CSE508: Network Security, Spring 2016 Homework 1: Passive Network Monitoring ------------------------------------------------------------------------------- Submission deadline: 2/26/2016 11:59pm EDT Submission through https://blackboard.stonybrook.edu In this assignment you will get familiar with passive network traffic analysis. Tcpdump is probably the most popular and widely used passive network monitoring tool. Tcpdump is built on top of the Libpcap packet capture library and can capture and display packet headers and payloads either from a network interface or a network trace file. Your task is to analyze a network trace file and answer various questions. 0. Preparation Download the pcap trace file from: https://piazza.com/class_profile/get_resource/ijor5zasnfz4iv/ik7sunqx4c35cg Use the following command to read the trace file: tcpdump -n -r hw1.pcap | head -n skips the DNS resolution of IP addresses (faster) The output is redirected to 'head' to avoid flooding the console - this is a good strategy while assembling your commands. Alternatively, you can use more(1) to scroll through the output, or you can redirect all output to a text file for further analysis. 1. Network traffic analysis using tcpdump You can find the answers to all of the following questions using only tcpdump's man page and a few shell commands. You may find the following utilities useful: wc, grep, sed, awk, cut, head, tail, more, sort, uniq. You are free to use any other tools you might want (although the above are more than enough). 1.1 How many packets does the trace contain? 1.2 How many ARP packets and how many UDP packets? 1.3 How many packets were exchanged between 192.168.0.200 and 91.189.92.190? 1.4 Print the unique source IP addresses found in the trace. 1.5 Print the unique destination IP addresses found in the trace. 1.6 What are the top-5 TCP and top-5 UDP destination ports? 1.7 How many TCP packets have the SYN flag set? 1.8 How many TCP connection attempts were made? 1.9 Towards which ports were TCP connection attempts made? 1.10 How many HTTP GET requests were made? Print the URLs of all HTTP requests for JPG files. 1.11 When (date and time) was the first and last packet of the trace sent? 1.12 What is the brand of the device that sent most of the packets? What is its IP address? 1.13 Report the distribution of Ethernet packet sizes (how many packets of size X exist in the trace, for all values of X in the trace). 2. What to submit An ASCII text file with the answers to the above questions, along with the command/script/approach used to find them.