CPSC 441, Networking, Fall 2004
Lab 6: Ethereal and TCP


YOU HAVE ALREADY USED the packet-sniffer, Ethereal, in a previous lab. In this lab, you will use it again, this time to observe some details of the TCP protocol in action. In the first part of the lab, you will look at connection set-up and tear-down. The second part of the lab looks at how TCP behaves when it sends a single very long message. (The second part of the lab is based on the TCP Ethereal lab from our textbook's web site.)


Part 1: SYN, FIN, and All That

In this part of the lab, you will use Ethereal and netstat to look at several telnet sessions to investigate opening and closing of connections.

Recall that Ethereal is used to capture packets. Select the "Start" command from the "Capture" menu. Click the "OK" button to start a capture session. Another dialog appears while packets are being captured. Click "Stop" in this dialog box to end the session and display the captured packets. The "Filter" box at the bottom of the Ethereal window can be used to select a subset of the packets that you want to view. Set the filter to "tcp", for example, if you only want to see TCP packets.

Question 1: For this question, start a capture session, telnet to math.hws.edu and log in. (A user name and password that you can use will be given at the lab, so that you don't have to risk your own password to the insecure telnet protocol.) Give the "exit" command to log out. Then stop the capture and take a look at the packets. Describe the packets that are used in the opening and closing three-way handshakes. How long did the open and close sequences take? Are there any differences from the diagrams in the book? Is there anything in the Options section of the SYN and SYNACK TCP packets?

Question 2: After a connection is closed, the partner that initiated the close operation goes into a "TIME_WAIT" state that the book says can last for 1/2, 1, or 2 minutes, depending on the implementation. I would like you to find out how long it lasts in Linux. To do this, you need a way to observe the state of a TCP connection; the netstat command can serve this purpose. Run netstat with the command "netstat -t -n -c". This will show TCP connections and will repeat the output continuously until it is interrupted with CONTROL-C. Part of the output is the connection state, which can be things like ESTABLISHED, FIN_WAIT2, and TIME_WAIT. I want you to find out how long the TIME_WAIT state persists after you close a connection. You can use a telnet session to math.hws.edu to test this. You will have to force this connection to close from your side of the connection. To do this in telnet, hit CONTROL-] (control key plus left-bracket). You will get a telnet> prompt from the telnet client on your computer. Enter a close command to tell it to close the connection. You should report on how long the TIME_WAIT state lasts and explain exactly how you determined the answer.
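Watching the netstat output scroll by and counting seconds by hand is error-prone. The following Python script, added here as an illustration and not part of the lab handout, shows one way to do the measurement mechanically: it parses tables in the format that "netstat -t -n" prints, tracks the state of one chosen connection across repeated snapshots, and reports how long the row stayed in TIME_WAIT. The snapshots, addresses and timestamps below are constructed for the example; in practice you would capture the output of "netstat -t -n -c" together with timestamps (for instance by piping it through a small loop that prefixes each iteration with the current time).

```python
"""Time how long a connection stays in TIME_WAIT from repeated netstat output."""

# Constructed "netstat -t -n -c" output (not a real capture): each entry is the
# table printed on one iteration, paired with the time in seconds at which it
# was printed.  The telnet connection is closed from the client side, passes
# through FIN_WAIT2, and then sits in TIME_WAIT.  Addresses are made up.
HEADER = ("Active Internet connections (w/o servers)\n"
          "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n")

def row(local, remote, state):
    """One data row in netstat's column layout."""
    return f"tcp        0      0 {local:<23} {remote:<23} {state}\n"

SNAPSHOTS = [
    (0.0,  HEADER + row("10.1.2.3:41372", "172.16.1.10:23", "ESTABLISHED")
                  + row("10.1.2.3:41380", "172.16.1.20:80", "ESTABLISHED")),
    (1.0,  HEADER + row("10.1.2.3:41372", "172.16.1.10:23", "FIN_WAIT2")
                  + row("10.1.2.3:41380", "172.16.1.20:80", "ESTABLISHED")),
    (2.0,  HEADER + row("10.1.2.3:41372", "172.16.1.10:23", "TIME_WAIT")),
    (61.0, HEADER + row("10.1.2.3:41372", "172.16.1.10:23", "TIME_WAIT")),
    (62.0, HEADER),                       # the row has disappeared
]

def connection_states(netstat_text):
    """Map (local, remote) -> state for every tcp row in one netstat table.
    Header lines are skipped because their first word is not 'tcp'/'tcp6'."""
    states = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] in ("tcp", "tcp6"):
            states[(parts[3], parts[4])] = parts[5]
    return states

def time_wait_duration(snapshots, local, remote):
    """Seconds from the first snapshot showing (local, remote) in TIME_WAIT to
    the first later snapshot in which the row is gone.  Returns None if the
    connection never entered, or never left, TIME_WAIT during the samples.
    The result is only as precise as the interval between snapshots, which for
    'netstat -c' is about one second."""
    entered = None
    for t, text in snapshots:
        state = connection_states(text).get((local, remote))
        if entered is None:
            if state == "TIME_WAIT":
                entered = t
        elif state != "TIME_WAIT":
            return t - entered
    return None

if __name__ == "__main__":
    d = time_wait_duration(SNAPSHOTS, "10.1.2.3:41372", "172.16.1.10:23")
    print(f"TIME_WAIT lasted about {d} s")
```

Because the connection is only observed at the sampling instants, report the answer as a range (it entered TIME_WAIT somewhere between two consecutive snapshots and left between two others) rather than as an exact number.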

Question 3: Keep netstat running while you do this question. Start up Ethereal again, if it's not already running. For this question, I recommend that you enter "tcp" in the Ethereal window's "Filter" box, and press return, before starting the capture. And in the Start Capture window, select the options "Update list of packets in real time" and "Automatic scrolling in Live Capture". This lets you see TCP packets as they are captured. Start an Ethereal packet capture session. Try telnetting to a non-existent IP address outside the HWS local area network. For example, "telnet 123.45.67.89" should work. Based on the packets displayed in the Ethereal capture session, describe what TCP does in this case as it attempts to open a connection. (Give it some time.) Also, what do you see in the output of netstat, and why?


Part 2: TCP in Depth

This part of the lab is based on the Ethereal lab for TCP from our textbook's web site. However, instead of the questions in that lab, I want to ask my own questions (some of which are adapted from the textbook's lab).

Note that a quick way to retrieve information from a given URL on the Internet is the wget command. For example, to retrieve the alice.txt file that you need for the lab, you can use the command

          wget  http://gaia.cs.umass.edu/ethereal-labs/alice.txt

Get this file. (We are using this particular file only because it's a text copy of Alice in Wonderland, which is cool. Actually, any file of one or two hundred kilobytes would work just as well.) You will upload this file to the textbook's Web site using the file upload page at this Web address:

          http://gaia.cs.umass.edu/ethereal-labs/TCP-ethereal-file1.html

Before you click the submit button on this page, start up Ethereal and begin a packet trace. After the file has been successfully retrieved, you can stop the packet trace. You will probably want to save the packet trace, using Ethereal's "Save" command. That way, you can revisit the trace later just by loading the file, instead of having to repeat the experiment.

You only want to look at TCP packets in the packet trace, so enter "tcp" as a filter in the "Filter" box at the bottom of the Ethereal window. (I found that my data was polluted by a bunch of ICMP packets that were not part of the conversation with the web server. If this is also true for you, try using "tcp and not icmp" as the filter.)

Question 4: Ethereal, in its default configuration, reports zero-based sequence and ACK numbers. That is, it subtracts the initial sequence number to get a number that represents an actual number of bytes in the data stream. What sequence number does it report in the initial SYN packet? What ACK number does Ethereal report in the SYNACK packet? Why? Can you find the actual initial sequence number from the SYN packet? (Hint: You can find it pretty easily, but it will be in hexadecimal format.)

Question 5: Look at the first segment for the HTTP Post data. This is the beginning of the file upload. What is the sequence number in this packet? Why? Look at some of the ACK packets received from the server as the POST message is being sent. What is the value of the sequence number in each of these packets? Why?
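Questions 4 and 5 both turn on the difference between the sequence numbers carried in the packet bytes and the zero-based numbers Ethereal displays. The Python below is an added example, not part of the lab or of Ethereal: it decodes a raw TCP header with the standard library, then reproduces Ethereal's relative numbering by remembering each direction's initial sequence number from its SYN and subtracting it. The handshake and the first POST segment are constructed in the script, and the two initial sequence numbers are made-up values chosen only so that the hex form is easy to spot.

```python
"""Read raw TCP headers and reproduce Ethereal's relative sequence/ACK numbers."""
import struct

FLAG_FIN, FLAG_SYN, FLAG_ACK = 0x01, 0x02, 0x10
MOD32 = 1 << 32

def build_tcp_segment(src, dst, seq, ack, flags, options=b"", payload=b""):
    """Assemble a TCP segment (checksum left zero); used only to construct samples."""
    options += b"\x00" * (-len(options) % 4)          # options are padded to 32-bit words
    data_offset = (20 + len(options)) // 4            # header length in 32-bit words
    header = struct.pack("!HHIIHHHH", src, dst, seq, ack,
                         (data_offset << 12) | flags, 65535, 0, 0)
    return header + options + payload

def parse_tcp_header(segment):
    """Split a TCP segment into its fixed fields, options and payload."""
    src, dst, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
            "window": win, "options": segment[20:hdr_len], "payload": segment[hdr_len:]}

def relative_numbers(segments):
    """Mimic Ethereal: subtract each direction's ISN (learned from its SYN) from
    every seq/ack so the numbers count bytes in the stream.  Returns
    (relative seq, relative ack or None, payload length) for each segment."""
    isn, out = {}, []
    for seg in segments:
        h = parse_tcp_header(seg)
        fwd, rev = (h["src"], h["dst"]), (h["dst"], h["src"])
        if h["flags"] & FLAG_SYN:
            isn[fwd] = h["seq"]
        rel_seq = (h["seq"] - isn[fwd]) % MOD32
        rel_ack = (h["ack"] - isn[rev]) % MOD32 if h["flags"] & FLAG_ACK and rev in isn else None
        out.append((rel_seq, rel_ack, len(h["payload"])))
    return out

def raw_isn_hex(segment):
    """The sequence number exactly as it sits in the packet bytes, in hex."""
    return f"{parse_tcp_header(segment)['seq']:08x}"

# Constructed handshake plus the first segment of an HTTP POST.  ISNs are made up.
CLIENT_ISN, SERVER_ISN = 0x2A7F1C44, 0x9B33E010
MSS_OPTION = b"\x02\x04\x05\xb4"                     # kind 2, length 4, MSS 1460
CLIENT, SERVER = 41372, 80
POST_CHUNK = b"POST /upload HTTP/1.1\r\n" + b"A" * 77   # exactly 100 payload bytes

SEGMENTS = [
    build_tcp_segment(CLIENT, SERVER, CLIENT_ISN, 0, FLAG_SYN, MSS_OPTION),
    build_tcp_segment(SERVER, CLIENT, SERVER_ISN, CLIENT_ISN + 1, FLAG_SYN | FLAG_ACK, MSS_OPTION),
    build_tcp_segment(CLIENT, SERVER, CLIENT_ISN + 1, SERVER_ISN + 1, FLAG_ACK),
    build_tcp_segment(CLIENT, SERVER, CLIENT_ISN + 1, SERVER_ISN + 1, FLAG_ACK, payload=POST_CHUNK),
    build_tcp_segment(SERVER, CLIENT, SERVER_ISN + 1, CLIENT_ISN + 101, FLAG_ACK),
]

if __name__ == "__main__":
    for rel_seq, rel_ack, n in relative_numbers(SEGMENTS):
        print(f"seq={rel_seq:<5} ack={rel_ack!s:<5} len={n}")
    print("client ISN as it appears in the packet bytes:", raw_isn_hex(SEGMENTS[0]))
```

Compare the output of relative_numbers with the values printed by raw_isn_hex: the first is what Ethereal shows in the packet list, the second is what you find when you expand the TCP header or look at the hex dump at the bottom of the window.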

Question 6: Explain how you can find the actual round trip time for a given ACK packet, just by looking at the information in the top third of the Ethereal window. (Note that the time column specifies the time in seconds since the beginning of the packet trace.) If you look in the TCP section of the ACK packet in the middle third of the Ethereal window, you will find that the round trip time has already been calculated for you. Look at the first six ACKs that are received from the server. For each ACK, compute the value of the TCP state variable EstimatedRTT, as given by the formula on page 237 of the textbook. Do you observe a lot of variation in the measured RTTs over the course of the transmission? (You can use Ethereal to get a plot of all the RTTs. Click on any TCP packet, then select the "Round Trip Time Graph" command from the "TCP Stream Graph" sub-menu of the "Statistics" menu.)

Question 7: Is a separate ACK received for each data packet, or did the server sometimes acknowledge several packets with one ACK? Can you find any retransmitted packets? What did you look for to determine the answers?
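Questions 6 and 7 can both be answered from the packet list alone, and the Python below (added for this write-up; it is neither Ethereal's code nor part of the lab) shows the bookkeeping involved. Given segments described by the columns you see in the top third of the Ethereal window (time, direction, relative seq, length, ack), it pairs each server ACK with the client segment whose last byte it covers and takes the time difference as the RTT sample, runs those samples through the textbook's EstimatedRTT formula, and flags both ACKs that cover more than one segment and segments that were sent more than once. The trace is constructed, including a deliberate retransmission; the smoothing factor alpha = 0.125 and the choice to seed EstimatedRTT with the first sample are assumptions, so substitute the values your textbook gives.

```python
"""Per-ACK RTT samples, EstimatedRTT, cumulative ACKs and retransmissions from a
list of TCP segments described with Ethereal-style relative sequence numbers."""

ALPHA = 0.125          # smoothing factor for EstimatedRTT (assumed textbook value)

# Constructed trace (not a real capture): (time in s, direction, relative seq,
# payload length, relative ack).  "C" is the uploading client, "S" the server.
PACKETS = [
    (0.000, "C", 1,    1460, 1),
    (0.001, "C", 1461, 1460, 1),
    (0.002, "C", 2921, 1460, 1),
    (0.050, "S", 1,    0,    1461),   # acknowledges the first segment only
    (0.052, "S", 1,    0,    4381),   # one ACK covering two data segments
    (0.060, "C", 4381, 1460, 1),
    (0.061, "C", 5841, 1460, 1),
    (0.120, "S", 1,    0,    5841),
    (0.300, "C", 5841, 1460, 1),      # same seq sent again: a retransmission
    (0.360, "S", 1,    0,    7301),
]

def analyze_acks(packets):
    """For each server ACK, return which client segments it newly acknowledges
    and an RTT sample: ACK time minus the send time of the segment whose last
    byte the ACK covers.  No sample is taken when that segment was transmitted
    more than once (Karn's rule), since the ACK cannot be tied to one copy."""
    sent, seg_len = {}, {}          # seq -> [send times], seq -> payload length
    highest_ack, records = 0, []
    for t, direction, seq, length, ack in packets:
        if direction == "C" and length > 0:
            sent.setdefault(seq, []).append(t)
            seg_len[seq] = length
        elif direction == "S":
            newly = sorted(s for s in sent if highest_ack <= s < ack)
            sample = None
            if newly:
                last = newly[-1]
                if len(sent[last]) == 1 and last + seg_len[last] == ack:
                    sample = round(t - sent[last][0], 6)
            records.append({"time": t, "ack": ack, "acked": newly, "sample_rtt": sample})
            highest_ack = max(highest_ack, ack)
    return records

def estimated_rtts(samples, alpha=ALPHA):
    """EstimatedRTT = (1 - alpha) * EstimatedRTT + alpha * SampleRTT after each
    sample, seeded with the first sample (an assumption, not from the book)."""
    est, out = None, []
    for s in samples:
        est = s if est is None else (1 - alpha) * est + alpha * s
        out.append(round(est, 6))
    return out

def retransmissions(packets):
    """Relative seq numbers carried by more than one data-bearing segment."""
    seen, repeated = set(), set()
    for _, direction, seq, length, _ in packets:
        if direction == "C" and length > 0:
            if seq in seen:
                repeated.add(seq)
            seen.add(seq)
    return sorted(repeated)

if __name__ == "__main__":
    recs = analyze_acks(PACKETS)
    for r in recs:
        kind = "cumulative" if len(r["acked"]) > 1 else "single"
        print(f"t={r['time']:.3f} ack={r['ack']} acks {r['acked']} ({kind}) rtt={r['sample_rtt']}")
    print("EstimatedRTT:", estimated_rtts([r["sample_rtt"] for r in recs if r["sample_rtt"] is not None]))
    print("retransmitted seqs:", retransmissions(PACKETS))
```

In a real trace you would fill PACKETS from the columns Ethereal displays (or export the packet list to a text file and parse it); the value Ethereal itself computes in the TCP section of each ACK should agree with the sample_rtt produced here for ACKs that advance the window.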

Question 8: Click on any TCP packet in the conversation, and then select the "Time Sequence Graph (Stevens)" command from the "TCP Stream Graph" sub-menu of the "Statistics" menu. This graph shows the time at which each packet was sent. Describe the pattern of times that you observe. Do you see groups of packets that are sent in "clusters" at almost the same time? If so, what changes do you see in the sizes of these clusters? If not, what do you see? We will be covering TCP's congestion control algorithm early next week. Can you find evidence of this algorithm -- including the slow start and the congestion-avoidance phases -- in the Time Sequence Graph?

Question 9: The reason for using an upload to a remote site in the previous questions was to get a realistic view of transmission over the Internet. Transmission inside a local area network should be faster and more reliable. Do a packet capture of uploading the alice.txt file to the page at http://math.hws.edu/eck/cs441/upload.html. Comment on any differences between this local transfer and the Internet transfer. For example, how much faster is it? How do round trip times compare? How about the Time Sequence Graphs?