1
00:00:00,000 --> 00:00:02,000
So let’s look at a more complete example.
2
00:00:03,000 --> 00:00:11,000
In this example, host A initiates a session with a source port of 1024
3
00:00:12,000 --> 00:00:14,000
and a destination port of 23, in other words telnet.
4
00:00:15,000 --> 00:00:20,000
Host A sends 10 bytes of data with an initial sequence number of 10.
5
00:00:21,000 --> 00:00:26,000
Host B acknowledges receipt of the 10 bytes
6
00:00:27,000 --> 00:00:30,000
by sending an acknowledgement number back to A of 11.
7
00:00:31,000 --> 00:00:35,000
Host B, in this example, also sets its initial sequence number to 5.
8
00:00:36,000 --> 00:00:39,000
Please note also that the port numbers are reversed:
9
00:00:40,000 --> 00:00:47,000
the source port for traffic going from B to A is 23, and the destination port is 1024.
10
00:00:48,000 --> 00:00:51,000
In this example, because we’re using a sliding window,
11
00:00:52,000 --> 00:00:55,000
A may send 250 bytes of data, for example.
12
00:00:56,000 --> 00:00:59,000
So notice the sequence number is incremented to 260.
13
00:01:00,000 --> 00:01:03,000
In previous examples, we’ve used easy numbers,
14
00:01:04,000 --> 00:01:08,000
a window size of 1 or a window size of 3, but please note that in reality
15
00:01:09,000 --> 00:01:12,000
window sizes are set to the amount of data that can be transmitted in bytes.
16
00:01:13,000 --> 00:01:18,000
So this may not be as easy to read as sequences of 1, 2, and 3.
17
00:01:23,000 --> 00:01:28,000
receipt of data up to sequence 5 and thus acknowledging sequence number 6.
18
00:01:29,000 --> 00:01:31,000
The source ports are swapped round again,
19
00:01:32,000 --> 00:01:35,000
so the source port is 1024 and the destination port is 23.
20
00:01:36,000 --> 00:01:43,000
Now host B is acknowledging sequence number 261;
21
00:01:44,000 --> 00:01:48,000
remember A sent 10 bytes and then 250 bytes,
22
00:01:49,000 --> 00:01:50,000
so in other words 260 bytes of data.
23
00:01:51,000 --> 00:01:57,000
B is sending sequence number 6, and once again the port numbers are reversed.
24
00:01:58,000 --> 00:02:02,000
It’s very important that you understand how source and destination ports work.
25
00:02:07,000 --> 00:02:14,000
So on that note, there is nothing better than showing you a real-world example using Wireshark.
26
00:02:15,000 --> 00:02:18,000
So I’m going to capture traffic on my network
27
00:02:19,000 --> 00:02:27,000
and then I’m going to go to, for instance, google.com with my web browser.
28
00:02:28,000 --> 00:02:41,000
I’ll go back to Wireshark and stop the capture. Here’s an example: this is the DNS query.
29
00:02:42,000 --> 00:02:48,000
So we’ve got host 10.0.0.1, which is my machine,
30
00:02:49,000 --> 00:02:53,000
a Dell laptop, querying the DNS server.
31
00:02:54,000 --> 00:03:01,000
At layer 2, you can see the source is my Dell machine going to my Cisco router.
32
00:03:02,000 --> 00:03:07,000
This is an Ethernet II frame, and please note the type field.
33
00:03:08,000 --> 00:03:15,000
At layer 2, as mentioned, the type field specifies the protocol at layer 3.
34
00:03:16,000 --> 00:03:24,000
In this case, 0x0800 in hexadecimal specifies that the layer 3 protocol is IPv4.
35
00:03:25,000 --> 00:03:32,000
At layer 3 you can see the source IP address and the destination IP address.
36
00:03:33,000 --> 00:03:40,000
my PC and the DNS server. You can see that this is IPv4;
37
00:03:41,000 --> 00:03:44,000
you can see the header length is 20 bytes.
38
00:03:45,000 --> 00:03:51,000
DSCP, or Differentiated Services Code Point, is not used in this example.
39
00:03:52,000 --> 00:03:58,000
Notice ECN, which is to do with Explicit Congestion Notification;
40
00:03:59,000 --> 00:04:01,000
I mentioned that briefly when talking about the TCP header.
