Learn essential TCP/IP protocol analysis skills from a senior expert. Explore packet analysis best practices, including sequence and acknowledgement numbers, retransmissions, and newer features such as Selective Acknowledgement (SACK), to troubleshoot network issues effectively. Practice with Wireshark to understand the real-world impact of what you see in the packets.
Basic TCP/IP Analysis
June 17, 2010
Hansang Bae, Senior Vice President | Citi (f.k.a. Citigroup)
Email: hansang@gmail.com
Please refer to the “answersheet.docx” file for additional information about this presentation.
These sessions will be available on YouTube: http://www.youtube.com/user/hansangb
SHARKFEST ‘10, Stanford University, June 14-17, 2010
The Basic Building Blocks
A lot of people will tell you they know TCP/IP, but most don’t. This includes me!
Advice for someone starting out in this field (packet analysis):
• Learn the protocols! There is no way around it. I can recommend some books if you’re interested.
• Don’t just learn the technical specifications. Try to understand the real-world impact.
• Everywhere you go, fire up Wireshark and try to observe. Osmosis will kick in sooner or later.
• Packet analysis is based on pattern recognition.
Internet Protocol (IP)!
How can the IP header information help you?
• Look at the IP Identification field. This is not foolproof, but it can help pinpoint problems.
• Look at the TTL field. It too can help your troubleshooting. What is TTL, anyway?
• The “Don’t Fragment” bit can play a crucial role, so you need to learn about this as well.
• Practice, practice, practice.
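As an added example (not part of the original slides), the following Python decodes exactly the three IP header fields the slide points at: the Identification field, the TTL, and the Don’t Fragment bit. The 20-byte header is constructed for the example; `estimate_hops` encodes the common rule of thumb that every router decrements TTL by one and most stacks start from 64, 128 or 255, and `same_packet_seen_twice` applies the IP ID check analysts use to tell a capture duplicate from a real retransmission. Both helper names are ours, not Wireshark’s.

```python
import struct

# Constructed sample: one 20-byte IPv4 header with no options.
#   Version 4, IHL 5, total length 60, Identification 0x1c46, flags/offset 0x4000 (DF set,
#   fragment offset 0), TTL 64, protocol 6 (TCP), checksum left at 0 (not validated here),
#   source 10.0.0.1, destination 10.0.0.2.
SAMPLE_HEADER = bytes.fromhex("4500003c" "1c464000" "40060000" "0a000001" "0a000002")

# Initial TTL values most operating systems start from; used only for the hop estimate.
COMMON_INITIAL_TTLS = (64, 128, 255)


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the IPv4 header fields that matter when troubleshooting."""
    if len(raw) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version = ver_ihl >> 4
    if version != 4:
        raise ValueError(f"not an IPv4 header (version {version})")
    return {
        "header_length": (ver_ihl & 0x0F) * 4,
        "total_length": total_len,
        "id": ident,                               # IP Identification field
        "df": bool(flags_frag & 0x4000),           # Don't Fragment bit
        "mf": bool(flags_frag & 0x2000),           # More Fragments bit
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is stored in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def estimate_hops(ttl: int) -> int:
    """Heuristic: each router decrements TTL by one, so the distance from the nearest
    common initial value at or above the observed TTL is a rough hop count."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("a TTL above 255 cannot occur in a real header")


def same_packet_seen_twice(hdr_a: dict, hdr_b: dict) -> bool:
    """Two copies with the same IP Identification and endpoints are usually one packet
    captured twice (for example both legs of a SPAN session); a different Identification
    means the sender really transmitted again. Not foolproof: some stacks send ID 0 on
    every DF packet, so always confirm with the TCP sequence numbers."""
    keys = ("id", "src", "dst", "protocol")
    return all(hdr_a[k] == hdr_b[k] for k in keys)


if __name__ == "__main__":
    hdr = parse_ipv4_header(SAMPLE_HEADER)
    print(f"IP ID=0x{hdr['id']:04x} TTL={hdr['ttl']} DF={hdr['df']} "
          f"approx. hops={estimate_hops(hdr['ttl'])}")
```

Run it as-is to see the decoded fields; in practice you would feed it the raw bytes of each frame (or simply read the same fields off Wireshark’s IP tree) and watch for IP IDs that repeat and TTLs that drift between packets of one flow.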
Sequence/Acknowledgement
It’s a simple concept. Don’t overthink it!
• Use relative sequence numbers: “Edit, Preferences, Protocols, TCP, Relative Sequence Numbers…”
• If you are new to this, analyze the sequence numbers in one direction at a time. But keep in mind that TCP is a duplex protocol.
• The sequence number represents how many bytes have been sent. SEQ + DATA = Next Seq#. It also represents the ACK for the other side: “This is where I’m at, and I’m going to send you this much more.”
• ACKs are cumulative (“I’m good up to this point”).
Retransmissions
There are two types of retransmissions: “regular” retransmissions and “fast retransmissions”.
• If the sender does not get any feedback from the receiver (what feedback?), the sender will retransmit the packet.
• The problem with retransmissions is that a timer has to go off before retransmitting. This can be 100ms to 200ms.
• Fast retransmissions address this delay. The receiver notifies the sender: “I’m missing a packet, I’m missing a packet, I’m missing a packet.” After the third notification, the sender immediately retransmits.
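The two slides above (sequence/acknowledgement arithmetic and the two kinds of retransmission) are tied together in this added Python example, which is not part of the original deck. It walks a constructed capture in frame order using relative sequence numbers, tracks one direction at a time as the slide advises, and labels what Wireshark would label: SEQ + DATA gives the next expected sequence number, a pure ACK repeating the previous value is a duplicate ACK, a resend that follows three duplicate ACKs for that very sequence number is a fast retransmission, and a resend without that feedback is a plain (timer-driven) retransmission. The `Segment` class, the endpoint names “A” and “B” and the sample frames are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    frame: int    # capture frame number
    src: str      # sending endpoint, "A" or "B"
    seq: int      # relative sequence number of the first payload byte
    ack: int      # relative acknowledgement number (next byte expected from the peer)
    length: int   # payload bytes carried


def next_seq(seg: Segment) -> int:
    """SEQ + DATA = next sequence number; it is also what the peer should ACK."""
    return seg.seq + seg.length


def analyze(segments, endpoints=("A", "B")):
    """Classify segments in capture order, tracking each direction's sequence numbers
    separately. Returns a list of (frame, finding) tuples."""
    a, b = endpoints
    peer_of = {a: b, b: a}
    highest_next = {}   # sender -> highest next-seq seen from that sender so far
    ack_state = {}      # sender -> [last ACK value it sent, consecutive duplicate count]
    findings = []
    for seg in segments:
        if seg.length > 0:
            expected = highest_next.get(seg.src, 0)
            if seg.seq < expected:
                # Bytes we have already seen: a retransmission. If the peer has just sent
                # three duplicate ACKs naming exactly this sequence number, it is the fast kind.
                last_ack, dups = ack_state.get(peer_of[seg.src], [None, 0])
                fast = dups >= 3 and last_ack == seg.seq
                findings.append((seg.frame, "fast retransmission" if fast else "retransmission"))
            elif seg.seq > expected:
                # Gap in this direction: the bytes in between were lost or never captured.
                findings.append((seg.frame, "previous segment not captured"))
            highest_next[seg.src] = max(expected, next_seq(seg))
        else:
            # Pure ACK, cumulative: "I'm good up to this point". Same value again = duplicate.
            last_ack, dups = ack_state.get(seg.src, [None, 0])
            dups = dups + 1 if seg.ack == last_ack else 0
            if dups:
                findings.append((seg.frame, f"duplicate ACK #{dups}"))
            ack_state[seg.src] = [seg.ack, dups]
    return findings


# Constructed capture taken on B's side. A sends 1460-byte segments; the one at seq 1460 is
# lost in transit, so B keeps re-ACKing 1460 until the third duplicate ACK triggers a fast
# retransmission, after which one cumulative ACK covers everything.
FAST_RETRANSMIT_CAPTURE = [
    Segment(1, "A", 0, 0, 1460),
    Segment(2, "B", 0, 1460, 0),
    Segment(3, "A", 2920, 0, 1460),   # seq 1460..2919 never arrived
    Segment(4, "B", 0, 1460, 0),
    Segment(5, "A", 4380, 0, 1460),
    Segment(6, "B", 0, 1460, 0),
    Segment(7, "A", 5840, 0, 1460),
    Segment(8, "B", 0, 1460, 0),      # third duplicate ACK
    Segment(9, "A", 1460, 0, 1460),   # fast retransmission
    Segment(10, "B", 0, 7300, 0),     # cumulative ACK: "good up to 7300"
]

# Constructed capture of the timer-driven case: no feedback at all, so A simply resends.
TIMEOUT_RETRANSMIT_CAPTURE = [
    Segment(1, "A", 0, 0, 1460),
    Segment(2, "A", 0, 0, 1460),
]

if __name__ == "__main__":
    for frame, finding in analyze(FAST_RETRANSMIT_CAPTURE):
        print(frame, finding)
```

Note that the capture is deliberately taken on the receiver’s side, so the lost segment never appears and frame 3 is flagged as “previous segment not captured” before the duplicate ACKs start. The same code run on a capture taken at the sender would instead show the original segment and then the retransmission, which is why knowing where the capture point sits is the first question to ask.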
New TCP Features to the Rescue!
If you have packet loss, Selective Acknowledgement (SACK) may help to improve throughput.
Main concept:
• How do you interpret the SACK field? (Use real seq/ack#s.)
• How does SACK help vis-à-vis normal ACK?
• Is there a downside to using SACK?
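To work through the first two questions with actual numbers, here is an added Python example (not from the original deck) that parses the SACK option (kind 5) out of a raw TCP options field and turns the cumulative ACK plus the SACK blocks into the list of holes the sender still has to fill. The option bytes and the sequence numbers are constructed: five 1460-byte segments were sent, the second and fourth were lost, and the receiver reports what it does hold. Function names are ours.

```python
import struct


def parse_sack_blocks(options: bytes):
    """Walk a raw TCP options field and return the SACK (kind 5) blocks as
    (left_edge, right_edge) pairs: bytes left..right-1 have been received."""
    blocks = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # No-Operation padding, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"bad length {length} for option kind {kind}")
        if kind == 5:
            body = options[i + 2:i + length]
            if len(body) % 8:
                raise ValueError("SACK option body must be a multiple of 8 bytes")
            for j in range(0, len(body), 8):
                blocks.append(struct.unpack("!II", body[j:j + 8]))
        i += length
    return blocks


def missing_ranges(ack: int, sack_blocks, highest_sent: int):
    """Holes the sender still has to fill, as [start, end) ranges, given the cumulative
    ACK, the SACK blocks and the highest sequence number sent so far. Anything above the
    last SACK block up to highest_sent is counted as a hole too."""
    holes = []
    cursor = ack
    for left, right in sorted(sack_blocks):
        if left > cursor:
            holes.append((cursor, left))
        cursor = max(cursor, right)
    if cursor < highest_sent:
        holes.append((cursor, highest_sent))
    return holes


def retransmit_budget(ack: int, sack_blocks, highest_sent: int):
    """Bytes the sender must resend with SACK (only the holes) versus the bytes it has no
    information about with a plain cumulative ACK (everything above the ACK number)."""
    with_sack = sum(end - start for start, end in missing_ranges(ack, sack_blocks, highest_sent))
    without_sack = highest_sent - ack
    return with_sack, without_sack


# Constructed receiver ACK, relative numbers: 1460-byte segments were sent at 0, 1460, 2920,
# 4380 and 5840; the ones at 1460 and 4380 were lost. Cumulative ACK = 1460, and the SACK
# option lists the two islands the receiver holds, most recent first as RFC 2018 recommends.
# Two NOPs in front align the option, as real stacks do.
SAMPLE_ACK_NUMBER = 1460
SAMPLE_HIGHEST_SENT = 7300
SAMPLE_OPTIONS = b"\x01\x01" + struct.pack("!BBIIII", 5, 18, 5840, 7300, 2920, 4380)

if __name__ == "__main__":
    blocks = parse_sack_blocks(SAMPLE_OPTIONS)
    print("SACK blocks:", blocks)
    print("holes:", missing_ranges(SAMPLE_ACK_NUMBER, blocks, SAMPLE_HIGHEST_SENT))
    print("bytes to resend with SACK vs. unknown without:",
          retransmit_budget(SAMPLE_ACK_NUMBER, blocks, SAMPLE_HIGHEST_SENT))
```

Reading the output answers the slide’s first two questions: with SACK the sender learns it only needs to resend 2920 bytes (the two holes), whereas a cumulative ACK of 1460 alone tells it nothing about the 5840 bytes above that number. On the third question, one cost is visible in the parser itself: the option takes 8 bytes per block plus 2, so at most four blocks fit in the 40-byte option space (three when the timestamp option is also in use), and both ends have to agree to use SACK in the handshake (option kind 4) before any of this applies.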