Wireshark Lab Activity on TCP

M5 Wireshark TCP
In this lab, we’ll investigate the behavior of the celebrated TCP protocol in detail. We’ll
do so by analyzing a trace of the TCP segments sent and received in transferring a 150KB
file (containing the text of Lewis Carrol’s Alice’s Adventures in Wonderland) from your
computer to a remote server. We’ll study TCP’s use of sequence and acknowledgement
numbers for providing reliable data transfer. We’ll also briefly consider TCP connection
setup and we’ll investigate the performance (round-trip time) of the TCP connection
between your computer and the server.
Before beginning this lab, you’ll probably want to review sections 9.4 in the text.
1. Practicing – Capturing a bulk TCP transfer from your computer to a
remote server
We will use a provided trace file tcp-wireshark-trace1-1 to answer the questions in this
project. However, I’d like to include the following steps that you would take to produce
your own trace file to practice Wireshark on your own. Remember, use the provided trace
file tcp-wireshark-trace1-1 to answer the questions.
Practice only:
Before beginning our exploration of TCP, we’ll need to use Wireshark to obtain a packet
trace of the TCP transfer of a file from your computer to a remote server. You’ll do so by
accessing a Web page that will allow you to enter the name of a file stored on your
computer (which contains the ASCII text of Alice in Wonderland), and then upload the
file to a Web server using the HTTP POST method. We’re using the POST method
rather than the GET method as we’d like to transfer a large amount of data from your
computer to another computer. Of course, we’ll be running Wireshark during this time to
obtain the trace of the TCP segments sent and received from your computer.
Do the following:
• Start up your web browser. Go the http://gaia.cs.umass.edu/wiresharklabs/alice.txt and retrieve an ASCII copy of Alice in Wonderland. Store this as a
.txt file somewhere on your computer.
• Next go to http://gaia.cs.umass.edu/wireshark-labs/TCP-wireshark-file1.html.
• You should see a screen that looks like Figure 1.
Figure 1: Page to upload the alice.txt file from your computer to
gaia.cs.umass.edu
•
•
•
•
Use the Browse button in this form to the file on your computer that you just
created containing Alice in Wonderland. Don’t press the “Upload alice.txt file”
button yet.
Now start up Wireshark and begin packet capture (see the earlier Wireshark labs
if you need a refresher on how to do this).
Returning to your browser, press the “Upload alice.txt file” button to upload the
file to the gaia.cs.umass.edu server. Once the file has been uploaded, a short
congratulations message will be displayed in your browser window.
Stop Wireshark packet capture. Your Wireshark window should look similar to
the window shown in Figure 2.
Figure 2: Success! You’ve uploaded a file to gaia.cs.umass.edu and have
hopefully captured a Wireshark packet trace while doing so.
The provided packet trace tcp-wireshark-trace1-1 was captured while following the steps
above on one of the author’s computers 1.
1
The trace file tcp-wireshark-trace1-1 is used to answer this Wireshark lab. Once you’ve downloaded a
trace file, you can load it into Wireshark and view the trace using the File pull down menu, choosing Open,
and then selecting the trace file name.
2. A first look at the captured trace
Before analyzing the behavior of the TCP connection in detail, let’s take a high-level
view of the trace.
Let’s start by looking at the HTTP POST message that uploaded the alice.txt file to
gaia.cs.umass.edu from your computer. Find that file in your Wireshark trace, and
expand the HTTP message so we can take a look at the HTTP POST message more
carefully. Your Wireshark screen should look something like Figure 3.
Figure 3: expanding the HTTP POST message that uploaded alice.txt from your computer
to gaia.cs.umass.edu
There are a few things to note here:
• The body of your application-layer HTTP POST message contains the contents of
the file alice.txt, which is a large file of more than 152K bytes. OK – it’s not that
large, but it’s going to be too large for this one HTTP POST message to be
contained in just one TCP segment!
• In fact, as shown in the Wireshark window in Figure 3 we see that the HTTP
POST message was spread across 106 TCP segments. This is shown where the
red arrow is pointing in Figure 3. If you look even more carefully there, you can
see that Wireshark is being really helpful to you as well, telling you that the first
TCP segment containing the beginning of the POST message is packet #4 in the
trace tcp-wireshark-trace1-1 for the example in Figure 3. The second TCP
segment containing the POST message in packet #5 in the trace, and so on.
