4.1 Fill in the Table#

• First, capture the data during the wget download. The operation is as follows:

• Open the cap file with Wireshark and filter for the TCP protocol. The result is as follows:

• Based on the captured packets, analyze the TCP segment structure and fill the table with the field names, field lengths, field values, and meanings in the TCP protocol:

• Based on the analysis results, what parts does the TCP segment structure consist of and what are their functions?

TCP segments can generally be divided into:

1. Port numbers: used to identify different application processes on the same computer.

1.1 Source port: The source port, together with the IP address, serves to identify the return address of the packet.

1.2 Destination port: The port specifies the application program interface on the receiving computer.

The source port and destination port in the TCP header, together with the source IP and destination IP in the IP datagram, uniquely determine a TCP connection.

2. Sequence number and acknowledgment number: They are key parts of TCP’s reliable transmission. The sequence number is the sequence number of the first byte of data in this segment, ensuring the ordered delivery of TCP transmission. The acknowledgment number, i.e., ACK, indicates the next byte sequence number expected to be received, showing that all data prior to that sequence has been correctly received.

3. Data offset/header length: 4 bits. Since the header may contain optional content, the length of the TCP header is not fixed; it actually indicates the starting offset of the data region within the segment.

4. Reserved: Reserved for future use, currently set to 0.

5. Flags: URG ACK PSH RST SYN FIN, six in total, each flag represents a control function.

5.1 URG: Urgent pointer flag; when 1, the urgent pointer is valid; when 0, the urgent pointer is ignored.

5.2 ACK: Acknowledgment flag; when 1, the acknowledge number is valid; when 0, the segment does not contain acknowledgment information, and the acknowledgment number field is ignored.

5.3 PSH: Push flag; when 1, this indicates data to be pushed to the receiving application immediately, rather than queued in the buffer.

5.4 RST: Reset connection flag; used to reset a connection that has encountered errors due to host crashes or other reasons, or to reject illegal segments and connection requests.

5.5 SYN: Synchronization sequence; used to establish a connection. In a connection request, SYN=1 and ACK=0 indicate that the segment does not carry a bundled acknowledgment, and the connection response carries an acknowledgment, i.e., SYN=1 and ACK=1.

5.6 FIN: Finish flag; used to release the connection. When 1, it indicates the sender has no more data to send, i.e., the sender’s data stream is closed.

1. Window: Sliding window size, used to inform the sender of the receiver’s buffer size, thereby controlling the rate at which the sender transmits data and achieving flow control.
2. Checksum: Parity-like checksum; this checksum is computed over the entire TCP segment, including the TCP header and data, using 16-bit words. It is calculated and stored by the sender and verified by the receiver.
3. Urgent pointer: Only valid when the URG flag is set to 1. The TCP urgent mechanism is a way for the sender to transmit urgent data to the other end.
4. Data portion: The transmitted information.

4.2 Analyze the Three-Way Handshake#

• Analyze the flags and sequence numbers of the handshake

First handshake: The client sends to the server a segment with the SYN flag set and Seq=0 (x), requesting to establish a connection with the server.

Second handshake: The server responds to the client with SYN and ACK, Seq=0 (y), ACK=1 (x+1).

Third handshake: The client, upon receiving the server’s SYN segment, responds with ACK=1 (y+1) and the ACK flag set.

4.3 Analyze the Four-Way Handshake for Releasing a Connection#

• Analyze the message flags and sequence numbers

First handshake: The client sends FIN to the server, Seq=166, Ack=7725

Second handshake: The server responds with ACK, Seq=7725, Ack=167

Third handshake: The server sends FIN, Seq=7725, Ack=167

Fourth handshake: The client responds with ACK to the server, Seq=167, Ack=7726

• Why Wireshark captured only four segments

From the figure, we can see that at this time there are only three FIN/ACK sequences. This is because TCP is a full-duplex communication, and when the client has no more data to send to the server, it can send a FIN signal to inform the server that its data transmission has ended. However, at this moment the server may still send data to the client. Therefore, the termination of data transfer on both ends may occur independently and may be separated by a relatively long time, requiring at least 2+2=4 uses of the handshake to completely terminate the connection. But if the server, after receiving the client’s FIN, has no more data to send to the client, then the client’s ACK and the server’s own FIN can be combined into a single packet, allowing the four-way handshake to reduce to three.

5.1 Problems and Solutions#

The problem: When using Xftp to connect to the server, a connection error occurred. The solution: After switching to the campus network, the connection returned to normal. Troubleshooting revealed that the cause was the server firewall.

5.2 Reflections#

• This experiment familiarized me with the operation of code and software during IP protocol analysis, as well as the analysis and extraction of TCP segments, providing evidence for the knowledge learned in class. Through this experiment, I mastered the concrete workflow of using the wget command, learned the basic usage of commonly used IP protocol analysis software, and improved my programming ability.
• Through these common IP protocol analysis commands, tracking and analyzing IP protocol usage, and analyzing the structure of TCP segments, I have reinforced the knowledge taught in class.