1 | P a g e
Wireshark Assignment: TCP
Submitted By: Paras Raj Pahari
1. What is the IP address and TCP port number used by the client computer (source) that is
transferring the file to gaia.cs.umass.edu? To answer this question, it’s probably easiest to
select an HTTP message and explore the details of the TCP packet used to carry this HTTP
message, using the “details of the selected packet header window” (refer to Figure 2 in the
“Getting Started with Wireshark” Lab if you’re uncertain about the Wireshark windows).
Solution:
31 3.113504 192.168.1.72 128.119.245.12 TCP 1514 [TCP segment of a reassembled PDU]
Frame 31: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits) on interface 0
Ethernet II, Src: IntelCor_67:84:f0 (4c:80:93:67:84:f0), Dst: Sagemcom_7b:4d:da (b0:b2:8f:7b:4d:da)
Internet Protocol Version 4, Src: 192.168.1.72, Dst: 128.119.245.12
Transmission Control Protocol, Src Port: 50443, Dst Port: 80, Seq: 2122, Ack: 1, Len: 1460
IP address of source: 192.168.1.72
Source TCP port Number: 50443
2. What is the IP address of gaia.cs.umass.edu? On what port number is it sending and
receiving TCP segments for this connection?
Solution:
31 3.113504 192.168.1.72 128.119.245.12 TCP 1514 [TCP segment of a reassembled PDU]
Frame 31: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits) on interface 0
Ethernet II, Src: IntelCor_67:84:f0 (4c:80:93:67:84:f0), Dst: Sagemcom_7b:4d:da (b0:b2:8f:7b:4d:da)
Internet Protocol Version 4, Src: 192.168.1.72, Dst: 128.119.245.12
Transmission Control Protocol, Src Port: 50443, Dst Port: 80, Seq: 2122, Ack: 1, Len: 1460
IP address of gaia.cs.umass.edu: 128.119.245.12
TCP port number used by gaia.cs.umass.edu: 80
3. What is the IP address and TCP port number used by your client computer (source) to
transfer the file to gaia.cs.umass.edu?
Solution:
31 3.113504 192.168.1.72 128.119.245.12 TCP 1514 [TCP segment of a reassembled PDU]
Frame 31: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits) on interface 0
Ethernet II, Src: IntelCor_67:84:f0 (4c:80:93:67:84:f0), Dst: Sagemcom_7b:4d:da (b0:b2:8f:7b:4d:da)
Internet Protocol Version 4, Src: 192.168.1.72, Dst: 128.119.245.12
Transmission Control Protocol, Src Port: 50443, Dst Port: 80, Seq: 2122, Ack: 1, Len: 1460
IP address of source: 192.168.1.72
Source TCP port Number: 50443
TCP Basics
Answer the following questions for the TCP segments:
4. What is the sequence number of the TCP SYN segment that is used to initiate the TCP
connection between the client computer and gaia.cs.umass.edu? What is it in the segment
that identifies the segment as a SYN segment?
Solution:
21 2.973840 192.168.1.72 128.119.245.12 TCP 66 50443 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4
SACK_PERM=1
Frame 21: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: IntelCor_67:84:f0 (4c:80:93:67:84:f0), Dst: Sagemcom_7b:4d:da (b0:b2:8f:7b:4d:da)
Internet Protocol Version 4, Src: 192.168.1.72, Dst: 128.119.245.12
Transmission Control Protocol, Src Port: 50443, Dst Port: 80, Seq: 0, Len: 0
Source Port: 50443
Destination Port: 80
[Stream index: 10]
[TCP Segment Len: 0]
Sequence number: 0 (relative sequence number)
Acknowledgment number: 0
Header Length: 32 bytes
Flags: 0x002 (SYN)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
[Expert Info (Chat/Sequence): Connection establish request (SYN): server port 80]
[Connection establish request (SYN): server port 80]
[Severity level: Chat]
[Group: Sequence]
.... .... ...0 = Fin: Not set
The sequence number of the TCP SYN segment that initiates the TCP connection between the
client computer and gaia.cs.umass.edu is 0 (Wireshark displays the relative sequence number).
The Syn flag set to 1 in the flags field (Flags: 0x002) is what identifies this segment as a SYN segment.
5. What is the sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the
client computer in reply to the SYN? What is the value of the Acknowledgement field in
the SYNACK segment? How did gaia.cs.umass.edu determine that value? What is it in the
segment that identifies the segment as a SYNACK segment?
Solution:
22 3.035304 128.119.245.12 192.168.1.72 TCP 66 80 → 50443 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460
SACK_PERM=1 WS=128
Frame 22: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: Sagemcom_7b:4d:da (b0:b2:8f:7b:4d:da), Dst: IntelCor_67:84:f0 (4c:80:93:67:84:f0)
Internet Protocol Version 4, Src: 128.119.245.12, Dst: 192.168.1.72
Transmission Control Protocol, Src Port: 80, Dst Port: 50443, Seq: 0, Ack: 1, Len: 0
Source Port: 80
Destination Port: 50443
[Stream index: 10]
[TCP Segment Len: 0]
Sequence number: 0 (relative sequence number)
Acknowledgment number: 1 (relative ack number)
Header Length: 32 bytes
Flags: 0x012 (SYN, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
[Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port 80]
[Connection establish acknowledge (SYN+ACK): server port 80]
[Severity level: Chat]
[Group: Sequence]
.... .... ...0 = Fin: Not set
The sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the client
computer in reply to the SYN is 0.
The value of the acknowledgement field in the SYNACK segment is 1.
The server gaia.cs.umass.edu determined that value by adding 1 to the initial sequence number
of the client's SYN segment: the server is acknowledging that it has received sequence number 0
and is now expecting the next sequence number, 1, from the client.
The segment is identified as a SYNACK segment because both the SYN and Acknowledgment flags
are set to 1 (Flags: 0x012).
6. What is the sequence number of the TCP segment containing the HTTP POST command?
Note that in order to find the POST command, you’ll need to dig into the packet content
field at the bottom of the Wireshark window, looking for a segment with a “POST” within
its DATA field.
Solution:
As shown in the figure, the POST command appears in the packet content field. The sequence
number of the segment containing the HTTP POST command is 1.
7. Consider the TCP segment containing the HTTP POST as the first segment in the TCP
connection. What are the sequence numbers of the first six segments in the TCP connection
(including the segment containing the HTTP POST)? At what time was each segment sent?
When was the ACK for each segment received? Given the difference between when each
TCP segment was sent, and when its acknowledgement was received, what is the RTT value
for each of the six segments? What is the EstimatedRTT value (see Section 3.5.3, page 239
in text) after the receipt of each ACK? Assume that the value of the EstimatedRTT is equal
to the measured RTT for the first segment, and then is computed using the EstimatedRTT
equation on page 239 for all subsequent segments.
Note: Wireshark has a nice feature that allows you to plot the RTT for each of the TCP
segments sent. Select a TCP segment in the “listing of captured packets” window that is being
sent from the client to the gaia.cs.umass.edu server. Then select: Statistics->TCP Stream
Graph->Round Trip Time Graph
Solution:
24 3.037245 192.168.1.72 128.119.245.12 TCP 715 50443 → 80 [PSH, ACK] Seq=1 Ack=1 Win=65700 Len=661
25 3.037798 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=662 Ack=1 Win=65700 Len=1460
26 3.038396 128.119.245.12 192.168.1.72 TCP 60 80 → 50406 [ACK] Seq=1 Ack=2 Win=229 Len=0
27 3.038499 128.119.245.12 192.168.1.72 TCP 60 80 → 50408 [ACK] Seq=1 Ack=2 Win=229 Len=0
28 3.038547 128.119.245.12 192.168.1.72 TCP 54 80 → 50407 [RST] Seq=1 Win=0 Len=0
30 3.113406 128.119.245.12 192.168.1.72 TCP 54 80 → 50443 [ACK] Seq=1 Ack=662 Win=30592 Len=0
31 3.113504 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=2122 Ack=1 Win=65700 Len=1460
32 3.113743 128.119.245.12 192.168.1.72 TCP 54 80 → 50443 [ACK] Seq=1 Ack=2122 Win=33536 Len=0
33 3.113788 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=3582 Ack=1 Win=65700 Len=1460
34 3.113798 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=5042 Ack=1 Win=65700 Len=1460
35 3.183655 128.119.245.12 192.168.1.72 TCP 60 80 → 50443 [ACK] Seq=1 Ack=3582 Win=36480 Len=0
36 3.183743 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=6502 Ack=1 Win=65700 Len=1460
37 3.183757 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=7962 Ack=1 Win=65700 Len=1460
38 3.190782 128.119.245.12 192.168.1.72 TCP 60 80 → 50443 [ACK] Seq=1 Ack=6502 Win=42240 Len=0
39 3.190846 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=9422 Ack=1 Win=65700 Len=1460
40 3.190858 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=10882 Ack=1 Win=65700 Len=1460
41 3.190868 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=12342 Ack=1 Win=65700 Len=1460
42 3.190873 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=13802 Ack=1 Win=65700 Len=1460
43 3.271689 128.119.245.12 192.168.1.72 TCP 60 80 → 50443 [ACK] Seq=1 Ack=9422 Win=48128 Len=0
44 3.271769 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=15262 Ack=1 Win=65700 Len=1460
45 3.271783 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [PSH, ACK] Seq=16722 Ack=1 Win=65700 Len=1460
Packets 24, 25, 31, 33, 34 and 36 are the first six segments in the TCP connection, including
the segment containing the HTTP POST.
Packets 30, 32, 35, 38 and 43 are the ACKs received for them.

Packet No  Segment    Sequence Number  Sent Time  ACK Received Time    RTT (sec)  Estimated RTT after ACK of segment received (sec)
24         Segment 1  1                3.037245   3.113406 (ACK 662)   0.076161   0.076161
25         Segment 2  662              3.037245   3.113743 (ACK 2122)  0.076498   0.076203125
31         Segment 3  2122             3.113504   3.183655 (ACK 3582)  0.070151   0.075446609
33         Segment 4  3582             3.113788   3.190782 (ACK 6502)  0.076994   0.075640033
34         Segment 5  5042             3.113798   3.190782 (ACK 6502)  0.076984   0.075808029
36         Segment 6  6502             3.183743   3.271689 (ACK 9422)  0.087946   0.077325275
The Estimated RTT values were calculated with the formula below (the EstimatedRTT equation
of Section 3.5.3, with a weight of 0.125 on the sample RTT):
Estimated RTT = 0.875*Estimated RTT + 0.125*Sample RTT
Estimated RTT after ACK of Segment 1 = 0.076161 sec
Estimated RTT after ACK of Segment 2 = 0.875*0.076161 + 0.125*0.076498 = 0.076203125 sec
Estimated RTT after ACK of Segment 3 = 0.875*0.076203125 + 0.125*0.070151 = 0.075446609 sec
Estimated RTT after ACK of Segment 4 = 0.875*0.075446609 + 0.125*0.076994 = 0.075640033 sec
Estimated RTT after ACK of Segment 5 = 0.875*0.075640033 + 0.125*0.076984 = 0.075808029 sec
Estimated RTT after ACK of Segment 6 = 0.875*0.075808029 + 0.125*0.087946 = 0.077325275 sec
ROUND TRIP TIME GRAPH
8. What is the length of each of the first six TCP segments?
Solution:
24 3.037245 192.168.1.72 128.119.245.12 TCP 715 50443 → 80 [PSH, ACK] Seq=1 Ack=1 Win=65700 Len=661
25 3.037798 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=662 Ack=1 Win=65700 Len=1460
26 3.038396 128.119.245.12 192.168.1.72 TCP 60 80 → 50406 [ACK] Seq=1 Ack=2 Win=229 Len=0
27 3.038499 128.119.245.12 192.168.1.72 TCP 60 80 → 50408 [ACK] Seq=1 Ack=2 Win=229 Len=0
28 3.038547 128.119.245.12 192.168.1.72 TCP 54 80 → 50407 [RST] Seq=1 Win=0 Len=0
30 3.113406 128.119.245.12 192.168.1.72 TCP 54 80 → 50443 [ACK] Seq=1 Ack=662 Win=30592 Len=0
31 3.113504 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=2122 Ack=1 Win=65700 Len=1460
32 3.113743 128.119.245.12 192.168.1.72 TCP 54 80 → 50443 [ACK] Seq=1 Ack=2122 Win=33536 Len=0
33 3.113788 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=3582 Ack=1 Win=65700 Len=1460
34 3.113798 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=5042 Ack=1 Win=65700 Len=1460
35 3.183655 128.119.245.12 192.168.1.72 TCP 60 80 → 50443 [ACK] Seq=1 Ack=3582 Win=36480 Len=0
36 3.183743 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=6502 Ack=1 Win=65700 Len=1460
Segment    Sequence Number  Length in Bytes
Segment 1  1                661
Segment 2  662              1460
Segment 3  2122             1460
Segment 4  3582             1460
Segment 5  5042             1460
Segment 6  6502             1460
9. What is the minimum amount of available buffer space advertised at the receiver for the
entire trace?
Solution:
21 2.973840 192.168.1.72 128.119.245.12 TCP 66 50443 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4
SACK_PERM=1
22 3.035304 128.119.245.12 192.168.1.72 TCP 66 80 → 50443 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460
SACK_PERM=1 WS=128
23 3.035466 192.168.1.72 128.119.245.12 TCP 54 50443 → 80 [ACK] Seq=1 Ack=1 Win=65700 Len=0
24 3.037245 192.168.1.72 128.119.245.12 TCP 715 50443 → 80 [PSH, ACK] Seq=1 Ack=1 Win=65700 Len=661
25 3.037798 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=662 Ack=1 Win=65700 Len=1460
The minimum amount of available buffer space advertised at the receiver for the entire trace
is the receive window that gaia.cs.umass.edu advertises in the first SYNACK segment (Win=29200).
It is 29200 bytes.
10. Are there any retransmitted segments in the trace file? What did you check for (in the
trace) in order to answer this question?
Solution:
No, there were no retransmitted segments in the trace file. I checked for repeated entries for
segments with the same sequence number, but there was no such repetition.
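The two checks above, the sample RTT / Estimated RTT table of question 7 and the repeated-sequence-number test of question 10, as an added Python example that is not part of the original assignment. It parses the packet-list lines quoted on this page (copied into the block as constructed input, plus one constructed duplicate line to exercise the retransmission check) and pairs each client data segment with the first server ACK that covers it; the function names are my own, and because the code reads each segment's own send timestamp, the second sample uses packet 25's time of 3.037798 and comes out as 0.075945, so the later estimates differ slightly from the table above.

```python
"""Added example (not the assignment's own code): parse the Wireshark packet-list
lines quoted on this page and reproduce two of its checks: the sample RTT /
EstimatedRTT table of question 7 and the repeated-sequence-number test of
question 10.  ALPHA is the 0.125 weight from the EstimatedRTT formula above."""
import re
from collections import namedtuple

ALPHA = 0.125  # EstimatedRTT = (1 - ALPHA) * EstimatedRTT + ALPHA * SampleRTT

# Constructed input: packet-list lines copied from this page (stream 50443),
# plus packet 26 from an unrelated stream so the port filter has something to drop.
PACKET_LIST = """\
24 3.037245 192.168.1.72 128.119.245.12 TCP 715 50443 → 80 [PSH, ACK] Seq=1 Ack=1 Win=65700 Len=661
25 3.037798 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=662 Ack=1 Win=65700 Len=1460
26 3.038396 128.119.245.12 192.168.1.72 TCP 60 80 → 50406 [ACK] Seq=1 Ack=2 Win=229 Len=0
30 3.113406 128.119.245.12 192.168.1.72 TCP 54 80 → 50443 [ACK] Seq=1 Ack=662 Win=30592 Len=0
31 3.113504 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=2122 Ack=1 Win=65700 Len=1460
32 3.113743 128.119.245.12 192.168.1.72 TCP 54 80 → 50443 [ACK] Seq=1 Ack=2122 Win=33536 Len=0
33 3.113788 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=3582 Ack=1 Win=65700 Len=1460
34 3.113798 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=5042 Ack=1 Win=65700 Len=1460
35 3.183655 128.119.245.12 192.168.1.72 TCP 60 80 → 50443 [ACK] Seq=1 Ack=3582 Win=36480 Len=0
36 3.183743 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=6502 Ack=1 Win=65700 Len=1460
37 3.183757 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=7962 Ack=1 Win=65700 Len=1460
38 3.190782 128.119.245.12 192.168.1.72 TCP 60 80 → 50443 [ACK] Seq=1 Ack=6502 Win=42240 Len=0
43 3.271689 128.119.245.12 192.168.1.72 TCP 60 80 → 50443 [ACK] Seq=1 Ack=9422 Win=48128 Len=0
"""

# One Wireshark "Info"-style line; Ack= is absent on SYN and RST segments.
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\d+)\s+→\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]\s+Seq=(?P<seq>\d+)"
    r"(?:\s+Ack=(?P<ack>\d+))?\s+Win=(?P<win>\d+)\s+Len=(?P<len>\d+)"
)

Packet = namedtuple("Packet", "no time src dst sport dport flags seq ack win length")
RttSample = namedtuple("RttSample", "packet seq sent acked_by ack_time rtt")


def parse_packet_list(text):
    """Parse packet-list lines into Packet tuples; non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(
            no=int(m["no"]), time=float(m["time"]), src=m["src"], dst=m["dst"],
            sport=int(m["sport"]), dport=int(m["dport"]),
            flags=[f.strip() for f in m["flags"].split(",")],
            seq=int(m["seq"]), ack=int(m["ack"]) if m["ack"] else None,
            win=int(m["win"]), length=int(m["len"]),
        ))
    return packets


def sample_rtts(packets, client_port, count):
    """Pair the first `count` client data segments with the earliest later server
    ACK whose acknowledgment number covers the whole segment (ack >= seq + len);
    two segments covered by one cumulative ACK share that ACK's timestamp."""
    data = [p for p in packets if p.sport == client_port and p.length > 0][:count]
    acks = [p for p in packets if p.dport == client_port and p.ack is not None]
    samples = []
    for seg in data:
        for a in acks:
            if a.time > seg.time and a.ack >= seg.seq + seg.length:
                samples.append(RttSample(seg.no, seg.seq, seg.time, a.no, a.time,
                                         round(a.time - seg.time, 6)))
                break
    return samples


def estimated_rtts(samples, alpha=ALPHA):
    """Exponentially weighted moving average of the sample RTTs; the first
    estimate is taken equal to the first sample, as the question instructs."""
    est = []
    for s in samples:
        est.append(s if not est else (1 - alpha) * est[-1] + alpha * s)
    return est


def find_retransmissions(packets, client_port):
    """Packet numbers of data segments whose (sender, seq) was already seen in the
    stream: the repeated-sequence-number check used to answer question 10."""
    seen, repeats = set(), []
    for p in packets:
        if client_port not in (p.sport, p.dport) or p.length == 0:
            continue
        if (p.src, p.seq) in seen:
            repeats.append(p.no)
        seen.add((p.src, p.seq))
    return repeats


# Constructed line, not in the trace: packet 25's segment sent a second time,
# as it would appear if that 1460-byte segment had been retransmitted.
RETRANSMIT_LINE = ("46 3.400000 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 "
                   "[ACK] Seq=662 Ack=1 Win=65700 Len=1460\n")
```

Calling `sample_rtts(parse_packet_list(PACKET_LIST), 50443, 6)` returns the six (segment, covering ACK) pairs 24/30, 25/32, 31/35, 33/38, 34/38 and 36/43, the same pairing as the table above.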
4. TCP congestion control in action (For your reference)
We can see the action of TCP congestion control from Wireshark.
Select a TCP segment in the Wireshark’s “listing of captured-packets” window. Then select the
menu: Statistics->TCP Stream Graph-> Time-Sequence-Graph (Stevens). You should see a plot
that looks similar to the following plot, which was created from the captured packets in the
packet trace tcp-ethereal-trace-1 in http://gaia.cs.umass.edu/wireshark-labs/wireshark-trace.zip.
Here, each dot represents a TCP segment sent, plotting the sequence number of the segment versus the time at
which it was sent. Note that a set of dots stacked above each other represents a series of packets that were sent
back-to-back by the sender.
Time Sequence Graph (Stevens) from the captured packets of my experiment.
