This document provides instructions for an assignment using Wireshark to analyze TCP and HTTP traffic. Students are asked to capture network traffic from their own computer, including an HTTP request to a specific URL. They then analyze the captured packets to identify the HTTP requests and responses, TCP segments, and answer questions about the role of each requested file. The tasks are designed to help students learn about network protocols like TCP and HTTP through practical analysis of real network traffic data.

1. Instructor:Dr. Shaji Khan(shajikhan@umsl.eduor314-489-9733)
Page 1 of 6
INFSYS 3842/6836
Assignment 4 (Lab): Understanding TCP and HTTP using Wireshark
Points Possible: 100
Due Date: December 12, 2016 by 11:59pm Central Time
IMPORTANT NOTE: THIS LAB MUST BE CARRIED OUT ON YOUR OWNCOMPUTER AND OWN
NETWORK. PLEASE DO NOT CAPTURE PACKETS ON A NETWORK THAT YOU DO NOT OWN.YOU’VE
BEEN WARNED!
Lab Overview:We’ll continueexploring “layersof functionality”providedbydifferentprotocols and
understandingsyntax of majorprotocol dataunits. Inthislabwe will focuson TransmissionControl
Protocol (TCP) andHyperText TransferProtocol (HTTP)
Lab Purpose:
1) To continue learningthe basicsof how touse Wiresharkto capture networktraffic(from
students’owncomputersandownnetworks)
2) To learnaboutbasic “Capture Filters” available inWireshark
3) To understandHTTP requestsandresponses
4) Understandthe syntax of TCP segmentheader.
Lab Tasks: This labhas twotasks withfourquestionseachfora total of 8 questions.
TASK 1: (This task has four questions)
In thistaskyou will use Wiresharktocapture basicHTTP trafficand complete the activitiesand
questionsasdescribedbelow.
STEPS:
1) OpenWiresharkandidentifythe interface youwill capture trafficfrom(WirelessorEthernetLAN)
2) Close all browserwindows and other applications.
3) Opena browserwindowandtype in http://www.umsl.edu/~khanshaj/3842/.DONOT
PressEnteryet.
4) Go back to Wiresharkand Start a capture.
5) Go back to the browserwindowandnow hitenterto visitthe page.
6) Once the page loads, close the browser window
7) Returnto Wiresharkand Stop the capture. Save the capture on your computer. Call it
“FirstName_LastName_Assignment4_Capture”.
8) Examine the packetscapturedandscroll to find“greencoloredrows”thatdenote “TCP”based
traffic.Notice the Three-stephandshakeandthe HTTPrequestsand data responsesfromthe server,
acknowledgements,andfourstepclosing.
9) In the filterbox type in“http”to filterall httprelatedpackets.Alsotry“tcp or http”to
simultaneouslysee both TCP andHTTP packetsand filteroutthe rest.

2. Instructor:Dr. Shaji Khan(shajikhan@umsl.eduor314-489-9733)
Page 2 of 6
LAB Question1: Whenyou requestedthe page atthe http://www.umsl.edu/~khanshaj/3842/ URL,
how many requestsdidyour browsersendtothe server? [Tip:Type in“http” inthe filterbox toonly
see httprelatedpacketssothat youcan easilycountthe requests]
There are 8 packets.There are 4 GET requestsfromthe computertothe serverand4 OK
responsesfromthe serverbacktothe computer.
LAB Question2: For each of the requests,please provide the a) FILENAMEandFILE Extension,b) aBrief
Descriptionof the file beingrequested,c) the type of HTTP Request(get,post,etc.See:
http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods formore informationon
differenttypesof HTTPRequestMethods).
HTTP 1: GET Request/~khanshaj/3842/HTTP/1.1; index.html (text/html)
HTTP 2: GET Request/~khanshaj/3842/style.cssHTTP/1.1;(text/css)
HTTP 3: GET Request/~khanshaj/3842/images/umsl_business_is_pngHTTP/1.1 ; (image/png)
HTTP 4: GET Request/favicon.icoHTTP/1.1; (image/vnd.microsoft.icon)
LAB Question3: How many serverRESPONSESwere receivedbyyourmachine?Examine the response
packetscarefullyforeachof the responses.Identifythe followingforeachresponse:
a) The HTTP “StatusCode”and itsmeaning
a. All 4 responsessaid:HTTP/1.1200 OK whichmeansnoerror infulfilling request
b) ContentType
a. (text/html),(text/css),(image/png),(image/vnd.microsoft.icon)
LAB Question4: Explainclearly,whythe browserhadtomake that manyrequestswhenall youwanted
to do wasviewthe page at http://www.umsl.edu/~khanshaj/3842/. Please discussthe role of each
“resource” beingrequested(forexample,whywas the “style.css” file requestedetc.).
The webpage beingrequestedhadtomake fourdifferentobjectrequestandfourdifferent
responsestobe able toobtainthe page. There are fourdifferentmediafilescalled:(text/html),
(text/css),(image/png),and(image/vnd.microsoft.icon).
TASK 2: (This task has four questions)
FINDTHE PACKETthat belongstothe first HTTP REQUEST message (for/~khanshaj/3842/). See picture
below.

