Version 1.0. 1/25/05. 11.11am.
For this assignment, you will be analyzing some packet traces produced by tcpdump. For some of the questions, you may need to write a program. You may use any programming language you like, including shell scripts, or existing Unix tools. For others, you can probably just eyeball the output from tcpdump. To be clear, this is not a programming assignment, but you may use your programming skills to help you complete it.
Run tcpdump -r tracefile to look at the packets in file tracefile.
There are two things to keep in mind about the output of tcpdump. The first is that some options are generic to all protocols and have to do with how information is formatted as it is printed. These are set by command line flags. Here are some that you might find useful.
The second is that tcpdump includes a powerful expression-based filtering language that can be used to extract only certain packets from a trace. For example, to extract only those packets sent from www.cs.washington.edu, one would say

tcpdump -r tracefile src host www.cs.washington.edu
TCP is bi-directional, meaning that any given packet can both carry data intended for the peer, as well as an acknowledgement for data sent from the peer. For many of the questions, you will want to look at data sent in only one direction.
20:32:35.437157 IP www.cs.washington.edu.http > 10.0.1.4.60258: P 1:1184(1183) ack 202 win 1716
The two numbers 1:1184 are the sequence numbers of the data carried by this packet, and the number in parentheses, 1183, is their difference: the size of the TCP data portion of the packet. Questions that refer to packet size refer to just this portion.
A packet may also include an acknowledgement, where the acknowledgement contains a sequence number that describes the largest byte received such that all bytes of smaller sequence number have also been received. In the above example, the ack is for sequence number 202, which is the sequence number of the last in-order byte received. So, for example, if three packets are received in order with sequence numbers [1,100], [200,215], [216,220], then the TCP receiver does not generate an ack having a sequence number in excess of 100 until it receives a data packet with a sequence number of at least 101. It may, however, generate further acks for sequence number 100 as a "signal" to the sender that something is quite literally "out of sorts" with the packets that have been received.
By default, tcpdump displays the true sequence number for the first packet in a conversation, and then reverts to a delta for subsequent packets. This makes the trace easier to read. You can use the -S option to change this behavior.
Here's the output of running tcpdump -r smalltrace.raw. I recommend that you open it in a new window and STRETCH it in order to look at it. You won't need to know what all the fields are. The most important ones are the timestamp, source and destination host, sequence number, and ack (with sequence number).
There are two parts to this assignment. The first part involves answering a few questions about a very short packet trace representing a brief conversation between my home computer and a computer somewhere on the internet. The entire conversation fits on half a screen, and you should be able to answer all the questions about the first part using tcpdump on the raw packet trace directly.
The second part involves analyzing a much longer packet trace, again between my home computer and a server on the internet. This file is too large for you to "eyeball" the results, so you will need to process it somehow.
The way in which you answer each question is just as important as your answer. That means that you should answer each question by providing the information being asked for, as well as an explanation of how you produced the answer. Your explanation should make clear both your strategy and your mechanics. Strategy says "what to look for." Mechanics says "how to look for it."
For example, suppose the question was "A pure-ack packet is a packet that carries no data. It contains only an ack. How many pure ack packets are reflected in the trace file to www.cs.washington.edu?" A good answer would be:
tcpdump -r bigtrace.raw dst host www.cs.washington.edu | awk '{print $7}' | grep 'ack' | wc -l
Or, as another alternative, you could use a combination of simple tools to extract portions of the data and put it in an easy-to-use format, and then write a program that produces the final result. The choice is yours. You will not be graded on the basis of your choice of mechanics, but some choices will be much more time-consuming than others. You will find this assignment easiest if you first think about each question carefully in order to convince yourself that you can answer it easily without a lot of mechanics. None of the questions require much.
000767 IP www.cs.washington.edu.http > 10.0.1.5.52593: . 4264521:4265969(1448) ack 198 win 1716

Here, 5 acks are sent with the same sequence number but with an increasing window size. Why is this happening? (Again, go with "visual inspection".)

142937 IP 10.0.1.5.52593 > www.cs.washington.edu.http: . ack 4265969 win 0
184583 IP 10.0.1.5.52593 > www.cs.washington.edu.http: . ack 4265969 win 16384
004061 IP 10.0.1.5.52593 > www.cs.washington.edu.http: . ack 4265969 win 32768
000375 IP 10.0.1.5.52593 > www.cs.washington.edu.http: . ack 4265969 win 49152
000582 IP 10.0.1.5.52593 > www.cs.washington.edu.http: . ack 4265969 win 65535
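The following is an added example, not part of the assignment and not a program the course supplies. It shows one way to do the "write a program" kind of mechanics described above: parse the one-line TCP summaries tcpdump prints (the same layout as the www.cs.washington.edu line shown earlier, with relative sequence numbers), check that the parenthesized size equals the difference of the two sequence numbers, count pure acks the way the awk pipeline in the example answer does, total the data bytes sent in one direction, and find runs of consecutive acks that repeat the same ack number so their window values can be inspected, as the question just above asks. The trace lines embedded in the block are constructed for the example (the host name and the 10.0.1.4 address are reused from the page; the timestamps, sequence numbers and window values are made up), and the function names are the example's own.

```python
"""Parse tcpdump's one-line TCP summaries (the format shown in this
assignment) and answer a few trace questions from the parsed fields."""
import re

# Constructed sample lines in the same layout tcpdump printed above; this is
# not a real trace. Sequence numbers are relative, as tcpdump prints them
# by default (without -S).
SAMPLE_TRACE = """\
20:32:35.437157 IP www.cs.washington.edu.http > 10.0.1.4.60258: P 1:1184(1183) ack 202 win 1716
20:32:35.437301 IP 10.0.1.4.60258 > www.cs.washington.edu.http: . ack 1184 win 65535
20:32:35.438902 IP www.cs.washington.edu.http > 10.0.1.4.60258: . 1184:2632(1448) ack 202 win 1716
20:32:35.439010 IP 10.0.1.4.60258 > www.cs.washington.edu.http: . ack 2632 win 0
20:32:35.581947 IP 10.0.1.4.60258 > www.cs.washington.edu.http: . ack 2632 win 16384
20:32:35.766530 IP 10.0.1.4.60258 > www.cs.washington.edu.http: . ack 2632 win 32768
20:32:35.767112 IP 10.0.1.4.60258 > www.cs.washington.edu.http: . ack 2632 win 49152
20:32:35.770591 IP 10.0.1.4.60258 > www.cs.washington.edu.http: P 202:250(48) ack 2632 win 65535
"""

# timestamp, "IP", src, ">", dst:, flags, optional "first:last(len)",
# optional "ack N", optional "win N". Anything after win is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
    r"(?: (?P<first>\d+):(?P<last>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
)


def host_of(endpoint):
    """'www.cs.washington.edu.http' -> 'www.cs.washington.edu' (drop the port)."""
    return endpoint.rsplit(".", 1)[0]


def parse_trace(text):
    """Return one dict per packet; lines that do not match the layout are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        first, last, length = m.group("first"), m.group("last"), m.group("len")
        length = int(length) if length else 0
        if first is not None:
            # tcpdump prints first:last(len) with last exclusive, so the
            # difference of the two sequence numbers is the TCP data size.
            assert int(last) - int(first) == length, line
        packets.append({
            "ts": m.group("ts"),
            "src": host_of(m.group("src")),
            "dst": host_of(m.group("dst")),
            "flags": m.group("flags"),
            "len": length,
            "ack": int(m.group("ack")) if m.group("ack") else None,
            "win": int(m.group("win")) if m.group("win") else None,
        })
    return packets


def count_pure_acks(packets, dst_host):
    """Pure ack: carries an ack but no data; counted only when sent to dst_host."""
    return sum(1 for p in packets
               if p["dst"] == dst_host and p["len"] == 0 and p["ack"] is not None)


def bytes_sent(packets, src_host):
    """Total TCP data bytes sent by src_host (sum of the parenthesized sizes)."""
    return sum(p["len"] for p in packets if p["src"] == src_host)


def repeated_ack_runs(packets, src_host, min_run=2):
    """Runs of consecutive pure acks from src_host that repeat one ack number.
    Returns [(ack, [window values in order]), ...]; a run like this is what
    the question above asks you to explain from the window values."""
    runs, current = [], None
    for p in packets:
        pure = p["src"] == src_host and p["len"] == 0 and p["ack"] is not None
        if pure and current and current[0] == p["ack"]:
            current[1].append(p["win"])
            continue
        if current and len(current[1]) >= min_run:
            runs.append((current[0], current[1]))
        current = [p["ack"], [p["win"]]] if pure else None
    if current and len(current[1]) >= min_run:
        runs.append((current[0], current[1]))
    return runs


if __name__ == "__main__":
    pkts = parse_trace(SAMPLE_TRACE)
    print("pure acks to server:", count_pure_acks(pkts, "www.cs.washington.edu"))
    print("data bytes from server:", bytes_sent(pkts, "www.cs.washington.edu"))
    print("repeated acks from client:", repeated_ack_runs(pkts, "10.0.1.4"))
```

To use it on a real trace, feed it the text from tcpdump -r tracefile (for example, tcpdump -r bigtrace.raw > bigtrace.txt and then parse_trace(open("bigtrace.txt").read())); since the parser keys on "first:last(len)", "ack" and "win" rather than on field positions, it still works when a host name changes the number of fields, which is the case where a fixed awk column number can go wrong.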
If you need to include any out-of-line figures (pdf or gif only), shell scripts, or program source code, do so by including them as links in your hw3.html file. If you want to include them inline in your web page, know how to do it, and they don't distract too much from the flow, go ahead. But don't worry if you don't know how.
Finally, make sure your web page works before you turn it in. We're not going to be able to debug your html.