This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How many TCP connections were required to load this site - page 491

0

Ch.20 - page 491 - http-google2011.pcapng says we browsed to www.google.com. How many TCP connections were required to load this site?

My Ans. is 6 TCP connections or packets 1-6. Is that correct? To verify, I checked the client HTTP request: packet #4 GET / HTTP/1.1 details show: Host: www.google.com and packet 6 (server response) shows HTTP/1.1 200 OK.

I also did a right-click on any of the TCP packets, selected TCP Flow Stream to see traffic flow from client in Red and response traffic from web-Server in Blue for same above?

Let me know if I am on the right track with the Ans. above for this question?
Thanks, Sarkis

asked 15 Dec '12, 12:06

Sarkis


One Answer:

1

> My Ans. is 6 tcp connections or packets 1-6 is that correct?

I don't believe that there are 6 different TCP connections in packets 1-6 (for your scenario). If you load a web page, you first get the SYN, SYN-ACK, ACK (3 packets), then the HTML code (a variable number of packets). Then the browser will parse the HTML code and fetch the 'objects' in the HTML code (CSS, images, JavaScript, etc.). So, your 6 TCP connections cannot be within the first 6 packets.

HINT: Look for packets with a SYN flag that 'go' to the google server (IP destination). Then count the number of those packets and you will get the number of connections, right? There are several ways to do that. As I don't want to spoil the fun of discovering that yourself, I suggest you first try it yourself and come back if you want/need the next hint ;-)

BTW: What book are you referring to?

Regards
Kurt

answered 15 Dec '12, 13:13

Kurt Knochner ♦

Thanks Kurt for the hint and for making me understand the Qn. better. Working with trace: http-google2011.pcapng in the top question on page 491.

I did some research and used display filter: tcp.flags.syn==1 && tcp.flags.ack==0 and it found only 3 packets (1, 25, 39) with TCP sessions/connections to web-server IP 74.125.224.81 and 224.96.

So Ans = 3 TCP connections/sessions with SYN set to 1 to load the www.google.com page. Hope I am right now and understand TCP connections.

BTW, I was referring to page 491 in The Official Wireshark Certified Network Analyst Study Guide - Second Edition Book (ISBN 978-1-893939-94-30)

Let me know how I did :) Sarkis

(15 Dec '12, 14:37) Sarkis

> I did some research and used display filter: tcp.flags.syn==1 && tcp.flags.ack==0 and it found only 3 packets

O.K. to verify that, you could use: Statistics -> Conversations

> So Ans = 3 TCP Connections/sessions with SYN set to 1 to load www.google.com page

It depends on whether those connections are all for a Google server. Did you check the HTTP Host header?

(15 Dec '12, 15:53) Kurt Knochner ♦

Kurt,

> O.K. to verify that, you could use: Statistics -> Conversations

I verified Statistics > Conversation | TCP tab shows TCP:3, which matches my Ans. 3.

> It depends, if those connections are all for a google server. Did you check the HTTP Host header?

Well, I verified all three connections under the Packet Details Pane by expanding the HTTP tab with GET requests; each connx showed Host: www.google.com\r\n

Hope this is what you meant. Or could I verify the same by right-clicking (on each of those 3 connection packets 1, 25, 39) and selecting "Follow TCP Stream" instead?

Thanks Sarkis

(16 Dec '12, 19:26) Sarkis

> Hope this is what you meant.

Yes. You successfully verified the number of connections.

> by Right, Click (on each of those 3-Connection packets 1,25,39) and select "Follow TCP Stream" instead?

Sure. There are many ways to find the answer to that question.

(17 Dec '12, 00:55) Kurt Knochner ♦
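The SYN-counting approach discussed in this thread, as an added example that is not part of the original posts: it applies the same test as tcp.flags.syn==1 && tcp.flags.ack==0 to raw Ethernet/IPv4/TCP frames and then dedupes by 4-tuple, which shows why the Conversations count is the safer cross-check when a SYN is retransmitted. The frames, addresses, ports and function names are constructed for illustration and are not taken from http-google2011.pcapng.

```python
import socket
import struct

SYN, ACK = 0x02, 0x10

def build_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def tcp_headers(frames):
    """Yield ((src, sport, dst, dport), flags) for each IPv4/TCP frame."""
    for f in frames:
        if len(f) < 34 or f[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (f[14] & 0x0F) * 4  # IPv4 header length in bytes
        if f[23] != 6 or len(f) < 14 + ihl + 20:
            continue  # not TCP, or truncated
        tcp = f[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        key = (socket.inet_ntoa(f[26:30]), sport, socket.inet_ntoa(f[30:34]), dport)
        yield key, tcp[13]

def syn_packets(frames):
    """Packets matching tcp.flags.syn==1 && tcp.flags.ack==0."""
    return [k for k, fl in tcp_headers(frames) if fl & SYN and not fl & ACK]

def connections(frames):
    """Distinct connection attempts: initial SYNs deduped by 4-tuple."""
    return set(syn_packets(frames))

# Constructed sample: three connections, one of them with a retransmitted SYN.
C, S1, S2 = "192.0.2.10", "198.51.100.81", "198.51.100.96"
SAMPLE = [
    build_frame(C, S1, 50001, 80, SYN),
    build_frame(S1, C, 80, 50001, SYN | ACK),  # server reply, not counted
    build_frame(C, S1, 50001, 80, ACK),
    build_frame(C, S1, 50002, 80, SYN),
    build_frame(C, S1, 50002, 80, SYN),        # retransmitted SYN
    build_frame(C, S2, 50003, 80, SYN),
]

if __name__ == "__main__":
    print("SYN packets:", len(syn_packets(SAMPLE)))
    print("connections:", len(connections(SAMPLE)))
```
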