Network analysis Using Wireshark Lesson 11: TCP and UDP Analysis

Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com
Network analysis using Wireshark V2 yoram@ndi-com.comPage1
Network analysis Using Wireshark
Lesson 11:
TCP and UDP Analysis

Network analysis using Wireshark V2 yoram@ndi-com.comPage 2
• By the end of this lesson, the participant will be able to:
▫ Understand UDP and TCP network behavior
▫ Understand TCP connectivity problems
▫ Understand how to use Wireshark for TCP troubleshooting
Lesson Objectives

yoram@ndi-com.com
For More lectures, Courses & Keynote Speaking
Contact Me to:

Network analysis using Wireshark V2 yoram@ndi-com.comPage4
Layer 4 protocols - reminder
Configuring TCP and UDP preferences
for troubleshooting
Using Wireshark for UDP analysis
Using Wireshark for TCP analysis
TCP retransmission – where do they
come from and why
Duplicate ACKs and fast retransmissions
Chapter Content
Previous segment loss & out-of-
order packet events
TCP Zero Window and other
sliding-window issues
TCP resets and why they happen
Case studies
“An investment in knowledge always pays the
best interest.”
― Benjamin Franklin

TCP/IP Protocol Stack
Reminder
CellularEthernet WiFi
IP ICMP
UDP TCP
RTP SMTP TelnetDNS
ARP
OSI Layer 1/2
OSI Layer 3
OSI Layer 4
OSI Layer 5-7
SCTP
SIGTRAN
SPDY
IGMP
FTPHTTPs
QUIC
HTTP

TCP vs. UDP
Connectivity Reliability
Connection Start
Connection End

• Connection-less, un-reliable protocol and therefor much
faster that TCP
• Used for:
▫ Name-resolution (DNS..)
▫ Monitoring (SNMP..)
▫ Real-time applications (RTP..)
▫ Broadcasts (NetBIOS enouncements …)
▫ Multicast applications and more
UDP Principles

UDP Frame Structure
source port # dest port #
32 bits
Application
data
(message)
length checksum
Source Port Source Port
Datagram checksum
Datagram length

UDP Example
2
3
1

TCP Principles
• The basic operation of the TCP in each of these areas is:
▫ Connections
▫ Full duplex data transfer
▫ Reliability
▫ Flow Control
▫ Congestion control

TCP Principles – Connections
• TCP mechanisms initialize and maintain status information for each data
stream.
• The combination of sockets that are composed of IP addresses and
sequence numbers, and window sizes, is called a connection.
• Each connection is uniquely specified by a pair of sockets identifying its
two sides.
• When two processes wish to communicate, they open the connection, send
the data, and then, close the connection
socket
door
TCP
Send Buffer
TCP
Receive Buffer
socket
door
segment
application
writes data
application
reads data
segment

TCP Principles – Full-Duplex Data Transfer
• TCP forwards data between end processes
• TCP packages application data, and send it in TCP segments (PDUs)
• Each byte is numbered, and get a “Sequence Number”, and sent to the
other side
• Data is sent in both directions – full duplex connection
socket
door TCP
Send Buffer
TCP
Receive Buffer
socket
door
segment
application
writes data
application
reads data
segment
segmentsegment

TCP Principles - Reliability
• TCP recovers from data that is damaged, lost, duplicated, or delivered
out of order.
• This is achieved by assigning a sequence number to each octet
transmitted, and requiring a positive acknowledgment (ACK) from the
receiving TCP.
• If the ACK is not received within a timeout interval, the data is
retransmitted.
socket
door
TCP
Send Buffer
TCP
Receive Buffer
socket
door
segment
application
writes data
application
reads data
segment
AckAck

Flow & Congestion Control
• Flow control:
▫ Controls the amount of data sent
by the sender.
▫ Achieved by a "window”
mechanism
• Congestion control:
▫ Try to get to the maximum
throughput of the
communication line
time
CWND
Min = MSS
MAX = RWIN
Packet
Loss
Packet
Loss
Packet
Loss

