You are here: Home / Past Courses / Fall 2011 - ECPE 177 / Homework / Homework 2 - Transport Layer

Homework 2 - Transport Layer

Submission information: This homework assignment is due at the start of class on the due date.  You must turn it in electronically via the companion Sakai website. Simply upload a document in PDF format, or type your solution directly into the Assignment submission box.


Wireshark UDP Analysis

In this exercise, you will use Wireshark to analyze UDP packets.

First, install the Wireshark packet capture program on your own computer.  Versions for Windows and Mac are available at, and versions for Linux are available in the normal software manager for your distribution.

Second, use Wireshark to capture UDP packets. Turn off any network-intensive programs you may already have running.  Then, tell Wireshark to start capturing packets on the active network interface. Note that this typically requires running the program in Administrator or root mode. Then, you should do something that will cause your host (computer) to send and receive several UDP packets. (Hint: what very common protocol have we talked about in class that uses UDP as the transport layer?  What could you easily do in order to trigger this protocol to run?).  After you see a few UDP packets in your capture window, stop packet capture before you have a massive file!

Third, set your packet filter so that Wireshark only displays UDP packets sent and received at your host. (Type "udp" in the text box labeled "Filter" at the top of the Wireshark window and press enter). Pick one of these UDP packets and expand the UDP fields in the details window.

Answer the following questions based on your captured packets:

  1. What did you do to cause your computer to send and receive several UDP packets?
  2. How many fields are there in the UDP header?  (To verify your answer, you could compare it against the description of UDP found online at Network Sorcery).
    1. List each field name
    2. List the size of each field in bytes (Hint: Look at the bottom part of the Wireshark detail window)
  3. The value in the Length field is the length of what, exactly?  Verify you answer using a captured packet.
  4. What is the maximum number of bytes that can be included in a UDP payload? What aspect of the UDP header design causes this limit?
  5. What is the largest possible source port number? What aspect of the UDP header design causes this limit?
  6. What is the protocol number for UDP? Give your answer in both hexadecimal and decimal notation. (Hint: look in the IP header)
  7. Research UDP online. Over which fields in the packet is the UDP checksum calculated?
  8. Examine a pair of UDP packets in which the first packet is sent by your host and the second packet is a reply to the first packet. What is the relationship between the source and destination port numbers in the two packets?


Wireshark HTTP Analysis: Conditional Requests

Modern web browsers perform object caching and thus perform a "conditional" GET when retrieving an HTTP object. For this problem, you will capture a conditional GET using Wireshark.

First, make sure your browser’s cache is empty. (To do this under Firefox, select Tools->Clear Private Data, for Internet Explorer, select Tools->Internet Options- >Delete Files, or for Chrome, select Clear Browsing Data).   This removes all cached files from your browser’s cache.

Second, start your web browser and the Wireshark packet capture program. Start packet capture in Wireshark.

Third, enter the following URL in your browser: Your browser should display a very simple five-line HTML file.

Fourth, quickly enter the same URL into your browser again (or simply select the refresh button on your browser)

Fifth, stop Wireshark packet capture, and enter “http” in the Filter window so that only captured HTTP messages will be displayed.

Answer the following questions based on your captured packets:

  1. Inspect the contents of the first HTTP GET request from your browser to the server.
    1. Do you see an “IF-MODIFIED-SINCE” line in the HTTP GET? Why or why not?
  2. Inspect the contents of the server response.
    1. Did the server explicitly return the contents of the file? How can you tell?
    2. When was the file last modified?
  3. Inspect the contents of the second HTTP GET request from your browser to the server.
    1. Do you see an “IF-MODIFIED-SINCE:” line in the HTTP GET?
    2. If so, what information follows the “IF-MODIFIED-SINCE:” header?  Where did the web browser learn that information from?
  4. Inspect the contents of the server response to this second request.
    1. What is the HTTP status code and phrase returned from the server?
    2. Did the server explicitly return the contents of the file?  Why or why not?


Wireshark HTTP Analysis: Long Documents

The HTTP protocol can be used to transfer very large files. However, IP messages have a maximum length of ~64kB, and standard Ethernet frames are limited to only ~1.4kB.  What happens when a file larger than this is transferred?

First, start up your web browser, and make sure your browser’s cache is cleared as discussed above.

Second, start up the Wireshark packet sniffer and begin capturing.

Third, enter the following URL into your browser: Your browser should display Act 1, Scene 1, of Henry V.

Fourth, quickly stop Wireshark packet capture. Filter on this string:  http or tcp

In the packet-listing window, locate the following items:

  1. Your HTTP GET message for page2.html (near the top)
  2. Many TCP messages, with some labeled "TCP Segment of a Reassembled PDU”
  3. The server's HTTP OK 200 response message for page2.html (near the bottom)


The HTTP response message consists of a status line, followed by header lines, followed by a blank line, followed by the entity body. In the case of our HTTP GET, the entity body in the response is the entire requested HTML file. For this document, the 8616 byte file is too large to fit in one TCP packet. The single HTTP response message is thus broken into several pieces by TCP, with each piece being contained within a separate TCP segment. Each TCP segment is a separate packet recorded by Wireshark. The last fragment of the response is captured by Wireshark, which then reassembles all the prior pieces and shows an HTTP 200 OK message (with the full document).

Answer the following questions based on your captured packets:

  1. Based on your knowledge of TCP, what is the purpose of the three TCP messages that occur before the initial GET request from your web browser?
  2. How many HTTP GET request messages were sent by your browser?
  3. How many data-containing TCP segments were needed to carry the single HTTP response? (Tip: Find the final HTTP 200 OK packet, expand it, and Wireshark will describe how the TCP segments were reassembled)
    1. How much data did each of these separate packets carry, and what was the total file data size sent from the server to web browser in bytes?


UDP versus TCP

Application programmers often choose UDP as a transport protocol in order to gain more precise control over what data is sent out in a particular network segment, and when that segment is sent.

  1. Why does an application have more control of what data is sent in a segment?
  2. Why does an application have more control over when the segment is sent?


Alternate Transport Layer Protocols: SCTP

The Transport Layer is not limited to only UDP and TCP.  As the Internet has evolved, a variety of alternate transport layer protocols have been designed and implemented. One such example is SCTP, the Stream Control Transmission Protocol.

Research SCTP online and answer the following questions:

  1. What applications was SCTP designed to work well for?
  2. What features does SCTP contain that enable it to work well for a certain targeted class of applications?
    1. (In your answer, you should name 4 similarities and/or differences between SCTP and the more widely known transport layer protocols TCP and UDP.)
  3. How popular is SCTP today?
    1. If popular: what types of applications use SCTP today?
    2. If not popular: What is holding back widespread use of SCTP on the Internet today?