The goal of this assignment is to help you understand what is
going on in the network by examining exactly what flows across the
wire. This is something of a difficult task because network
protocol designers have worked so hard to hide those details behind
layers of abstraction for the higher-layer applications. Never fear though,
there are tools that we can use.
The goal of the assignment is to examine real protocols in
use and understand the communication that takes place in a network by
examining the bits that flow across a network segment.
For this assignment you will need either access to a machine running
UNIX with the ``snoop'' utility, or the parsed (text) version of a
snoop file.
The command in UNIX is snoop; however,
it requires root privileges to run. This is a good thing because it
should be hard to snoop packets on the network! So, the snooping has
been done for you, and a snoop file has been created.
Take the snoop-file.bin
(NOTE: Make sure you download this file, i.e. right click and select
``Save Link As''.)
and use it as the source file for snoop (HINT: do a
man snoop and look at how to use the -i option...
you can do this without having root). You will also want to use some
of the other options that come with snoop to more closely
investigate what is happening in this trace.
If you do not have access to a machine with ``snoop'', you can use
the snoop-file.txt file. It
contains the results of running the snoop command in verbose mode.
Some of the traffic in the trace involves protocols
we have not gone over. If you really want to understand what is
going on, you will have to consult a reference textbook for those.
To help get you started, I have provided a set of sample questions
that you will want to answer about the packet trace. However, these
questions only serve as examples of the kinds of things I think
are important. They serve as a starting point and are
not exhaustive. They are only provided as a guide to help
you find the most interesting aspects of the trace.
- How many total packets are in the trace file?
- What protocols (at each layer of the Internet stack) are seen
at least once somewhere in the trace?
- What are the contents and function of each packet (you can summarize
series of packets that work to accomplish some high level function but
be sure to include a sufficient amount of detail for at least one
series of packets)?
- What DLL/MAC layer addresses can be seen in the trace?
- What IP addresses can be seen in the trace?
- What host names can be seen in the trace?
- What transport-layer port numbers do you see? Do any of them
have special significance? Which ones and what is the significance?
How are the others chosen?
- Can you deduce anything about the network topology on which
this trace was taken, i.e. who is taking the trace? How many hosts
are on the local network, which ones? Which ones are remote? etc.
- How far away are the remote hosts?
- What is the Ethernet packet type and what does it mean?
- What different IP packet types can be seen, and what does each mean?
- Does IP fragmentation occur?
- Why would some packets have the ``Don't fragment'' bit set?
- What are the ranges of sequence numbers in each flow?
- What are the ranges of acknowledgment numbers in each flow?
- In any of the TCP connections, what is the window size?
Does it ever change between connections? How is it chosen?
- Why the difference in the TTL values? If there was suddenly a change
in the reported TTL, what would that be an indicator of?
- This packet trace is full of surprises, especially for someone who
has never looked at a packet trace in detail before. List a few
observations that were surprising to you including details of the
observation and why it was particularly noteworthy.
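As an added example (not part of the assignment hand-out and not snoop's own code), the script below parses text laid out like snoop's verbose output and tabulates several of the inventory questions above: the packet count, how many packets carry the DF bit, the protocol labels seen per layer, the MAC and IP addresses, the ports, and every TTL value reported for each source address. The embedded trace is constructed and abridged to the fields the parser reads; the ``LAYER:  field = value'' layout is an assumption about snoop -v output, so check it against your snoop-file.txt before relying on it.

```python
import re
# Constructed sample, abridged to the fields parsed below but shaped like the
# "LAYER:  field = value" lines of snoop -v; every value here is made up.
SAMPLE = """\
ETHER:  Packet 1 arrived at 10:15:2.34
ETHER:  Source      = 0:0:c:3:4e:5f,
IP:         .1.. .... = do not fragment
IP:   Time to live = 64 seconds/hops
IP:   Source address = 192.168.1.10, alpha
IP:   Destination address = 10.9.8.7, www.example.test
TCP:  Source port = 33000
TCP:  Destination port = 80 (HTTP)
ETHER:  Packet 2 arrived at 10:15:2.95
IP:   Time to live = 57 seconds/hops
IP:   Source address = 192.168.1.10, alpha
IP:   Destination address = 10.9.8.7, www.example.test
"""
FIELD = re.compile(r"^(\w+):\s+([A-Za-z][\w ]*?)\s*=\s*(.+?)\s*$")

def parse_snoop_verbose(text):
    """One {'LAYER.field': value} dict per packet ('IP.DF' marks the DF bit)."""
    packets = []
    for line in text.splitlines():
        if line.startswith("ETHER:  Packet "):
            packets.append({})                        # a new packet begins here
        elif packets and line.rstrip().endswith("= do not fragment"):
            packets[-1]["IP.DF"] = "set"              # flag-bit line has no field name
        elif packets and (m := FIELD.match(line)):
            packets[-1][f"{m[1]}.{m[2]}"] = m[3]
    return packets

def summarize(packets):
    """Inventory answers: counts, layer/protocol labels, MACs, IPs, ports, TTLs per source."""
    s = {"packets": len(packets), "df_packets": sum("IP.DF" in p for p in packets),
         "protocols": set(), "macs": set(), "ips": set(), "ports": set(), "ttls": {}}
    for p in packets:
        for k, v in p.items():
            s["protocols"].add(k.split(".")[0])       # layer label: ETHER, IP, TCP, ...
            if k in ("ETHER.Source", "ETHER.Destination"):
                s["macs"].add(v.partition(",")[0].strip())
            elif k.endswith(" address"):              # "10.9.8.7, hostname"
                s["ips"].add(v.partition(",")[0].strip())
            elif k.endswith(" port"):
                s["ports"].add(int(v.split()[0]))
            if name := re.search(r"\((\w+)\)", v):    # "6 (TCP)", "80 (HTTP)"
                s["protocols"].add(name[1])
        src = p.get("IP.Source address", "?").partition(",")[0].strip()
        if ttl := p.get("IP.Time to live"):           # several TTLs for one source is worth a look
            s["ttls"].setdefault(src, set()).add(int(ttl.split()[0]))
    return s
```

Run it on the real text file with `summarize(parse_snoop_verbose(open("snoop-file.txt").read()))`; a source whose `ttls` set holds more than one value is the situation the TTL question asks about.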