CSCD 330 Lab 5
TCP Protocol Wireshark


The TCP protocol is responsible for reliable transport of packets. In this lab we will be using Wireshark to see how TCP behaves. Part of the lab you are to download an existing trace file and part of the lab you will capture TCP traffic.

In first part of this lab, you will analyze an existing SSH session trace file
First, download the trace file and save it somewhere on your computer.
SSH Wireshark Capture File
Then, open Wireshark with the command, sudo Wireshark if Linux, or just open Wireshark if Windows.
Next, click on File open and load the saved ssh capture file.
Follow the instructions below and answer the questions that follow.

Wireshark Settings and Viewing the Packets

1. Set a filter to view only tcp traffic, in the filter bar type, tcp (all lowercase)
2. Select Analyze and then the Enable Protocol menu option. Uncheck the SSH protocol. This allows SSH details to be displayed.
3. Begin looking at the packets in the trace.

Part 1. Analyzing TCP using an SSH Session
Think about what ssh does. It is like Telnet in that you open a window to another computer and type commands and see the results displayed. So, you type something and what gets displayed are the results of what you typed. This trace file was created by myself typing: ssh . I then asked to see a directory listing and quit.


  1. What is the IP address of the client and what is the IP address of the remote machine in this trace?
  2. What port numbers are being used for the client and remote machine?
  3. What packet numbers are involved in the initiation of the TCP ssh session (the three-way handshake)?
    How can you tell TCP is starting a new session?
  4. What are the sequence numbers of the client and remote machine in the beginning?
  5. Is any data being sent during TCP initiation? How can you tell?
  6. What's the Maximum Segment Size on both machines (MSS)? What is the meaning of the MSS?
  7. How many bytes are in the TCP header?
  8. What is the smallest window size during this entire connection? What is the meaning of the win field?
  9. In this trace, packet 16 and on up has the PSH flag set. What does this flag mean? Why do you think its set in this trace?
  10. Can you see the ascii commands typed in this ssh session and the data returned? Why or why not?
  11. View the last few packets of this trace file. Which side sent the first Fin packet? Does the Fin packet seem to be counted as data? How can you tell?
Now, we can view some overall statistics for this trace. Click on Statistics, then Flow Graph, click on TCP flow.
This graph displays the flow of data and the seq. and ack numbers. Answer the next few questions from this graph.
  1. From the first Syn packet until the last Ack of the final Fin packets, how long did this session last?
  2. How much data was sent from the remote machine?
Finally, lets look at some other way to graph the TCP flow. Click on Statistic and then TCP Stream Graph.
Choose Round Trip Time Graph. Answer the questions below.
  1. Does it appear that the packets are being sent at a constant rate? What is the average RTT?

Part 2. Open TCP Sessions of your own
Restart wireshark. Discard existing file. Set preferences for the TCP protocol. Select Edit and then preferences. Then, under protocols, select TCP. Uncheck the relative sequence number box. Click apply. and OK. Open several TCP connections: Web browser, ssh or email.
Answer questions below.

  1. Are there any patterns in port numbers in your connections?
  2. Notice any patterns in sequence numbers?