1
00:00:00,000 --> 00:00:02,000
So let’s look at a more complete example.

2
00:00:03,000 --> 00:00:11,000
In this example, host A initiates a session with the source port of 1024

3
00:00:12,000 --> 00:00:14,000
in a destination port of 23, in other words telnet.

4
00:00:15,000 --> 00:00:20,000
Host A sends 10 bytes of data and an initial sequence number of 10.

5
00:00:21,000 --> 00:00:26,000
Host B acknowledges receipt of the 10 bytes

6
00:00:27,000 --> 00:00:30,000
by sending an acknowledgement number back to A of 11.

7
00:00:31,000 --> 00:00:35,000
Host B in this example, also sets its initial sequence number to 5.

8
00:00:36,000 --> 00:00:39,000
please note also that the port numbers are reversed 
              
8

9
00:00:40,000 --> 00:00:47,000
the source port for traffic going from B to A is 23 and the destination port is 1024.

10
00:00:48,000 --> 00:00:51,000
In this example because we’re using a sliding window

11
00:00:52,000 --> 00:00:55,000
A may send 250 bytes of data for example.

12
00:00:56,000 --> 00:00:59,000
So notice the sequence number is incremented to 260.

13
00:01:00,000 --> 00:01:03,000
In previous examples, we’ve use easy numbers

14
00:01:04,000 --> 00:01:08,000
the window size of 1 or window size of 3 but please note in reality

15
00:01:09,000 --> 00:01:12,000
window sizes are set to the amount of data that can be transmitted in bytes.

16
00:01:13,000 --> 00:01:18,000
So this may not be as easy to read as sequences of 1, 2, and 3.

17
00:01:23,000 --> 00:01:28,000
receipt of data up to sequence 5 and thus acknowledging sequence number 6.

18
00:01:29,000 --> 00:01:31,000
The source ports are swap round again

19
00:01:32,000 --> 00:01:35,000
so the source port is 1024 and the destination port is 23.

20
00:01:36,000 --> 00:01:43,000
Now host B is acknowledging for sequence number 261

21
00:01:44,000 --> 00:01:48,000
remember A send 10 bytes and the 250 bytes

22
00:01:49,000 --> 00:01:50,000
so in other words 260 bytes of data.

23
00:01:51,000 --> 00:01:57,000
B is sending sequence number 6 and once again the port numbers are reversed.

24
00:01:58,000 --> 00:02:02,000
It’s a very important that you understand, how source and destination ports work

25
00:02:07,000 --> 00:02:14,000
So on that note there is nothing better than showing you real world example using Wireshark.

26
00:02:15,000 --> 00:02:18,000
So I’m going to capture traffic on my network

27
00:02:19,000 --> 00:02:27,000
and then I’m going to go to for instance google.com with my web browser.

28
00:02:28,000 --> 00:02:41,000
I’ll go back to Wireshark and stop the capture, here's an example is the DNS query.

29
00:02:42,000 --> 00:02:48,000
So we’ve got host 10.0.0.1 which is my machine

30
00:02:49,000 --> 00:02:53,000
a Dell laptop, querying the DNS server.

31
00:02:54,000 --> 00:03:01,000
At layer 2, you can see the source is my Dell machine going to my Cisco router.

32
00:03:02,000 --> 00:03:07,000
This is an Ethernet 2 frame and please note the type field.

33
00:03:08,000 --> 00:03:15,000
At layer 2 as mentioned, the type field specifies the protocol at layer 3.

34
00:03:16,000 --> 00:03:24,000
In this case 0x0800 in hexadecimal specifies that the layer 3 protocol is IPv4.

35
00:03:25,000 --> 00:03:32,000
At layer 3 you can see the source IP address and the destination IP address.

36
00:03:33,000 --> 00:03:40,000
My PC and the DNS server, you can see that this is IPv4

37
00:03:41,000 --> 00:03:44,000
you can see the header length is 20 bytes.

38
00:03:45,000 --> 00:03:51,000
DSCP or Differentiated Services Code Points is not used in this example

39
00:03:52,000 --> 00:03:58,000
notice ECN which is to do with explicit congestion notification

40
00:03:59,000 --> 00:04:01,000
I mentioned that briefly when talking about the TCP header.
 