3. Instructor:Dr. Shaji Khan(shajikhan@umsl.eduor314-489-9733)
Page 3 of 6
10) Withthe above GET requestpacket selected(it shouldremainhighlighted),please complete the
rest of thislab

4. Instructor:Dr. Shaji Khan(shajikhan@umsl.eduor314-489-9733)
Page 4 of 6
LAB Question5: Using the packetassociatedwiththe GET requestasmentionedabove,pleasecomplete the followingfieldsinthe TCPsegment
headerbelow.The ideahere istolearnaboutthe differentfieldsandwhattheyaccomplish. NOTE:Althoughthe fieldvaluesare alwaysinbinary
(as seeninthe bottommostsectionof yourcapture) please feel freetoprovide the valuesastheyappearinthe MIDDLE part (i.e.eitherdecimal
or hex as the case maybe). Type inyourvaluesinthe “Grey”shadedareasimmediatelybeloweachfield.
[Hint: please visithttp://en.wikipedia.org/wiki/Transmission_Control_Protocol tolearn more about TCP and lookfor the section“Segment
Structure” to betterunderstand what each of the fieldsbelowmean]
TCP Header
OffsetOctet 0 1 2 3
Octet Bit 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
0 0 Source Port Number Destination Port Number
61957 80
4 32
Sequence Number
(relative sequence number is fine)
1965
8 64
Acknowledgement Number (if ACK bit is set)
(relative ACK number is fine)
19560
12 96 Data offset
Reserved
NS
CWR
ECE
URG
ACK
PSH
RST
SYN
FIN
Window Size
0 0 0
12 96 32 bytes 0 0 0 0 1 1 0 0 0 61
16 128 Checksum Urgent pointer (if URG is set)
0x67c1 0
20
…
160
…
Options (if Data offset value is > 5)
… (options could be up to 40 bytes, making the TCP header anywhere from 20 bytes minimum to 60 bytes maximum)
[Note: TCP header padding is used to ensure that the TCP header ends and data begins on a 32 bit boundary. The padding is
composed of zeros.)

