NET150 TCP IP Lab - eitan-j/tech-journal GitHub Wiki
Using Wireshark to Observe the TCP Three-way Handshake
Objectives
- Use Wireshark to monitor an Ethernet interface for recording packet flows
- Generate a TCP connection using a web browser
- Observe the initial TCP/IP three-way handshake
Background / Preparation
In this lab, you use the Wireshark network packet analyzer (also called a packet sniffer) to view the TCP/IP packets generated by the TCP three-way handshake. When an application that uses TCP first starts on a host, the protocol uses the three-way handshake to establish a reliable TCP connection between two hosts. You will observe the initial packets of the TCP flow: the SYN packet, then the SYN ACK packet, and finally the ACK packet.
Task 1: Wireshark Capture
- Open Wireshark.
- Start a new Wireshark capture.
- Open a browser and access https://www.howstuffworks.com/
- Stop the Wireshark capture.
Task 2: Analyze the captured output.
The one thing we will be searching for is the DNS (Domain Name Server) query to HowStuffWorks. If you have never been to the website HowStuffWorks, then your PC will need to resolve the friendly name of HowStuffWorks to its IP address. It asks the DNS server to obtain the IP address for HowStuffWorks. Once your computer has the IP address, it routes to HowStuffWorks to start your TCP connection.
- What is the IP address of your PC? 69.5.123.18
- What is the IP address of your default gateway? 69.5.123.1
- What is the IP address of the DNS server that the computer queried? 204.13.41.10
- Beside looking in Wireshark, how can you obtain your DNS server IP address? Googling it.
- You may have multiple queries to your DNS server. Your task here is to find the DNS query that corresponds to HowStuffWorks. There will be two entries, one from your PC to the DNS server followed by an entry from the DNS server back to your PC. The second entry is your DNS server responding with the friendly name and IP address of HowStuffWorks.
- What is the first IP address of HowStuffWorks? 13.226.36.16
- The frame below your second DNS entry should be the start of a TCP communication to HowStuffWorks. Click on it.
Task 3: Inspect the TCP Stream
- In the top Wireshark window, click on the line containing the first packet identified in Step 5 above. This highlights the line and displays the decoded information from that packet in the two lower windows.
- Click the arrow in the bottom window to expand the view of the TCP information.
- Notice in the first TCP packet that the relative sequence number is set to 0, and the SYN bit is set to 1 in the Flags field.
- Right-click the packet, scroll down to "Follow", and click "TCP Stream".
- A window should pop up; that window is just the ASCII of your TCP stream.
- The TCP stream in your main window is the first TCP conversation to the HowStuffWorks website.
- Notice how the stream is not a straightforward sequence.
- Click on the second part of the handshake, the [SYN, ACK] packet.
- Notice in the second TCP packet of the handshake that the relative sequence number is set to 0, and the SYN bit and the ACK bit are set to 1 in the Flags field.
- Click on the third and final frame of the handshake.
- Notice only the ACK bit is set, and the sequence number is set to the starting point of 1. The acknowledgement number is also set to 1 as a starting point. The TCP connection is now established, and communication between the source computer and the web server can begin.
- Screen-capture your TCP stream window (just the top portion).
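As an added example (not part of the lab or of Wireshark), the script below builds three constructed TCP headers for a handshake with arbitrary initial sequence numbers, decodes the Flags field, and reproduces Wireshark's relative Seq/Ack numbering, so the 0 / 0,1 / 1,1 pattern noted in the steps above falls out of the arithmetic; it also includes a check a defender can use to tell a completed handshake from a half-open one. Port numbers and ISNs are assumptions chosen for the example.

```python
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP flag bits (RFC 793)
MASK32 = 0xFFFFFFFF  # sequence numbers wrap modulo 2^32

def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header (no options, zero checksum) for this example."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, flag bits in the low 9 bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)

def flag_names(flags):
    """Render flags the way Wireshark's Info column does, e.g. [SYN, ACK]."""
    names = [n for bit, n in ((SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH")) if flags & bit]
    return "[" + ", ".join(names) + "]"

def parse_tcp_header(raw):
    """Decode ports, raw seq/ack and the Flags field from a TCP header."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF}

def relative_numbers(packets):
    """Mimic Wireshark's relative sequence numbers: each direction's ISN is taken from
    its SYN and subtracted from that direction's seq values and the peer's ack values."""
    isn, out = {}, []
    for p in packets:
        fwd, rev = (p["sport"], p["dport"]), (p["dport"], p["sport"])
        if p["flags"] & SYN:
            isn[fwd] = p["seq"]
        rel_seq = (p["seq"] - isn.get(fwd, p["seq"])) & MASK32
        rel_ack = (p["ack"] - isn[rev]) & MASK32 if p["flags"] & ACK and rev in isn else 0
        out.append((flag_names(p["flags"]), rel_seq, rel_ack))
    return out

def is_complete_handshake(packets):
    """True only for SYN -> SYN/ACK -> ACK with acknowledgement numbers incremented
    correctly; a lone SYN or an unanswered SYN/ACK (half-open connection) returns False."""
    if len(packets) < 3:
        return False
    a, b, c = packets[:3]
    return (a["flags"] & (SYN | ACK) == SYN
            and b["flags"] & (SYN | ACK) == SYN | ACK and b["ack"] == (a["seq"] + 1) & MASK32
            and c["flags"] & (SYN | ACK) == ACK
            and c["seq"] == (a["seq"] + 1) & MASK32 and c["ack"] == (b["seq"] + 1) & MASK32)

# Constructed handshake: client port 51514 to a web server on 443, arbitrary ISNs (not captured data).
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x9F8E7D6C
HANDSHAKE = [parse_tcp_header(h) for h in (
    build_tcp_header(51514, 443, CLIENT_ISN, 0, SYN),
    build_tcp_header(443, 51514, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_tcp_header(51514, 443, CLIENT_ISN + 1, SERVER_ISN + 1, ACK))]
```

Calling `relative_numbers(HANDSHAKE)` yields `[SYN] Seq=0 Ack=0`, `[SYN, ACK] Seq=0 Ack=1`, `[ACK] Seq=1 Ack=1`, the same values Wireshark displays in the three handshake frames.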