Experiment Conditions:
Location:
Equipment: Fujitsu laptop running Windows 8.1 (64-bit); Browser: Chrome
Local IP address: 192.168.2.74
Task – I
The first task was to capture all TCP traffic to/from Facebook while logging into a Facebook account and then analyze the data. A capture filter recording only TCP traffic to and from 31.13.71.96 (the IP address of the Facebook server contacted) was set, and the capture was saved to "Facebook 31.13.71.96.pcapng". This was accomplished using the capture filter (BPF syntax, applied before packets are stored): tcp and host 31.13.71.96
The login process was completed and the capture was stopped. A total of 315 packets were captured over the 15 seconds the process took to complete. Display filters (Wireshark's own syntax, applied to packets already captured) on the destination address were then used to count packets by direction: ip.dst==31.13.71.96 and ip.dst==192.168.2.74
We received 212 packets from Facebook and sent 103 packets to it, close to a 2:1 ratio of packets received to packets sent. Display filters were then written to analyze the flags set in the captured packets. The following is a summary of the filter expressions used and the data gathered from the results.
A.) SYN Flag
To determine the number of TCP packets with the SYN flag set: Display Filter = tcp.flags.syn==1
Number of packets with SYN flag set = 4
To determine the number of TCP packets with the SYN flag not set: Display Filter = tcp.flags.syn==0
Packets with SYN flag not set = 311
To determine the number of TCP packets with SYN set and sent to the host: Display Filter = tcp.flags.syn==1 && ip.dst==192.168.2.74
Packets received with SYN flag set = 2
To determine the number of TCP packets with SYN set and sent to Facebook: Display Filter = tcp.flags.syn==1 && ip.dst==31.13.71.96
Packets sent with SYN flag set = 2
B.) PSH Flag
To determine the number of TCP packets with the PSH flag set: Display Filter = tcp.flags.push==1
Packets with PSH flag set = 113
To determine the number of TCP packets with the PSH flag not set: Display Filter = tcp.flags.push==0
Packets with PSH flag not set = 202
To determine the number of TCP packets with PSH set and sent to the host: Display Filter = tcp.flags.push==1 && ip.dst==192.168.2.74
Packets received with PSH flag set = 85
To determine the number of TCP packets with PSH set and sent to Facebook: Display Filter = tcp.flags.push==1 && ip.dst==31.13.71.96
Packets sent with PSH flag set = 28
C.) PSH or SYN Flags
To determine the number of TCP packets with PSH or SYN set and sent to the host: Display Filter = (tcp.flags.push==1||tcp.flags.syn==1) && ip.dst==192.168.2.74
Packets received with SYN or PSH flag set = 87
To determine the number of TCP packets with PSH or SYN set and sent to Facebook: Display Filter = (tcp.flags.push==1||tcp.flags.syn==1) && ip.dst==31.13.71.96
Packets sent with SYN or PSH flag set = 30
D.) RST Flag
To determine the number of TCP packets with the RST flag set: Display Filter = tcp.flags.reset==1
Packets with RST flag set = 0
To determine the number of TCP packets with the RST flag not set: Display Filter = tcp.flags.reset==0
Packets with RST flag not set = 315
These results are summarised in the following table.

Captured TCP Packets: Flag Statistics
Task: Capture all TCP traffic to/from Facebook while logging in to a Facebook account

Total captured packets                                        315
Packets sent to Facebook                                      103
Packets received from Facebook                                212
Packets sent to Facebook with SYN flag set                      2
Packets received from Facebook with SYN flag set                2
Packets sent to Facebook with PSH flag set                     28
Packets received from Facebook with PSH flag set               85
Packets sent to Facebook with SYN or PSH flag set              30
Packets received from Facebook with SYN or PSH flag set        87
Total packets with SYN flag set                                 4
Total packets with PSH flag set                               113
Total packets with RST flag set                                 0
Total packets with ACK flag set                               313
Total packets with CWR flag set                                 0
Total packets with both SYN and PSH flags set                   0

Summary of Analysis
From A, 4 of the 315 packets (1.3%) have SYN set: two were sent to Facebook and two were received. These are the SYNs that opened two TCP connections and the SYN/ACK replies from Facebook; the ACK count of 313 = 315 - 2 is consistent with this, since only the two initial SYNs carry no ACK. From B, 113 of the 315 packets (35.9%) have PSH set: 28 were sent to Facebook and 85 were received, i.e. roughly 28 data segments were pushed to Facebook and 85 were pushed back. Note that PSH is set by the sender to have the data delivered to the receiving application immediately, so not every data-carrying segment necessarily has it; the PSH count is an estimate of the number of data segments, not an exact count. From C, 87 packets with SYN or PSH set were received and 30 were sent; these are simply the per-direction sums of the SYN and PSH counts (2 + 85 and 2 + 28), because no packet had both flags set. From D, no RST was seen, so no connection was reset for the entire duration of the capture.
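The per-direction flag counts above can be reproduced without Wireshark by reading the IPv4 and TCP headers directly. The following is an added example, not part of the original lab report: it parses raw Ethernet II / IPv4 / TCP frames with the Python standard library and tallies the same quantities the display filters in A to D count. The host and Facebook addresses are taken from the report; SAMPLE_FRAMES is a constructed handshake and short exchange, not the report's pcapng, and a frame to an unrelated host plus an ARP frame are included to show what the capture filter and protocol check drop.

```python
"""Count TCP flags per direction in a capture, reproducing the Task I table
without Wireshark. Added example, not from the original lab report: it parses
raw Ethernet II / IPv4 / TCP frames with the standard library only, and the
SAMPLE_FRAMES below are constructed, not taken from the report's pcapng."""
import struct
from collections import Counter

HOST = "192.168.2.74"   # the laptop's address from the report
PEER = "31.13.71.96"    # the Facebook address from the report

# Low byte of the TCP flags field (byte 13 of the header); names follow Wireshark's
# tcp.flags.* fields. The ninth flag (NS) sits in byte 12 and is not needed here.
FLAGS = {"fin": 0x01, "syn": 0x02, "reset": 0x04, "push": 0x08,
         "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80}


def parse_frame(frame):
    """Return (src_ip, dst_ip, flag_byte) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":       # Ethertype IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:  # version 4, protocol TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, ip[ihl + 13]


def build_frame(src, dst, flags, sport=40000, dport=443):
    """Constructed minimal frame with the given TCP flag byte (checksums left 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def flag_table(frames, host=HOST, peer=PEER):
    """Per-direction flag counts for traffic between host and peer.
    Comments give the Wireshark filter each counter corresponds to."""
    c = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, fl = parsed
        if {src, dst} != {host, peer}:                     # capture filter: tcp and host PEER
            continue
        c["total"] += 1
        direction = "sent" if dst == peer else "received"  # ip.dst==PEER / ip.dst==HOST
        c[direction] += 1
        for name, bit in FLAGS.items():
            if fl & bit:
                c[name] += 1                               # tcp.flags.<name>==1
                c[direction + "_" + name] += 1             # tcp.flags.<name>==1 && ip.dst==...
        if fl & FLAGS["syn"] and fl & FLAGS["push"]:
            c["syn_and_push"] += 1                         # tcp.flags.syn==1 && tcp.flags.push==1
    return c


S, A, P, F = FLAGS["syn"], FLAGS["ack"], FLAGS["push"], FLAGS["fin"]
# Constructed sample: one short connection, an unrelated SYN and a non-IP frame.
SAMPLE_FRAMES = [
    build_frame(HOST, PEER, S),         # client SYN
    build_frame(PEER, HOST, S | A),     # server SYN/ACK
    build_frame(HOST, PEER, A),         # handshake complete
    build_frame(HOST, PEER, P | A),     # request data
    build_frame(PEER, HOST, A),
    build_frame(PEER, HOST, P | A),     # response data
    build_frame(PEER, HOST, P | A),
    build_frame(HOST, PEER, A),
    build_frame(HOST, PEER, F | A),     # client FIN
    build_frame(PEER, HOST, F | A),     # server FIN
    build_frame(HOST, "10.0.0.5", S),   # other host: dropped by the host filter
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,   # ARP: not IPv4/TCP, ignored
]

if __name__ == "__main__":
    counts = flag_table(SAMPLE_FRAMES)
    for key in ("total", "sent", "received", "syn", "sent_syn", "received_syn",
                "push", "sent_push", "received_push", "ack", "reset", "syn_and_push"):
        print(f"{key:>14}: {counts[key]}")
```

On the real capture the same numbers come from tshark, e.g. tshark -r "Facebook 31.13.71.96.pcapng" -Y "tcp.flags.syn==1 && ip.dst==31.13.71.96" | wc -l for the "packets sent with SYN set" row. The script keeps the two filter stages separate: the host/peer check plays the role of the capture filter and the per-flag counters play the role of the display filters, so the "SYN or PSH" rows of the table are just the sum of the separate SYN and PSH rows whenever syn_and_push is zero.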
Task – II
The next task was to capture all HTTP traffic to and from Facebook while logging into an account. For this a capture filter was used to isolate TCP traffic on port 80 to and from Facebook's IP: tcp port 80 and host 31.13.71.96
The login process was completed and the capture was saved to "raw.pcapng". 14 packets were captured over the 20 seconds the process took. Note that this filter matches every TCP segment on port 80, handshake and pure-ACK segments included, not only HTTP requests and responses, and that it excludes any traffic on port 443 (HTTPS).
The number of packets sent to Facebook was determined using the display filter ip.dst==31.13.71.96: a total of 8 packets, i.e. 8/14. The number of packets received from Facebook was determined using the display filter ip.dst==192.168.2.74: a total of 6 packets, i.e. 6/14.
Task – III
The last task was to capture all traffic to and from YouTube while playing a popular video. For this task we picked "The Flash - Extended Trailer" (URL https://www.youtube.com/watch?v=Yj0l7iGKh8g).
No capture filter was used, because the YouTube servers delivering the stream may change during playback. The capture was saved to "flashmovietrailer.pcapng". A total of 16889 packets were captured over 5.76 minutes. Most of the traffic was exchanged with IP 173.194.130.18, but communication with YouTube is not limited to this single server. For the volume calculations below only this IP is considered; for the other calculations (flags, etc.) the whole capture is used.
To isolate the packets sent by the host to YouTube, the display filter ip.src==192.168.2.74 and ip.dst==173.194.130.18 was used: a total of 4264 packets were sent to YouTube, i.e. 4264/16889. To isolate the packets sent by YouTube and received by the host, the display filter ip.src==173.194.130.18 and ip.dst==192.168.2.74 was used: a total of 10786 packets were received from YouTube, i.e. 10786/16889.
The number of packets with SYN set was determined using the filter tcp.flags.syn==1: a total of 61 packets, so several connections were established or re-established over the course of the capture. The number of packets with PSH set was determined using the filter tcp.flags.push==1: a total of 604 packets, i.e. about 604 data segments were pushed to the application over the entire duration. The number of packets with RST set was determined using the filter tcp.flags.reset==1: a total of 26 packets, so connections were reset 26 times over the course of the capture. The primary server streaming the video remained constant for our capture: 15050 of the 16889 packets (the 4264 sent plus the 10786 received above) were exchanged with 173.194.130.18, with the rest spread across several other servers. The capture was exported as a .csv file and Excel was used for further analysis; the following plots of SYN and PSH occurrences were obtained.
A.) Occurrence of SYN=1 flags plotted against time
[Histogram; x-axis: TIME (seconds), 0 to 340 in 20 s steps; y-axis: NO. OF PACKETS WITH SYN FLAG SET, 0 to 12. Plot not reproduced.]
B.) Occurrence of PSH=1 flags plotted against time
[Histogram; x-axis: TIME (seconds), 0 to 340 in 20 s steps; y-axis: NO. OF PACKETS WITH PSH FLAG SET, 0 to 160. Plot not reproduced.]
When A and B are compared, the number of PSH instances and the number of SYN instances track each other for the majority of the transmission. One possible explanation is that connections are re-established after a segment is transmitted, since more PSH instances mean more data segments are transmitted; the correlation of the per-interval counts alone does not prove this, however.
C.) Histogram of packet sizes
[Histogram; x-axis: SIZE RANGES; y-axis: NO. OF PACKETS, 0 to 11000. Plot not reproduced.]
We can see from C that close to one third of all packets have very small sizes and about two thirds have very large sizes, with only a negligible fraction of packets in between. This bimodal distribution is consistent with a streaming download: full-sized data segments from the server and small, payload-free acknowledgements from the client.
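The per-interval counts behind plots A and B and the size ranges behind plot C were produced in Excel from a CSV export; the same analysis can be done directly on the exported columns. The following is an added example, not part of the original report: it bins flag occurrences into 20-second intervals, bins frame lengths into size ranges, and computes the correlation between the per-interval SYN and PSH counts that the comparison of A and B rests on. Records are (time_s, frame_len, flag_byte) tuples, the columns an export of frame.time_relative, frame.len and tcp.flags would give; make_sample() builds a constructed stream with a bimodal size distribution, not the report's 16889-packet YouTube capture.

```python
"""Bin TCP flag occurrences over time and frame lengths into size ranges, the
analysis the report did in Excel on a CSV export (plots A, B and C). Added
example, not from the original report; make_sample() builds a constructed
record list, not the 16889-packet YouTube capture. Each record is
(time_s, frame_len, flag_byte), the columns an export of frame.time_relative,
frame.len and tcp.flags would give."""
import math
from collections import Counter

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10


def bin_by_time(records, flag_bit, bin_s=20):
    """Count packets with flag_bit set per bin_s-second interval, keyed by interval start."""
    counts = Counter()
    for t, _, flags in records:
        if flags & flag_bit:
            counts[int(t // bin_s) * bin_s] += 1
    return counts


def size_histogram(records, edges):
    """Count frame lengths into [edges[i], edges[i+1]) ranges; the last range is open-ended."""
    counts = Counter()
    for _, length, _ in records:
        for i, lo in enumerate(edges):
            hi = edges[i + 1] if i + 1 < len(edges) else math.inf
            if lo <= length < hi:
                counts[lo] += 1
                break
    return counts


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / math.sqrt(sxx * syy)


def flag_correlation(records, bin_s=20):
    """Correlation of per-interval SYN and PSH counts over the capture window,
    the comparison the report makes between plots A and B (empty bins count 0)."""
    syn, psh = bin_by_time(records, SYN, bin_s), bin_by_time(records, PSH, bin_s)
    last = max(t for t, _, _ in records)
    bins = range(0, int(last // bin_s) * bin_s + 1, bin_s)
    return pearson([syn[b] for b in bins], [psh[b] for b in bins])


def make_sample():
    """Constructed stream: in each 20 s window a few connections open (SYN and
    SYN/ACK, 66-byte frames) and carry 1514-byte PSH data segments, each
    answered by a 54-byte pure ACK; one RST appears at 45 s."""
    recs = []
    for start, n_conns, n_data in ((0, 1, 10), (20, 2, 20), (40, 1, 8)):
        for j in range(n_conns):
            recs.append((start + 0.10 + 0.01 * j, 66, SYN))
            recs.append((start + 0.12 + 0.01 * j, 66, SYN | ACK))
        for k in range(n_data):
            t = start + 0.5 + 0.5 * k
            recs.append((t, 1514, PSH | ACK))
            recs.append((t + 0.05, 54, ACK))
    recs.append((45.0, 54, RST | ACK))
    return recs


if __name__ == "__main__":
    recs = make_sample()
    print("SYN per 20 s:", dict(sorted(bin_by_time(recs, SYN).items())))
    print("PSH per 20 s:", dict(sorted(bin_by_time(recs, PSH).items())))
    print("sizes:", dict(sorted(size_histogram(recs, [0, 100, 1000, 1500]).items())))
    print("SYN/PSH correlation: %.3f" % flag_correlation(recs))
```

To run this on the real capture, export the three columns with tshark -r flashmovietrailer.pcapng -T fields -e frame.time_relative -e frame.len -e tcp.flags and parse the rows into the same tuples (tcp.flags is printed as a hexadecimal string). Counting a SYN/ACK as a SYN occurrence, as tcp.flags.syn==1 does, means each completed handshake contributes two SYN instances to plot A, which is worth keeping in mind when reading the plot as a count of connections.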