Home‎ > ‎CIS 140NA‎ > ‎

Lab 10: TCP Analysis

In this lab you will use Expert Mode to answer some questions and explore the steps in a TCP conversation.

Introduction

Expert mode is one of Wireshark's best features. Expert mode gives you access to the detailed information that the TCP dissector keeps. The dissector looks at every aspect of each TCP conversation.

Getting Basic Statistics

Download the following packet file: 


Answer the following questions:
  1. What is the IP address of the host sending the most data? 
  2. What protocol is being used to transport data? 
  3. How many retransmissions are seen?
  4. How many fast retransmissions are seen? 

Capturing a TCP Connection Sequence

For this part you will capture a complete TCP connection sequence:
  1. Name resolution
  2. MAC resolution
  3. TCP Connection
It's important to remember that you may not see the sequence in order. Your computer is always busy using the network. Because of that it's very likely that the MAC address of your default gateway is stored in the ARP table of your computer. Also, if you have accessed your chosen destination recently you computer may have cached its IP address to save time when you access it again. If you're not seeing DNS lookups try to access a server you have not accessed before or very recently. If you're not seeing ARP lookups you can flush the ARP cache on your computer using the following instructions:

Windows: Deleting the ARP Table

On Windows you can delete all the entries in your ARP table with the following command. You must run the command from a DOS shell executing with Administrator privileges. See this page for how to do that. 

C:\> netsh interface ip delete arpcache

Linux/Mac: Deleting the ARP Table

On Linux or Mac OSX you can delete the arp table with the following command. Only users who have the right to administer the machine will be able to do this:

$ sudo ip -s -s neigh flush all

Saving the Packets

Submit a packet capture with one ARP lookup, one DNS lookup and one TCP conversation. They don't have to be in any particular order but there should not be unrelated packets in your capture. 

Turn In

  1. The answers to part 1 
  2. Your packet capture for part 2
Submit your homework on Canvas.

Grading

  • 10 points for part 1
  • 10 points for part 2
ċ
TCP Analysis Packets.pcapng.gz
(443k)
Michael Matera,
Apr 12, 2016, 9:19 AM
Comments