LAB 1

LAB 1 QUESTIONS

List up to 10 different protocols that appear in the protocol column in the

unfiltered packet-listing window in step 7 above.
HTTP, TCP , OCSP , UDP , TSLv1.2 , TSLv3 , DNS

How long did it take from when the HTTP GET message was sent until the HTTP
OK reply was received? (By default, the value of the Time column in the packetlisting
window is the amount of time, in seconds, since Wireshark tracing began.
To display the Time field in time-of-day format, select the Wireshark View pull
down menu, then select Time Display Format, then select Time-of-day.)

[Time since request: 0.238426000 seconds]

I’ve received “OK” message.
What is the Internet address of the gaia.cs.umass.edu (also known as wwwnet.cs.umass.edu)?
What is the Internet address of your computer?

Destination adress : IntelCor_70:64:bc (60:67:20:70:64:bc)

Address: IntelCor_70:64:bc (60:67:20:70:64:bc)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

Source adress : Cisco_1f:67:00 (a0:e0:af:1f:67:00)

Address: Cisco_1f:67:00 (a0:e0:af:1f:67:00)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)

LAB 2_1
LAB 2_1 QUESTIONS
Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the
server running?

My browser is running HTTP/1.1 .

Server is using HTTP/1.1 .

What languages (if any) does your browser indicate that it can accept to the
server?

Accept-Language: en-US,en;q=0.5\r\n

What is the IP address of your computer? Of the gaia.cs.umass.edu server?

Source: 10.62.137.161
Destination: 195.175.112.225

What is the status code returned from the server to your browser?

Status Code: 200

When was the HTML file that you are retrieving last modified at the server?

Last-Modified: Mon, 15 May 2017 18:04:40 GMT\r\n

How many bytes of content are being returned to your browser?

File Data: 8 bytes

By inspecting the raw data in the packet content window, do you see any headers
within the data that are not displayed in the packet-listing window? If so, name
one.

LAB 2_2
LAB 2_2 QUESTIONS
Inspect the contents of the first HTTP GET request from your browser to the
server. Do you see an “IF-MODIFIED-SINCE” line in the HTTP GET?

No, there is no IF-MODIFIED-SINCE line in the first HTTP GET.

Inspect the contents of the server response. Did the server explicitly return the
contents of the file? How can you tell?

Yes, the server did return the contents of the file as there is a “Line-based text data” line and
under it is the text.

Now inspect the contents of the second HTTP GET request from your browser to
the server. Do you see an “IF-MODIFIED-SINCE:” line in the HTTP GET? If
so, what information follows the “IF-MODIFIED-SINCE:” header?

Yes, there is an “IF-MODIFIED-SINCE” line in the second GET request and it follows with a
date of Monday September 25, 2017 05:59:01
What is the HTTP status code and phrase returned from the server in response to
this second HTTP GET? Did the server explicitly return the contents of the file?
Explain.

The status code is 304 Not Modified and this time it did not return the contents of the file. The
reason is that since the file was not modified there is no new content that needs to be passed
and so there is no need to download the file again.

LAB 2_3
LAB 2_3 QUESTIONS

How many HTTP GET request messages were sent by your browser?

Just one request message was sent by the browser.

How many data-containing TCP segments were needed to carry the single HTTP
response?

There were 4 segments needed to carry the HTTP response. The sizes for the segments are:
1380bytes, 1380bytes, 1380 bytes, and 721 bytes

What is the status code and phrase associated with the response to the HTTP GET
request?

The status code is 200 OK

LAB 2_4
LAB 2_4 QUESTIONS

How many HTTP GET request messages were sent by your browser? To which
Internet addresses were these GET requests sent?

There were 4 HTTP GET requests sent from my browser to the server
(128.119.245.12). It sent to the internet address of the main html page, and also the locations
of the images.

Can you tell whether your browser downloaded the two images serially, or
whether they were downloaded from the two web sites in parallel? Explain.

