Assignment 4
CSCI 470: Complete Exercise One Only
CSCI 570: Complete both exercise One and two.
1) Exercise One
Open Wireshark, then use the File menu and the Open command to open the file Exercise One.pcap. You should see 26 packets listed.
This set of packets describes a conversation between a user's client and a central server. This entire conversation happens automatically, after a user types something and hits enter. Look at the packets to answer the following questions in relation to this conversation.
In answering the following questions, use brief descriptions. For example, "In frame X, the client requests a web page, and in frame Y, the server delivers the content of the page."
a) What is the IP address of the client that initiates the conversation?
a) Use the first two packets to identify the server that is going to be contacted. List the common name, and three IP addresses that can be used for the server.
b) What is happening in frames 3, 4, and 5?
c) What is happening in frames 6 and 7?
d) Ignore frame eight. However, for your information, frame eight is used to manage flow control.
e) What is happening in frames nine and ten? How are these two frames related?
f) What happens in packet 11?
g) After the initial set of packets is received, the client sends out a new request in packet 12. This occurs automatically without any action by the user. Why does this occur? See the first hint to the left.
h) What is occurring in packets 13 through 22?
i) Explain what happens in packets 23 through 26. See the second hint to the left.
j) In one sentence describe what the user was doing (Reading email? Accessing a web page? FTP? Other?).
2) Exercise Two
Open Wireshark, then use the File menu and the Open command to open the file Exercise Two.pcap. You should see 176 packets listed.
a) In the first few packets, the client machine is looking up the common name (cname) of a web site to find its IP address. What is the cname of this web site? Give two IP addresses for this web site.
b) How many packets/frames does it take to receive the web page (the answer to the first HTTP GET request only)?
c) Does this web site use gzip to compress its data for sending? Does it write cookies? In order to answer these questions, look under the payload for the reassembled packet that represents the web page. This will be the last packet from question b above. Look to see if it has Content-Encoding set to gzip, and to see if it has a Set-Cookie to write a cookie.
d) What is happening in packets 26 and 27? Does every component of a web page have to come from the same server? See the hint to the left.
e) In packet 37 we see another DNS query, this time for us.i1.yimg.com. Why does the client need to ask for this IP address? Didn't we just get this address in packet 26? (This is a trick question; carefully compare the two common names in packet 26 and 37.)
f) In packet 42 we see an HTTP GET statement, and in packet 48 a new HTTP GET statement. Why didn't the system need another DNS request before the second GET statement? Click on packet 42 and look in the middle window. Expand the line titled "Hypertext Transfer Protocol" and read the "Host:" line. Compare that line to the "Host:" line for packet 48.
g) Examine packet 139. It is one segment of a PDU that is reassembled with several other segments in packet 160. Look at packets 141, 142, and 143. Are these three packets also part of packet 160? What happens if a set of packets that are supposed to be reassembled do not arrive in a continuous stream or do not arrive in the proper order?
h) Return to examine frames 141 and 142. Both of these are graphics (GIF files) from the same source IP address. How does the client know which graphic to match up to each GET statement? Hint: Click on each and look in the middle window for the heading line that starts with "Transmission Control Protocol". What difference do you see in the heading lines for the two files? Return to the original GET statements. Can you see the same difference in the GET statements?
