CSE508: Network Security (PhD Section), Spring 2015 Homework 1: Passive Network Monitoring ------------------------------------------------------------------------------- Submission deadline: 2/20/2015 11:59pm EDT Submission through email to: mikepo+CSE508HW1@cs.stonybrook.edu In this assignment you will get familiar with passive network traffic analysis. Tcpdump is probably the most popular and widely used passive network monitoring tool. Tcpdump is built on top of the libpcap packet capture library and can capture and display packet headers and payloads either from a network interface or a network trace file. Your task is to analyze a network trace file and answer various questions. 0. Preparation Download the pcap trace file from: https://piazza.com/class_profile/get_resource/i591w69hv9e4u4/i5unw6o3ebo1g4 Use the following command to read the trace file: tcpdump -n -r hw1.pcap | head -n skips the DNS resolution of IP addresses (faster) The output is redirected to head to avoid flooding the console - this is a good strategy while assembling your commands. Alternatively, you can use more(1) to scroll through the output, or you can redirect all output to a text file for further analysis. 1. Network traffic analysis using tcpdump You can find the answers to all of the following questions using only tcpdump's man page and shell commands. You may find the following utilities useful: wc, grep, sed, awk, cut, head, tail, more, sort, uniq. You are free to use any other tools you might want (although the above are more than enough). 1.1 How many packets does the trace contain? 1.2 How many ARP and how many UDP packets? 1.3 How many packets were exchanged between 192.168.0.200 and 87.98.246.8? 1.4 Print the unique source IP addresses found in the trace. 1.5 Print the unique destination IP addresses found in the trace. 1.6 What are the top-5 TCP and top-5 UDP destination ports? 1.7 How many TCP packets have the SYN flag set? 1.8 Towards which ports are TCP connection attempts made? 1.9 How many HTTP GET requests are there? Print the URLs of PHP script requests 1.10 When (date and time) was the first and last packet of the trace sent? 1.11 What is the brand of the device that sent most packets? What is its IP? 1.12 Report the distribution of ethernet packet sizes in the trace. 2. What to submit An ASCII text file with the answers to the above questions, along with the command/script/approach used to find them.