Homework 1: Practice with Tcpdump


Due: Tue, Aug 31 via email

In this assignment you will get some practice using tcpdump. Download the file test.pcap and use tcpdump to answer the following questions. In the file, there is one large file transfer.
  1. When did the transfer start? When did it end? The ssh connection started at 19:14:39.197043, when the first SYN packet is seen to host 129.82.47.120 (taylor.cs.colostate.edu). The actual data most likely started at 19:14:40.129621, when the first packet of size 1440 is seen. Note that the MTU negotiated earlier was 1460. The data transfer most likely ended at 19:14:43.367989, when a packet of size 464 bytes was transferred. There were a number of small packets transferred after that, which are most likely SSH-related data. The TCP connection ended at 19:14:43.546753, when the ack for the last FIN was received.
  2. What was the size of the data transferred? This can be obtained from the sequence numbers of the SYN and FIN packets. However, tcpdump makes it easy for you to find this because it shows the offset from the initial sequence number. Thus, the final amount of data transferred is 3047767, which appears in the FIN packet at 19:14:43.546702. Given that the size of the file was 3029296 bytes, the rest is ssh-related data.
  3. What was the average roundtrip time? Argus reports 0.013865 secs RTT.
  4. How many packets were transferred? Argus reports 2171 from source to destination, 3305 total packets.
  5. What was the data packet size? Looking at the tcpdump output, most large packets were 1440 bytes.
  6. What was the window size on each endpoint? Looking at tcpdump, swin was 10816B and dstwin 50400B. Note that you may see a different number in the tcpdump output; for example, you will see win 169 for the source host. The reason is that in the original SYN packet the hosts negotiated window scaling (wscale 6), so you have to multiply the window value seen in the packet by 6 * 8 = 64B (window scaling is negotiated in multiples of 8 bytes). Argus reports the correct window for you. Why, then, does the server report an unscaled window size? Because window scaling (wscale) was 0 in the SYN-ACK.
  7. What was the average transfer rate? Argus reports 6028799 b/s.
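To show how the numbers in the answer key fall out of tcpdump's summary lines, here is an added Python example (written for this page, not part of the assignment or of tcpdump) that parses constructed tcpdump output: the hosts, ports, sequence numbers and timestamps are made up, with the win/wscale values chosen to match question 6, and it applies the scale factor only to non-SYN packets, since the window in a SYN is never scaled.

```python
import re
from datetime import datetime

# Constructed tcpdump-style lines (not taken from test.pcap); the win/wscale values
# mirror the answer key so the scaled windows come out to 10816 and 50400 bytes.
SAMPLE = """\
19:14:39.197043 IP 10.0.0.5.50123 > 129.82.47.120.22: Flags [S], seq 1000, win 5840, options [mss 1460,wscale 6], length 0
19:14:39.210908 IP 129.82.47.120.22 > 10.0.0.5.50123: Flags [S.], seq 2000, ack 1001, win 50400, options [mss 1460,wscale 0], length 0
19:14:39.211000 IP 10.0.0.5.50123 > 129.82.47.120.22: Flags [.], ack 1, win 169, length 0
19:14:40.129621 IP 10.0.0.5.50123 > 129.82.47.120.22: Flags [P.], seq 1:1441, ack 1, win 169, length 1440
19:14:43.367989 IP 10.0.0.5.50123 > 129.82.47.120.22: Flags [P.], seq 1441:1905, ack 1, win 169, length 464
19:14:43.546702 IP 10.0.0.5.50123 > 129.82.47.120.22: Flags [F.], seq 1905, ack 1, win 169, length 0
19:14:43.546753 IP 129.82.47.120.22 > 10.0.0.5.50123: Flags [.], ack 1906, win 50400, length 0
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>[\d.]+)\.\d+ > [\d.]+\.\d+: "
    r"Flags \[(?P<flags>[^\]]*)\],(?: seq [\d:]+,)?(?: ack \d+,)? win (?P<win>\d+),"
    r"(?: options \[(?P<opts>[^\]]*)\],)? length (?P<len>\d+)$")

def summarize(text):
    """Per-host packet/byte counts, scaled windows, handshake RTT, first/last timestamp."""
    wscale, raw_win, packets, data, stamps = {}, {}, {}, {}, []
    syn_ts = synack_ts = None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a TCP summary line
        src, flags, n = m["src"], m["flags"], int(m["len"])
        stamps.append(m["ts"])
        packets[src] = packets.get(src, 0) + 1
        data[src] = data.get(src, 0) + n
        if "S" in flags:
            # The window in a SYN is never scaled; just record the factor the host offers.
            sc = re.search(r"wscale (\d+)", m["opts"] or "")
            wscale[src] = int(sc.group(1)) if sc else None
            if "." in flags:
                synack_ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            else:
                syn_ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        else:
            raw_win[src] = int(m["win"])  # last advertised window, as printed (unscaled)
    # Scaling is only in effect if both SYNs carried the option; the factor is 2**wscale,
    # so "wscale 6" means win*64 while "wscale 0" leaves the printed window unchanged.
    scaling_on = len(wscale) == 2 and None not in wscale.values()
    window = {h: w << ((wscale.get(h) or 0) if scaling_on else 0) for h, w in raw_win.items()}
    rtt = (synack_ts - syn_ts).total_seconds() if syn_ts and synack_ts else None
    return {"start": stamps[0] if stamps else None, "end": stamps[-1] if stamps else None,
            "packets": packets, "data_bytes": data, "window": window, "handshake_rtt": rtt}
```

Run `summarize(SAMPLE)` to get the scaled windows (169 * 64 = 10816 for the client, 50400 unchanged for the server), the SYN/SYN-ACK round trip and per-direction packet and byte counts from the constructed lines.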