42

41
00:04:02,000 --> 00:04:14,000
What I’d like you to see here is notice the protocol at layer 4 is UDP

42
00:04:15,000 --> 00:04:22,000
that values in hexadecimal, so 11 in hexadecimal is equal to 17

43
00:04:23,000 --> 00:04:26,000
the protocol number once again for UDP is 17.

44
00:04:27,000 --> 00:04:32,000
So at layer 4, we can see that User Datagram Protocol or UDP is being used.

45
00:04:33,000 --> 00:04:38,000
The source port is 62249, in other words, a dynamic or ephemeral port

46
00:04:39,000 --> 00:04:43,000
going to a destination port of 53 in other words DNS.

47
00:04:44,000 --> 00:05:01,000
We can see the port numbers once again, and opening up the DNS query

48
00:05:02,000 --> 00:05:17,000
we can see that it was a query, looking for specific host address.

49
00:05:18,000 --> 00:05:29,000
Here we have a DNS response from the DNS server to my host.

50
00:05:30,000 --> 00:05:34,000
So once again, very quickly at layer 2

51
00:05:35,000 --> 00:05:37,000
you can see the type field denotes the protocol at layer 3.

52
00:05:38,000 --> 00:05:49,000
At layer 3, the protocol field, tells us which protocol is used at layer 4

53
00:06:00,000 --> 00:06:09,000
Here’s another DNS query from my host to the DNS server.

54
00:06:10,000 --> 00:06:14,000
And if we open up the DNS query information

55
00:06:15,000 --> 00:06:19,000
you can see that it’s a query for google.com

56
00:06:20,000 --> 00:06:26,000
and it's a host query, notice type A, the DNS server replies

57
00:06:27,000 --> 00:06:33,000
and notice in the answer, it give us the IP address of google.com

58
00:06:34,000 --> 00:06:41,000
Now here’s the three-way handshake between my machine and Google.

59
00:06:42,000 --> 00:06:44,000
Notice the source is 10.0.0.1

60
00:06:45,000 --> 00:06:48,000
and the destination is this IP address which is Google.

61
00:06:49,000 --> 00:06:57,000
Notice the source port is 58313 destinations is 80
 
64

62
00:06:58,000 --> 00:07:00,000
in other words I’m opening up a web connection to a web server.

63
00:07:01,000 --> 00:07:06,000
Opening that up, you can see once again the source and destination port numbers

64
00:07:07,000 --> 00:07:10,000
but notice here the flag that are set is SYN.

65
00:07:11,000 --> 00:07:15,000
So opening that up you can see that

66
00:07:16,000 --> 00:07:21,000
all the other flags or bit set to 0 except for the SYN bit

67
00:07:22,000 --> 00:07:31,000
and opening that up you can see, we are trying to set up a connection to the server

68
00:07:32,000 --> 00:07:36,000
so we’ve got a connection establish request message to the server.

69
00:07:37,000 --> 00:07:45,000
No other flags are set. Notice the initial window size is 8192

70
00:07:46,000 --> 00:07:56,000
and opening up the options, you can see that the MSS or Maximum Segment Size is set to 1460 bytes.

71
00:07:57,000 --> 00:08:04,000
The reply from Google to my machine at layer 4 shows that the source port is 80

72
00:08:05,000 --> 00:08:07,000
and the destination port is 58313.

73
00:08:08,000 --> 00:08:14,000
Opening that up, notice the flags that are set are SYN ACK

74
00:08:15,000 --> 00:08:18,000
so it’s a second part of the three-way handshake.

75
00:08:19,000 --> 00:08:24,000
Notice the acknowledgement bit is set and the synchronization bit is set

76
00:08:25,000 --> 00:08:32,000
opening that up, you can see that it's a connection establish acknowledgment from Google.

77
00:08:33,000 --> 00:08:43,000
Notice the window size request is 5720 and if we open up the options

78
00:08:44,000 --> 00:08:47,000
notice here the maximum segment size is 1430.

79
00:08:48,000 --> 00:08:52,000
Looking at the last part of three-way handshake

80
00:08:53,000 --> 00:08:56,000
notice my machine talking to Google

81
00:08:57,000 --> 00:09:08,000
opening up TCP, you can see that the flags that are set is just the acknowledgement bit

82
00:09:09,000 --> 00:09:13,000
and the window size requested 64350
        
85

83
00:09:14,000 --> 00:09:18,000
and looking at the sequence acknowledgment analysis

84
00:09:19,000 --> 00:09:20,000
notice that this is an acknowledgement.

