
Lab 9: TCP Connections

TCP is the most used protocol on the Internet. In this lab you'll capture a TCP connection and analyze it.

Capture a TCP Connection

Begin by capturing a TCP connection of your choice. The connection can be plaintext (e.g. HTTP) or encrypted (e.g. HTTPS, SSH). From the perspective of TCP it's the same. The connection should contain at least a few kilobytes of data. Once you have a suitable TCP connection captured, save the packets from the connection into their own file called lab9-tcp.pcapng.

Start and Stop Analysis

Examine the TCP three-way handshake then answer the following questions:
  1. What port numbers are used?
  2. What is the initial sequence number (the real one, not the relative number)?
  3. What is the initial window size?
  4. What options do both sides support?
Now examine the end of the connection. 
  1. How was the connection ended? (mutually or with a reset?)
  2. Which side initiated the end of the connection?

Examine ACKs

The acknowledgement packets have a special function. They are used to estimate the round trip time (RTT). The RTT estimate is used by both sides to optimize the receive window. Networks with high bandwidth and long RTTs are called Long Fat Networks (LFNs), pronounced "Elephants." Find an ACK packet in your stream that contains the "Timestamps" option. Wireshark will calculate RTT for packets with timestamps and show you the RTT in the "[SEQ/ACK analysis]" dissector. Use the RTT (not the iRTT) value to compute the delay bandwidth product:

    Delay Bandwidth Product = RTT * Connection Bandwidth 

If you're at home, you can use the advertised speed of your cable or DSL provider. If you're on the CIS network, you should use 48 Mbps as the connection bandwidth. If you're elsewhere, try using an Internet speed test. Submit the following answers:
  1. What packet number did you find the RTT in? 
  2. What is the bandwidth of your link? 
  3. What is the delay bandwidth product?
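
The sketch below is an added example, not part of the original lab. It decodes the fields the handshake questions ask about from the raw bytes of a SYN segment and works the delay bandwidth product formula with its units. The SYN bytes and the 80 ms RTT are constructed sample values; the function names are hypothetical.

```python
import struct

# Option kinds from the IANA TCP parameters registry.
OPTION_NAMES = {2: "mss", 3: "window_scale", 4: "sack_permitted", 8: "timestamps"}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode ports, raw sequence number, window and options from a TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    header_len = (off_flags >> 12) * 4            # data offset counts 32-bit words
    if not 20 <= header_len <= len(segment):
        raise ValueError("bad data offset")
    options, i = {}, 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                             # End of Option List
            break
        if kind == 1:                             # NOP padding has no length byte
            i += 1
            continue
        length = segment[i + 1] if i + 1 < header_len else 0
        if length < 2 or i + length > header_len:
            raise ValueError("malformed option")
        value = segment[i + 2:i + length]
        if kind == 8 and length == 10:
            value = struct.unpack("!II", value)   # (TSval, TSecr)
        else:
            value = int.from_bytes(value, "big")  # 0 for the empty SACK-permitted option
        options[OPTION_NAMES.get(kind, f"kind_{kind}")] = value
        i += length
    return {"src_port": sport, "dst_port": dport, "isn": seq,
            "syn": bool(off_flags & 0x002), "window": window, "options": options}

def delay_bandwidth_product(rtt_seconds: float, bandwidth_bps: float) -> float:
    """RTT * bandwidth, converted from bits to bytes."""
    return rtt_seconds * bandwidth_bps / 8

# Constructed SYN: 20-byte header plus MSS, SACK-permitted, Timestamps, NOP, Window scale.
SAMPLE_SYN = struct.pack("!HHIIHHHH", 49152, 80, 0x12345678, 0, 0xA002, 64240, 0, 0) \
    + bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")

if __name__ == "__main__":
    syn = parse_tcp_header(SAMPLE_SYN)
    bdp = delay_bandwidth_product(0.080, 48_000_000)  # constructed 80 ms RTT at 48 Mbps
    print(syn)
    print(f"BDP = {bdp:.0f} bytes; fits an unscaled 16-bit window: {bdp <= 65535}")
    print(f"largest window with this scale: {65535 << syn['options']['window_scale']} bytes")
```

The window field is only 16 bits wide, so a delay bandwidth product above 65,535 bytes can only be covered when both sides offer the window scale option in the handshake.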

Turn In

  1. Your packet capture in lab9-tcp.pcapng
  2. The answers to part 1 
  3. The answers to part 2
Submit your homework on Canvas.


  • 10 points for part 1
  • 10 points for part 2