5. Instructor:Dr. Shaji Khan(shajikhan@umsl.eduor314-489-9733)
Page 5 of 6
LAB Question6: For each of the TCP segmentheaderfieldsyoucompletedabove,please briefly
describe itspurpose/meaning. Whenpossible,pleaseanswerthisquestionbothingeneralaswell asin
particularto the segmentyouare currentlyexamining. Forexample, destinationportspecifies the
receiving portwhich in the currentpacketis port80. Since this is a GET request,it is sent to port80 on
the serverside which is the well-known portserversuseforlistening to HTTP traffic)
[Hint:A goodreadingof the above linkand understandingthe segmentstructure willhelpwith
thistask.The answersare givenonthe linkabove buttry to actuallyunderstandwhateachfield
does]
Source Port Number: this is the assigned number that identifies the sending port
Destination Port Number: this is the assigned number that identifies the destination port
Sequence Number: This is 32 bits and has a dual role- if SYN flag is set (1) then this is the initial
sequence number. Sequence number of the actual first data byte and the acknowledged
number in the corresponding ACK are then this same sequence plus 1. - if the SYN flag is clear
(0) then this is the accumulated sequence number of the first data byte of the segment for the
current session.
Acknowledgement Number: This is 32 bits and if ACK is flagged then the value of the field is the
next sequence number of the first data byte of this segment that the sender is expecting. If there
are any bytes this recognizes (or acknowledges) the receipt of all prior bytes. The first ACK sent
by each end does acknowledge the other ends initial sequence number itself but no data is
there.
Data offset: This is 4 bits and does specify the size of the TCP header in 32-bit
words. Minimum size header is 5 words and the maximum is 15 words thus giving 20 bytes
minimum to 60-bytes maximum allowing for up to 40 bytes of options in the header. This field is
also the offset from the start of the TCP segment to the actual data.
NS: A 1-bit flag that is the ECN-nonce concealment protection.
CWR: A 1-bit flag known as Congestion Window Reduced which is set by sending the host to
indicate that it received a TCP segment with the ECE flag set and had responded in congestion
control mechanism. This is added to header by RFC 3168.
ECE: A 1-bit flag that is the ECN-Echo which has a dual role depending on the value of SYN
flag. It indicates -if the flag is set to 1 that the TCP peer is ECN capable, -if the flag is set to 0
(clear) that a packet with congestion experienced flag set (ECN = 11) in IP Header received
during normal transmission which is added to the header by RFC 3168. Does serve as an
indication of network congestion to the TCP sender.
URG: A 1-bit field which indicates that the urgent pointer field is significant.
ACK: A 1-bit field that indicates that the acknowledgement field is significant which means that
all packets after the initial SYN packet sent by the client should have this flag set.
PSH: A 1-bit field which is a Push Function. This asks to push the buffered data to the receiving
application.
RST: A 1-bit field which resets the connection.
SYN: A 1-bit field which synchronizes the sequence numbers. Only the first packet sent from
each end should have the flag set. Some other flags and fields change meaning based on this
flag and some are only valid for when it is set and others when it is clear.
FIN: A 1-bit field which has no more data from the sender.
Window Size: This is a 16-bit field which is the size of the receive window, which specifies the
number of the window size units (which by default is in bytes) (also beyond the segment
identified by the sequence number in the acknowledgement field) that the sender of the
segment is willing to receive at the current time.
Checksum: This is a 16-bit field which is used for checking errors of the header and data.

6. Instructor:Dr. Shaji Khan(shajikhan@umsl.eduor314-489-9733)
Page 6 of 6
Urgent Pointer: This is a 16-bit field. When this flag is set then the field is an offset from the
sequence number indicating the last urgent data byte.
LAB Question7: What is the minimumsize of the TCPsegmentheaderinbytes?Whatisthe maximum
size?
Minimumsize is20 bytesandmaximumsize 60 bytes.
LAB Question8: Giventhe above isthe TCPsegment’s header
1) Where do youthinkisthe data(payload) of thissegmentlocated (i.e.doesitprecedeorfollowthe
header)?
The data section(payload) followsthe header.
2) What wouldconstitute the data portionof thisTCPsegment? (Be specificinyouranswerbasedon
thisparticularsegment) [Hint:thisanswerwill be easierif youreadthe sectiononTCP Segment
Structure of the Wikipedialinkabove andalsounderstandhow HTTPusesTCP]
TCP acceptsdata from a data streamand dividesitintochunkswhichaddsthe TCPheader
creatingthe TCP segment.The segmentisthenencapsulatedintoanIPdatagram and
exchangedwithpeers. Therefore,the datastreamconstitutesthe dataportionof the TCP
segment.
LAB DELIVERABLES (to be uploadedto MyGateway):
1) UploadcompletedWorddocument
2) Uploadthe Wiresharkcapture file
GETTING HELP:
1) Call (314-489-9733) / email (shajikhan@umsl.edu)me anytime.Feelfree towalk-intomyoffice
if you see me there orsetupappointment.Tutorsare alsoavailable (see MyGateway/Faculty
Informationforhours,orsimplywalkintocybersecuritylab,ESH204 duringlabhours).
2) Of course try to helpeachotherout.If some studentsare alreadyfamiliarwiththe taskslisted
above,Iencourage youto helpothers.“Teaching”andhelpingothersisbyfarthe bestway to
learn!