41
00:04:02,000 --> 00:04:14,000
What I’d like you to see here is that the protocol at layer 4 is UDP;
42
00:04:15,000 --> 00:04:22,000
that value is in hexadecimal, so 11 in hexadecimal is equal to 17;
43
00:04:23,000 --> 00:04:26,000
the protocol number, once again, for UDP is 17.
44
00:04:27,000 --> 00:04:32,000
So at layer 4, we can see that the User Datagram Protocol, or UDP, is being used.
45
00:04:33,000 --> 00:04:38,000
The source port is 62249, in other words a dynamic or ephemeral port,
46
00:04:39,000 --> 00:04:43,000
going to a destination port of 53, in other words DNS.
47
00:04:44,000 --> 00:05:01,000
We can see the port numbers once again, and opening up the DNS query
48
00:05:02,000 --> 00:05:17,000
we can see that it was a query looking for a specific host address.
49
00:05:18,000 --> 00:05:29,000
Here we have a DNS response from the DNS server to my host.
50
00:05:30,000 --> 00:05:34,000
So once again, very quickly, at layer 2
51
00:05:35,000 --> 00:05:37,000
you can see the type field denotes the protocol at layer 3.
52
00:05:38,000 --> 00:05:49,000
At layer 3, the protocol field tells us which protocol is used at layer 4.
53
00:06:00,000 --> 00:06:09,000
Here’s another DNS query from my host to the DNS server.
54
00:06:10,000 --> 00:06:14,000
And if we open up the DNS query information
55
00:06:15,000 --> 00:06:19,000
you can see that it’s a query for google.com
56
00:06:20,000 --> 00:06:26,000
and it’s a host query, notice type A. The DNS server replies,
57
00:06:27,000 --> 00:06:33,000
and notice in the answer it gives us the IP address of google.com.
58
00:06:34,000 --> 00:06:41,000
Now here’s the three-way handshake between my machine and Google.
59
00:06:42,000 --> 00:06:44,000
Notice the source is 10.0.0.1
60
00:06:45,000 --> 00:06:48,000
and the destination is this IP address, which is Google.
61
00:06:49,000 --> 00:06:57,000
Notice the source port is 58313 and the destination is 80,
62
00:06:58,000 --> 00:07:00,000
in other words, I’m opening up a web connection to a web server.
63
00:07:01,000 --> 00:07:06,000
Opening that up, you can see once again the source and destination port numbers
64
00:07:07,000 --> 00:07:10,000
but notice here the flag that is set is SYN.
65
00:07:11,000 --> 00:07:15,000
So opening that up, you can see that
66
00:07:16,000 --> 00:07:21,000
all the other flags or bits are set to 0 except for the SYN bit,
67
00:07:22,000 --> 00:07:31,000
and opening that up you can see we are trying to set up a connection to the server,
68
00:07:32,000 --> 00:07:36,000
so we’ve got a connection establish request message to the server.
69
00:07:37,000 --> 00:07:45,000
No other flags are set. Notice the initial window size is 8192,
70
00:07:46,000 --> 00:07:56,000
and opening up the options, you can see that the MSS or Maximum Segment Size is set to 1460 bytes.
71
00:07:57,000 --> 00:08:04,000
The reply from Google to my machine at layer 4 shows that the source port is 80
72
00:08:05,000 --> 00:08:07,000
and the destination port is 58313.
73
00:08:08,000 --> 00:08:14,000
Opening that up, notice the flags that are set are SYN and ACK,
74
00:08:15,000 --> 00:08:18,000
so it’s the second part of the three-way handshake.
75
00:08:19,000 --> 00:08:24,000
Notice the acknowledgement bit is set and the synchronization bit is set;
76
00:08:25,000 --> 00:08:32,000
opening that up, you can see that it’s a connection establish acknowledgment from Google.
77
00:08:33,000 --> 00:08:43,000
Notice the window size requested is 5720, and if we open up the options,
78
00:08:44,000 --> 00:08:47,000
notice here the maximum segment size is 1430.
79
00:08:48,000 --> 00:08:52,000
Looking at the last part of the three-way handshake,
80
00:08:53,000 --> 00:08:56,000
notice my machine talking to Google
81
00:08:57,000 --> 00:09:08,000
opening up TCP, you can see that the only flag set is the acknowledgement bit,
82
00:09:09,000 --> 00:09:13,000
and the window size requested is 64350,
83
00:09:14,000 --> 00:09:18,000
and looking at the sequence/acknowledgement analysis,
84
00:09:19,000 --> 00:09:20,000
notice that this is an acknowledgement.
