
TCP-Lab Manual

Uploaded by

Ketan Shukla

Transmission Control Protocol (TCP)

© 2021 C-DAC, Hyderabad
Table of Contents
Objective
Prerequisites
Problem Statement/Case
Summary
Fundamental concepts
Template for each step
Step-1: Capture the real time network traffic using Wireshark
    Open Wireshark Application
    Select the network interface
    Browse a Website
    Save Network Traffic
Step-2: Following TCP Stream
    Filter tcp traffic
    Follow TCP Stream
Step-3: Analyze TCP Header
    Analyze TCP SYN Traffic
    Analyze TCP SYN, ACK Traffic
    Analyze TCP ACK Traffic
References

1. Objective

Understanding the structure of TCP packets using Packet Analyzer tools.

2. Prerequisites

Prerequisites Version

Tools required Wireshark

Operating System Linux/ Windows 10

3. Problem Statement/Case

The objective of this lab is to understand TCP and analyze TCP network traffic.
Analyzing a TCP session helps identify potential network problems, because TCP
maintains state for each connection.

4. Summary

Steps    Description

Step-1   1. Capture the real time network traffic using Wireshark
            a. Open Wireshark
            b. Select the network interface
            c. Browse a Website
            d. Save Network Traffic

Step-2   2. Follow TCP Stream
            a. Filter tcp traffic
            b. Follow TCP Stream

Step-3   3. Analyze TCP Header
            a. Analyze TCP SYN Traffic
            b. Analyze TCP SYN, ACK Traffic
            c. Analyze TCP ACK Traffic
            d. Analyze TCP FIN ACK Traffic
            e. Analyze TCP ACK Traffic

5. Fundamental concepts

Introduction of TCP:

TCP stands for Transmission Control Protocol. TCP is a fourth-layer (transport layer)
protocol in the OSI Reference Model and the main protocol in the TCP/IP protocol suite.
It is a connection-oriented and reliable protocol.

TCP Header format:

TCP establishes a connection between the source and destination hosts before
sending actual data segments. After connection establishment, the data is
transferred in both directions. It uses a three-way handshake procedure for
connection establishment. Three-way handshake is the method used to establish
and tear down the connection between the systems. It occurs in these 3 steps:

1. Connection Establishment

2. Data Transfer
After exchanging the messages between the two hosts the data is transferred
between them.

3. Connection Termination
After the completion of data transfer between the two hosts, the two hosts
will terminate the connection by exchanging the FIN and ACK packets.

6. Template for each step

1. Step-1: Capture the real time network traffic using Wireshark


a. Open Wireshark Application
To open Wireshark, go to the top left corner and click on the icon to open the list of
available tools.

Then type wireshark in the search bar and click on the launch button.

b. Select the network interface

Select the eth0 interface to start capturing the data and click on this option to
capture the N packets. This screen is shown below.

Once you click on the capture button, packet capturing will start. The packet
capturing screen is shown below.

c. Browse a Website
To open the browser, go to the top left corner, click on the “Application” icon to
open the list of available tools, and select the web browser.

Browse any website in the web browser, for instance www.cdac.in.

d. Save Network Traffic

Before saving Network traffic, stop the Wireshark packet capturing by selecting
the symbol

To save the captured network packets, go to the top left corner and click on
“File” followed by “save”.

Give your file any name. Here we have used Traffic1, as shown below:

Now select the extension as pcap by clicking on the drop down beside the “save as”.
Choose the “wireshark/tcpdump- pcap” option and click on the “save” button.

2. Step-2: Following TCP Stream
a. Filter tcp traffic

Analyse the TCP packets using the Filter box. Type “tcp” in the Filter box to get all
the TCP packets.

b. Follow TCP Stream

To view one complete TCP three-way handshake connection, right click on any
green-colored traffic and select “Follow”. Choose “TCP Stream” as given below:

A window will open. Click on the close button.

Result after using TCP stream is given below:

3. Step 3: Analyze TCP Header
a. Analyze TCP SYN Traffic

Try to observe the TCP SYN traffic captured in the Wireshark packet list pane. Type
tcp.port == 80 in the Filter box and press Enter.

Right click on the first SYN packet, select Follow and then click on TCP Stream.
Click on the Close button. The screen below will be visible.

Expand Transmission Control Protocol to view the further details and observe the
following:
● Observe the Source port. Notice that it is a dynamic port selected for this
connection.
● Observe the Destination port. Notice that it should be 80.
● Observe the Sequence number. Notice that it is 0 (relative sequence number). To
see the actual sequence number, select the Sequence number to highlight the
sequence number in the bottom Wireshark bytes pane.

Expand Flags to view flag details. Observe the flag settings. Notice that SYN is set,
indicating the first segment in the TCP three-way handshake.

b. Analyze TCP SYN, ACK Traffic

Click on the SYN, ACK packet and start analyzing TCP SYN, ACK Traffic.

Expand Transmission Control Protocol to view TCP details.


● Observe the Source port. Notice that it will be 80.

● Observe the Destination port. Notice that it is the same dynamic port selected for
this connection.
● Observe the Sequence number. Notice that it is 0 (relative sequence number). To
see the actual sequence number, select Sequence number to highlight the
sequence number in the bottom Wireshark bytes pane.
● Observe the Acknowledgement number. Notice that it is 1 (relative ack number).
To see the actual acknowledgement number, select Acknowledgement number to
highlight the acknowledgement number in the bottom pane. Notice that the
actual acknowledgement number is one greater than the sequence number in the
previous segment.

Expand Flags to view flag details. Observe the flag settings. Notice that SYN and ACK are
set, indicating the second segment in the TCP three-way handshake.

c. Analyze TCP ACK Traffic

Click on the ACK packet and start analyzing TCP ACK Traffic.

Expand Transmission Control Protocol to view TCP details.
● Observe the Source port. Notice that it is the same dynamic port selected for this
connection.
● Observe the Destination port. Notice that it should be 80.
● Observe the Sequence number. Notice that it is 2 (relative sequence number).
● Observe the Acknowledgement number. Notice that it is 2 (relative ack number).

Expand Flags to view flag details. Observe the flag settings. Notice that ACK is set,
indicating the third segment in the TCP teardown handshake. The client has
acknowledged the server closing the TCP connection.

d. Analyze TCP FIN ACK Traffic

Click on the FIN, ACK packet and start analyzing TCP FIN, ACK Traffic.

Expand Transmission Control Protocol to view TCP details.


● Observe the Source port. Notice that it should be 80.
● Observe the Destination port. Notice that it is the same dynamic port selected for
this connection.
● Observe the Sequence number. Notice that it is 1 (relative sequence number).
● Observe the Acknowledgement number. Notice that it is 2 (relative ack number).

Expand Flags to view flag details. Observe the flag settings. Notice that FIN and ACK are
set, indicating the second segment in the TCP three-way handshake. The server has
indicated it is closing the TCP connection with the client.

e. Analyze TCP ACK Traffic

Click on the ACK packet and start analyzing TCP ACK Traffic.

Expand Transmission Control Protocol to view TCP details.


● Observe the Source port. Notice that it is the same dynamic port selected for this
connection.
● Observe the Destination port. Notice that it must be 80.
● Observe the Sequence number. Notice that it is 2 (relative sequence number).
● Observe the Acknowledgement number. Notice that it is 2 (relative ack number).

Expand Flags to view flag details. Observe the flag settings. Notice that ACK is set,
indicating the third segment in the TCP teardown handshake. The client has
acknowledged the server closing the TCP connection.

Observed Output:
In this lab we have observed and analyzed the TCP header of the captured packets.

Lab Exercise:
Fill in the values based on the above output.

Worksheet: TCP segment

Fields    Values    Hex/Decimal Code

Source Port number

Destination Port number

Sequence number

Acknowledgement number

Header Length

Flags

Window size

Checksum

Options
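
The worksheet fields above, and the relative versus actual sequence and acknowledgement numbers described in Step 3, can be decoded directly from the raw header bytes. The following is an added example, not part of the original lab manual; the ports, initial sequence numbers, helper names and sample segments are constructed for illustration, and the per-port bookkeeping assumes a single connection.

```python
import struct

# Flag bits in the low byte of the offset/flags word, bit 0 first.
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the worksheet fields from the start of a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, _urgent = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4  # data offset counts 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid data offset")
    flags = [name for bit, name in enumerate(FLAG_NAMES) if off_flags & (1 << bit)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags, "window": window,
            "checksum": checksum, "options": segment[20:header_len]}

def relative_numbers(segments):
    """Return (flags, relative seq, relative ack) for one connection's segments."""
    isn = {}  # first sequence number seen from each side, keyed by source port
    rows = []
    for raw in segments:
        h = parse_tcp_header(raw)
        isn.setdefault(h["sport"], h["seq"])
        rel_seq = (h["seq"] - isn[h["sport"]]) % 2**32  # sequence space wraps at 2^32
        rel_ack = 0
        if "ACK" in h["flags"] and h["dport"] in isn:
            rel_ack = (h["ack"] - isn[h["dport"]]) % 2**32
        rows.append((h["flags"], rel_seq, rel_ack))
    return rows

def build_segment(sport, dport, seq, ack, flags):
    """Constructed sample: 20-byte header, no options, checksum left at 0."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 64240, 0, 0)

# Constructed three-way handshake between client port 49152 and server port 80.
CLIENT_ISN, SERVER_ISN = 0x12345678, 0x9ABCDEF0
HANDSHAKE = [
    build_segment(49152, 80, CLIENT_ISN, 0, 0x02),                   # SYN
    build_segment(80, 49152, SERVER_ISN, CLIENT_ISN + 1, 0x12),      # SYN, ACK
    build_segment(49152, 80, CLIENT_ISN + 1, SERVER_ISN + 1, 0x10),  # ACK
]

if __name__ == "__main__":
    for flags, rel_seq, rel_ack in relative_numbers(HANDSHAKE):
        print(f"{'/'.join(flags):8} seq={rel_seq} ack={rel_ack}")
```

The relative numbers are the actual 32-bit values minus each side's initial sequence number, which is why the SYN and the SYN, ACK both show sequence number 0 in the packet list while the bytes pane shows the full value.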

7. References
● https://www.wireshark.org/