85
00:09:21,000 --> 00:09:24,000
Going back to the first step of the three-way hand shake

86
00:09:25,000 --> 00:09:30,000
notice that the initial sequence number from my machine to Google is set to 0.

87
00:09:31,000 --> 00:09:35,000
Going to the actual TCP header, notice the sequence number 0.

88
00:09:36,000 --> 00:09:42,000
Googles reply as a sequence number 0 and the acknowledgement of 1.

89
00:09:43,000 --> 00:09:45,000
As you can see here as well.

90
00:09:46,000 --> 00:09:52,000
So they are letting us know, the next segment that they expect to receive is segment 1.

91
00:09:53,000 --> 00:10:00,000
Our acknowledgement to them, is we are sending sequence number 1

92
00:10:01,000 --> 00:10:04,000
and we are acknowledging the sequence number 1.

93
00:10:05,000 --> 00:10:08,000
This is as per what we discussed.

94
00:10:09,000 --> 00:10:15,000
Later on, when HTTP is being received

95
00:10:16,000 --> 00:10:21,000
notice, we are receiving information from Google to our machine its TCP

96
00:10:22,000 --> 00:10:28,000
and notice here, this is a TCP segment of the re-assembled Protocol Data Unit.

97
00:10:29,000 --> 00:10:31,000
In other words this is a fragment.

98
00:10:32,000 --> 00:10:41,000
Looking at TCP, we can see the sources HTTP and the destination is our port number.

99
00:10:42,000 --> 00:10:45,000
In other words Google is sending traffic to us

100
00:10:46,000 --> 00:10:49,000
notice here that the sequence number is 2861

101
00:10:50,000 --> 00:10:54,000
the next sequence number is 3798

102
00:10:55,000 --> 00:10:58,000
and the acknowledgement number is 944.

103
00:10:59,000 --> 00:11:04,000
so the next sequence number remember is 3798

104
00:11:05,000 --> 00:11:07,000
going to the very next part of the capture

105
00:11:08,000 --> 00:11:15,000
notice the sequence number here is 3798 and the next sequence number is 5228.

106
00:11:16,000 --> 00:11:19,000
And notice there’s an acknowledgement from our machine to Google

107
00:11:20,000 --> 00:11:23,000
saying that we expect to receive 5228.

108
00:11:24,000 --> 00:11:28,000
And then the very next capture you can see

109
00:11:29,000 --> 00:11:32,000
that sequence number 5228, were sent from Google to us.

110
00:11:33,000 --> 00:11:39,000
The next sequence number is 6658, which is the next piece received.

111
00:11:40,000 --> 00:11:42,000
Notice 6658 is the sequence number received. 
   
114

112
00:11:43,000 --> 00:11:48,000
Our host is acknowledging receipt of that

113
00:11:49,000 --> 00:11:53,000
and saying that the next bit of data to receive is 7894

114
00:11:54,000 --> 00:11:59,000
going to the next capture, you can see that the sequence number is what Google sent to us.

115
00:12:00,000 --> 00:12:02,000
Now without boring you any longer

116
00:12:03,000 --> 00:12:06,000
I’m hoping that this capture gives you a little bit of insight

117
00:12:07,000 --> 00:12:09,000
into what's actually happening on the wire.

118
00:12:10,000 --> 00:12:14,000
wirehark remembers a free application that you can download

119
00:12:15,000 --> 00:12:16,000
just search for it on the internet

120
00:12:17,000 --> 00:12:19,000
now I suggest that you captures some traffic on your machine

121
00:12:20,000 --> 00:12:23,000
so that you can actually see what's going on in the back ground.

122
00:12:24,000 --> 00:12:25,000
So what have we covered?

123
00:12:26,000 --> 00:12:30,000
In this section we look at the 2 main protocols residing at layer 4.

124
00:12:31,000 --> 00:12:39,000
UDP or User Datagram Protocol and TCP or Transmission Control Protocol.

125
00:12:40,000 --> 00:12:45,000
I explained port numbers and which port numbers would be used in which scenarios.

126
00:12:46,000 --> 00:12:48,000
I explained the TCP three-way handshake

127
00:12:49,000 --> 00:12:52,000
I explained windowing and I explained sequence numbers.

128
00:12:53,000 --> 00:12:55,000
Thank you for watching!