85
00:09:21,000 --> 00:09:24,000
Going back to the first step of the three-way handshake,
86
00:09:25,000 --> 00:09:30,000
notice that the initial sequence number from my machine to Google is set to 0.
87
00:09:31,000 --> 00:09:35,000
Going to the actual TCP header, notice the sequence number is 0.
88
00:09:36,000 --> 00:09:42,000
Google’s reply has a sequence number of 0 and an acknowledgement of 1.
89
00:09:43,000 --> 00:09:45,000
As you can see here as well.
90
00:09:46,000 --> 00:09:52,000
So they are letting us know that the next segment they expect to receive is segment 1.
91
00:09:53,000 --> 00:10:00,000
Our acknowledgement to them is: we are sending sequence number 1
92
00:10:01,000 --> 00:10:04,000
and we are acknowledging the sequence number 1.
93
00:10:05,000 --> 00:10:08,000
This is as per what we discussed.
94
00:10:09,000 --> 00:10:15,000
Later on, when HTTP is being received,
95
00:10:16,000 --> 00:10:21,000
notice we are receiving information from Google to our machine; it’s TCP,
96
00:10:22,000 --> 00:10:28,000
and notice here this is a TCP segment of the reassembled Protocol Data Unit.
97
00:10:29,000 --> 00:10:31,000
In other words this is a fragment.
98
00:10:32,000 --> 00:10:41,000
Looking at TCP, we can see the source is HTTP and the destination is our port number.
99
00:10:42,000 --> 00:10:45,000
In other words, Google is sending traffic to us;
100
00:10:46,000 --> 00:10:49,000
notice here that the sequence number is 2861,
101
00:10:50,000 --> 00:10:54,000
the next sequence number is 3798,
102
00:10:55,000 --> 00:10:58,000
and the acknowledgement number is 944.
103
00:10:59,000 --> 00:11:04,000
So the next sequence number, remember, is 3798;
104
00:11:05,000 --> 00:11:07,000
going to the very next part of the capture,
105
00:11:08,000 --> 00:11:15,000
notice the sequence number here is 3798 and the next sequence number is 5228.
106
00:11:16,000 --> 00:11:19,000
And notice there’s an acknowledgement from our machine to Google
107
00:11:20,000 --> 00:11:23,000
saying that we expect to receive 5228.
108
00:11:24,000 --> 00:11:28,000
And then the very next capture you can see
109
00:11:29,000 --> 00:11:32,000
that sequence number 5228 was sent from Google to us.
110
00:11:33,000 --> 00:11:39,000
The next sequence number is 6658, which is the next piece received.
111
00:11:40,000 --> 00:11:42,000
Notice 6658 is the sequence number received.
112
00:11:43,000 --> 00:11:48,000
Our host is acknowledging receipt of that
113
00:11:49,000 --> 00:11:53,000
and saying that the next bit of data to receive is 7894
114
00:11:54,000 --> 00:11:59,000
Going to the next capture, you can see that the sequence number is what Google sent to us.
115
00:12:00,000 --> 00:12:02,000
Now, without boring you any longer,
116
00:12:03,000 --> 00:12:06,000
I’m hoping that this capture gives you a little bit of insight
117
00:12:07,000 --> 00:12:09,000
into what's actually happening on the wire.
118
00:12:10,000 --> 00:12:14,000
Wireshark, remember, is a free application that you can download;
119
00:12:15,000 --> 00:12:16,000
just search for it on the internet.
120
00:12:17,000 --> 00:12:19,000
Now I suggest that you capture some traffic on your machine
121
00:12:20,000 --> 00:12:23,000
so that you can actually see what’s going on in the background.
122
00:12:24,000 --> 00:12:25,000
So what have we covered?
123
00:12:26,000 --> 00:12:30,000
In this section we looked at the two main protocols residing at layer 4:
124
00:12:31,000 --> 00:12:39,000
UDP, or User Datagram Protocol, and TCP, or Transmission Control Protocol.
125
00:12:40,000 --> 00:12:45,000
I explained port numbers and which port numbers would be used in which scenarios.
126
00:12:46,000 --> 00:12:48,000
I explained the TCP three-way handshake,
127
00:12:49,000 --> 00:12:52,000
I explained windowing and I explained sequence numbers.
128
00:12:53,000 --> 00:12:55,000
Thank you for watching!