Let’s now “get our hands dirty” by looking at some TCP segments.
• First, filter the packets displayed in the Wireshark window by entering “tcp”
(lowercase, no quotes, and don’t forget to press return after entering!) into the
display filter specification window towards the top of the Wireshark window.
Your Wireshark display should look something like Figure 4. In Figure 4, we’ve
noted the TCP segment that has its SYN bit set – this is the first TCP message in
the three-way handshake that sets up the TCP connection to gaia.cs.umass.edu
that will eventually carry the HTTP POST message and the alice.txt file. We’ve
also noted the SYNACK segment (the second step in TCP three-way handshake),
as well as the TCP segment (packet #4, as discussed above) that carries the POST
message and the beginning of the alice.txt file.
Figure 4: TCP segments involved in sending the HTTP POST message (including the
file alice.txt) to gaia.cs.umass.edu
Answer the following questions by opening the Wireshark captured packet file tcpwireshark-trace1-1.
1. What is the IP address and TCP port number used by the client computer (source)
that is transferring the alice.txt file to gaia.cs.umass.edu? To answer this
question, it’s probably easiest to select an HTTP message and explore the details
of the TCP packet used to carry this HTTP message.
2. What is the IP address of gaia.cs.umass.edu? On what port number is it sending
and receiving TCP segments for this connection?
Since this lab is about TCP rather than HTTP, now change Wireshark’s “listing of
captured packets” window so that it shows information about the TCP segments
containing the HTTP messages, rather than about the HTTP messages, as in Figure 4
above. This is what we’re looking for‒a series of TCP segments sent between your
computer and gaia.cs.umass.edu!
3. TCP Basics
Answer the following questions for the TCP segments:
3. What is the sequence number of the TCP SYN segment that is used to initiate the
TCP connection between the client computer and gaia.cs.umass.edu? (Note: this
is the “raw” sequence number carried in the TCP segment itself; it is NOT the
packet # in the “No.” column in the Wireshark window. Remember there is no
such thing as a “packet number” in TCP or UDP; as you know, there are sequence
numbers in TCP and that’s what we’re after here. Also note that this is not the
relative sequence number with respect to the starting sequence number of this
TCP session.). What is it in this TCP segment that identifies the segment as a
SYN segment?
4. What is the sequence number of the SYNACK segment sent by gaia.cs.umass.edu
to the client computer in reply to the SYN? What is it in the segment that
identifies the segment as a SYNACK segment? What is the value of the
Acknowledgement (raw) field in the SYNACK segment? How did
gaia.cs.umass.edu determine that value?
5. What is the sequence number of the TCP segment containing the header of the
HTTP POST command? Note that in order to find the POST message header,
you’ll need to dig into the packet content field at the bottom of the Wireshark
window, looking for a segment with the ASCII text “POST” within its DATA
field2,3. How many bytes of data are contained in the payload (data) field of this
TCP segment? Did all of the data in the transferred file alice.txt fit into this single
segment?
6. Consider the TCP segment containing the HTTP “POST” as the first segment in
the data transfer part of the TCP connection.
• At what time was the first segment (the one containing the HTTP POST) in
the data-transfer part of the TCP connection sent?
• At what time was the ACK for this first data-containing segment received?
• What is the RTT for this first data-containing segment?
2
Hint: this TCP segment is sent by the client soon (but not always immediately) after the SYNACK
segment is received from the server.
3
Note that if you filter to only show “http” messages, you’ll see that the TCP segment that Wireshark
associates with the HTTP POST message is the last TCP segment in the connection (which contains the
text at the end of alice.txt: “THE END”) and not the first data-carrying segment in the connection.
Students often find this unexpected and/or confusing.
• What is the RTT value the second data-carrying TCP segment and its ACK?
7. What is the length of each of the first four data-carrying TCP segments?4
8. Are there any retransmitted segments in the trace file? What did you check for (in
the trace) in order to answer this question?
4
The TCP segments in the tcp-wireshark-trace1-1 trace file are all less than 1480 bytes. This is because the
computer on which the trace was gathered has an interface card that limits the length of the maximum IP
datagram to 1500 bytes. This 1500-byte value is a fairly typical maximum length for an Internet IP
datagram.