Preface
The Sharkfest Packet Challenge offers an exciting opportunity for participants to showcase their analysis skills. Sharkfest, an annual conference organized by Wireshark, brings together developers and users to share knowledge, experience, and best practices. In the early days, Sharkfest was held once a year, but it has since expanded to two events annuallyâone in the United States and another in regions like Europe or Asia. One of the conference highlights is the âPRINTING PAINâ Packet Challenge, where participants engage in analyzing packet data to test their comprehensive analytical capabilities through real-world examples.
Topic Information
This case is the fifth and final question in the Sharkfest 2015 Packet Challenge, PRINTING PAIN!, and the packet trace file is printpain.pcapng .
The main description is as follows:
1. What is the make and model of the target printer?
2. What file is being printed?
3. What is the maximum TCP receive buffer size advertised by the printer?
4. What three characteristics make frame 179 a âwindow zero probe?â
5. What is the largest delay between a Window Full indication and a Window Update?
Packet information
The basic information of the packet trace file is as follows:
λ capinfos printpain.pcapng
File name: printpain.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 854
File size: 1071 kB
Data size: 1041 kB
Capture duration: 127.885457 seconds
First packet time: 2013-11-07 13:28:13.967672
Last packet time: 2013-11-07 13:30:21.853129
Data byte rate: 8144 bytes/s
Data bit rate: 65 kbps
Average packet size: 1219.70 bytes
Average packet rate: 6 packets/s
SHA256: a81f71187fa52516fc27a5d5e561bf44d5d54e1dfc8cb3be9e080d0bc793933b
RIPEMD160: d12c9eb5956dd124f99887c9fb6b0a16c7496ff7
SHA1: 8ade6e77ef0719632c1cd26ecf06c89dac051341
Strict time order: True
Capture oper-sys: 32-bit Windows 7 Service Pack 1, build 7601
Capture application: Dumpcap 1.8.6 (SVN Rev 48142 from /trunk-1.8)
Capture comment: Copyright Chappell University <[email protected]> Troubleshooting with Wireshark: Locate the Source of Performance Problems ISBN: 978-1-893939-9-74 You may not reproduce, duplicate, copy, sell, trade, resell, or exploit for any commercial purposes, this trace file or any trace file available at www.wiresharkbook.com.
Number of interfaces in file: 1
Interface #0 info:
Name = \Device\NPF_{6C89B4B8-5C6E-437A-9BA1-CFEF8F98C68D}
Encapsulation = Ethernet (1 - ether)
Capture length = 65535
Time precision = microseconds (6)
Time ticks per second = 1000000
Time resolution = 0x06
Operating system = 32-bit Windows 7 Service Pack 1, build 7601
Number of stat entries = 1
Number of packets = 854
λ
Captured directly via Wireshark on a Windows 7 system, without truncation, the file size is 1071 KB, the number of captured packets is 854, the capture duration is 127.89 seconds, the average rate is 65 kbps, and there are relevant comments.
The session information statistics are as follows. There is only one TCP flow.
The expert information is shown as follows. There are many TCP zero window and TCP window full prompts in the Warning information, indicating that there are certain problems with the TCP window.
Packet Analysis
The initial expanded information of the packet trace file is as follows. Packet List
There are some black warning information prompts on the far right. Click them to see that they are basically TCP zero window and TCP window full prompts.
1. What is the make and model of the target printer?
What is the brand and model of the target printer?
Analysis steps
In Pakcet List
the view, the Protocol is TCP, and there is no special proprietary protocol in the protocol layer statistics. The question mentioned a printer, and I simply checked the service port 9100 and it was probably an HP printer.
Information about the brand and model can be obtained by analyzing- Follow
>TCP Stream
PJL (Printer Job Language), a printer command language developed by Hewlett-Packard , provides printer control at the print job level. Using PJL commands, you can change the default printer settings, such as the number of copies to print.
Analyze the answer
The target printer brand and model is: HP Officejet 6500 E710n-z.
2. What file is being printed?
What file is being printed.
Analysis steps
Also in Analysis- Follow
> TCP Stream
Get relevant information
Analyze the answer
The file that is printed is: Installation.pdf.
3. What is the maximum TCP receive buffer size advertised by the printer?
What is the maximum size of the TCP receive buffer that the printer advertises?
Analysis steps
The TCP receive buffer mentioned in this question is actually the product of TCP Window
and Window size scaling factor
, which is [Calculated window size]
the value of the field .
You can Pakcet List
add column information in the view, and the field value is:tcp.window_size
If you are asking about the printer, you can filter the source IP to get all the Window values ââadvertised by the printer.
Analyze the answer
The maximum size of the TCP receive buffer notified by the printer is: 17520.
4. What three characteristics make frame 179 a âwindow zero probe?â
What three characteristics cause data frame 179 to be labeled a âwindow zero probeâ?
Analysis steps
First, jumping to around No.179, the problem of zero window is obvious.
- First, the client knows that the receiving window of the printer is full based on the window value notified by the printer and the size of the data segment it sends, and marks it as No. 173.Â
TCP Window Full
Note: This mark refers to the TCP window full at the other end. - No.174 The printer is marked as Win 0 because of its own zero windowÂ
TCP ZeroWindow
; - No.175 is the TCP zero window detection packet sent by the client to check whether the printerâs zero window still exists. The printer will respond with an ACK to this zero window detection, i.e. No.176;
- Similarly, if the printer replies that the window size is still zero, the clientâs probe timer is doubled.
Excerpt from the Wireshark official documentation on TCP ZeroWindowProbe
the definition of
TCP ZeroWindowProbe
Set when the sequence number is equal to the next expected sequence number, the segment size is one, and last-seen window size in the reverse direction was zero. If the single data byte from a Zero Window Probe is dropped by the receiver (not ACKed), then a subsequent segment should not be flagged as retransmission if all of the following conditions are true for that segment: * The segment size is larger than one. * The next expected sequence number is one less than the current sequence number. This affects âFast Retransmissionâ, âOut-Of-Orderâ, or âRetransmissionâ.
Analyze the answer
Which three features mark data frame 179 as a âwindow zero probeâ: 1. the sequence number is equal to the next expected sequence number; 2. the segment size is one; 3. the last-seen window size in the reverse direction was zero.
5. What is the largest delay between a Window Full indication and a Window Update?
What is the maximum delay between a âwindow fullâ indication and a âwindow updateâ?
Analysis steps
Letâs review question 4. After the No.184 printer still returned to the zero window, about 11.22 seconds later, the printer window recovered to 16384, that is, the No.185 data packet Win = 16384. The time delay from No.173 TCP Window Full
to No.185 is 25.682732 seconds.TCP Window Update
Similarly, you can click No.173 and right-click Set/Unset Time Reference
to select No.173 as the base time (ie, as the first data frame), and Pakcet List
add column information in the view with the field value of frame.time_relative
. Then the time difference between No.185 and the first data frame No.173 is 25.682732 seconds.
How to find the maximum value of the time interval between No.185 and No.173 in this trace file? You can filter out all âwindow fullâ and âwindow updateâ packets by displaying filter expressions.
Then Pakcet List
add column information in the view, with the field value being: frame.time_delta_displayed
, and arrange from large to small to find the maximum difference.
Analyze the answer
The maximum delay between a âwindow fullâ indication and a âwindow updateâ is: 25.866367 seconds.