TCP Message Structure
32 bits
FIN – Finish
SYN – Sync
RST – Reset
PSH – Push
ACK – Acknowledge
Ack numbers to
confirm data arrival
# of bytes rcvr is
willing to accept
In case of URG
pointer, indicates
the data location
Options
Numbering of sent
data
Port Numbers
Source Port # Destination Port #
Sequence number
Acknowledge number
Rcvr. Win. SizeH.Len
F
I
N
S
Y
N
R
S
T
P
S
H
A
C
K
U
R
G
E
C
E
C
W
R
N
S
R
S
V
checksum Urgent Pointer
Options
Application data (variable length)
ECE – Echo
CWR – Congestion
Window Reduced
NS – Nonce Sum

• The original TCP standard (RFC 793)
▫ For more efficient use of high bandwidth networks, a larger TCP window size may
be used.
▫ The TCP window size field controls the flow of data and was originally limited to
between 2 and 65,535 bytes.
• TCP Enhancements (RFC 1323):
▫ Since the size field cannot be expanded, a scaling factor is used.
▫ The TCP window scale option, as defined in RFC 1323, is an option used to increase
the maximum window size from 65,535 bytes to 1 Gigabyte.
▫ Scaling up to larger window sizes is a part of what is necessary for TCP Tuning.
Window Size Scaling

• Every option begins with a 1-byte kind
that specifies the type of option.
• The first two options (with kinds of 0
and 1) are single-byte options.
• The other three are multibyte options
with a len byte that follows the kind
byte.
• The length is the total length,
including the kind and len bytes.
The Options fields
Kind=0
End of Option List
Kind=1
No Operation
Kind=2
Maximum Segment Size
Len=4 MSS
Kind=3
Window Scale factor
Len=3 Shift
Count
Kind=8
Timestamp
Len=10 Timestamp Value Timestamp Echo reply
1 Byte

Maximum Segment Size
Kind=2 Len=4 MSS
Example
11-0a

Window Scale factor
Kind=3 Len=3 Shift
Count
X =
• The TCP window scale option is an option to increase the receive window size allowed
in TCP above its former maximum value of 65,535 bytes.
Example
11-0b

Timestamps
Kind=8 Len=10 Timestamp Value Timestamp Echo reply
• TSV is the Timestamp Value field.
▫ It is used in conjunction with sequence number to uniquely identify segments
(since sequence numbers may wrap).
• TSER is the Timestamp Echo Reply field.
▫ This is used in ACK messages. It holds a copy of the last TSV value received.
▫ It can be used for round trip time estimation (RTT = current time - TSER).
Example
11-0c

TCP Message – Example

• Connectivity means:
▫ Before sending data – creates connection (3
way handshaking)
▫ Transfer data (will be discussed later in this
Lesson)
▫ After data was sent – close connection
The Connectivity Mechanism
S R

Connections State Machine
CLOSED
SYN-SENTSYN-RECEIVED
ESTABLISHED
FIN-WAIT-1
FIN-WAIT-2
LISTEN
CLOSING
TIME-WAIT
CLOSE-WAIT
LAST-ACK
Active Open
Set Up TCB
Send SYN
Passive Open
Set Up TCB
Receive SYN
Send SYN+ACK
Receive
ACK
Receive
SYN+ACK
Send ACK
Close
Send FIN
Receive FIN
Send ACK
Receive
ACK for FIN
Receive FIN
Send ACK
Receive ACK for
FIN
Receive FIN
Send ACK Timer
Expired
Wait for Application Close
Send FIN
Open –
Initiator Sequence
Open –
Responder Sequence
Receive SYN
Send ACK
Simultaneous Open
Close –
Responder Sequence
Close –
Initiator Sequence
Simultaneous Close
TCB – Transmission Control Block

