
Lab One: Wireshark Lab
Source: soar.group/CompNets/labs/lab1.pdf

TA: Wantong Jiang
Peking University
[email protected]
September 19th, 2017


Introduction

We will be using the Wireshark packet sniffer [http://www.wireshark.org/] for this lab, allowing us to display the contents of messages being sent/received from/by protocols at different levels of the protocol stack. (Technically speaking, Wireshark is a packet analyzer that uses a packet capture library in your computer.) Wireshark is a free network protocol analyzer that runs on Windows, Linux/Unix, and Mac computers. It’s an ideal packet analyzer for our labs - it is stable, has a large user base and well-documented support that includes a user guide (http://www.wireshark.org/docs/wsug_html_chunked/), man pages (http://www.wireshark.org/docs/man-pages/), and a detailed FAQ (http://www.wireshark.org/faq.html), rich functionality that includes the capability to analyze hundreds of protocols, and a well-designed user interface. It operates in computers using Ethernet, serial (PPP and SLIP), 802.11 wireless LANs, and many other link-layer technologies (if the OS on which it’s running allows Wireshark to do so).

Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in this case, Internet protocols) and applications (such as a web browser or ftp client) that normally run on your computer. The packet sniffer, shown within the dashed rectangle in Figure 1, is an addition to the usual software in your computer, and consists of two parts. The packet capture library receives a copy of every link-layer frame that is sent from or received by your computer. Messages exchanged by higher-layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP are all eventually encapsulated in link-layer frames that are transmitted over physical media such as an Ethernet cable. In Figure 1, the assumed physical medium is an Ethernet, and so all upper-layer protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames thus gives you all messages sent/received from/by all protocols and applications executing in your computer.


Figure 1: Packet sniffer structure.

In this lab, we will use Wireshark on Linux. So first, install Wireshark and get familiar with it. Here is a link which may help you: https://www.maketecheasier.com/using-wireshark-ubuntu/


1 802.11 Wireless Network Protocol

1.1 Overview

In this lab, we’ll investigate the 802.11 wireless network protocol. For convenience, we’ll provide a trace of captured 802.11 frames for you to analyze and assume in the questions below.

1.2 Requirement

• You should do this part personally and submit your own report.

• Print your report and submit it in class.

• Deadline: Tuesday, October 31

1.3 Getting Started

The trace file Wireshark_802_11.pcap is provided. This trace was collected using AirPcap and Wireshark, consisting of a Linksys 802.11g combined access point/router, with two wired PCs and one wireless host PC attached to the access point/router. Fortunately, other access points in neighboring houses are available as well. In this trace file, we’ll see frames captured on channel 6. Since the host and AP that we are interested in are not the only devices using channel 6, we’ll see a lot of frames that we’re not interested in for this lab, such as beacon frames advertised by a neighbor’s AP also operating on channel 6. The wireless host activities taken in the trace file are:

• The host is already associated with the 30 Munroe St AP when the trace begins.

• At t = 24.82, the host makes an HTTP request to http://gaia.cs.umass.edu/wireshark-labs/alice.txt. The IP address of gaia.cs.umass.edu is 128.119.245.12.

• At t = 32.82, the host makes an HTTP request to http://www.cs.umass.edu, whose IP address is 128.119.240.19.

• At t = 49.58, the host disconnects from the 30 Munroe St AP and attempts to connect to the linksys_ses_24086 AP. This is not an open access point, and so the host is eventually unable to connect to this AP.

• At t = 63.0 the host gives up trying to associate with the linksys_ses_24086 AP, and associates again with the 30 Munroe St access point.

Once you have downloaded the trace, you can load it into Wireshark and view the trace using the File pull-down menu, choosing Open, and then selecting the Wireshark_802_11.pcap trace file. The resulting display should look just like Figure 2.

1.4 Beacon Frames

Recall that beacon frames are used by an 802.11 AP to advertise its existence. To answer some of the questions below, you’ll want to look at the details of the “IEEE 802.11” frame and subfields in the middle Wireshark window. Whenever possible, when answering a question below, you should hand in a printout of the packet(s) within the trace that you used to answer the question asked. Annotate the printout¹ to explain your answer. To print a packet, use File → Print, choose selected packet only, choose packet summary line, and select the minimum amount of packet detail that you need to answer the question.

¹ What do we mean by “annotate”? Please highlight where in the printout you’ve found the answer and add some text (preferably with a colored pen) noting what you found in what you’ve highlighted.

1. What are the SSIDs of the two access points that are issuing most of the beacon frames in this trace?


Figure 2: Wireshark window, after opening the Wireshark_802_11.pcap file.

2. What are the intervals of time between the transmissions of the beacon frames from the linksys_ses_24086 access point? From the 30 Munroe St. access point? (Hint: this interval of time is contained in the beacon frame itself.)

3. What (in hexadecimal notation) is the source MAC address on the beacon frame from 30 Munroe St? Recall from Figure 6.13 in the text that the source, destination, and BSS are three addresses used in an 802.11 frame. For a detailed discussion of the 802.11 frame structure, see section 7 in the IEEE 802.11 standards document (cited in Section 1.6).

4. What (in hexadecimal notation) is the destination MAC address on the beacon frame from 30 Munroe St?

5. What (in hexadecimal notation) is the MAC BSS id on the beacon frame from 30 Munroe St?

6. The beacon frames from the 30 Munroe St access point advertise that the access point can support four data rates and eight additional “extended supported rates.” What are these rates?

1.5 Data Transfer

Since the trace starts with the host already associated with the AP, let’s first look at data transfer over an 802.11 association before looking at AP association/disassociation. Recall that in this trace, at t = 24.82, the host makes an HTTP request to http://gaia.cs.umass.edu/wireshark-labs/alice.txt. The IP address of gaia.cs.umass.edu is 128.119.245.12. Then, at t = 32.82, the host makes an HTTP request to http://www.cs.umass.edu.

1. Find the 802.11 frame containing the SYN TCP segment for this first TCP session (that downloads alice.txt). What are the three MAC address fields in the 802.11 frame? Which MAC address in this frame corresponds to the wireless host (give the hexadecimal representation of the MAC address for the host)? To the access point? To the first-hop router? What is the IP address of the wireless host sending this TCP segment? What is the destination IP address? Does this destination IP address correspond to the host, access point, first-hop router, or some other network-attached device? Explain.

2. Find the 802.11 frame containing the SYNACK segment for this TCP session. What are the three MAC address fields in the 802.11 frame? Which MAC address in this frame corresponds to the host? To the access point? To the first-hop router? Does the sender MAC address in the frame correspond to the IP address of the device that sent the TCP segment encapsulated within this datagram?

1.6 Association/Disassociation

Recall that a host must first associate with an access point before sending data. Association in 802.11 is performed using the ASSOCIATE REQUEST frame (sent from host to AP, with a frame type 0 and subtype 0) and the ASSOCIATE RESPONSE frame (sent by the AP to a host with a frame type 0 and subtype of 1, in response to a received ASSOCIATE REQUEST). For a detailed explanation of each field in the 802.11 frame, see page 34 (Section 7) of the 802.11 spec at http://gaia.cs.umass.edu/wireshark-labs/802.11-1999.pdf.

1. What two actions are taken (i.e., frames are sent) by the host in the trace just after t = 49, to end the association with the 30 Munroe St AP that was initially in place when trace collection began? (Hint: one is an IP-layer action, and one is an 802.11-layer action.) Looking at the 802.11 specification, is there another frame that you might have expected to see, but don’t see here?

2. Examine the trace file and look for AUTHENTICATION frames sent from the host to an AP and vice versa. How many AUTHENTICATION messages are sent from the wireless host to the linksys_ses_24086 AP (which has a MAC address of Cisco-Li_f5:ba:bb) starting at around t = 49?

3. Does the host want the authentication to require a key or be open?

4. Do you see a reply AUTHENTICATION from the linksys_ses_24086 AP in the trace?

5. Now let’s consider what happens as the host gives up trying to associate with the linksys_ses_24086 AP and now tries to associate with the 30 Munroe St AP. Look for AUTHENTICATION frames sent from the host to an AP and vice versa. At what times is there an AUTHENTICATION frame from the host to the 30 Munroe St. AP, and when is there a reply AUTHENTICATION sent from that AP to the host in reply? (Note that you can use the filter expression "wlan.fc.subtype == 11 and wlan.fc.type == 0 and wlan.addr == IntelCor_d1:b6:4f" to display only the AUTHENTICATION frames in this trace for this wireless host.)

6. An ASSOCIATE REQUEST from host to AP, and a corresponding ASSOCIATE RESPONSE frame from AP to host, are used for the host to associate with an AP. At what time is there an ASSOCIATE REQUEST from host to the 30 Munroe St AP? When is the corresponding ASSOCIATE REPLY sent? (Note that you can use the filter expression "wlan.fc.subtype < 2 and wlan.fc.type == 0 and wlan.addr == IntelCor_d1:b6:4f" to display only the ASSOCIATE REQUEST and ASSOCIATE RESPONSE frames for this trace.)

7. What transmission rates is the host willing to use? The AP? To answer this question, you will need to look into the parameters fields of the 802.11 wireless LAN management frame.

1.7 Other Frame Types

Our trace contains a number of PROBE REQUEST and PROBE RESPONSE frames.

1. What are the sender, receiver and BSS ID MAC addresses in these frames? What is the purpose of these two types of frames? (To answer this last question, you’ll need to dig into the online references cited earlier in this lab.)
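As an added example (not part of the lab handout, and not derived from its trace file), the following Python decodes the 802.11 header fields that the questions in Sections 1.4 to 1.7 ask you to read off Wireshark: frame type/subtype, the three address fields and how their roles change with the To DS / From DS flags in data frames, the beacon interval, SSID and (extended) supported rates, plus a Python equivalent of the display filter quoted in Section 1.6. All MAC addresses, the SSID and the frames themselves are constructed sample values, not values from Wireshark_802_11.pcap.

```python
import struct

# Constructed sample addresses (not taken from the lab's trace file).
AP, HOST, ROUTER = b"\x02\x00\x00\x00\xaa\x01", b"\x02\x00\x00\x00\xbb\x02", b"\x02\x00\x00\x00\xcc\x03"
MGMT_NAMES = {0: "ASSOCIATE REQUEST", 1: "ASSOCIATE RESPONSE", 4: "PROBE REQUEST",
              5: "PROBE RESPONSE", 8: "BEACON", 11: "AUTHENTICATION"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_beacon_body(body):
    """Beacon fixed fields: timestamp(8) interval(2) capability(2), then tagged parameters."""
    _ts, interval_tu, _cap = struct.unpack_from("<QHH", body, 0)
    out = {"beacon_interval_s": interval_tu * 1024 / 1e6, "rates_mbps": []}  # 1 TU = 1024 us
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        val = body[pos + 2:pos + 2 + length]
        if tag == 0:                 # SSID parameter set
            out["ssid"] = val.decode("ascii", "replace")
        elif tag in (1, 50):         # (Extended) Supported Rates: 500 kb/s units, bit 7 = basic rate
            out["rates_mbps"] += [(r & 0x7F) * 0.5 for r in val]
        pos += 2 + length
    return out

def parse_frame(frame):
    """Decode the 802.11 MAC header (frame control, three addresses) and, for beacons, the body."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4        # wlan.fc.type, wlan.fc.subtype
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    info = {"type": ftype, "subtype": subtype, "addr1": a1, "addr2": a2, "addr3": a3}
    if ftype == 0:                                     # management frame
        info["name"] = MGMT_NAMES.get(subtype, "OTHER MGMT")
        info.update(da=a1, sa=a2, bssid=a3)            # fixed address roles for management frames
        if subtype == 8:
            info.update(parse_beacon_body(frame[24:]))
    elif ftype == 2:                                   # data frame: roles follow To DS / From DS
        if to_ds and not from_ds:                      # host -> AP (on its way to the wired side)
            info.update(bssid=a1, sa=a2, da=a3)
        elif from_ds and not to_ds:                    # AP -> host
            info.update(da=a1, bssid=a2, sa=a3)
        else:                                          # no distribution system involved (ad hoc)
            info.update(da=a1, sa=a2, bssid=a3)
    return info

def matches_auth_filter(info, station):
    """Equivalent of 'wlan.fc.subtype == 11 and wlan.fc.type == 0 and wlan.addr == <station>'."""
    return info["type"] == 0 and info["subtype"] == 11 and \
        station in (info["addr1"], info["addr2"], info["addr3"])

# Constructed frames (no real capture used): a beacon, an upstream data frame, an auth request.
SAMPLE_BEACON = (bytes.fromhex("80000000") + b"\xff" * 6 + AP + AP + b"\x10\x00"   # 24-byte header
                 + bytes(8) + struct.pack("<HH", 100, 0x0411)                       # ts, 100 TU, cap
                 + bytes([0, 6]) + b"lab-ap"                                        # SSID tag
                 + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])                            # 1, 2, 5.5, 11 Mb/s
                 + bytes([50, 8, 0x0C, 0x12, 0x18, 0x24, 0x30, 0x48, 0x60, 0x6C]))  # 6 .. 54 Mb/s
SAMPLE_DATA_UP = bytes.fromhex("08010000") + AP + HOST + ROUTER + b"\x20\x00"       # To DS = 1
SAMPLE_AUTH = bytes.fromhex("b0000000") + AP + HOST + AP + b"\x30\x00"              # subtype 11
```

`parse_frame(SAMPLE_BEACON)` yields an interval of 0.1024 s for 100 TU, which is how Wireshark also displays it; `parse_frame(SAMPLE_DATA_UP)` shows why the receiver address of an upstream data frame is the AP while the destination address is the first-hop router.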


2 Traceroute

2.1 Overview

The Internet is a large and complex aggregation of network hardware, connected together by gateways. Tracking the route one’s packets follow (or finding the miscreant gateway that’s discarding your packets) can be difficult. Traceroute utilizes the IP protocol ‘time to live’ field and attempts to elicit an ICMP TIME EXCEEDED response from each gateway along the path to some host.

In this part, we aim to understand how traceroute works using Wireshark. Note that on Windows, another command called tracert plays the same role as traceroute with some differences in the implementation, so you are required to do this lab on your Linux machine.

2.2 Requirement

• You should do this part personally and submit your own report.

• Print your report and submit it in class.

• The annotation and other requirements of the report are the same as those in the first section.

• Deadline: Tuesday, October 31

2.3 Step One

Type the command: traceroute -I baidu.com. Use the Wireshark capture to explain what has been shown in the terminal. Basically, you need to clarify the questions below:

1. What types of packets have been involved in the process?

2. What’s the source address and destination address of each type of packet?

3. How does the client know the IP of each hop?


4. What does “*” shown in the terminal (if so) mean?

5. Search relevant information to explain what may cause “***” in some of the hops.

2.4 Step Two

Type the command: traceroute baidu.com. Use the Wireshark capture to explain what has been shown in the terminal. Basically, you need to clarify the questions below:

1. What types of packets have been involved in the process?

2. What’s the source address and destination address of each type of packet?

3. How does the client know the IP of each hop?

4. What does “*” shown in the terminal (if so) mean?

5. Search relevant information to explain what may cause “***” in some of the hops.

6. Compare step one and step two, and explain what may cause the two commands to produce different results.
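Added example, not part of the handout: the bookkeeping traceroute performs to turn ICMP replies into the per-hop lines you see in the terminal, which is what questions 1 to 6 above ask you to recover from the capture. It works offline on constructed packets in documentation address ranges; the ICMP type/code values and the UDP port convention (destination ports counting up from 33434) come from the protocol, while the helper names and the sample addresses are mine.

```python
import ipaddress
import struct

def ipv4_header(src, dst, proto, ttl=64, payload_len=0):
    """Minimal 20-byte IPv4 header; checksum left zero because this is constructed test data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def parse_ipv4(buf):
    """Return (src, dst, proto, payload) for a packet with a 20-byte header."""
    ihl = (buf[0] & 0x0F) * 4
    return str(ipaddress.ip_address(buf[12:16])), str(ipaddress.ip_address(buf[16:20])), buf[9], buf[ihl:]

def probe_key(proto, transport):
    """Identify a probe the way traceroute does: UDP destination port, or ICMP echo sequence number."""
    if proto == 17:                                  # UDP probe (default traceroute): port 33434, 33435, ...
        return ("udp", struct.unpack("!H", transport[2:4])[0])
    if proto == 1 and transport[0] in (8, 0):        # ICMP echo request/reply (traceroute -I): sequence
        return ("icmp", struct.unpack("!H", transport[6:8])[0])
    return None

def classify_reply(packet, probes):
    """Map an incoming ICMP packet to (ttl, hop_ip, status) via the probe table {key: ttl}.
    TIME EXCEEDED (type 11) -> 'hop'; echo reply (0) or port unreachable (3/3) -> 'dest'."""
    hop, _dst, proto, icmp_msg = parse_ipv4(packet)
    if proto != 1:
        return None
    itype, code = icmp_msg[0], icmp_msg[1]
    if itype == 0:                                   # destination answered the ICMP echo probe itself
        key = probe_key(1, icmp_msg)
    elif itype in (11, 3):                           # router/destination quotes our original datagram
        _s, _d, inner_proto, inner = parse_ipv4(icmp_msg[8:])
        key = probe_key(inner_proto, inner)
    else:
        return None
    if key not in probes:
        return None
    return probes[key], hop, ("hop" if itype == 11 else "dest" if (itype == 0 or code == 3) else "unreach")

def render(probes, replies):
    """Traceroute-style output: one line per TTL; a TTL whose probe got no reply prints '*'."""
    seen = {r[0]: r for r in (classify_reply(p, probes) for p in replies) if r}
    return [f"{ttl:2d}  {seen[ttl][1]}" if ttl in seen else f"{ttl:2d}  *"
            for ttl in sorted(set(probes.values()))]

# Constructed scenario using documentation address ranges (not a real capture).
CLIENT, DEST = "10.0.0.2", "198.51.100.7"
UDP_PROBES = {("udp", 33434 + i): ttl for i, ttl in enumerate(range(1, 5))}  # TTL 1..4, one port each

def udp_probe(ttl, port):          # the datagram the client sent; routers quote its first 28 bytes
    return ipv4_header(CLIENT, DEST, 17, ttl, 8) + struct.pack("!HHHH", 40000, port, 8, 0)

def icmp_error(sender, itype, code, quoted):
    return ipv4_header(sender, CLIENT, 1) + struct.pack("!BBHI", itype, code, 0, 0) + quoted

REPLIES = [icmp_error("10.0.0.1", 11, 0, udp_probe(1, 33434)),      # hop 1: TIME EXCEEDED
           icmp_error("192.0.2.1", 11, 0, udp_probe(2, 33435)),     # hop 2: TIME EXCEEDED
           icmp_error(DEST, 3, 3, udp_probe(4, 33437))]             # destination: PORT UNREACHABLE;
                                                                    # hop 3 never answers -> '*'
```

`render(UDP_PROBES, REPLIES)` prints hop 3 as `*` because no reply carried its probe's port, which is the same reason a timed-out hop shows `*` in a real run; with `traceroute -I` the final line comes from an echo reply instead of a port-unreachable message.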


3 TCP Analysis

3.1 Overview

The objective is to see the details of TCP (Transmission Control Protocol). TCP is the main transport layer protocol used in the Internet. There are various TCP congestion control algorithms designed for different scenarios or from different perspectives to improve TCP performance. In this part, you are required to learn three different TCP CC algorithms: RENO, CUBIC, and BBR. We are going to do some interesting experiments together and you are required to analyze the Wireshark traces we collect.

3.2 Requirement

• You should do this part personally and submit your own report.

• Print your report and submit it in class.

• The annotation and other requirements of the report are the same as those in the first section.

• Deadline: Tuesday, October 31

3.3 RENO

TCP Reno implements an algorithm called fast recovery. A fast retransmit is sent, half of the current CWND is saved as SSThresh and as the new CWND, thus skipping slow start and going directly to the congestion avoidance algorithm.

3.4 CUBIC

Used by default in Linux kernels 2.6.19 and above, TCP CUBIC attempts to solve the problem of efficient TCP transport when the bandwidth-delay product is large. CUBIC allows very fast window expansion; however, it also makes attempts to slow the growth of cwnd sharply as cwnd approaches the current network ceiling, and to treat other TCP connections fairly. It still uses packet loss as the only indicator to adjust its cwnd. Similar to TCP Reno, such a loss-based congestion control algorithm rests on the hypothesis that packet losses are caused by “congestion”. In a networking environment with a high loss rate, such loss-based congestion control misinterprets loss as a signal of network congestion, reduces the congestion window, and leads to low throughput. Furthermore, when bottleneck buffers are large, loss-based congestion control tends to keep them full, causing bufferbloat.

3.5 BBR

TCP BBR has been accepted as an alternative in Linux kernel 4.9 and above. Since the inherent problem of loss-based congestion control is inevitable, it changes the idea to actively probing bottleneck bandwidth and RTT constantly instead of passively responding to packet loss. More specifically, TCP BBR continuously estimates two significant physical constraints of a TCP link, namely BtlBw (bottleneck bandwidth) and RTprop (round-trip propagation time), to adjust its congestion control window. To attain both constraints accurately, it will slightly change the transmission pattern at a fixed period and meanwhile probe bandwidth and RTT constantly. Then it will calculate (estimated values of) BtlBw and RTprop from the bandwidth sequence and the RTT sequence, respectively. At the same time, BBR controls TCP transmission by both keeping the transmission speed below pacing_gain(t) · BtlBw and preventing the amount of data in flight (data sent but not yet acknowledged) from exceeding cwnd_gain(t) · BtlBw · RTprop, where pacing_gain(t) and cwnd_gain(t) are functions of the time t, depending on the details of the BBR algorithm.


3.6 Experiment and Analysis

In this part, we will first utilize class breaks to do some experiments: all of you make TCP connections simultaneously to the same server, aiming to create congestion. We will use Wireshark to collect a trace from the server, and you can collect your own trace from your laptop. Then you use the two traces to analyze the different TCP congestion control algorithms, compare them, and demonstrate your findings. We will provide you with scripts to connect to the server; these will be settled later.

The metrics you analyze could include, but are not limited to:

• Throughput

• Packet loss rate

• Round trip time

• Out-of-order Delay

• Bytes in flight

• RTO

Tips: Since the deadline is right after the lecture on the transport layer, you may prepare the relevant knowledge as early as possible.