
Assignment 1

Computer Networks Assignment


Wireshark

Arjun Purushothaman
B090141EC S6 EC A batch

Question: Use the web browser to access the homepage of www.google.com. Use Wireshark to capture the packets arriving at your computer. In the server packet trace you'll find the packets that were generated by your own access of the web server. Analyse the server-side and client-side traces to explore aspects of TCP. In particular, you'll evaluate the performance of the TCP connection between the computer and the web server. Trace the TCP window behaviour, and infer packet loss, retransmission, flow control, congestion control behaviour and estimated round-trip time.

ANSWER

Web browser used: Mozilla Firefox
Capture software: Wireshark

Procedure:

1. Open Wireshark. Set the capture interface, uncheck the "Capture packets in promiscuous mode" option and check the "Enable network name resolution" box.
2. Open the web browser. Start the capture in Wireshark. Load the webpage www.google.com.
3. The Ethernet frames containing the HTTP messages from www.google.com are captured by Wireshark. Analyse the packets by filtering on the TCP and DNS protocols.

Screenshot of Wireshark GUI

The first packet that is sent is from the source 202.164.134.17 to the destination www.google.com. This TCP packet has source port number 49881 and destination port 80 (HTTP). The relative sequence number of this packet is 0 and the header length is 32 bytes. The packet-header details window provides details about the packet selected in the packet listing window. A screenshot showing the packet details of the first packet initiating the connection from client to server (the handshake packet) is as shown:

The packet contents window displays the entire contents of the captured frame in both ASCII and hexadecimal format. Even though the only action taken was to download a webpage, there may be many other protocols running that are oblivious to the user (like automatic updates), and packets associated with them also appear in the packet listing window. In order to display and analyse only the TCP packets in the packet listing window, enter tcp in the packet-display filter field. The first HTTP message is the HTTP GET request that was sent from the computer to the HTTP server hosting www.google.com. This HTTP GET message is actually contained within a TCP segment, which is contained in an IP datagram, which is encapsulated in an Ethernet frame. Each webpage is composed of numerous objects along with the basic HTML file. Downloading an object requires the client to send the corresponding HTTP GET request. The leftmost column of the packet listing window is the No. of the packet as counted by Wireshark. This is not the sequence number assigned by any protocol. The time field denotes the time of capture of the packet since the start of the capture session.
DNS Request and Response

Domain Name System (DNS) is used for resolving host names and domain names to IP addresses. When we type www.google.com it is translated into an IP address via special queries that take place from the PC. A DNS query is generated when the client needs to resolve a domain name into an IP address. This is the result of entering "www.nitc.ac.in" in the URL field of the web browser. DNS works on destination port 53. Here the source port is 58744. The protocol used for the DNS query is UDP (User Datagram Protocol).

The next packet is the standard query response from 3.238.88.202.asianet.co.in to the host. The computer now knows which address it needs to contact to reach the website, so it sends an HTTP request directly to the gateway server and downloads the webpage.
TCP Packet Analysis

When two processes running in different end systems connect via TCP, the client has to generate an Initial Sequence Number (ISN). Every operating system uses its own algorithm for generating the ISN. The first three packets are part of the 3-way handshake performed by TCP before any data is transferred between the two hosts.

Let the host with IP 202.164.134.17 be called A and the Gateway Server hosting www.google.com be called B.

1) Host A sends a packet to the Gateway Server. This packet has the SYN flag set and also contains the ISN generated by Host A's operating system. The actual sequence number is not observable in Wireshark as the ISN is protected; instead it displays the relative sequence number 0. Since Host A is initiating the connection and hasn't received a reply from the Gateway Server, the acknowledgment number is set to zero (0).
No. 40   Time 19.680981   Source 202.164.134.17   Destination www-cctld.l.google.com   Protocol TCP
Info: 49883 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
Frame 40: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: SdlCommu_67:1d:1f (00:e0:48:67:1d:1f), Dst: 202.164.134.1 (00:25:84:57:80:d9)
Internet Protocol, Src: 202.164.134.17 (202.164.134.17), Dst: www-cctld.l.google.com (74.125.236.87)
Transmission Control Protocol, Src Port: 49883 (49883), Dst Port: http (80), Seq: 0, Len: 0

2) The Gateway Server receives Host A's request and generates a reply containing its own generated ISN and the next sequence number it is expecting from Host A. The reply has the SYN and ACK flags set, acknowledging the previous packet it received and informing Host A of its own sequence number: "I acknowledge your sequence number and am expecting your next packet with sequence number XXXX. My sequence number is YYYY".

No. 41   Time 19.763347   Source www-cctld.l.google.com   Destination 202.164.134.17   Protocol TCP
Info: http > 49883 [SYN, ACK] Seq=0 Ack=1 Win=5720 Len=0 MSS=1430 SACK_PERM=1 WS=6
Frame 41: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: 202.164.134.1 (00:25:84:57:80:d9), Dst: SdlCommu_67:1d:1f (00:e0:48:67:1d:1f)
Internet Protocol, Src: 74.125.236.87 (74.125.236.87), Dst: 202.164.134.17 (202.164.134.17)
Transmission Control Protocol, Src Port: http (80), Dst Port: 49883 (49883), Seq: 0, Ack: 1, Len: 0

3) Host A receives the reply and now knows the Gateway's sequence number. It generates another packet to complete the connection. This packet has the ACK flag set and also contains the sequence number that it expects the Gateway Server to use next.

No. 42   Time 19.763494   Source 202.164.134.17   Destination www-cctld.l.google.com   Protocol TCP
Info: 49883 > http [ACK] Seq=1 Ack=1 Win=65780 Len=0
Frame 42: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: SdlCommu_67:1d:1f (00:e0:48:67:1d:1f), Dst: 202.164.134.1 (00:25:84:57:80:d9)

With this the three-way handshake is over, a virtual connection between the two now exists and the Gateway Server is ready to listen to Host A's request.

4) Host A generates a packet with some data and sends it to the Gateway Server. The data tells the Gateway Server which webpage it would like sent. The sequence number of the segment in line 4 is the same as in line 3 because the ACK does not occupy sequence number space. Any packets generated which are simply acknowledgements (in other words, have only the ACK flag set and contain no data) of previously received packets never increment the sequence number.

TCP HEADER LENGTH

The 'Header length' field allows the receiving end to calculate the number of bytes in the TCP header. It is mandatory because without it there is no way for the receiver to know where the data portion begins: wherever the TCP header ends, the data begins. As the packet in our screenshot reaches the receiving end, the receiver reads the header length field and knows exactly where the data portion starts. This data is passed to the layers above, while the TCP header is stripped and disregarded. In this example there is no data, which is normal since the packet is initiating the 3-way handshake.
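The handshake steps 1) to 4) above can be checked mechanically. The following is an added example (not part of the assignment): it takes Wireshark-style summaries of each segment, derives the relative sequence and acknowledgment numbers that Wireshark displays from the absolute ones, verifies the SYN / SYN-ACK / ACK exchange, confirms that a pure ACK consumes no sequence space while SYN, FIN and payload bytes do, and measures the client-side handshake RTT from the SYN to the SYN/ACK. The trace is constructed to mirror packets 40 to 42 of the capture, followed by a GET and a FIN/ACK close; the absolute ISNs are made up, since the capture only shows relative values.

```python
"""Relative sequence numbers, handshake check and handshake RTT for one TCP connection.

Added example, not part of the assignment. The trace mirrors packets 40-42 of the
capture and adds a GET, its ACK and a FIN/ACK close; the absolute ISNs are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

CLIENT = "202.164.134.17"
SERVER = "74.125.236.87"


@dataclass(frozen=True)
class Segment:
    no: int
    time: float            # seconds since start of capture
    src: str
    dst: str
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "PSH"}
    seq: int               # absolute sequence number
    ack: int               # absolute acknowledgment number (ignored if ACK not set)
    length: int            # payload bytes


C_ISN, S_ISN = 0x1A2B3C4D, 0x7E8F9A0B   # constructed ISNs, not from the capture

TRACE: List[Segment] = [
    Segment(40, 19.680981, CLIENT, SERVER, frozenset({"SYN"}), C_ISN, 0, 0),
    Segment(41, 19.763347, SERVER, CLIENT, frozenset({"SYN", "ACK"}), S_ISN, C_ISN + 1, 0),
    Segment(42, 19.763494, CLIENT, SERVER, frozenset({"ACK"}), C_ISN + 1, S_ISN + 1, 0),
    # HTTP GET: same seq as packet 42, because that pure ACK used no sequence space
    Segment(43, 19.764000, CLIENT, SERVER, frozenset({"PSH", "ACK"}), C_ISN + 1, S_ISN + 1, 438),
    Segment(44, 19.846000, SERVER, CLIENT, frozenset({"ACK"}), S_ISN + 1, C_ISN + 439, 0),
    Segment(45, 19.900000, SERVER, CLIENT, frozenset({"FIN", "ACK"}), S_ISN + 1, C_ISN + 439, 0),
    Segment(46, 19.900200, CLIENT, SERVER, frozenset({"ACK"}), C_ISN + 439, S_ISN + 2, 0),
]


def next_seq(seg: Segment) -> int:
    """Sequence number the sender will use next: SYN and FIN each count as one byte."""
    return seg.seq + seg.length + ("SYN" in seg.flags) + ("FIN" in seg.flags)


def isns(trace: List[Segment]) -> dict:
    """ISN per endpoint = seq of the first segment it sends (its SYN)."""
    found = {}
    for seg in trace:
        found.setdefault(seg.src, seg.seq)
    return found


def relative(trace: List[Segment]) -> List[Tuple[int, int, Optional[int], int]]:
    """(no, relative seq, relative ack or None, len) as Wireshark's Info column shows them."""
    isn = isns(trace)
    out = []
    for seg in trace:
        rel_ack = seg.ack - isn[seg.dst] if "ACK" in seg.flags else None
        out.append((seg.no, seg.seq - isn[seg.src], rel_ack, seg.length))
    return out


def check_handshake(trace: List[Segment]) -> bool:
    """SYN, then SYN/ACK acknowledging ISN+1, then ACK acknowledging the server's ISN+1."""
    syn, synack, ack = trace[:3]
    return (syn.flags == {"SYN"}
            and synack.flags == {"SYN", "ACK"} and synack.dst == syn.src
            and synack.ack == next_seq(syn)
            and ack.flags == {"ACK"} and ack.seq == next_seq(syn)
            and ack.ack == next_seq(synack))


def handshake_rtt(trace: List[Segment]) -> float:
    """Client-side RTT estimate: time from the SYN to the SYN/ACK."""
    return trace[1].time - trace[0].time


def sequence_consistent(trace: List[Segment]) -> bool:
    """Every segment starts where the same sender's previous segment said it would."""
    expected = {}
    for seg in trace:
        if seg.src in expected and seg.seq != expected[seg.src]:
            return False
        expected[seg.src] = next_seq(seg)
    return True


if __name__ == "__main__":
    for no, seq, ack, ln in relative(TRACE):
        print(f"No. {no}: Seq={seq} Ack={ack} Len={ln}")
    print("handshake ok:", check_handshake(TRACE), "RTT:", round(handshake_rtt(TRACE), 6))
```

Running it prints the same Seq/Ack values as the Info column of packets 40 to 42, and the handshake RTT of 0.082366 s is simply the SYN/ACK timestamp minus the SYN timestamp; the final ACK for the server's FIN is 2 because the FIN itself occupied one sequence number.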

TCP FLAG OPTIONS

Each TCP segment has a purpose, and this is determined with the help of the TCP flag options, allowing the sender or receiver to specify which flags should be used so the segment is handled correctly by the other end. The most popular flags are "SYN", "ACK" and "FIN", used to establish connections, acknowledge successful segment transfers and, lastly, terminate connections.

Urgent flag: This flag is used to identify incoming data as 'urgent'. Such incoming segments do not have to wait until the previous segments are consumed by the receiving end but are sent directly and processed immediately.

ACKnowledgement (ACK) flag: It is used to acknowledge the successful receipt of packets.

Push (PSH) flag: It exists to ensure that the data is given the priority it deserves and is processed promptly at the sending or receiving end. It is used quite frequently at the beginning and end of a data transfer, affecting the way the data is handled at both ends.

Reset (RST) flag: It is used when a segment arrives that is not intended for the current connection. In other words, if a packet was sent to a host in order to establish a connection and there was no such service waiting to answer at the remote host, the host automatically rejects the request and sends a reply with the RST flag set. This indicates that the remote host has reset the connection.

SYN flag: It is initially sent when establishing the classical 3-way handshake between two hosts.

FIN flag (standing for FINished): This flag is used to tear down the virtual connections created using the previous flag (SYN); for this reason the FIN flag always appears when the last packets are exchanged on a connection.

TCP OPTIONS

In the packet listing as well as the details window there are a few different option attributes shown for each packet.

Maximum Segment Size (MSS): It defines the maximum segment size that will be used during a connection. It is observed during the SYN and SYN/ACK phase of the 3-way handshake. The MSS TCP option occupies 4 bytes.

Window Scaling (WS)

Selective Acknowledgements (SACK): The problem with plain ACKs is that there is no mechanism for a receiver to state "I'm still waiting for bytes 20 through 25, but have received bytes 30 through 35". This is achieved through SACKs. When a logical connection is established using the classic 3-way handshake, the hosts must send a "Selective Acknowledgments Permitted" option in the TCP options to indicate that they are able to use SACKs. From then on, the SACK option is sent whenever a selective acknowledgment is required.
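The header length field and the TCP options described above are what a dissector actually walks when it fills in the packet details window. The following is an added example (not part of the assignment): a small TCP header parser that reads the data offset, decodes the flag bits and walks the option list (EOL, NOP, MSS, Window Scale, SACK-Permitted and SACK), rejecting option lengths that would run past the header. build_syn() constructs header bytes laid out the way the Info line of packet 40 reports them (ports 49883 to 80, Win=8192, MSS=1460, WS=2, SACK_PERM=1, 32-byte header); the checksum is a placeholder zero, so these bytes are only for parsing practice.

```python
"""Parse a raw TCP header: data offset (header length), flags and options.

Added example, not part of the assignment. build_syn() constructs bytes matching the
summary of packet 40; the checksum is a placeholder zero.
"""
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
# Option kinds (RFC 793 EOL/NOP/MSS, RFC 7323 WS, RFC 2018 SACK)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WS, OPT_SACK_PERM, OPT_SACK = 0, 1, 2, 3, 4, 5


def parse_options(raw: bytes) -> dict:
    """Walk the TLV option list, rejecting lengths that would run past the header."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:            # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option %d has bad length %d" % (kind, length))
        body = raw[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            opts["MSS"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WS and length == 3:
            opts["WS"] = body[0]           # shift count: window is multiplied by 2**WS
        elif kind == OPT_SACK_PERM and length == 2:
            opts["SACK_PERM"] = True
        elif kind == OPT_SACK and (length - 2) % 8 == 0:
            opts["SACK"] = [struct.unpack("!II", body[j:j + 8]) for j in range(0, len(body), 8)]
        else:
            opts.setdefault("unknown", []).append(kind)
        i += length
    return opts


def parse_tcp_header(data: bytes) -> dict:
    """Fixed 20-byte part, then options up to the data offset; payload is what follows."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    hlen = (off_flags >> 12) * 4      # data offset is counted in 32-bit words
    if hlen < 20 or hlen > len(data):
        raise ValueError("data offset %d is invalid" % hlen)
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_length": hlen, "window": win, "urgent_pointer": urg,
        "flags": {name for name, bit in FLAG_BITS.items() if off_flags & bit},
        "options": parse_options(data[20:hlen]),
        "payload": data[hlen:],
    }


def build_syn() -> bytes:
    """Constructed SYN laid out as packet 40 reports it: MSS, NOP, WS, NOP, NOP, SACK_PERM."""
    options = (struct.pack("!BBH", OPT_MSS, 4, 1460)
               + bytes([OPT_NOP])
               + struct.pack("!BBB", OPT_WS, 3, 2)
               + bytes([OPT_NOP, OPT_NOP])
               + struct.pack("!BB", OPT_SACK_PERM, 2))          # 12 bytes -> 32-byte header
    off_flags = ((20 + len(options)) // 4) << 12 | FLAG_BITS["SYN"]
    return struct.pack("!HHIIHHHH", 49883, 80, 0, 0, off_flags, 8192, 0, 0) + options


if __name__ == "__main__":
    hdr = parse_tcp_header(build_syn())
    print(hdr["header_length"], sorted(hdr["flags"]), hdr["options"])
```

The 12 option bytes explain why the SYN in the capture has a 32-byte header while the final ACK of the handshake (packet 42, 54-byte frame) carries only the 20-byte fixed header. The length checks in parse_options matter in practice: an option whose length byte points past the end of the header is malformed input that a parser must refuse rather than read beyond its buffer.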

A lot of packets have "TCP segment of a reassembled PDU" in the Info field. The message means that TCP handed off the dissection to a higher-layer protocol dissector. This dissector told the TCP dissector to collect multiple TCP segments to construct one PDU. If all goes well, the packet that contains the last part of the application PDU will have the full dissection of the application protocol. The screenshot marks the HTTP 200 OK response packet from the server. 200 OK is the standard response for successful HTTP requests. The actual response will depend on the request method used. For a GET request, the response will contain an entity corresponding to the requested resource.

TCP CONGESTION CONTROL

RTT GRAPH FOR TCP SEGMENT WITH SEQUENCE NO 1461

Each dot represents a TCP segment sent, plotting the sequence number of the segment versus the time at which it was sent. A set of dots stacked above each other represents a series of packets that were sent back-to-back by the sender. The slow start phase can be observed initially, where the dots are not yet stacked directly on top of each other. Then TCP congestion avoidance takes over. We can also see from the capture that host A sends one ACK for a window of packets sent by the server. Below is shown the I/O Graph over the total capture time. Red indicates all packets, while the TCP packets are filtered in black.
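The RTT values that Wireshark plots for ACKs are derived from the capture itself, not reported by TCP. The following is an added example (not part of the assignment) that measures them the way Wireshark's tcp.analysis.ack_rtt field does: the RTT of a data segment is the time from its transmission to the first ACK whose acknowledgment number covers its last byte, so a single ACK for a window of segments yields one sample per segment, as observed in the capture above. Retransmitted segments are excluded from the samples (Karn's algorithm), because the ACK that eventually arrives cannot be tied to a particular transmission. The samples are then fed into the RFC 6298 estimator that a TCP sender uses to derive its smoothed RTT and retransmission timeout. The trace is constructed with relative sequence numbers (server data to client, client ACKs back) and includes one lost and retransmitted segment.

```python
"""Per-segment RTT samples from a trace and the RFC 6298 smoothed estimate.

Added example, not part of the assignment. The trace is constructed with relative
sequence numbers and includes one retransmission to show Karn's rule.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Seg:
    time: float      # seconds since capture start
    direction: str   # "s2c": server data to client, "c2s": client ACK to server
    seq: int         # relative sequence number (s2c only)
    length: int      # payload bytes (s2c only)
    ack: int         # relative ack number (c2s only)


TRACE: List[Seg] = [
    Seg(20.000, "s2c", 1, 1430, 0),
    Seg(20.001, "s2c", 1431, 1430, 0),
    Seg(20.085, "c2s", 0, 0, 2861),      # one ACK covers both segments above
    Seg(20.090, "s2c", 2861, 1430, 0),   # lost on the way to the client
    Seg(20.500, "s2c", 2861, 1430, 0),   # retransmission of the same bytes
    Seg(20.585, "c2s", 0, 0, 4291),      # ambiguous: for the first send or the retransmission?
]


def rtt_samples(trace: List[Seg]) -> List[Tuple[int, float]]:
    """(end of segment, RTT) for every data segment acknowledged exactly once."""
    outstanding = {}   # end_seq -> (first send time, was_retransmitted)
    samples = []
    for seg in trace:
        if seg.direction == "s2c" and seg.length > 0:
            end = seg.seq + seg.length
            if end in outstanding:                      # same bytes again: retransmission
                outstanding[end] = (outstanding[end][0], True)
            else:
                outstanding[end] = (seg.time, False)
        elif seg.direction == "c2s":
            for end in sorted(e for e in outstanding if e <= seg.ack):
                sent_at, retransmitted = outstanding.pop(end)
                if not retransmitted:                    # Karn's algorithm: skip ambiguous ACKs
                    samples.append((end, seg.time - sent_at))
    return samples


def rfc6298(samples: List[float], clock_g: float = 0.001, k: int = 4,
            min_rto: float = 1.0) -> Optional[Tuple[float, float, float]]:
    """Smoothed RTT, RTT variance and retransmission timeout, updated per RFC 6298."""
    srtt = rttvar = rto = None
    for r in samples:
        if srtt is None:                 # first measurement initialises both estimators
            srtt, rttvar = r, r / 2
        else:                            # RTTVAR before SRTT, as the RFC orders it
            rttvar = 0.75 * rttvar + 0.25 * abs(srtt - r)
            srtt = 0.875 * srtt + 0.125 * r
        rto = max(min_rto, srtt + max(clock_g, k * rttvar))
    return None if srtt is None else (srtt, rttvar, rto)


if __name__ == "__main__":
    samples = rtt_samples(TRACE)
    for end, rtt in samples:
        print(f"bytes up to {end}: RTT {rtt:.3f} s")
    print("SRTT, RTTVAR, RTO:", rfc6298([r for _, r in samples]))
```

On this trace the ACK at 20.085 produces two samples (85 ms and 84 ms), while the segment starting at 2861 contributes none because it was retransmitted; the resulting RTO is clamped to the RFC 6298 minimum of one second even though the smoothed RTT is far smaller.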

The following I/O graph shows RTT for ACKs in red.

TEARING DOWN A CONNECTION

1) Once the data transfer is complete, Host B sends a packet with the FIN, ACK flags set.

With this packet, the server is ACKnowledging the previous stream while at the same time initiating the TCP close procedure to terminate this connection. At this point the server's application will stop receiving any data and will close the connection from its side.

4) In response to Host B's request to close the connection, Host A will send an acknowledgement back, and also notify its application that the connection is no longer available.

5) Once this is complete, Host A will send its own FIN, ACK flags to close its part of the connection. But this is done only if Host A wants no other data from the server. Here, Host A initiates a new TCP connection via a 3-way handshake and requests the next object to be downloaded through an HTTP GET request. This continues until all the objects in the webpage are successfully downloaded and displayed in the browser.