Burton Rosenberg
5 March 2003
You are to look at the following network traces and interpret them. That is, pick apart the packets, finding the ethernet header, the IP header (for ICMP and UDP traffic) and the UDP header (UDP traffic). Also, once the headers have been identified, interpret the body of the packet.
The network traces as given are a little hard to work with because the packets are all run together. So the first job is to delimit the ethernet packets. Hints to do this:

- The byte sequence ff ff ff ff ff ff (12 f's) will almost certainly be the start of a packet.
- The byte sequence 08 00 45 is almost certainly the start of an IP header. Actually the 45 is the start of the header; the 08 00 is the type field of the ethernet packet designating IP.
The packets were captured using tcpdump and then turned into readable text using hexdump. Hexdump's format is:

byte-number  da ta in ma ny co lu mn s  |text of same data|

The text is very useful, particularly for DNS traffic, where there is actual readable stuff inside the DNS packet.
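As an added example (not part of the assignment and not the author's code), here is a Python parser that does the delimiting and header-picking described above on a constructed hexdump -C style sample: it strips hexdump's offset and text columns, starts a frame at the six ff bytes (the Ethernet broadcast destination address), uses the IPv4 total-length field to find where each frame ends so stray bytes between frames are skipped, and pulls out the Ethernet, IP and UDP fields (or the ICMP type and code). The sample trace, MAC addresses and IP addresses are all made up.

```python
import struct
# Constructed sample in hexdump -C style, not one of the assignment's traces: two Ethernet frames
# (broadcast dst MAC, EtherType 0x0800, IPv4, then UDP or ICMP) with four junk bytes between them.
SAMPLE_HEXDUMP = """
00000000  ff ff ff ff ff ff 00 11  22 33 44 55 08 00 45 00  |........"3DU..E.|
00000010  00 20 00 01 00 00 40 11  00 00 c0 a8 01 02 c0 a8  |. ....@.........|
00000020  01 ff 04 00 00 35 00 0c  00 00 de ad be ef 3e 5a  |.....5........>Z|
00000030  60 01 ff ff ff ff ff ff  00 11 22 33 44 66 08 00  |`........."3Df..|
00000040  45 00 00 1c 00 02 00 00  40 01 00 00 c0 a8 01 03  |E.......@.......|
00000050  c0 a8 01 ff 08 00 f7 ff  00 00 00 00              |............|
0000005c
"""
BROADCAST = bytes.fromhex("ff" * 6)            # Ethernet broadcast destination address

def hexdump_to_bytes(text: str) -> bytes:
    out = bytearray()
    for line in text.splitlines():
        fields = line.split("|")[0].split()        # drop hexdump's |text| column
        if fields and len(fields[0]) > 2:          # a field longer than one byte is the offset
            fields = fields[1:]
        out += bytes.fromhex("".join(fields))
    return bytes(out)

def split_frames(data: bytes) -> list:
    """Six ff bytes start a frame (the first hint); the IPv4 total length says where it ends."""
    frames, pos = [], data.find(BROADCAST)
    while pos != -1:                               # junk between frames is skipped over
        end = pos + 14 + struct.unpack("!H", data[pos + 16:pos + 18])[0]
        frames.append(data[pos:end])
        pos = data.find(BROADCAST, end)
    return frames

def parse_frame(frame: bytes) -> dict:
    """Pick apart the Ethernet header, the IPv4 header and, for UDP, the UDP header."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"eth_dst": frame[:6].hex(":"), "eth_src": frame[6:12].hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:                        # 08 00 = IP; other types are left alone
        return out
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # 0x45: version 4, header length 5*4 bytes
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    out.update(ip_version=ip[0] >> 4, ip_hdr_len=ihl, ip_proto=proto,
               ip_src=".".join(map(str, ip[12:16])), ip_dst=".".join(map(str, ip[16:20])))
    body = ip[ihl:total_len]
    if proto == 17:                                # UDP: ports, length, checksum, then payload
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        out.update(udp_sport=sport, udp_dport=dport, udp_len=ulen, payload=body[8:ulen])
    elif proto == 1:                               # ICMP: type and code are the first two bytes
        out.update(icmp_type=body[0], icmp_code=body[1])
    return out
```

Running `[parse_frame(f) for f in split_frames(hexdump_to_bytes(SAMPLE_HEXDUMP))]` yields one UDP frame (port 1024 to port 53, 4-byte payload) and one ICMP echo request, with the four bytes between them discarded.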
Tcpdump seems to add some stuff between packets and at the end of the file. I found some mysterious stuff between packets which didn't seem to make sense as part of the packet. (I think this is the time of packet arrival.) I mention it because I don't want it to confuse you. It is not part of your assignment to understand tcpdump's output format, just the network traffic. Here is the traffic to analyze:
Have fun!