**Introduction/ Summary of Previous Work**


In the prior project, we examined the full network communication sequence leading up to an HTTPS connection. This included:

DNS Resolution: Mapping the domain name to an IP address.

TCP Handshake: Establishing a reliable connection between client and server.

TLS Handshake: Negotiating encryption parameters and securely exchanging keys.

At this stage the TLS handshake is almost complete: the client has received the server's entire handshake flight (3249 bytes, per the acknowledgment number in Frame 26 below) and is about to send its own Finished message, after which encrypted HTTPS traffic begins.


**📌 Objectives for This Project**

Now, we shift focus to the actual HTTPS communication that occurs after encryption is in place. This includes:

Identifying Encrypted Data Transmission

Locate the first HTTPS request after the TLS handshake.

Confirm the encryption by analyzing TLS records.

Tracking Client-to-Server and Server-to-Client Communication

Analyze the structure of encrypted packets (without decrypting).

Identify patterns in request-response sequences.

Estimating the Type of Communication

Use packet size, sequence numbers, and timing to infer what is happening.

Recognize request-response timing patterns.

(Optional) Exploring Decryption Possibilities

Discuss how HTTPS traffic can be decrypted if session keys are available.

Consider practical applications in cybersecurity analysis.

📌 Next Steps
Filter Wireshark Capture for HTTPS Traffic

Apply the appropriate Wireshark filter to isolate relevant packets.

Analyze First Client-Sent Encrypted Packet

Identify the first encrypted application-data record the client sends. The HTTP method (GET or POST) is inside the ciphertext and cannot be read without the session keys; only record sizes and timing are visible.

Analyze First Server Response

Confirm server acknowledgment and response structure.

Summarize Findings

Interpret observed patterns in HTTPS traffic.

**🛠 Implementation Plan**

Use Wireshark to apply filters (tcp.port == 443).

Identify packet flow direction (Client → Server, Server → Client).

Document observations in the Jupyter Notebook.

Conclude with key insights.




**tcp.port == 443**

Why This Filter?

This isolates all traffic on TCP port 443, the standard port for HTTPS, in both directions (client-to-server and server-to-client), and removes unrelated noise from the capture.

Two caveats. The port is a convention, not proof of TLS: Wireshark's tls display filter matches on the dissected record layer instead, and HTTP/3 runs over QUIC on UDP 443, which tcp.port == 443 would miss entirely. Second, a browser opens several connections to one site, so to follow only this connection use the stream index Wireshark shows in the TCP dissection below: tcp.stream eq 1.


Frame 26: 302 bytes on wire (2416 bits), 302 bytes captured (2416 bits) on interface \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3})
        Interface name: \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3}
        Interface description: Wi-Fi
    Encapsulation type: Ethernet (1)
    Arrival Time: Mar 24, 2025 15:20:10.893372000 Pacific Daylight Time
    UTC Arrival Time: Mar 24, 2025 22:20:10.893372000 UTC
    Epoch Arrival Time: 1742854810.893372000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.004272000 seconds]
    [Time delta from previous displayed frame: 0.004272000 seconds]
    [Time since reference or first frame: 4.326229000 seconds]
    Frame Number: 26
    Frame Length: 302 bytes (2416 bits)
    Capture Length: 302 bytes (2416 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:tls]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a), Dst: Commscope_49:ac:e0 (10:93:97:49:ac:e0)
    Destination: Commscope_49:ac:e0 (10:93:97:49:ac:e0)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 2]
Internet Protocol Version 4, Src: 192.168.1.185, Dst: 199.59.243.228
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 288
    Identification: 0xd884 (55428)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0xa3d1 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.1.185
    Destination Address: 199.59.243.228
    [Stream index: 2]
Transmission Control Protocol, Src Port: 5626, Dst Port: 443, Seq: 275, Ack: 3250, Len: 248
    Source Port: 5626
    Destination Port: 443
    [Stream index: 1]
    [Stream Packet Number: 11]
    [Conversation completeness: Complete, WITH_DATA (63)]
        ..1. .... = RST: Present
        ...1 .... = FIN: Present
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: RFDASS]
    [TCP Segment Len: 248]
    Sequence Number: 275    (relative sequence number)
    Sequence Number (raw): 2977648445
    [Next Sequence Number: 523    (relative sequence number)]
    Acknowledgment Number: 3250    (relative ack number)
    Acknowledgment number (raw): 2522082586
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 256
    [Calculated window size: 65536]
    [Window size scaling factor: 256]
    Checksum: 0x3799 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 0.249746000 seconds]
        [Time since previous frame in this TCP stream: 0.004272000 seconds]
    [SEQ/ACK analysis]
        [iRTT: 0.092322000 seconds]
        [Bytes in flight: 248]
        [Bytes sent since last PSH flag: 248]
    TCP payload (248 bytes)
Transport Layer Security
    TLSv1.3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message
    TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 53
        Encrypted Application Data: 7dccf269ec89189770c439470761f9cf2e76e648d912070213167dbdfd9fc0dd2cbcc1d0472a3eab033c96baa8269667b6e029013b
        [Application Data Protocol: Hypertext Transfer Protocol]
    TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 179
        Encrypted Application Data […]: 24ab07833e546d26ae76559821f97f60c81c511b3577afd6848896d143f59fd373b1ddc0637b8ae347fa4b306f57cb46e0a12ff977c420fb2fc85c8a59bbce0321a65d382e653e1101a316f32d993e6d083b705595337bf31ee43f7b0579b4e70bde1c955b595
        [Application Data Protocol: Hypertext Transfer Protocol]


Frame-Level Metadata (High-Level Packet Details)
Frame 26: 302 bytes on wire (2416 bits), 302 bytes captured (2416 bits)

This packet is small compared with a typical HTTPS data segment: 14 bytes of Ethernet header + 20 bytes IPv4 + 20 bytes TCP + 248 bytes of TCP payload = 302 bytes.

It carries the end of the client's TLS handshake and the first encrypted HTTP data in a single segment.

Encapsulation type: Ethernet (1)

Standard Ethernet framing.

Arrival Time: Mar 24, 2025 15:20:10.893372 PDT

This timestamp tells us exactly when this packet was captured in the network session.

[Time delta from previous captured frame: 0.004272 seconds]

This packet was sent only 4 ms after the previous captured frame, so the client answered the server's handshake flight almost immediately; the TCP stream timestamps show the same 4.272 ms since the previous frame in this stream.

Ethernet Layer (L2)
Destination: Commscope_49:ac:e0 (10:93:97:49:ac:e0)

Source: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a)

The source MAC is your computer's Wi-Fi adapter. The destination MAC is not the web server: Ethernet addresses only identify the next hop on the local network, and the server (199.59.243.228) is off-link, so the frame is addressed to your home gateway (the Commscope OUI identifies the router's vendor). Every frame in this stream headed for the server carries this same destination MAC.

This is a client-to-server transmission, as expected.

Type: IPv4 (0x0800)

The packet carries an IPv4 payload.

IP Layer (L3)
Source IP: 192.168.1.185 (Your Computer)

Destination IP: 199.59.243.228 (Weightlifting.com Web Server)

This confirms that you are sending this packet to the web server.

This segment carries the client's last handshake message and, right behind it, the first client-side encrypted HTTPS data.

Time to Live (TTL): 128

Your system set an initial TTL of 128 (the Windows default). Each router on the path decrements it by one and discards the packet when it reaches zero.

Protocol: TCP (6)

This packet is using the Transmission Control Protocol (TCP).

TCP Layer (L4)
Source Port: 5626 (Your Random Ephemeral Port)

Destination Port: 443 (HTTPS)

This confirms secure web traffic.

The session was established using port 443 for encrypted HTTPS traffic.

Sequence Number: 275

Relative sequence number of the first payload byte in this segment. The SYN consumed sequence number 0 and the ClientHello occupied bytes 1 through 274, so this segment covers bytes 275 through 522 and the client's next sequence number will be 523.

Acknowledgment Number: 3250

Your computer has received every server byte up to 3249 and expects byte 3250 next. Those 3249 bytes are the server's handshake flight (ServerHello, certificate chain, CertificateVerify and the server Finished), which is why the client can now complete the handshake.

Flags: PSH, ACK

ACK (Acknowledgment): Confirms receipt of previous data.

PSH (Push): Asks the receiving stack to hand the data to the application immediately rather than wait to fill a buffer; the segment that ends an application write typically carries it.

TCP Segment Length: 248

The segment carries 248 bytes of TCP payload, which is exactly three TLS records: 6 bytes of Change Cipher Spec (5-byte header + 1), 58 bytes (5 + 53) and 184 bytes (5 + 179).

TLS Layer (L5-7)
1️⃣ TLS Change Cipher Spec
Content Type: Change Cipher Spec (20)

In TLS 1.2 this message switched the connection to the newly negotiated keys. In TLS 1.3 it does nothing: it is a one-byte dummy that clients send for middlebox compatibility (RFC 8446, Appendix D.4), and both peers have already derived and started using the handshake keys. Its presence is a hint that this is a TLS 1.3 session in compatibility mode, nothing more.

Version: TLS 1.2 (0x0303)

TLS 1.3 keeps 0x0303 in the record-layer version field for compatibility; the real version was negotiated in the supported_versions extension of the handshake.

Length: 1

The single byte is the fixed value 0x01. Nothing about the encryption state changes when it is sent or received.

2️⃣ TLS Encrypted Application Data (HTTPS Traffic Begins)
Opaque Type: Application Data (23)

In TLS 1.3 every encrypted record carries the outer type Application Data, including encrypted handshake messages and alerts; the real content type is the last byte of the plaintext. So this label alone does not mean HTTP.

Wireshark cannot decrypt it unless you have session keys.

Length: 53 + 179 bytes

The lengths say more than the labels, on one assumption: a 16-byte AEAD tag (AES-GCM or ChaCha20-Poly1305) and no record padding, so plaintext = record length - 16 - 1.

The 53-byte record is 36 bytes of plaintext: a 4-byte handshake header plus 32 bytes of verify_data. That is the client's Finished message under a SHA-256 cipher suite, and it completes the handshake.

The 179-byte record is about 162 bytes of plaintext and is the first encrypted HTTPS request your computer sends. That fits a short HTTP request; the method and path are not visible, and whether it is HTTP/1.1 or HTTP/2 would be settled by the ALPN extension in the ClientHello examined in the previous project.

What This Means
Your computer has now completed the TLS handshake; the Finished message in this segment is its last handshake message.

The application traffic keys are in use from this point on.

All further communication on this connection is encrypted.

The first encrypted HTTPS request is sent in the same segment, right behind the Finished message.

This could be an HTTP GET request for the website.

The request itself is unreadable without the session keys; only its length and timing are observable.

🔍 Key Takeaways
✅ This is the client’s "finished" message and first encrypted HTTPS request.
✅ TLS encryption is fully enabled at this point.
✅ You cannot see the actual HTTPS request without decryption.
✅ The next packets should contain encrypted web responses from the server.
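To make the size reasoning above reproducible, here is an added Python example written for this write-up (it is not Wireshark code and was not part of the original notebook). It walks a TCP payload record by record and labels each TLS 1.3 record from its length alone. The Change Cipher Spec and 53-byte records are the bytes shown in the Frame 26 dissection; the 179-byte record body is constructed zero filler because the dissection truncates it. The Frame 30 payload, whose dissection appears further down this page, is built the same way with its 19-byte record copied in full. The 16-byte tag and no-padding assumption is stated in the code.

```python
"""Walk a TCP payload as a sequence of TLS records and label each TLS 1.3
ciphertext record from its length alone.

Added example for this write-up (not Wireshark code). Assumption: the
negotiated AEAD has a 16-byte tag (AES-GCM or ChaCha20-Poly1305) and the
sender adds no record padding, so inner plaintext = length - 16 - 1, the
extra byte being the TLS 1.3 inner content type.
"""
import struct

AEAD_TAG_LEN = 16    # assumption: AES-GCM / ChaCha20-Poly1305
INNER_TYPE_LEN = 1   # TLSInnerPlaintext.type byte (TLS 1.3)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def parse_records(payload: bytes) -> list:
    """Return [(content_type, legacy_version, fragment), ...] in wire order.

    Raises ValueError when a record runs past the buffer, i.e. the record
    is split across TCP segments and needs reassembly first.
    """
    records, off = [], 0
    while off < len(payload):
        if off + 5 > len(payload):
            raise ValueError(f"truncated record header at offset {off}")
        ctype, version, length = struct.unpack("!BHH", payload[off:off + 5])
        frag = payload[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError(f"record at {off} needs {length} bytes, has {len(frag)}")
        records.append((ctype, version, frag))
        off += 5 + length
    return records


def classify(ctype: int, length: int) -> str:
    """Best-effort label for a record given only the outer type and length."""
    if ctype == 20:
        return "dummy change_cipher_spec (TLS 1.3 middlebox compat, no key change)"
    if ctype != 23:
        return CONTENT_TYPES.get(ctype, f"type {ctype}") + " (plaintext)"
    inner = length - AEAD_TAG_LEN - INNER_TYPE_LEN
    if inner < 0:
        return "malformed: shorter than AEAD tag + inner type"
    if inner == 2:
        return "likely alert, 2 bytes (e.g. close_notify)"
    if inner == 36:
        return "likely handshake Finished (4-byte header + 32-byte SHA-256 verify_data)"
    if inner == 52:
        return "likely handshake Finished (4-byte header + 48-byte SHA-384 verify_data)"
    return f"application data, ~{inner} bytes of plaintext"


def summarize(payload: bytes) -> list:
    """One (outer_type, length, label) tuple per record in the payload."""
    return [(CONTENT_TYPES.get(t, str(t)), len(frag), classify(t, len(frag)))
            for t, _version, frag in parse_records(payload)]


# Frame 26 TCP payload (248 bytes). The CCS record and the 53-byte record are
# copied from the dissection; the 179-byte record body is constructed filler
# because the dissection truncates it.
FRAME26_PAYLOAD = (
    bytes.fromhex("14 03 03 00 01 01")
    + bytes.fromhex("17 03 03 00 35")
    + bytes.fromhex("7dccf269ec89189770c439470761f9cf2e76e648d912070213167dbdfd9fc0dd"
                    "2cbcc1d0472a3eab033c96baa8269667b6e029013b")
    + bytes.fromhex("17 03 03 00 b3") + bytes(179)
)

# Frame 30 TCP payload (603 bytes): a 574-byte record (constructed filler) and
# the 19-byte record copied in full from the dissection.
FRAME30_PAYLOAD = (
    bytes.fromhex("17 03 03 02 3e") + bytes(574)
    + bytes.fromhex("17 03 03 00 13")
    + bytes.fromhex("4d7cff9c1287808caa95d4266bf09e243e14f0")
)

if __name__ == "__main__":
    for name, payload in (("Frame 26", FRAME26_PAYLOAD), ("Frame 30", FRAME30_PAYLOAD)):
        print(f"{name}: {len(payload)} bytes of TCP payload")
        for outer, length, label in summarize(payload):
            print(f"  {outer:<18} len={length:<5} {label}")
```

The parser deliberately refuses a payload whose last record is cut off: in a real capture, TLS records routinely straddle TCP segments, and Wireshark only dissects them cleanly because it reassembles the stream first. Run the block against the reassembled payload of any tcp.stream and the 2-byte and 36-byte inner sizes will pick out alerts and Finished messages without any keys.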

Frame 29: 1262 bytes on wire (10096 bits), 1262 bytes captured (10096 bits) on interface \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3})
        Interface name: \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3}
        Interface description: Wi-Fi
    Encapsulation type: Ethernet (1)
    Arrival Time: Mar 24, 2025 15:20:10.981397000 Pacific Daylight Time
    UTC Arrival Time: Mar 24, 2025 22:20:10.981397000 UTC
    Epoch Arrival Time: 1742854810.981397000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.059610000 seconds]
    [Time delta from previous displayed frame: 0.059610000 seconds]
    [Time since reference or first frame: 4.414254000 seconds]
    Frame Number: 29
    Frame Length: 1262 bytes (10096 bits)
    Capture Length: 1262 bytes (10096 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:tls]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: Commscope_49:ac:e0 (10:93:97:49:ac:e0), Dst: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a)
    Destination: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Commscope_49:ac:e0 (10:93:97:49:ac:e0)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 2]
Internet Protocol Version 4, Src: 199.59.243.228, Dst: 192.168.1.185
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 1248
    Identification: 0x4478 (17528)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 246
    Protocol: TCP (6)
    Header Checksum: 0xbe1d [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 199.59.243.228
    Destination Address: 192.168.1.185
    [Stream index: 2]
Transmission Control Protocol, Src Port: 443, Dst Port: 5626, Seq: 3250, Ack: 523, Len: 1208
    Source Port: 443
    Destination Port: 5626
    [Stream index: 1]
    [Stream Packet Number: 13]
    [Conversation completeness: Complete, WITH_DATA (63)]
        ..1. .... = RST: Present
        ...1 .... = FIN: Present
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: RFDASS]
    [TCP Segment Len: 1208]
    Sequence Number: 3250    (relative sequence number)
    Sequence Number (raw): 2522082586
    [Next Sequence Number: 4458    (relative sequence number)]
    Acknowledgment Number: 523    (relative ack number)
    Acknowledgment number (raw): 2977648693
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 529
    [Calculated window size: 67712]
    [Window size scaling factor: 128]
    Checksum: 0x9a42 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 0.337771000 seconds]
        [Time since previous frame in this TCP stream: 0.059610000 seconds]
    [SEQ/ACK analysis]
        [iRTT: 0.092322000 seconds]
        [Bytes in flight: 1208]
        [Bytes sent since last PSH flag: 1208]
    TCP payload (1208 bytes)
Transport Layer Security
    TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 1203
        Encrypted Application Data […]: 9719d19c8b2f0a9f7e6ba7885601d835312ba4288862fae05a0cda5901cf0df589fb96232ce0af653ab8c2636a0d34d4a25d0e11f5e04bc0aebbd12a340e82ee4409eceb808598c32f6825bfd7f1fb4ea8f76c5a769eb9e7f18813decfedfff712f0555a3459d
        [Application Data Protocol: Hypertext Transfer Protocol]


This packet (Frame 29) is the first major encrypted HTTPS response from the server after the handshake. It contains TLS 1.3 encrypted application data, meaning it likely holds part of the webpage content being sent back to your browser.

🔎 Frame-Level Analysis
Frame 29: 1262 bytes on wire (10096 bits), 1262 bytes captured (10096 bits)

This is a much larger packet than the handshake packets seen so far.

The 1208-byte TCP payload is exactly one TLS record (5-byte header plus 1203 bytes of ciphertext), so this is response data rather than handshake material; what the response is (HTML, a redirect) cannot be told from the outside.

Arrival Time: Mar 24, 2025 15:20:10.981397 PDT

This is the timestamp when this packet arrived.

Time delta from previous captured frame: 0.059610 seconds

A more useful number is the gap between the client's request (Frame 26, 4.326229 s into the capture) and this first response byte (4.414254 s): 88 ms. Wireshark's iRTT for the stream is 92 ms, so nearly all of that is network round trip and the server itself spent at most a few milliseconds producing the response.

🖧 Ethernet Layer (L2)
Destination: e0:ad:47:20:d9:0a (Your Computer)

Source: Commscope_49:ac:e0 (Your gateway, forwarding the server's packet)

The packet came from the web server through your router, whose MAC appears as the source on the local segment; the true origin is in the IP header.

This confirms that your request has been processed and the server is now responding.

Type: IPv4 (0x0800)

This is an IPv4-based communication.

🌍 IP Layer (L3)
Source IP: 199.59.243.228 (Weightlifting.com Server)

Destination IP: 192.168.1.185 (Your Computer)

This packet carries the first encrypted content from the website.

Time to Live (TTL): 246

The TTL is what remains when the packet reaches you. Servers commonly start at 255, so 246 suggests roughly nine router hops between the server and your network (an inference, since the starting value is not visible in the capture).

Protocol: TCP (6)

The transport protocol is TCP.

🔢 TCP Layer (L4)
Source Port: 443 (HTTPS)

Destination Port: 5626 (Your Ephemeral Port)

This confirms the packet is part of an established HTTPS session.

Sequence Number: 3250

First payload byte of this segment, and exactly the acknowledgment number the client sent in Frame 26: the server continues where its handshake flight ended. The next sequence number will be 3250 + 1208 = 4458.

Acknowledgment Number: 523

The server has received every client byte up to 522 (275 + 248 - 1) and expects byte 523 next, so the request in Frame 26 arrived intact.

Flags: PSH, ACK

ACK (Acknowledgment): Confirms receipt of the client's request segment.

PSH (Push): Deliver this data to the application immediately.

TCP Segment Length: 1208

A large data segment carrying the first response record; the full 1262-byte frame is comfortably inside the usual 1500-byte Ethernet MTU.

Calculated Window Size: 67712

The raw window field is 529; multiplied by the window scale factor of 128 that the server advertised in its SYN-ACK, the server is offering 529 × 128 = 67712 bytes of receive buffer. (Your side uses a factor of 256, which is why Frame 26 shows 256 × 256 = 65536.)

🔐 TLS (L5-7) – Encrypted HTTPS Response
1️⃣ TLS Encrypted Application Data
Opaque Type: Application Data (23)

This means the packet contains encrypted content.

Length: 1203 bytes

Under the same assumption as before (16-byte AEAD tag plus one inner type byte), this is about 1186 bytes of plaintext, most likely the HTTP response headers and the start of the body.

Encrypted Application Data […]:

The actual data is completely unreadable in Wireshark because it is encrypted.

🔑 What This Means
The server is now delivering the response to your request.

This is an encrypted HTTPS response to your browser.

TLS encryption prevents content inspection.

You cannot see what is inside unless you have the session keys (for example from a browser's SSLKEYLOGFILE export) loaded into Wireshark.

This is the first response segment; more may follow before the server is done.

Additional packets may follow, building the full response.

🚀 Next Steps
✅ Filter for more HTTPS packets to track the full page load process.
✅ Look for TCP segments carrying additional web content.
✅ Optionally, try decrypting TLS traffic with session keys (advanced).

Frame 30: 657 bytes on wire (5256 bits), 657 bytes captured (5256 bits) on interface \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3})
        Interface name: \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3}
        Interface description: Wi-Fi
    Encapsulation type: Ethernet (1)
    Arrival Time: Mar 24, 2025 15:20:11.001140000 Pacific Daylight Time
    UTC Arrival Time: Mar 24, 2025 22:20:11.001140000 UTC
    Epoch Arrival Time: 1742854811.001140000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.019743000 seconds]
    [Time delta from previous displayed frame: 0.019743000 seconds]
    [Time since reference or first frame: 4.433997000 seconds]
    Frame Number: 30
    Frame Length: 657 bytes (5256 bits)
    Capture Length: 657 bytes (5256 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:tls]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: Commscope_49:ac:e0 (10:93:97:49:ac:e0), Dst: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a)
    Destination: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Commscope_49:ac:e0 (10:93:97:49:ac:e0)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 2]
Internet Protocol Version 4, Src: 199.59.243.228, Dst: 192.168.1.185
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 643
    Identification: 0x4479 (17529)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 246
    Protocol: TCP (6)
    Header Checksum: 0xc079 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 199.59.243.228
    Destination Address: 192.168.1.185
    [Stream index: 2]
Transmission Control Protocol, Src Port: 443, Dst Port: 5626, Seq: 4458, Ack: 523, Len: 603
    Source Port: 443
    Destination Port: 5626
    [Stream index: 1]
    [Stream Packet Number: 14]
    [Conversation completeness: Complete, WITH_DATA (63)]
        ..1. .... = RST: Present
        ...1 .... = FIN: Present
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: RFDASS]
    [TCP Segment Len: 603]
    Sequence Number: 4458    (relative sequence number)
    Sequence Number (raw): 2522083794
    [Next Sequence Number: 5061    (relative sequence number)]
    Acknowledgment Number: 523    (relative ack number)
    Acknowledgment number (raw): 2977648693
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 529
    [Calculated window size: 67712]
    [Window size scaling factor: 128]
    Checksum: 0x2914 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 0.357514000 seconds]
        [Time since previous frame in this TCP stream: 0.019743000 seconds]
    [SEQ/ACK analysis]
        [iRTT: 0.092322000 seconds]
        [Bytes in flight: 1811]
        [Bytes sent since last PSH flag: 603]
    TCP payload (603 bytes)
Transport Layer Security
    TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 574
        Encrypted Application Data […]: 668f2d179c20755a3f9772c54dc4c8683f31aaa3d5730a53e8b287a8e3f2c97fe2ce963c6d21e3790717983d7fe5e6fd78a537b23b27e6acf5362321f4b0e849c66f4e866d6bce10ff4f733dc914cdedfa04849e886eec287de6463e7d439974149d768283c79
        [Application Data Protocol: Hypertext Transfer Protocol]
    TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 19
        Encrypted Application Data: 4d7cff9c1287808caa95d4266bf09e243e14f0
        [Application Data Protocol: Hypertext Transfer Protocol]


Frame 30: HTTPS Encrypted Application Data (Follow-up Webpage Content)
🔎 Overview
This packet is another encrypted HTTPS response from the server (Weightlifting.com), continuing to deliver webpage content to your browser. It follows Frame 29, which contained the first major payload of encrypted data.

🖧 Ethernet Layer (L2)
Destination: e0:ad:47:20:d9:0a (Your Computer)

Source: Commscope_49:ac:e0 (Your gateway, forwarding the server's packet)

This is another response segment from the server.

Type: IPv4 (0x0800)

This is a standard IPv4 communication.

🌍 IP Layer (L3)
Source IP: 199.59.243.228 (Weightlifting.com Server)

Destination IP: 192.168.1.185 (Your Computer)

Confirms that this is an incoming HTTPS response.

Time to Live (TTL): 246

Same remaining TTL as Frame 29, so the same path back from the server.

Protocol: TCP (6)

Uses TCP transport.

🔢 TCP Layer (L4)
Source Port: 443 (HTTPS)

Destination Port: 5626 (Your Ephemeral Port)

Confirms active HTTPS session.

Sequence Number: 4458

Exactly 3250 + 1208: this segment continues where Frame 29 ended, with no gap or retransmission. The next sequence number will be 5061.

Acknowledgment Number: 523

Unchanged since Frame 29; the client has sent nothing new.

Flags: PSH, ACK

ACK (Acknowledgment): Confirms previous data received.

PSH (Push Data): Immediate delivery to the application layer (web browser).

TCP Segment Length: 603

Another substantial data segment. Wireshark's bytes-in-flight value of 1811 is 1208 + 603: the client had not yet acknowledged Frame 29 when this one was sent.

🔐 TLS (L5-7) – Encrypted HTTPS Response
1️⃣ TLS Encrypted Application Data
Opaque Type: Application Data (23)

Both records are encrypted; as with Frame 26, the outer label says nothing about the inner type.

Length: 574 bytes + 19 bytes

The 574-byte record is about 557 bytes of plaintext, the rest of the response (same 16 + 1 byte overhead assumption).

The 19-byte record is only 2 bytes of plaintext, which is exactly the size of a TLS alert (level + description). Followed immediately by the server's FIN in Frame 31, this is almost certainly a close_notify alert: the server is cleanly ending the TLS session before closing the TCP connection. Without keys this is an inference from the size, not a certainty.

Encrypted Application Data:

This remains unreadable without the session key.

📌 What This Means
The response is finishing: the server sends the remainder of the data and then, on the size evidence above, a close_notify alert.

Across Frames 29 and 30 the server sent 1203 + 574 = 1777 bytes of ciphertext on this connection, roughly 1743 bytes of plaintext. That is small for a complete web page; a redirect or a compact page would both fit, and any further resources would arrive on other connections (an inference, since the content is encrypted).

Your browser decrypts and processes this data behind the scenes.

Next steps in analysis:

Look for the server's FIN that normally follows a close_notify.

HTTP response headers are inside the ciphertext and cannot be checked without session keys; what can be checked is the byte count per direction and that the sequence numbers are contiguous.



Frame 31: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3})
        Interface name: \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3}
        Interface description: Wi-Fi
    Encapsulation type: Ethernet (1)
    Arrival Time: Mar 24, 2025 15:20:11.001140000 Pacific Daylight Time
    UTC Arrival Time: Mar 24, 2025 22:20:11.001140000 UTC
    Epoch Arrival Time: 1742854811.001140000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 4.433997000 seconds]
    Frame Number: 31
    Frame Length: 54 bytes (432 bits)
    Capture Length: 54 bytes (432 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: TCP SYN/FIN]
    [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: Commscope_49:ac:e0 (10:93:97:49:ac:e0), Dst: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a)
    Destination: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Commscope_49:ac:e0 (10:93:97:49:ac:e0)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 2]
Internet Protocol Version 4, Src: 199.59.243.228, Dst: 192.168.1.185
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 40
    Identification: 0x447a (17530)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 246
    Protocol: TCP (6)
    Header Checksum: 0xc2d3 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 199.59.243.228
    Destination Address: 192.168.1.185
    [Stream index: 2]
Transmission Control Protocol, Src Port: 443, Dst Port: 5626, Seq: 5061, Ack: 523, Len: 0
    Source Port: 443
    Destination Port: 5626
    [Stream index: 1]
    [Stream Packet Number: 15]
    [Conversation completeness: Complete, WITH_DATA (63)]
        ..1. .... = RST: Present
        ...1 .... = FIN: Present
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: RFDASS]
    [TCP Segment Len: 0]
    Sequence Number: 5061    (relative sequence number)
    Sequence Number (raw): 2522084397
    [Next Sequence Number: 5062    (relative sequence number)]
    Acknowledgment Number: 523    (relative ack number)
    Acknowledgment number (raw): 2977648693
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x011 (FIN, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...1 = Fin: Set
            [Expert Info (Chat/Sequence): Connection finish (FIN)]
                [Connection finish (FIN)]
                [Severity level: Chat]
                [Group: Sequence]
        [TCP Flags: ·······A···F]
            [Expert Info (Note/Sequence): This frame initiates the connection closing]
                [This frame initiates the connection closing]
                [Severity level: Note]
                [Group: Sequence]
    Window: 529
    [Calculated window size: 67712]
    [Window size scaling factor: 128]
    Checksum: 0x8c59 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 0.357514000 seconds]
        [Time since previous frame in this TCP stream: 0.000000000 seconds]


Frame 31: HTTPS Session Termination (FIN-ACK)
🔎 Overview
Frame 31 marks the beginning of the connection termination. The server sends a segment with the FIN and ACK flags set, signalling that it has no more data to send and is closing its side of the TCP connection.

This is the first step of the four-way TCP teardown (FIN, ACK, FIN, ACK; the middle two are often carried in one segment), and it follows the close_notify alert inferred from the 19-byte record in Frame 30.

🖧 Ethernet Layer (L2)
Destination: e0:ad:47:20:d9:0a (Your Computer)

Source: Commscope_49:ac:e0 (Your gateway, forwarding the server's packet)

The server, not the client, is initiating the close.

Type: IPv4 (0x0800)

Standard IPv4 packet.

🌍 IP Layer (L3)
Source IP: 199.59.243.228 (Weightlifting.com Server)

Destination IP: 192.168.1.185 (Your Computer)

This is a server-to-client communication, ending the session.

Time to Live (TTL): 246

Same as the data segments, so the same path back from the server.

Protocol: TCP (6)

Transport protocol for the session.

🔢 TCP Layer (L4)
Source Port: 443 (HTTPS)

Destination Port: 5626 (Your Ephemeral Port)

The connection remains on the same HTTPS session.

Sequence Number: 5061

This tracks data flow in the session.

Acknowledgment Number: 523

Acknowledges that your last packet was received.

Flags: FIN, ACK

ACK (Acknowledgment): Confirms receipt of all previous packets.

FIN (Finish): The server is closing its end of the session.

This is the first step in TCP’s four-way connection teardown.

TCP Segment Length: 0

No actual data is being sent, just the termination signal.

📌 What This Means
The server is done transmitting data.

The web page has fully loaded in your browser.

No further HTTPS data will be sent.

This starts the TCP connection teardown.

Your system will need to reply with FIN-ACK to confirm closure.

A final ACK from the server will complete the process.

Next steps in analysis:

Look for your computer’s FIN-ACK response.

Confirm the final ACK from the server (which fully closes the session).

🚀 Next Steps
✅ Check for your device's FIN-ACK packet (client response).
✅ Look for the final ACK from the server, which will complete the session closure.
✅ Confirm no additional data is being transmitted after the session ends.

Frame 32: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3})
        Interface name: \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3}
        Interface description: Wi-Fi
    Encapsulation type: Ethernet (1)
    Arrival Time: Mar 24, 2025 15:20:11.001140000 Pacific Daylight Time
    UTC Arrival Time: Mar 24, 2025 22:20:11.001140000 UTC
    Epoch Arrival Time: 1742854811.001140000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 4.433997000 seconds]
    Frame Number: 32
    Frame Length: 54 bytes (432 bits)
    Capture Length: 54 bytes (432 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags && !tcp.analysis.window_update && !tcp.analysis.keep_alive && !tcp.analysis.keep_alive_ack]
Ethernet II, Src: Commscope_49:ac:e0 (10:93:97:49:ac:e0), Dst: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a)
    Destination: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Commscope_49:ac:e0 (10:93:97:49:ac:e0)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 2]
Internet Protocol Version 4, Src: 199.59.243.228, Dst: 192.168.1.185
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 40
    Identification: 0x447b (17531)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 246
    Protocol: TCP (6)
    Header Checksum: 0xc2d2 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 199.59.243.228
    Destination Address: 192.168.1.185
    [Stream index: 2]
Transmission Control Protocol, Src Port: 443, Dst Port: 5626, Seq: 5061, Ack: 523, Len: 0
    Source Port: 443
    Destination Port: 5626
    [Stream index: 1]
    [Stream Packet Number: 16]
    [Conversation completeness: Complete, WITH_DATA (63)]
        ..1. .... = RST: Present
        ...1 .... = FIN: Present
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: RFDASS]
    [TCP Segment Len: 0]
    Sequence Number: 5061    (relative sequence number)
    Sequence Number (raw): 2522084397
    [Next Sequence Number: 5062    (relative sequence number)]
    Acknowledgment Number: 523    (relative ack number)
    Acknowledgment number (raw): 2977648693
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x011 (FIN, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...1 = Fin: Set
            [Expert Info (Chat/Sequence): Connection finish (FIN)]
                [Connection finish (FIN)]
                [Severity level: Chat]
                [Group: Sequence]
        [TCP Flags: ·······A···F]
            [Expert Info (Note/Sequence): This frame initiates the connection closing]
                [This frame initiates the connection closing]
                [Severity level: Note]
                [Group: Sequence]
    Window: 529
    [Calculated window size: 67712]
    [Window size scaling factor: 128]
    Checksum: 0x8c59 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 0.357514000 seconds]
        [Time since previous frame in this TCP stream: 0.000000000 seconds]
    [SEQ/ACK analysis]
        [iRTT: 0.092322000 seconds]
        [TCP Analysis Flags]
            [Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
                [This frame is a (suspected) retransmission]
                [Severity level: Note]
                [Group: Sequence]


Frame 32: Duplicate FIN-ACK – Suspected Retransmission
🔎 Overview
Frame 32 is almost identical to Frame 31, except that Wireshark flags it as a suspected retransmission.

This means the server is resending the FIN-ACK because it likely didn’t receive an expected response from your computer.

🌐 Why Would This Happen?
🔹 Packet Loss or Delay:

The original FIN-ACK (Frame 31) may have been lost in transit.

Your computer might have been slightly delayed in responding, making the server resend the closure request.

🔹 Redundant Transmission by the Server:

Some systems intentionally retransmit a FIN-ACK to ensure the client properly receives it before fully closing the connection.

🔹 Wireshark’s TCP Analysis Might Be Overly Cautious:

Wireshark flags suspected retransmissions, but this doesn’t always indicate an actual problem.

🖧 Ethernet Layer (L2)
Destination: e0:ad:47:20:d9:0a (Your Computer)

Source: Commscope_49:ac:e0 (Weightlifting.com Server)

Same as Frame 31—this is a retransmission.

🌍 IP Layer (L3)
Source IP: 199.59.243.228 (Server)

Destination IP: 192.168.1.185 (Your Computer)

Again, identical to Frame 31.

🔢 TCP Layer (L4)
Source Port: 443 (HTTPS)

Destination Port: 5626 (Your Ephemeral Port)

Sequence Number: 5061 (Same as Frame 31)

Acknowledgment Number: 523 (Same as Frame 31)

TCP Flags: FIN, ACK

Confirms that this is a repeated attempt to close the session.

📌 Key Takeaways
✅ This is likely a harmless retransmission.
✅ The server is ensuring the FIN-ACK gets received by your system.
✅ You should expect your computer to send a FIN-ACK response next.



Frame 33: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3})
        Interface name: \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3}
        Interface description: Wi-Fi
    Encapsulation type: Ethernet (1)
    Arrival Time: Mar 24, 2025 15:20:11.001180000 Pacific Daylight Time
    UTC Arrival Time: Mar 24, 2025 22:20:11.001180000 UTC
    Epoch Arrival Time: 1742854811.001180000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.000040000 seconds]
    [Time delta from previous displayed frame: 0.000040000 seconds]
    [Time since reference or first frame: 4.434037000 seconds]
    Frame Number: 33
    Frame Length: 54 bytes (432 bits)
    Capture Length: 54 bytes (432 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a), Dst: Commscope_49:ac:e0 (10:93:97:49:ac:e0)
    Destination: Commscope_49:ac:e0 (10:93:97:49:ac:e0)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 2]
Internet Protocol Version 4, Src: 192.168.1.185, Dst: 199.59.243.228
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 40
    Identification: 0xd885 (55429)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0xa4c8 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.1.185
    Destination Address: 199.59.243.228
    [Stream index: 2]
Transmission Control Protocol, Src Port: 5626, Dst Port: 443, Seq: 523, Ack: 5062, Len: 0
    Source Port: 5626
    Destination Port: 443
    [Stream index: 1]
    [Stream Packet Number: 17]
    [Conversation completeness: Complete, WITH_DATA (63)]
        ..1. .... = RST: Present
        ...1 .... = FIN: Present
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: RFDASS]
    [TCP Segment Len: 0]
    Sequence Number: 523    (relative sequence number)
    Sequence Number (raw): 2977648693
    [Next Sequence Number: 523    (relative sequence number)]
    Acknowledgment Number: 5062    (relative ack number)
    Acknowledgment number (raw): 2522084398
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······A····]
    Window: 256
    [Calculated window size: 65536]
    [Window size scaling factor: 256]
    Checksum: 0x8d6a [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 0.357554000 seconds]
        [Time since previous frame in this TCP stream: 0.000040000 seconds]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 31]
        [The RTT to ACK the segment was: 0.000040000 seconds]
        [iRTT: 0.092322000 seconds]


Frame 33: Final ACK – Connection Fully Closed
🔎 Overview
This frame confirms the completion of the connection teardown process between your computer and the web server.

In simpler terms, your computer is saying:
“Got it! I acknowledge the connection is closing.”
This marks the final step in the TCP four-way handshake for connection termination.

📌 What’s Happening Here?
Frames 31 and 32 were FIN-ACK messages from the server, requesting to close the connection.

✅ Frame 33 is your computer’s acknowledgment (ACK) that it received the server's FIN-ACK.
✅ After this, the connection is officially terminated.

🖧 Ethernet Layer (L2)
Destination: Commscope_49:ac:e0 (Server)

Source: e0:ad:47:20:d9:0a (Your Computer)

This confirms your system is responding to the server.

🌍 IP Layer (L3)
Source IP: 192.168.1.185 (Your Computer)

Destination IP: 199.59.243.228 (Server)

The connection is being closed from your side to the server.

🔢 TCP Layer (L4)
Source Port: 5626 (Your Computer's Ephemeral Port)

Destination Port: 443 (HTTPS)

Sequence Number: 523

Acknowledgment Number: 5062

This means your system acknowledges the FIN packet from the server.

TCP Flags: ACK ✅

This confirms that your computer has received and acknowledged the server’s request to close.

🚀 What Happens Next?
✅ The connection is now fully closed.
✅ No more data will be exchanged between your system and the server.

🔎 Key Takeaways
✅ This is the final step in the TCP termination process.
✅ Your computer properly responded to the server’s request to close the session.
✅ This ensures there are no lingering open connections.
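The two judgements Wireshark attached to Frames 32 and 33 ([This frame is a (suspected) retransmission] and [This is an ACK to the segment in frame: 31]) follow directly from the seq/ack numbers and flags shown above. The added Python example below (not part of the original notebook) replays the three captured segments and derives those notes plus the teardown state; it also runs on a constructed continuation (frames 34 and 35, not in the capture) with the client's own FIN-ACK and the server's final ACK that the summary describes. Addresses, ports and seq/ack values come from the capture; on the three captured frames only the server's FIN has been acknowledged, so the function reports a half-close, while the four-segment close returns closed.

```python
from collections import namedtuple

# One TCP segment: relative seq/ack numbers as Wireshark displays them,
# payload length in bytes, and a frozenset of flag names such as {"FIN","ACK"}.
Segment = namedtuple("Segment", "frame src dst seq ack length flags")

SERVER = "199.59.243.228:443"  # weightlifting.com side, values from the capture
CLIENT = "192.168.1.185:5626"  # the analyst's ephemeral port, from the capture


def analyse_teardown(segments):
    """Replay segments in capture order and reproduce three of Wireshark's
    SEQ/ACK judgements: suspected FIN retransmission, which frame an ACK
    answers, and whether the connection is open, half-closed or closed."""
    notes, seen, fins, acked = {}, {}, {}, set()
    for s in segments:
        key = (s.src, s.seq, s.flags)
        if s.length == 0 and "FIN" in s.flags and key in seen:
            # same sender, same sequence number, same flags, no new data
            notes[s.frame] = f"suspected retransmission of frame {seen[key]}"
        seen.setdefault(key, s.frame)
        if "FIN" in s.flags and s.src not in fins:
            fins[s.src] = (s.frame, s.seq)
        # A FIN consumes one sequence number, so the peer's ACK must carry
        # ack == FIN seq + 1 (frame 33 acks 5062 for the FIN at seq 5061).
        if "ACK" in s.flags and s.dst in fins and s.dst not in acked:
            fin_frame, fin_seq = fins[s.dst]
            if s.ack == fin_seq + 1:
                acked.add(s.dst)
                notes.setdefault(s.frame, f"ACK to the FIN in frame {fin_frame}")
    if len(fins) == 2 and len(acked) == 2:
        return "closed", notes
    return (f"half-closed by {next(iter(fins))}" if fins else "open"), notes


FIN_ACK, ACK = frozenset({"FIN", "ACK"}), frozenset({"ACK"})
# Frames 31-33 with the addresses, seq/ack numbers and flags the capture shows.
CAPTURED = [
    Segment(31, SERVER, CLIENT, 5061, 523, 0, FIN_ACK),
    Segment(32, SERVER, CLIENT, 5061, 523, 0, FIN_ACK),
    Segment(33, CLIENT, SERVER, 523, 5062, 0, ACK),
]
# Constructed continuation (not in the capture): the client's own FIN-ACK and
# the server's final ACK that the summary describes for a four-way close.
FULL_CLOSE = CAPTURED + [
    Segment(34, CLIENT, SERVER, 523, 5062, 0, FIN_ACK),
    Segment(35, SERVER, CLIENT, 5062, 524, 0, ACK),
]

if __name__ == "__main__":
    for name, segs in (("captured", CAPTURED), ("full close", FULL_CLOSE)):
        print(name, "->", analyse_teardown(segs))
```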



Final Summary: HTTPS Traffic Analysis with Wireshark
🚀 Objective
This project aimed to analyze an entire HTTPS session captured in Wireshark, from DNS resolution through the TCP and TLS handshakes to encrypted data transmission and proper connection termination.

Throughout this project, we meticulously tracked the flow of events to understand the precise order in which they occur. This method ensures that future Wireshark analyses will be structured, efficient, and meaningful.

📌 Step-by-Step Flow of Events
We followed the logical sequence of a web request using HTTPS, breaking down each critical phase:

1️⃣ DNS Resolution (Converting Domain to IP)
The client queried a DNS server to resolve the website name (weightlifting.com) into an IP address.

This process is necessary before establishing any network connection.

2️⃣ TCP Handshake (Establishing a Connection)
A three-way handshake was performed between the client (192.168.1.185) and the web server (199.59.243.228) on port 443 (HTTPS).

This process included:

SYN → SYN-ACK → ACK

A bidirectional connection was successfully established.

3️⃣ TLS Handshake (Establishing Secure Communication)
Client Hello: The client proposed supported TLS versions, cipher suites, and extensions.

Server Hello: The server selected TLS 1.3, a cipher suite (AES-GCM-SHA256), and a key exchange method (X25519).

Key Exchange: The client and server established a shared secret key using asymmetric encryption.

Finished Message: Both parties switched to symmetric encryption, securing all subsequent data.

4️⃣ Encrypted HTTPS Data Transmission
Once the TLS handshake was complete, actual HTTP data was exchanged, but it was fully encrypted within TLS packets.

These packets were identified as Application Data inside TLS 1.3 Record Layers.

5️⃣ Connection Termination (Graceful TCP Shutdown)
The server initiated the FIN-ACK to begin closing the connection.

The client acknowledged the request and responded with its own FIN-ACK.

The server then confirmed closure, marking the official end of communication.

🔑 Key Takeaways
✅ Flow Matters: Every network connection follows an orderly, structured process. Understanding this sequence allows accurate troubleshooting in Wireshark.
✅ Security Layers: TLS encryption secures HTTPS traffic, ensuring that data remains confidential and tamper-proof.
✅ Efficient Analysis: Recognizing Client Hello, Server Hello, Encrypted Data, and TCP FIN packets is crucial for evaluating secure web communications.
✅ Real-World Relevance: This project reflects real-world security analysis, applicable to network security monitoring, intrusion detection, and compliance audits.

🚀 Next Steps
This project provided a strong foundation in analyzing HTTPS traffic. Moving forward, we could explore:

Decrypting HTTPS traffic with session keys (if available).

Comparing TLS 1.3 vs. TLS 1.2 behaviors in Wireshark.

Identifying anomalies in encrypted web traffic (e.g., malicious activity, certificate mismatches).