The two images were downloaded serially. The first image was requested and retrieved with a
status of 200 OK. Then the browser tried to download the second image and had a
response of 302 Found, which means the image location moved. The browser had to
then send another request to the new destination to retrieve the second image, and it came
back with a 200 OK.
LAB 2_5
LAB 2_5 QUESTIONS

What is the server’s response (status code and phrase) in response to the initial
HTTP GET message from your browser?

Status Code is 401 and Phrase : OK.

When your browser’s sends the HTTP GET message for the second time, what
new field is included in the HTTP GET message?

Second time , I’ve got “Unauthorized” message.

LAB 3_1
LAB 3_2

What is the IP address and TCP port number used by the client computer (source)
that is transferring the file to gaia.cs.umass.edu? To answer this question, it’s
probably easiest to select an HTTP message and explore the details of the TCP
packet used to carry this HTTP message, using the “details of the selected packet
header window” (refer to Figure 2 in the “Getting Started with Wireshark” Lab if
you’re uncertain about the Wireshark windows).

Client computer (source)IP address: 192.168.1.102

TCP port number: 1161

What is the IP address of gaia.cs.umass.edu? On what port number is it sending

and receiving TCP segments for this connection?

Destination computer: gaia.cs.umass.eduIP address: 128.119.245.12

TCP port number: 80
LAB 3_3
LAB 3_3 QUESTIONS

What is the sequence number of the TCP SYN segment that is used to initiate the
TCP connection between the client computer and gaia.cs.umass.edu? What is it
in the segment that identifies the segment as a SYN segment?

Sequence number of the TCP SYN segment is used to initiate the TCPconnection between the
client computer and gaia.cs.umass.edu. The value is 0 in thistrace.The SYN flag is set to 1 and
it indicates that this segment is a SYN segment.

What is the sequence number of the SYNACK segment sent by gaia.cs.umass.edu

to the client computer in reply to the SYN? What is the value of the
ACKnowledgement field in the SYNACK segment? How did gaia.cs.umass.edu
determine that value? What is it in the segment that identifies the segment as a
SYNACK segment?

Sequence number of the SYNACK segment from gaia.cs.umass.edu to theclient computer in

reply to the SYN has the value of 0 in this trace.The value of the ACKnowledgement field in
the SYNACK segment is 1. The value of theACKnowledgement field in the SYNACK
segment is determined by gaia.cs.umass.edu by adding 1 to the initial sequence number of
SYN segment from the client computer (i.e.the sequence number of the SYN segment
initiated by the client computer is 0.).The SYN flag and Acknowledgement flag in the
segment are set to 1 and they indicatethat this segment is a SYNACK segment.

What is the sequence number of the TCP segment containing the HTTP POST
command? Note that in order to find the POST command, you’ll need to dig into
the packet content field at the bottom of the Wireshark window, looking for a
segment with a “POST” within its DATA field.

No. 4 segment is the TCP segment containing the HTTP POST command. Thesequence
number of this segment has the value of 1.
Consider the TCP segment containing the HTTP POST as the first segment in the
TCP connection. What are the sequence numbers of the first six segments in the
TCP connection (including the segment containing the HTTP POST)? At what
time was each segment sent? When was the ACK for each segment received?
Given the difference between when each TCP segment was sent, and when its
acknowledgement was received, what is the RTT value for each of the six
segments? What is the EstimatedRTT value (see page 249 in text) after the
receipt of each ACK?

The HTTP POST segment is considered as the first segment. Segments 1 – 6are No. 4, 5, 7, 8,
10, and 11 in this trace respectively. The ACKs of segments 1 – 6 are No. 6, 9, 12, 14, 15, and
16 in this trace.
Segment 1 sequence number: 1
Segment 2 sequence number: 566
Segment 3 sequence number: 2026
Segment 4 sequence number: 3486
Segment 5 sequence number: 4946
Segment 6 sequence number: 6406

What is the length of each of the first six TCP segments?

