This is output from a tcpdump trace taken on Friday April 02, 2004. It was taken on ``hawking'' in the Internet Laboratory. hawking has private IP address 10.7.0.1. Much (not all) of the session is an ftp (file transfer protocol) session between hawking and maan (maan.njit.edu, 128.235.32.243). maan is in the public njit network.

You can identify packets by number (0, 1, 2, ...) as long as the number is small, or by timestamp.

A ``flow'' in IP is a sequence of packets with the same IP addresses, the same port numbers, and the same protocol. Usually we call the two directions two different flows. Sometimes (sloppily) we call them together one flow.

Problems for training, maybe to hand in:

1. What do packets 5 and 6 do? Explain all fields.

2. In packets 5 and 6, can you figure out the physical address of hawking? If yes, how, and what is it?

3. In packets 5 and 6, can you figure out the physical address of maan? If yes, how, and what is it?

4. In packets 5 and 6, can you figure out the physical address of the computer with IP address 10.7.0.253? If yes, how, and what is it?

5. From time 12:26:47.059425 until time 12:26:47.070427 something ``unusual'' happens. (The real cause of that actually is a few packets earlier.) Figure out what happened and describe it in a paragraph, maybe as long as half a page. (Part of the story is that one side sends a FIN and then the other side says ``Hey, there is data from you that is still missing, transmit it first before you close''.) How would this have been dealt with if hawking and maan had not agreed to use SACK?

6. The tcpdump output contains two three-way handshakes, one ``ordinary'' four-way handshake, and one ``unusual'' (but NOT abnormal (!)) termination. Find them. For each, give the timestamps of all packets involved and briefly describe the role of the packets (like 12:26:08.277061, first SYN; ..., SYN-ACK; ..., ACK).

7. A TCP flow (or, more accurately, a pair of flows) usually starts with a three-way handshake and ends with a four-way handshake. Find the two TCP flows in the tcpdump output for which you can find both the start and the end. Which start goes with which end? (Hint: look at port numbers.)

-------

packet number 0 (zero):
12:25:29.110394 0:e0:81:24:28:9c ff:ff:ff:ff:ff:ff 0800 136: 10.7.0.254.631 > 10.7.255.255.631: [udp sum ok] udp 94 (DF) (ttl 64, id 0, len 122)

packet number 1:
12:25:38.510689 0:a:57:c0:8c:26 1:0:c:cc:cc:cc 008c 154: snap 0:0:c:20:0 CDP v1, ttl=180s 01/2a DevID 'HP ProCurve Switch 2524(000a57-c08c00)' 02/11 Addr (1): IPv4 127.0.0.1 03/05 PortID '6' 04/08 CAP 0x08 05/2d Version: (suppressed) 06/0b Platform: 'HP 2524'

packet number 2:
12:26:00.117117 0:e0:81:24:28:9c ff:ff:ff:ff:ff:ff 0800 136: 10.7.0.254.631 > 10.7.255.255.631: [udp sum ok] udp 94 (DF) (ttl 64, id 0, len 122)

packet number 3:
12:26:08.275154 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 73: 10.7.0.1.32773 > 10.1.0.254.53: [udp sum ok] 40139+ A? maan.njit.edu. (31) (DF) (ttl 64, id 57015, len 59)

packet number 4:
12:26:08.276493 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 219: 10.1.0.254.53 > 10.7.0.1.32773: [udp sum ok] 40139 1/4/2 maan.njit.edu. A 128.235.32.243 (177) (DF) (ttl 61, id 0, len 205)

packet number 5:
12:26:08.276906 0:2:b3:d3:d4:86 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.7.0.253 tell 10.7.0.1

packet number 6:
12:26:08.277048 0:2:b3:cd:cd:c9 0:2:b3:d3:d4:86 0806 60: arp reply 10.7.0.253 is-at 0:2:b3:cd:cd:c9

12:26:08.277061 0:2:b3:d3:d4:86 0:2:b3:cd:cd:c9 0800 74: 10.7.0.1.36868 > 128.235.32.243.21: S [tcp sum ok] 1910022878:1910022878(0) win 5840 (DF) (ttl 64, id 31849, len 60)
12:26:08.277240 0:2:b3:cd:cd:c9 0:2:b3:d3:d4:86 0800 102: 10.7.0.253 > 10.7.0.1: icmp: redirect 128.235.32.243 to host 10.7.0.254 [tos 0xc0] (ttl 64, id 21724, len 88)
12:26:08.281976 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 78: 128.235.32.243.21 > 10.7.0.1.36868: S [tcp sum ok] 1488820410:1488820410(0) ack 1910022879 win 49232 (DF) (ttl 59, id 30351, len 64)
12:26:08.282004 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36868 > 128.235.32.243.21: . [tcp sum ok] ack 1488820411 win 5840 (DF) (ttl 64, id 31850, len 52)
12:26:08.317125 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 126: 128.235.32.243.21 > 10.7.0.1.36868: P [tcp sum ok] 1488820411:1488820471(60) ack 1910022879 win 49232 (DF) (ttl 59, id 30352, len 112)
12:26:08.317215 0:2:b3:d3:d4:86 0:2:b3:cd:cd:c9 0800 66: 10.7.0.1.36868 > 128.235.32.243.21: . [tcp sum ok] ack 1488820471 win 5840 (DF) [tos 0x10] (ttl 64, id 31851, len 52)
12:26:08.317362 0:2:b3:cd:cd:c9 0:2:b3:d3:d4:86 0800 94: 10.7.0.253 > 10.7.0.1: icmp: redirect 128.235.32.243 to host 10.7.0.254 [tos 0xd0] (ttl 64, id 21725, len 80)
12:26:08.317425 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 79: 10.7.0.1.36868 > 128.235.32.243.21: P [tcp sum ok] 1910022879:1910022892(13) ack 1488820471 win 5840 (DF) [tos 0x10] (ttl 64, id 31852, len 65)
12:26:08.320022 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 66: 128.235.32.243.21 > 10.7.0.1.36868: . [tcp sum ok] ack 1910022892 win 49232 (DF) (ttl 59, id 30353, len 52)
12:26:08.320375 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 104: 128.235.32.243.21 > 10.7.0.1.36868: P [tcp sum ok] 1488820471:1488820509(38) ack 1910022892 win 49232 (DF) (ttl 59, id 30354, len 90)
12:26:08.320839 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 84: 10.7.0.1.36868 > 128.235.32.243.21: P [tcp sum ok] 1910022892:1910022910(18) ack 1488820509 win 5840 (DF) [tos 0x10] (ttl 64, id 31853, len 70)
12:26:08.322948 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 66: 128.235.32.243.21 > 10.7.0.1.36868: . [tcp sum ok] ack 1910022910 win 49232 (DF) (ttl 59, id 30355, len 52)
12:26:08.323300 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 104: 128.235.32.243.21 > 10.7.0.1.36868: P [tcp sum ok] 1488820509:1488820547(38) ack 1910022910 win 49232 (DF) (ttl 59, id 30356, len 90)
12:26:08.360030 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36868 > 128.235.32.243.21: . [tcp sum ok] ack 1488820547 win 5840 (DF) [tos 0x10] (ttl 64, id 31854, len 52)
12:26:11.662952 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 76: 10.7.0.1.36868 > 128.235.32.243.21: P [tcp sum ok] 1910022910:1910022920(10) ack 1488820547 win 5840 (DF) [tos 0x10] (ttl 64, id 31855, len 62)
12:26:11.666892 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 98: 128.235.32.243.21 > 10.7.0.1.36868: P [tcp sum ok] 1488820547:1488820579(32) ack 1910022920 win 49232 (DF) (ttl 59, id 30357, len 84)
12:26:11.666926 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36868 > 128.235.32.243.21: . [tcp sum ok] ack 1488820579 win 5840 (DF) [tos 0x10] (ttl 64, id 31856, len 52)
12:26:13.274601 0:2:b3:cd:cd:c9 0:2:b3:d3:d4:86 0806 60: arp who-has 10.7.0.1 tell 10.7.0.253
12:26:13.274624 0:2:b3:d3:d4:86 0:2:b3:cd:cd:c9 0806 42: arp reply 10.7.0.1 is-at 0:2:b3:d3:d4:86
12:26:13.279121 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0806 60: arp who-has 10.7.0.1 tell 10.7.0.254
12:26:13.279128 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0806 42: arp reply 10.7.0.1 is-at 0:2:b3:d3:d4:86
12:26:20.476061 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 81: 10.7.0.1.36868 > 128.235.32.243.21: P [tcp sum ok] 1910022920:1910022935(15) ack 1488820579 win 5840 (DF) [tos 0x10] (ttl 64, id 31857, len 67)
12:26:20.522357 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 66: 128.235.32.243.21 > 10.7.0.1.36868: . [tcp sum ok] ack 1910022935 win 49232 (DF) (ttl 59, id 30358, len 52)
12:26:20.562539 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 91: 128.235.32.243.21 > 10.7.0.1.36868: P [tcp sum ok] 1488820579:1488820604(25) ack 1910022935 win 49232 (DF) (ttl 59, id 30359, len 77)
12:26:20.562605 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36868 > 128.235.32.243.21: . [tcp sum ok] ack 1488820604 win 5840 (DF) [tos 0x10] (ttl 64, id 31858, len 52)
12:26:20.562673 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 72: 10.7.0.1.36868 > 128.235.32.243.21: P [tcp sum ok] 1910022935:1910022941(6) ack 1488820604 win 5840 (DF) [tos 0x10] (ttl 64, id 31859, len 58)
12:26:20.565394 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 100: 128.235.32.243.21 > 10.7.0.1.36868: P [tcp sum ok] 1488820604:1488820638(34) ack 1910022941 win 49232 (DF) (ttl 59, id 30360, len 86)
12:26:20.600027 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36868 > 128.235.32.243.21: . [tcp sum ok] ack 1488820638 win 5840 (DF) [tos 0x10] (ttl 64, id 31860, len 52)
12:26:28.858897 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 73: 10.7.0.1.36868 > 128.235.32.243.21: P [tcp sum ok] 1910022941:1910022948(7) ack 1488820638 win 5840 (DF) [tos 0x10] (ttl 64, id 31861, len 59)
12:26:28.862029 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 95: 128.235.32.243.21 > 10.7.0.1.36868: P [tcp sum ok] 1488820638:1488820667(29) ack 1910022948 win 49232 (DF) (ttl 59, id 30361, len 81)
12:26:28.862064 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36868 > 128.235.32.243.21: . [tcp sum ok] ack 1488820667 win 5840 (DF) [tos 0x10] (ttl 64, id 31862, len 52)
12:26:31.133845 0:e0:81:24:28:9c ff:ff:ff:ff:ff:ff 0800 136: 10.7.0.254.631 > 10.7.255.255.631: [udp sum ok] udp 94 (DF) (ttl 64, id 0, len 122)
12:26:38.513577 0:a:57:c0:8c:26 1:0:c:cc:cc:cc 008c 154: snap 0:0:c:20:0 CDP v1, ttl=180s 01/2a DevID 'HP ProCurve Switch 2524(000a57-c08c00)' 02/11 Addr (1): IPv4 127.0.0.1 03/05 PortID '6' 04/08 CAP 0x08 05/2d Version: (suppressed) 06/0b Platform: 'HP 2524'
12:26:47.033379 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 74: 10.7.0.1.36868 > 128.235.32.243.21: P [tcp sum ok] 1910022948:1910022956(8) ack 1488820667 win 5840 (DF) [tos 0x10] (ttl 64, id 31863, len 60)
12:26:47.035850 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 86: 128.235.32.243.21 > 10.7.0.1.36868: P [tcp sum ok] 1488820667:1488820687(20) ack 1910022956 win 49232 (DF) (ttl 59, id 30362, len 72)
12:26:47.035884 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36868 > 128.235.32.243.21: . [tcp sum ok] ack 1488820687 win 5840 (DF) [tos 0x10] (ttl 64, id 31864, len 52)
12:26:47.035925 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 72: 10.7.0.1.36868 > 128.235.32.243.21: P [tcp sum ok] 1910022956:1910022962(6) ack 1488820687 win 5840 (DF) [tos 0x10] (ttl 64, id 31865, len 58)
12:26:47.046895 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 115: 128.235.32.243.21 > 10.7.0.1.36868: P [tcp sum ok] 1488820687:1488820736(49) ack 1910022962 win 49232 (DF) (ttl 59, id 30363, len 101)
12:26:47.046979 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 74: 10.7.0.1.36869 > 128.235.32.243.2079: S [tcp sum ok] 1951713092:1951713092(0) win 5840 (DF) (ttl 64, id 10904, len 60)
12:26:47.049760 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 78: 128.235.32.243.2079 > 10.7.0.1.36869: S [tcp sum ok] 1498407331:1498407331(0) ack 1951713093 win 49232 (DF) (ttl 59, id 30364, len 64)
12:26:47.049802 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36869 > 128.235.32.243.2079: . [tcp sum ok] ack 1498407332 win 5840 (DF) (ttl 64, id 10905, len 52)
12:26:47.049880 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 89: 10.7.0.1.36868 > 128.235.32.243.21: P [tcp sum ok] 1910022962:1910022985(23) ack 1488820736 win 5840 (DF) [tos 0x10] (ttl 64, id 31866, len 75)
12:26:47.054521 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 142: 128.235.32.243.21 > 10.7.0.1.36868: P [tcp sum ok] 1488820736:1488820812(76) ack 1910022985 win 49232 (DF) (ttl 59, id 30365, len 128)
12:26:47.059423 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 844: 128.235.32.243.2079 > 10.7.0.1.36869: P [tcp sum ok] 1498408780:1498409558(778) ack 1951713093 win 49232 (DF) (ttl 59, id 30367, len 830)
12:26:47.059425 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 66: 128.235.32.243.2079 > 10.7.0.1.36869: F [tcp sum ok] 1498409558:1498409558(0) ack 1951713093 win 49232 (DF) (ttl 59, id 30368, len 52)
12:26:47.059478 0:2:b3:d3:d4:86 0:2:b3:cd:cd:c9 0800 78: 10.7.0.1.36869 > 128.235.32.243.2079: . [tcp sum ok] ack 1498407332 win 5840 (DF) [tos 0x8] (ttl 64, id 10906, len 64)
12:26:47.059485 0:2:b3:d3:d4:86 0:2:b3:cd:cd:c9 0800 78: 10.7.0.1.36869 > 128.235.32.243.2079: . [tcp sum ok] ack 1498407332 win 5840 (DF) [tos 0x8] (ttl 64, id 10907, len 64)
12:26:47.059688 0:2:b3:cd:cd:c9 0:2:b3:d3:d4:86 0800 106: 10.7.0.253 > 10.7.0.1: icmp: redirect 128.235.32.243 to host 10.7.0.254 [tos 0xc8] (ttl 64, id 21726, len 92)
12:26:47.068017 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 1490: 128.235.32.243.2079 > 10.7.0.1.36869: P [tcp sum ok] 1498407332:1498408756(1424) ack 1951713093 win 49232 (DF) (ttl 59, id 30369, len 1476)
12:26:47.068020 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 868: 128.235.32.243.2079 > 10.7.0.1.36869: FP [tcp sum ok] 1498408756:1498409558(802) ack 1951713093 win 49232 (DF) (ttl 59, id 30370, len 854)
12:26:47.068174 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 78: 10.7.0.1.36869 > 128.235.32.243.2079: . [tcp sum ok] ack 1498408756 win 8544 (DF) [tos 0x8] (ttl 64, id 10908, len 64)
12:26:47.068286 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36869 > 128.235.32.243.2079: F [tcp sum ok] 1951713093:1951713093(0) ack 1498409559 win 11392 (DF) [tos 0x8] (ttl 64, id 10909, len 52)
12:26:47.070427 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 66: 128.235.32.243.2079 > 10.7.0.1.36869: . [tcp sum ok] ack 1951713094 win 49232 (DF) (ttl 59, id 30371, len 52)
12:26:47.090034 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36868 > 128.235.32.243.21: . [tcp sum ok] ack 1488820812 win 5840 (DF) [tos 0x10] (ttl 64, id 31867, len 52)
12:26:47.092094 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 90: 128.235.32.243.21 > 10.7.0.1.36868: P [tcp sum ok] 1488820812:1488820836(24) ack 1910022985 win 49232 (DF) (ttl 59, id 30372, len 76)
12:26:47.093057 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36868 > 128.235.32.243.21: . [tcp sum ok] ack 1488820836 win 5840 (DF) [tos 0x10] (ttl 64, id 31868, len 52)
12:26:51.634953 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 72: 10.7.0.1.36868 > 128.235.32.243.21: P [tcp sum ok] 1910022985:1910022991(6) ack 1488820836 win 5840 (DF) [tos 0x10] (ttl 64, id 31869, len 58)
12:26:51.637520 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 115: 128.235.32.243.21 > 10.7.0.1.36868: P [tcp sum ok] 1488820836:1488820885(49) ack 1910022991 win 49232 (DF) (ttl 59, id 30373, len 101)
12:26:51.637554 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36868 > 128.235.32.243.21: . [tcp sum ok] ack 1488820885 win 5840 (DF) [tos 0x10] (ttl 64, id 31870, len 52)
12:26:51.640669 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 206: 128.235.32.243.21 > 10.7.0.1.36868: P [tcp sum ok] 1488820885:1488821025(140) ack 1910022991 win 49232 (DF) (ttl 59, id 30374, len 192)
12:26:51.640672 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 66: 128.235.32.243.21 > 10.7.0.1.36868: F [tcp sum ok] 1488821025:1488821025(0) ack 1910022991 win 49232 (DF) (ttl 59, id 30375, len 52)
12:26:51.640739 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36868 > 128.235.32.243.21: . [tcp sum ok] ack 1488821025 win 5840 (DF) [tos 0x10] (ttl 64, id 31871, len 52)
12:26:51.640830 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36868 > 128.235.32.243.21: F [tcp sum ok] 1910022991:1910022991(0) ack 1488821026 win 5840 (DF) [tos 0x10] (ttl 64, id 31872, len 52)
12:26:51.643385 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 66: 128.235.32.243.21 > 10.7.0.1.36868: . [tcp sum ok] ack 1910022992 win 49232 (DF) (ttl 59, id 30376, len 52)
12:26:56.638536 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0806 60: arp who-has 10.7.0.1 tell 10.7.0.254
12:26:56.638560 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0806 42: arp reply 10.7.0.1 is-at 0:2:b3:d3:d4:86
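The following is an added worked example; it is not part of the original handout and not tcpdump's own code. It is a small Python script that parses tcpdump lines of the format shown above and does mechanically what problems 2 to 7 ask for by hand: it learns physical addresses from ARP (and only from ARP), records which next-hop MAC hawking uses for frames to maan before and after an ICMP redirect, reconstructs each TCP connection's handshake and FINs, and replays each direction as a receiver would, flagging any segment or FIN that arrives while earlier bytes are still missing. Its input is a constructed subset of the trace above, copied verbatim. Everything else is this example's own choice, not something the handout states: the function and class names, and the option-byte count, which assumes a 20-byte IP header (no IP options) and a 20-byte fixed TCP header.

```python
import re

# Constructed input: lines copied verbatim from the trace above (a subset).
TRACE = """\
12:26:08.276906 0:2:b3:d3:d4:86 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.7.0.253 tell 10.7.0.1
12:26:08.277048 0:2:b3:cd:cd:c9 0:2:b3:d3:d4:86 0806 60: arp reply 10.7.0.253 is-at 0:2:b3:cd:cd:c9
12:26:47.046979 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 74: 10.7.0.1.36869 > 128.235.32.243.2079: S [tcp sum ok] 1951713092:1951713092(0) win 5840 (DF) (ttl 64, id 10904, len 60)
12:26:47.049760 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 78: 128.235.32.243.2079 > 10.7.0.1.36869: S [tcp sum ok] 1498407331:1498407331(0) ack 1951713093 win 49232 (DF) (ttl 59, id 30364, len 64)
12:26:47.049802 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36869 > 128.235.32.243.2079: . [tcp sum ok] ack 1498407332 win 5840 (DF) (ttl 64, id 10905, len 52)
12:26:47.059423 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 844: 128.235.32.243.2079 > 10.7.0.1.36869: P [tcp sum ok] 1498408780:1498409558(778) ack 1951713093 win 49232 (DF) (ttl 59, id 30367, len 830)
12:26:47.059425 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 66: 128.235.32.243.2079 > 10.7.0.1.36869: F [tcp sum ok] 1498409558:1498409558(0) ack 1951713093 win 49232 (DF) (ttl 59, id 30368, len 52)
12:26:47.059478 0:2:b3:d3:d4:86 0:2:b3:cd:cd:c9 0800 78: 10.7.0.1.36869 > 128.235.32.243.2079: . [tcp sum ok] ack 1498407332 win 5840 (DF) [tos 0x8] (ttl 64, id 10906, len 64)
12:26:47.059688 0:2:b3:cd:cd:c9 0:2:b3:d3:d4:86 0800 106: 10.7.0.253 > 10.7.0.1: icmp: redirect 128.235.32.243 to host 10.7.0.254 [tos 0xc8] (ttl 64, id 21726, len 92)
12:26:47.068017 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 1490: 128.235.32.243.2079 > 10.7.0.1.36869: P [tcp sum ok] 1498407332:1498408756(1424) ack 1951713093 win 49232 (DF) (ttl 59, id 30369, len 1476)
12:26:47.068020 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 868: 128.235.32.243.2079 > 10.7.0.1.36869: FP [tcp sum ok] 1498408756:1498409558(802) ack 1951713093 win 49232 (DF) (ttl 59, id 30370, len 854)
12:26:47.068174 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 78: 10.7.0.1.36869 > 128.235.32.243.2079: . [tcp sum ok] ack 1498408756 win 8544 (DF) [tos 0x8] (ttl 64, id 10908, len 64)
12:26:47.068286 0:2:b3:d3:d4:86 0:e0:81:24:28:9c 0800 66: 10.7.0.1.36869 > 128.235.32.243.2079: F [tcp sum ok] 1951713093:1951713093(0) ack 1498409559 win 11392 (DF) [tos 0x8] (ttl 64, id 10909, len 52)
12:26:47.070427 0:e0:81:24:28:9c 0:2:b3:d3:d4:86 0800 66: 128.235.32.243.2079 > 10.7.0.1.36869: . [tcp sum ok] ack 1951713094 win 49232 (DF) (ttl 59, id 30371, len 52)
"""

HDR = re.compile(r"^(?P<ts>\S+) (?P<smac>\S+) (?P<dmac>\S+) [0-9a-f]{4} \d+: (?P<body>.*)$")
TCP = re.compile(r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFPR.]+) "
                 r"\[tcp sum ok\] (?:(?P<seq>\d+):\d+\((?P<dlen>\d+)\) )?(?:ack (?P<ack>\d+) )?win .*len (?P<iplen>\d+)\)$")
ARP = re.compile(r"^arp (?:reply (?P<rip>[\d.]+) is-at (?P<mac>\S+)|who-has [\d.]+ tell (?P<qip>[\d.]+))")
REDIR = re.compile(r"^(?P<gw>[\d.]+) > [\d.]+: icmp: redirect (?P<dst>[\d.]+) to host (?P<newgw>[\d.]+)")


def parse(text):
    """One dict per tcpdump line; 'kind' is arp, tcp, redirect or other."""
    pkts = []
    for h in filter(None, map(HDR.match, text.splitlines())):
        p, body = {"ts": h["ts"], "smac": h["smac"], "dmac": h["dmac"], "kind": "other"}, h["body"]
        if m := ARP.match(body):
            # A reply names the target's MAC; a request proves only the sender's
            # own MAC, which is also the Ethernet source address of the frame.
            p.update(kind="arp", ip=m["rip"] or m["qip"], mac=m["mac"] or h["smac"])
        elif m := TCP.match(body):
            p.update(kind="tcp", src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
                     flags=m["flags"], dlen=int(m["dlen"] or 0), iplen=int(m["iplen"]),
                     seq=int(m["seq"]) if m["seq"] else None, ack=int(m["ack"]) if m["ack"] else None)
        elif m := REDIR.match(body):
            p.update(kind="redirect", gw=m["gw"], dst=m["dst"], newgw=m["newgw"])
        pkts.append(p)
    return pkts


def learn_macs(pkts):
    """IP -> MAC for hosts ARP proves; off-link hosts (maan) never appear here."""
    return {p["ip"]: p["mac"] for p in pkts if p["kind"] == "arp"}


def next_hops(pkts, dst_ip):
    """(ts, Ethernet dst) each time frames to dst_ip switch to another next-hop MAC."""
    out = []
    for p in pkts:
        if p["kind"] == "tcp" and p["dst"] == dst_ip and (not out or out[-1][1] != p["dmac"]):
            out.append((p["ts"], p["dmac"]))
    return out


class Stream:
    """Receiver's view of one direction: next byte needed, plus what arrived ahead of it."""
    def __init__(self):
        self.expected, self.pending, self.events = None, [], []

    def segment(self, ts, flags, seq, dlen):
        if seq is None:                      # pure ACK: occupies no sequence space
            return
        if "S" in flags:                     # SYN occupies one sequence number
            self.expected = seq + 1
            return
        end = seq + dlen + (1 if "F" in flags else 0)   # so does FIN
        if seq > self.expected:              # arrived ahead of a hole: count the hole
            have = sum(max(0, min(e, seq) - max(s, self.expected)) for s, e in self.pending)
            what = "FIN" if "F" in flags else f"{dlen} data bytes"
            self.events.append((ts, f"{what} while {seq - self.expected - have} bytes still missing"))
        if end > seq:
            self.pending.append((seq, end))
        while ready := [e for s, e in self.pending if s <= self.expected]:   # slide over contiguous data
            self.expected = max(self.expected, *ready)
            self.pending = [iv for iv in self.pending if iv[1] > self.expected]


def connections(pkts):
    """Per connection: handshake timestamps, FINs, TCP option bytes per packet, one Stream per direction."""
    conns = {}
    for p in (q for q in pkts if q["kind"] == "tcp"):
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        c = conns.setdefault(tuple(sorted((a, b))),
                             {"handshake": [], "fins": [], "opts": {}, "streams": {a: Stream(), b: Stream()}})
        syn, acked, n = "S" in p["flags"], p["ack"] is not None, len(c["handshake"])
        if syn and not acked and n == 0:
            c["client"], c["handshake"] = a, [p["ts"]]
        elif syn and acked and n == 1 or not syn and acked and n == 2 and a == c["client"]:
            c["handshake"].append(p["ts"])
        if "F" in p["flags"]:
            c["fins"].append((p["ts"], a))
        # option bytes = IP total length - 20 (IP header, assumed without options) - 20 (TCP) - data
        c["opts"][p["ts"]] = p["iplen"] - 40 - p["dlen"]
        c["streams"][a].segment(p["ts"], p["flags"], p["seq"], p["dlen"])
    return conns


if __name__ == "__main__":
    pkts = parse(TRACE)
    print(learn_macs(pkts), next_hops(pkts, "128.235.32.243"))
    for key, c in connections(pkts).items():
        print(key, c["handshake"], c["fins"], {ep: s.events for ep, s in c["streams"].items()})
```

Running it shows, for the port-2079 connection, that the 778 bytes at 12:26:47.059423 and the FIN at 12:26:47.059425 both arrive while 1448 bytes (1498407332 to 1498408779) are still missing, which is why hawking's acknowledgement at 12:26:47.059478 stays at 1498407332 even though later data is in hand. That acknowledgement also carries 24 option bytes instead of the usual 12, which is consistent with one SACK block on top of the timestamp option (this version of tcpdump did not print the options, so the script can only count them). The address table contains hawking and 10.7.0.253 only: maan's physical address is never on this wire, because every frame to 128.235.32.243 carries a gateway's MAC, and which gateway changes right after each ICMP redirect.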