Course: NET-101, Week 6
Time: ~45 minutes (paired with lab-6-2 for one 90-minute session)
Tools: Academy pcap-tools workbench at /pcap-tools/
Captures: fundamentals-tcp-3way.pcap, fundamentals-http-get.pcap
Part 1: Trace the three-way handshake in isolation (~30 minutes)
Load fundamentals-tcp-3way.pcap in pcap-tools. This capture contains exactly 3 packets: the TCP three-way handshake for a connection to port 22 (SSH), with no application data.
Apply tcp.flags.syn == 1 to confirm the first two packets have SYN set.
Packet 1 -- SYN (client initiates):
Click the first packet. Expand "Transmission Control Protocol" in the packet detail pane.
| Field | Value |
|---|---|
| Source port | |
| Destination port | |
| Sequence number (raw) | |
| Acknowledgment number | |
| Flags (write all set bits) | |
| Window size | |
| TCP options present | |
- The acknowledgment number is 0 in a SYN packet. Why? (Hint: look at the flags.)
- What is the MSS option value? Where in the options do you find it?
- Is this the client or the server sending this packet? How do you know?
Packet 2 -- SYN-ACK (server responds):
| Field | Value |
|---|---|
| Source port | |
| Destination port | |
| Sequence number (raw) | |
| Acknowledgment number | |
| Flags (write all set bits) | |
| Window size | |
- What is the server's sequence number (ISN)?
- What is the acknowledgment number? Verify: it should be the client's ISN + 1.
- Both SYN and ACK flags are set. What does each flag mean in this packet?
Packet 3 -- ACK (client completes handshake):
| Field | Value |
|---|---|
| Source port | |
| Destination port | |
| Sequence number (raw) | |
| Acknowledgment number | |
| Flags (write all set bits) | |
| Window size | |
- What is the acknowledgment number? Verify: it should be the server's ISN + 1.
- Is there any data payload in this packet? (Check the length and the packet bytes.)
- After this packet, the connection is ESTABLISHED. Both sides now have what information?
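As an added cross-check (not part of the lab materials or of pcap-tools), the Python below builds a constructed three-packet handshake to port 22 as raw TCP headers, then decodes each header and verifies the same points the tables and questions ask for: SYN with a zero acknowledgment number, SYN-ACK acknowledging the client ISN + 1, final ACK acknowledging the server ISN + 1 with no payload, mirrored ports, and the MSS option. The client port, window sizes and both ISNs are made up for the example.

```python
import struct
SYN, ACK = 0x02, 0x10  # TCP flag bits used below

def tcp_header(sport, dport, seq, ack, flags, win, options=b""):
    options += b"\x00" * (-len(options) % 4)   # options padded to a 32-bit boundary
    doff = (20 + len(options)) // 4            # data offset in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags, win, 0, 0) + options

# Constructed sample handshake to port 22 (TCP headers only); client port and ISNs are made up.
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x99887766
MSS_OPT = b"\x02\x04" + struct.pack("!H", 1460)   # kind=2, len=4, MSS=1460
HANDSHAKE = [
    tcp_header(51234, 22, CLIENT_ISN, 0, SYN, 64240, MSS_OPT),
    tcp_header(22, 51234, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK, 65160, MSS_OPT),
    tcp_header(51234, 22, CLIENT_ISN + 1, SERVER_ISN + 1, ACK, 64240),
]

def parse_tcp(raw):
    """Decode the fixed 20-byte header and split off options and payload."""
    sport, dport, seq, ack, doff_res, flags, win, _, _ = struct.unpack("!HHIIBBHHH", raw[:20])
    hdr_len = (doff_res >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "win": win, "options": raw[20:hdr_len], "payload": raw[hdr_len:]}

def mss_option(options):
    """Walk the option TLVs; return the MSS value, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                  # End of Option List
            break
        if kind == 1:                  # NOP is a single byte
            i += 1
            continue
        length = options[i + 1]
        if kind == 2 and length == 4:  # Maximum Segment Size
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None

def check_handshake(pkts):
    """The worksheet's verification questions, each as a boolean check."""
    p1, p2, p3 = (parse_tcp(p) for p in pkts)
    return {
        "syn_has_zero_ack": p1["flags"] == SYN and p1["ack"] == 0,
        "synack_acks_client_isn": p2["flags"] == SYN | ACK and p2["ack"] == p1["seq"] + 1,
        "ack_acks_server_isn": p3["flags"] == ACK and p3["ack"] == p2["seq"] + 1,
        "ack_carries_no_data": len(p3["payload"]) == 0,
        "server_mirrors_client_ports": (p2["sport"], p2["dport"]) == (p1["dport"], p1["sport"]),
    }
```

Swap in the raw TCP header bytes copied from the packet bytes pane of the real capture and the same checks apply.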
Part 2: Find the handshake inside a larger capture (~15 minutes)
Load fundamentals-http-get.pcap. This has 10 packets: handshake + HTTP exchange + teardown.
Apply tcp.flags.syn == 1 to isolate the first two packets.
- Verify that the SYN packet here has a different sequence number than the one in fundamentals-tcp-3way.pcap. (Initial sequence numbers are chosen randomly.)
- Apply tcp.flags.fin == 1. How many FIN packets are in the capture?
- Apply tcp.flags.reset == 1. How many RST packets are in the capture?
Artifact
Create lab-6-1.md in your net-101/ Git repo with:
- The three handshake tables (all field values)
- Answers to all questions
Commit with a meaningful commit message.