CS 342: Networks Lab: Assignment - 2

Assignment - 2

CS 342: Networks Lab

Submitted by Harsh Yadav, Roll No. 180123015, Dept. of Mathematics and Computing

Question 1:

The different protocols used at different layers by the desktop application of OneDrive are as follows:
• Transport Layer: TCP, UDP
• Network Layer: IPv4
• Application Layer: DNS
• Physical Layer: Ethernet II
• Transport Layer Security: TLSv1.2

Packet formats for the various protocols are as follows:

1. Transport Layer:
• Transmission Control Protocol (TCP):
o Source Port-54682: Port of the sending host; the sender uses it to keep track of its existing data streams.
o Destination Port-443: Port on the receiving host to which the packets are addressed.
o TCP Segment Length-0: Number of payload bytes carried by this segment (a field computed by Wireshark; 0 means the segment carries no data).
o Sequence Number-1: If the SYN flag is set (1), then this is the initial sequence number. The
sequence number of the actual first data byte and the acknowledged number in the
corresponding ACK are then this sequence number plus 1. If the SYN flag is clear (0), then this is
the accumulated sequence number of the first data byte of this segment for the current session.
o Acknowledgement Number-1: Contains the value of the next sequence number that the sender
of the segment is expecting to receive, if the ACK control bit is set. The acknowledgement
number refers to the stream flowing in the opposite direction from the segment.
o Calculated Window size value-131328: Buffer space available for incoming data
o Checksum- 0x1331: This 16-bit field is used for error checking of the header and data.
o Urgent Pointer-0: Only meaningful when the URG flag is set; this 16-bit field is then an offset from the sequence number that marks the last urgent data byte.
• User Datagram Protocol (UDP):
o Source Port-56566: Described above.
o Destination Port-53: Described above.
o Length-53: The length of the UDP header plus the UDP data, in bytes.
o Checksum-0xbc95: Described above.

2. Network Layer: Internet Protocol Version 4 (IPv4):
o Source-192.168.225.206: The PC's IP address.
o Destination-192.168.225.1: The destination's IP address.
o Version Field-4: For an IPv4 packet the Version field is 4, represented in binary as '0100'.
o Header Length-20 bytes: The HL (IHL) field gives the total length of the header, measured in 32-bit words.
o Differentiated Services Field-0x00: Indicates the quality of service requested from the network; the DSF determines how routers queue the packet while it waits to be forwarded.
o Total Length-40: Used to indicate the total length of the IP packet including the data and is represented
in octets.
o Identification-0x92c3: The Identification field uses 16 bits and is uniquely set by the sender to help
identify specific packets when they are being reassembled from fragments.
o Fragment offset-0: The Fragment Offset field uses 13 bits and is represented in units of 8 octets (or
bytes). This field is used to indicate to the destination device where a received fragment should be placed
when all of the data from the packet is being reassembled.
3. Application Layer: Domain Name System (DNS):
o Transaction Id-0x38e4: A 16-bit identifier assigned by the program that generates any kind of query. This
identifier is used to match up responses to outstanding queries.
o Flags:
➢ Response: A 1-bit field that specifies whether this message is a query (0), or a response (1).
➢ OpCode: A 4-bit field that specifies the kind of query in this message. 0 represents a standard query.
o Questions-1: Number of entries in Question section.
o Answer RRs-0: Number of entries in Answer section.
o Authority RRs-0: Number of entries in Authority section.
o Additional RRs-0: Number of entries in Additional section.
o Queries: Shows all queries with name, length, label, type and class.

4. Physical Layer: Ethernet II:
o Destination-(ca:bd:57:25:21:98): Destination MAC address
o Source-(20:16:b9:9b:a2:80): Source MAC address
o Type-IPv4 (0x0800): EtherType, identifying the protocol carried in the frame
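The header walk described in items 1 to 4 above, as an added example (not code from the original report): a Python decoder that reads an Ethernet II frame and reports the same fields layer by layer, verifying the IPv4 header checksum on the way. The two frames it decodes are constructed; the MAC addresses, IP addresses, ports and identifiers are the values quoted above, while everything else (sequence number, window, DNS flags, the UDP checksum of 0) is made up for the example.

```python
"""Decode the header fields listed in Question 1 from raw frame bytes.

Added example, not part of the original report. It walks Ethernet II ->
IPv4 -> TCP or UDP (-> DNS header and question when port 53 is involved),
returns the fields the report lists, and verifies the IPv4 header checksum.
The two frames at the bottom are constructed; only the addresses, ports and
identifiers quoted in the report are taken from it.
"""
import struct

ETH_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header's 16-bit words. Over a header whose
    checksum field is zero it yields the value to store; over a header with the
    checksum filled in it yields 0 when nothing has been corrupted."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_dns_name(msg: bytes, offset: int):
    """Read length-prefixed labels up to the terminating zero byte."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def parse_dns(msg: bytes) -> dict:
    """12-byte DNS header plus the first entry of the question section."""
    tid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = parse_dns_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": hex(tid), "response": bool(flags >> 15),
            "opcode": (flags >> 11) & 0xF, "questions": qd, "answer_rrs": an,
            "authority_rrs": ns, "additional_rrs": ar,
            "qname": qname, "qtype": qtype, "qclass": qclass}


def parse_frame(frame: bytes) -> dict:
    """Return the report's fields layer by layer as nested dicts."""
    dst, src, eth_type = struct.unpack("!6s6sH", frame[:14])
    out = {"eth": {"dst": dst.hex(":"), "src": src.hex(":"), "type": hex(eth_type)}}
    if eth_type != ETH_IPV4:
        return out  # e.g. 0x0806 ARP: nothing further decoded here
    ip = frame[14:]
    ver_ihl, dsf, total_len, ident, frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4  # IHL counts 32-bit words
    out["ipv4"] = {"version": ver_ihl >> 4, "header_len": ihl, "dsf": hex(dsf),
                   "total_len": total_len, "id": hex(ident),
                   "frag_offset": frag & 0x1FFF,  # low 13 bits, in 8-octet units
                   "protocol": proto,
                   "src": ".".join(map(str, ip[12:16])),
                   "dst": ".".join(map(str, ip[16:20])),
                   "checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    payload = ip[ihl:total_len]
    if proto == 6:  # TCP
        sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", payload[:20])
        data_off = (off_flags >> 12) * 4
        out["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                      "syn": bool(off_flags & 0x002), "ack_flag": bool(off_flags & 0x010),
                      "window": win, "checksum": hex(csum), "urgent_ptr": urg,
                      "segment_len": len(payload) - data_off}
    elif proto == 17:  # UDP
        sport, dport, length, csum = struct.unpack("!4H", payload[:8])
        out["udp"] = {"src_port": sport, "dst_port": dport, "length": length, "checksum": hex(csum)}
        if 53 in (sport, dport):
            out["dns"] = parse_dns(payload[8:length])
    return out


# --- constructed frames (addresses/ids from the report, everything else made up) ---
def build_frame(proto: int, l4: bytes, ident: int) -> bytes:
    eth = bytes.fromhex("cabd57252198") + bytes.fromhex("2016b99ba280") + struct.pack("!H", ETH_IPV4)
    src, dst = bytes([192, 168, 225, 206]), bytes([192, 168, 225, 1])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), ident, 0x4000, 64, proto, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the checksum
    return eth + ip + l4


def dns_question(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


DNS_BODY = (struct.pack("!6H", 0x38E4, 0x0100, 1, 0, 0, 0)
            + dns_question("iitgoffice-my.sharepoint.com") + struct.pack("!HH", 1, 1))
# UDP checksum 0 means "not computed", which IPv4 permits (the report's capture had 0xbc95).
DNS_QUERY_FRAME = build_frame(17, struct.pack("!4H", 56566, 53, 8 + len(DNS_BODY), 0) + DNS_BODY, 0x92C3)
# 20-byte TCP header, SYN only, no payload: IPv4 total length 40 as in the report.
TCP_SYN_FRAME = build_frame(6, struct.pack("!HHIIHHHH", 54682, 443, 1000, 0, 0x5002, 65535, 0x1331, 0), 0x92C4)

if __name__ == "__main__":
    for frame in (DNS_QUERY_FRAME, TCP_SYN_FRAME):
        print(parse_frame(frame))
```

The checksum check is the part worth keeping in mind when reading Wireshark output: a corrupted header byte is reported as a bad checksum only if the capture point validates it, and Wireshark disables IPv4 checksum validation by default.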

5. Transport Layer Security: TLSv1.2:

TLS sits between the transport layer and the application layer and handles session and connection coordination.
o Content Type-Handshake (22): Identifies the protocol carried by this record layer message; the value 22 means the record contains Handshake protocol data.
o Version-TLS 1.0: The protocol version the client places in the record header.
o Length-572: The length (in bytes) of the following TLSCiphertext fragment. The length MUST NOT exceed
2^14 + 2048.
o Random: The Random number generated by Client here is a parameter for the key calculation between
client and server.
o Message Authentication Code (MAC): It is a one-way hash computed from a message and some secret
data. It is difficult to forge without knowing the secret data. Its purpose is to detect if the message has
been altered.
Question 2:
Some of the functionalities exercised in this experiment were: uploading/downloading, creating a folder, deleting a file, view online and signin/signout. The protocols observed for these functionalities on the OneDrive Desktop App were TCP, UDP, SSDP, DNS, TLSv1.2 and ARP (all of these can be seen in the traces provided in the zip). Their roles are as follows:

• DNS: Functionalities that used this protocol are: uploading/downloading, creating folder, deleting a file, view online and signin/signout.
Initially, some DNS queries were observed. These queries resolved the host names of the destination sites: during signin/signout the queries were for skydrive.wns.windows.com (OneDrive), whereas for the other functionalities they were for iitgoffice-my.sharepoint.com. DNS makes it easier to identify a host by a domain name, which uses words rather than numbers to identify Internet hosts. For reaching iitgoffice-my.sharepoint.com the destination IP address was 192.168.43.1. A DNS server translates these names into addresses. Our app asks the TCP/IP stack to query the DNS server for the IP address of iitgoffice-my.sharepoint.com, and when it receives the address it connects to the site returned by the DNS.

• TCP: Functionalities that used this protocol are: uploading/downloading, creating folder, deleting a file, view online and signin/signout.
All the functionalities mentioned above need a connection to be established, and TCP's 3-way handshake ensures a proper connection with the destination so that the data is sent to the correct host. It is clear from the Wireshark results that the OneDrive desktop app strongly prefers TCP over UDP for connection establishment. TCP is a connection-oriented protocol used for reliable delivery of data to the destination: data arrives in order, duplicate packets are eliminated, lost or corrupted packets are resent, and accuracy is given priority over speed. Its responsibilities include end-to-end message transfer independent of the underlying network and of the structure of the user data, along with error control, segmentation, flow control and congestion control.

• TLSv1.2: Functionalities that used this protocol are: uploading/downloading, creating folder, deleting a file, view online and signin/signout.
Transport layer protocols (TCP and UDP) are not secure by default: anyone able to capture the traffic can see what data is being transferred between two hosts, so sensitive and personal information cannot be sent over such an insecure channel. Transport Layer Security (TLS) adds an extra layer of security on top of the transport layer using cryptographic mechanisms. The TLS protocol aims to provide privacy and data integrity between two entities communicating over the network. The main purpose of this security is that even if someone captures your packets, they will not be able to see the actual content inside them; only the intended recipient can read the contents.

• ARP: Functionalities that used this protocol are: view online and signin/signout.
Address Resolution Protocol (ARP) is a procedure for mapping a dynamic Internet Protocol (IP) address to a permanent physical machine address in a local area network (LAN). The physical machine address is also known as a Media Access Control (MAC) address. ARP broadcasts a request packet to all the machines on the LAN asking which machine is using that particular IP address. When a machine recognizes the IP address as its own, it sends a reply so that ARP can update its cache for future reference and the communication can proceed.

• UDP: Very few UDP packets were observed in some of the functionalities. Features such as a secure, reliable connection are not available in UDP, so the application uses it rarely and only for less important data. The functionality with a considerable number of UDP packets was view online. User Datagram Protocol (UDP) is more efficient in terms of both latency and bandwidth.

Question 3:
Whenever we load a website, a host-name-to-IP lookup is triggered using the DNS protocol (over UDP). We may also see some ARP packets due to our ethernet/wifi connection's broadcast messages. In the transport layer, TCP establishes a correct communication channel through its three-way handshake, which ensures that both client and server are ready. Yes, both TLS handshaking message sequences and 3-way TCP handshaking message sequences are present in the application traces, as explained below:
• TLS Handshaking Message Sequence: TLS is an encryption protocol designed to secure Internet communications. A TLS handshake is the process that starts a communication session that uses TLS encryption. During a TLS handshake the two communicating sides exchange messages to acknowledge each other, verify each other, establish the encryption algorithms they will use, and agree on session keys to secure the session. During the course of a TLS handshake the client and server together do the following:
o Specify which version of TLS (TLS 1.0, 1.2, 1.3, etc.) they will use
o Decide on which cipher suites they will use
o Authenticate the identity of the server via the server's public key
o Generate session keys in order to use symmetric encryption after the handshake is complete.
TLS handshakes are a series of messages exchanged by a client and a server. The handshake messages most frequently seen in the traces are 'Client Hello', 'Server Hello', 'Certificate, Server Key Exchange, Server Hello Done' and 'Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message', as shown in the screenshot below.
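The record layer fields listed under item 5 of Question 1 (content type 22, version, length with its 2^14 + 2048 limit, the client Random) and the grouped handshake messages listed just above, as an added example (not code from the original report): a Python decoder that parses TLS records and names the handshake messages inside each one, so a server flight packed as 'Certificate, Server Key Exchange, Server Hello Done' in a single record is listed as three messages. The records are constructed; the Certificate and Server Key Exchange bodies are placeholders and the Random is a fixed byte pattern rather than real randomness.

```python
"""Decode TLS record headers and the handshake message types they carry.

Added example, not part of the original report. Parses the record layer
fields from Question 1 (content type, version, length, ClientHello random)
and lists the handshake messages inside each record. The records below are
constructed; certificate and key-exchange bodies are placeholders.
"""
import struct

MAX_RECORD_LEN = 2**14 + 2048  # RFC 5246 bound on a TLSCiphertext fragment
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_record(data: bytes, offset: int = 0):
    """Parse one record starting at offset; return (record dict, next offset)."""
    ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
    if length > MAX_RECORD_LEN:
        raise ValueError("record length %d exceeds 2^14 + 2048" % length)
    fragment = data[offset + 5:offset + 5 + length]
    if len(fragment) != length:
        raise ValueError("truncated record")
    rec = {"content_type": CONTENT_TYPES.get(ctype, ctype),
           "version": VERSIONS.get(version, hex(version)), "length": length, "messages": []}
    if ctype == 22:
        pos = 0
        while pos < len(fragment):  # several handshake messages may share one record
            htype = fragment[pos]
            hlen = int.from_bytes(fragment[pos + 1:pos + 4], "big")
            body = fragment[pos + 4:pos + 4 + hlen]
            msg = {"type": HANDSHAKE_TYPES.get(htype, htype), "length": hlen}
            if htype == 1:  # ClientHello: version, 32-byte random, session id, cipher suites
                msg["client_version"] = VERSIONS.get(struct.unpack("!H", body[:2])[0])
                msg["random"] = body[2:34].hex()
                sid_len = body[34]
                cs_start = 35 + sid_len
                cs_len = struct.unpack("!H", body[cs_start:cs_start + 2])[0]
                suites = body[cs_start + 2:cs_start + 2 + cs_len]
                msg["cipher_suites"] = [hex(s) for s in struct.unpack("!%dH" % (cs_len // 2), suites)]
            rec["messages"].append(msg)
            pos += 4 + hlen
    return rec, offset + 5 + length


def parse_records(data: bytes) -> list:
    """Parse back-to-back records from one direction of a connection."""
    records, offset = [], 0
    while offset < len(data):
        rec, offset = parse_record(data, offset)
        records.append(rec)
    return records


def handshake_sequence(data: bytes) -> list:
    """Flat list of handshake message names across all records, in wire order."""
    return [m["type"] for rec in parse_records(data) for m in rec["messages"]]


# --- constructed records ---
def handshake(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def record(ctype: int, version: int, fragment: bytes) -> bytes:
    return struct.pack("!BHH", ctype, version, len(fragment)) + fragment


CLIENT_RANDOM = bytes(range(32))  # constructed; a real client sends 32 random bytes
CLIENT_HELLO = record(22, 0x0301, handshake(1,
    struct.pack("!H", 0x0303) + CLIENT_RANDOM            # client version TLS 1.2, random
    + b"\x00"                                            # empty session id
    + struct.pack("!HHH", 4, 0xC02F, 0xC030)             # two cipher suites
    + b"\x01\x00"))                                      # null compression only
SERVER_FLIGHT = record(22, 0x0303,
    handshake(2, struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", 0xC02F) + b"\x00")
    + handshake(11, b"\x00\x00\x00")                     # empty certificate list (placeholder)
    + handshake(12, b"\x00" * 8)                         # placeholder key-exchange body
    + handshake(14, b""))                                # ServerHelloDone has no body

if __name__ == "__main__":
    print(handshake_sequence(CLIENT_HELLO + SERVER_FLIGHT))
```

Wireshark shows the same grouping: one Info column entry per record, with every handshake message in that record listed together, which is why 'Certificate, Server Key Exchange, Server Hello Done' appears as a single line in the trace.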

• 3-Way TCP Handshake Message Sequence: Before a client attempts to connect with a server, the server must first bind to and listen on a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open.

Establishing a normal TCP connection requires three separate steps:

1) SYN: The client sends a segment (with empty payload) with the SYN flag set, which tells the server that the client wants to commence data communication with the server. The client sets the segment's sequence number to a random value Y.
2) SYN-ACK: The server replies with a segment in which both the SYN and ACK flags are set. The acknowledgement number is set to one more than the received sequence number, i.e. Y+1, and the sequence number that the server chooses for the segment is another random number, Z.
3) ACK: In the final step the client acknowledges the server's response. The sequence number is set to the received acknowledgement value, i.e. Y+1, and the acknowledgement number is set to one more than the received sequence number, i.e. Z+1.
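The three rules above applied to a decoded trace, as an added example (not code from the original report): a Python tracker that takes the columns one would export from Wireshark (addresses, ports, flag names, raw sequence and acknowledgement numbers) and checks that the SYN-ACK acknowledges Y+1 and the final ACK carries sequence Y+1 and acknowledges Z+1, modulo 2^32. Flows that never complete keep their last state so half-open connections can be counted. The segments are constructed; the client address is the one from the report, the server addresses are documentation addresses.

```python
"""Validate TCP three-way handshakes from a list of decoded segments.

Added example, not part of the original report. Input records carry the
fields one would export from Wireshark; the tracker applies the three
handshake rules (SYN with ISN Y, SYN-ACK acknowledging Y+1 with ISN Z,
ACK with seq Y+1 and ack Z+1, all modulo 2^32). The segments are constructed.
"""
MOD = 1 << 32  # sequence numbers wrap at 32 bits


def track_handshakes(segments):
    """Return {(client, cport, server, sport): {"state": ..., "Y": ..., "Z": ...}}."""
    flows = {}
    for s in segments:
        flags = frozenset(s["flags"])
        fwd = (s["src"], s["sport"], s["dst"], s["dport"])
        rev = (s["dst"], s["dport"], s["src"], s["sport"])
        if flags == {"SYN"}:  # step 1: active open, client ISN Y
            flows[fwd] = {"state": "SYN_SENT", "Y": s["seq"]}
        elif flags == {"SYN", "ACK"} and flows.get(rev, {}).get("state") == "SYN_SENT":
            f = flows[rev]  # step 2: server ISN Z; must acknowledge Y+1
            if s["ack"] != (f["Y"] + 1) % MOD:
                f["state"] = "BAD_SYNACK"
            else:
                f.update(state="SYN_RECEIVED", Z=s["seq"])
        elif flags == {"ACK"} and flows.get(fwd, {}).get("state") == "SYN_RECEIVED":
            f = flows[fwd]  # step 3: client confirms with seq Y+1, ack Z+1
            if s["seq"] == (f["Y"] + 1) % MOD and s["ack"] == (f["Z"] + 1) % MOD:
                f["state"] = "ESTABLISHED"
            else:
                f["state"] = "BAD_ACK"
    return flows


def count_states(flows):
    """Histogram of final handshake states, e.g. to spot many half-open flows."""
    counts = {}
    for f in flows.values():
        counts[f["state"]] = counts.get(f["state"], 0) + 1
    return counts


CLIENT = "192.168.225.206"  # the PC address from the report
SEGMENTS = [  # constructed; servers are documentation addresses
    # flow A: complete handshake; Y = 2^32 - 1 so Y+1 wraps to 0
    dict(src=CLIENT, sport=54682, dst="198.51.100.10", dport=443, flags=["SYN"], seq=0xFFFFFFFF, ack=0),
    dict(src="198.51.100.10", sport=443, dst=CLIENT, dport=54682, flags=["SYN", "ACK"], seq=7000, ack=0),
    dict(src=CLIENT, sport=54682, dst="198.51.100.10", dport=443, flags=["ACK"], seq=0, ack=7001),
    # flow B: SYN never answered (half-open)
    dict(src=CLIENT, sport=54683, dst="198.51.100.11", dport=443, flags=["SYN"], seq=1000, ack=0),
    # flow C: SYN-ACK acknowledges the wrong number
    dict(src=CLIENT, sport=54684, dst="198.51.100.12", dport=443, flags=["SYN"], seq=2000, ack=0),
    dict(src="198.51.100.12", sport=443, dst=CLIENT, dport=54684, flags=["SYN", "ACK"], seq=9000, ack=2002),
]

if __name__ == "__main__":
    print(count_states(track_handshakes(SEGMENTS)))
```

Wireshark shows relative sequence numbers (the 1 and 1 in Question 1) by default; the tracker above expects raw values, so export with relative sequence numbers turned off or the wrap-around check loses its meaning.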

a) Creating Folder/Uploading/Downloading: Initially we observe some DNS queries (for iitgoffice-my.sharepoint.com). Then this functionality performs the TCP 3-way handshake, which establishes a reliable connection between the hosts (explained above). After this it runs the TLS handshake (also explained above), which lays the foundation for the encrypted data transfer that follows. Thereafter the communication between the two hosts proceeds over TCP and TLS. Screenshots from the different traces are given below:

▪ The two screenshots given below are from uploading functionality trace:
▪ The two screenshots given below are from create folder functionality trace:

b) Signin: After some DNS queries (for skydrive.wns.windows.com (OneDrive)), this functionality also used the 3-way TCP handshake to establish a reliable connection and then a TLSv1.2 handshake to make the connection secure. Finally an ARP request message ("who has A.A.A.A? tell B.B.B.B", where both are IP addresses) is broadcast on the local area network with Ethernet protocol type 0x0806. The packet is discarded by all machines except the target machine, which responds with an ARP reply message ("A.A.A.A is at hh:hh:hh:hh:hh:hh", where hh:hh:hh:hh:hh:hh is the Ethernet source address of the reply).

Question 4:
Statistics for the uploading functionality on the OneDrive Desktop App, obtained with Wireshark, are given below:

Date/Time           Throughput  RTT      Avg. Packet   No. of        No. of UDP  No. of TCP  No. of Responses
                    (in pps)    (in ms)  Size (in B)   Packets Lost  Packets     Packets     per Request
29-09-20 00:46 hrs  3.7         270      486           0             11          56          1
29-09-20 17:06 hrs  17.8        56       656           0             35          647         0.92
29-09-20 19:45 hrs  21.4        46       925           0             2           434         1
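How the columns of the table above can be derived from a decoded trace, as an added example (not code from the original report): a Python function that computes throughput in packets per second, RTT from the SYN to SYN-ACK delay of each handshake, average packet size, TCP retransmissions as the "packets lost" figure, the UDP and TCP counts, and responses per request. The report does not say how its last column was defined, so taking it as DNS responses divided by DNS queries is an assumption. The packets are constructed; the client and resolver addresses are from the Question 1 trace, the server address is a documentation address.

```python
"""Compute the Question 4 statistics from a list of decoded packets.

Added example, not part of the original report. Throughput is packets per
second over the capture, RTT is the SYN -> SYN-ACK delay per handshake,
"packets lost" counts TCP retransmissions, and responses per request is
taken as DNS responses / DNS queries (an assumption about the report's
column). The packet list is constructed.
"""


def compute_stats(packets):
    """Return the table's columns for one capture, given time-ordered packets."""
    duration = packets[-1]["t"] - packets[0]["t"]
    tcp = [p for p in packets if p["proto"] == "TCP"]
    udp = [p for p in packets if p["proto"] == "UDP"]
    dns_q = sum(1 for p in udp if p.get("dns_response") is False)
    dns_r = sum(1 for p in udp if p.get("dns_response") is True)

    # RTT: delay between a client's SYN and the matching SYN-ACK, per flow
    syn_times, rtts = {}, []
    for p in tcp:
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if set(p["flags"]) == {"SYN"}:
            syn_times[flow] = p["t"]
        elif set(p["flags"]) == {"SYN", "ACK"}:
            rev = (p["dst"], p["dport"], p["src"], p["sport"])
            if rev in syn_times:
                rtts.append(p["t"] - syn_times.pop(rev))

    # "lost" packets: a data segment repeating an already-seen (flow, seq) is a retransmission
    seen, retrans = set(), 0
    for p in tcp:
        if p.get("payload", 0) > 0:
            key = (p["src"], p["sport"], p["dst"], p["dport"], p["seq"])
            if key in seen:
                retrans += 1
            seen.add(key)

    return {
        "throughput_pps": round(len(packets) / duration, 1) if duration else None,
        "rtt_ms": round(1000 * sum(rtts) / len(rtts), 1) if rtts else None,
        "avg_packet_size": round(sum(p["len"] for p in packets) / len(packets), 1),
        "packets_lost": retrans,
        "udp_packets": len(udp),
        "tcp_packets": len(tcp),
        "responses_per_request": round(dns_r / dns_q, 2) if dns_q else None,
    }


C = "192.168.225.206"  # client PC (from the report)
R = "192.168.225.1"    # DNS destination seen in Question 1 (from the report)
S = "198.51.100.10"    # upload server (constructed, documentation address)
PACKETS = [  # constructed, ordered by capture time in seconds
    dict(t=0.000, len=80,  proto="UDP", src=C, sport=56566, dst=R, dport=53, dns_response=False),
    dict(t=0.030, len=120, proto="UDP", src=R, sport=53, dst=C, dport=56566, dns_response=True),
    dict(t=0.050, len=66,  proto="TCP", src=C, sport=54682, dst=S, dport=443, flags=["SYN"], seq=1000),
    dict(t=0.320, len=66,  proto="TCP", src=S, sport=443, dst=C, dport=54682, flags=["SYN", "ACK"], seq=5000),
    dict(t=0.321, len=54,  proto="TCP", src=C, sport=54682, dst=S, dport=443, flags=["ACK"], seq=1001),
    dict(t=0.400, len=554, proto="TCP", src=C, sport=54682, dst=S, dport=443, flags=["PSH", "ACK"], seq=1001, payload=500),
    dict(t=0.700, len=554, proto="TCP", src=C, sport=54682, dst=S, dport=443, flags=["PSH", "ACK"], seq=1001, payload=500),  # retransmission
    dict(t=0.900, len=54,  proto="TCP", src=S, sport=443, dst=C, dport=54682, flags=["ACK"], seq=5001),
    dict(t=2.000, len=80,  proto="UDP", src=C, sport=56567, dst=R, dport=53, dns_response=False),
    dict(t=2.500, len=120, proto="UDP", src=R, sport=53, dst=C, dport=56567, dns_response=True),
]

if __name__ == "__main__":
    print(compute_stats(PACKETS))
```

The retransmission heuristic is the simplest one; Wireshark's own expert analysis also distinguishes fast retransmissions and spurious retransmissions, so its count can differ from this one on a real trace.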
Question 5:
I used Jio-Fiber wifi for the whole lab assignment and discovered that many functionalities of OneDrive, including the uploading function (which was used to analyse the statistics in Q4), sent/received packets to/from multiple hosts or servers. Below is the screenshot of the trace for the uploading function at 17:06 hrs on 29-09-20:

Note: The list of IP addresses of the multiple hosts can be seen in the above screenshot.
Multiple hosts may exist for the following reasons:
o Load Balancing - Distributing network traffic across servers to reduce network congestion
o Geographic location - Ideally a server should be as close as possible to the customer or end user
o Maintenance backup
o Price, and as a precaution against faults in the network lines of a few servers.
