This is the screenshot obtained when I check my IP address in the command prompt by typing ipconfig in it.

Now on opening the web browser Google chrome I could observe the transfer of packets while opening the site nitc.ac.in using the appropriate software. Then on opening Wireshark which is used to capture the packets . First we need to uncheck the option to capture packets in the promiscuous mode and enable the option network name resolution. We then start the capturing process. We filter out the TCP from all the different protocols being captured by opening the nitc site. This is the screenshot of the TCP captured protocols.

We now analyse the TCP packets and more specifically the first three get packets from nitc.ac.in.

THE THREE WAY HANDSHAKE TCP utilizes a number of flags, or 1-bit boolean fields, in its header to control the state of a connection. The three we're most interested in here are:

SYN - (Synchronize) Initiates a connection FIN - (Final) Cleanly terminates a connection ACK - Acknowledges received data

As we'll see, a packet can have multiple flags set. Select packet #1 in Wireshark and expand the TCP layer analysis in the middle pane, and further expand the "Flags" field within the TCP header. Here we can see all of the TCP flags broken down. Note that the SYN flag is on (set to 1).

Now do the same for packet #2. Notice that it has two flags set: ACK to acknowledge the receipt of the client's SYN packet, and SYN to indicate that the server also wishes to establish a TCP connection.

Packet #3, from the client, has only the ACK flag set. These three packets complete the initial TCP three-way handshake. Sequence and Acknowledgment Numbers The client on either side of a TCP session maintains a 32-bit sequence number it uses to keep track of how much data it has sent. This sequence number is included on each transmitted packet, and acknowledged by the opposite host as an acknowledgment number to inform the sending host that the transmitted data was received successfully. When a host initiates a TCP session, its initial sequence number is effectively random; it may be any value between 0 and 4,294,967,295, inclusive. However, protocol analyzers like Wireshark will typically display relative sequence and acknowledgment number in place of the field's actual value. These values are relative to the initial sequence number of that stream. This is handy, as it is much

easier to keep track of relatively small, predictable numbers rather than the actual numbers sent on the wire. For example, the initial relative sequence number shown in packet #1 is 0 (naturally), while the ASCII decode in the third pane shows that the actual sequence number is 0xf61c6cbe, or 4129057982 decimal.

The display of relative sequence numbers can optionally be disabled by navigating to Edit > Preferences... and un-checking Relative sequence numbers and window scaling under TCP protocol preferences. However, be aware that the remainder of this article will reference relative sequence and acknowledgment numbers only. To better understand how sequence and acknowledgment numbers are used throughout the duration of a TCP session, we can utilize Wireshark's built-in flow graphing ability. Navigate to Statistics > Flow Graph..., select TCP flow and click OK. Wireshark automatically builds a graphical summary of the TCP flow.

Each row represents a single TCP packet. The left column indicates the direction of the packet, TCP ports, segment length, and the flag(s) set. The column at right lists the relative sequence and acknowledgment numbers in decimal. Selecting a row in this column also highlights the corresponding packet in the main window. We can use this flow graph to better understand how sequence and acknowledgment numbers work.

NOW,
108 8.815265 Parvathy-PC nitc.ac.in TCP 66 Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 108 8.815265 Parvathy-PC nitc.ac.in TCP 66 Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 108 8.815265 Parvathy-PC nitc.ac.in TCP 66 Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 50048 > http [SYN] 50049 > http [SYN] 50050 > http [SYN]

These three packets are responsible for the three way handshaking in this example. The first GET is done via HTTP protocol which ensures that the remaining packets that needs to be sent for opening a complete webpage are made available.

There are a couple of packets unavailable when we filter out only the TCP connections. These are the UDP and DNS connections mainly. 129 9.004532 192.168.61.231 255.255.255.255 UDP 170 port: 53681 Destination port: 10019 131 9.086392 fe80::d8e1:117d:299b:9615 ff02::c SSDP 208 SEARCH * HTTP/1.1 Source M-

After connection has been established we analyse the first three GET requests. 1) 122 8.821664 HTTP/1.1 Parvathy-PC nitc.ac.in HTTP 444 GET /

Hypertext Transfer Protocol Request Method: GET Request URI: / Request Version: HTTP/1.1 Host: nitc.ac.in\r\n Connection: keep-alive\r\n Cache-Control: max-age=0\r\n User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Accept-Encoding: gzip,deflate,sdch\r\n Accept-Language: en-US,en;q=0.8\r\n Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n Transmission Control Protocol, Src Port: 50049 (50049), Dst Port: http (80), Seq: 1, Ack: 1, Len: 390

Source port: 50049 (50049) Destination port: http (80) Stream index: 23 Sequence number: 1 (relative sequence number) Next sequence number: 391 (relative sequence number) Acknowledgement number: 1 (relative ack number) Header length: 20 bytes Flags: 0x18 (PSH, ACK) Window size value: 16425 Calculated window size: 65700 Window size scaling factor: 4 Checksum: 0xc252 [validation disabled]

Internet Protocol Version 4, Src: Parvathy-PC (192.168.61.34), Dst: nitc.ac.in (124.124.70.4) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) Total Length: 536 Identification: 0x5e50 (24144) Flags: 0x02 (Don't Fragment) Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0xda44 (maybe caused by "IP checksum offload"?)]

Ethernet II, Src: QuantaCo_ab:77:3b (00:1e:68:ab:77:3b), Dst: 192.168.61.1 (00:09:0f:b7:40:a2)

Destination: 192.168.61.1 (00:09:0f:b7:40:a2) Source: QuantaCo_ab:77:3b (00:1e:68:ab:77:3b) Type: IP (0x0800) 2) 261 18.965180 Parvathy-PC nitc.ac.in /app/webroot/css/nitc.css HTTP/1.1 HTTP 547 GET

Hypertext Transfer Protocol GET /app/webroot/css/nitc.css HTTP/1.1\r\n Expert Info (Chat/Sequence): GET /app/webroot/css/nitc.css HTTP/1.1\r\n Message: GET /app/webroot/css/nitc.css HTTP/1.1\r\n Severity level: Chat Group: Sequence Request Method: GET Request URI: /app/webroot/css/nitc.css Request Version: HTTP/1.1 Host: nitc.ac.in\r\n Connection: keep-alive\r\n Cache-Control: max-age=0\r\n If-Modified-Since: Fri, 06 Jan 2012 10:56:55 GMT\r\n User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11\r\n Accept: text/css,*/*;q=0.1\r\n

If-None-Match: "1e6036e-2f57-4b5d9e8328bc0"\r\n Referer: http://nitc.ac.in/\r\n Accept-Encoding: gzip,deflate,sdch\r\n Accept-Language: en-US,en;q=0.8\r\n Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n Transmission Control Protocol, Src Port: 50048 (50048), Dst Port: http (80), Seq: 1, Ack: 1, Len: 493 Source port: 50048 (50048) Destination port: http (80) Stream index: 22 Sequence number: 1 (relative sequence number) Next sequence number: 494 (relative sequence number) Acknowledgement number: 1 (relative ack number) Header length: 20 bytes Flags: 0x18 (PSH, ACK) Window size value: 16425 Calculated window size: 65700 Window size scaling factor: 4 Checksum: 0xc252 [validation disabled]

Internet Protocol Version 4, Src: Parvathy-PC (192.168.61.34), Dst: nitc.ac.in (124.124.70.4) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) Total Length: 536 Identification: 0x5e50 (24144) Flags: 0x02 (Don't Fragment) Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0xda44 (maybe caused by "IP checksum offload"?)] Ethernet II, Src: QuantaCo_ab:77:3b (00:1e:68:ab:77:3b), Dst: 192.168.61.1 (00:09:0f:b7:40:a2)

Destination: 192.168.61.1 (00:09:0f:b7:40:a2) Source: QuantaCo_ab:77:3b (00:1e:68:ab:77:3b) Type: IP (0x0800)

3) 262 18.965770 Parvathy-PC nitc.ac.in /app/webroot/css/calendar.css HTTP/1.1

HTTP 550

GET

Hypertext Transfer Protocol GET /app/webroot/css/calendar.css HTTP/1.1\r\n Expert Info (Chat/Sequence): GET /app/webroot/css/calendar.css HTTP/1.1\r\n Message: GET /app/webroot/css/calendar.css HTTP/1.1\r\n Severity level: Chat Group: Sequence Request Method: GET Request URI: /app/webroot/css/calendar.css Request Version: HTTP/1.1 Host: nitc.ac.in\r\n Connection: keep-alive\r\n Cache-Control: max-age=0\r\n If-Modified-Since: Sat, 20 Feb 2010 05:48:16 GMT\r\n User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11\r\n Accept: text/css,*/*;q=0.1\r\n If-None-Match: "1e60363-96d-48001bf152800"\r\n Referer: http://nitc.ac.in/\r\n Accept-Encoding: gzip,deflate,sdch\r\n Accept-Language: en-US,en;q=0.8\r\n Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n Transmission Control Protocol, Src Port: 50050 (50050), Dst Port: http (80), Seq: 1, Ack: 1, Len: 496 Source port: 50050 (50050) Destination port: http (80) Stream index: 24 Sequence number: 1 (relative sequence number) Next sequence number: 497 (relative sequence number) Acknowledgement number: 1 (relative ack number) Header length: 20 bytes Flags: 0x18 (PSH, ACK) Window size value: 16425 Calculated window size: 65700 Window size scaling factor: 4 Checksum: 0xc255 [validation disabled] Good Checksum: False Bad Checksum: False Internet Protocol Version 4, Src: Parvathy-PC (192.168.61.34), Dst: nitc.ac.in (124.124.70.4) Version: 4 Header length: 20 bytes

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) Total Length: 536 Identification: 0x5e50 (24144) Flags: 0x02 (Don't Fragment) Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0xda44 (maybe caused by "IP checksum offload"?)] Source: Parvathy-PC (192.168.61.34) Destination: nitc.ac.in (124.124.70.4) Ethernet II, Src: QuantaCo_ab:77:3b (00:1e:68:ab:77:3b), Dst: 192.168.61.1 (00:09:0f:b7:40:a2) Destination: 192.168.61.1 (00:09:0f:b7:40:a2) Source: QuantaCo_ab:77:3b (00:1e:68:ab:77:3b) Type: IP (0x0800)

FLOWGRAPH

 I/O GRAPH: ( Number of packets vs time)