tcpdump is a so-called ``sniffer'': it is used to collect full traces of frames on a LAN, in our case on Ethernet. Please do ``man tcpdump'' and look at the manual pages. No need to read the whole thing unless you plan to start using it. You must be superuser to use tcpdump. There are a few examples of output (partially digested!) of tcpdump on these pages.

The way I tend to use tcpdump is to make a ``raw data file'' using the -w option, and then repeatedly analyze that file with different options, reading it back with the -r option.

dumpIPP.txt is output which shows that if there are an IPP (Internet Printing Protocol) server and client on the network, they chatter incessantly, making it hard to see what you are interested in. dumpntp.txt and dumpntphex.txt are two different representations of the same packet stream. The second one includes a complete hexadecimal representation of every packet (I used the -x option). These two runs give a picture of the activity on the interface of the computer hawking (should have been Hawkings) when I used rdate to synchronize the clock on hawking with the clock on ntp.njit.edu (the NJIT Network Time Protocol server). Do ``man date'' and ``man rdate''.

Please study the first few packets of every trace. During and after the break there will be homework on tcpdump. On the second midterm there will be at least one question on tcpdump.

---

Example: the following is output from tcpdump (edited to make it easier to read). For the packet marked: At what time of day was it sent? What are the physical (MAC) source and destination addresses? What is the frame type? How large is the frame? This frame contains an IPv4 packet. How could I tell? For the IP header, give a short description and the value of every field. For identification and checksum, leave the value in hexadecimal. For all other fields, give the value in hexadecimal as well as decimal (or dotted decimal).

Or: something where you have to figure out something by combining output from tcpdump with other output, such as that of netstat, ifconfig or arp.

---

Another fairly popular sniffer is ethereal. I prefer tcpdump, because it allows the option of a hexadecimal representation of all packets, in their entirety. ethereal is nicer if you are happy with the information it is willing to give. If there are students who want to play with tcpdump in my lab, that can be arranged, as long as you do not take time from Mr Jain or me.
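As an added worked example (not from this page or from the course trace files), the following Python script does the exercise above on a constructed packet: it writes a one-packet ``raw data file'' in the pcap format that tcpdump -w produces, reads it back the way -r does, and then decodes the Ethernet header and every IPv4 header field, checking the header checksum along the way. Everything in the sample is made up for the example: the MAC addresses, the 192.0.2.0/24 (TEST-NET) addresses, the timestamp, and the 48-byte NTP request payload. The raw record always includes the 14-byte Ethernet header (that is how -w saves it); the time is printed in UTC here, whereas tcpdump prints the local time of the capturing host.

```python
"""Answer the tcpdump exercise questions for one captured frame.
Added example; the pcap record and the frame bytes below are constructed."""
import struct
from datetime import datetime, timezone

# Constructed sample: Ethernet II + IPv4 + UDP + 48-byte NTP client request.
# Hex is grouped in 16-bit words, the way tcpdump -x prints it.
SAMPLE_FRAME = bytes.fromhex(
    "000c 29ab cdef"            # Ethernet destination MAC (made up)
    "0050 5612 3456"            # Ethernet source MAC (made up)
    "0800"                      # EtherType 0x0800 = IPv4
    "4500 004c 1a2b 0000"       # IPv4: ver/IHL, TOS, total length, id, flags/frag
    "4011 dbf0 c000 020a"       #       TTL 64, protocol 17 (UDP), checksum, src
    "c000 027b"                 #       dst
    "007b 007b 0038 0000"       # UDP: sport 123, dport 123, length 56, no checksum
) + b"\x23" + bytes(47)         # NTPv4 client request (LI=0, VN=4, mode 3), rest zero
SAMPLE_TS_SEC = int(datetime(2003, 11, 3, 14, 30, 5, tzinfo=timezone.utc).timestamp())
SAMPLE_TS_USEC = 123456         # constructed capture time

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

def write_pcap(records):
    """Serialize (ts_sec, ts_usec, frame) records as a classic pcap file,
    the format tcpdump -w writes (little-endian, microsecond timestamps)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def read_pcap(data):
    """Parse a pcap file (what tcpdump -r reads) into (ts_sec, ts_usec, frame)
    records; the magic number tells us which byte order the writer used."""
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        end = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        end = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return records

def ip_checksum(header):
    """RFC 1071 one's-complement checksum over the IP header.  Call it with the
    checksum field zeroed to compute the value; called over the header as
    received, it returns 0 exactly when the stored checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt):
    """Decode every IPv4 header field (RFC 791), keeping raw numeric values."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    return {
        "version": version, "ihl": ihl, "header_len": ihl * 4, "tos": tos,
        "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13,            # 3 bits: reserved, DF, MF
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "checksum_ok": ip_checksum(pkt[:ihl * 4]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }

def parse_frame(frame):
    """Split an Ethernet II frame into the pieces the exercise asks about.
    The captured length excludes the 4-byte FCS, which the NIC strips."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"frame_len": len(frame), "dst_mac": frame[:6].hex(":"),
            "src_mac": frame[6:12].hex(":"), "ethertype": ethertype, "ipv4": None}
    if ethertype == 0x0800 and len(frame) >= 34:   # EtherType says IPv4 follows
        info["ipv4"] = parse_ipv4(frame[14:])
    return info

def describe(ts_sec, ts_usec, frame):
    """Return the exercise answers as text lines: hex plus decimal/dotted."""
    f = parse_frame(frame)
    t = datetime.fromtimestamp(ts_sec, tz=timezone.utc)
    lines = ["time of day (UTC): %s.%06d" % (t.strftime("%H:%M:%S"), ts_usec),
             "frame size: %d bytes captured (FCS not included)" % f["frame_len"],
             "dst MAC %s   src MAC %s" % (f["dst_mac"], f["src_mac"]),
             "frame type 0x%04x (%d)%s" % (f["ethertype"], f["ethertype"],
                                           " = IPv4" if f["ethertype"] == 0x0800 else "")]
    ip = f["ipv4"]
    if ip:
        lines += ["version %#x (%d), IHL %#x (%d words = %d bytes), TOS %#04x (%d)"
                  % (ip["version"], ip["version"], ip["ihl"], ip["ihl"],
                     ip["header_len"], ip["tos"], ip["tos"]),
                  "total length %#06x (%d), identification %#06x"
                  % (ip["total_length"], ip["total_length"], ip["identification"]),
                  "flags %#x (%d), fragment offset %#x (%d)"
                  % (ip["flags"], ip["flags"], ip["fragment_offset"], ip["fragment_offset"]),
                  "TTL %#04x (%d), protocol %#04x (%d), header checksum %#06x (%s)"
                  % (ip["ttl"], ip["ttl"], ip["protocol"], ip["protocol"],
                     ip["checksum"], "verifies" if ip["checksum_ok"] else "BAD"),
                  "src %s, dst %s" % (ip["src"], ip["dst"])]
    return lines

if __name__ == "__main__":
    raw = write_pcap([(SAMPLE_TS_SEC, SAMPLE_TS_USEC, SAMPLE_FRAME)])   # like -w
    for ts_sec, ts_usec, frame in read_pcap(raw):                       # like -r
        print("\n".join(describe(ts_sec, ts_usec, frame)))
```

The IPv4 question is answered from the EtherType alone: 0x0800 in bytes 12 and 13 of the frame tells the receiver an IPv4 header starts at byte 14, and the first nibble there (4) confirms it. The checksum check is worth doing by hand once: add the ten 16-bit words of the header, fold the carries back in, and the result must be 0xffff if the header is intact.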