Packet Analysis

Assignment

Capture and analyze traffic on your home network while going about your usual network activities. Present your results in summary form, using graphical analysis where appropriate. How much of your network traffic is inbound? How much is outbound?  What portion of it is HTTP traffic? How many devices are active on your network? What are their relative levels of activities? What sites are the most common sources and destinations for your traffic? Write a summary of your work and findings on your blog. We’ll compare notes in class.

Summary:

I only opened five tabs on Chrome and didn’t close the software that is running the background in my PC. I only have one device connected to the Ethernet. Most common sides for sources and destinations are http://www.tigoe.com since I was checking the homework for this week and I was also writing my blog simultaneously. But I did find something interesting since I am unknowingly running a Chinese software in the background. There are some errors showing up when I tried to filter out only HTTP request.

Details:

I decide to look for Ethernet Connections – Since I use PC to do work

I only have chrome and Wireshark open and opened our syllabus and WordPress blogs. Turns out during packet sniffing, I didn’t turn off the following software’s while running.

During my second packet sniffing, I opened Amazon Prime Video on Chrome. I did not find the AS Organization shown in class but when I searched Resolved Addresses, I got to see lots of Amazon related addresses.

Inbound vs Outbound Network traffic

Most of them are HTTP Requests.

Software Running in the BG

For my third packet-sniffing, I only have five tabs open. Yet I find something fishy. Given that I didn’t search anything Chinese related in terms of website or language while searching. I find it odd when I looked up the IP address.

It is in Beijing. And When I looked into China Unicom Beijing. It is the Chinese version of AT&T or Verizon, a telecommunication operator in China. Then when I search the relationship between China Unicom Beijing and Baidu Wangpan, equivalent of Dropbox/Google Drive. It occurred to me to log into Baidu Wangpan, you would either need a Chinese telephone number or Chinese social media which also requires your Chinese phone number. For me, I registered the account for Baidu Wangpan using Chinese phone number. So it makes sense that with Baidu Wangpan running in the background, it is constantly sending and receiving packets.

It is quite scary though since I don’t think it is running cuz I didn’t use it or open its interface but turns out it is constantly running.

TCP Keep-Alive, ACKed unseen segment, Retransmission

To check if connected socket (TCP socket) is still running or broken. You send an empty probe packet with ACK flag turned on. If you receive empty packet from the host, then the connection is running. This is shown by the screenshot below.

source

To understand the error messages in WireSharck, I found this website in Chinese.

I understood the TCP ACKed unseen segment[If there is a discrepancy between the Seq+Len, then there is a missing of the packet from the Seq+Len from previous session ti Seq of the next sesssion.] and TCP Retransmission[If one packet is missing, there will be no ACK sent back. So it will be resent when it is overtime. ]

So the below screenshot shows that the 202.108.23.113 [IP address from Beijing, China], sends TCP keepalive to see if the connection is working and got the Keep-Alive ACK in response.

The second part of the screenshot shows the TCP Retransmission followed by the TCP Dup ACK. I looked it up and found the forum answer here. It mentioned that this pattern most likely that some packets are missing. If you only see the TCP Dup ACK without the TCP Retransmission, then that means the packets are arriving out of order.

Published by Yiting Liu

NYU ITP '21

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create your website with WordPress.com
Get started
<span>%d</span> bloggers like this: