Basics of TCP & UDP Protocols / Demonstration: TCP Session
Subtitles of the Movie
Now it's time to put together some of the things that we've looked at in talking about TCP. We've talked about flags and sequence numbers and window sizes. Now let's actually see what they look like in a simple packet capture. We're going to use a tool called Wireshark to capture a simple TCP communications session. Now, this session is going to be just an ordinary connection to a website; nothing extraordinary. But what I want you to look for, and when I say simple, you'll understand what I mean when we look at it: it's not as simple as you might think. But I do want you to look for flags, window sizes and sequence numbers, and while we haven't covered some of the things having to do with Wireshark, we'll cover those in a later session. Right now I just want to demonstrate the characteristics of a TCP session to you. So with that, let's go ahead and take a look at our packet capture. OK, we're in our Windows XP Professional box and we're going to start Wireshark. Now, don't worry about Wireshark, because I know we haven't talked about it just yet, but we're going to as we go throughout the course. So for right now, what you need to know is we're actually going to capture and listen in on the traffic between this Windows XP box and a website. So we're going to click Capture, and we're going to click Interfaces, and we're going to start capturing traffic on one of the Windows network cards. So we're going to click Start, and then we're going to minimize this, and we're just going to open up a simple website. Now, I have the default website set to www.vtc.com, and all we're going to do is simply go to the website. Now let's go and stop the capture process and take a look at what we got. Now, I'm not going to go in depth on the traffic capture at this time. I just want to show you a few things. This is all the traffic that was captured during this particular session, and basically we captured, just in that simple connection to a website, 182 packets.
So let's go up here and just look at a few things. First of all, let's go ahead and look at a TCP session establishment. Let's click on this particular packet to look at it. Now, if you look down here and we open up Transmission Control Protocol, part of this particular capture, we're going to see different information about it. Now, what this does is actually record details about the packet capture that we got. It gives a source port, which is port 80. This is from the web; sequence number is one, acknowledgement number is 436. So this is kind of in the middle of a sequence. And we have window size right here, which was sent back from the receiving computer, the size of 64,240 bytes, and we have an acknowledgement number, we have the sequence number. So that's basically all there is to it. This is a SYN-ACK, basically. Let's look at another packet. If we look up here, this is the initial SYN packet that was sent, the beginning of the Three-Way Handshake, and we had the destination port as 80. Here was our source port from the box in question, from our XP box, going to port 80; relative sequence number started out as zero. Now, I should point out that relative sequence number and actual sequence number are two different things. The relative sequence number is what's reported as part of the TCP conversation itself. So you don't get to see the big 32-byte number right there. But it says which flags were set: the SYN, and the initial window size. And if we move along, we see the SYN-ACK, with just a reply back in the Three-Way Handshake, and it replied back with the sender's sequence number and its own acknowledgement number. And you can see that the SYN and ACK flags were set and the window size was sent back from the receiver saying 64K bytes is OK. And then here was the final ACK: source port from the sender, a destination port of port 80, sequence number is one, acknowledgement number one, and the ACK. So that was basically our Three-Way Handshake.
We were also able to show you the different things we've talked about: the source port, the destination port, the sequence numbers, acknowledgement numbers, the flags that were sent and the window size. These are all the characteristics of a TCP session that we've talked about throughout this section of the course. So now you have a little bit better idea of what goes on during a TCP session. Now, we're not going to cover some of the rest of the stuff until a little bit later, but we will cover Wireshark, and we will go through, throughout the rest of this course, basically how to read traffic coming in and how to follow it and understand what it's doing along each packet on the way.
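The demonstration above reads the handshake fields off Wireshark's display. The added example below (not part of the original lesson) does the same decoding by hand: it builds a constructed three-way handshake as raw 20-byte TCP headers, parses ports, flags, window size and raw sequence numbers with `struct`, and then derives the Wireshark-style relative sequence and acknowledgement numbers by subtracting each direction's initial sequence number, which is why the SYN shows seq 0, the SYN-ACK seq 0 / ack 1, and the final ACK seq 1 / ack 1. Port 1040 and the two ISN values are constructed, not from the capture.

```python
import struct
# TCP flag bits (low 9 bits of the 16-bit data-offset/flags field)
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20}

def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into the fields Wireshark displays."""
    if len(segment) < 20:
        raise ValueError("TCP header truncated")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    bits = off_flags & 0x01FF
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": [name for name, b in FLAGS.items() if bits & b],
            "window": window, "header_len": (off_flags >> 12) * 4}

def build_tcp(sport, dport, seq, ack, flags, window) -> bytes:
    """Build a 20-byte TCP header for constructed test data (checksum left 0)."""
    bits = sum(FLAGS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | bits, window, 0, 0)

def relative_view(segments):
    """Annotate parsed segments with Wireshark-style relative seq/ack numbers:
    offsets (mod 2**32) from each direction's initial sequence number (ISN)."""
    isn, out = {}, []
    for raw in segments:
        p = parse_tcp(raw)
        fwd = (p["src_port"], p["dst_port"])
        rev = (p["dst_port"], p["src_port"])
        isn.setdefault(fwd, p["seq"])          # first segment seen sets the ISN
        p["rel_seq"] = (p["seq"] - isn[fwd]) % 2**32
        # the ACK field is only meaningful when the ACK flag is set
        p["rel_ack"] = ((p["ack"] - isn[rev]) % 2**32
                        if "ACK" in p["flags"] and rev in isn else None)
        out.append(p)
    return out

# Constructed handshake: client port 1040 -> web server port 80, arbitrary ISNs
CLIENT_ISN, SERVER_ISN = 0x9A3F1C20, 0x2B77E5D1
HANDSHAKE = [
    build_tcp(1040, 80, CLIENT_ISN, 0, ["SYN"], 64240),
    build_tcp(80, 1040, SERVER_ISN, CLIENT_ISN + 1, ["SYN", "ACK"], 64240),
    build_tcp(1040, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ["ACK"], 64240),
]

if __name__ == "__main__":
    for p in relative_view(HANDSHAKE):
        print(p["src_port"], "->", p["dst_port"], "+".join(p["flags"]),
              "seq", p["rel_seq"], "ack", p["rel_ack"], "win", p["window"])
```

The raw 32-bit values are what actually travel on the wire; the relative numbers are purely a display convenience, and the `% 2**32` keeps them correct when a long session wraps the sequence space.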
Tutorial Information
| Course: | TCP/IP Packet Analysis |
| Author: | Bobby Rogers |
| SKU: | 33909 |
| ISBN: | 1-934743-95-X |
| Release Date: | 2008-09-11 |
| Duration: | 5 hrs / 60 lessons |
| Work Files: | Yes |
| Captions: | Available on CD and Online University |
| Compatibility: | Vista/XP/2000, OS X, Linux; QuickTime 7, Flash 8 |