CIS-2151 Lab Assignment #7: HTTP Transaction

Reading: Chapter 20; section 20.5 in particular discusses how TCP handles network congestion.

In this lab you will continue experimenting with TCP connections. This time we will examine the transfer of a "real" application level protocol: HTTP.

As a convenience I previously captured the traffic between a web browser and a web server, storing the result in a "PCAP Next Generation" formatted capture file. The file is lab-07.pcapng. The client was at the IP address of 10.0.0.106 (on my home network), and the server was at the IP address of 24.196.82.226. The capture is of the web page http://www.ada-auth.org. Note that the web server is using the standard HTTP port of 80. The connection is not encrypted.

For this lab you can use tshark as you have been, but you can also install Wireshark on your personal system and open the capture file using that tool. This has the advantage of giving you a full graphical interface, which you might find more convenient. In fact, I recommend doing this. Note that using Wireshark to capture traffic on the VTC LAN is a violation of Policy 502. Only the wired networks in BLP-210 and CON-106 have exceptions to this policy.

Answer the following questions:

  1. Which frames contain the three-way handshake that starts the connection? How can you tell?

  2. What are the client-side and server-side ports used by this connection?

  3. In your captured data, do you see the connection being closed? How can you tell?

  4. Take a closer look at frame 4 (i.e., dissect it). This frame contains the client's GET command requesting a particular URL from the server. In addition to the GET command itself, the client includes a list of "Key: Value" pairs providing additional information to the server. What is that additional information? (Note that Wireshark decodes it for you under the "Hypertext Transfer Protocol" header below (i.e., inside of) the Transmission Control Protocol header.) You are now looking at the contents of the TCP segment and thus at a protocol higher in the network stack (HTTP is an application layer protocol).

  5. In frame 4 the client sends a list of character sets it will accept from the server (in "Accept-Charset"). The list is lengthy. What is the last character set in that list? Because the decoded version of Accept-Charset is truncated, you will have to look at the actual data in the packet to answer this question (that being the point!).

  6. Frame 5 contains the server's response to the client's GET request. Dissect that frame and record the response (it is short). What I'm looking for is the textual response of the server. It should be one line. You should see, among other things, the response code of 200, which means "success." Another response code you often see is 404, which means "failure: resource not found."

  7. Starting with frame 7 and going through frame 19, the server sends the requested content to the client. However, frame 19 is special, so for this question only consider up to frame 17. After each segment from the server, the client ACKs that segment. Check the sequence numbers and ACK numbers to make sure they are correct. Note that the server's ACK numbers don't change since the client isn't sending anything. You can use the relative sequence numbers computed by Wireshark for this question.

    Look at one (or more) of the segments being sent by the server to see chunks of the web page being transferred. Note that the server application is not aware of these chunks. It writes the page into the TCP connection, and it is the server-side TCP software that breaks the data into segments.

  8. Frame 19 contains the last portion of the web page, but Wireshark also uses that frame to reconstruct the entire transfer for you by gathering data from the previous frames into a single display. Expand the "[8 Reassembled TCP Segments...]" (recall that information inside [square brackets] is computed by Wireshark). There you can click on the individual chunks that made up the transfer and have them highlighted in the data pane.

    Expand the "Hypertext Transfer Protocol" header to see the decoded version of the server's HTTP response. In addition to the response code sent earlier (and shown here again as a convenience), you will see several "Key: Value" pairs containing additional information being returned to the client. What is the value associated with the "Content-type" key? Note that if the file being transferred was an image the content type would be something like "image/jpeg". What is it in this case? Which character set did the server select to use (it should be one of the character sets the client previously said was acceptable)?

    You can also expand the "Line-based text data" header and see the contents of the web page in a more natural way. Keep in mind that this is a reassembly of several previously transmitted segments.
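As an added illustration (not part of the lab or its capture file), the script below models the bookkeeping behind questions 7 and 8 on a constructed trace: it checks that each side's relative sequence and ACK numbers are consistent from one frame to the next, reassembles the server's segments in sequence order the way Wireshark's "[Reassembled TCP Segments]" does, and parses the status line and Content-Type header out of the result. The frame numbers, sequence numbers and payloads are constructed and are not those of lab-07.pcapng.

```python
from collections import namedtuple

# Constructed sample trace using Wireshark-style relative numbers.
# The client already sent a 311-byte GET, so its next seq is 312.
Segment = namedtuple("Segment", "frame src seq ack payload")
CLIENT, SERVER = "client", "server"

SEGMENTS = [
    Segment(5, SERVER, 1, 312, b"HTTP/1.1 200 OK\r\n"),                    # 17 bytes
    Segment(6, CLIENT, 312, 18, b""),                                       # pure ACK
    Segment(7, SERVER, 18, 312,
            b"Content-Type: text/html; charset=ISO-8859-1\r\n\r\n"),        # 47 bytes
    Segment(8, CLIENT, 312, 65, b""),
    Segment(9, SERVER, 65, 312, b"<html><body>Hello</body></html>"),        # 31 bytes
    Segment(10, CLIENT, 312, 96, b""),
]


def check_seq_ack(segments):
    """Return a list of bookkeeping problems (empty list means consistent).

    Each side's seq must equal the seq it used last plus the bytes it sent
    then; each ACK must equal the other side's next expected seq (cumulative ACK).
    """
    problems, next_seq = [], {}
    for s in segments:
        if s.src in next_seq and s.seq != next_seq[s.src]:
            problems.append(f"frame {s.frame}: seq {s.seq}, expected {next_seq[s.src]}")
        next_seq[s.src] = s.seq + len(s.payload)
        other = CLIENT if s.src == SERVER else SERVER
        if other in next_seq and s.ack != next_seq[other]:
            problems.append(f"frame {s.frame}: ack {s.ack}, expected {next_seq[other]}")
    return problems


def reassemble(segments, src):
    """Join one side's payloads in sequence order, as Wireshark does for frame 19."""
    data = sorted((s for s in segments if s.src == src and s.payload), key=lambda s: s.seq)
    return b"".join(s.payload for s in data)


def parse_response(raw):
    """Split an HTTP response into (status line, {lowercased key: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


# A trace with one wrong ACK, to show the checker catching it.
BAD_TRACE = [s._replace(ack=64) if s.frame == 8 else s for s in SEGMENTS]
```

Running `check_seq_ack` on the good trace returns an empty list, while `BAD_TRACE` reports frame 8 acknowledging 64 where 65 was expected; `parse_response(reassemble(SEGMENTS, SERVER))` yields the status line and the Content-Type value including the charset, the two things question 8 asks you to read off.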

In theory anyone on the path between the client and server could use a tool like Wireshark (or similar) to view the contents of the web pages you fetch, as well as the contents of any forms you submit (which would be in segments going from client to server). This is obviously a security and privacy concern. The particular page used in this lab contains only public information and no information from the client is required. Thus, in this case the security issue is moot.

In many real-world connections, however, immediately after the TCP handshake, the Transport Layer Security (TLS) protocol steps in, and the client and server negotiate cryptographic parameters. After that, the contents of all segments are encrypted and unintelligible to anyone other than the two endpoints. Note, however, that the IP and TCP headers are not encrypted in any case. The IP headers need to be read by the routers, and the TCP headers need to be read by the TCP software for processing sequence numbers, acknowledgements, and so forth.

Although not part of this lab, if you are curious take a look at this exchange between a web client and the www.vtc.edu web server using HTTPS (secure HTTP).

Submit a document to Canvas containing your answers to the questions above. Be sure to include your name in the file. This lab is worth 20 points.


Last Revised: 2023-03-09
© Copyright 2023 by Peter C. Chapin <pchapin@vtc.edu>