LAB02 – Instructions

Scenario:
This is the second in series of Wireshark labs, where this one is designed to let you use Wireshark to
explore the behavior of TCP. After a transfer, you initiate and with the help of a pre-recorded Wireshark
file, you will analyze how the TCP protocol does reliability, congestion control and flow control, with a
brief look at connection setup and performance. You will turn in your trace as well as answers to some
questions based on the data you gathered
Details:
Follow the instructions in the lab carefully, with the one exception that you must save your capture file
(Via "File" --> "Save") as the very last step before exiting Wireshark.

Grading
You will be graded based on: 1) your ability to get Wireshark up and running, and 2) the accuracy of
your answers with respect to the Wireshark capture file you uploaded. There are 4 questions at the end
of the tutorial (the last question is really just requires an action on your part), and each question is
equally weighted.

Grading Guidelines
Wireshark Answers
30% 70%
Grading scores % Explanation
90-100: The Wireshark capture file is present, answers to the questions are
thorough and accurate
80-89: The Wireshark capture file is present, all questions are answered and
mostly accurate, but there are some minor errors
70-79: The Wireshark capture file is present, but an answer is missing or several
answers are incomplete or inaccurate
60-69 The Wireshark capture file is present, but one or more answers are
missing and/or most of the answers are incomplete or inaccurate
0-50: The Wireshark capture file is not present and the answers to the
questions are incorrect or severely lacking
LAB02 – TCP traffic
Scenario
In this lab, we will investigate the behavior of the celebrated TCP protocol in detail. We will do so by
analyzing a trace of the TCP segments sent and received in transferring a 150KB file (containing the text
of Lewis Carrol’s Alice’s Adventures in Wonderland) from a computer to a remote server. We will study
TCP’s use of sequence and acknowledgement numbers for providing reliable data transfer; we will see
TCP’s congestion control algorithm – slow start and congestion avoidance – in action; and we will look
at TCP’s receiver-advertised flow control mechanism. We will also briefly consider TCP connection setup
and we will investigate the performance (throughput and round-trip time) of the TCP connection
between your computer and the server.

Exercise 1 – Download Wireshark capture file

1. Open web browser and logon to lms.tvz.hr with your credentials
2. Navigate to My Courses > MU > Application and Transport Layer module
3. Select and download Wireshark-TCP_Trace to your desktop

Note: The traces in this zip file were collected by Wireshark running on the computers, while performing
the steps indicated in the Wireshark lab.

4. On your computer Start Wireshark and view the trace using the File > Open, and then selecting
the tcp-ethereal-trace-1 trace file
5. Configure time format to display time in seconds from beginning of a capture (details in lab01)

Exercise 2 – Analyze a captured trace

Task1: Take a high level view of the trace
1. Filter packet displayed in Wireshark by typing “tcp” into display filter area of Wireshark
(lowercase, no quotes, and do not forget to press return after entering!)

Note: What you should see is series of TCP and HTTP messages between client computer and remote
server. You should see the initial three-way handshake containing a SYN message. You should see
an HTTP POST message. You will also see “[TCP segment of a reassembled PDU]” in the Info
column of the Wireshark display to indicate that this TCP segment contained data that belonged
to an upper layer protocol message (in our case here, HTTP) - – this is Wireshark’s way of
indicating that there are multiple TCP segments being used to carry a single HTTP message

2. Answer the following questions, by looking into Wireshark trace file.

Note: Whenever possible, when answering a question you should paste a print screen (using Windows
Snipping Tool application) of Wireshark console with display of the packet(s) within the trace that
you used to answer the question

Q1: What is the IP address and TCP port number used by the client computer (source) that is
transferring the file to remote server?

HINT: To answer this question, it is probably easiest to select an HTTP message and explore the details
of the TCP packet used to carry this HTTP message, using the “details of the selected packet header
window”
Ip racunala je : 192.168.1.102

TCP 1161

Q2: What is the IP address of remote server? On what port number is it sending and receiving TCP
segments for this connection?

