Wireshark is a network packet analyser. A network packet analyser captures network packets and displays the packet data in as much detail as possible. It is a measuring device for examining what is going on inside a network cable, just as a voltmeter examines what is going on inside an electric cable. In the past, packet capturing tools were either very expensive or proprietary. With the arrival of Wireshark that has changed, and it is one of the best open source packet analysers available today.
Some intended purposes of Wireshark
Network administrators use it to troubleshoot day-to-day network problems.
Network security engineers use it to examine security problems, and developers use it to debug protocol implementations.
People use it to learn network protocol internals.
The following are some of the many features Wireshark provides:
It is available for UNIX and Windows.
Capture live packet data from a network interface.
Display packets with very detailed protocol information.
Open and save captured packet data.
Import and export packet data from and to many other capture programs.
Filter packets on many criteria.
Search for packets on many criteria.
Colorize the packet display based on filters.
Create various statistics.
Although the range of Internet applications is wide and varied, the protocol suites associated with the different application/network combinations have a common structure. The different types of network operate in a variety of modes (circuit-switched or packet-switched, connection-oriented or connectionless), and hence each type of network has a different set of protocols for interfacing to it. Above the network-layer protocol, however, all protocol suites comprise one or more application protocols and a number of what are called application-support protocols. In order to shield the application protocols from the differing services provided by the various network protocols, all protocol suites have one or more transport protocols. These provide the application protocols with a network-independent information interchange service; in the case of the TCP/IP suite they are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). TCP provides a connection-oriented (reliable) service and UDP a connectionless (best-effort) service. Both protocols are present in the suite, and the choice between them is determined by the requirements of the application. There are also variants of TCP tuned for use over wireless networks.
TCP/IP protocol suite
It is helpful to illustrate the position of each protocol relative to the others in the TCP/IP suite. The IP protocol and the network-dependent protocols below it are all part of the operating system kernel, as are the two transport protocols, TCP and UDP, while the various application protocols are implemented as separate programs or processes.
Figure 1: TCP/IP protocol suite interlayer communication
The Transmission Control Protocol (TCP)
The Transmission Control Protocol (TCP) provides two communicating peer application protocols, one in a client computer and the other in a server computer, with a two-way, reliable data interchange service. The structure of the data is transparent to the two communicating peer TCP protocol entities, which treat all the data submitted by each local application entity as a stream of bytes. The stream of bytes flowing in each direction is then transferred from one TCP entity to the other in a reliable way; that is, to a high probability, each byte in the stream flowing in.
Figure 2 : TCP packet format
Source Port: 2 bytes identifying the sending application (port number).
Destination Port: 2 bytes identifying the receiving application (port number).
Sequence Number: 4 bytes giving the position in the outgoing byte stream of the first data byte in this segment. In a SYN segment it carries the initial sequence number (ISN); the SYN itself consumes one sequence number, as does a FIN.
Acknowledgement Number: 4 bytes. When the ACK flag is set, this is the sequence number of the next byte the sender expects to receive, which positively acknowledges every byte before it in the incoming byte stream.
Data Offset: 4 bits giving the header length in 32-bit words, i.e. where the segment data begins (20 bytes with no options, at most 60 bytes).
Reserved: 6 bits for future use in the original specification (RFC 793). RFC 3168 later took two of these bits for the ECE and CWR flags, which is why Wireshark decodes them as flags.
Flags: 6 one-bit flags: URG, ACK, PSH, RST, SYN and FIN.
Window: 2 bytes giving the number of bytes the sender of this segment is currently willing to accept, i.e. the free space in its receive buffer (multiplied by the window scale factor when that option was negotiated).
Checksum: 2 bytes; a ones'-complement checksum over a pseudo-header (source and destination IP addresses, protocol and length), the TCP header and the data. It detects accidental corruption only and gives no protection against deliberate modification.
Urgent Pointer: 2 bytes; meaningful only when the URG flag is set, it gives the offset from the sequence number to the end of the urgent data in the segment.
Options: variable length, padded to a 32-bit boundary; carries additional TCP options such as maximum segment size, window scale, SACK permitted and timestamps.
Computer networking AND internet
User Datagram Protocol (UDP)
Compared with TCP, there is no correlation between the size of the messages or blocks of data submitted by a user application process (AP) and the amount of data carried in each TCP segment; the segment size is typically determined by the path MTU so that fragmentation of each segment is avoided. In contrast, with UDP each message/block of data submitted by a user AP is transferred directly in a single IP datagram. On receipt of the message, the source UDP simply adds a short header to it to form what is called a UDP datagram. This is then submitted to the IP layer for transfer over the internet using, if necessary, fragmentation. At the destination, IP first determines from the protocol field in the datagram header that the destination protocol is UDP (protocol number 17), and then passes the contents of the (IP) datagram to UDP. UDP determines the intended user AP from the destination port field in the UDP header and passes the contents of the (UDP) datagram to the peer user AP for processing. There are no error or flow control procedures involved, and hence no connection setup is required.
UDP datagrams are the connectionless counterpart of TCP segments and are used for many purposes, the most important being DNS, which uses UDP for most of its work. DNS finds out which IP address corresponds to which hostname (e.g. www.example.com cannot be used as a destination inside an IP datagram; the DNS system resolves it to an IP address to which traffic can be routed). Other uses of UDP include VoIP, many online games and streaming media. Because there is no handshake, the source address of a UDP datagram is trivially spoofable, which is why UDP services such as DNS are abused for reflection and amplification attacks.
Figure 3: UDP header fields
IP is a connectionless protocol that handles addressing data from one point to another and fragments large amounts of data into smaller, transmittable packets. The major fields of an Internet Protocol datagram header are:
IP Identification (IPID): identifies a datagram so that its fragments can be reassembled; every fragment of one datagram carries the same IPID. Hosts that simply increment this value for every datagram they send leak how much traffic they are generating, which is what the idle scan technique exploits.
Protocol: identifies the higher-level protocol carried in the datagram (6 for TCP, 17 for UDP, 1 for ICMP).
Time-to-live (TTL): prevents datagrams from routing in circles. Each router decrements it; when it reaches 0 the datagram is dropped and an ICMP Time Exceeded message is returned to the source. This is what allows traceroute to work: it sends datagrams with successively increasing TTLs and records which router reports each one as expired. The initial TTL also hints at the sending operating system (commonly 64, 128 or 255).
Source IP Address: the IP address of the host where the datagram was created. Nothing in IP verifies it; a datagram with a spoofed source address is delivered just like a genuine one.
Destination IP Address: the address of the host to which the datagram should be delivered.
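The three header layouts described above (the TCP fields, the UDP header and the IP datagram fields), as an added example that is not part of the original page: a small Python parser that decodes a raw IPv4 datagram, demultiplexes on the Protocol field to TCP or UDP, and verifies the checksums the way Wireshark's checksum status does. The two packets, the 10.0.0.x addresses and the port numbers are constructed inline for the example and do not come from any real capture.

```python
import struct

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")  # bit 0..7


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd length is zero-padded).
    Recomputing it over data that already contains a valid checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header fields and hand the payload to TCP or UDP."""
    ver_ihl, _tos, total_len, ipid, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                       # header length in bytes
    ip = {"version": ver_ihl >> 4, "ipid": ipid, "ttl": ttl, "protocol": proto,
          "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
          "header_checksum_ok": internet_checksum(packet[:ihl]) == 0}
    payload = packet[ihl:total_len]
    # TCP and UDP checksums also cover this pseudo-header of IP-layer fields.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(payload))
    if proto == 6:
        ip["tcp"] = parse_tcp(payload, pseudo)
    elif proto == 17:
        ip["udp"] = parse_udp(payload, pseudo)
    return ip


def parse_tcp(seg: bytes, pseudo: bytes) -> dict:
    sport, dport, seq, ack, off_flags, window, _csum, urg = \
        struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4               # 4-bit field, 32-bit words
    flags = [n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "flags": flags, "window": window,
            "urgent_pointer": urg, "options": seg[20:data_offset],
            "payload": seg[data_offset:],
            "checksum_ok": internet_checksum(pseudo + seg) == 0}


def parse_udp(dgram: bytes, pseudo: bytes) -> dict:
    sport, dport, length, csum = struct.unpack("!HHHH", dgram[:8])
    return {"src_port": sport, "dst_port": dport, "length": length,
            "payload": dgram[8:length],
            # For IPv4 a zero UDP checksum means "not computed", so it passes.
            "checksum_ok": csum == 0 or internet_checksum(pseudo + dgram) == 0}


# Builders used only to construct the sample packets below.
def build_tcp(src, dst, sport, dport, seq, ack, flags, payload=b"", options=b""):
    options += b"\x00" * (-len(options) % 4)          # pad to 32-bit boundary
    off_flags = ((20 + len(options)) // 4) << 12
    off_flags |= sum(1 << TCP_FLAGS.index(f) for f in flags)
    seg = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0)
    seg += options + payload
    pseudo = struct.pack("!4s4sBBH", _addr(src), _addr(dst), 0, 6, len(seg))
    return seg[:16] + struct.pack("!H", internet_checksum(pseudo + seg)) + seg[18:]


def build_udp(src, dst, sport, dport, payload):
    length = 8 + len(payload)
    dgram = struct.pack("!HHHH", sport, dport, length, 0) + payload
    pseudo = struct.pack("!4s4sBBH", _addr(src), _addr(dst), 0, 17, length)
    csum = internet_checksum(pseudo + dgram) or 0xFFFF   # 0 is sent as 0xFFFF
    return dgram[:6] + struct.pack("!H", csum) + dgram[8:]


def build_ipv4(src, dst, proto, payload, ttl=64, ipid=0x1234):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ipid,
                      0x4000, ttl, proto, 0, _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + payload


# Constructed samples (hypothetical addresses): a client SYN carrying the MSS
# and SACK-permitted options, and a UDP datagram to port 53.
SYN_PACKET = build_ipv4("10.0.0.1", "10.0.0.2", 6,
    build_tcp("10.0.0.1", "10.0.0.2", 40000, 80, 1000, 0, ["SYN"],
              options=b"\x02\x04\x05\xb4\x04\x02"))
DNS_PACKET = build_ipv4("10.0.0.1", "10.0.0.2", 17,
    build_udp("10.0.0.1", "10.0.0.2", 5353, 53, b"query"))

if __name__ == "__main__":
    for pkt in (SYN_PACKET, DNS_PACKET):
        print(parse_ipv4(pkt))
```

Flipping a single byte of either packet makes the corresponding transport checksum fail while the IP header checksum still verifies, which is exactly the split Wireshark reports; note that a checksum failure on packets captured on the sending host is usually checksum offload, not corruption.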
The TCP Handshake
An important concept in TCP is handshaking. Before any data can be exchanged between two hosts, they must agree to communicate. Host A sends a segment with the SYN flag set to Host B. If Host B is willing and able to communicate, it returns a segment with both the SYN and ACK flags set. Host A then sends an ACK confirming that it received Host B's SYN, and can begin sending data. When the communication ends, a segment with the FIN (finish) flag is sent, and a similar acknowledgement process is followed.
Another important component of TCP is sequence identification, where each segment sent is part of a numbered sequence. Through these numbers, TCP handles complex tasks such as retransmission, acknowledgement and ordering.
The Three-Way Handshake
TCP uses a number of flags, or 1-bit boolean fields, in its header to control the state of a connection. The three we are most interested in here are:
SYN – (Synchronize) Initiates a connection
FIN – (Finish) Cleanly terminates a connection; the sender has no more data to send
ACK – (Acknowledge) Acknowledges received data; set on every segment after the initial SYN
Figure 4: TCP packet capture of the three-way handshake
Select packet no. 1 in Wireshark, expand the TCP layer in the middle (packet details) pane, and then expand the "Flags" field within the TCP header. Here all of the TCP flags are broken down individually. Note that the SYN flag is on (set to 1).
Figure 5: Multiple flags set
As shown in the above packet capture, the server's reply has two flags set: ACK, to acknowledge receipt of the client's SYN, and SYN, to indicate that the server also wishes to open its side of the TCP connection.
Figure 6: Three-way handshake illustrated using Wireshark
Figure 7: The variability of the TCP window size
As seen in the above capture, the TCP window size varies during the download. The following values were observed during the download from different mirror sites.
Initial window size:
Window size variability:
Time taken to download: 3 min 45 sec
Variability of TCP Window Size
The TCP receive window bounds the amount of data that may be in flight, i.e. sent but not yet acknowledged, between the sender and the receiver. If the window size is 16 KB, the sender stops after sending 16 KB of unacknowledged data and waits until the receiver has acknowledged some of it. Only then will the sender start transmitting data again.
To improve throughput the window size needs to be set high enough that the sender can keep transmitting at all times; the amount needed is the bandwidth-delay product of the path. The TCP receive window is an upper bound on the amount of data allowed in the pipe between the sending and receiving hosts. The receiver tells the sender its maximum receive window size, and this sets an upper bound on the connection's throughput regardless of the bandwidth actually available on the network. Because the Window field is only 16 bits, windows above 65,535 bytes require the window scale option negotiated in the SYN segments; Wireshark shows both the raw field and the calculated (scaled) window size, and the calculated value is only right if the capture includes the handshake.
The actual amount of data in flight varies throughout the session, because the sender also maintains its own limit, the congestion window, and sends no more than the smaller of the two. TCP uses slow start: the sender begins with a small congestion window and grows it for every acknowledgement received, so the amount in flight increases exponentially until it reaches the slow-start threshold or the pipe between sender and receiver becomes full. When a loss is detected the window is cut back and then grown again more cautiously (congestion avoidance). This cycle of expanding and shrinking continues throughout the session so that the connection runs close to the capacity of the path.
Fast recovery: a duplicate ACK means that a segment has left the network and arrived at the receiver, just not the one the receiver was waiting for. After three duplicate ACKs the sender retransmits the missing segment immediately (fast retransmit), halves the congestion window and continues in congestion avoidance rather than dropping back to slow start.
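The slow start, congestion avoidance and fast recovery behaviour described above, as an added example that is not part of the original page: a Python simulation of the sender's congestion window, in units of the maximum segment size, driven by a constructed sequence of acknowledgement events. The rules follow TCP Reno (RFC 5681); the initial threshold and the event sequence are chosen for illustration only.

```python
def reno_trace(events, ssthresh=8):
    """Simulate the sender's congestion window (cwnd, in MSS units).

    events: iterable of "ack" (new data acknowledged), "dupack" (duplicate
    acknowledgement) or "timeout" (retransmission timer expired).
    Returns a list of (event, cwnd, ssthresh, phase) after each event."""
    cwnd = 1.0
    dupacks = 0
    in_recovery = False
    trace = []
    for ev in events:
        if ev == "ack":
            dupacks = 0
            if in_recovery:
                # Fast recovery ends: deflate to ssthresh and stay in congestion avoidance.
                cwnd, in_recovery = float(ssthresh), False
            elif cwnd < ssthresh:
                cwnd += 1                 # slow start: doubles every round trip
            else:
                cwnd += 1 / cwnd          # congestion avoidance: about one MSS per RTT
        elif ev == "dupack":
            dupacks += 1
            if in_recovery:
                cwnd += 1                 # each dup ACK means a segment left the network
            elif dupacks == 3:
                # Fast retransmit + fast recovery: halve, do not fall back to slow start.
                ssthresh = max(int(cwnd / 2), 2)
                cwnd = ssthresh + 3.0     # the three dup ACKs already left the network
                in_recovery = True
        elif ev == "timeout":
            # Loss with no feedback at all: back to slow start from one segment.
            ssthresh = max(int(cwnd / 2), 2)
            cwnd, dupacks, in_recovery = 1.0, 0, False
        else:
            raise ValueError("unknown event %r" % (ev,))
        phase = ("fast recovery" if in_recovery else
                 "slow start" if cwnd < ssthresh else "congestion avoidance")
        trace.append((ev, round(cwnd, 3), ssthresh, phase))
    return trace


# Constructed event sequence: fill the pipe, lose one segment (three dup ACKs
# plus one more while recovering), recover, then suffer a timeout.
SAMPLE_EVENTS = ["ack"] * 8 + ["dupack"] * 4 + ["ack"] * 2 + ["timeout", "ack"]

if __name__ == "__main__":
    for step in reno_trace(SAMPLE_EVENTS):
        print("%-8s cwnd=%6.3f ssthresh=%2d  %s" % step)
```

The difference between the two loss signals is the point of the example: three duplicate ACKs cut cwnd to half (plus the segments known to have left the network), a timeout drops it to one segment, and only the timeout path re-enters slow start.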
TCP session termination
TCP connection termination is implemented as follows:
One computer sends a FIN segment, with sequence number N, to the other computer; it also carries an ACK for the last data received.
The other computer replies with an ACK number of N+1 (the FIN consumes one sequence number, just as a SYN does).
It also sends a FIN with sequence number X, either in the same segment or in a separate one.
The originating computer replies with an ACK number of X+1. The connection is closed; the side that closed first stays in TIME_WAIT for a while so that delayed segments from the old connection are not mistaken for a new one.
Another way to close the connection is for one computer to send a segment with the RST (reset) bit set, which tells the other computer to terminate the connection immediately and without acknowledgement. Only an RST whose sequence number falls within the receiver's window is accepted, which is what makes blind reset attacks against an observed connection hard.
Figure 9: TCP session termination process
Figure 10: Sample packet capture of TCP session termination using Wireshark
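The handshake, data transfer and termination exchanges described in the sections above, as an added example that is not part of the original page: a Python model of both endpoints that reproduces the sequence and acknowledgement arithmetic (SYN and FIN each consume one sequence number; every ACK carries the next byte expected). The initial sequence numbers and the request bytes are fixed constants chosen for the example, where a real stack randomizes the ISN, and no sockets are opened.

```python
class Endpoint:
    """One side of a TCP connection: the two sequence variables that matter
    for this example, plus a coarse state name."""

    def __init__(self, name: str, isn: int):
        self.name = name
        self.snd_nxt = isn        # next sequence number we will send
        self.rcv_nxt = 0          # next sequence number we expect from the peer
        self.state = "CLOSED"

    def send(self, flags, payload: bytes = b"") -> dict:
        seg = {"from": self.name, "flags": tuple(flags), "seq": self.snd_nxt,
               "ack": self.rcv_nxt if "ACK" in flags else 0, "payload": payload}
        # Data bytes, SYN and FIN each occupy sequence space; a bare ACK does not.
        self.snd_nxt += len(payload) + ("SYN" in flags) + ("FIN" in flags)
        return seg

    def receive(self, seg: dict) -> None:
        if "RST" in seg["flags"]:
            self.state = "CLOSED"         # abort: nothing is acknowledged
            return
        if "SYN" in seg["flags"]:
            self.rcv_nxt = seg["seq"]     # peer's ISN: start expecting from here
        if seg["seq"] != self.rcv_nxt:
            return                        # out of order: a real stack would queue it
        self.rcv_nxt += (len(seg["payload"]) + ("SYN" in seg["flags"])
                         + ("FIN" in seg["flags"]))


def three_way_handshake(a: Endpoint, b: Endpoint) -> list:
    syn = a.send(["SYN"])
    a.state = "SYN_SENT"
    b.receive(syn)
    b.state = "SYN_RECEIVED"
    synack = b.send(["SYN", "ACK"])
    a.receive(synack)
    a.state = "ESTABLISHED"
    ack = a.send(["ACK"])
    b.receive(ack)
    b.state = "ESTABLISHED"
    return [syn, synack, ack]


def transfer(a: Endpoint, b: Endpoint, payload: bytes) -> list:
    data = a.send(["PSH", "ACK"], payload)
    b.receive(data)
    ack = b.send(["ACK"])             # ack = seq of the data + len(payload)
    a.receive(ack)
    return [data, ack]


def graceful_close(a: Endpoint, b: Endpoint) -> list:
    """Four segments: FIN from a, ACK from b, FIN from b, ACK from a."""
    fin1 = a.send(["FIN", "ACK"])
    a.state = "FIN_WAIT_1"
    b.receive(fin1)
    b.state = "CLOSE_WAIT"
    ack1 = b.send(["ACK"])
    a.receive(ack1)
    a.state = "FIN_WAIT_2"
    fin2 = b.send(["FIN", "ACK"])
    b.state = "LAST_ACK"
    a.receive(fin2)
    a.state = "TIME_WAIT"
    ack2 = a.send(["ACK"])
    b.receive(ack2)
    b.state = "CLOSED"
    return [fin1, ack1, fin2, ack2]


def abort(a: Endpoint, b: Endpoint) -> list:
    rst = a.send(["RST", "ACK"])
    a.state = "CLOSED"
    b.receive(rst)
    return [rst]


def run_session(client_isn=1000, server_isn=5000, request=b"GET / HTTP/1.0\r\n\r\n"):
    """Full lifetime of one connection; returns the segment trace and both endpoints."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    trace = three_way_handshake(client, server)
    trace += transfer(client, server, request)
    trace += graceful_close(client, server)
    return trace, client, server


if __name__ == "__main__":
    for seg in run_session()[0]:
        print("%-6s %-8s seq=%d ack=%d len=%d" % (seg["from"], "/".join(seg["flags"]),
                                                  seg["seq"], seg["ack"], len(seg["payload"])))
```

Reading the printed trace next to Figures 6 and 10 shows the same arithmetic Wireshark displays with relative sequence numbers: the server's FIN is acknowledged with X+1, not N+1, and the data segment advances the acknowledgement by exactly its length.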
Selective Acknowledgment (SACK)
Selective Acknowledgment (SACK, RFC 2018) is an extension that lets the receiver tell the sender exactly which non-contiguous blocks of the byte stream it has received, rather than only the cumulative acknowledgement number. It is useful when traffic is heavy and several segments in one window are lost. With SACK, the sender does not have to resend every segment sent after the first lost one; it can selectively resend only the segments that were lost. Both sides must advertise the SACK-permitted option in their SYN segments for it to be used, which is visible in Wireshark's decoding of the handshake.
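The selective retransmission that SACK enables, as an added example that is not part of the original page: Python that parses the SACK option (kind 5) out of the raw TCP option bytes as they appear in the Options field of an acknowledgement, then computes which of the sender's outstanding segments must be resent, compared with the go-back-N behaviour a sender without SACK is limited to. The sequence numbers, the lost segments and the option bytes are constructed for the example.

```python
import struct


def parse_tcp_options(options: bytes) -> dict:
    """Walk the TCP option bytes: kind 0 = end of list, kind 1 = NOP (no length
    byte); every other option is kind, length, value. Returns the ones we need."""
    found = {"sack_permitted": False, "sack": [], "mss": None}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                               # end of option list
            break
        if kind == 1:                               # NOP padding
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2 or i + length > len(options):
            raise ValueError("malformed option at offset %d" % i)
        value = options[i + 2:i + length]
        if kind == 2:
            found["mss"] = struct.unpack("!H", value)[0]
        elif kind == 4:
            found["sack_permitted"] = True
        elif kind == 5:                             # pairs of (left edge, right edge)
            edges = struct.unpack("!%dI" % (len(value) // 4), value)
            found["sack"] = list(zip(edges[::2], edges[1::2]))
        i += length
    return found


def segments_to_retransmit(sent, cum_ack, sack_blocks):
    """sent: list of (seq, length) outstanding segments. A segment is needed
    again only if it is neither cumulatively acknowledged nor inside a SACK block."""
    missing = []
    for seq, length in sent:
        end = seq + length
        if end <= cum_ack:
            continue
        if any(left <= seq and end <= right for left, right in sack_blocks):
            continue
        missing.append((seq, length))
    return missing


def go_back_n(sent, cum_ack):
    """Without SACK the sender only knows the cumulative ACK: everything after
    it is in doubt and gets resent."""
    return [(seq, length) for seq, length in sent if seq + length > cum_ack]


# Constructed scenario: ten 1000-byte segments, of which the 3rd and 7th were lost.
SENT = [(1 + 1000 * i, 1000) for i in range(10)]
# The receiver's ACK carries cumulative ack 2001 plus a SACK option listing the
# two blocks it did receive, preceded by two NOPs as real stacks align it.
ACK_OPTIONS = (b"\x01\x01" + bytes([5, 18]) +
               struct.pack("!IIII", 3001, 6001, 7001, 10001))


def compare(sent=SENT, cum_ack=2001, options=ACK_OPTIONS):
    blocks = parse_tcp_options(options)["sack"]
    return {"sack": segments_to_retransmit(sent, cum_ack, blocks),
            "go_back_n": go_back_n(sent, cum_ack)}


if __name__ == "__main__":
    result = compare()
    print("with SACK   :", result["sack"])
    print("without SACK:", len(result["go_back_n"]), "segments")
```

The same option walker decodes the SYN options from the handshake, so it can confirm that both SYN segments carried SACK-permitted before any SACK blocks are expected in a capture; a malformed option length raises rather than reading past the buffer, which is the check a parser handling untrusted packets needs.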
The cable-disconnection experiment was done in three phases:
Disconnected for 13 sec
Disconnected for 50 sec
Disconnected for 100 sec
As seen on the packet capture screen below (please refer to the appendix), the cable was disconnected at 41.46001 sec (line 12390) and we have seen the SYN and SACK at 61.033812 sec (please refer to appendix figure 7).
After connecting the cable, as seen in the capture screen below, we can see the SYN and ACK at 61.076489 sec (line 12557).
Total time taken to recover from disconnection – 20 sec.