• Client end system sends TCP SYN control segment
to server
▫ Specifies initial seq #
TCP Connectivity –
Opening Connection
• Server end system receives SYN, replies with SYN-
ACK control segment
▫ ACKs received SYN
▫ Allocates buffers
▫ Specifies server (receiver) initial seq. #
• Client end system replies with ACK control segment
▫ Confirms the connection and the numbers
received to the server
S R

TCP Connectivity – Opening Connection (1)
Source port – 4657
Destination port – 80
Initial sequence number – 1407979388
Next expected sequence number (Ack field) - 1407979389
S R

Source port – 80
Next expected sequence number (Ack field) –
4288471014
Ack number - 1407979389
S R

Source port – 4657
Next expected sequence number (Ack field) – 1407979389
Ack number - 4288471014
S R

• Closing a connection is a two-way handshake,
which is done as follows:
1. Client send request to close connection
2. Server replies with Ack, client connection closed
TCP Connectivity – Connection
Termination
C S
• In most cases, since TCP works in a full
duplex mode, the connection will be closed
from both sides.
1. Server send request to close connection from his side
2. Client replies with Ack, server close connection

TCP Connectivity – Closing Connection (1)

TCP Connection Management

TCP Window Mechanism - Stop & Wait
(b) Frame loss
A
B
frame
0
frame
1
ACK
frame
1
ACK
time
Time-out
frame
2
(c) ACK loss
A
B
frame
0
frame
1
ACK
frame
1
ACK
time
Time-out
frame
2
ACK
(a) All Frames arrives
A
B
frame
0
frame
1
ACK
frame
2
ACK
time
frame
3
ACK
No Longer in Use

TCP Window Mechanism – Go-Back-N
fr
0
timefr
1
fr
2
fr
3
fr
4
fr
5
fr
6
fr
3
A
C
K
1
Error
Out-of-sequence frames
fr
5
fr
6
fr
4
fr
7
fr
8
fr
9
A
C
K
2
A
C
K
3
A
C
K
4
A
C
K
5
A
C
K
6
A
C
K
7
A
C
K
8
A
C
K
9
Time-out
Frame #3 is retransmitted,
With all the following frames
Widely in use,
with improvements

TCP Window Mechanism – Selective Repeat
A
B
fr
0
timefr
1
fr
2
fr
3
fr
4
fr
5
fr
6
fr
2
A
C
K
1
error
fr
8
fr
9
fr
7
fr
10
fr
11
fr
12
A
C
K
2
N
A
K
2
A
C
K
7
A
C
K
8
A
C
K
9
A
C
K
1
0
A
C
K
1
1
A
C
K
1
2
A
C
K
2
A
C
K
2
A
C
K
2
Time-out
Widely in use,
with improvements

Selective Repeat (SACK Option, TCP)
Example
11-0d

Selective Ack
Example
11-0e

Selective Ack (Cont.)

Flow Control - Performance
Window Size [Bytes] = Throughput [Bytes/Sec] X RTT [Sec]
When: W < BW X DELAY
Inefficiency
When: W > BW X DELAY
Queuing in intermediate device
Potential packet loss
Throughput[Bps]
Delay [Sec]

Flow Control - Performance
Throughput = 0.7 * MSS / (RTT * Sqrt(PLR))
MSS - Maximum Segment Size (Bytes)
RTT - Round Trip Time (Sec)
PLR - Packet Loss Ratio (%)
Packet Loss Ratio (%)
Throughput(Mbps)
In the diagram:
MSS – 1400Bytes
RTT – 10mSec
PLR – from 0.01% to 0.03%
Throughput – up to 1MBps

for troubleshooting
come from and why
Chapter Content
order packet events
Case studies

UDP Preferences
Edit  Preferences:

TCP Preferences
Edit  Preferences:

for troubleshooting
come from and why
Chapter Content
order packet events
Case studies

UDP Message Example
SP: 61379  DP: 53
SP: 53  DP: 61379

UDP Statistics
Statistics  Conversations:

Follow UDP Stream

for troubleshooting
come from and why
Chapter Content
order packet events
Case studies

Some Guidelines
Look for
irrefutable
evidence
of the
cause
Study a
specific
instance of
that
symptom
Look at
one
symptom
at a time

