tcpdump is a so-called ``sniffer'': it captures full traces of the frames on a LAN, in our case an Ethernet. Please do ``man tcpdump'' and look through the manual page. There is no need to read the whole thing unless you plan to start using it. You must be superuser (root) to run tcpdump, since it needs raw access to the network interface.

There are a few examples of tcpdump output (partially digested!) on these pages. Note: these pages look much better than ``real'' tcpdump output! They have been nicely formatted, etc.

The way I tend to use tcpdump is to make a ``raw data file'' using the -w option, and then repeatedly analyze that file with different options (using the -r option).

dumpIPP.txt is output which shows that if there are an IPP (Internet Printing Protocol) server and client on the LAN, they chatter incessantly, making it hard to see what you are interested in. (A capture filter such as ``not port 631'', IPP's port, on the tcpdump command line keeps that chatter out of the trace.)

dumpntp.txt and dumpntphex.txt are two different representations of the same packet stream. The second one includes a complete hexadecimal representation of every packet (I used the -x option). These two runs give a picture of the activity on the interface of the computer hawking (should have been Hawkings) when I used rdate to synchronize the clock on hawking with the clock on ntp.njit.edu (the NJIT Network Time Protocol server). Parts of these NTP runs I showed in class on 10/30/2004. Do ``man date'' and ``man rdate''.

Please study the first few packets of every trace. In the second midterm, on 11/13/2004, there will be a question where you must study a short output of tcpdump and answer questions about the packets.

---

Example of a likely question:

The following is output from tcpdump (edited to make it easier to read). For the packet marked:
At what time of day was it sent?
What are the physical (Ethernet) source and destination addresses?
What is the frame type? How large is the frame?
This frame contains an IPv4 packet. How could I tell?
For the IP header, give a short description and the value of every field. For identification and checksum, leave the value in hexadecimal. For all other fields, give the value in hexadecimal as well as decimal (or dotted decimal).
Is ... a UDP packet or a TCP packet or ... (ICMP, IGMP, ARP, RARP, ...)?
The packet marked is a TCP packet. How did I tell? Give the values of all fields. (etc.)
In the output ..., find a three-way handshake (SYN, SYN/ACK, ACK) and a four-way handshake (the FIN/ACK exchange that closes the connection) that ``belong together''.

(Go to the tcpdump output pages on this site and answer the questions above for a number of packets, or for a few flows.)

---

Another fairly popular sniffer is Ethereal. I prefer tcpdump, because it allows the option of a hexadecimal representation of all packets, in their entirety. Ethereal is nicer if you are happy with the information it is willing to give.
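The walk-through the exam question asks for, as an added Python example that is not part of the course page: it turns the hex words tcpdump prints back into a frame, decodes the Ethernet, IPv4 and TCP header fields in order, verifies the IP header and TCP checksums, and checks a three-way handshake by flags and sequence numbers. The frames it decodes are constructed by the script itself with made-up MAC and IP addresses, ports, sequence numbers and identification values; nothing here comes from hawking, ntp.njit.edu or the dump files on this site.

```python
"""Decode Ethernet/IPv4/TCP headers from tcpdump hex output. Added example, not the course page's code; every frame below is constructed (addresses, ports, numbers are made up)."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum (IPv4 header, TCP, UDP): sum 16-bit words, fold carries, invert."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def from_tcpdump_hex(dump: str) -> bytes:
    """Raw bytes from the hex words tcpdump -x/-xx prints; '0x0010:' offset columns are skipped."""
    words = [t for line in dump.splitlines() for t in line.split() if not t.endswith(":")]
    return bytes.fromhex("".join(words))


def to_tcpdump_hex(frame: bytes) -> str:
    """Render bytes the way newer tcpdump -xx does: offset column, 16-bit words, 16 bytes per line."""
    lines = []
    for off in range(0, len(frame), 16):
        words = [frame[i:i + 2].hex() for i in range(off, min(off + 16, len(frame)), 2)]
        lines.append("0x%04x:  %s" % (off, " ".join(words)))
    return "\n".join(lines)


def parse_frame(frame: bytes) -> dict:
    """Walk one frame header by header, as the exam question asks you to do by hand."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth": {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype, "frame_len": len(frame)}}
    if ethertype != ETHERTYPE_IPV4:     # type 0x0800 is how you tell the frame carries IPv4
        return out
    ip = frame[14:]
    (vihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, s, d) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    out["ip"] = {
        "version": vihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident, "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        # a header whose checksum field is correct sums to 0xFFFF, so the inverted sum is 0
        "checksum_ok": ones_complement_checksum(ip[:ihl]) == 0,
        "src": ".".join(map(str, s)), "dst": ".".join(map(str, d)),
    }
    if proto != IPPROTO_TCP:            # protocol 6 is how you tell it is TCP (17 would be UDP)
        return out
    tcp = ip[ihl:total_len]             # stop at total_length: short frames carry Ethernet padding
    sport, dport, seq, ack, off, flags, window, tcsum, urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = s + d + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))   # TCP pseudo-header
    out["tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": (off >> 4) * 4,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "window": window, "checksum": tcsum, "urgent": urg,
        "checksum_ok": ones_complement_checksum(pseudo + tcp) == 0,
    }
    return out


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, ident):
    """Construct a 54-byte Ethernet/IPv4/TCP frame (no options, no payload) with valid checksums."""
    s, d = (bytes(map(int, a.split("."))) for a in (src_ip, dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0x4000, 64, IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def is_three_way_handshake(decoded) -> bool:
    """True when three decoded frames are SYN, SYN/ACK, ACK with consistent sequence numbers."""
    if len(decoded) < 3 or any("tcp" not in f for f in decoded[:3]):
        return False
    syn, synack, ack = (f["tcp"] for f in decoded[:3])
    return (syn["flags"] == ["SYN"] and synack["flags"] == ["SYN", "ACK"] and ack["flags"] == ["ACK"]
            and synack["ack"] == syn["seq"] + 1 and ack["ack"] == synack["seq"] + 1
            and ack["seq"] == syn["seq"] + 1)


# Constructed three-way handshake between two made-up hosts (not from a real capture).
CLIENT_MAC, CLIENT_IP = "00:11:22:33:44:55", "192.168.1.10"
SERVER_MAC, SERVER_IP = "66:77:88:99:aa:bb", "192.168.1.20"
SYN, ACK = 0x02, 0x10
HANDSHAKE = [
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 40000, 80, 1000, 0, SYN, 0x1234),
    build_tcp_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 40000, 5000, 1001, SYN | ACK, 0),
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 40000, 80, 1001, 5001, ACK, 0x1235),
]
HANDSHAKE_HEX = [to_tcpdump_hex(f) for f in HANDSHAKE]          # what tcpdump -xx would show
DECODED = [parse_frame(from_tcpdump_hex(h)) for h in HANDSHAKE_HEX]  # decoded back from the hex
```

Two caveats when you feed it real output: tcpdump's -x prints the packet without its link-level header, so to get the Ethernet addresses and frame type in hex you need -xx (or -e to have them in the summary line instead); and the hex must cover the whole frame, so capture with a snapshot length large enough for that (-s 0) rather than the old default of 68 bytes, which truncates everything past the first few header bytes.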