Project 2: 22C:178 & 055:134

Computer Communications Fall 1998

Project 2 [due 22 October]

We have seen in the first textbook, in online documents, and in lecture material how IP datagrams are sent on the Ethernet. But how does it look in practice? If you could watch all the Ethernet frames on a local area network, would you be able to figure out what is happening with IP? This project asks you to do just that.

The basis for this project is a special utility called tcpdump, which is a program that can do the following:

In addition to tcpdump, we also have a program tcpshow which generates a more user-friendly display of the contents of a log file. You can view documentation of the two programs to get some idea about the possible parameters and the output they generate:

The Project

Of course tcpdump requires that you have root privileges, so this project will use the lab equipment. The lab should be set up with networking enabled, with machines named one, two, ... nine. On each machine you can log on in two ways: if you log on as "root", the password is root. If you log on as "user", there is no password. Note: during steps 1-3 that follow, it is best that you be the only person using the lab equipment.

Step 1

Choose three machines for the first step of the project. For purposes of explanation, suppose the three machines are six, seven, and eight. On each of these three machines, log on as root. On each of the machines, the first step is to make sure the ARP tables are clear. You can do this by first entering the command

arp -a

which will show you the contents of the ARP table. For each hostname in the ARP table, use the command

arp -d hostname

where "hostname" is one entry in the table (for example, arp -d seven removes the entry for host seven). Repeat this until the output from arp -a shows no ARP table contents. Do this for each of the three machines.

Step 2

Now, on one of the machines (say seven), enter the command

tcpdump -c 500 -w mylog

and you should see a message such as "listening on eth0".

Note: if you do not see this message, perhaps there is an error with the command and/or Linux. We have seen some occasional problems with the tcpdump command, and the only solution seems to be turning the PC off and back on, and then retrying the tcpdump command.

Step 3

Two machines, six and eight, remain for this step. Try ping eight from machine six. Then use the telnet command on machine six as follows:

telnet eight

and then log on in the telnet session to machine eight using the userid "user" (remember that it has no password). After you have logged on, use the ls command or any other commands you like to continue the session. Continue to enter commands until you observe that machine seven, which has been capturing all the Ethernet frames, quits because it has captured 500 records.

This accomplishes Step 3: you now have a file called mylog that you can analyze.

Step 4

Now you can try various ways to examine the mylog file. For instance, tcpdump -r mylog will display it. Another possibility is to copy mylog to a floppy disk, and then read that floppy disk on one of the departmental HP machines. (See the course FAQ for instructions on reading and writing floppies from Linux.) The tcpshow and tcpdump utilities are also available on the departmental machines (which gives you the opportunity to print, edit, etc.). You can copy the tcpshow and tcpdump commands into your directory by the commands

cp ~herman/public/tcpdump .
cp ~herman/public/tcpshow .

and then execute them in your directory. Note: the TA reports that tcpdump may incorrectly identify hostnames when executed on the HP machines, but that shouldn't get in the way of your analysis.
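
To show what tcpdump -r is decoding in Step 4, here is an added example (not part of the original assignment) that reads the raw bytes of a capture file and counts the frame types the steps above should produce: ARP, ICMP from ping, and TCP to port 23 from telnet. It assumes mylog is in the classic libpcap savefile format with Ethernet link type; the sample capture and its placeholder MAC addresses are constructed.

```python
import struct
from collections import Counter

IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def classify(frame):
    """Label one Ethernet frame by the protocols it carries."""
    if len(frame) < 14:
        return "truncated"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == 0x0806 and len(frame) >= 22:      # ARP: opcode at offset 20
        (op,) = struct.unpack("!H", frame[20:22])
        return "ARP " + {1: "request", 2: "reply"}.get(op, "op %d" % op)
    if ethertype == 0x0800 and len(frame) >= 34:      # IPv4: protocol at offset 23
        ihl = (frame[14] & 0x0F) * 4                  # header length in bytes
        proto = IP_PROTOS.get(frame[23], "proto %d" % frame[23])
        l4 = frame[14 + ihl:]
        if proto == "TCP" and len(l4) >= 4 and 23 in struct.unpack("!HH", l4[:4]):
            return "IPv4/TCP telnet"                  # either port is 23
        return "IPv4/" + proto
    return "ethertype 0x%04x" % ethertype

def summarize(data):
    """Count frame types in the raw bytes of a pcap savefile."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap savefile")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, off = Counter(), 24
    while off + 16 <= len(data):                      # 16-byte per-record header
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        counts[classify(data[off + 16:off + 16 + incl_len])] += 1
        off += 16 + incl_len
    return counts

def sample_capture():
    """Constructed capture: ARP request, ICMP echo, one telnet TCP segment."""
    eth = lambda etype, body: b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", etype) + body
    ip = lambda proto, body: bytes([0x45]) + bytes(8) + bytes([proto]) + bytes(10) + body
    frames = [eth(0x0806, struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes(20)),
              eth(0x0800, ip(1, bytes([8, 0]) + bytes(6))),
              eth(0x0800, ip(6, struct.pack("!HH", 1025, 23) + bytes(16)))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for label, n in summarize(sample_capture()).items():
        print(n, label)
```

To run it on a real capture, pass the file contents instead, for example summarize(open("mylog", "rb").read()).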

What to Turn In

You should submit a report explaining all the IP datagrams and frames that occur in the tcpdump session. Your report should explain the type of frame or datagram, why it occurs, and which protocols are involved. It may help you to read ahead in the textbook (Chapter 5 has figures showing various headers in IP datagrams). If printed, your report should not be more than two pages.


This project counts 100 points maximum. Your score will depend on how thoroughly you explain the results.

Turning in your report

You may either submit a printed report of your results and analysis, or prepare an email containing the report. If you choose to email the report, then mail to and specify in the subject line, the course number, the project number and the last four digits of your student ID number (we are hoping that four digits will be unique). So, for example if your student number is 123456789, then the subject line of your email should be:

178 project 2, student 6789

If you do not have such a subject line, I will bounce your letter back to you and ask for a resubmission of the homework.