22B91A04H9-1 Capturing and Analyzing TCP and IP Protocols Using Wireshark

The document outlines a practical activity using Wireshark to capture and analyze network traffic while accessing websites, specifically focusing on IP and TCP protocols. It details objectives such as filtering packets, analyzing header fields, and understanding the TCP three-way handshake. The activity includes steps for capturing data from two websites, tesla.com and cdac.in, and concludes with an analysis of the captured data and the effectiveness of the TCP/IP protocols in communication.

Uploaded by tapasvi07

Capturing and analyzing IP, TCP protocols using Wireshark
Objectives:

1) Accessing a website in a web browser while capturing the network traffic using Wireshark.
2) Filtering the relevant packets of the conversation with the particular website in the captured file.
3) Analysing the IPv4 and TCP header fields and the TCP three-way handshake procedure in establishing and releasing the connections.

Tool(s) required: Wireshark Network Analyzer

About IPv4 protocol:

● It is a fundamental protocol that routes data packets across the internet, using a 32-bit address system to identify devices and ensure data reaches the correct destination in the presence of multiple networks.
● It is a core protocol that enables communication across the internet and other packet-switched networks.
● Its primary function is to provide a way to identify and locate devices on a network, allowing data packets to be routed from one device to another.
● IPv4 uses a 32-bit address system, which is represented as four sets of numbers (0-255) separated by periods (e.g., 192.168.1.1).
● When a device sends data, it's broken down into packets, each containing the source and destination IP addresses. Routers then use these addresses to forward the packets along the network until they reach their destination.

IPv4 Header format:


About TCP Protocol:

● TCP (Transmission Control Protocol) is a connection-oriented, reliable protocol that ensures data delivery by using features like a three-way handshake, flow control, and error checking with retransmission, all while maintaining the order of data packets.
● TCP establishes a connection between the sender and receiver before data transmission, using a three-way handshake (SYN, SYN-ACK, ACK) to ensure both parties are ready.
● TCP guarantees reliable data delivery by using sequence numbers, acknowledgements (ACKs), and retransmission mechanisms to handle lost or corrupted packets.
● TCP uses a windowing mechanism to prevent the sender from overwhelming the receiver with data, ensuring efficient and reliable data transfer.

TCP Header format:

TCP three way handshake:


Activity:
Part A: Filtering and analysing PCAP file of website access to “tesla.com”

Step 1: Filtering tesla.com website packets

● Open the Wireshark file and observe the total number of packets.
● Go to View > Time Display Format and select "Seconds Since First Captured Packet".
● Fill in the details in the table below.

Total packets: 21346
Displayed packets: 21346
Time stamp of the first packet: 0
Time stamp of the last packet: 73.58
Average duration of each packet (packets/sec): 290.10

● To filter tesla.com website traffic apply the filter:

tls.handshake.extensions_server_name contains "tesla.com"

● Observe the packet number and IP address of tesla.com.

Packet number: 617
IP address of your PC: 192.168.0.171
IP address of tesla.com: 104.120.58.228

● Filter all the traffic of the tesla.com IP with the filter:

ip.addr==104.120.58.228
Step 2: Determining the number of networks between your PC and tesla.com by observing the TTL field value of the IP header.

● Open the IP header of a packet with tesla.com as source and your PC as destination.
● Observe the Time to Live field value.
● Assuming the field value is X:

1. If X < 64: subtract, 64-X.
2. If 64 < X < 128: subtract, 128-X.
3. If X > 128: subtract, 256-X.

Number of networks (64-X, 128-X or 256-X): 4

●​ Verify the same value by pinging tesla.com in Command Prompt.
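As an added example (not part of the original worksheet), the Python below decodes the fixed IPv4 header fields from raw bytes and applies Step 2's TTL rule to estimate the number of networks crossed. The 20-byte header is constructed here with a made-up TTL of 60, since the worksheet records only the resulting hop count of 4; the rule assumes the sender started from an initial TTL of 64, 128 or 256, as the worksheet does.

```python
import struct

def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (RFC 791 layout) into its fields."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError(f"not a valid IPv4 header (version {version}, IHL {ihl})")
    return {
        "version": version, "header_len": ihl * 4, "tos": tos,
        "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }

def estimate_hops(ttl: int) -> tuple[int, int]:
    """Step 2's rule: assume the sender started at the first initial TTL
    (64, 128 or 256) at or above the observed value and subtract.
    Returns (assumed initial TTL, networks crossed). The worksheet leaves
    X == 64 and X == 128 unspecified; here they count as 0 hops."""
    if not 0 < ttl <= 255:
        raise ValueError("TTL must be between 1 and 255")
    initial = 64 if ttl <= 64 else 128 if ttl <= 128 else 256
    return initial, initial - ttl

# Constructed sample: tesla.com -> PC header as in Part A, TTL 60 (made up),
# protocol 6 (TCP), checksum left as 0 because it is not verified here.
SAMPLE_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1C46, 0x4000, 60, 6, 0,
                            bytes([104, 120, 58, 228]), bytes([192, 168, 0, 171]))

def networks_to_sender(raw: bytes) -> tuple[str, int]:
    """Return (source IP, estimated number of networks between the sender and us)."""
    hdr = parse_ipv4_header(raw)
    return hdr["src"], estimate_hops(hdr["ttl"])[1]

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_HEADER))
    print(networks_to_sender(SAMPLE_HEADER))  # ('104.120.58.228', 4)
```

The ping check in the worksheet is the independent confirmation: a server whose stack starts from a different initial TTL would make the subtraction rule over- or under-count.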

Step 3: Analyzing the TCP header and understanding the TCP three-way handshake procedure.

● Expand the TCP header of the first packet with the tesla.com IP address.
● Right-click on the Conversation completeness field and select Conversation Filter > TCP.
● Note down the number of displayed packets in the bottom section.

Displayed packets: 8242
Time stamp of the first packet in the conversation: 15.01
Time stamp of the last packet in the conversation: 69.70
Average duration of each packet (packets/sec): 150.70

● These are the total number of packets transferred when accessing the website.
● Determining TCP conversation completeness: a full TCP conversation contains the packet types listed below.
● Wireshark assigns a value to each of the following packet types:

1 : SYN
2 : SYN-ACK
4 : ACK
8 : DATA
16 : FIN
32 : RST

● Observe the numeric value in the Conversation completeness field of the first TCP packet.
● Equate the value observed to the sum of all or any of the values assigned to the packet types above.

Conversation completeness: 63 = 1+2+4+8+16+32
Equated value (packets in the current conversation): SYN, SYN-ACK, ACK, DATA, FIN, RST
Is the conversation complete or not? COMPLETE

● From the above value we can determine if the conversation is complete or not.
● Filter the SYN packet using the filter:

(ip.addr eq 192.168.0.171 and ip.addr eq 104.120.58.228) and (tcp.port eq 52040 and tcp.port eq 443) && tcp.flags.syn == 1 && tcp.flags.ack == 0

Packet no. in the Wireshark file: 613
Source IP: 192.168.0.171
Destination IP: 104.120.58.228
Source port number: 52040
Destination port number: 443
Relative sequence number: 0
Relative acknowledgement number: 0
SYN (flag): 1
ACK (flag): 0
PSH (flag): 0
FIN (flag): 0
RST (flag): 0
Which type of packet is this in the conversation? SYN

● Filter the SYN-ACK packet using the filter:

(ip.addr eq 192.168.0.171 and ip.addr eq 104.120.58.228) and (tcp.port eq 52040 and tcp.port eq 443) && tcp.flags.syn == 1 && tcp.flags.ack == 1

Packet no. in the Wireshark file: 614
Source IP: 104.120.58.228
Destination IP: 192.168.0.171
Source port number: 443
Destination port number: 52040
Relative sequence number: 0
Relative acknowledgement number: 1
SYN (flag): 1
ACK (flag): 1
PSH (flag): 0
FIN (flag): 0
RST (flag): 0
Which type of packet is this in the conversation? SYN-ACK

● Filter the FIN packet using the filter:

(ip.addr eq 192.168.0.171 and ip.addr eq 104.120.58.228) and (tcp.port eq 52040 and tcp.port eq 443) && (tcp.flags.fin == 1)

Packet no. in the Wireshark file: 21035
Source IP: 192.168.0.171
Destination IP: 104.120.58.228
Source port number: 52040
Destination port number: 443
Relative sequence number: 129636
Relative acknowledgement number: 7971959
SYN (flag): 0
ACK (flag): 1
PSH (flag): 0
FIN (flag): 1
RST (flag): 0
Which type of packet is this in the conversation? FIN
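As an added example (not from the worksheet), the Python below reproduces what Step 3 does by hand: it applies the page's conversation filter to a list of segments, ORs together the bit values Wireshark assigns to each packet type, equates the resulting completeness value back to packet types, and picks out the SYN, SYN-ACK and FIN packets the way the three filters above do. The segments are constructed (packet numbers borrowed from Part A, payload sizes made up, 203.0.113.5 a stand-in for an unrelated host), and the rule that "complete" means the three handshake packets plus a FIN or RST is my reading, consistent with the page's 63 = COMPLETE.

```python
from dataclasses import dataclass

# Bit values Wireshark assigns to packet types in the Conversation completeness field
SYN, SYNACK, ACK, DATA, FIN, RST = 1, 2, 4, 8, 16, 32
NAMES = {SYN: "SYN", SYNACK: "SYN-ACK", ACK: "ACK", DATA: "DATA", FIN: "FIN", RST: "RST"}

@dataclass
class Segment:
    no: int                                     # packet number in the capture
    src: str; sport: int; dst: str; dport: int  # endpoints
    syn: bool; ack: bool; fin: bool; rst: bool  # TCP flags
    payload: int                                # TCP payload bytes carried

# Constructed sample for the Part A conversation (packet numbers from the worksheet, sizes made up)
PC, SRV = "192.168.0.171", "104.120.58.228"
SEGMENTS = [
    Segment(613, PC, 52040, SRV, 443, True, False, False, False, 0),      # SYN
    Segment(614, SRV, 443, PC, 52040, True, True, False, False, 0),       # SYN-ACK
    Segment(615, PC, 52040, SRV, 443, False, True, False, False, 0),      # ACK
    Segment(616, PC, 52040, SRV, 443, False, True, False, False, 517),    # DATA
    Segment(700, PC, 52041, "203.0.113.5", 443, True, False, False, False, 0),  # other conversation
    Segment(21035, PC, 52040, SRV, 443, False, True, True, False, 0),     # FIN
    Segment(21036, SRV, 443, PC, 52040, False, True, False, True, 0),     # RST
]

def in_conversation(s, a, ap, b, bp):
    """The page's (ip.addr eq A and ip.addr eq B) and (tcp.port eq X and tcp.port eq Y), either direction."""
    return {(s.src, s.sport), (s.dst, s.dport)} == {(a, ap), (b, bp)}

def classify(s):
    """Bit a segment contributes to completeness (simplified: one bit per segment)."""
    if s.rst: return RST
    if s.syn: return SYNACK if s.ack else SYN
    if s.fin: return FIN
    return DATA if s.payload else ACK

def completeness(segments, a, ap, b, bp):
    """OR the bits of every segment in the conversation, as Wireshark's completeness value does."""
    value = 0
    for s in segments:
        if in_conversation(s, a, ap, b, bp):
            value |= classify(s)
    return value

def decode(value):
    """Equate a value to its packet types; complete = full handshake plus FIN or RST (assumed rule)."""
    types = [name for bit, name in NAMES.items() if value & bit]
    handshake = (value & (SYN | SYNACK | ACK)) == (SYN | SYNACK | ACK)
    return types, handshake and bool(value & (FIN | RST))

def find(segments, a, ap, b, bp, wanted):
    """The page's SYN / SYN-ACK / FIN filters: packet number of the first such segment."""
    return next(s.no for s in segments if in_conversation(s, a, ap, b, bp) and classify(s) == wanted)
```

A value such as 7 (handshake only, never closed) is what a half-finished or still-open conversation looks like in the same field; real captures also set several bits on one segment (for example a FIN that carries data), which the one-bit classifier above ignores.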

Part B: Capturing, filtering and analysing PCAP file of website access to "cdac.in"

● Retrieve your PC's IP address from Command Prompt.

IP address of your PC: 192.168.0.49

● Open Wireshark, select the interface and capture packets.
● Browse cdac.in for a couple of minutes and close the page.
● Observe the details below.

Total packets: 9493
Displayed packets: 9493
Time stamp of the first packet: 0
Time stamp of the last packet: 194.50
Average duration of each packet (packets/sec): 48.80

● Filter the cdac.in website traffic using the filter:

tls.handshake.extensions_server_name contains "cdac.in"

● Observe the packet number and IP address of cdac.in.

Packet number: 2321
IP address of your PC: 192.168.0.49
IP address of cdac.in: 196.1.1.30

● Filter all the traffic of the cdac.in IP with the filter: ip.addr==196.1.1.30


● Open the IP header of a packet with cdac.in as source and your PC as destination.
● Observe the Time to Live field value. Determine the distance to cdac.in from your PC.

Number of networks (64-X, 128-X or 256-X): 17

● Filter the traffic of the conversation to cdac.in using the Conversation completeness field.
● Determine the total number of packets for this conversation.

Displayed packets: 9
Time stamp of the first packet in the conversation: 50.42
Time stamp of the last packet in the conversation: 169.07
Average duration of each packet (packets/sec): 0.075

● Determine if the conversation is complete or not.

Conversation completeness: 63 = 1+2+4+8+16+32
Equated value (packets in the current conversation): SYN, SYN-ACK, ACK, DATA, FIN, RST
Is the conversation complete or not? COMPLETE

● Filter the SYN packet in this conversation using the filter:

(ip.addr eq 196.1.1.30 and ip.addr eq 192.168.0.49) and (tcp.port eq 80 and tcp.port eq 50198) && tcp.flags.syn == 1 && tcp.flags.ack == 0

Packet no. in the Wireshark file: 2308
Source IP: 192.168.0.49
Destination IP: 196.1.1.30
Source port number: 50198
Destination port number: 80
Relative sequence number: 0
Relative acknowledgement number: 0
SYN (flag): 1
ACK (flag): 0
PSH (flag): 0
FIN (flag): 0
RST (flag): 0
Which type of packet is this in the conversation? SYN

● Filter the SYN-ACK packet using the filter:

(ip.addr eq 196.1.1.30 and ip.addr eq 192.168.0.49) and (tcp.port eq 80 and tcp.port eq 50198) && tcp.flags.syn == 1 && tcp.flags.ack == 1

Packet no. in the Wireshark file: 2313
Source IP: 196.1.1.30
Destination IP: 192.168.0.49
Source port number: 80
Destination port number: 50198
Relative sequence number: 0
Relative acknowledgement number: 1
SYN (flag): 1
ACK (flag): 1
PSH (flag): 0
FIN (flag): 0
RST (flag): 0
Which type of packet is this in the conversation? SYN-ACK

● Filter the FIN packet using the filter:

(ip.addr eq 196.1.1.30 and ip.addr eq 192.168.0.49) and (tcp.port eq 80 and tcp.port eq 50198) && (tcp.flags.fin == 1)

Packet no. in the Wireshark file: 9041
Source IP: 192.168.0.49
Destination IP: 196.1.1.30
Source port number: 50198
Destination port number: 80
Relative sequence number: 1
Relative acknowledgement number: 1
SYN (flag): 0
ACK (flag): 1
PSH (flag): 0
FIN (flag): 1
RST (flag): 0
Which type of packet is this in the conversation? FIN

Conclusion:

● In this activity, Wireshark packet capturing and analysis skills are exercised using the TCP and IP protocol headers.
● The IP address of, and the distance to, the server are determined by filtering and analysing the IP header.
● The parameters of the conversation with the server, including the time duration of the conversation, the port numbers and the flag fields which determine the TCP three-way handshake, are analysed using the TCP header.