1. Connectivity problems can happen due to:
a) No response from the destination
b) Firewall of another security device that blocks
communications
c) Bad performance to the point that communications is not
possible
TCP Retransmissions – Why They Happen
2. Performance problems can happen due to:
a) Network bottlenecks
b) Non-responsive servers or clients
c) Non-responsive application
d) Delay variations (Jitter)

Connectivity problems (1a):
No response from the destination
Open the exercise file.
What was the problem here?
Example
11-1

Connectivity Problem (1b):
Security device that blocks communications
Open the exercise file. It was not possible to
connect to the Camera server 82.80.120.135.
What was the problem here?
Example
11-2

Connectivity Problems (1c):
Bad performance to the point of connectivity
Example11-3
Massive
retransmissions

Connectivity Problems (1c) (Cont.):
Bad performance to the point of connectivity
What is unique?
Why can it happen?
What should we look for?
~2.5Sec
~2.5Sec
~2.5Sec

What do we see here?
Standard SYN/ACK
SYN/ACK with Selective Ack

What (else..) do we see here?
Very small receiver
window size

Performance problems (2a):
Network Bottlenecks
1250-1300
Pkts/Sec
10Mbits/Sec
Retransmissions
Example
11-4

Performance problems:
Network Bottlenecks (Cont.)
10MBytes (sequences) per 10 seconds
= 10Mbits/Sec
Fix and stable
window size  no
window issues

Performance problems (2b)
Non-responsive server (or application/s)
Is it the server or specific application?
Example 11-5
Single steam  slow application

Performance problems (2b)
Non-responsive server (or application/s)
Example 11-6

Performance problems (2c):
Non-responsive application
What is unique?
Why can it happen?
Example
11-7

Performance problems (2d):
Delay variations (Jitter)
Example
11-8

Performance problems (2d):

Performance problems (Cont.):
Example
11-9

Example #1: Typical Connection Problems
Connection not opened to
81.218.31.171
(SYN / SYN / SYN)
Connection opened to
108.160.163.43
SYN / SYN-ACK / ACK

Example #2 – Application Freeze
Five
consecutive
retransmiss
ions
A new
connection
established
Time intervals
increase with
every
retransmission

for troubleshooting
come from and why
Chapter Content
order packet events
Case studies

• Happens when:
▫ Lost frame (RTO Expires)
• Cause:
▫ Slow server/PC
▫ Errors / Packet loss
▫ Sudden increase in delay
What Can the Reasons for
Retransmissions?

RTO Calculations
• Jacobson algorithm:
▫ rtt = (1-a)old_rtt + a curr_rtt
▫ mdev = (1-b)old_mdev + b curr_mdev
▫ rto = rtt + 4 * mdev
▫ a = 1/8, b = ¼ (a,b Constants)
1.000.200.100.100.100.30000.7000
0.900.200.100.100.100.28750.6875
0.800.200.100.100.100.27500.6750
0.700.200.100.100.100.26250.6625
0.600.200.100.100.100.25000.6500
0.500.200.100.100.100.23750.6375
0.400.200.100.100.100.22500.6250
0.300.200.100.100.100.21250.6125
0.200.200.100.100.100.20000.6000
0.100.200.100.100.100.18750.5875
current-rttold-rtt
current-
mdevold-mdevmdevrttrto
http://ee.lbl.gov/papers/congavoid.pdf

The Result - Retransmissions
Example
11-10

Retransmissions – What are they?
Example
11-10

What we see in the IO Graph
3 retransmissions
between 2 and 3
seconds

Performance problems (Cont.):
Delay variations (Jitter) – TCP RTO/RTT
Example
11-10

for troubleshooting
come from and why
Chapter Content
order packet events
Case studies

What are DupAck’s (Duplicate Ack’s)
and Fast Retransmissions? Example
11-10

Fast Retransmission – Example #2

for troubleshooting
come from and why
Chapter Content
order packet events
Case studies

