Lab Exercise 05 – Using Wireshark to Examine the Transport Layer
Objectives
Part 1: Use Wireshark to familiarize yourself with the TCP Protocol.
Part 2: Use Wireshark to familiarize yourself with the UDP Protocol.
Background / Scenario
To complete this Lab Exercise you must download the sample Wireshark Capture files from Blackboard. The filenames are http_witp_jpegs.cap and dns.cap. For your reference, these are sample capture files provided through the Wireshark Wiki: https://wiki.wireshark.org/SampleCaptures where many more interesting sample capture files are available.
These sample captures illustrate the role of the Transport Layer: how the port numbers, flags and other fields in the Layer 4 header are used to carry Application Layer data across the lower layers of the OSI model and deliver it to the right process on each host.
Required Resources
• 1 PC (Windows 7, 8, or 10 with internet access and Wireshark installed)
• Sample Capture Files.
Part 1: The TCP Protocol
In Part 1, you will examine the header fields and content in a TCP Segment (A Layer 4 PDU is called a segment). A Wireshark capture will be used to examine the contents in those fields.
The contents of this file were captured with Wireshark running on the client PC. The traffic has been filtered so that the file contains only the type of traffic we want to inspect.
Step 1: Open the capture file http_witp_jpegs.cap in Wireshark
The Wireshark window is split into three panes: the packet list at the top, the packet details in the middle and the raw packet bytes at the bottom. We will focus on the top pane, the packet list (its rows are colour-coded by protocol). Using your knowledge of the Transport Layer and with reference to this capture file, answer the following questions.
Using the numbers in the No. column on the left, which segments make up the three-way handshake (SYN, SYN-ACK, ACK)? Refer only to the first handshake you encounter.
_______________________________________________________________________________________
_______________________________________________________________________________________
What is/are the source port(s) (list all that you find)?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
What is/are the destination port(s) (list all that you find)? Which one appears most frequently?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
What Application Layer protocol is associated with the most frequent destination port number (the official list of port numbers is at https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt)? ____________
What RFC(s) is/are associated with this Application Layer Protocol (there are several RFCs that apply here, list one)? _________________________________
Step 2: From the Statistics Menu, select Conversations. When the Conversations window opens, select the TCP Tab.
How many Transport Layer Conversations/Sessions are there? _______________________________
The information in this view can be sorted by clicking on the column header. Try clicking on the headers (Address A, Port A, Address B, Port B, etc.) to see how this works.
Which computer, Address A or Address B, do you think is the client (hint: one side uses a well-known server port, the other uses ephemeral ports that change from conversation to conversation)? ___________________________
How Many different Servers is this client connecting to? ____________________________
Click on the column header “Bits/s B -> A” to sort by that column; the largest value (at the bottom or top, depending on the sort direction) should be 2867k. Click on that row so that the entire row is highlighted, then right-click it and select “Apply As Filter” from the menu, followed by “Selected” and “A<->B” from the sub-menus. It should look like this:
When you have selected “A<->B”, click Close to close the Conversations Window. You should be back at the main Wireshark screen with only the Filtered conversation displayed. The numbers on the left side should start at 275 and end at 483.
The displayed traffic represents a single complete TCP “conversation” between two hosts: a client and a server. Note the three-way handshake before any application data is exchanged.
What is the source port for this conversation? ________________________________________________
What is the destination port for this conversation? _____________________________________________
What is being requested by the client? ______________________________________________________
Reflection Question (no wrong answer, give it your best shot): Was the request successfully fulfilled? How might we know, based on this trace, if a problem has occurred?
_____________________________________________________________________________________
_____________________________________________________________________________________
Part 2: The UDP Protocol
In Part 2, you will examine the header fields and content in a UDP segment (recall that this lab calls every Layer 4 PDU a segment; RFC 768 itself calls the UDP PDU a datagram, and Wireshark labels the layer “User Datagram Protocol”). A Wireshark capture will be used to examine the contents of those fields.
The contents of this file were captured with Wireshark running on the client PC. The traffic has been filtered so that the file contains only the type of traffic we want to inspect.
Step 1: Open the capture file dns.cap in Wireshark.
As in Part 1, the window is split into three panes and we will focus on the top pane, the colour-coded packet list. Using your knowledge of the Transport Layer and with reference to this capture file, answer the following questions.
How do we begin communication between a client and a server when we use UDP?
_______________________________________________________________________________________
_______________________________________________________________________________________
What is/are the source port(s) (list all that you find)?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
What is/are the destination port(s) (list all that you find)? Which appears most frequently?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
What Application Layer protocol is associated with the most frequent destination port number? ____________
What RFC(s) is/are associated with this Application Layer Protocol? _________________________________
Step 2: From the Statistics Menu, select Conversations. When the Conversations window opens, select the UDP Tab.
How many Transport Layer Conversations/Sessions are there? _______________________________
In the context of UDP, what does a “session” mean (remember, UDP does not build a session before communicating, so what do these rows represent)? ____________________________________________
_____________________________________________________________________________________
Which computer, Address A or Address B, do you think is the client? ______________________________
How many different client addresses are there in this capture? ___________________________________
How many different server addresses are there in this capture? ___________________________________
Click on the column header “Packets” to sort by that column; the largest value (at the bottom or top, depending on the sort direction) should be 24. Click on that row so that the entire row is highlighted, then right-click it and select “Apply As Filter” from the menu, followed by “Selected” and “A<->B” from the sub-menus. It should look like this:
When you have selected “A<->B”, click Close to close the Conversations Window. You should be back at the main Wireshark screen with only the Filtered conversation displayed. The numbers on the left side should start at 1 and end at 24.
What is the source port for this conversation? ________________________________________________
What is the destination port for this conversation? _____________________________________________
Although UDP does not establish a session and maintain a connection the way TCP does, Wireshark still groups these datagrams into a “conversation” because the application keeps using the same pair of addresses and port numbers in both directions. How might this be useful when managing or troubleshooting the application or our network connectivity?
_____________________________________________________________________________________
_____________________________________________________________________________________
Reflection Question (no wrong answer, give it your best shot): What other information available in this view might be useful for managing or troubleshooting applications?
_____________________________________________________________________________________
_____________________________________________________________________________________
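The handshake, port and conversation questions in Part 1 (Steps 1 and 2) and the UDP conversation questions in Part 2 (Step 2) can also be answered programmatically, which is a useful cross-check when a capture is too large to read by hand. The following is an added example written for this page, not code from the lab, the course or the Wireshark project: it parses a classic libpcap file with only the Python standard library, reports the frame numbers of every completed three-way handshake, tallies conversations the way the Conversations window does (Address A is whichever side spoke first), and counts destination ports. The real capture files are not embedded here, so the block builds a small constructed capture inline; the client 192.168.1.10, web server 10.0.0.5 and resolver 8.8.8.8 are made up. Pass the bytes of http_witp_jpegs.cap or dns.cap to the same functions to run it on the real files. The handshake matcher assumes the three segments appear in order and does not verify sequence numbers.

```python
"""Added example, not part of the lab handout: parse a classic libpcap file with the
standard library only, find TCP three-way handshakes by frame number, and tally
transport-layer conversations the way Statistics > Conversations does."""
import struct
from collections import Counter

SYN, ACK, PSH = 0x02, 0x10, 0x08                     # TCP flag bits

def read_pcap(data):
    """Yield (frame_no, frame_bytes); frame_no is 1-based like Wireshark's No. column."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic libpcap capture (pcapng is not handled)")
    off, no = 24, 1                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]   # captured length
        yield no, data[off + 16:off + 16 + incl]
        off, no = off + 16 + incl, no + 1

def parse_frame(frame):
    """Decode Ethernet/IPv4/{TCP,UDP} into (proto, src, dst, sport, dport, tcp_flags) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    l4 = frame[14 + ihl:]
    if proto not in (6, 17) or len(l4) < 8:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    flags = l4[13] if proto == 6 else None            # byte 13 of the TCP header holds the flags
    return ("tcp" if proto == 6 else "udp", src, dst, sport, dport, flags)

def find_handshakes(pcap):
    """Return [(syn_no, synack_no, ack_no), ...] for each completed three-way handshake."""
    pending, done = {}, []                            # (client, cport, server, sport) -> [syn_no, synack_no]
    for no, frame in read_pcap(pcap):
        p = parse_frame(frame)
        if not p or p[0] != "tcp":
            continue
        _, src, dst, sport, dport, flags = p
        key, syn = (src, sport, dst, dport), bool(flags & SYN)
        if syn and not flags & ACK:                   # step 1: client SYN
            pending[key] = [no, None]
        elif syn:                                     # step 2: server SYN-ACK, looked up from the client's side
            st = pending.get((dst, dport, src, sport))
            if st and st[1] is None:
                st[1] = no
        elif flags & ACK and key in pending and pending[key][1] is not None:   # step 3: client ACK
            done.append((*pending.pop(key), no))
    return done

def conversations(pcap):
    """Packets and bytes per conversation; Address A is the endpoint that sent the first packet."""
    table = {}
    for no, frame in read_pcap(pcap):
        p = parse_frame(frame)
        if not p:
            continue
        proto, src, dst, sport, dport, _ = p
        rev = (proto, dst, dport, src, sport)
        if rev in table:                              # B -> A direction
            row, col = table[rev], "bytes_b_to_a"
        else:                                         # A -> B direction, creating the row on first sight
            row = table.setdefault((proto, src, sport, dst, dport),
                                   {"packets": 0, "bytes_a_to_b": 0, "bytes_b_to_a": 0, "first": no, "last": no})
            col = "bytes_a_to_b"
        row["packets"], row[col], row["last"] = row["packets"] + 1, row[col] + len(frame), no
    return table

def destination_ports(pcap, proto):
    """Counter of destination ports for one transport protocol (the 'most frequent port' question)."""
    return Counter(p[4] for _, f in read_pcap(pcap) for p in [parse_frame(f)] if p and p[0] == proto)

# Constructed sample capture standing in for http_witp_jpegs.cap / dns.cap, which are not embedded here.
def _ip(src, dst, proto, l4):
    a, b = (bytes(map(int, x.split("."))) for x in (src, dst))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, a, b)
    return b"\x00" * 12 + b"\x08\x00" + hdr + l4      # zero MACs, EtherType 0x0800; checksums left 0

def _tcp(src, dst, sport, dport, flags, payload=b""):
    return _ip(src, dst, 6, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0) + payload)

def _udp(src, dst, sport, dport, payload):
    return _ip(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)

def build_pcap(frames):                               # little-endian libpcap, LINKTYPE_ETHERNET
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

C, S, R = "192.168.1.10", "10.0.0.5", "8.8.8.8"     # constructed client, web server, DNS resolver
SAMPLE = build_pcap([
    _tcp(C, S, 3009, 80, SYN), _tcp(S, C, 80, 3009, SYN | ACK), _tcp(C, S, 3009, 80, ACK),      # 1-3: handshake
    _tcp(C, S, 3009, 80, PSH | ACK, b"GET /a.jpg HTTP/1.1\r\n\r\n"),                             # 4: request
    _tcp(S, C, 80, 3009, PSH | ACK, b"HTTP/1.1 200 OK\r\n\r\n"),                                 # 5: response
    _tcp(C, S, 3010, 80, SYN), _tcp(S, C, 80, 3010, SYN | ACK), _tcp(C, S, 3010, 80, ACK),      # 6-8: 2nd handshake
    _udp(C, R, 33000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),                                    # 9: DNS query
    _udp(R, C, 53, 33000, b"\x12\x34\x81\x80" + b"\x00" * 8),                                    # 10: DNS reply
    _udp(C, R, 33001, 53, b"\x12\x35\x01\x00" + b"\x00" * 8),                                    # 11: unanswered query
])

if __name__ == "__main__":
    print(find_handshakes(SAMPLE), destination_ports(SAMPLE, "tcp").most_common(1), conversations(SAMPLE), sep="\n")
```

Inside Wireshark the same questions map onto display filters: `tcp.flags.syn == 1 && tcp.flags.ack == 0` lists every initial SYN, and `tcp.stream eq 0` or `udp.stream eq 0` isolates a single conversation exactly as the A<->B filter does. The command-line companion `tshark -r dns.cap -q -z conv,udp` prints the Conversations table without opening the GUI. A UDP row with packets in only one direction, like frame 11 in the constructed capture, is the UDP analogue of the troubleshooting signal the Part 1 reflection question asks about: a request that never received a reply.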
Reflection
The middle pane of the three in Wireshark (the packet details) presents a decode of each protocol layer in the selected frame. Select any row in the top pane and then view the information at each layer of the OSI model in the middle pane, from the Ethernet frame down through IP and the Transport Layer header to the application data. What does this decode tell you about how the layers of the OSI model relate to each other?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________



