CSC 465 Lab Assignment 4

Snooping an Ethernet / IP / TCP Trace

Due: March 22, 2001

Introduction.

This exercise, Snoopy, is developed in honor of Charles Schulz and my childhood-through-college dog. Here, you will read and interpret (to a limited extent) some actual Ethernet network traffic. Computer Services doesn't want us, for security reasons, to snoop on LAN traffic, but we have access to some Ethernet trace data files along with some basic instructions for reading them. Your assignment is to write a program to read an Ethernet trace file and collect certain information from it. In these traces, each Ethernet frame carries an IP datagram and each IP datagram carries a TCP or UDP segment. I'm not concerned with the contents of the Ethernet headers, but will ask you to extract and interpret information from the IP and TCP headers. Use the language of your choice; you might find C or C++ preferable to Java for this one. This is an individual assignment.

Input for testing.

General information about the packet trace data files (along with some code) can be obtained from the textbook web site http://www.netbook.cs.purdue.edu/ for Comer's Computer Networks and Internets.  Specifically, visit the Packet Trace Data Files page  http://www.netbook.cs.purdue.edu/othrpags/page22.htm .  Test your program with Trace 2, Trace 3 and Trace 4. These are available from the ECCENTRIC download folder for this course, in files pkttrc02.dat, pkttrc03.dat, and pkttrc04.dat, respectively. All are traces of FTP sessions, and all will fit on one diskette. The Ethernet frames contain IP datagrams in their data field.

Trace data file format.

You must read the paragraph "About the packet trace data files" on the Packet Trace Data Files page (URL above), because it explains the trace file formats.  In essence, a trace file has this format: a 16 byte header that should be skipped over, followed by a stream of "traced" Ethernet frames (called "packets" in the Purdue explanation).  Each Ethernet frame has a fixed-length 24 byte header injected by the Purdue folks (format described on the web page), followed by the frame itself.  The frame itself consists of a fixed length 14 byte Ethernet header (destination address, source address, frame type) which you can skip past, followed by the IP datagram.  The datagram of course contains the TCP/UDP segment.  The IP header's Header Length (IHL) field is the low four bits of its first byte and counts 32-bit words, not bytes: it usually holds 5, meaning a 20 byte header, since most datagrams carry no IP options.  Multiply it by 4 and use that, rather than assuming 20, to find where the TCP header starts.  The TCP header has a Data Offset field of its own (high four bits of its thirteenth byte, again in 32-bit words) that tells you where the TCP payload starts.

Program Usage.

Your program will be run from the command line (how boring!).  The exact syntax will depend on which language you use.  The basic format is:

[ java ]  snoopy   traceFile   [ maxPackets ]

Of course the java keyword is used only if your program is written in Java.  traceFile is the pathname of the trace being analyzed.  maxPackets is optional, and indicates an upper limit on the number of packets to read.  By default, all packets in the file are read.  If the file contains fewer than maxPackets packets, by all means stop when the end of file is reached!

Program Output.

Simply send the output to the standard output device, from which it can be redirected to a file if desired.  Output one line of data per packet.  Each data item must be separated by one or more spaces.  My plan is to redirect output into a file then import the file into Excel.

The first output line should be column heading labels.  Make sure each heading does not contain spaces and there is at least one space between headings.

The second and subsequent output lines should each contain the following values, in this order:

  1. Source IP address
  2. Destination IP address
  3. More-fragments flag
  4. Source port #
  5. Destination port #
  6. * Sequence #
  7. * Acknowledgement #
  8. * Receiver window size
  9. * ACK flag
  10. * SYN flag
  11. * FIN flag
  12. length of TCP/UDP payload in bytes

 
Items 1-3 are in the IP header, items 4-11 are in the TCP header (for a UDP segment, items 4 and 5 sit at the same offsets in the 8 byte UDP header), and item 12 needs to be calculated: IP Total Length minus the IP header length minus the transport header length (TCP Data Offset times 4, or 8 for UDP).  Do not derive it from the Ethernet frame length, because short frames are padded up to the Ethernet minimum and the padding is not payload.  For details on IP header format, see http://www.cs.smsu.edu/~pete/csc465/notes/spring00/ip.html.   The More-fragments flag is a 1 bit field located in the seventh byte of the IP header (bit position 5, if bits are numbered 0-7 from least to most significant).  The low 13 bits of that same 16-bit word are the fragment offset; only a fragment whose offset is 0 actually contains a TCP/UDP header.  For details on TCP header format, see http://www.cs.smsu.edu/~pete/csc465/notes/spring00/tcp.html or textbook page 211.

The items marked with asterisk (*) are output only if the datagram is carrying a TCP segment (as opposed to UDP).  The tenth byte of the IP header is the Protocol field, and will have a value of 6 if it is carrying a TCP segment (17 for UDP).  For the packet trace files listed in this assignment, all segments will be TCP, but your program should still check the field rather than assume it.

Output the IP addresses in dotted-decimal format (see the IP page referenced above, or textbook page 302).  Output flag values as 0 or 1.  All values are unsigned.

To Turn In.

The program should be called  snoopy.  Prepare a README file (with instructions, development platform etc) for your program and copy README, source file(s) and executable file if any to a folder called lab4 in your ECCENTRIC upload folder. You may develop your program either under Un*x or Windows/DOS.

Hints.

  1. In Trace 2, one of the IP addresses is 128.13.2.3.  There are only two different addresses.

  2. The code from the Purdue web page shows an int32 data type in the struct declaration. If long is 32 bits on your compiler (true of the 32-bit Windows and Un*x systems in the lab) you can either substitute "long" for "int32" or use "typedef long int32;". On a 64-bit system long is usually 8 bytes, which changes the struct layout and misreads the file, so use int32_t from <stdint.h> there instead.

  3. The code from the Purdue web page shows the use of lseek() and read() to get information from the trace file. It does not show how to correctly open a file so that those functions can be used (note that the array is declared "char filename[80]", not "char[80] filename"). Use code that looks like this:
    int ifile;
    char filename[80];
    // get filename from user (e.g. copy argv[1] into filename)
    ifile = open(filename, O_RDONLY | O_BINARY);
    if (ifile < 0) { perror(filename); exit(1); }   // always check: a bad path returns -1

    The integer returned by open is called a file descriptor. This should be familiar if you have had Operating Systems. It becomes the first argument in the lseek and read calls.

  4. You will need to include some header files for this type of file input to work. <fcntl.h> declares open() and the O_ flags, <unistd.h> declares lseek() and read() on Un*x, <io.h> is the DOS/Windows equivalent of <unistd.h>, and <stdlib.h> gives you exit(). Include the ones your platform has. O_BINARY exists only on DOS/Windows compilers (Un*x open() never translates line endings, so it has no such flag); if your headers lack it, define it as 0 so the same source compiles on both.

  5. To make sure you are not stabbing in the dark, you should output the first couple thousand bytes of the trace file in hexadecimal format.  This way you know exactly what is in the file, and can manually mark off and study the various headers.

  6. You may need to deal with the "big-endian/little-endian" problem. Multi-byte fields in the IP and TCP headers are stored in network byte order (most significant byte first, i.e. big-endian), whereas Intel PCs store integers least significant byte first. If you correctly extract addresses and none match the one revealed, this may be your problem. If you don't know what this is, look it up on the web. If it is necessary to reverse the byte order, write a "reverse" function for 32-bit unsigned values (and a 16-bit one for the ports, window and length fields). This can be implemented in one expression through a clever combination of bit shifting (<<, >>), bitwise AND (&) and addition (or bitwise OR). Alternatively, read each field one byte at a time and combine the bytes yourself; that is correct on any machine and needs no reversing.
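The field extraction described under Program Output, together with the byte-order point in hint 6, as an added C example that is not part of this assignment page or of the Purdue code. It parses one Ethernet frame that the caller has already located in the trace (skipping the 16 byte file header and each 24 byte Purdue record header is left to the caller, since that record layout is on the Purdue page, not here), checks every length field before trusting it, and handles the case the assignment does not mention: a non-first fragment, which carries no TCP/UDP header at all. The struct and function names are my own, and the sample frame bytes are constructed for the example rather than taken from pkttrc02.dat.

```c
/* Added example (not the course's reference solution): the twelve assignment fields from one frame. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
struct pkt_fields {
    uint32_t src_ip, dst_ip;          /* numeric; print with ip_to_dotted() */
    int      more_frag, first_frag;   /* IP MF flag; fragment offset == 0 (transport header present) */
    uint16_t sport, dport, window;
    int      is_tcp;                  /* IP Protocol field == 6 */
    uint32_t seq, ack;
    int      ack_flag, syn_flag, fin_flag;
    int      payload_len;             /* bytes after the TCP/UDP header, from the IP Total Length */
};

/* Network order is big-endian; building integers byte by byte is correct on any host. */
static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Hint 6's one-expression reverser, for code that memcpy()s whole words on a little-endian host. */
uint32_t reverse32(uint32_t x) {
    return (x << 24) | ((x & 0xff00u) << 8) | ((x >> 8) & 0xff00u) | (x >> 24);
}
/* Parse one frame of len bytes: 0 on success, -1 if truncated, not IPv4, or not TCP/UDP. */
int parse_frame(const unsigned char *f, size_t len, struct pkt_fields *o) {
    const unsigned char *ip, *tp;
    size_t ihl, total, thdr;
    if (len < 14 + 20 || be16(f + 12) != 0x0800) return -1;   /* Ethernet type must be IP */
    ip = f + 14;
    if ((ip[0] >> 4) != 4) return -1;
    ihl = (size_t)(ip[0] & 0x0f) * 4;      /* IHL counts 32-bit words: 5 means 20 bytes */
    total = be16(ip + 2);                  /* IP Total Length, header plus data */
    if (ihl < 20 || total < ihl || total > len - 14) return -1;
    o->src_ip = be32(ip + 12);
    o->dst_ip = be32(ip + 16);
    o->more_frag = (ip[6] >> 5) & 1;               /* seventh header byte, bit 5 */
    o->first_frag = (be16(ip + 6) & 0x1fff) == 0;  /* low 13 bits: fragment offset */
    o->is_tcp = (ip[9] == 6);
    o->sport = o->dport = o->window = 0; o->seq = o->ack = 0; o->ack_flag = o->syn_flag = o->fin_flag = 0;
    if (!o->first_frag) {                          /* later fragments carry no TCP/UDP header */
        o->payload_len = (int)(total - ihl);
        return 0;
    }
    tp = ip + ihl;
    if (o->is_tcp) {
        if (total - ihl < 20) return -1;
        thdr = (size_t)(tp[12] >> 4) * 4;          /* Data Offset, also in 32-bit words */
        if (thdr < 20 || thdr > total - ihl) return -1;
        o->seq = be32(tp + 4);
        o->ack = be32(tp + 8);
        o->window = be16(tp + 14);
        o->ack_flag = (tp[13] >> 4) & 1;
        o->syn_flag = (tp[13] >> 1) & 1;
        o->fin_flag = tp[13] & 1;
    } else if (ip[9] == 17) {                      /* UDP: fixed 8-byte header, ports first */
        if (total - ihl < 8) return -1;
        thdr = 8;
    } else return -1;
    o->sport = be16(tp);
    o->dport = be16(tp + 2);
    o->payload_len = (int)(total - ihl - thdr);
    return 0;
}

void ip_to_dotted(uint32_t ip, char *buf, size_t n) {
    snprintf(buf, n, "%u.%u.%u.%u", (unsigned)(ip >> 24), (unsigned)(ip >> 16 & 0xff),
             (unsigned)(ip >> 8 & 0xff), (unsigned)(ip & 0xff));
}

/* One output line in the assignment's format; starred items only for TCP. */
void print_fields(FILE *out, const struct pkt_fields *o) {
    char s[16], d[16];
    ip_to_dotted(o->src_ip, s, sizeof s);
    ip_to_dotted(o->dst_ip, d, sizeof d);
    fprintf(out, "%s %s %d %u %u", s, d, o->more_frag, o->sport, o->dport);
    if (o->is_tcp)
        fprintf(out, " %lu %lu %u %d %d %d", (unsigned long)o->seq, (unsigned long)o->ack,
                o->window, o->ack_flag, o->syn_flag, o->fin_flag);
    fprintf(out, " %d\n", o->payload_len);
}
/* Constructed sample, not from the Purdue traces: Ethernet, IP (MF=1, offset 0, proto 6,
   128.13.2.3 -> 10.0.0.1), TCP (1025 -> 21, seq 100, ack 200, SYN+ACK, window 8192), 5 data bytes. */
static const unsigned char sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x2d, 0x12,0x34, 0x20,0x00, 0x40,0x06, 0x00,0x00,
    0x80,0x0d,0x02,0x03, 0x0a,0x00,0x00,0x01,
    0x04,0x01, 0x00,0x15, 0x00,0x00,0x00,0x64, 0x00,0x00,0x00,0xc8,
    0x50,0x12, 0x20,0x00, 0x00,0x00, 0x00,0x00,
    'h','e','l','l','o'
};

int main(void) {
    struct pkt_fields o;
    puts("SrcIP DstIP MF SrcPort DstPort Seq Ack Window ACK SYN FIN PayloadLen");
    if (parse_frame(sample_frame, sizeof sample_frame, &o) == 0) print_fields(stdout, &o);
    return 0;
}
```

Compile with any C99 compiler. In the real snoopy, call parse_frame() once per record with the frame start and the frame length taken from the Purdue record header; a return of -1 means the record should be reported and skipped rather than silently printed as garbage, which is also how you notice a byte-order mistake early.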

Last reviewed: 7 March 2001

Peter Sanderson ( PeteSanderson@smsu.edu )