
Project#2: Wireshark for DNS & HTTP

Part 2-A:

1 IP address: 192.168.0.11

2 A. IP address: 209.18.47.62

B. Since we had previously browsed to this site, the browser cached it, and
when we browsed to it again the page was simply loaded from the cache.

request-line:
GET / HTTP/1.1\r\n
Host: tim.catim.net\r\n

Request header fields:


User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0)
Gecko/20100101 Firefox/59.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-US,en;q=0.5\r\n
Accept-Encoding: gzip, deflate\r\n
Connection: keep-alive\r\n
Upgrade-Insecure-Requests: 1\r\n
\r\n

Resource Identified by a request


[Full request URI: http://tim.catim.net/]
[HTTP request 1/2]
[Response in frame: 9775]
[Next request in frame: 9892]

4 http or dns (equivalently http || dns) sets a filter to display all HTTP and DNS packets.

ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2 sets a conversation filter
between the two defined IP addresses.
tcp.port == 4000 sets a filter for any TCP packet with 4000 as a source or
destination port.
http.request displays all HTTP request messages (GET, POST and the other
methods); http.request.method == "GET" narrows it to GET requests only.
tcp.analysis.retransmission displays all retransmissions in the trace. This helps
when tracking down slow application performance and packet loss.

5
6 Three-way handshake:

192.168.0.11 -> 23.215.98.107 [SYN]
23.215.98.107 -> 192.168.0.11 [SYN, ACK]
192.168.0.11 -> 23.215.98.107 [ACK]
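The three segments listed above, as an added example that is not part of the original write-up: parse raw 20-byte TCP headers into the fields Wireshark shows in its Info column, then check that three segments really form a SYN / SYN-ACK / ACK handshake, i.e. the ports mirror each other and every acknowledgement number is the peer's sequence number plus one. The client port 50432 and the initial sequence numbers 1000 and 5000 are constructed; IP addresses live in the IP header, so only ports and numbers are checked here.

```python
"""Parse raw TCP headers and recognise the SYN / SYN-ACK / ACK handshake."""
import struct

# TCP flag bits (RFC 793).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_HEADER = "!HHIIHHHH"  # src, dst, seq, ack, offset|flags, window, checksum, urgent


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Minimal 20-byte header, no options, zero checksum; only used here to
    construct sample segments."""
    return struct.pack(TCP_HEADER, src_port, dst_port, seq, ack,
                       (5 << 12) | flags, window, 0, 0)


def parse_tcp_header(raw):
    """Return the header fields plus an Info-column style flag list."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, win, _csum, _urg = struct.unpack(TCP_HEADER, raw[:20])
    flags = off_flags & 0x1FF
    names = [n for bit, n in ((SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"),
                              (RST, "RST"), (PSH, "PSH")) if flags & bit]
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "window": win, "flags": flags, "info": "[" + ", ".join(names) + "]"}


def is_three_way_handshake(segs):
    """True if segs are SYN, SYN-ACK, ACK on one port pair with consistent
    numbers: each ACK number is the peer's SEQ + 1."""
    if len(segs) != 3:
        return False
    syn, synack, ack = segs
    if (syn["flags"] & (SYN | ACK)) != SYN:
        return False
    if (synack["flags"] & (SYN | ACK)) != (SYN | ACK):
        return False
    if (ack["flags"] & (SYN | ACK)) != ACK:
        return False
    client = (syn["src_port"], syn["dst_port"])
    if (synack["dst_port"], synack["src_port"]) != client:
        return False
    if (ack["src_port"], ack["dst_port"]) != client:
        return False
    return (synack["ack"] == syn["seq"] + 1
            and ack["seq"] == syn["seq"] + 1
            and ack["ack"] == synack["seq"] + 1)


# Constructed sample: port and ISNs are made up; the flags mirror the three
# lines above (client 192.168.0.11 -> server 23.215.98.107, port 80).
CLIENT_PORT, CLIENT_ISN, SERVER_ISN = 50432, 1000, 5000
SAMPLE_HANDSHAKE = [
    build_tcp_header(CLIENT_PORT, 80, CLIENT_ISN, 0, SYN),
    build_tcp_header(80, CLIENT_PORT, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_tcp_header(CLIENT_PORT, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),
]

if __name__ == "__main__":
    parsed = [parse_tcp_header(s) for s in SAMPLE_HANDSHAKE]
    for p in parsed:
        print("%d -> %d %s seq=%d ack=%d" % (p["src_port"], p["dst_port"],
                                            p["info"], p["seq"], p["ack"]))
    print("valid handshake:", is_three_way_handshake(parsed))
```

The flag-to-name order follows Wireshark, so a SYN-ACK prints as [SYN, ACK]. A closed port answers a SYN with RST-ACK instead, which the check rejects.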
Part 2-B

1 a. Because establishing a TCP connection requires a three-way handshake before
any data is sent, a query over TCP costs two round trips between client and
server versus one for DNS over UDP under typical conditions. TCP provides
reliable delivery on lossy links by retransmitting segments, but DNS already
handles loss itself by retrying a query after a timeout. UDP is also cheaper for
small (<= 1 MTU) transactions because there is no connection state and no handshake.

1 b. Because DNS operates on port 53. Filtering on it also limits the display to
the DNS queries sent to the DNS servers and their responses.

2. The AAAA queries ask for IPv6 address records (A records carry IPv4 addresses).
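The two points above (DNS over UDP versus TCP, and A versus AAAA queries) as one added example, not code from the original write-up: a pure-stdlib builder and parser for the RFC 1035 wire format. It shows the query as it goes into a UDP datagram to port 53, the extra 2-byte length prefix DNS over TCP needs, the TC (truncated) bit that tells a client to retry over TCP, and A (type 1) versus AAAA (type 28) answers. The answer data is constructed here rather than fetched: tim.catim.net -> 209.18.47.62 reuses the address seen in Part 2-A, and the AAAA answer 2001:db8::1 is from the documentation prefix.

```python
"""DNS wire format: A/AAAA queries, UDP vs TCP framing, constructed answers."""
import ipaddress
import struct

QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
# Constructed answer data (A from the capture above, AAAA from the doc prefix).
SAMPLE_RDATA = {QTYPE_A: "209.18.47.62", QTYPE_AAAA: "2001:db8::1"}


def encode_name(name):
    """'tim.catim.net' -> b'\\x03tim\\x05catim\\x03net\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, qtype, txid):
    """Recursive query exactly as sent in a UDP datagram to port 53."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with its 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def parse_message(msg):
    """Parse header, question and answer sections of a query or response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        rname, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            rdata = str(ipaddress.IPv6Address(rdata))
        answers.append((rname, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & FLAG_QR),
            "truncated": bool(flags & FLAG_TC),  # set: retry this query over TCP
            "questions": questions, "answers": answers}


def build_response(query, rdata_by_type=SAMPLE_RDATA):
    """Constructed answer to `query` (stands in for a real resolver); the
    answer name is a compression pointer to the question name at offset 12."""
    q = parse_message(query)
    qname, qtype = q["questions"][0]
    header = struct.pack("!HHHHHH", q["id"], FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    rdata = ipaddress.ip_address(rdata_by_type[qtype]).packed
    rr = b"\xC0\x0C" + struct.pack("!HHIH", qtype, QCLASS_IN, 300, len(rdata)) + rdata
    return header + question + rr


if __name__ == "__main__":
    for qtype in (QTYPE_A, QTYPE_AAAA):
        q = build_query("tim.catim.net", qtype, 0x1234)
        print("UDP query %d bytes, TCP-framed %d bytes" % (len(q), len(frame_for_tcp(q))))
        print(parse_message(build_response(q))["answers"])
```

The decoder bounds the number of compression-pointer hops; without that limit a crafted response with a pointer cycle would loop forever.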


Part 2-C

1. The basic HTTP GET/response interaction

1.1 The browser is running HTTP version 1.1.

The server is running HTTP version 1.1.

1.2 en-us

1.3 Client: 192.168.0.11
Server: 128.119.245.12

1.4 Status code returned: 200

1.5 Sun, 08 Apr 2018 05:59:01 GMT

1.6 128 bytes

1.7 No, I don't see any header.


2 The HTTP conditional GET/response interaction

8. No, there is no "IF-MODIFIED-SINCE" line in the first HTTP GET.

9. Yes, the server explicitly returned the contents of the file: the 200 OK
response to the GET carries line-based text data.

10. An "IF-MODIFIED-SINCE:" line was present in the second HTTP GET. The
information that followed the "IF-MODIFIED-SINCE:" header was: Sun, 08
Apr 2018 05:59:01 GMT\r\n

11. The status code and phrase returned from the server were HTTP/1.1 304 Not
Modified. The server did not return the contents of the file, because the file
had not been modified since that date, and the browser displayed the copy from
its cache.
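The conditional GET exchange in questions 8 to 11, as an added example that is not from the original write-up: a request parser plus the server-side decision between 200 OK with the body and 304 Not Modified without it. The page body, the requests (which reuse the Host tim.catim.net from Part 2-A) and the assumption that the file's modification time equals the Last-Modified date seen in the trace are all constructed.

```python
"""Conditional GET: parse the request and decide 200 vs 304 on the server side."""
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample resource; the Last-Modified date is the one in the capture.
PAGE = b"<html><body>Hello from the cache lab.</body></html>\n"
LAST_MODIFIED = datetime(2018, 4, 8, 5, 59, 1, tzinfo=timezone.utc)

# Constructed requests: the first plain, the second conditional.
FIRST_GET = (b"GET / HTTP/1.1\r\n"
             b"Host: tim.catim.net\r\n"
             b"Accept-Language: en-US,en;q=0.5\r\n"
             b"Connection: keep-alive\r\n\r\n")
SECOND_GET = (b"GET / HTTP/1.1\r\n"
              b"Host: tim.catim.net\r\n"
              b"If-Modified-Since: Sun, 08 Apr 2018 05:59:01 GMT\r\n"
              b"Connection: keep-alive\r\n\r\n")


def parse_request(raw):
    """Return (method, target, version, headers). Header names are
    case-insensitive (RFC 7230), so they are stored lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def http_date(dt):
    """Format an aware UTC datetime as an HTTP-date, e.g. 'Sun, 08 Apr 2018 05:59:01 GMT'."""
    return format_datetime(dt, usegmt=True)


def conditional_get(raw_request, body, last_modified):
    """Server-side decision: 304 without a body when the client's cached copy
    is still current, otherwise 200 with the body and its Last-Modified date."""
    method, _target, _version, headers = parse_request(raw_request)
    if method != "GET":
        return "HTTP/1.1 405 Method Not Allowed", {"Allow": "GET"}, b""
    ims = headers.get("if-modified-since")
    if ims is not None:
        try:
            since = parsedate_to_datetime(ims)
        except (TypeError, ValueError):
            since = None  # malformed date: ignore the header (RFC 7232 3.3)
        # HTTP dates have one-second resolution; "not modified since" means
        # the file's mtime is at or before the client's date. A naive result
        # (no zone) cannot be compared safely, so it is ignored too.
        if (since is not None and since.tzinfo is not None
                and last_modified.replace(microsecond=0) <= since):
            return "HTTP/1.1 304 Not Modified", {"Last-Modified": http_date(last_modified)}, b""
    return "HTTP/1.1 200 OK", {"Last-Modified": http_date(last_modified),
                               "Content-Type": "text/html",
                               "Content-Length": str(len(body))}, body


if __name__ == "__main__":
    for req in (FIRST_GET, SECOND_GET):
        status, hdrs, body = conditional_get(req, PAGE, LAST_MODIFIED)
        print(status, hdrs, "%d body bytes" % len(body))
```

The validator is the date the server itself handed out in Last-Modified, which is why the browser echoes exactly that value; if the file is touched after it, the same conditional request gets a fresh 200.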

3 Retrieving Long Documents

12. My browser sent one HTTP GET request message. Packet number 11 contained
the GET message for the Bill of Rights.

13. Packet 23 contained the response to the HTTP GET request.

14. The status code from this packet was 200, and the phrase was OK.
15. 1 data-containing TCP segment was needed to carry the single
HTTP response and the text of the Bill of Rights.
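Question 15 counts the data-carrying TCP segments behind one HTTP response. As an added example (not from the original write-up), this is how a capture tool turns those segments back into the response: order by sequence number, drop bytes of a retransmission after checking they match what was already received, and refuse to proceed across a gap. The 200 OK response, the Bill of Rights excerpt in its body, the server ISN 5000 and the deliberately tiny 40-byte segment size are all constructed.

```python
"""Reassemble an HTTP response that arrived in several TCP segments."""
import re

CONTENT_LENGTH = re.compile(rb"^content-length:[ \t]*(\d+)[ \t]*\r?$", re.I | re.M)

# Constructed sample response; the body is an excerpt of the Bill of Rights.
BODY = (b"Congress shall make no law respecting an establishment of religion, "
        b"or prohibiting the free exercise thereof; or abridging the freedom of "
        b"speech, or of the press;")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)

SERVER_ISN = 5000  # constructed: seq of the server's SYN-ACK; data starts at ISN + 1
MSS = 40           # constructed, tiny so the short sample spans several segments
SEGMENTS = [(SERVER_ISN + 1 + i, RESPONSE[i:i + MSS])
            for i in range(0, len(RESPONSE), MSS)]
# Arrival order as a trace might show it: out of order, first segment retransmitted.
ARRIVALS = [SEGMENTS[1], SEGMENTS[0], SEGMENTS[0]] + SEGMENTS[2:]


def reassemble(arrivals, isn):
    """Rebuild one direction of a TCP byte stream from (seq, payload) pairs."""
    stream = bytearray()
    expected = isn + 1
    for seq, payload in sorted(arrivals, key=lambda s: s[0]):
        if seq < isn + 1:
            raise ValueError("segment before stream start at seq %d" % seq)
        if seq > expected:
            raise ValueError("gap: expected seq %d, got %d" % (expected, seq))
        overlap = expected - seq
        if overlap:
            # Retransmission or overlapping segment: the repeated bytes must be
            # identical to what was already received. Differing overlaps are
            # the classic way to show an IDS one stream and the host another.
            n = min(overlap, len(payload))
            start = len(stream) - overlap
            if payload[:n] != bytes(stream[start:start + n]):
                raise ValueError("inconsistent overlap at seq %d" % seq)
            payload = payload[overlap:]
        stream += payload
        expected += len(payload)
    return bytes(stream)


def split_http_response(stream):
    """Return (status_line, body) once the stream holds the full Content-Length
    body, else None (more segments are still needed)."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    m = CONTENT_LENGTH.search(head)
    length = int(m.group(1)) if m else 0
    if len(rest) < length:
        return None
    return head.split(b"\r\n", 1)[0].decode("iso-8859-1"), rest[:length]


def data_segments(arrivals):
    """Distinct data-carrying segments (a retransmission is counted once)."""
    return len({seq for seq, payload in arrivals if payload})


if __name__ == "__main__":
    stream = reassemble(ARRIVALS, SERVER_ISN)
    status, body = split_http_response(stream)
    print("%d distinct data segments carried: %s (%d body bytes)"
          % (data_segments(ARRIVALS), status, len(body)))
```

Wireshark's "N Reassembled TCP Segments" line on the response packet is exactly this step; a retransmitted frame still shows up in the packet list, which is why counting frames and counting distinct segments can differ.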

4 HTML Documents with Embedded Objects

16. 3 HTTP GET request messages were sent by my browser. It sent them to
128.119.245.12, 128.119.245.12, and 128.119.240.90.

17. The browser downloaded the two images serially, because the first image
was requested and received before the second image was requested by the browser.
