The goal of this assignment is to help you understand what is going on in the network by examining exactly what flows across the wire. This is something of a difficult task because network protocol designers have worked so hard to provide so much abstraction to the higher layer applications. Never fear though, there are tools that we can use.

Assignment Details

For this assignment you will either have to have access to a machine running UNIX and with the ``snoop'' utility or you will have to use the parsed version of a snoop file. The command in UNIX is snoop; however, it requires root privileges to run. This is a good thing because it should be hard to snoop packets on the network! So, the snooping has been done for you, and a snoop file has been created. Take the snoop-file.bin file (NOTE: Make sure you download this file, i.e. right click and select ``Save Link As''.) and use it as the source file for snoop (HINT: do a man snoop and look at how to use the -i option... you can do this without having root). You will also want to use some some of the other options that come with snoop to more closely investigate what is happening in this trace. If you do not have access to a machine with ``snoop'', you can use the snoop-file.txt file. It contains the results of running the snoop command in verbose mode.

Some of the things going on in the trace will contain protocols we have not gone over. If you really want to understand what is going on, you will have to use some reference textbook to help. To help get you started, I have provided a set of sample questions that you will want to answer about the packet trace. However, these questions only serve as examples of the kinds of things I think are important. They serve as a starting point and are not exhaustive. They are only provided as a guide to help you find the most interesting aspects of the trace.

• How many total packets are in the trace file?
• What protocols (at each layer of the Internet stack) are seen at least once somewhere in the trace?
• What are the contents and function of each packet (you can summarize series of packets that work to accomplish some high level function but be sure to include a sufficient amount of detail for at least one series of packets)?
• What DLL/MAC layer addresses can be seen in the trace?
• What IP addresses can be seen in the trace?
• What host names can be seen in the trace?
• What transport-layer port numbers do you see? Do any of them have special significance? Which ones and what is the significance? How are the others chosen?
• Can you deduce anything about the network topology on which this trace was taken, i.e. who is taking the trace? How many hosts are on the local network, which ones? Which ones are remote? etc.
• How far away are the remote hosts?
• What is the Ethernet packet type and what does it mean?
• What different IP packet types can be seen what does each mean?
• Does IP fragmentation occur?
• Why would some packets have the ``Don't fragment" bit set?
• What are the ranges of sequence numbers in each flow?
• What are the ranges of acknowledgment numbers in each flow?
• In any of the TCP connections, what is the window size? Does it ever change between connections? How is it chosen?
• Why the difference in the TTL values? If there was suddenly a change in the reported TTL, what would that be an indicator of?
• This packet trace is full of surprises, especially for someone who has never looked at a packet trace in detail before. List a few observations that were surprising to you including details of the observation and why it was particularly noteworthy.