How to Determine Serial or Parallel File Downloads Using Wireshark

tcp, wireshark

In the http-ethereal-trace provided in the link below there are three HTTP GET requests. The 2nd and 3rd requests download a GIF and a JPG format image respectively. How can we determine whether the two files are downloaded in a serial or parallel manner by looking at the HTTP and TCP connections made? Kindly explain in detail.

link:- https://drive.google.com/open?id=1Wa7G9TCjoouUYYyrczfAaN1JQafU-hHI

Best Answer

They are in parallel, which you can see in any convenient capture tool. They are in parallel because the second one opens before processing has finished on the first one. Indeed, processing hasn't even started.

We see two TCP opens a few milliseconds apart, one on port 4308 and one on port 4309:

06:38:41.734948 IP (tos 0x0, ttl 128, id 694, offset 0, flags [DF], proto TCP (6), length 48)
    192.168.1.102.4308 > 165.193.123.218.80: Flags [S], seq 4246632680, win 64240, options [mss 1460,nop,nop,sackOK], length 0
06:38:41.736408 IP (tos 0x0, ttl 128, id 699, offset 0, flags [DF], proto TCP (6), length 48)
    192.168.1.102.4309 > 134.241.6.82.80: Flags [S], seq 4246666212, win 64240, options [mss 1460,nop,nop,sackOK], length 0

We identify the streams from their fetches a little later, where segments show the fetches from port 4308 for the GIF and 4309 for the JPEG:

06:38:41.756098 IP (tos 0x0, ttl 128, id 703, offset 0, flags [DF], proto TCP (6), length 611)
    192.168.1.102.4308 > 165.193.123.218.80: Flags [P.], seq 1:572, ack 1, win 64860, length 571: HTTP, length: 571
    GET /catalog/images/pearson-logo-footer.gif HTTP/1.1
    ...
06:38:41.759416 IP (tos 0x0, ttl 128, id 705, offset 0, flags [DF], proto TCP (6), length 595)
    192.168.1.102.4309 > 134.241.6.82.80: Flags [P.], seq 1:556, ack 1, win 64240, length 555: HTTP, length: 555
    GET /~kurose/cover.jpg HTTP/1.1
    ...

The output above was done with the tcpdump capture tool, filtering on TCP streams.

tcpdump -n -v -K -r http-ethereal-trace-4 ip proto \\tcp