Identify TCP Header Fields and Operation Using a Wireshark FTP Session Capture

Use Wireshark to capture an FTP session and inspect TCP header fields.

Step 1. Start a Wireshark capture.
a. Start and log into the CyberOps Workstation VM. Open a terminal window and start
Wireshark. Enter the password cyberops and click OK when prompted.
```
[analyst@secOps ~]$ sudo wireshark-gtk
```
b. Start a Wireshark capture for the enp0s3 interface.
c. Open another terminal window to access an external ftp site. Enter ftp ftp.cdc.gov
at the prompt. Log into the FTP site for Centers for Disease Control and Prevention
(CDC) with user anonymous and no password.

```
[analyst@secOps ~]$ ftp ftp.cdc.gov
Connected to ftp.cdc.gov.
220 Microsoft FTP Service
Name (ftp.cdc.gov:analyst): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
```
Step 2. Download the Readme file.
a. Locate and download the Readme file by entering the ls command to list the files.
```
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
-rwxrwxrwx 1 owner group 128 May 9 1995 .change.dir
-rwxrwxrwx 1 owner group 107 May 9 1995 .message
drwxrwxrwx 1 owner group 0 Feb 2 11:21 pub
-rwxrwxrwx 1 owner group 1428 May 13 1999 Readme
-rwxrwxrwx 1 owner group 383 May 13 1999 Siteinfo
-rwxrwxrwx 1 owner group 0 May 17 2005 up.htm
drwxrwxrwx 1 owner group 0 May 20 2010 w3c
-rwxrwxrwx 1 owner group 202 Sep 22 1998 welcome.msg
226 Transfer complete.
```

b. Enter the command get Readme to download the file. When the download is complete,
enter the command quit to exit.
```
ftp> get Readme
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 36 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
1428 bytes received in 0.056 seconds (24.9 kbytes/s)
```
c. After the transfer is complete, enter quit to exit ftp.
Step 3. Stop the Wireshark capture.
Step 4. View the Wireshark main window.
Wireshark captured many packets during the FTP session to ftp.cdc.gov. To limit the amount
of data for analysis, apply the filter tcp and ip.addr == 198.246.117.106 and click Apply.

Step 5. Analyze the TCP fields.
After the TCP filter has been applied, the first three packets (top section) display the
sequence of [SYN], [SYN, ACK], and [ACK], which is the TCP three-way handshake.


TCP is routinely used during a session to control datagram delivery, verify datagram arrival,
and manage window size. For each data exchange between the FTP client and FTP server, a
new TCP session is started. At the conclusion of the data transfer, the TCP session is closed.
When the FTP session is finished, TCP performs an orderly shutdown and termination.
In Wireshark, detailed TCP information is available in the packet details pane (middle section).
Highlight the first TCP datagram from the host computer, and expand the TCP datagram.
The expanded TCP datagram appears similar to the packet detail pane shown below.


The image above is a TCP datagram diagram. An explanation of each field is provided for reference:
- The TCP source port number belongs to the TCP session host that opened a connection. The
value is normally a random value above 1,023.
- The TCP destination port number is used to identify the upper layer protocol or application on
the remote site. The values in the range 0–1,023 represent the "well-known ports" and are associated
with popular services and applications (as described in RFC 1700), such as Telnet, FTP,
and HTTP. The combination of the source IP address, source port, destination IP address, and
destination port uniquely identifies the session to the sender and receiver.
Note: In the Wireshark capture above, the destination port is 21, which is FTP. FTP servers listen on
port 21 for FTP client connections.
- The Sequence number specifies the number of the last octet in a segment.
- The Acknowledgment number specifies the next octet expected by the receiver.
- The Code bits have a special meaning in session management and in the treatment of segments.
Among the interesting values are:
  - ACK — Acknowledgment of a segment receipt.
  - SYN — Synchronize, only set when a new TCP session is negotiated during the TCP three-way
handshake.
  - FIN — Finish, the request to close the TCP session.
- The Window size is the value of the sliding window. It determines how many octets can be sent
before waiting for an acknowledgment.
- The Urgent pointer is only used with the Urgent (URG) flag when the sender needs to send
urgent data to the receiver.
- The Options field currently has only one option defined, the maximum TCP segment size
(optional value).
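To make the field layout above concrete, here is an added Python example (not part of the lab or of Wireshark) that decodes the same TCP header fields Wireshark shows in the packet details pane from raw segment bytes: ports, sequence and acknowledgment numbers, data offset, code bits, window size, urgent pointer and the MSS option. It also checks whether three decoded segments form the SYN, SYN/ACK, ACK handshake seen in Step 5. The three segments are constructed in the script (client port 49152 to FTP port 21, initial sequence numbers 1000 and 5000 are made up for the example); no capture file is read.

```python
"""Decode TCP header fields (RFC 793 layout) from raw bytes and recognise a three-way handshake.
Added example; the sample segments below are constructed, not taken from the lab capture."""
import struct
from dataclasses import dataclass

# Code bits in the low 9 bits of the 16-bit data-offset/reserved/flags word.
FLAG_BITS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
    "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100,
}


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int      # header length in bytes (20 + options)
    flags: list
    window: int
    checksum: int
    urgent_pointer: int
    options: dict


def parse_options(raw: bytes) -> dict:
    """Walk the option list: kind 0 = end of list, kind 1 = NOP (no length byte), others are TLV."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad TCP option length {length}")
        body = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            opts["MSS"] = struct.unpack("!H", body)[0]   # maximum segment size
        else:
            opts[f"kind{kind}"] = body.hex()
        i += length
    return opts


def parse_tcp_header(segment: bytes) -> TcpHeader:
    """Unpack the 20-byte fixed header, then the options covered by the data offset."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4            # upper 4 bits, in 32-bit words
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"invalid data offset {data_offset}")
    flags = [name for name, bit in FLAG_BITS.items() if off_flags & bit]
    return TcpHeader(src, dst, seq, ack, data_offset, flags, win, csum, urg,
                     parse_options(segment[20:data_offset]))


def build_segment(src, dst, seq, ack, flags, window, options=b"") -> bytes:
    """Construct a header for the sample below (checksum left 0: no IP pseudo-header here)."""
    options += b"\x00" * ((-len(options)) % 4)    # pad to a 32-bit boundary with End-of-List
    off_flags = ((20 + len(options)) // 4) << 12
    for name in flags:
        off_flags |= FLAG_BITS[name]
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, off_flags, window, 0, 0) + options


def is_three_way_handshake(segments) -> bool:
    """True when SYN, SYN/ACK, ACK are present with consistent sequence/acknowledgment numbers."""
    if len(segments) != 3:
        return False
    syn, synack, ack = segments
    return (set(syn.flags) == {"SYN"}
            and set(synack.flags) == {"SYN", "ACK"}
            and synack.ack == syn.seq + 1
            and set(ack.flags) == {"ACK"}
            and ack.seq == syn.seq + 1
            and ack.ack == synack.seq + 1)


# Constructed sample: client 49152 -> FTP control port 21, MSS option 1460 on the SYN.
MSS_1460 = b"\x02\x04\x05\xb4"
SAMPLE_SYN = build_segment(49152, 21, 1000, 0, ["SYN"], 29200, MSS_1460)
SAMPLE_SYNACK = build_segment(21, 49152, 5000, 1001, ["SYN", "ACK"], 8192, MSS_1460)
SAMPLE_ACK = build_segment(49152, 21, 1001, 5001, ["ACK"], 29200)
SAMPLE_HANDSHAKE = [SAMPLE_SYN, SAMPLE_SYNACK, SAMPLE_ACK]

if __name__ == "__main__":
    headers = [parse_tcp_header(s) for s in SAMPLE_HANDSHAKE]
    for h in headers:
        print(f"{h.src_port} -> {h.dst_port} [{', '.join(h.flags)}] seq={h.seq} ack={h.ack} "
              f"win={h.window} hdr_len={h.data_offset} opts={h.options}")
    print("three-way handshake:", is_three_way_handshake(headers))
```

The same parser can be pointed at the bytes of any TCP segment exported from Wireshark (File > Export Packet Bytes); the flag names and offsets match the rows Wireshark labels Source Port, Destination Port, Sequence number, Acknowledgment number, Header Length, Flags, Window size value and Urgent pointer.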
