Lab 6-2: TCP Connection Teardown

Course: NET-101, Week 6
Time: ~45 minutes (paired with lab-6-1 for one 90-minute session)
Tools: Academy pcap-tools workbench at /pcap-tools/
Captures: fundamentals-http-get.pcap

Part 1: Trace the graceful teardown (~30 minutes)

Load fundamentals-http-get.pcap. This capture contains a complete HTTP session: three-way handshake, HTTP GET + 200 OK, then a graceful FIN/ACK teardown.

Exercise 1.1 -- Identify the teardown packets:

Apply the display filter tcp.flags.fin == 1. Note which packet numbers have the FIN flag set.

  1. How many FIN packets are in the capture?
  2. Which side (client or server) sends the first FIN? How can you tell? (Check source/destination ports.)
  3. After the first FIN, who sends the ACK? And then who sends the second FIN?

Exercise 1.2 -- Trace the teardown sequence:

For each teardown packet, record:

                       Packet #   Flags   SEQ   ACK   Direction
  First FIN            ________   _____   ___   ___   _________
  ACK of first FIN     ________   _____   ___   ___   _________
  Second FIN           ________   _____   ___   ___   _________
  ACK of second FIN    ________   _____   ___   ___   _________

  1. In a graceful teardown, each side sends a FIN and receives an ACK. Why do both sides need to independently close their direction of the stream?
  2. The FIN consumes one sequence number. Verify: the ACK following the first FIN should have ACK = first FIN's SEQ + 1.

Part 2: Understand RST behavior (~20 minutes)

RST packets immediately abort a connection. You will not see one in the fundamentals capture (it is a clean session), but you need to understand what they look like.

Apply the display filter tcp.flags.reset == 1 to fundamentals-http-get.pcap.

  1. Are there any RST packets? (Expected: no.)

Exercise 2.1 -- RST reasoning:

  1. If a client sends a SYN to a port where no service is listening, what does the server send back?
  2. If you see a capture with a SYN immediately followed by a RST (with no SYN-ACK in between), what does that tell you?
  3. If you see RST packets appearing in the middle of an established TCP session, what are two possible causes?
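The checks in Exercise 1.2 (each FIN consumes one sequence number, so the ACK that answers it carries FIN SEQ + 1) and the RST reasoning in Exercise 2.1 can be done by hand in pcap-tools, but seeing them as code makes the rules concrete. The following is an added example written for this lab; it is not part of the course materials or of pcap-tools. It parses classic pcap files (magic 0xa1b2c3d4, not pcapng) with nothing beyond the Python standard library, reproduces the tcp.flags.fin == 1 and tcp.flags.reset == 1 filters, builds the Exercise 1.2 table with the SEQ + 1 check, and classifies an RST by where it sits in the stream. The captures it runs on are constructed in memory as stand-ins for fundamentals-http-get.pcap; the addresses 192.0.2.10 and 198.51.100.20, the client port 51514 and the sequence numbers are assumptions, not values from the real capture.

```python
import socket
import struct

# TCP flag bits (low byte of the data-offset/flags field)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101

# Constructed sample addresses/ports (TEST-NET ranges); not from the real capture.
CLIENT, SERVER, CPORT, SPORT = "192.0.2.10", "198.51.100.20", 51514, 80
GET = b"GET / HTTP/1.1\r\nHost: lab.example\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nok"


def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Build a minimal IPv4+TCP packet. Checksums stay zero: this is sample data
    for parsing practice, not a packet meant to be transmitted."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    return ip + tcp + payload


def build_pcap(packets, linktype=LINKTYPE_RAW):
    """Serialise packets into a little-endian classic pcap image (24-byte global header,
    16-byte record headers)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1700000000, i * 1000, len(pkt), len(pkt)) + pkt
    return out


def parse_pcap(data):
    """Return the TCP packets of a classic pcap as dicts; numbering is 1-based like Wireshark."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    l2_len = 14 if linktype == LINKTYPE_ETHERNET else 0   # skip the Ethernet header if present
    pkts, pos, num = [], 24, 0
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        num += 1
        ip = frame[l2_len:]
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
            continue                                        # not IPv4 carrying TCP
        ihl = (ip[0] & 0x0F) * 4
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
        pkts.append({"num": num, "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
                     "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF})
    return pkts


def with_flag(pkts, flag):
    """Packet numbers with the flag set: the display filters tcp.flags.fin == 1 / tcp.flags.reset == 1."""
    return [p["num"] for p in pkts if p["flags"] & flag]


def client_port(pkts):
    """The client is whoever sent the bare SYN that opened the connection (raises if no SYN is present)."""
    return next(p["sport"] for p in pkts if p["flags"] & (SYN | ACK) == SYN)


def teardown_table(pkts):
    """Rows for the Exercise 1.2 table: (label, packet #, side, SEQ, ACK, check).
    The check confirms the FIN consumed one sequence number: reply ACK == FIN SEQ + 1."""
    cport, rows = client_port(pkts), []
    for ordinal, fin in zip(("First", "Second"), (p for p in pkts if p["flags"] & FIN)):
        side = "client" if fin["sport"] == cport else "server"
        rows.append((ordinal + " FIN", fin["num"], side, fin["seq"], fin["ack"], ""))
        # The acknowledgement is the next packet from the other side (after the FIN) with ACK set.
        reply = next((p for p in pkts if p["num"] > fin["num"]
                      and p["sport"] == fin["dport"] and p["flags"] & ACK), None)
        if reply is None:
            rows.append(("ACK of %s FIN" % ordinal.lower(), None, "", None, None, "missing"))
        else:
            check = "ok" if reply["ack"] == (fin["seq"] + 1) & 0xFFFFFFFF else "MISMATCH"
            rows.append(("ACK of %s FIN" % ordinal.lower(), reply["num"],
                         "server" if side == "client" else "client", reply["seq"], reply["ack"], check))
    return rows


def rst_diagnosis(pkts):
    """Exercise 2.1 as code: what the position of the first RST in the stream tells you."""
    rsts = [p for p in pkts if p["flags"] & RST]
    if not rsts:
        return "no RST: graceful session"
    earlier = [p for p in pkts if p["num"] < rsts[0]["num"]]
    saw_syn = any((p["flags"] & (SYN | ACK)) == SYN for p in earlier)
    saw_synack = any((p["flags"] & (SYN | ACK)) == (SYN | ACK) for p in earlier)
    if saw_syn and not saw_synack:
        return "SYN answered by RST: nothing listening on the destination port"
    if saw_synack:
        return "RST after the handshake: established session aborted"
    return "RST with no handshake in capture: stray or mid-capture segment"


def sample_capture():
    """Constructed stand-in for fundamentals-http-get.pcap: handshake, GET + 200 OK, FIN/ACK teardown."""
    def c2s(seq, ack, flags, data=b""):
        return tcp_packet(CLIENT, SERVER, CPORT, SPORT, seq, ack, flags, data)

    def s2c(seq, ack, flags, data=b""):
        return tcp_packet(SERVER, CLIENT, SPORT, CPORT, seq, ack, flags, data)
    g, r = len(GET), len(RESP)
    return build_pcap([
        c2s(1000, 0, SYN), s2c(5000, 1001, SYN | ACK), c2s(1001, 5001, ACK),      # 1-3 handshake
        c2s(1001, 5001, PSH | ACK, GET), s2c(5001, 1001 + g, ACK),                # 4-5 request
        s2c(5001, 1001 + g, PSH | ACK, RESP), c2s(1001 + g, 5001 + r, ACK),       # 6-7 response
        c2s(1001 + g, 5001 + r, FIN | ACK),                                       # 8  first FIN (client)
        s2c(5001 + r, 1002 + g, ACK),                                             # 9  ACK of first FIN
        s2c(5001 + r, 1002 + g, FIN | ACK),                                       # 10 second FIN (server)
        c2s(1002 + g, 5002 + r, ACK),                                             # 11 ACK of second FIN
    ])


def closed_port_capture():
    """Constructed: a SYN to a port with no listener, answered by RST/ACK (Exercise 2.1, question 2)."""
    return build_pcap([tcp_packet(CLIENT, SERVER, CPORT, 8080, 1000, 0, SYN),
                       tcp_packet(SERVER, CLIENT, 8080, CPORT, 0, 1001, RST | ACK)])


if __name__ == "__main__":
    pkts = parse_pcap(sample_capture())
    print("FIN packets:", with_flag(pkts, FIN), " RST packets:", with_flag(pkts, RST))
    for row in teardown_table(pkts):
        print("%-18s pkt=%-4s %-7s SEQ=%-5s ACK=%-5s %s" % row)
    print(rst_diagnosis(pkts))
    print(rst_diagnosis(parse_pcap(closed_port_capture())))
```

To run the same checks on the real lab capture, replace sample_capture() with open("fundamentals-http-get.pcap", "rb").read(); the parser assumes a classic pcap with Ethernet or raw-IP framing and a single TCP session, so export from pcap-tools as pcap rather than pcapng. Sequence numbers come out as the raw 32-bit values, not the relative numbers pcap-tools and Wireshark display by default, which is why the SEQ + 1 check is done modulo 2^32.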

Exercise 2.2 -- Analyze with expert information:

Go to Analyze > Expert Information in pcap-tools (or Wireshark).

  1. What categories of items appear in the expert information for fundamentals-http-get.pcap? Are there any Errors or Warnings?

Part 3: Follow the full conversation (~10 minutes)

In pcap-tools (or Wireshark), right-click any packet in fundamentals-http-get.pcap and select "Follow > TCP Stream."

  1. What do you see? Can you read the HTTP request and response in plain text?
  2. Which bytes are from the client (one color) and which from the server (another color)?
  3. What is the Host header in the HTTP request?
  4. What is the Content-Type header in the HTTP response?

Artifact

Create lab-6-2.md in your net-101/ Git repo with:

  • The teardown sequence table
  • Answers to all questions

Commit with a meaningful commit message (can be combined with the lab-6-1 commit).