Ip adresa remote servera je : 128.119.245.12

TCP : 80

3. Change the listing of captured packets so that it shows information about the TCP Segments
containing HTTP messages, rather than about the HTTP messages
 In Wireshark main windows select Analyze > Enabled Protocols…
 Scroll down and deselect HTTP
 Click OK

Note: Now you should see only TCP segments that have been sent between computer and servers
during data exchange

Task3: TCP Basics

Answer following questions for the TCP segments (include Snipping tool printscreen of packets if able)

Q3: What is the sequence number of the TCP SYN segment that is used to initiate the TCP connection
between the client computer and remote server? What is it in the segment that identifies the
segment as a SYN segment?

Segment : 0

Sekvencijski broj od TCP SYN segment se koristi kao pocetak konekcije izmedu computer I remote
server.
Q4: What is the sequence number of the SYNACK segment sent by server to the client computer in
reply to the SYN? What is the value of the Acknowledgement field in the SYNACK segment? How did
server determine that value? What is it in the segment that identifies the segment as a SYNACK
segment?

Broj sekvencija od SYNACK : 0

Vrijednost Acknowledgemen iznosi : 1

Vrijednost je prikazana kao ACK number

SYN flag i Acknowledgement flag su postavljene na 1, to nam predstavlja da je SYNACK segment.

Q5: What is the sequence number of the TCP segment containing the HTTP POST command? Note
that in order to find the POST command, you’ll need to dig into the packet content field at the bottom
of the Wireshark window, looking for a segment with a “POST” within its DATA field (start from
beginning)

Segment number : 1
Q6: Consider the TCP segment containing the HTTP POST as the first segment in the TCP connection.
What are the sequence numbers (wireshark No. column) of the first six segments in the TCP
connection (including the segment containing the HTTP POST)?

Seg1:1
Seg2:566

Seg3:2026

Seg4:3486

Seg5:4946

Seg6:6406

At what time was each segment sent? When was the ACK for each segment received?
Seg1: 0.026477 Ack1: 0.053937

Seg2: 0.041737 akc2: 0.077294

Seg3: 0.054026 akc3: 0.124085

Seg4: 0.054690 akc4: 0.169118

Seg5: 0.077405 akc5: 0.217299

Seg6: 0.078157 akc6: 0.267802

Given the difference between when each TCP segment was sent, and when its acknowledgement was
received, what is the RTT value for each of the six segments?

HINT: Wireshark has a nice feature that allows you to plot the RTT for each of the TCP segments sent.
Select a TCP segment in the “listing of captured packets” window then select: Statistics->TCP Stream
Graph- >Round Trip Time Graph.

Q7: What is the length of each of the first six TCP segments?

Length 1.TCP segment: 565 byte

Length 2-6 tcp segment:1460byte

Q8: What is the minimum amount of available buffer space advertised at the received for the entire
trace? Does the lack of receiver buffer space ever throttle the sender?

Minimum je 5840 byte

Senderu nece puknut bandwidth jer receiver ima velik buffer.

Q9: Are there any retransmitted segments in the trace file? What did you check for (in the trace) in
order to answer this question?

HINT: Wireshark has a nice feature that allows you to plot the Sequence Number (Stevens) for each of
the TCP segments sent. Select a TCP segment in the “listing of captured packets” window then select:
Statistics->TCP Stream Graph- > Sequence Number (Stevens).

nema retransmitted segments.

U grafu vidimo segmente od izvora(192.168.1.102) do odredišta (128.119.245.12),on se krece

monotono u odnosu na vrijeme. Ako ima/postoji retransmitted segmenta segmentni broj od
retransmitted segmenta treba biti manji od susjednih segmenta.
Q10: How much data does the receiver typically acknowledge in an ACK? Can you identify cases
where the receiver is ACKing more than one segment?

Prihvaca obicno 1460 byta

ACK *2 – velicina Acknowledgea

Q11: What is the throughput (bytes transferred per unit time) for the TCP connection? Explain how
you calculated this value.

Ovisi o uzetom period vremena. Podjelili smo ukupan broj bajtova s vremenom koje je prošlo.
Upon completing this lab , close Wireshark and other used programs. Upload this file to LMS.tvz.hr
for evaluation.