PRINTING PAIN! Packet Analysis Overview

Preface

The Sharkfest Packet Challenge offers an exciting opportunity for participants to showcase their analysis skills. Sharkfest, an annual conference organized by Wireshark, brings together developers and users to share knowledge, experience, and best practices. In the early days, Sharkfest was held once a year, but it has since expanded to two events annually—one in the United States and another in regions like Europe or Asia. One of the conference highlights is the “PRINTING PAIN” Packet Challenge, where participants engage in analyzing packet data to test their comprehensive analytical capabilities through real-world examples.

Topic Information

This case is the fifth and final question in the Sharkfest 2015 Packet Challenge, PRINTING PAIN!, and the packet trace file is printpain.pcapng.

The main description is as follows:

1. What is the make and model of the target printer?

2. What file is being printed?

3. What is the maximum TCP receive buffer size advertised by the printer?

4. What three characteristics make frame 179 a “window zero probe?”

5. What is the largest delay between a Window Full indication and a Window Update?

Packet information

The basic information of the packet trace file is as follows:

The capture was taken directly with Wireshark on a Windows 7 system, without truncation. The file size is 1071 KB, it contains 854 packets, the capture duration is 127.89 seconds, the average rate is 65 kbps, and the file carries relevant comments.

The session information statistics are as follows. There is only one TCP flow.

The Expert Information is shown below. The Warning category contains many TCP ZeroWindow and TCP Window Full entries, indicating that there are problems with the TCP window.

Packet Analysis

The initial expanded view of the packet trace file is shown below. In the Packet List there are several black warning indicators on the far right; clicking them shows that they are essentially TCP ZeroWindow and TCP Window Full warnings.

1. What is the make and model of the target printer?

What is the brand and model of the target printer?

Analysis steps

In the Packet List view the protocol is TCP throughout, and the Protocol Hierarchy statistics show no proprietary protocol. Since the question mentions a printer, I simply checked the service port, 9100, which suggested that it was probably an HP printer.

Information about the make and model can be obtained via Analyze > Follow > TCP Stream.


PJL (Printer Job Language), a printer command language developed by Hewlett-Packard, provides printer control at the print-job level. Using PJL commands you can change the default printer settings, such as the number of copies to print.

Analyze the answer

The target printer brand and model is: HP Officejet 6500 E710n-z.

2. What file is being printed?

What file is being printed?

Analysis steps

The relevant information is again obtained via Analyze > Follow > TCP Stream.

Analyze the answer

The file that is printed is: Installation.pdf.

3. What is the maximum TCP receive buffer size advertised by the printer?

What is the maximum size of the TCP receive buffer that the printer advertises?

Analysis steps

The TCP receive buffer referred to in this question is the product of the TCP Window value and the window size scaling factor, i.e. the value of the [Calculated window size] field.

You can add this as a column in the Packet List view; the field is tcp.window_size.

Since the question asks about the printer, filter on the printer's source IP to see all the window values it advertises.

Analyze the answer

The maximum TCP receive buffer size advertised by the printer is: 17520.

4. What three characteristics make frame 179 a “window zero probe?”

What three characteristics cause data frame 179 to be labeled a “window zero probe”?

Analysis steps

First, jumping to the area around No.179, the zero-window problem is obvious.

  1. No.173: from the window value advertised by the printer and the amount of data it has already sent, the client knows that the printer's receive window is full, and Wireshark marks the segment TCP Window Full. Note that this flag refers to the window of the other end (the printer) being full.
  2. No.174: the printer advertises Win=0 because its own receive window is zero, and is marked TCP ZeroWindow.
  3. No.175 is the zero window probe sent by the client to check whether the printer's window is still zero; the printer answers the probe with an ACK, No.176.
  4. Likewise, each time the printer replies that the window is still zero, the client doubles its probe timer.

Excerpt from the Wireshark official documentation on the definition of TCP ZeroWindowProbe:

TCP ZeroWindowProbe

Set when the sequence number is equal to the next expected sequence number, the segment size is one, and last-seen window size in the reverse direction was zero. If the single data byte from a Zero Window Probe is dropped by the receiver (not ACKed), then a subsequent segment should not be flagged as retransmission if all of the following conditions are true for that segment:

  * The segment size is larger than one.
  * The next expected sequence number is one less than the current sequence number.

This affects “Fast Retransmission”, “Out-Of-Order”, or “Retransmission”.

Analyze the answer

The three characteristics that mark frame 179 as a “window zero probe” are: 1. the sequence number is equal to the next expected sequence number; 2. the segment size is one; 3. the last-seen window size in the reverse direction was zero.

5. What is the largest delay between a Window Full indication and a Window Update?

What is the maximum delay between a “window full” indication and a “window update”?

Analysis steps

Let’s go back to question 4. After the printer still returned a zero window in No.184, about 11.22 seconds later the printer's window recovered to 16384, i.e. No.185 carries Win=16384 and is marked TCP Window Update. The delay from No.173 (TCP Window Full) to No.185 (TCP Window Update) is 25.682732 seconds.

Alternatively, click No.173, right-click and choose Set/Unset Time Reference to make No.173 the time base (i.e. treat it as the first frame), then add a column in the Packet List view with the field frame.time_relative. The time difference between No.185 and the reference frame No.173 is then 25.682732 seconds.

How do we find the largest such interval across the whole trace file? Use a display filter expression to show only the “window full” and “window update” packets.

Then add a column in the Packet List view with the field frame.time_delta_displayed and sort it from largest to smallest to find the maximum difference.

Analyze the answer

The maximum delay between a “window full” indication and a “window update” is: 25.866367 seconds.
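As an added example (not code from the original write-up or from Wireshark), the following Python re-implements simplified versions of the TCP expert heuristics behind questions 4 and 5 (ZeroWindow, ZeroWindowProbe and its ACK, Window Full, Window Update) and runs them over a constructed miniature of the printpain.pcapng flow: the frame numbers follow the write-up, while the host labels, timestamps, sequence and ACK numbers are assumptions.

```python
from collections import namedtuple

# One TCP segment: frame no, time (s), sender, seq, ack, payload length, calculated window.
Seg = namedtuple("Seg", "no t src seq ack length win")
C, P = "client", "printer"  # hypothetical host labels standing in for the trace's IPs
# Constructed frames mirroring the write-up: 173 = Window Full, 174 = ZeroWindow,
# 175 = probe, 176 = probe ACK, 185 = Window Update 25.682732 s after 173.
FRAMES = [
    Seg(170, 0.000, P, 1, 1, 0, 17520),
    Seg(171, 0.010, C, 1, 1, 1460, 65535),
    Seg(172, 0.020, P, 1, 1461, 0, 1460),
    Seg(173, 0.030, C, 1461, 1, 1460, 65535),
    Seg(174, 0.040, P, 1, 2921, 0, 0),
    Seg(175, 5.050, C, 2921, 1, 1, 65535),
    Seg(176, 5.060, P, 1, 2921, 0, 0),
    Seg(184, 14.400, P, 1, 2921, 0, 0),
    Seg(185, 25.712732, P, 1, 2921, 0, 16384),
]

def analyse(segs):
    """Frame number -> set of expert flags (simplified: no SYN/FIN/RST handling)."""
    flags, last_win, last_ack, next_seq, prev = {}, {}, {}, {}, None
    for s in segs:
        peer, f = (P if s.src == C else C), set()
        expected = next_seq.get(s.src, s.seq)          # next expected seq from s.src
        if s.win == 0:
            f.add("ZeroWindow")
        if s.length == 1 and s.seq == expected and last_win.get(peer) == 0:
            f.add("ZeroWindowProbe")                   # 1 byte at expected seq, peer win 0
        elif s.length > 0 and last_win.get(peer, 0) > 0 and \
                s.seq + s.length - last_ack.get(peer, s.seq) >= last_win[peer]:
            f.add("WindowFull")                        # bytes in flight fill peer's window
        if (s.length == 0 and s.win > 0 and s.src in last_win and s.win != last_win[s.src]
                and s.seq == expected and s.ack == last_ack[s.src]):
            f.add("WindowUpdate")                      # same seq/ack, only the window changed
        if prev and prev.src == peer and s.length == 0 and "ZeroWindowProbe" in flags[prev.no]:
            f.add("ZeroWindowProbeAck")
        flags[s.no], prev = f, s
        last_win[s.src], last_ack[s.src] = s.win, s.ack
        next_seq[s.src] = max(expected, s.seq + s.length)
    return flags

def max_full_to_update_delay(segs, flags):
    """Question 5: longest gap from a Window Full frame to the next Window Update."""
    best = (0.0, None, None)
    for full in (s for s in segs if "WindowFull" in flags[s.no]):
        upd = next((s for s in segs if s.t > full.t and "WindowUpdate" in flags[s.no]), None)
        if upd and upd.t - full.t > best[0]:
            best = (round(upd.t - full.t, 6), full.no, upd.no)
    return best
```

Running analyse(FRAMES) reproduces the flag sequence walked through in question 4, and max_full_to_update_delay returns the 173 to 185 pair with the 25.682732 s gap from this constructed data.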