Assignment 1: Wireshark

Course: DT151G Datateknik GR (A), Datorkommunikation och nätverk, med tillämpningar i Linux
(Computer Engineering, first-cycle level A: Computer Communication and Networks, with applications in Linux)

Lab 1

Environment & Tools


- Windows 10, Wireshark 3.4.9
- Windows command prompt
- Ubuntu in VirtualBox, Wireshark 3.2.3
- Computer Networking: A Top-Down Approach (book)

Introduction
This is the report for assignment 1, which covers DNS, TCP and UDP and the use of
Wireshark and nslookup.

Purpose
The purpose of this lab is to:
- use nslookup to query DNS servers for records,
- use Wireshark to capture transmitted packets,
- interpret the information contained in each segment, such as RTT, questions and answers,
sequence number, acknowledgement number, etc.,
- interpret the DNS, TCP, UDP and HTTP protocol information shown in Wireshark.

Results

Part 1:

1. Run nslookup to obtain the IP address of the webserver for the Mid Sweden University,
www.miun.se. What is the IP address?

The IP address: 104.18.1.138

2. What is the IP address of the DNS server that provided the answer to your nslookup
command in question 1 above?

IP address of the DNS server: 127.0.0.53#53. This is the local stub resolver that systemd-resolved
runs on Ubuntu; it forwards the query to the configured upstream DNS server, so the address nslookup
reports here is the stub on the local machine, not the server that actually answered over the network.

3. Did the answer to your nslookup command in question 1 above come from an
authoritative or non-authoritative server?

It comes from a non-authoritative server: nslookup printed “Non-authoritative answer”, meaning the
record was served from a resolver's cache rather than by a name server for miun.se itself.

4. Use the nslookup command to determine the name of the authoritative name server for
the miun.se domain.

a. What is that name? (If there are more than one authoritative servers, what is the name of
the first authoritative server returned by nslookup)?

The name of the first authoritative server returned by nslookup is dns.miun.se

b. If you had to find the IP address of that authoritative name server, how would you do so?

Query the name server's own name, i.e. run nslookup dns.miun.se, which asks the local resolver for
the A record of dns.miun.se. Alternatively, nslookup -type=NS miun.se usually returns the NS records
together with the servers' addresses in the additional records section of the response.

5. What is “reverse DNS lookup”?

It is a query that determines the domain name associated with an IP address. The resolver asks for a
PTR record under the in-addr.arpa domain, with the octets of the address reversed (for example
138.1.18.104.in-addr.arpa for 104.18.1.138). nslookup performs this lookup when it is given an IP
address instead of a name.

Clearing cache

1. Locate the first DNS query message resolving the name gaia.cs.umass.edu. What is the
packet number in the trace for the DNS query message? Is this query message sent over
UDP or TCP?

Packet number in the trace for the DNS query message: 255
It is sent over UDP.

2. Now locate the corresponding DNS response to the initial DNS query. What is the packet
number in the trace for the DNS response message? Is this response message received via
UDP or TCP?

Packet number in the trace for the DNS response message: 257
It is received via UDP.

3. What is the destination port for the DNS query message? What is the source port of the
DNS response message?

Destination port for the DNS query message: 53
Source port of the DNS response message: 53

4. To what IP address is the DNS query message sent?

The DNS query message is sent to IP address: 192.168.0.1

5. Examine the DNS query message. How many “questions” does this DNS message
contain? How many “answers” does it contain?

The DNS query message contains 1 question and 0 answers.

6. Examine the DNS response message to the initial query message. How many “questions”
does this DNS message contain? How many “answers” does it contain?

The DNS response message contains 1 question and 1 answer.

7. The web page for the base file http://gaia.cs.umass.edu/kurose_ross/ references the
image object http://gaia.cs.umass.edu/kurose_ross/header_graphic_book_8E_2.jpg, which,
like the base webpage, is on gaia.cs.umass.edu. What is the packet number in the trace for
the initial HTTP GET request for the base file http://gaia.cs.umass.edu/kurose_ross/?

The packet number in the trace for the initial HTTP GET request for the base file is 267.

What is the packet number in the trace of the DNS query made to resolve
gaia.cs.umass.edu so that this initial HTTP request can be sent to the gaia.cs.umass.edu IP
address?

The packet number is 255.

What is the packet number in the trace of the received DNS response?

The packet number is 257.

What is the packet number in the trace for the HTTP GET request for the image object
http://gaia.cs.umass.edu/kurose_ross/header_graphic_book_8E_2.jpg?

The packet number is 377.

What is the packet number in the DNS query made to resolve gaia.cs.umass.edu so that this
second HTTP request can be sent to the gaia.cs.umass.edu IP address? Discuss how DNS
caching affects the answer to this last question.

No DNS query was found because the response from the previous query was found in the
sender’s cache.

Now let’s play with nslookup.

8. What is the destination port for the DNS query message? What is the source port of the
DNS response message?

Destination port for the DNS query message: 53
Source port of the DNS response message: 53

9. To what IP address is the DNS query message sent? Is this the IP address of your default
local DNS server?

The DNS query message is sent to IP address 192.168.0.1. No, this is not the IP address of
my local DNS server.

10. Examine the DNS query message. What “Type” of DNS query is it? Does the query
message contain any “answers”?

It is a Type A query (a request for an IPv4 address). The query message contains 0 answers.

11. Examine the DNS response message to the query message. How many “questions”
does this DNS response message contain? How many “answers”?

The response to the Type A query contains 1 question and 1 answer.

12. To what IP address is the DNS query message sent? Is this the IP address of your
default local DNS server?

The DNS query message is sent to IP address 192.168.0.1. No, this is not the IP address of
my local DNS server.

13. Examine the DNS query message. How many questions does the query have? Does the
query message contain any “answers”?

The DNS query message contains 1 question and 0 answers.

14. Examine the DNS response message. How many answers does the response have?
What information is contained in the answers? How many additional resource records are
returned? What other information is included in these additional resource records?

The DNS response message has 3 answers, and 1 additional resource record is returned.

Now set your Wireshark packet filter so that Wireshark only displays the UDP segments sent
and received at your host. Pick the first UDP segment and expand the UDP fields in the
details window. Answer the following questions.

1. Select the first UDP segment in your trace. What is the packet number of this segment in
the trace file? What type of application-layer payload or protocol message is being carried in
this UDP segment? Look at the details of this packet in Wireshark. How many fields are
there in the UDP header? What are the names of these fields?

The UDP header contains 4 fields: 1. Source port, 2. Destination port, 3. Length, 4. Checksum.

2. By consulting the displayed information in Wireshark’s packet content field for this packet,
what is the length (in bytes) of each of the UDP header fields?

The UDP header is 8 bytes long in total; each of the 4 header fields is 2 bytes long.

3. The value in the Length field is the length of what? Verify your claim with your captured
UDP packet.

The Length field gives the length of the whole UDP segment, i.e. the 8-byte header plus the
payload (not the IP datagram or the Ethernet frame). To verify, subtract 8 from the Length value
of the captured segment and compare with the number of bytes Wireshark shows for the DNS
message carried inside it; the two must match.

4. What is the maximum number of bytes that can be included in a UDP payload? (Hint: the
answer to this question can be determined by your answer to 2. above)

The UDP payload can be at most 65535 − 8 = 65527 bytes, because the 16-bit Length field counts
the 8-byte header as well as the payload.

5. What is the largest possible source port number? (Hint: see the hint in 4.)

The largest possible source port number is (2^16 – 1) = 65535

6. What is the protocol number for UDP? Give your answer in decimal notation. To answer
this question, you’ll need to look into the Protocol field of the IP datagram containing this
UDP segment.

The Protocol field of the IP header holds 0x11 for UDP, which is 17 in decimal.

7. Examine the pair of UDP packets in which your host sends the first UDP packet and the
second UDP packet is a reply to this first UDP packet. (Hint: for a second packet to be sent
in response to a first packet, the sender of the first packet should be the destination of the
second packet). What is the packet number of the first of these two UDP segments in the
trace file? What is the packet number of the second of these two UDP segments in the trace
file? Describe the relationship between the port numbers in the two packets.

The port numbers are swapped between the two packets: the source port of the first packet (the
client's ephemeral port) is the destination port of the reply, and the destination port of the first
packet (the service port, 53 for DNS) is the source port of the reply. That is how the reply is
matched back to the socket that sent the request.
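
To make the DNS and UDP fields discussed in Part 1 concrete, here is an added example (not part of the original report, and not taken from the lab's trace) that builds a DNS query/response pair for gaia.cs.umass.edu by hand and decodes it with the Python standard library: the swapped port numbers, the UDP Length field covering header plus payload, the QDCOUNT/ANCOUNT values, the Type A question, and the AA flag that distinguishes an authoritative from a non-authoritative answer. The transaction id, the client port 51234 and the answer address 128.119.245.12 (the address quoted for gaia.cs.umass.edu in Part 2) are constructed values.

```python
"""Decode a UDP datagram carrying a DNS message, using only the standard library."""
from __future__ import annotations
import struct

UDP_HEADER_LEN = 8   # four 2-byte fields: source port, destination port, length, checksum
DNS_HEADER_LEN = 12  # id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (2 bytes each)
QTYPE_A = 1          # IPv4 address record


def encode_name(name: str) -> bytes:
    """DNS label format: each label prefixed by its length, terminated by a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP header plus payload. Length covers header AND payload; checksum 0 = absent (IPv4)."""
    return struct.pack("!HHHH", src_port, dst_port, UDP_HEADER_LEN + len(payload), 0) + payload


def build_dns_query(txid: int, name: str) -> bytes:
    """Flags 0x0100: QR=0 (query), RD=1. One question, no answer/authority/additional records."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", QTYPE_A, 1)


def build_dns_response(txid: int, name: str, ip: str, ttl: int = 60) -> bytes:
    """Flags 0x8180: QR=1, RD=1, RA=1 and AA=0, i.e. a non-authoritative (cached) answer."""
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a compression pointer back to the name at offset 12 (start of the question)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def parse_udp(datagram: bytes) -> dict:
    src, dst, length, csum = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    if length != len(datagram):  # Length must equal 8 + payload, never the IP or frame length
        raise ValueError(f"UDP length field {length} != datagram size {len(datagram)}")
    return {"src_port": src, "dst_port": dst, "length": length,
            "checksum": csum, "payload": datagram[UDP_HEADER_LEN:]}


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode labels starting at off; follows a compression pointer if one is met."""
    labels = []
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n


def parse_dns(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:DNS_HEADER_LEN])
    off, questions, answers = DNS_HEADER_LEN, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "type": qtype})
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        rec = {"name": name, "type": rtype, "ttl": ttl}
        if rtype == QTYPE_A and rdlen == 4:
            rec["address"] = ".".join(str(b) for b in rdata)
        answers.append(rec)
    return {"id": txid, "is_response": bool(flags & 0x8000), "authoritative": bool(flags & 0x0400),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
            "questions": questions, "answers": answers}


def analyse_pair(query_dgram: bytes, response_dgram: bytes) -> dict:
    """The checks the lab asks about a query/response pair: ports, counts, transaction id."""
    q, r = parse_udp(query_dgram), parse_udp(response_dgram)
    qd, rd = parse_dns(q["payload"]), parse_dns(r["payload"])
    return {"ports_swapped": q["src_port"] == r["dst_port"] and q["dst_port"] == r["src_port"],
            "same_txid": qd["id"] == rd["id"],
            "query_payload_len": q["length"] - UDP_HEADER_LEN,
            "query": qd, "response": rd}


# Constructed sample (not from the trace): ephemeral client port 51234 -> resolver port 53
QUERY = build_udp(51234, 53, build_dns_query(0x1A2B, "gaia.cs.umass.edu"))
RESPONSE = build_udp(53, 51234, build_dns_response(0x1A2B, "gaia.cs.umass.edu", "128.119.245.12"))

if __name__ == "__main__":
    res = analyse_pair(QUERY, RESPONSE)
    print("ports swapped:", res["ports_swapped"], "same id:", res["same_txid"])
    print("query Q/A:", res["query"]["qdcount"], res["query"]["ancount"])
    print("response Q/A:", res["response"]["qdcount"], res["response"]["ancount"], res["response"]["answers"])
```

Running the script prints the query with 1 question and 0 answers, the response with 1 question and 1 answer carrying the A record, and confirms that the reply's source port is the query's destination port (and vice versa). Feeding it a datagram whose Length field does not equal 8 plus the payload raises an error, which is the check behind question 3 above.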

PART 2

1. What is the IP address and TCP port number used by the client computer (source)
to transfer the alice.txt file to gaia.cs.umass.edu? To answer this question,
it’s probably easiest to select an HTTP message and explore the details of the TCP
packet used to carry this HTTP message, using the “details of the selected packet
header window”.

The client computer uses IP address 192.168.86.68 and TCP port 55639.

2. What is the IP address of gaia.cs.umass.edu? On what port number is it sending and
receiving TCP segments for this connection?

The IP address of gaia.cs.umass.edu is 128.119.245.12, and it uses port 80 (HTTP) for this connection.


(same picture as in question 1)

3. What is the sequence number of the TCP SYN segment that is used to initiate the TCP
connection between the client computer and gaia.cs.umass.edu? (Note: this is the “raw”
sequence number carried in the TCP segment itself; it is NOT the packet # in the “No.”
column in the Wireshark window. Remember, there is no such thing as a “packet number” in
TCP or UDP; as you know, there are sequence numbers in TCP and that’s what we’re after
here. Also, note that this is not the relative sequence number with respect to the starting
sequence number of this TCP session.). What is it in this TCP segment that identifies the
segment as a SYN segment? Will the TCP receiver in this session be able to use Selective
Acknowledgments?

The “raw” sequence number is 4236649187.


Under Flags, the SYN bit is set to 1, which identifies this segment as a SYN segment.
Yes, this session will be able to use Selective Acknowledgments: the Options of the SYN include
“SACK permitted”, and SACK is in effect once the SYNACK carries the same option.

4. What is the sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the
client computer in reply to the SYN? What is it in the segment that identifies the segment as
a SYNACK segment? What is the value of the Acknowledgement field in the SYNACK
segment? How did gaia.cs.umass.edu determine that value?

The “raw” sequence number of the SYNACK segment is 106896752, with relative sequence
number 0.

In the Flags section, SYN and Acknowledgement are both set to 1, and in the packet list the
Info column shows [SYN, ACK] for this segment. This identifies it as a SYNACK segment.

The value of the acknowledgement field is 1 (relative), i.e. 4236649188 raw.

gaia.cs.umass.edu determined that value by adding 1 to the sequence number of the client's
SYN (4236649187 + 1 = 4236649188): the SYN consumes one sequence number, and the
acknowledgement field always holds the number of the next byte expected from the other side.

5. What is the sequence number of the TCP segment containing the header of the HTTP
POST command? Note that to find the POST message header, you’ll need to dig into the
packet content field at the bottom of the Wireshark window, looking for a segment with the
ASCII text “POST” within its DATA field. How many bytes of data are contained in the
payload (data) field of this TCP segment? Did all of the data in the transferred file alice.txt fit
into this single segment?

The “raw” sequence number is 4236649188, with relative sequence number 1.

There are 1448 bytes of data in the payload.

No, the data was transferred in 106 segments.

6. Consider the TCP segment containing the HTTP “POST” as the first segment in the data
transfer part of the TCP connection.

• At what time was the first segment (the one containing the HTTP POST) in the
data-transfer part of the TCP connection sent?

0.024047

• At what time was the ACK for this first data-containing segment received?

The ACK was received at t = 0.052671 s.

• What is the RTT for this first data-containing segment?

RTT = 0.052671 − 0.024047 = 0.028624 s

• What is the RTT value of the second data-carrying TCP segment and its ACK?

RTT = 0.028628

• What is the EstimatedRTT value after the ACK for the second data-carrying segment is
received? Assume that in making this calculation after receiving the ACK for the second
segment, the initial value of EstimatedRTT is equal to the measured RTT for the first
segment and then is computed using the EstimatedRTT equation on page 242, and a value
of α = 0.125. Note: Wireshark has a nice feature that allows you to plot the RTT for each of
the TCP segments sent. Select a TCP segment in the “listing of captured packets” window
sent from the client to the gaia.cs.umass.edu server. Then select: Statistics->TCP Stream
Graph->Round Trip Time Graph.

EstimatedRTT = (1 – α) • EstimatedRTT + α • SampleRTT

EstimatedRTT = (1 – 0.125) • 0.028624 + 0.125 • 0.028628
EstimatedRTT = 0.025046 + 0.0035785 = 0.0286245 s

7. What is the length (header plus payload) of each of the first four data-carrying TCP
segments?

All four segments have a 32-byte TCP header (20 bytes of fixed header plus 12 bytes of options)
and a 1448-byte payload, giving a total of 1480 bytes each.

8. What is the minimum amount of available buffer space advertised to the client by
gaia.cs.umass.edu among these first four data-carrying TCP segments? Does the lack of
receiver buffer space ever throttle the sender for these first four datacarrying segments?

The Window values in the ACKs for the first four data-carrying segments are 28960, 31872,
34816 and 37760 bytes, so the minimum amount of buffer space advertised is 28960 bytes.

No. The receiver never throttles the sender here: the four segments carry only 4 × 1448 = 5792
bytes, far below even the smallest advertised window, and the receiver's buffer stays steady at
131712 bytes throughout the transmission of these four segments.

(same pictures as in question 7)

9. Are there any retransmitted segments in the trace file? What did you check for (in the
trace) to answer this question?

No, there were no retransmissions.

We checked whether any data-carrying segment from the client reused a sequence number that
had already been sent. Wireshark marks such segments as [TCP Retransmission] in the Info
column, and the display filter tcp.analysis.retransmission lists them directly.

10. How much data does the receiver typically acknowledge in an ACK among the first ten
data-carrying segments sent from the client to gaia.cs.umass.edu? Can you identify cases
where the receiver is ACKing every other received segment (see Table 3.2 in the textbook)
among these first ten data-carrying segments?

The receiver typically acknowledges 1448 bytes of data, i.e. one full segment per ACK. This is
computed as the difference between the acknowledgement numbers of two consecutive ACK
segments:

1449 - 1 = 1448
2897 - 1449 = 1448
4345 - 2897 = 1448
5793 - 4345 = 1448
7241 - 5793 = 1448
8689 - 7241 = 1448
10137 - 8689 = 1448
11585 - 10137 = 1448
13033 - 11585 = 1448
14481 - 13033 = 1448

No, for the first ten segments the receiver acknowledges every segment individually. If the
receiver acknowledged every other segment (delayed ACK, Table 3.2), the acknowledgement number
would advance by 2 × 1448 = 2896 bytes per ACK instead of 1448.

11. What is the throughput (bytes transferred per unit time) for the TCP connection? Explain
how you calculated this value.

Throughput = 916249.1266 bytes/second
The total amount of data transmitted is the difference between the relative sequence number
of the first data-carrying TCP segment and the acknowledgement number of the last ACK received
from gaia.cs.umass.edu, i.e. total amount = 153426 − 1 = 153425 bytes.

This value can also be read from the picture below showing reassembled segments.
The total transmission time is the time at which the last acknowledgement was received minus
the time the first data segment was sent:

total transmission time = 0.191496 − 0.024047 = 0.167449 seconds

Throughput = total amount of data / total transmission time
Throughput = 153425 bytes / 0.167449 s = 916249.1266 bytes/second
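
To tie the Part 2 calculations together, here is an added example (not part of the original report) that runs the same checks over a small TCP trace constructed by hand around the numbers quoted above: the client and server ISNs, 1448-byte segments, and the first two RTTs of 0.028624 s and 0.028628 s. It verifies that the SYNACK acknowledges the client ISN + 1, computes per-segment RTT and EstimatedRTT with α = 0.125, looks for retransmitted sequence numbers (a second copy of the trace has one deliberately added so the check is seen firing; the real trace had none), reports how many bytes each ACK covers, and computes throughput the way question 11 does. Every timestamp other than the two quoted RTTs, and the retransmitted segment, are made-up values.

```python
"""Check a TCP trace the way Part 2 does, using only the standard library."""
from dataclasses import dataclass

SEQ_MOD = 1 << 32
CLIENT, SERVER = "192.168.86.68:55639", "128.119.245.12:80"
C_ISN, S_ISN = 4236649187, 106896752   # raw ISNs quoted in Part 2


@dataclass(frozen=True)
class Seg:
    t: float       # capture time in seconds
    src: str
    dst: str
    seq: int       # raw sequence number
    ack: int       # raw acknowledgement number (0 when the ACK flag is clear)
    flags: str     # "S", "SA", "A" or "PA"
    length: int    # TCP payload bytes


def relative(raw: int, isn: int) -> int:
    """Wireshark's relative number: raw minus the stream's ISN, modulo 2^32."""
    return (raw - isn) % SEQ_MOD


def isn_of(segs, host) -> int:
    """A host's ISN is the sequence number of its SYN (or SYNACK)."""
    return next(s.seq for s in segs if s.src == host and "S" in s.flags)


def synack_acks_isn_plus_one(segs) -> bool:
    """The SYN consumes one sequence number, so the SYNACK must acknowledge client ISN + 1."""
    synack = next(s for s in segs if s.src == SERVER and s.flags == "SA")
    return synack.ack == (isn_of(segs, CLIENT) + 1) % SEQ_MOD


def rtt_samples(segs) -> list:
    """RTT of each data-carrying client segment: time until the first server ACK covering it."""
    c_isn, out = isn_of(segs, CLIENT), []
    for d in (s for s in segs if s.src == CLIENT and s.length > 0):
        end = relative(d.seq + d.length, c_isn)
        ack = next((a for a in segs if a.src == SERVER and "A" in a.flags
                    and a.t > d.t and relative(a.ack, c_isn) >= end), None)
        if ack is not None:
            out.append(ack.t - d.t)
    return out


def estimated_rtt(samples, alpha=0.125) -> float:
    """EstimatedRTT = (1 - alpha) * EstimatedRTT + alpha * SampleRTT, seeded with the first sample."""
    est = samples[0]
    for s in samples[1:]:
        est = (1 - alpha) * est + alpha * s
    return est


def retransmissions(segs) -> list:
    """Data segments that reuse a (source, raw seq) already sent with payload."""
    seen, dups = set(), []
    for s in segs:
        if s.length == 0:
            continue
        if (s.src, s.seq) in seen:
            dups.append(s)
        seen.add((s.src, s.seq))
    return dups


def ack_deltas(segs) -> list:
    """Bytes newly acknowledged by each successive server ACK (1448 = one segment per ACK)."""
    acks = [s.ack for s in segs if s.src == SERVER and "A" in s.flags]
    return [(b - a) % SEQ_MOD for a, b in zip(acks, acks[1:])]


def throughput(segs) -> float:
    """Bytes acknowledged between the first data segment and the last ACK, over the elapsed time."""
    c_isn = isn_of(segs, CLIENT)
    first = next(s for s in segs if s.src == CLIENT and s.length > 0)
    last_ack = max((s for s in segs if s.src == SERVER and "A" in s.flags), key=lambda s: s.t)
    nbytes = relative(last_ack.ack, c_isn) - relative(first.seq, c_isn)
    return nbytes / (last_ack.t - first.t)


def c_data(t, rel_seq, length=1448):   # client data segment, given the relative seq number
    return Seg(t, CLIENT, SERVER, (C_ISN + rel_seq) % SEQ_MOD, S_ISN + 1, "PA", length)


def s_ack(t, rel_ack):                 # server pure ACK, given the relative ack number
    return Seg(t, SERVER, CLIENT, S_ISN + 1, (C_ISN + rel_ack) % SEQ_MOD, "A", 0)


# Constructed trace (NOT the lab's capture): handshake, four 1448-byte segments, their ACKs.
# Times are chosen so the first two RTTs equal the report's 0.028624 s and 0.028628 s.
TRACE = [
    Seg(0.000000, CLIENT, SERVER, C_ISN, 0, "S", 0),
    Seg(0.012000, SERVER, CLIENT, S_ISN, C_ISN + 1, "SA", 0),
    Seg(0.012100, CLIENT, SERVER, C_ISN + 1, S_ISN + 1, "A", 0),
    c_data(0.024047, 1),            # segment carrying the HTTP POST header
    c_data(0.024100, 1449),
    c_data(0.024150, 2897),
    c_data(0.024200, 4345),
    s_ack(0.052671, 1449),
    s_ack(0.052728, 2897),
    s_ack(0.052780, 4345),
    s_ack(0.052830, 5793),
]
# Same trace plus one constructed (spurious) retransmission of the third data segment.
TRACE_WITH_RETX = TRACE + [c_data(0.060000, 2897)]

if __name__ == "__main__":
    rtts = rtt_samples(TRACE)
    print("SYNACK acks ISN+1:", synack_acks_isn_plus_one(TRACE), " RTTs:", [round(x, 6) for x in rtts])
    print("EstimatedRTT:", round(estimated_rtt(rtts[:2]), 7), " ACK deltas:", ack_deltas(TRACE))
    print("retransmissions:", len(retransmissions(TRACE)), len(retransmissions(TRACE_WITH_RETX)),
          " throughput B/s:", round(throughput(TRACE), 1))
```

All comparisons are done on relative numbers so the logic survives a 32-bit sequence-number wrap. The retransmission check is deliberately simple (same source and same raw sequence number with payload); Wireshark's own heuristics also consider timing and the acknowledged range, but this is the check the answer to question 9 describes.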

12. Use the Time-Sequence-Graph (Stevens) plotting tool to view the sequence number
versus time plot of segments being sent from the client to the gaia.cs.umass.edu server.
Consider the “fleets” of packets sent around t = 0.025, t = 0.053, t = 0.082 and t = 0.1.
Comment on whether this looks as if TCP is in its slow start phase, congestion avoidance
phase or some other phase.

TCP is in its slow start phase: each successive fleet covers roughly twice the sequence-number
range of the previous one, i.e. the congestion window is doubling every RTT, which is what slow
start does. In congestion avoidance the window would grow by only about one MSS per RTT.

13. These “fleets” of segments appear to have some periodicity. What can you say about the
period?

The fleets are spaced about 0.028 s apart (t = 0.025, 0.053, 0.082, ...), which is the measured RTT.
The sender transmits a full window of segments, then runs out of window space and has to wait one
RTT for the ACKs to arrive before it can send the next fleet, so the period of the fleets equals the RTT.

14. Answer each of the two questions above for the trace, which is provided for download
and is generated

Discussion

We learned a lot from this assignment, especially when it comes to Wireshark as a whole. We
have never used this program before. We did not know you can get so much information
about different websites. We applied a lot of the theoretical knowledge learned for the
different sections and saw how different components in networking work together to
accomplish a task.

Two members of the group used a VM and one member used Windows, so we had different
answers for some questions, for example regarding the IP address of the local server in Part
1 question 12. We chose to use the results from Linux, but since the last part of Part 1 could
not be done on our Linux system we included answers for this part from Windows.

The main challenge was that sometimes Wireshark did not produce the expected output. For
example, for the last set of questions in Part 1, two of us using Wireshark on a virtual machine
could only get DNS queries but no TCP or UDP queries despite many attempts. So we
used the results obtained by the third member running Wireshark on Windows.

Another challenge was that it was not easy to translate the theory to useful information to
answer the questions. For example from part 2 question 6 the main challenge was figuring
out the right information from wireshark to use for our calculations and the learning modules
did not really prepare us for this.

Overall, we think the assignment was insightful and we learned a lot, but we think it would
have been better if we had had a lecture to introduce Wireshark and what the different
information obtained represents before the lab, since this was something new for us.
