Observing TCP

Due date

Check the course calendar for the due date.

Introduction

In this assignment, you will examine a TCP trace and test your understanding of its operation using real-world data.

Acknowledgments

This lab is based on the "Retransmission in TCP" lab in Jeanna Matthews's Computer Networking: Internet Protocols in Action, and on a homework assignment developed by David Wetherall at the University of Washington.

Goals

Logistics

You are to work individually. You may discuss the material with whomever you wish. You may obtain help from anyone you wish, but you should clearly document that help.

Preparation

For this lab, you are given a trace taken on a private network. Everyone works with the same trace so that we can compare findings.

Download the capture file long-tcp-trace.tar and extract it. Run Wireshark as yourself (not as root via sudo) and open the extracted capture file.

This trace was captured with the tcpdump program on Janet Davis's personal web and mail server, which has the IP address 69.66.77.232. On the server, the command tcpdump -s94 -w long-tcp-trace.cap port 80 was run, so that only the first 96 bytes of each packet to or from port 80 were saved to the file. The Ethernet, IP, and TCP headers fit in that space, but most of each segment's payload does not, so Wireshark shows a captured length smaller than the frame length; segment sizes must be read from the headers, not from the bytes on disk. From another machine, ladd.cs.grinnell.edu, the command wget http://www.one-eyed-alien.net/~janet/rhododendron.jpg was run, which fetched a large image file from the web server.

Assignment

Task 1: TCP connection basics

  1. Follow the TCP state machine to track the state of the server's connection over time. First, give the initial state. Then, for each state change, give the packet number, the new state, and the transition (e.g., receive SYN / send SYN+ACK) that caused the change.

  2. Identify the SYN packets from each side of the connection. What TCP options are being used by the client (ladd.cs.grinnell.edu) and by the server (69.66.77.232)?

  3. Will the connection use selective acknowledgments? How can you tell?

  4. What is the only segment in a TCP stream without the ACK bit set? Why?

  5. How large (how many bytes of data) are the TCP segments sent by the server? Use the segment length Wireshark computes from the IP and TCP headers (the Len value in the Info column), not the number of bytes captured, since the capture keeps only the first 96 bytes of each packet.

  6. Wireshark displays sequence and acknowledgment numbers relative to the initial sequence number of each direction, so the first one shows as zero; this is easier for human readers. To see the real numbers, right-click the TCP line in the packet details pane, choose "Protocol Preferences", uncheck "Relative sequence numbers", and click "Apply". What is the actual initial sequence number in each direction? (They should not look like small or round numbers: modern stacks randomize the ISN so that an attacker who cannot see the traffic cannot guess it and inject segments into the connection.)

  7. Put the relative sequence numbers back. They are much easier to read.

  8. Do all of the packets from server to client contain the same acknowledgment number? Why or why not? How about packets from client to server?
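A worked example, added here and not part of the original lab, of what question 1 above asks you to do by hand: a small Python tracker that walks a packet list and records each state change of the server side (passive open) together with the packet number and the transition that caused it. The trace it runs on is constructed for illustration with Wireshark-style relative sequence numbers and is not the assignment's capture; in it the server closes first, but the passive-close path is handled as well, and an ACK only advances the close if it actually acknowledges the server's FIN.

```python
"""Track the server side of a TCP connection through its state machine.

Constructed example for Task 1; the packet list below is not the lab's trace.
"""
from collections import namedtuple

SERVER = "69.66.77.232"
CLIENT = "ladd.cs.grinnell.edu"

# flags is a frozenset of flag names, e.g. {"SYN"} or {"FIN", "ACK"}
Pkt = namedtuple("Pkt", "num src seq ack length flags")

# (state, direction as seen by the server, event) -> (new state, transition label)
TRANSITIONS = {
    ("LISTEN", "recv", "SYN"): ("SYN_RCVD", "recv SYN / send SYN+ACK"),
    ("SYN_RCVD", "recv", "ACK"): ("ESTABLISHED", "recv ACK"),
    # active close: the server sends its FIN first
    ("ESTABLISHED", "send", "FIN"): ("FIN_WAIT_1", "send FIN"),
    ("FIN_WAIT_1", "recv", "ACK"): ("FIN_WAIT_2", "recv ACK"),      # only if it acks our FIN
    ("FIN_WAIT_2", "recv", "FIN"): ("TIME_WAIT", "recv FIN / send ACK"),
    ("CLOSING", "recv", "ACK"): ("TIME_WAIT", "recv ACK"),          # only if it acks our FIN
    # passive close: the client sends its FIN first
    ("ESTABLISHED", "recv", "FIN"): ("CLOSE_WAIT", "recv FIN / send ACK"),
    ("CLOSE_WAIT", "send", "FIN"): ("LAST_ACK", "send FIN"),
    ("LAST_ACK", "recv", "ACK"): ("CLOSED", "recv ACK"),            # only if it acks our FIN
}
NEEDS_FIN_ACK = {"FIN_WAIT_1", "CLOSING", "LAST_ACK"}


def event_of(p):
    """Collapse the flag set to the single event the state machine cares about."""
    if "FIN" in p.flags:
        return "FIN"
    if "SYN" in p.flags:
        return "SYN+ACK" if "ACK" in p.flags else "SYN"
    if "ACK" in p.flags:
        return "ACK"
    return None


def track_server_states(pkts):
    """Return [(packet number, state entered, transition)], starting with LISTEN."""
    state = "LISTEN"
    history = [(None, state, "initial state")]
    our_fin_end = None  # sequence number just past the server's FIN, once it is sent
    for p in pkts:
        ev = event_of(p)
        if ev is None:
            continue
        direction = "send" if p.src == SERVER else "recv"
        if direction == "send" and ev == "FIN":
            our_fin_end = p.seq + p.length + 1  # a FIN occupies one sequence number
        acks_our_fin = direction == "recv" and our_fin_end is not None and p.ack >= our_fin_end
        if state == "FIN_WAIT_1" and direction == "recv" and ev == "FIN":
            # simultaneous close, unless the peer's FIN also acknowledges ours
            if acks_our_fin:
                new, label = "TIME_WAIT", "recv FIN+ACK / send ACK"
            else:
                new, label = "CLOSING", "recv FIN / send ACK"
        else:
            hit = TRANSITIONS.get((state, direction, ev))
            if hit is None:
                continue  # data and pure ACKs in ESTABLISHED, our own SYN+ACK, etc.
            if state in NEEDS_FIN_ACK and ev == "ACK" and not acks_our_fin:
                continue  # an ACK for earlier data does not advance the close
            new, label = hit
        history.append((p.num, new, label))
        state = new
    return history


S, C = SERVER, CLIENT
TRACE = [  # constructed, relative sequence numbers as Wireshark displays them
    Pkt(1, C, 0, 0, 0, frozenset({"SYN"})),              # client SYN
    Pkt(2, S, 0, 1, 0, frozenset({"SYN", "ACK"})),       # server SYN+ACK
    Pkt(3, C, 1, 1, 0, frozenset({"ACK"})),              # handshake ACK
    Pkt(4, C, 1, 1, 120, frozenset({"ACK", "PSH"})),     # HTTP GET
    Pkt(5, S, 1, 121, 1448, frozenset({"ACK"})),         # first data segment
    Pkt(6, C, 121, 1449, 0, frozenset({"ACK"})),         # client acks it
    Pkt(7, S, 1449, 121, 0, frozenset({"FIN", "ACK"})),  # server closes first
    Pkt(8, C, 121, 1450, 0, frozenset({"ACK"})),         # acks the server's FIN
    Pkt(9, C, 121, 1450, 0, frozenset({"FIN", "ACK"})),  # client's own FIN
    Pkt(10, S, 1450, 122, 0, frozenset({"ACK"})),        # server acks it
]

if __name__ == "__main__":
    for num, state, why in track_server_states(TRACE):
        print(f"{'-' if num is None else num:>4}  {state:<12} {why}")
```

Run it and compare the printout with your own walk through the real capture: each row is exactly the packet number, ending state, and transition that question 1 asks for, and the packets that produce no row (the server's SYN+ACK, the data segments, the final ACK) are the ones that should not appear in your answer either.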

Task 2: Timeout estimation

  1. Using the time shown by Wireshark, calculate the value of SampleRTT for the first five acknowledgments received by the server (69.66.77.232): the time the ACK arrived minus the time the data segment it acknowledges was sent. Be sure to correctly identify which data segment each ACK acknowledges (its acknowledgment number equals that segment's sequence number plus its length). Is there a trend?

  2. Use these SampleRTT values to compute two estimators for the TCP timeout.

    1. The first estimator is the exponentially weighted moving average used in TCP's original algorithm for adaptive retransmission. Use alpha = 0.2 and an initial value of 500 ms for EstimatedRTT.
    2. The second estimator is the Jacobson/Karels algorithm. Use delta = 1/8, mu = 1, phi = 4, the same initial EstimatedRTT (500 ms), and an initial deviation of zero.

    Present your answers as a graph of TimeOut versus time, ideally with both estimators on one graph. Use spreadsheet software.

  3. Now, you'll use Wireshark to look at the sampled RTTs over the entire length of the connection. In the trace window, select a packet sent by the server. Go to the Statistics menu and choose the TCP Stream Graph submenu.  From here, select the Round Trip Time Graph option. To save a copy of this image, you will need to take a screenshot.  Paste the screenshot into your lab notebook. 

  4. Describe the general shape of this graph. Does the RTT ever drop below the first SampleRTT you computed? Roughly how much does the RTT vary, in proportion to its initial value?

  5. In some places, the RTT measurements form a straight, diagonal line. What do you think is happening in those places?

  6. You can close the graph now.
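The computation that questions 1 and 2 of this task ask for, as an added Python example that is not part of the original lab. sample_rtts pairs each client ACK with the server data segment whose last byte it acknowledges (acknowledgment number equals that segment's sequence number plus its length), which is the step that is easy to get wrong when one ACK covers two segments, and it skips segments that were transmitted more than once (Karn's rule) because their ACK is ambiguous. The two estimator functions then turn the SampleRTT list into TimeOut values. The packet list is constructed, with times in seconds as Wireshark's Time column shows them. One assumption is flagged in the code: the original algorithm's alpha = 0.2 is taken as the weight on the new sample; if your textbook writes the average as alpha*EstimatedRTT + (1-alpha)*SampleRTT, pass alpha = 0.8 instead.

```python
"""SampleRTT extraction and two retransmission-timeout estimators (Task 2).

Constructed example; the packet list below is not the assignment's trace.
"""
from collections import namedtuple

SERVER = "69.66.77.232"
CLIENT = "ladd.cs.grinnell.edu"

# time in seconds (Wireshark's Time column); seq/ack are relative numbers
Pkt = namedtuple("Pkt", "num time src seq ack length")


def sample_rtts(pkts):
    """Return [(ACK packet number, SampleRTT in ms)] for the server's data.

    A cumulative ACK with number A acknowledges the data segment whose
    seq + length == A (and everything before it), so the sample is the ACK's
    time minus that segment's send time. Segments sent more than once are
    skipped (Karn's rule): it is unknown which transmission the ACK answers.
    """
    send_time = {}  # end-of-segment seq number -> time of first transmission
    sent = {}       # end-of-segment seq number -> number of transmissions
    samples = []
    for p in pkts:
        if p.src == SERVER and p.length > 0:
            end = p.seq + p.length
            sent[end] = sent.get(end, 0) + 1
            send_time.setdefault(end, p.time)
        elif p.src != SERVER and p.ack in send_time:
            t0 = send_time.pop(p.ack)  # pop, so duplicate ACKs yield no new sample
            if sent[p.ack] == 1:
                samples.append((p.num, round((p.time - t0) * 1000, 3)))
    return samples


def original_timeouts(samples_ms, alpha=0.2, est0=500.0):
    """TCP's original EWMA estimator; returns one TimeOut per sample.

    ASSUMPTION: alpha is the weight on the new sample, i.e.
    EstimatedRTT = (1 - alpha) * EstimatedRTT + alpha * SampleRTT,
    and TimeOut = 2 * EstimatedRTT.
    """
    est = est0
    timeouts = []
    for s in samples_ms:
        est = (1 - alpha) * est + alpha * s
        timeouts.append(2 * est)
    return timeouts


def jacobson_karels_timeouts(samples_ms, delta=1 / 8, mu=1.0, phi=4.0,
                             est0=500.0, dev0=0.0):
    """Jacobson/Karels estimator: tracks the mean deviation as well as the mean."""
    est, dev = est0, dev0
    timeouts = []
    for s in samples_ms:
        diff = s - est
        est = est + delta * diff
        dev = dev + delta * (abs(diff) - dev)
        timeouts.append(mu * est + phi * dev)
    return timeouts


TRACE = [  # constructed; 1448-byte segments, client ACKs with no data
    Pkt(1, 0.000, SERVER, 0, 1, 1448),
    Pkt(2, 0.001, SERVER, 1448, 1, 1448),
    Pkt(3, 0.120, CLIENT, 1, 1448, 0),      # acknowledges packet 1
    Pkt(4, 0.131, CLIENT, 1, 2896, 0),      # acknowledges packet 2
    Pkt(5, 0.132, SERVER, 2896, 1, 1448),
    Pkt(6, 0.133, SERVER, 4344, 1, 1448),
    Pkt(7, 0.243, CLIENT, 1, 5792, 0),      # one ACK covers packets 5 and 6: the sample is for 6
    Pkt(8, 0.244, SERVER, 5792, 1, 1448),   # lost on the way to the client
    Pkt(9, 0.744, SERVER, 5792, 1, 1448),   # retransmitted: no RTT sample (Karn)
    Pkt(10, 0.944, CLIENT, 1, 7240, 0),
]

if __name__ == "__main__":
    samples = sample_rtts(TRACE)
    rtts = [r for _, r in samples]
    for (num, rtt), t1, t2 in zip(samples, original_timeouts(rtts),
                                  jacobson_karels_timeouts(rtts)):
        print(f"ack pkt {num:>3}: SampleRTT={rtt:7.1f} ms  "
              f"original TimeOut={t1:8.2f} ms  J/K TimeOut={t2:8.2f} ms")
```

Feed the SampleRTT values you measured from the real capture to the two estimator functions (or copy the recurrences into your spreadsheet) to produce the graph for question 2; the starting value of 500 ms means both curves begin well above the measured RTT and take several samples to come down.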

Task 3: Retransmissions

  1. Use the filter tcp.analysis.retransmission to show only TCP packets that retransmit segments previously transmitted. What are the packet number, time, and TCP sequence number of the first retransmission? 

  2. Clear the filter and find the original packet that it was a retransmission of. What is the number of the packet in the trace, and what time was it sent?

  3. Was this packet retransmitted because of duplicate ACKs or because of a timeout?

  4. How many packets in a row were retransmitted before the next transmission of new data?

  5. Re-apply the filter tcp.analysis.retransmission. Most Fast Retransmissions are followed by an ordinary retransmission soon thereafter. Find a Fast Retransmission for which this is not the case. What is its packet number and time? Then clear the filter.

  6. Now, you'll use Wireshark to look at a graph of sequence numbers versus time. In the trace window, select a packet sent by the server (69.66.77.232). Go to the Statistics menu and choose the TCP Stream Graph submenu. From here, select the Time-Sequence Graph (Stevens) option. (You should see a diagonal line with some blips. If you see a flat, horizontal line, you selected a packet from the client, whose sequence number never advances because it sends no data; close the graph and try again.) 

    To save a copy of this image, you will need to take a screenshot.  Paste the screenshot into your lab notebook. 

  7. Each dot indicates that a segment with a particular sequence number (Y-axis) was sent at that particular time. What does it mean when the graph appears to be more or less a straight, diagonal line?

  8. Identify the time at which the first retransmission occurred.  What does the graph look like at that time?

  9. What do you think is happening between time 1.5 and 2.75? (Note that you can click on a dot in the graph to highlight the corresponding packet in the packet trace pane. Unfortunately, you can't do the opposite.) (Note also that you may want to enable the Crosshairs option in the graph option dialog to make it easier to identify packets at particular times or with particular sequence numbers.)

  10. What do you think is happening between time 4 and time 4.5? (Be sure to look at the packets in the trace pane, not just the graph.)

  11. What do you think is happening between time 8.25 and time 9? (Be sure to look at the packets in the trace.)
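An added Python example, not part of the original lab, that does by code what questions 1 through 4 of this task (and discussion question 4 below) do by eye: it walks a server-side packet list, flags every data segment whose sequence number the server has already sent, reports which earlier packet it repeats, and classifies it as a fast retransmission when at least three duplicate ACKs for exactly that sequence number preceded it (the RFC 5681 trigger) or as timeout-driven otherwise. It also records the bytes in flight when the first retransmission went out, which bounds the congestion window at the first loss. This is a deliberately simplified version of the heuristics behind Wireshark's tcp.analysis.retransmission and tcp.analysis.fast_retransmission flags, not Wireshark's code, and the packet list is constructed.

```python
"""Find and classify retransmissions in a server-side capture (Task 3).

Constructed example, not the lab's trace; simplified relative to Wireshark.
"""
from collections import namedtuple

SERVER = "69.66.77.232"
CLIENT = "ladd.cs.grinnell.edu"
MSS = 1448               # segment size assumed for the constructed trace
DUP_ACK_THRESHOLD = 3    # RFC 5681: fast retransmit after three duplicate ACKs

# time in seconds; seq/ack are relative numbers as Wireshark displays them
Pkt = namedtuple("Pkt", "num time src seq ack length")


def analyze(pkts):
    """Return (retransmissions, first_loss).

    retransmissions: [(packet number, 'fast' or 'timeout', original packet number)].
    A server data segment is a retransmission when its sequence number lies
    below the highest sequence number already sent; it is 'fast' when three or
    more duplicate ACKs for that very sequence number arrived since the last
    new ACK, otherwise it is attributed to the retransmission timer.

    first_loss: bytes in flight, (highest seq sent) - (highest ack received),
    at the moment the first retransmission was sent, plus the packet and time.
    """
    next_seq = 0       # sequence number just past the last new data sent
    highest_ack = 0    # highest cumulative ACK seen from the client
    dup_acks = 0       # duplicate ACKs seen for highest_ack since it last moved
    first_tx = {}      # sequence number -> packet number of its first transmission
    retrans = []
    first_loss = None
    for p in pkts:
        if p.src == SERVER:
            if p.length == 0:
                continue  # pure ACKs carry no data and cannot be retransmissions
            if p.seq < next_seq:
                fast = dup_acks >= DUP_ACK_THRESHOLD and p.seq == highest_ack
                retrans.append((p.num, "fast" if fast else "timeout", first_tx.get(p.seq)))
                if first_loss is None:
                    in_flight = next_seq - highest_ack
                    first_loss = {"packet": p.num, "time": p.time,
                                  "bytes_in_flight": in_flight,
                                  "segments_in_flight": in_flight // MSS}
                dup_acks = 0  # a new count starts after the hole is resent
            else:
                first_tx[p.seq] = p.num
                next_seq = p.seq + p.length
        else:
            if p.ack > highest_ack:
                highest_ack, dup_acks = p.ack, 0
            elif p.ack == highest_ack and p.length == 0:
                dup_acks += 1
    return retrans, first_loss


TRACE = [  # constructed: one fast retransmission, then one timeout retransmission
    Pkt(1, 0.000, SERVER, 0, 1, 1448),
    Pkt(2, 0.001, SERVER, 1448, 1, 1448),
    Pkt(3, 0.050, CLIENT, 1, 1448, 0),
    Pkt(4, 0.051, CLIENT, 1, 2896, 0),
    Pkt(5, 0.052, SERVER, 2896, 1, 1448),   # lost in the network
    Pkt(6, 0.053, SERVER, 4344, 1, 1448),
    Pkt(7, 0.054, SERVER, 5792, 1, 1448),
    Pkt(8, 0.055, SERVER, 7240, 1, 1448),
    Pkt(9, 0.102, CLIENT, 1, 2896, 0),      # duplicate ACK 1
    Pkt(10, 0.103, CLIENT, 1, 2896, 0),     # duplicate ACK 2
    Pkt(11, 0.104, CLIENT, 1, 2896, 0),     # duplicate ACK 3
    Pkt(12, 0.105, SERVER, 2896, 1, 1448),  # fast retransmission of packet 5
    Pkt(13, 0.155, CLIENT, 1, 8688, 0),     # one ACK now covers everything sent
    Pkt(14, 0.156, SERVER, 8688, 1, 1448),  # lost, and nothing follows it...
    Pkt(15, 0.656, SERVER, 8688, 1, 1448),  # ...so only the timer can recover it
    Pkt(16, 0.706, CLIENT, 1, 10136, 0),
]

if __name__ == "__main__":
    found, loss = analyze(TRACE)
    for num, kind, orig in found:
        print(f"packet {num}: {kind} retransmission of packet {orig}")
    print(f"first loss at packet {loss['packet']} (t={loss['time']}s): "
          f"{loss['bytes_in_flight']} bytes = {loss['segments_in_flight']} segments in flight")
```

The last line of output is the figure discussion question 4 asks about: with a server-side capture, the window the server believed it had at the moment of the first loss is the data it had sent but not yet seen acknowledged. Note the two failure modes the constructed trace exercises: packet 14 is lost with no later data behind it, so the client never generates duplicate ACKs and only the retransmission timer can recover it, which is why it is classified as a timeout retransmission and appears much later than the fast one.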

Task 4: Your own traces

Using Wireshark, take at least one trace of your own, using different-sized transfers, different client-server pairs, and/or different applications, and examine the resulting time sequence diagrams.

For each trace, explain how you produced the TCP traffic that is captured in the trace. Paste the time sequence diagram into your lab notebook and explain (or ask questions about) any interesting features, as you did in Task 3.

Assessment

To earn a B, complete Tasks 1 - 3 along with the discussion questions.
To earn an A, also complete Task 4.

Advice

You will find your textbook a useful reference for this lab.

Discussion Questions

  1. Is any data sent in the SYN, SYN+ACK, and ACK packets of the handshake? Does RFC 793 prohibit data in these packets? 

  2. Which timeout estimator would provide better performance for the trace you looked at? Why?

  3. Why is the first loss in a TCP connection important to the congestion control algorithm?

  4. How many data packets did the server send before the first loss (noted in Task 3, question 2 above)? What was the size of the congestion window at the time of the first loss? How did you figure this out?

  5. Based on what you've seen, which of the TCP versions (described on pages 494-495 of P&D) do you think the server is running? What TCP features can you definitely identify, and which are you not sure about? (NB: The web server is a FreeBSD box.)

  6. How long did you spend on this assignment?

Lab Notebook

Be sure to include your answers to all questions.


Modified from a Janet Davis lab. All traces are from Janet Davis.

Mike Erlinger

Last Modified Tuesday, 19-Oct-2010 15:43:00 PDT