B-11 (Bae) Basic TCP/IP Analysis - Sharkfest - Wireshark


Uploaded 26 Oct 2013




SHARKFEST ‘10 | Stanford University | June 14-17, 2010

Basic TCP/IP Analysis

June 17, 2010

Hansang Bae

Senior Vice President | Citi (f.k.a. Citigroup)

Email: hansang@gmail.com

Please refer to the ANSWERSHEET.DOCX file for additional information about this presentation.

These sessions will be available on YouTube: http://www.youtube.com/user/hansangb







The Basic Building Blocks

A lot of people will tell you they know TCP/IP, but most don’t. This includes me!

Advice for someone starting out in this field (packet analysis):

1. Learn the protocols! There is no way around it. I can recommend some books if you’re interested.

2. Don’t just learn the technical specifications. Try to understand the real world impact.

3. Everywhere you go, fire up Wireshark and try to observe. Osmosis will kick in sooner or later.

4. Packet analysis is based on pattern recognition.




Internet Protocol (IP)!

How can the IP header information help you?

1. Look at the IP Identification field. This is not foolproof, but it can help pinpoint problems.

2. Look at the TTL field. It too can help your troubleshooting. What is TTL, anyway?

3. The “Don’t Fragment” bit can play a crucial role, so you need to learn about this as well.

4. Practice, practice, practice.
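To make the three header fields on this slide concrete, here is an added example (not from the slides or the presenter) that decodes the fixed IPv4 header from raw bytes and applies two checks an analyst would run by hand in Wireshark: estimating hop count from the TTL by assuming the nearest common initial TTL (64, 128 or 255, an assumption about the sender's OS), and flagging an IP Identification value that appears twice for the same source/destination, which usually means the capture point saw the same packet twice rather than a real retransmission. All packet bytes are constructed here; no capture file is involved.

```python
"""Decode the IPv4 Identification, TTL and Don't Fragment fields from raw
header bytes and apply two basic troubleshooting checks.
Every packet below is constructed for this example."""
import socket
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"        # fixed 20-byte header, network byte order
DF_FLAG = 0x2                          # bit 1 of the 3-bit flags field
MF_FLAG = 0x1                          # bit 0: More Fragments
COMMON_INITIAL_TTLS = (64, 128, 255)   # assumed OS defaults (Linux/BSD, Windows, network gear)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(ident, ttl, src, dst, payload_len, df=True, proto=6):
    """Constructed 20-byte header with the checksum filled in (example data only)."""
    flags_frag = (DF_FLAG << 13) if df else 0
    hdr = struct.pack(IPV4_HEADER, 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fixed part of an IPv4 header into named fields."""
    (vihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HEADER, data[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {
        "ident": ident,
        "df": bool((flags_frag >> 13) & DF_FLAG),
        "mf": bool((flags_frag >> 13) & MF_FLAG),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "total_len": total_len,
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
    }


def estimate_hops(ttl: int) -> int:
    """Guess hops traversed: nearest common initial TTL at or above the observed value."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial - ttl


def find_duplicate_ids(packets):
    """IP IDs seen more than once for the same src/dst. A TCP retransmission
    normally carries a fresh IP ID, so a repeated ID usually means the
    capture point (SPAN port, tap) delivered the same packet twice."""
    seen, dups = {}, []
    for p in packets:
        key = (p["src"], p["dst"], p["ident"])
        seen[key] = seen.get(key, 0) + 1
        if seen[key] == 2:
            dups.append(p["ident"])
    return dups


# Constructed trace: three packets from 10.0.0.5 to 192.0.2.10 (one captured twice)
# and one reply; addresses are documentation/private ranges, not real hosts.
SAMPLE = [
    build_ipv4_header(0x1A2B, 61, "10.0.0.5", "192.0.2.10", 100),
    build_ipv4_header(0x1A2C, 61, "10.0.0.5", "192.0.2.10", 100),
    build_ipv4_header(0x1A2C, 61, "10.0.0.5", "192.0.2.10", 100),   # same ID: duplicate capture
    build_ipv4_header(0x0007, 125, "192.0.2.10", "10.0.0.5", 40),
]

if __name__ == "__main__":
    parsed = [parse_ipv4_header(p) for p in SAMPLE]
    for f in parsed:
        print("%s -> %s id=0x%04x ttl=%d df=%s hops~%d" % (
            f["src"], f["dst"], f["ident"], f["ttl"], f["df"], estimate_hops(f["ttl"])))
    print("duplicate IP IDs:", ["0x%04x" % i for i in find_duplicate_ids(parsed)])
```

The hop estimate is only a heuristic: a host with an unusual initial TTL, or a path longer than the gap between two common defaults, will fool it, which is the slide's "not foolproof" caveat in code.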






Sequence/Acknowledgement

It’s a simple concept. Don’t overthink it!

1. Use relative sequence numbers. “Edit, Preferences, Protocols, TCP, Relative Sequence Numbers….”

2. If you are new to this, analyze the sequence numbers in one direction at a time. But keep in mind that TCP is a duplex protocol.

3. The sequence number represents how many bytes have been sent. SEQ + DATA = Next Seq#. It also represents the ACK for the other side. “This is where I’m at, and I’m going to send you this much more.”

4. ACKs are cumulative. (I’m good up to this point.)






Retransmissions

There are two types of retransmissions: “regular” retransmissions and “fast retransmissions”.

1. If the sender does not get any feedback from the receiver (what feedback?), the sender will retransmit the packet.

2. The problem with retransmissions is that a timer has to go off before retransmitting. This can be 100ms to 200ms.

3. Fast Retransmissions address this delay. The receiver notifies the sender: “I’m missing a packet, I’m missing a packet, I’m missing a packet.” After the third notification, the sender immediately retransmits.
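The two preceding slides (sequence/acknowledgement and retransmissions) describe one mechanism from two sides, so here is one added example (not the presenter's code) that simulates a single direction of a TCP stream with relative sequence numbers, the way Wireshark displays them: each segment's next sequence number is SEQ + DATA, the receiver answers with a cumulative ACK, a lost segment produces repeated duplicate ACKs, and the third duplicate triggers a fast retransmission; a loss that never earns three duplicates (for example the last segment) is only recovered when the retransmission timer fires. The 200 ms timer value and the segment sizes are assumptions for the simulation.

```python
"""One-direction TCP model: sequence numbers, cumulative ACKs, duplicate
ACKs, fast retransmit on the third duplicate, and timer-based retransmit
for losses that never earn three duplicates. All traffic is constructed."""
from dataclasses import dataclass

DUP_ACK_THRESHOLD = 3   # third duplicate ACK triggers fast retransmit
RTO_MS = 200            # assumed regular retransmission timer (slide: 100 to 200 ms)


@dataclass
class Segment:
    seq: int        # relative sequence number of the first payload byte
    length: int     # payload bytes (DATA)

    def next_seq(self) -> int:
        return self.seq + self.length       # SEQ + DATA = Next Seq#


class Sender:
    def __init__(self, isn=1):              # relative seq 1: the SYN used number 0
        self.next_seq = isn
        self.unacked = {}                   # seq -> Segment still in flight
        self.last_ack = isn
        self.dup_acks = 0

    def send(self, length):
        seg = Segment(self.next_seq, length)
        self.unacked[seg.seq] = seg
        self.next_seq = seg.next_seq()
        return seg

    def on_ack(self, ack):
        """Apply a cumulative ACK; return the segment to fast-retransmit, if any."""
        if ack > self.last_ack:
            self.last_ack, self.dup_acks = ack, 0
            for seq in [s for s, seg in self.unacked.items() if seg.next_seq() <= ack]:
                del self.unacked[seq]       # everything below the ACK is done
            return None
        self.dup_acks += 1                  # same ACK again: "I'm missing a packet"
        if self.dup_acks == DUP_ACK_THRESHOLD:
            return self.unacked.get(ack)    # the hole starts exactly at the ACK number
        return None


class Receiver:
    def __init__(self, isn=1):
        self.expected = isn                 # next byte we want
        self.out_of_order = {}              # seq -> length, held until the gap fills

    def receive(self, seg):
        """Return the cumulative ACK: 'I'm good up to this point'."""
        if seg.seq == self.expected:
            self.expected = seg.next_seq()
            while self.expected in self.out_of_order:       # gap filled: drain buffer
                self.expected += self.out_of_order.pop(self.expected)
        elif seg.seq > self.expected:
            self.out_of_order[seg.seq] = seg.length         # arrived early: buffer it
        # seg.seq < expected: already have it, just ACK again
        return self.expected


def simulate(sizes, lost_index=None):
    """Send segments of the given payload sizes; drop the one at lost_index
    the first time it is sent. Returns the event log of the exchange."""
    sender, receiver, log = Sender(), Receiver(), []
    for i, length in enumerate(sizes):
        seg = sender.send(length)
        log.append(("send", seg.seq, seg.next_seq()))
        if i == lost_index:
            log.append(("lost", seg.seq))
            continue
        ack = receiver.receive(seg)
        log.append(("ack", ack))
        again = sender.on_ack(ack)
        if again is not None:
            log.append(("fast_retransmit", again.seq))
            ack = receiver.receive(again)
            log.append(("ack", ack))
            sender.on_ack(ack)
    # Whatever is still unacked after the last segment only recovers when the timer fires.
    for seg in list(sender.unacked.values()):
        log.append(("rto_retransmit", seg.seq, RTO_MS))
        ack = receiver.receive(seg)
        log.append(("ack", ack))
        sender.on_ack(ack)
    return log


if __name__ == "__main__":
    for event in simulate([100] * 6, lost_index=1):
        print(event)
```

Reading the log in the same order Wireshark would list the packets, the four identical ACK 101 values are what the "TCP Dup ACK" expert info flags, and the retransmitted segment with seq 101 appearing before the timer could expire is the fast retransmission.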







New TCP Features to the Rescue!

If you have packet loss, Selective Acknowledgement (SACK) may help to improve throughput.

Main Concept:

1. How do you interpret the SACK field? (Use real seq/ack#s.)

2. How does SACK help vis-à-vis normal ACK?

3. Is there a downside to using SACK?