Assignment 9 1: TCP Analysis Chapter 8 from Practical Packet Analysis - savannahc502/SavC-TechJournal-NET215 GitHub Wiki
Information on this page may be paraphrased or copied from Champlain College materials and other textbooks. Avoid copying, as you may be committing plagiarism. This is for note-taking and academic purposes only.
TCP Analysis - Chapter 8 from Practical Packet Analysis, 3rd Edition, Chris Sanders and Assignment Questions Notes
TCP Packet Structure
- Source Port: the port the sending host transmits from.
- Destination Port: the port on the receiving host to which the segment is addressed.
- Sequence Number: the position in the sender's byte stream of this segment's first data byte (a SYN or FIN also consumes one sequence number). The receiver uses it to put the stream back in order and to detect missing or duplicated pieces.
- Acknowledgment Number: the sequence number the sender expects to receive next from the other device in the conversation, meaning everything before it has arrived.
- Flags: the URG, ACK, PSH, RST, SYN, and FIN bits that identify the type of TCP segment being transmitted.
- Window Size: the number of bytes the sender of this segment is currently willing to accept (its free receive buffer space).
- Checksum: covers the TCP header and data (plus an IP pseudo-header) so that corruption in transit is detected on arrival.
- Urgent Pointer: examined only when the URG flag is set; an offset into the segment's data that marks the urgent data. The urgent mechanism is rarely used, and RFC 6093 advises new applications not to rely on it.
- Options: variable-length optional fields (for example, maximum segment size) that may follow the fixed 20-byte header.
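The layout above, as an added worked example (not code from these notes or from Practical Packet Analysis): a small Python builder and parser for the TCP header, with the checksum computed over the IPv4 pseudo-header as described above, the options decoded as kind/length/value records, and the data offset bounds-checked before it is trusted. The addresses, ports, sequence number and MSS option in the sample segment are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# Flag bits of the 14th header byte (ECE/CWR are later ECN additions not in the list above).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
PROTO_TCP = 6

def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over the IPv4 pseudo-header plus the whole segment, with the
    checksum field itself taken as zero (so it serves both building and verifying)."""
    pseudo = struct.pack("!4s4sxBH", IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed, PROTO_TCP, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                      window=65535, options=b"", payload=b""):
    """Serialize a segment; options are padded to a 32-bit boundary and the
    data offset (header length in 32-bit words) is derived from them."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4
    flag_bits = sum(FLAG_BITS[f] for f in flags)
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flag_bits, window, 0, 0)
    segment = header + options + payload
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]

def parse_tcp_header(segment):
    """Decode the fixed header and split options from payload. The data offset
    is bounds-checked: a dissector that trusts it blindly reads past the buffer."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    (sport, dport, seq, ack, off, flag_bits,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    hdr_len = (off >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("data offset %d bytes lies outside the segment" % hdr_len)
    flags = [name for name, bit in FLAG_BITS.items() if flag_bits & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": hdr_len, "flags": flags, "window": window, "checksum": csum,
            "urgent_pointer": urg if "URG" in flags else None,  # only meaningful with URG
            "options": segment[20:hdr_len], "payload": segment[hdr_len:]}

def parse_options(raw):
    """Walk the option TLVs: kind 0 ends the list, kind 1 (NOP) has no length,
    every other kind is kind, length (counting these two bytes), data."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            out.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option at offset %d" % i)
        out.append((kind, raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return out

def checksum_ok(src_ip, dst_ip, segment):
    """True when the checksum carried in the segment matches a recomputation."""
    return struct.unpack("!H", segment[16:18])[0] == tcp_checksum(src_ip, dst_ip, segment)

# Constructed sample (not a captured packet): a SYN shaped like the first packet of a
# web request, carrying an MSS option (kind 2, length 4, value 1460).
SYN = build_tcp_segment("172.16.16.128", "212.58.226.142", 2826, 80,
                        seq=0x1A2B3C4D, ack=0, flags=("SYN",),
                        options=b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    hdr = parse_tcp_header(SYN)
    print(hdr["sport"], "->", hdr["dport"], hdr["flags"], parse_options(hdr["options"]))
    print("checksum valid:", checksum_ok("172.16.16.128", "212.58.226.142", SYN))
```

Flipping any header bit (for instance setting ACK on the sample SYN) makes `checksum_ok` fail, which is exactly what Wireshark's "checksum incorrect" note reports; note that captures taken on the sending host often show bad checksums only because the NIC fills them in after the capture point (checksum offload).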
TCP Ports
TCP communication occurs over source and destination ports.
- System port group: ports 1-1023 (0 is reserved). "Well-known, established services generally use ports that lie within the system port grouping." In a client/server conversation this is the destination (server) port.
- Ephemeral port group: ports 1024-65535, typically. "Only one service can communicate on a port at any given time, so modern operating systems select source ports randomly in an effort to make communications unique." These are the source (client) ports.
View a TCP Conversation in Wireshark
- In Wireshark - go to Statistics - Conversations - and click the TCP tab
- "Wireshark maintains a list of ports and their most common uses... the labeling of these ports can be confusing, so it’s typically best to disable it by turning off transport name resolution. To do this, go to Edit ▶ Preferences ▶ Name Resolution and uncheck Enable Transport Name Resolution."
- What is the IP address of the client/browser?: 172.16.16.128
- What is the IP address of the first web server it communicates with?: 212.58.226.142
- What is the IP address of the second web server?: 67.228.110.120
- What is the ephemeral port used in the conversation/session with the first web server?: 2826
- What is the ephemeral port used in the last conversation with the second web server?: 2827
- What is the system/service port used in the conversation?: 80
TCP Three-Way Handshake
Every TCP connection begins with a three-way handshake (SYN, SYN/ACK, ACK) between client and server before any data is exchanged. The handshake confirms that the server is reachable and listening on the requested port, and it lets each side announce the initial sequence number that the other side must acknowledge.
- Look at the highlighted packets and notice the pattern in the sequence and acknowledgment numbers: each acknowledgment number is the other side's sequence number plus one, because a SYN consumes one sequence number.
- Wireshark shows relative sequence numbers by default (simple integers counting up from 0). To see the actual 32-bit values instead, "choose Edit ▶ Preferences, expand the Protocols heading, and choose TCP. In the window, uncheck the box next to Relative Sequence Numbers and click OK."
TCP Teardown
A graceful teardown uses the FIN flag: each side sends a FIN when it has finished sending and the other side acknowledges it, so a full close is two FIN/ACK exchanges (four packets, or three when one side combines its own FIN with the ACK of the other's FIN). A connection can be half-closed in one direction while data still flows in the other.
- What packet # is initiating the teardown of the connection from the client to the server?: 15
- What packet # is initiating the teardown of the connection from the server to the client?: 14
TCP Resets
In an ideal world, every connection would end gracefully with a TCP teardown. In reality, connections often end abruptly. For example, a host may be misconfigured, or a potential attacker may perform a port scan. In these cases, when a packet is sent to a device that is not willing to accept it, a TCP packet with the RST flag set may be sent. The RST flag is used to indicate that a connection was closed abruptly or to refuse a connection attempt.
- What packet # has a SYN request to the server that is not using port 80?: 17
- What service/system port is the client trying to connect to with that SYN?: 636 (the registered port for LDAP over TLS)
- What ephemeral port is used in that session?: 36658
- No SYN/ACK is returned from the server for that session. Instead, the server answers with a packet that has the RST and ACK flags set, refusing the connection.
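The Conversations tab, the handshake numbering, the FIN teardown and the RST refusal described on this page, as one added example (not code from these notes or from the book): a Python sketch of the bookkeeping Wireshark's TCP dissector does over a packet list. CAPTURE is constructed to mirror the addresses, ports and frame numbers quoted in the answers above; the sequence numbers, the data packets in between, and the choice of 212.58.226.142 as the host probed on port 636 are assumptions, not taken from the assignment capture.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    frame: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # comma-separated, as Wireshark shows them: "SYN", "SYN,ACK", ...
    seq: int     # absolute sequence number (relative ones are derived below)
    ack: int     # absolute acknowledgment number

    def has(self, flag):
        return flag in self.flags.split(",")

def flow_key(src, sport, dst, dport):
    """Direction-independent 4-tuple, so both directions of a flow share one key."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def conversations(packets):
    """Group packets by flow, as Statistics > Conversations > TCP does; in a fully
    captured flow the first packet is the client's SYN, so it names the initiator."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.frame):
        flows[flow_key(p.src, p.sport, p.dst, p.dport)].append(p)
    return dict(flows)

def handshake(flow):
    """Frames of SYN, SYN/ACK, ACK when the numbers chain: each ack equals the
    peer's previous seq + 1, because a SYN consumes one sequence number."""
    syn = next((p for p in flow if p.flags == "SYN"), None)
    if syn is None:
        return None
    synack = next((p for p in flow if p.has("SYN") and p.has("ACK")
                   and p.frame > syn.frame and p.ack == syn.seq + 1), None)
    if synack is None:
        return None
    ack = next((p for p in flow if p.flags == "ACK" and p.frame > synack.frame
                and p.seq == syn.seq + 1 and p.ack == synack.seq + 1), None)
    return (syn.frame, synack.frame, ack.frame) if ack else None

def relative_numbers(flow):
    """(frame, relative seq, relative ack) as Wireshark displays them: each direction's
    ISN (its first packet's seq) is subtracted, so the handshake reads 0/0, 0/1, 1/1."""
    isn, rows = {}, []
    for p in flow:
        isn.setdefault((p.src, p.sport), p.seq)
        peer_isn = isn.get((p.dst, p.dport))
        rel_ack = p.ack - peer_isn if p.has("ACK") and peer_isn is not None else 0
        rows.append((p.frame, p.seq - isn[(p.src, p.sport)], rel_ack))
    return rows

def teardown_initiators(flow):
    """Frame of the first FIN each side sends; None if that side never closed."""
    client = (flow[0].src, flow[0].sport)   # the SYN sender
    first_fin = {"client": None, "server": None}
    for p in flow:
        if p.has("FIN"):
            side = "client" if (p.src, p.sport) == client else "server"
            first_fin[side] = first_fin[side] or p.frame
    return first_fin

def refused_connections(packets):
    """(syn_frame, rst_frame, port) for each SYN answered by RST/ACK instead of
    SYN/ACK: the signature of a closed port, from misconfiguration or a scan."""
    found = []
    for flow in conversations(packets).values():
        syn = next((p for p in flow if p.flags == "SYN"), None)
        if syn is None or handshake(flow) is not None:
            continue
        rst = next((p for p in flow if p.has("RST") and p.has("ACK")
                    and p.ack == syn.seq + 1), None)
        if rst is not None:
            found.append((syn.frame, rst.frame, syn.dport))
    return found

# Constructed capture (not the assignment pcap): addresses, ports and frame numbers follow
# the answers above; sequence numbers, data packets and the port 636 target host are assumed.
CLIENT, WEB1, WEB2 = "172.16.16.128", "212.58.226.142", "67.228.110.120"
CAPTURE = [
    Packet(1, CLIENT, 2826, WEB1, 80, "SYN", 1000, 0),
    Packet(2, WEB1, 80, CLIENT, 2826, "SYN,ACK", 5000, 1001),
    Packet(3, CLIENT, 2826, WEB1, 80, "ACK", 1001, 5001),
    Packet(4, CLIENT, 2826, WEB1, 80, "PSH,ACK", 1001, 5001),   # 300-byte request
    Packet(5, WEB1, 80, CLIENT, 2826, "ACK", 5001, 1301),
    Packet(6, WEB1, 80, CLIENT, 2826, "PSH,ACK", 5001, 1301),   # 1200-byte response
    Packet(7, CLIENT, 2826, WEB1, 80, "ACK", 1301, 6201),
    Packet(8, CLIENT, 2827, WEB2, 80, "SYN", 2000, 0),
    Packet(9, WEB2, 80, CLIENT, 2827, "SYN,ACK", 9000, 2001),
    Packet(10, CLIENT, 2827, WEB2, 80, "ACK", 2001, 9001),
    Packet(11, CLIENT, 2827, WEB2, 80, "PSH,ACK", 2001, 9001),  # 250-byte request
    Packet(12, WEB2, 80, CLIENT, 2827, "PSH,ACK", 9001, 2251),  # 800-byte response
    Packet(13, CLIENT, 2827, WEB2, 80, "ACK", 2251, 9801),
    Packet(14, WEB2, 80, CLIENT, 2827, "FIN,ACK", 9801, 2251),  # server starts teardown
    Packet(15, CLIENT, 2827, WEB2, 80, "FIN,ACK", 2251, 9802),  # client closes its half
    Packet(16, WEB2, 80, CLIENT, 2827, "ACK", 9802, 2252),
    Packet(17, CLIENT, 36658, WEB1, 636, "SYN", 3000, 0),       # SYN to a non-HTTP port
    Packet(18, WEB1, 636, CLIENT, 36658, "RST,ACK", 0, 3001),   # refused: RST/ACK, no SYN/ACK
]
```

Running `refused_connections(CAPTURE)` yields the port 636 probe as the only refusal, and `teardown_initiators` on the second conversation reports the server's FIN (frame 14) before the client's (frame 15), matching the answers above. The same RST/ACK pattern, repeated across many destination ports from one source, is what a port scan looks like in a capture.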