Previous Segment Lost

What Happened Here?
SYN, SEQ=0
SYN ACK, SEQ=0, ACK=1
ACK, SEQ=1, ACK=1
PKT 1604
PKT 1720
PKT 1721
212.150.83.94 62.189.244.254
SEQ=1, N-SEQ=778, ACK=1
PKT 1722
SEQ=1, ACK=778
PKT 1845
SEQ=553, ACK=778
PKT 1846
Previous
Segment Lost
SEQ=778, ACK=1
PKT 1847DupACK (1722)
PKT 1848
TCP
Out-Of-Order
SEQ=778, ACK=554
PKT 1849

And this is What We See

TCP Out-Of-Order Packet

What Happened Here?
SYN, SEQ=0
SYN ACK, SEQ=0, ACK=1
ACK, SEQ=1, ACK=1
PKT 1604
PKT 1720
PKT 1721
212.150.83.94 62.189.244.254
PKT 1722
SEQ=1, ACK=778
PKT 1845
SEQ=553, ACK=778
PKT 1846
Previous
Segment Lost
SEQ=778, ACK=1
PKT 1847DupACK (1722)
PKT 1848
TCP
Out-Of-Order
SEQ=778, ACK=554
PKT 1849

for troubleshooting
come from and why
Chapter Content
Previous segment loss & out-
of-order packet events
Case studies

TCP Window Messages –
the Sliding Window Mechanism
• In TCP, the receiver specifies the current window size in
every packet. Because TCP provides a byte-stream
connection, window sizes are expressed in bytes.
• A window is the number of data bytes that the sender is
allowed to send before waiting for an acknowledgment.
• Initial window sizes are indicated at connection setup,
but might vary throughout the data transfer to provide
flow control.

• TCP ZeroWindow - Occurs when a receiver advertises a receive window size of zero.
• TCP ZerowindowProbe - The sender is testing to see if the receiver's zero window
condition still exists by sending the next byte of data to elicit an ACK from the
receiver.
• TCP ZeroWindowViolation - The sender has ignored the zero window condition of the
receiver and sent additional bytes of data.
• TCP WindowUpdate - This indicates that the segment was a pure WindowUpdate
segment.
• TCP WindowFull - This flag is set on segments where the payload data in the segment
will completely fill the RX buffer on the host on the other side of the TCP session.
TCP Window Messages

Window Problem Example
Number of Zero
windows between 8-
16 seconds
Example
11-13

Zero Window Problem

for troubleshooting
come from and why
Chapter Content
Previous segment loss & out-
of-order packet events
Case studies

• Reasons for resets:
1. Firewall the blocks connection (3 SYNs)
2. Connection inactive
3. Application initiated
Reses and Why they Happen

Firewall the Blocks Connection
Example
11-14

for troubleshooting
come from and why
Chapter Content
order packet events
Case studies

Example – Retransmissions and DupACKs
Retransmissions
DupACKs

Multiple DupACKs
Duplicate Ack’s
number 46, 47, 48
…51 for packet
number 19022
Requesting for
sequence number
14593377
Response packet
(Fast
Retransmission)
Fast
Retransmission
with the requested
sequence number

Exercise #1 - What is Wrong Here?
What is wrong here (Example 10-12)?
What was the problem?

Summary
• In this lesson we talked about:
▫ Using Wireshark for TCP and UDP
▫ TCP and UDP preferences
▫ TCP retransmissions
▫ TCP DupACK’s and Fast Retransmissions
▫ TCP Resest
▫ How to discover L4 performance and connectivity problems

yoram@ndi-com.com
For More lectures, Courses & Keynote Speaking
Contact Me to:

Network analysis Using Wireshark Lesson 11: TCP and UDP Analysis

More Related Content

What's hot (20)

Similar to Network analysis Using Wireshark Lesson 11: TCP and UDP Analysis (20)

More from Yoram Orzach (20)

Recently uploaded (20)

Network analysis Using Wireshark Lesson 11: TCP and UDP Analysis