Understanding TCP Segments

Note: Everything must be typed and drawn via computer!


A-   Download Example A file. Answer the following questions:

1-    Consider Frame 1. How large is it in terms of number of bytes?

2-    Using the Flow Graph feature (Statistics -> Flow Graph) take a snap shot of your results.

3-    In frame 2 which flags are set?

4-    What is the average window size in this connection?

5-    Using Statistics ->TCPStreamGraph -> Window plot the announced window sizes.

6-    Go to Edit -> Preference -> Protocols -> TCP and uncheck the box next to Relative Sequence Number & Window Scaling. What happens? Make sure it is Checked.

7-    Carefully observe the timing between packets. How is transmission time of Frames 3, 4, & 5 changing? Explain what is happening.

8-    What are the key differences between Frames 4 and 5?

9-    Go to Statistics -> TCPStreamGraph -> TimeSequenceGraph. What do you see? Show your plot.

10- Plot the throughput graph for this connection. What is happening?

11- Go to Coloring Rules. Select Bad TCP. Note the conditions. Change the Foreground to RED and Background to YELLOW. What happens?


B-   Download Example B file. Answer the following questions. Make sure the Relative Sequence Number is unchecked as explained above.

1.     Using a timing diagram show all the TCP segments exchanged between the source and destination. You must include Seq#, Data Size, ACK#, for each TCP segment. You graph will be a more detailed version of what you see using Statistics -> Flow Graph.

2.     Explain what the relationship between ACK and Seq# is.

3.     What type of application the client is trying to access in this case.

4.     How many retransmission packets (if any) are in this connection?

5.     Try to filter tcp.analysis.flags. What happens?

6.     Explain why sends so many duplicated packets. What is it expecting? Be specific. You can use FlowGraph results.

7.     Explain how the Seq# is calculate in Frame 9.


C-   Download Example C file. Answer the following questions. Make sure the relative timing between packets is set.

1.     How does Wireshark know a TCP segment is a KeepAlive segment?

2.     Explain how often the KeepAlive packets are transmitted.

3.     How many bytes are in a KeepAlive segment. Explain. Note that the LEN is zero!

4.     What is the purpose of transmitting Frame 4 and 6?

5.     What happens after receiving a KeepAlive Packet? What does the node do?



D- Download Example D file. Answer the following questions. Assume is the attacker and is the victim. Make sure the relative timing between packets is set.

    1. Go to Statistics -> Conversations:TCP. Are majority of packets flowing from attacker to the victim or victim to the attacker?
    2. How many TCP Sessions are captured in this file?
    3. Which port the attacker is targeting in the first SYN frame? Using the List of Internet Socket Port Number which protocol is this port associated with?
    4. How can we filter all TCP segments going to destination port 443? In this case, how many packets will yield as the result?
    5. Is port 443 on the victim available or not or we cannot really tell? In other words, is this port responding?
    6. How can we filter all TCP segments going to destination port 113? Which protocol is this port associated with? What is the purpose of this protocol?
    7. Draw the timing diagram for all packets exchanged between the two nodes from/into port 113. Note that you can take a snapshot of the results from Statistics -> FlowGraph after you filter the packets.
    8. What is the status of port 13 on the victim? How do you know?
    9. Using the Conversation window in Wireshark sort all the TCP conversations by the highest value of packet numbers (Click on Packets). Which port on the victim machine are definitely available and responding?
    10. In general, what do you think the attacker is trying to do to the victim machine?
    11. What is the Stream Index of frame number 13?
    12. How do you filter TCP Stream Index number 12? Note that conversation number is (1 + TCP Stream Index number)
    13. Explain what exactly is happening in TCP Session 12. Show the timing diagram for this session. How does this session ends, eventually?
    14. Looking at all the packets captured, how long after the first packet the peak traffic occurred? Note: You must use IO Graph. What was the peak traffic at this point?
    15. At what exact time of the day the scanning occurred?
    16. What is the status of HTTP port on the victim?
    17. Which TCP Stream number was used to examine the HTTP port?
    18. How many ports are checked for FTP? Explain why.

    ------------- UP TO HERE -------------

Programing Section: Write a program that can implements Dijkstra algorithm. You can assume your network is limited to 6 nodes and 10 links. The link costs can be anything. The program must work for any network configuration. As you run the program, it must show the path to reach every other node in the network. At the end of the program, you must show the number of times the program (loops) were executed. You can use any programming language you wish.

Download Example E file. Use this for class exercise only!