Length of the first TCP segment (containing the HTTP POST): 565 bytesLength of each of
the other five TCP segments: 1460 bytes

What is the minimum amount of available buffer space advertised at the received
for the entire trace? Does the lack of receiver buffer space ever throttle the
sender?

The minimum amount of buffer space (receiver window) advertised atgaia.cs.umass.edu for
the entire trace is 5840 bytes, which shows in the firstacknowledgement from the server. This
receiver window grows steadily until a maximumreceiver buffer size of 62780 bytes. The
sender is never throttled due to lacking ofreceiver buffer space by inspecting this trace.
Are there any retransmitted segments in the trace file? What did you check for (in
the trace) in order to answer this question?

There are no retransmitted segments in the trace file. We can verify this bychecking the
sequence numbers of the TCP segments in the trace file. In the
Time-Sequence-Graph (Stevens) of this trace, all sequence numbers from the
source(192.168.1.102) to the destination (128.119.245.12) are increasing monotonically
withrespect to time. If there is a retransmitted segment, the sequence number of
thisretransmitted segment should be smaller than those of its neighboring segments.

What is the throughput (bytes transferred per unit time) for the TCP connection?
Explain how you calculated this value.

The computation of TCP throughput largely depends on the selection ofaveraging time period.
As a common throughput computation, in this question, we selectthe average time period as
the whole connection time. Then, the average throughput forthis TCP connection is computed
as the ratio between the total amount data and the totaltransmission time. The total amount
data transmitted can be computed by the difference between the sequence number of the first
TCP segment (i.e. 1 byte for No. 4 segment)and the acknowledged sequence number of the
last ACK (164091 bytes for No. 202segment). Therefore, the total data are 164091 - 1 =
164090 bytes. The wholetransmission time is the difference of the time instant of the first
TCP segment (i.e.,0.026477 second for No.4 segment) and the time instant of the last ACK
(i.e., 5.455830second for No. 202 segment). Therefore, the total transmission time is
5.455830 -0.026477 = 5.4294 seconds. Hence, the throughput for the TCP connection is
computedas 164090/5.4294 = 30.222 KByte/sec
LAB 3_4
LAB 3_4 QUESTIONS

Can you identify where TCP’s slowstart phase begins

and ends, and where congestion avoidance takes over? Comment on ways in
which the measured data differs from the idealized behavior of TCP that we’ve
studied in the text..
LAB 4
LAB 4 QUESTIONS

What is the IP address of your computer?

Within the IP packet header, what is the value in the upper layer protocol field?

How many bytes are in the IP header? How many bytes are in the payload of the
IP datagram? Explain how you determined the number of payload bytes.

Has this IP datagram been fragmented? Explain how you determined whether or
not the datagram has been fragmented.
Which fields in the IP datagram always change from one datagram to the next
within this series of ICMP messages sent by your computer?

Which fields stay constant? Which of the fields must stay constant? Which fields
must change? Why?

Describe the pattern you see in the values in the Identification field of the IP
datagram
What is the value in the Identification field and the TTL field?

Do these values remain unchanged for all of the ICMP TTL-exceeded replies sent
to your computer by the nearest (first hop) router? Why?
Find the first ICMP Echo Request message that was sent by your computer after
you changed the Packet Size in pingplotter to be 2000. Has that message been
fragmented across more than one IP datagram? [Note: if you find your packet has
not been fragmented, you should download the zip file
http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the ipethereal-trace-
1packet trace. If your computer has an Ethernet interface, a packet
size of 2000 should cause fragmentation.3]

Print out the first fragment of the fragmented IP datagram. What information in
the IP header indicates that the datagram been fragmented? What information in the IP header
indicates whether this is the first fragment versus a latter fragment?
How long is this IP datagram?
Print out the second fragment of the fragmented IP datagram. What information in
the IP header indicates that this is not the first datagram fragment? Are the more
fragments? How can you tell?

What fields change in the IP header between the first and second fragment?

How many fragments were created from the original datagram?

What fields change in the IP header among the fragments?