Course: NET-101, Week 7
Time: ~90 minutes
Tools: Academy pcap-tools workbench at /pcap-tools/
Captures: fundamentals-http-get.pcap, tall-100-frames.pcap
Part 1: Read window sizes across a real session (~30 minutes)
Load fundamentals-http-get.pcap. This 10-packet capture contains a complete HTTP GET session. For each TCP packet (skip non-TCP packets if any), record the window size advertised by the sender.
Apply the display filter tcp so that only TCP packets are shown. For the window size, record the value Wireshark labels "Calculated window size": after the handshake the raw 16-bit Window field is multiplied by the scale factor negotiated in the Window Scale option of the SYN and SYN-ACK, and the raw and calculated values differ whenever scaling is in use.
| Packet # | Sender direction | Window size (bytes) | Notes |
|---|---|---|---|
| 1 (SYN) | Client -> Server | | |
| 2 (SYN-ACK) | Server -> Client | | |
| 3 (ACK) | Client -> Server | | |
| ... | ... | | |
Questions:
- Does the window size change across the connection? If so, in which direction -- does it grow or shrink?
- In the SYN packet, the window size is the client's advertisement of its initial receive buffer; window scaling never applies to the SYN or SYN-ACK themselves, so the raw and calculated values are identical there. What is the client's initial window size?
- In the SYN-ACK packet, what is the server's initial window size?
- In the ACK of the HTTP 200 OK response, what is the client's window size? Has it changed?
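The window bookkeeping this part asks for, as an added worked example (not part of the original lab handout or of the Academy workbench): a minimal Python parser for classic pcap files that prints the raw and calculated window of every TCP segment, applying the Window Scale shift the way Wireshark's "Calculated window size" column does (never to the SYN or SYN-ACK, and only when both sides sent the option). The capture it reads is constructed inline to resemble the ten-frame GET session; the hosts 10.0.0.1 and 10.0.0.2, the ports, the window values and the shift of 7 are assumptions, not values from fundamentals-http-get.pcap. It only understands classic little-endian pcap, not pcapng, which is what Wireshark saves by default.

```python
import struct

ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_segment(src, dst, sport, dport, seq, ack, flags, window, options=b"", payload=b""):
    """Ethernet/IPv4/TCP frame, used only to construct the sample capture (checksums left as 0)."""
    options += b"\x00" * (-len(options) % 4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, (5 + len(options) // 4) << 4,
                      flags, window, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_pcap(frames):
    """Classic little-endian pcap (magic 0xa1b2c3d4, link type 1 = Ethernet) from (time_us, frame) pairs."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for t_us, frame in frames:
        out += [struct.pack("<IIII", t_us // 1_000_000, t_us % 1_000_000, len(frame), len(frame)), frame]
    return b"".join(out)


# Constructed ten-frame GET session: assumed hosts, ports and window values, NOT fundamentals-http-get.pcap.
C, S = "10.0.0.2", "10.0.0.1"                              # client, server
MSS_WS7 = bytes.fromhex("020405b4" "01" "030307")          # MSS 1460, NOP, Window Scale shift 7
GET = b"GET / HTTP/1.1\r\nHost: lab.example\r\n\r\n"
OK = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
g, o = len(GET), len(OK)
SAMPLE_PCAP = build_pcap([
    (0,    build_segment(C, S, 40000, 80, 0, 0, SYN, 64240, MSS_WS7)),
    (1200, build_segment(S, C, 80, 40000, 0, 1, SYN | ACK, 65160, MSS_WS7)),
    (1300, build_segment(C, S, 40000, 80, 1, 1, ACK, 502)),
    (1400, build_segment(C, S, 40000, 80, 1, 1, PSH | ACK, 502, payload=GET)),
    (2600, build_segment(S, C, 80, 40000, 1, 1 + g, ACK, 509)),
    (3000, build_segment(S, C, 80, 40000, 1, 1 + g, PSH | ACK, 509, payload=OK)),
    (3100, build_segment(C, S, 40000, 80, 1 + g, 1 + o, ACK, 501)),
    (3200, build_segment(C, S, 40000, 80, 1 + g, 1 + o, FIN | ACK, 501)),
    (4300, build_segment(S, C, 80, 40000, 1 + o, 2 + g, FIN | ACK, 509)),
    (4400, build_segment(C, S, 40000, 80, 2 + g, 2 + o, ACK, 501)),
])


def pcap_records(data):
    """Yield (timestamp_s, frame_bytes) from a classic pcap; pcapng and big-endian files are rejected."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a classic little-endian pcap file")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, pos)
        pos += 16
        yield ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]
        pos += incl_len


def parse_tcp(frame):
    """TCP fields of an Ethernet/IPv4/TCP frame, or None for anything else (what the filter 'tcp' keeps)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4 or frame[23] != IPPROTO_TCP:
        return None
    t = 14 + (frame[14] & 0x0F) * 4                        # TCP header starts after the IPv4 header
    if len(frame) < t + 20:
        return None
    sport, dport, seq, ack, off, flags, window = struct.unpack_from("!HHIIBBH", frame, t)
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "flags": flags, "window": window, "options": frame[t + 20:t + (off >> 4) * 4]}


def window_scale_shift(options):
    """Shift count from a Window Scale option (kind 3, length 3), capped at 14 per RFC 7323, else None."""
    i = 0
    while i < len(options) and options[i] != 0:           # kind 0 = end of option list
        if options[i] == 1:                                # kind 1 = NOP, carries no length byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None                                    # malformed option list
        if options[i] == 3 and options[i + 1] == 3 and i + 2 < len(options):
            return min(options[i + 2], 14)
        i += options[i + 1]
    return None


def flag_names(flags):
    return "|".join(n for n, b in (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK)) if flags & b)


def window_table(pcap_bytes):
    """(frame, src, dst, flags, raw window, calculated window) per TCP segment, like Wireshark's two columns."""
    shift, rows = {}, []
    for frame, (_ts, raw) in enumerate(pcap_records(pcap_bytes), start=1):
        seg = parse_tcp(raw)
        if seg is None:
            continue                                       # non-TCP frame: skipped, as the lab says
        calculated = seg["window"]
        if seg["flags"] & SYN:                             # SYN / SYN-ACK windows are never scaled ...
            ws = window_scale_shift(seg["options"])
            if ws is not None:
                shift[seg["src"]] = ws                     # ... but they carry each side's own shift
        elif seg["src"] in shift and seg["dst"] in shift:  # in effect only if both sides sent the option
            calculated = seg["window"] << shift[seg["src"]]
        rows.append((frame, seg["src"], seg["dst"], flag_names(seg["flags"]), seg["window"], calculated))
    return rows


if __name__ == "__main__":
    for row in window_table(SAMPLE_PCAP):
        print("%2d  %s -> %s  %-8s win=%5d  calculated=%d" % row)
```

Run it as-is to print the table for the constructed session, or pass the bytes of a real classic-pcap capture to window_table() to check the table you filled in by hand. In the constructed data the client's raw window drops from 502 to 501 in the ACK of the 200 OK while the calculated window drops from 64256 to 64128, which is the kind of change the questions above ask you to notice.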
Part 2: Expert information analysis (~30 minutes)
Load tall-100-frames.pcap. This is a longer capture with many packets. This capture was synthesized for layout testing; it may contain repetitive patterns.
Go to Analyze > Expert Information.
Exercise 2.1 -- Retransmissions:
Apply tcp.analysis.retransmission.
- How many retransmitted segments are there in tall-100-frames.pcap?
- If there are retransmissions, how long after the original segment do they appear? (Check the Time column.)
Exercise 2.2 -- Duplicate ACKs:
Apply tcp.analysis.duplicate_ack.
- How many duplicate ACKs are there?
- What is the relationship between duplicate ACKs and the retransmissions you found? (They should appear near each other in time.)
Exercise 2.3 -- Window analysis:
Apply tcp.analysis.zero_window.
- Are there any zero-window events? If so, how long does the window stay at zero before a Window Update is sent? (While it is closed, look for zero-window probes from the sender with tcp.analysis.zero_window_probe.)
Apply tcp.analysis.window_full.
- Are there any Window Full events? Wireshark sets this flag on a data segment whose last byte lands exactly on the right edge of the window the receiver last advertised (last ACK number plus scaled window): the sender has used up everything the receiver allowed and must stop until an ACK or Window Update opens the window again.
Part 3: Interpret the congestion picture (~20 minutes)
Based on your analysis from Parts 1 and 2, answer the following:
- In a connection with no congestion, what pattern of duplicate ACKs would you expect to see? (Zero, or something else?)
- If you saw a sequence of: normal traffic, then 3 duplicate ACKs, then a retransmission, then normal traffic -- what TCP mechanism does this describe? (Name it.)
- If the window size suddenly drops to 0, what must the sender do? What does it wait for?
- The term "slow start" implies a slow beginning. If a TCP connection starts with cwnd = 10 MSS and doubles each RTT, how many RTTs until cwnd reaches 80 MSS?
Part 4: Write a filter for congestion indicators (~10 minutes)
Write a single Wireshark display filter that shows ALL of the following in one view: retransmissions, duplicate ACKs, and zero-window events.
Test it on tall-100-frames.pcap. How many packets match?
Hint: combine the three tcp.analysis filters with the or operator. The Displayed count in the status bar is the number of matching packets; a packet that carries more than one of these flags is counted once.
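What the tcp.analysis flags in Exercises 2.1 to 2.3 and the combined filter in Part 4 actually test, as an added example that is not part of the original lab or of Wireshark: a simplified re-implementation of Wireshark's heuristics for retransmission, fast retransmission, duplicate ACK, zero window, window update and window full, run over a constructed 13-segment exchange between two assumed hosts (10.0.0.1 sending, 10.0.0.2 receiving, capture taken at the sender). It omits Wireshark's out-of-order and spurious-retransmission rules and the timing condition on fast retransmissions, and assumes no window scaling. matches_lab_filter() returns the frames that the Part 4 filter tcp.analysis.retransmission or tcp.analysis.duplicate_ack or tcp.analysis.zero_window would display, and analyze() also reports how long after the original each retransmission appears, which is the Exercise 2.1 measurement.

```python
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
A, B = "10.0.0.1", "10.0.0.2"   # assumed sender and receiver; capture taken at A

# Constructed exchange: (frame, time_s, src, dst, seq, ack, flags, window, payload_len).
# Handshake already done; frame 2 is lost somewhere downstream of the capture point.
SAMPLE = [
    (1,  0.000, A, B,    1,    1, ACK, 65535, 1000),
    (2,  0.010, A, B, 1001,    1, ACK, 65535, 1000),   # never reaches B
    (3,  0.020, A, B, 2001,    1, ACK, 65535, 1000),
    (4,  0.050, B, A,    1, 1001, ACK, 65535,    0),   # normal ACK for frame 1
    (5,  0.060, A, B, 3001,    1, ACK, 65535, 1000),
    (6,  0.070, B, A,    1, 1001, ACK, 65535,    0),   # dup ACK #1 (frame 3 arrived out of order)
    (7,  0.080, A, B, 4001,    1, ACK, 65535, 1000),
    (8,  0.110, B, A,    1, 1001, ACK, 65535,    0),   # dup ACK #2
    (9,  0.130, B, A,    1, 1001, ACK, 65535,    0),   # dup ACK #3
    (10, 0.132, A, B, 1001,    1, ACK, 65535, 1000),   # fast retransmission of frame 2
    (11, 0.180, B, A,    1, 5001, ACK,     0,    0),   # zero window: B's application stopped reading
    (12, 0.400, B, A,    1, 5001, ACK,  1000,    0),   # window update: 1000 bytes reopened
    (13, 0.402, A, B, 5001,    1, ACK, 65535, 1000),   # window full: ends exactly at B's window edge
]


def _new_direction():
    return {"nextseq": None, "lastack": None, "window": None, "dupcount": 0, "first_seen": {}}


def analyze(segments):
    """Tag every frame with simplified Wireshark tcp.analysis flags.

    Returns (tags, delays): tags maps frame -> set of flag names; delays maps each
    retransmitted frame -> seconds since the original transmission of that sequence number.
    """
    state = defaultdict(_new_direction)                # per-direction bookkeeping keyed by (src, dst)
    tags, delays = {}, {}
    for frame, ts, src, dst, seq, ack, flags, window, seglen in segments:
        fwd, rev = state[(src, dst)], state[(dst, src)]
        ctl = flags & (SYN | FIN | RST)
        end = seq + seglen + bool(flags & SYN) + bool(flags & FIN)   # next sequence number this side will use
        t = set()

        # ZERO WINDOW: window field is 0 and none of SYN/FIN/RST is set.
        if window == 0 and not ctl:
            t.add("zero_window")

        # DUPLICATE ACK vs WINDOW UPDATE: pure ACK repeating the previous seq and ack number;
        # same window means a dup ACK, a changed non-zero window means a window update.
        if seglen == 0 and not ctl and seq == fwd["nextseq"] and ack == fwd["lastack"]:
            if window == fwd["window"]:
                fwd["dupcount"] += 1
                t.add("dup_ack")
            elif window:
                t.add("window_update")

        if seglen > 0:
            # RETRANSMISSION: data whose far edge we have already seen. It is a FAST
            # retransmission when the other side has sent >= 2 dup ACKs asking for exactly this seq.
            if fwd["nextseq"] is not None and end <= fwd["nextseq"]:
                t.add("retransmission")
                if rev["dupcount"] >= 2 and rev["lastack"] == seq:
                    t.add("fast_retransmission")
                if seq in fwd["first_seen"]:
                    delays[frame] = ts - fwd["first_seen"][seq]
            else:
                fwd["first_seen"].setdefault(seq, ts)
            # WINDOW FULL: the segment's last byte lands on the receiver's advertised right edge.
            if not ctl and rev["lastack"] is not None and end == rev["lastack"] + rev["window"]:
                t.add("window_full")

        tags[frame] = t
        if ack != fwd["lastack"]:
            fwd["dupcount"] = 0                          # a new ack number starts a new dup-ACK run
        fwd["lastack"], fwd["window"] = ack, window
        if fwd["nextseq"] is None or end > fwd["nextseq"]:
            fwd["nextseq"] = end
    return tags, delays


def matches_lab_filter(tags):
    """Frames 'tcp.analysis.retransmission or tcp.analysis.duplicate_ack or tcp.analysis.zero_window' shows."""
    wanted = {"retransmission", "dup_ack", "zero_window"}
    return sorted(frame for frame, t in tags.items() if t & wanted)


if __name__ == "__main__":
    tags, delays = analyze(SAMPLE)
    for frame in sorted(tags):
        extra = "  (%.3f s after original)" % delays[frame] if frame in delays else ""
        print(f"frame {frame:2d}: {', '.join(sorted(tags[frame])) or '-'}{extra}")
    print("combined filter matches:", matches_lab_filter(tags))
```

Running it shows the Part 3 pattern in miniature: three duplicate ACKs (frames 6, 8, 9), the fast retransmission they trigger 2 ms later (frame 10, 122 ms after the lost original), then a zero window that stays closed until the window update in frame 12 and a window-full segment as soon as the sender fills what was reopened. Frame 10 carries both the retransmission and fast_retransmission tags, which mirrors Wireshark setting tcp.analysis.retransmission on fast retransmissions as well, so the Part 4 filter picks it up.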
Artifact
Create lab-7-1.md in your net-101/ Git repo with:
- The window-size table from Part 1
- Answers to all questions
- Your combined display filter from Part 4
Commit with a meaningful commit message.