Professional Documents
Culture Documents
Mawadda S. Abuhamda
Author Note
captured data for a few minutes while doing things for school and work. One thing I had open
was a VPN connection to a virtual machine for my work. There were a lot of TCP packets
because of that and a lot of TLSv1 Application Data packets. The application packets were from
my work’s IP to my IP. The TCP packets were from my IP to my work’s IP. I recognized the
destination IP, which further confirmed that it was from the VM I had open for work.
address. I wanted to see what it belonged to, so I pinged it. I got a reply, so I decided to type it
into my web browser. It turned out to be Google’s homepage. The packet right after it was a
packet with a source IP of my address and a destination IP of Google. They were both UDP
packets. When I opened the packets, I saw that the source port for the first one was 443 and the
destination port was 65091. I remember learning about ephemeral ports, so I knew that the
destination port wouldn’t be 443 even though the connection is secure. The second packet, which
was from my computer to Google, had a source port of 65091 and a destination port of 443,
which just showed that the connection was continuing. There were many other packets with
Google’s IP as either the source or destination in my capture. I didn’t visit Google’s homepage at
all, so I think the packets were just the result of me using Google Chrome as my browser.
researched them and found out that if a TCP packet is lost or damaged the first time, it
retransmits again. The packet right after that was a D-SACK packet, which means that it notified
the sender of the retransmission. There were also a few TCP spurious retransmission packets
which means that the receiver acknowledged that it received the packets, but not before the
There were also two TCP packets from Slack to my IP and from my IP to Slack. I almost
There were also many packets that used the QUIC protocol, which is a protocol designed
Some useful things I noticed in general about Wireshark is that it shows you the exact
time and date that individual packets were captured. It also shows you the time between a packet
and the one right before it. These things can be very helpful during investigations.
LIVE DATA CAPTURE 4
References
Jasper. (2015, June 4). TCP SACK in capture shows range of previous segments instead of
ask.wireshark.org/questions/42878/tcp-sack-in-capture-shows-range-of-previous-
segments-instead-of-subsequent
https://www.javatpoint.com/tcp-retransmission
Luttgens, J. T., Pepe, M., & Mandia, K. (2014). Incident Response & Computer Forensics, Third
Reprakash, A. (2015, April 10). What are TCP Spurious Retransmissions? Retrieved from IT
Blogtorials: https://ithitman.blogspot.com/2015/04/what-are-tcp-spurious-
retransmissions.html