
Laboratory 4: Wireshark TCP Lab

MSc CNS
Petros Zaris M00389001
2/10/2012

1. Capturing a bulk TCP transfer from your computer to a remote server and 2. A first look at the captured trace:

TCP Basics
Answer the following questions for the TCP segments:

1. What is the IP address and TCP port number used by your client computer (source) to transfer the file to gaia.cs.umass.edu? What is the IP address and port number used by gaia.cs.umass.edu to receive the file?

The IP address and TCP port number of my client computer (source) are:
IP address: 192.168.10.1
TCP port number: 53786

The IP address and TCP port number used by gaia.cs.umass.edu (destination) are:
IP address: 128.119.245.12
TCP port number: 80

2. What is the sequence number of the TCP SYN segment that is used to initiate the TCP connection between the client computer and gaia.cs.umass.edu? What is it in the segment that identifies the segment as a SYN segment?

The sequence number of the TCP SYN segment that is used to initiate the TCP connection between the client computer and gaia.cs.umass.edu is 0 (Seq=0). The segment is identified as a SYN segment by the 2nd least significant bit of the Flags field, which is set to 1; otherwise that bit is not set (0). Here we can see a SYN segment with the SYN flag set to 1:

In the following capture we can see a segment that is not a SYN segment (Syn flag: Not Set):

3. What is the sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the client computer in reply to the SYN? What is the value of the ACKnowledgement field in the SYNACK segment? How did gaia.cs.umass.edu determine that value? What is it in the segment that identifies the segment as a SYNACK segment?

The sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the client computer in reply to the SYN is 0 (Seq=0). The value of the ACKnowledgement field in the SYNACK segment is 1 (Ack=1). gaia.cs.umass.edu determined that value by adding 1 to the sequence number of the SYN segment; since the SYN segment had sequence number 0, the result was 1. The SYN flag and the acknowledgement flag in the segment are both set to 1, which indicates that this segment is a SYNACK segment. We can see from the following capture that the 2nd (SYN) and 5th (ACK) least significant bits of the Flags field are set to 1.
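The flag bits and the Seq=0 / Ack=1 values from answers 2 and 3 can be read straight from the header bytes. The parser below is an added example, not part of the original report; the initial sequence numbers are constructed (the report only shows Wireshark's relative numbers), and the helper names are illustrative.

```python
import struct

# Bit masks in the TCP flags byte (bit 0 = least significant bit).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
MOD = 2 ** 32  # sequence numbers are 32-bit and wrap around

def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte part of a TCP header (network byte order)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    fields = struct.unpack("!HHIIHHHH", raw[:20])
    sport, dport, seq, ack, off_flags = fields[:5]
    header_len = (off_flags >> 12) * 4      # data offset is counted in 32-bit words
    if header_len < 20:
        raise ValueError("invalid data offset")
    flags = {name for name, bit in FLAG_BITS.items() if off_flags & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags}

def handshake_role(hdr: dict) -> str:
    """Classify a segment by its SYN and ACK bits."""
    if "SYN" in hdr["flags"]:
        return "SYN-ACK" if "ACK" in hdr["flags"] else "SYN"
    return "other"

def relative(value: int, isn: int) -> int:
    """Wireshark-style relative number: offset from the initial sequence number."""
    return (value - isn) % MOD

def build_header(sport, dport, seq, ack, flags):
    """Constructed sample input: a 20-byte header without options."""
    return struct.pack("!HHIIHHHH", sport, dport, seq % MOD, ack % MOD,
                       (5 << 12) | flags, 65535, 0, 0)

# Constructed ISNs; the client ISN sits at the wrap-around edge on purpose.
CLIENT_ISN, SERVER_ISN = 0xFFFFFFFF, 0x1C2D3E4F
SYN = build_header(53786, 80, CLIENT_ISN, 0, 0x02)
SYNACK = build_header(80, 53786, SERVER_ISN, CLIENT_ISN + 1, 0x12)

if __name__ == "__main__":
    for raw, isn, peer_isn in ((SYN, CLIENT_ISN, 0), (SYNACK, SERVER_ISN, CLIENT_ISN)):
        h = parse_tcp_header(raw)
        print(handshake_role(h), "Seq =", relative(h["seq"], isn),
              "Ack =", relative(h["ack"], peer_isn), sorted(h["flags"]))
```

With the client ISN at 0xFFFFFFFF the raw acknowledgement number in the SYNACK wraps to 0, yet the relative value is still 1, which is what Wireshark displays.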

Note: After question 3 the PC crashed so I had to re-run the capture; that's why the rest of the screenshots will differ from the first three questions.

4. What is the sequence number of the TCP segment containing the HTTP POST command? Note that in order to find the POST command, you'll need to dig into the packet content field at the bottom of the Wireshark window, looking for a segment with a POST within its DATA field.

The sequence number of the TCP segment containing the HTTP POST command is 1 (the segment is the fourth in number, since the first three are the SYN and SYNACK segments). As we can see from the picture below, in the Flags section the Push bit is set (1), and that is how we recognize the POST command. We can also see it from the description. Note that if the data are too big to fit in one packet, the push flag is set only in the first packet of the data stream, and the packets that follow are continuations with the push flag not set.

5. Consider the TCP segment containing the HTTP POST as the first segment in the TCP connection. What are the sequence numbers of the first six segments in the TCP connection (including the segment containing the HTTP POST)? At what time was each segment sent? When was the ACK for each segment received? Given the difference between when each TCP segment was sent, and when its acknowledgement was received, what is the RTT value for each of the six segments? What is the EstimatedRTT value (see page 237 in text) after the receipt of each ACK? Assume that the value of the EstimatedRTT is equal to the measured RTT for the first segment, and then is computed using the EstimatedRTT equation on page 249 for all subsequent segments.

Note: Wireshark has a nice feature that allows you to plot the RTT for each of the TCP segments sent. Select a TCP segment in the "listing of captured packets" window that is being sent from the client to the gaia.cs.umass.edu server. Then select: Statistics->TCP Stream Graph->Round Trip Time Graph.

The first six segments in the TCP connection (including the segment containing the HTTP POST) are packets 4, 5, 7, 9, 12 and 15; these are now treated as segments 1, 2, 3, 4, 5 and 6, with sequence numbers 1, 663, 2123, 3583, 6503 and 9423 respectively. The acknowledgements for segments 1-6 are packets 6, 8, 10, 13, 16 and 19. Each segment was sent at:

            Sent time         ACK time received   RTT (sec)
Segment 1   08:41:42.384848   08:41:42.583934     0.199086
Segment 2   08:41:42.384949   08:41:42.590953     0.206004
Segment 3   08:41:42.583983   08:41:42.783931     0.199948
Segment 4   08:41:42.590973   08:41:42.983694     0.392721
Segment 5   08:41:42.820311   08:41:43.583711     0.763400
Segment 6   08:41:43.473636   08:41:43.783662     0.310026

EstimatedRTT = 0.875 * EstimatedRTT + 0.125 * SampleRTT

EstimatedRTT after the receipt of the ACK of segment 1:
EstimatedRTT = RTT for Segment 1 = 0.199086 second

EstimatedRTT after the receipt of the ACK of segment 2:
EstimatedRTT = 0.875 * 0.199086 + 0.125 * 0.206004 = 0.19995075

EstimatedRTT after the receipt of the ACK of segment 3:
EstimatedRTT = 0.875 * 0.19995075 + 0.125 * 0.199948 = 0.199950406

EstimatedRTT after the receipt of the ACK of segment 4:
EstimatedRTT = 0.875 * 0.199950406 + 0.125 * 0.392721 = 0.22404673

EstimatedRTT after the receipt of the ACK of segment 5:
EstimatedRTT = 0.875 * 0.22404673 + 0.125 * 0.763400 = 0.291465889

EstimatedRTT after the receipt of the ACK of segment 6:
EstimatedRTT = 0.875 * 0.291465889 + 0.125 * 0.310026 = 0.293785903
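The RTT table and the EstimatedRTT series above can be reproduced by pairing each ACK with the segment it covers and then applying the formula. This is an added example, not part of the original report; the ACK numbers are an assumption (sequence number plus length of the acknowledged segment), and a segment that was sent twice is left out of the samples because its ACK could answer either copy.

```python
from datetime import datetime

ALPHA = 0.125  # weight of the newest sample in the report's EstimatedRTT formula

# (send time, sequence number, length) taken from the report's answers 5 and 6.
SEGMENTS = [
    ("08:41:42.384848", 1, 662), ("08:41:42.384949", 663, 1460),
    ("08:41:42.583983", 2123, 1460), ("08:41:42.590973", 3583, 2920),
    ("08:41:42.820311", 6503, 2920), ("08:41:43.473636", 9423, 2920),
]
# (receive time, ACK number). Times are from the report; the ACK numbers are
# assumed to be seq + length of the segment each ACK covers.
ACKS = [
    ("08:41:42.583934", 663), ("08:41:42.590953", 2123),
    ("08:41:42.783931", 3583), ("08:41:42.983694", 6503),
    ("08:41:43.583711", 9423), ("08:41:43.783662", 12343),
]

def parse_time(stamp):
    return datetime.strptime(stamp, "%H:%M:%S.%f")

def sample_rtts(segments, acks):
    """Pair each ACK with the segment it covers (ack == seq + length)."""
    sent, ambiguous = {}, set()
    for stamp, seq, length in segments:
        end = seq + length
        if end in sent:
            ambiguous.add(end)   # sent twice: the ACK could answer either copy
        else:
            sent[end] = parse_time(stamp)
    samples = []
    for stamp, ack in acks:
        if ack in sent and ack not in ambiguous:
            # pop() so that a duplicate ACK is not sampled a second time
            samples.append((parse_time(stamp) - sent.pop(ack)).total_seconds())
    return samples

def estimated_rtt(samples, alpha=ALPHA):
    """Return EstimatedRTT after each sample; the first sample seeds the estimate."""
    history = []
    for s in samples:
        history.append(s if not history else (1 - alpha) * history[-1] + alpha * s)
    return history

if __name__ == "__main__":
    for i, est in enumerate(estimated_rtt(sample_rtts(SEGMENTS, ACKS)), 1):
        print(f"after ACK {i}: EstimatedRTT = {est:.9f} s")
```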

6. What is the length of each of the first six TCP segments?

The length of each of the first six TCP segments is: 662 bytes for the 1st segment, 1460 bytes for the 2nd and 3rd segments, and 2920 bytes for the 4th, 5th and 6th segments.

7. Are there any retransmitted segments in the trace file? What did you check for (in the trace) in order to answer this question?

TCP retransmission occurs when the sender retransmits a packet after the acknowledgement for it has timed out. If we check the sequence numbers in the trace file, we notice that there are no retransmissions. Since segment 1 has sequence number 1 and a length of 662 bytes, the 2nd segment should have sequence number 663, and so it has. The same holds for the remaining segments: the 2nd segment, with a length of 1460 bytes, gives the 3rd segment sequence number 2123 (663+1460), and so on.

8. Use the Time-Sequence-Graph (Stevens) plotting tool to view the sequence number versus time plot of segments being sent from the client to the gaia.cs.umass.edu server. Can you identify where TCP's slow start phase begins and ends, and where congestion avoidance takes over?

Using the Time-Sequence-Graph (Stevens) of this trace, all sequence numbers from the source (192.168.10.1) to the destination (128.119.245.12) are increasing monotonically with respect to time. If there were a retransmitted segment, the sequence number of this retransmitted segment would be smaller than those of its neighbouring segments.
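The check used in answers 7 and 8 (each segment starts where the previous one ended, and a retransmission shows up as a sequence number below its neighbours) can be automated over the packet list. This is an added example, not part of the original report; it assumes relative sequence numbers as Wireshark displays them, with no 32-bit wrap inside the trace, and the second trace is constructed.

```python
def audit_sequence(segments):
    """Check one direction of a TCP stream for contiguous sequence numbers.

    segments: (frame_no, seq, length) tuples in capture order.
    Returns (frame_no, kind, detail) findings; an empty list means every
    data segment started exactly where the previous one ended.
    """
    findings = []
    next_expected = None  # highest seq + length seen so far
    for frame, seq, length in segments:
        if length == 0:
            continue  # pure ACKs carry no data and use no sequence space
        if next_expected is not None:
            if seq < next_expected:
                # Bytes already sent are sent again: on the time-sequence
                # graph this point lies below its neighbours.
                findings.append((frame, "retransmission",
                                 f"seq {seq} < expected {next_expected}"))
            elif seq > next_expected:
                findings.append((frame, "gap",
                                 f"bytes {next_expected}..{seq - 1} not captured"))
        end = seq + length
        next_expected = end if next_expected is None else max(next_expected, end)
    return findings

# Packet numbers, sequence numbers and lengths from the report's answers 5 and 6.
REPORT_TRACE = [(4, 1, 662), (5, 663, 1460), (7, 2123, 1460),
                (9, 3583, 2920), (12, 6503, 2920), (15, 9423, 2920)]

# Constructed trace (not from the report): packet 12 is missing from the
# capture and packet 21 resends the bytes that started at 3583.
CONSTRUCTED_TRACE = [(4, 1, 662), (5, 663, 1460), (7, 2123, 1460),
                     (9, 3583, 2920), (15, 9423, 2920), (21, 3583, 2920)]

if __name__ == "__main__":
    print("report trace:", audit_sequence(REPORT_TRACE) or "contiguous")
    for finding in audit_sequence(CONSTRUCTED_TRACE):
        print("constructed trace:", finding)
```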
