Professional Documents
Culture Documents
Procedures
1: Open Wireshark and set up our privacy filter so that you display only DNS traffic to or from
your computer (Filter: dns && ip.addr==<your IP address>).
3:The query packet on Wireshark. a bunch of bytes (70-75 bytes) listed as the actual packet
contents the actual packet contents in the bottom Wireshark window. The bytes at offsets up to
number 33-34 are generated by the lower-level protocols.
4:Wireshark probably shows the UDP checksum as “Validation Disabled”. Why is that?
Yes. The reason is that Wireshark is very often used to capture the network frames of the same
PC that is running Wireshark. This usually results in the checksums of outgoing frames being
incorrect since they are only calculated for transmission by the network card after they were
already recorded by Wireshark. To avoid constant "checksum error" messages it was decided to
have the checksum validation disabled by default.
5:Save your capture file. Restrict the range of saved packets to only those in the DNS query.
Step 2: TCP
7:Download and save a copy of Geoffrey Chaucer's Canterbury Tales and Other Poems from the
Project Gutenberg website1. Grab the Plain Text UTF-8 version:
http://www.gutenberg.org/ebooks/2383.txt.utf-8
8:Clear out Wireshark and start a new capture.
9: upload the file. The point of this exercise is to capture a lengthy TCP stream which originates
at your computer. http://www.ini740.com/Lab2/lab2a.html
Client :
IP->10.0.2.7
PORT->58014
Server:
IP->128.2.131.88
PORT->80
13: “listing of captured packets” information about the TCP segments .
14:What is the sequence number of the TCP SYN segment that is used to initiate the TCP
connection?
ANS: 0
Wireshark uses relative sequence numbers by default. Can you obtain absolute sequence
numbers instead? How?
Ans-> Yes.To disable relative sequence numbers and instead display them as the real absolute
numbers, go to the TCP preferences and untick the box for relative sequence numbers.
15:What is the sequence number of the SYNACK segment sent by the server in reply to the SYN?
What is the value of the Acknowledgement field in the SYNACK segment?
Ans= sequence number 1
16: What is the sequence number of the TCP segment containing the HTTP POST command?
19:Are there any retransmitted segments? What did you check for (in the trace) to answer this
question?
There are no retransmitted segments in the trace file. We can verify this by checking the sequence
numbers of the TCP segments in the trace file.
20:How much data does the receiver typically acknowledge in an ACK? Can you identify cases
where the receiver is delayed ACKing segments? Explain how or why not.
Ans :Window size value: 64240 ,Yes. The acknowledgment number indicates which byte in the
stream is expected next and thus which bytes have been received. This enables the original
sender to determine which of its sent segments have been received and which ones need
retransmitting.
21:What is the throughput (bytes transferred per unit time) for the TCP connection?
Explain how you calculated this value.
I looked to the FINACK packet which shows a acknowledgement number of 361, meaning that 361
bytes were acknowledged .The time on this message is 8.367347461. So an approximate average
throughput can be calculated as 361 bytes/ 8.367347461seconds ≈ 4.3143 MBps (mega bytes per
second) for this connection. See the below screenshot.
Step 2c: Statistics
22:What is the most common TCP packet length range? What is the second most common TCP
packet length range? Why is the ratio of TCP packets of length < 40 bytes equal to zero? Describe
what actions you took to get answers to these questions from Wireshark.
Range :20byte ,the tcp header adding upto 40bytes. Because this is smaller than ethernet’s
minimum payload size of 46 bytes.
23: What average throughput did you use in Mbps? How many packets were captured in the packet
capture session? How many bytes in total? Explain your methods.
Average throughput is the total payload over the entire session divided by the total time. Total
time is calculated by taking the difference in timestamps between the first and last packet.
Avg throughput:- 427/19.49934sec=21.8981sec
427 packets are captured.
24:A conversation represents a traffic between two hosts. With which remote host did your
local host converse the most (in bytes)? How many packets were sent from your host? How
many packets were sent from the remote host?
The remote host is ->128.2.131.88
Packets sent from host is:142
Sent from the remote host:93
25:Select a TCP segment in the Wireshark’s “listing of captured-packets” window. Then select the
menu: Statistics ➙ TCP Stream Graph ➙ Time-Sequence- Graph (Stevens).
26:Use the Time-Sequence-Graph (Stevens) plotting tool to view the sequence number versus time
plot of segments being sent. Can you identify where TCP’s slowstart phase begins and ends, and
where congestion avoidance takes over? Comment on ways in which the measured data differs from
the idealized behavior of TCP that we’ve studied in the text. Make sure to include a copy of the plot
in your report.
In the below grapg the slow start is from (4.9 to 5.1) and from( 5.7 to 5.9)
Step 4: The Network Layer
27:Load the capture file that you saved in step 1. Recall that this was a simple DNS query, carried
in a UDP packet.
29:Most of the fields should match up and make perfect sense. Verify the Datagram Length,
Upper-layer protocol and the IP address fields.
In UDP the packet length is 55 and in network layer the total length of the packet is 120
in that the header length is 20 byte
In network layer src IP=127.0.0.53 and Dst:127.0.0.1
And in lower layer protocal source port =53
DST port =36204
30:Are there any interesting features of the data in the identifier/flags/offset fields?
Yes , there are interesting features of the data in the flags the fields like Reserverd bit ,Don’t
fragments, more fragments .And the fragment off set is set to 0
31:In class, we discussed the TTL field and determined that we didn’t know a good way to set
this. What does your OS set this field to? BTW, please document in this question what your OS
and OS version are.
In this device the Time to live value set by the OS is :64 .
OS :’Ubuntu‘ and Version :Ubuntu 20.04.3 LTS
ICMP
32:Start a new capture, with the display filter showing only packets sent to or from your computer
(i.e. “ip.addr==<ip address>”)
33:In a terminal window, execute the traceroute utility to trace from your computer to
www.cmuj.jp . Do whatever you can to get a traceroute consisting of about a dozen steps.
34:Stop the capture and take a look at what you found.
35: What are the transmitted segments like? Describe the important features of the segments
you observe. In particular, examine the destination port field. What characteristics do you
observe about this port number and why would it be chosen so?What about the return packets?
What are the values of the various header fields?
Port number :
Src:40676
Dst:33434
The value’s of various header are:
Header checksum :0x2fee
Header length :20 bytes
36: What about the return packets? What are the values of the various header fields?
Internet Control Message Protocol (ICMP) is used by the network layer to relay information about its
status. If an IP packet doesn't arrive, then ICMP can be used to return the IP packet to its source with an
error message.
ICMP creates and sends messages to the source IP address indicating that a gateway to the internet, such
as a router, service or host, cannot be reached for packet delivery. Any IP network device has the
capability to send, receive or process ICMP messages.
38: Lab1 asserted that ping operates in a similar fashion to traceroute. Use Wireshark to show the degree
to which this is true. What differences and similarities are there between the network traffic of ping
versus traceroute?