Objective

Hands-on practice with a TCP/IP deep dive in a network lab environment.

Tools & Technologies

  • Wireshark
  • tcpdump
  • netstat
  • ss

Key Commands

tcpdump -i eth0 'tcp port 80'
ss -tuln
netstat -an | grep ESTABLISHED
wireshark &

Lab Steps

01 Packet Capture

Capture live traffic with tcpdump and analyze it in Wireshark.

02 TCP Handshake

Observe and analyze the three-way handshake in a packet capture.

03 Socket States

Use ss and netstat to view socket states: LISTEN, ESTABLISHED, TIME_WAIT.

04 IP Fragmentation

Observe IP fragmentation when packets exceed the MTU.
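To check what steps 02 and 04 show in Wireshark against the raw bytes, here is an added example (my code, not part of the lab material): a small decoder for IPv4+TCP packets with no link-layer header, a handshake validator, and constructed sample packets; the addresses, ports and sequence numbers are assumed values.

```python
import struct
from collections import namedtuple

# Added example (not from the lab page): decode raw IPv4+TCP packets, label the
# three-way handshake, and flag IP fragments the way Wireshark's details pane does.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}
# sport/dport/seq/ack are None on fragments that carry no TCP header.
Packet = namedtuple("Packet", "src dst df mf frag_offset sport dport seq ack flags")

def parse_ipv4_tcp(raw):
    """Decode the IPv4 header; decode the TCP header only on the first fragment."""
    (ver_ihl, _tos, _tlen, _id, flags_frag, _ttl, proto, _csum,
     s, d) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    df, mf, offset = bool(flags_frag & 0x4000), bool(flags_frag & 0x2000), flags_frag & 0x1FFF
    sport = dport = seq = ack = None
    flags = []
    # Only the first fragment (offset 0) carries ports and flags; later fragments
    # are opaque payload, which is why a 'tcp port 80' filter cannot match them.
    if proto == 6 and offset == 0:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
        flags = [name for bit, name in TCP_FLAGS.items() if off_flags & bit]
    return Packet(".".join(map(str, s)), ".".join(map(str, d)), df, mf, offset,
                  sport, dport, seq, ack, flags)

def label_handshake(pkts):
    """Return ['SYN', 'SYN-ACK', 'ACK'] if pkts form a valid three-way handshake, else None."""
    if len(pkts) != 3:
        return None
    a, b, c = pkts
    ok = (set(a.flags) == {"SYN"} and set(b.flags) == {"SYN", "ACK"} and set(c.flags) == {"ACK"}
          and (b.src, b.dst, b.sport, b.dport) == (a.dst, a.src, a.dport, a.sport)
          and (c.src, c.dst, c.sport, c.dport) == (a.src, a.dst, a.sport, a.dport)
          and b.ack == a.seq + 1 and c.seq == a.seq + 1 and c.ack == b.seq + 1)
    return ["SYN", "SYN-ACK", "ACK"] if ok else None

def build(src, dst, sport, dport, seq, ack, tcp_flags, flags_frag=0x4000):
    """Construct a test packet (DF set by default); non-first fragments carry payload only."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 7, flags_frag, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | tcp_flags, 65535, 0, 0)
    return hdr + (tcp if (flags_frag & 0x1FFF) == 0 else b"\x00" * 20)

# Constructed sample traffic: a handshake to port 80 and a datagram split in two.
CLIENT, SERVER = "10.0.0.5", "10.0.0.80"
HANDSHAKE = [parse_ipv4_tcp(p) for p in (
    build(CLIENT, SERVER, 40000, 80, 1000, 0, 0x02),       # SYN
    build(SERVER, CLIENT, 80, 40000, 5000, 1001, 0x12),    # SYN-ACK
    build(CLIENT, SERVER, 40000, 80, 1001, 5001, 0x10))]   # ACK
FIRST_FRAG = parse_ipv4_tcp(build(CLIENT, SERVER, 40000, 80, 1001, 5001, 0x18, 0x2000))  # MF set
LAST_FRAG = parse_ipv4_tcp(build(CLIENT, SERVER, 40000, 80, 1001, 5001, 0x18, 185))     # offset 1480 B
```

The same parser works on bytes read from a pcap once the link-layer header is stripped, so the capture from step 01 can be fed through it.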

Challenges Encountered

  • Capturing on loopback requires selecting the loopback interface explicitly with the -i flag
  • TIME_WAIT is normal and lasts 2*MSL (twice the maximum segment lifetime)

Key Takeaways

  • Understanding the TCP state machine is essential for firewall troubleshooting
  • Wireshark's Follow Stream feature reconstructs full sessions