Run the protocol analyzer (Wireshark) on the packet capture file “capture SUSS_trace1223.pcap”. You should see 1223 packets captured during a conversation between a browser client and a web server. The current version of the protocol analyzer provides expert information on the packets for the user's convenience. This information should not be used as answers, but as a guide to help you develop your own analysis and understanding.
Question 1
In frame 1, a browser client made a DNS query to discover the IP address of a web server.
(a) Provide a screen capture of the query frame. Examine the query frame and highlight in the packet list the IP address of the DNS server.
(b) Provide a screen capture of the DNS server's response frame. Analyze and highlight the domain name and IP address of the web server in the packet details. Demonstrate how the client discovers the IP address of the web server.
Question 2
In frame 3, the browser client made a second DNS query to discover the IP address of another web server.
(a) Explain why the browser made multiple queries to the DNS server, including a third query in frame 10.
(b) Provide a screen capture of the DNS server's response to the second query. Highlight the canonical domain name and the multihomed IP addresses of the web server. Highlight the IP address of the web server involved in the current conversation and illustrate how it was selected.
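The parsing behind Q1 and Q2, as an added example that is not part of the assignment or of the capture: the response below is constructed, not taken from the trace (names www.example.com and example.cdn.net and the 192.0.2.x addresses are placeholders), and it shows how a resolver follows the CNAME from the queried name to the canonical name, collects that name's multiple A records, and how name compression pointers in the answer section are decoded. Which address the browser then connects to is not encoded in DNS; the code assumes it takes the first A record in answer order.

```python
import struct

QTYPE_A, QTYPE_CNAME = 1, 5


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_sample_response():
    """Constructed DNS response (not from the capture): the queried name is a CNAME for a
    canonical name that has two A records, i.e. a multihomed web server."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)  # response, RD+RA, 1 question, 3 answers
    question = encode_name("www.example.com") + struct.pack(">HH", QTYPE_A, 1)
    qname_ptr = b"\xc0\x0c"                                       # compression pointer to offset 12
    target = encode_name("example.cdn.net")
    cname_rr = qname_ptr + struct.pack(">HHIH", QTYPE_CNAME, 1, 300, len(target)) + target
    target_off = len(header) + len(question) + 2 + 10             # offset where the target name sits
    target_ptr = struct.pack(">H", 0xC000 | target_off)

    def a_rr(ip):
        return target_ptr + struct.pack(">HHIH", QTYPE_A, 1, 60, 4) + bytes(int(x) for x in ip.split("."))

    return header + question + cname_rr + a_rr("192.0.2.1") + a_rr("192.0.2.2")


def read_name(msg, off):
    """Decode a possibly-compressed name at msg[off]; return (name, offset after it).
    A pointer must point backwards, otherwise a crafted response could loop forever."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("bad compression pointer at offset %d" % off)
            if end is None:
                end = off + 2
            off = ptr
        elif length == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length


def parse_response(msg):
    """Return the question name and the answer RRs as (owner, type, ttl, value)."""
    ident, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                                  # QTYPE, QCLASS
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_CNAME:
            value, _ = read_name(msg, off)
        elif rtype == QTYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in msg[off:off + 4])
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((owner, rtype, ttl, value))
    return {"id": ident, "question": qname, "answers": answers}


def resolve(msg, max_hops=8):
    """Follow the CNAME chain from the queried name, then collect the canonical name's
    A records. Assumption: the client uses the first A record in answer order."""
    resp = parse_response(msg)
    name = resp["question"]
    for _ in range(max_hops):
        cname = next((v for o, t, _ttl, v in resp["answers"] if o == name and t == QTYPE_CNAME), None)
        if cname is None:
            break
        name = cname
    else:
        raise ValueError("CNAME chain too long")
    addresses = [v for o, t, _ttl, v in resp["answers"] if o == name and t == QTYPE_A]
    return {"query": resp["question"], "canonical": name, "addresses": addresses,
            "selected": addresses[0] if addresses else None}


if __name__ == "__main__":
    print(resolve(build_sample_response()))
```

In Wireshark the same chain appears in the Answers section of the response as a CNAME record for the queried name followed by the A records of the canonical name; the answer order shown there is the order this code uses.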
Question 3
Following the DNS query in frame 1, the client made an HTTP GET request to retrieve a file from the web server.
(a) Provide a screen capture of the request frame and highlight the relevant packet details in the GET message to show the host name of the web server and the full path of the requested file. Formulate the full URL and use it in a web browser to retrieve the requested file. Provide a screen capture of the page displayed in the browser window.
(b) Provide a screen capture of the response frame sent from the web server and highlight the status code and reason phrase in the HTTP response. Explain the significance of the status code and response message.
Question 4
In frame 24, the client sent an SSL record to negotiate a secure session with the web server.
(a) Provide a screen capture of the SSL protocol record in the TLS layer. Identify the SSL message and its content type and protocol type, and indicate the values of the content type and protocol type fields.
(b) Identify the frame that carries the first SSL response message from the server. Provide a screen capture of its SSL protocol record in the TLS layer and identify its content type and protocol type. Examine and indicate the values of both fields.
(c) Provide a screen capture of the client's cipher suites and another screen capture of the server's cipher suite selection. Explain how the client and the server agree on a specific cipher suite for their communication. Highlight the relevant cipher suite in the screen captures to support your explanation.
Question 5
In frame 34 and subsequent frames, the server sent the client four SSL handshake protocol messages, each carried in an SSL record.
(a) Identify each message and its SSL record as presented by Wireshark. Illustrate the data structure of each of the four SSL records. Identify the name and size of every field in the record and the value stored in it.
[Hint: A data structure of an SSL record is illustrated here.]
(b) Given that the MTU is 1500 bytes, verify that the maximum TCP segment size is 1460 bytes. Estimate the number of frames required to carry the four messages to the client, and the size of the last TCP segment. Identify the corresponding frame numbers in Wireshark. [Hint: this question illustrates TCP segmentation.]
(c) Demonstrate that the SSL record for the Certificate message was segmented into three TCP segments and reassembled in frame 37. Provide a screen capture of the TCP layer in frame 37 and highlight the packet details that validate the sizes of the TCP segments. [Hint: this question illustrates the reassembly of TCP segments.]
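The record structure of Q4 and the segmentation and reassembly of Q5, as an added worked example that is not part of the assignment and does not reproduce the bytes in the capture: the server flight below is constructed (ServerHello, Certificate, ServerKeyExchange, ServerHelloDone with placeholder bodies and an assumed protocol version 0x0301) so that the four records add up to 3612 bytes. The code walks the 5-byte record header (content type, version, length) and the 4-byte handshake header (type, 3-byte length), derives the 1460-byte MSS from the 1500-byte MTU, and shows that a single TCP segment cut in the middle of the Certificate record cannot be parsed until the segments are put back together.

```python
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
TLS10 = (3, 1)   # assumed record-layer version 0x0301


def record(content_type, fragment, version=TLS10):
    """Record layer: ContentType(1) | Version major(1) minor(1) | Length(2) | fragment."""
    return struct.pack(">BBBH", content_type, version[0], version[1], len(fragment)) + fragment


def handshake(hs_type, body):
    """Handshake layer: HandshakeType(1) | Length(3) | body."""
    return struct.pack(">B", hs_type) + len(body).to_bytes(3, "big") + body


def build_server_flight():
    """Constructed server flight (not taken from the capture): four Handshake records."""
    # ServerHello body: version, 32-byte random, session id (len 32), cipher suite, compression
    server_hello = handshake(2, bytes(TLS10) + b"\x11" * 32 + b"\x20" + b"\x22" * 32 + b"\x00\x2f" + b"\x00")
    cert = b"\x30" * 3200                                           # placeholder for a DER certificate
    certificate = handshake(11, (len(cert) + 3).to_bytes(3, "big") + len(cert).to_bytes(3, "big") + cert)
    key_exchange = handshake(12, b"\x44" * 300)                     # placeholder key-exchange parameters
    hello_done = handshake(14, b"")
    return b"".join(record(22, m) for m in (server_hello, certificate, key_exchange, hello_done))


def parse_records(data):
    """Walk the record layer; raise if a record is cut short (needs more TCP bytes)."""
    recs, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, major, minor, length = struct.unpack(">BBBH", data[off:off + 5])
        fragment = data[off + 5:off + 5 + length]
        if len(fragment) != length:
            raise ValueError("record at offset %d needs %d more bytes" % (off, length - len(fragment)))
        messages = []
        if ctype == 22:
            p = 0
            while p + 4 <= len(fragment):
                hs_type = fragment[p]
                hs_len = int.from_bytes(fragment[p + 1:p + 4], "big")
                messages.append((HANDSHAKE_TYPES.get(hs_type, "unknown"), hs_type, hs_len))
                p += 4 + hs_len
        recs.append({"offset": off, "content_type": ctype, "content_name": CONTENT_TYPES.get(ctype, "unknown"),
                     "version": (major, minor), "length": length, "messages": messages})
        off += 5 + length
    return recs


def tcp_segments(payload, mtu=1500, ip_header=20, tcp_header=20):
    """MSS = MTU minus IPv4 and TCP headers without options: 1500 - 20 - 20 = 1460."""
    mss = mtu - ip_header - tcp_header
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def needs_reassembly(chunk):
    """True when one TCP segment on its own does not hold whole records."""
    try:
        parse_records(chunk)
        return False
    except ValueError:
        return True


def record_segment_map(data, mss=1460):
    """(message name, first segment index, last segment index) for each record, 0-based."""
    out = []
    for rec in parse_records(data):
        name = rec["messages"][0][0] if rec["messages"] else rec["content_name"]
        out.append((name, rec["offset"] // mss, (rec["offset"] + 5 + rec["length"] - 1) // mss))
    return out


if __name__ == "__main__":
    flight = build_server_flight()
    segs = tcp_segments(flight)
    print(len(flight), "bytes ->", [len(s) for s in segs], "bytes per segment")
    for name, first, last in record_segment_map(flight):
        print("%-18s segments %d..%d" % (name, first + 1, last + 1))
```

In the capture the same reasoning applies with the real record lengths read from the Wireshark packet details: divide the total size of the four records by 1460 to get the number of full segments, and the remainder is the size of the last one.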
Question 6
The client initiated another two secure sessions with the web server using the SSL handshake protocol, in frame 334 and frame 609.
(a) Identify each TCP connection and illustrate the SSL handshake of each session using a time-sequence diagram.
[Hint: A time-sequence diagram shows the message flow between the client and server.]
(b) Examine the differences between the handshakes of the two sessions. Identify the messages that are present in only one of the sessions and explain their function as part of the full SSL handshake protocol.
(c) Provide screen captures of the Client Hello and Server Hello messages for each session. Examine the Session IDs and explain their significance in reducing the time taken to negotiate new security parameters for each connection.
Question 7
Following the completion of the SSL handshakes in Q6, the client begins secure data communication with the server.
(a) In frame 753, the client sent a secure HTTP request message to the server. Provide a screen capture of the SSL protocol record and identify its protocol type, version, and the length of the request message. Examine the contents of the request message and explain whether it carries the usual HTTP “GET” message as in Q3.
(b) In frame 864, the server sent the first data segment to the client. Provide a screen capture of the packet bytes in the data segment. Examine the first five bytes of the data segment and conclude whether it is indeed the first data segment of the application data sent from the server. [Hint: in Wireshark's TCP protocol preferences, enable “Reassemble out-of-order segments”.]
(c) In frame 866, the server sent the second data segment to the client. Provide a screen capture of the packet bytes in this data segment. Examine the first five bytes of the data segment and conclude whether this is indeed the second data segment of the application data sent from the server.
(d) Provide a screen capture of the TCP header fields (sequence number, acknowledgment number and window size) in frames 864 and 866. Analyze the sequence numbers and conclude whether the two frames were transmitted in order or out of order.
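The checks behind Q7(b) to (d), as an added example that is not part of the assignment: the bytes are constructed, not the ones in frames 864 and 866 (the frame numbers are only labels mirroring the question, and the record version 0x0301 is assumed). The first five bytes of a segment are a TLS record header only when they decode as a content type of 20 to 23, a version of 3.x and a plausible length; the second segment of a record split by TCP starts in the middle of the ciphertext, so its first five bytes do not decode that way. The order in which the segments belong in the stream then comes from the TCP sequence numbers, not from the capture order.

```python
import struct

APPLICATION_DATA = 23


def classify_segment(payload):
    """Decide from the first five bytes whether a segment starts a TLS record
    (content type 20-23, version 3.x, sane length) or continues the previous one."""
    if len(payload) < 5:
        return {"is_record_header": False, "reason": "fewer than 5 bytes"}
    ctype, major, minor, length = struct.unpack(">BBBH", payload[:5])
    plausible = ctype in (20, 21, 22, 23) and major == 3 and minor <= 3 and length <= 2 ** 14 + 2048
    return {"is_record_header": plausible, "content_type": ctype, "version": (major, minor),
            "length": length, "first5": payload[:5].hex()}


def build_sample_frames():
    """Constructed (not from the capture): one 2000-byte Application Data record
    split by TCP at an MSS of 1460. Returned as (frame label, relative TCP seq, payload)."""
    ciphertext = bytes((i * 37 + 11) & 0xFF for i in range(2000))   # stand-in for encrypted bytes
    stream = struct.pack(">BBBH", APPLICATION_DATA, 3, 1, len(ciphertext)) + ciphertext
    mss = 1460
    first, second = stream[:mss], stream[mss:]
    return [(864, 1, first), (866, 1 + len(first), second)]


def order_check(frames):
    """frames: (frame_no, tcp_seq, payload) in capture order. Returns whether capture order
    already matches sequence order, the frames ordered by seq, and any sequence gaps."""
    by_seq = sorted(frames, key=lambda f: f[1])
    in_order = [f[0] for f in frames] == [f[0] for f in by_seq]
    gaps, expected = [], by_seq[0][1]
    for frame_no, seq, payload in by_seq:
        if seq != expected:
            gaps.append((frame_no, expected, seq))
        expected = seq + len(payload)          # next expected seq = seq + payload length
    return in_order, [f[0] for f in by_seq], gaps


def reassemble(frames):
    """Join payloads in sequence order and check the record length field adds up."""
    data = b"".join(f[2] for f in sorted(frames, key=lambda f: f[1]))
    header = classify_segment(data)
    return header["is_record_header"] and len(data) == 5 + header["length"]


if __name__ == "__main__":
    frames = build_sample_frames()
    for frame_no, seq, payload in frames:
        print(frame_no, "seq", seq, classify_segment(payload))
    print("in order:", order_check(frames)[0], "reassembles:", reassemble(frames))
```

When answering (d) from the capture, the same test is the relative sequence numbers Wireshark shows: the second segment belongs after the first exactly when its sequence number equals the first segment's sequence number plus the first segment's TCP payload length.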