
Ngrep - network grep


netsniff-ng toolkit

Protocol Overhead

How fast can you really go using a given media and protocol stack? We examine how much bandwidth is left for applications.

Ethernet

Ethernet frame format:
6 byte destination address
6 byte source address
[4 byte optional 802.1q VLAN tag]
2 byte length/type
46-1500 byte data (payload)
4 byte CRC

An excellent source of ethernet information is Charles Spurgeon's Ethernet Web Site.

Notes: 48-bit (6 byte) ethernet addresses consist of a 24-bit "Organizationally Unique Identifier" (OUI) assigned by the IEEE plus a 24-bit number assigned by the vendor.

Gigabit Ethernet with Jumbo Frames

Gigabit ethernet is exactly 10 times faster than 100 Mbps ethernet, so for standard 1500 byte frames the numbers above all apply, multiplied by 10 (for 10GE, multiply by 100).

An excellent paper on ATM overhead was written by John Cavanaugh of MSC.

Notes: DS3 and SONET frames are 125 usec long (8000/sec). On the physical layer (a single point-to-point hop), one out of every 27 cells is an OAM cell.

Packet Over SONET (POS)

So we get:

IP Packet Overhead by Richard Hay

What does it cost for transport? This question can be applied to moving goods and delivering services across distances. Let me tell a true story about the first time I realized lower-layer overhead matters and makes a difference in performance results. Once upon a time I was a test engineer for a Tier 1 IP service provider.

Figure I.

When I ran the tests I had some of the oddest results I had ever encountered. As this book will explain, a 46 byte IP packet inside of a 64 byte Ethernet frame actually utilizes at least 84 bytes on the Ethernet wire. How does anyone come into a situation where knowing the per-packet layer 1 and layer 2 overhead conditions for various technologies even matters, you may ask?

1.1 Packets/Sec & Bits/Sec

IP performance can be measured in a variety of ways. How are pps and bps related?

pps x packet size (bytes) x 8 = bps

Now there are some caveats and assumptions in this mathematical relationship.

1.2 OSI & TCP/IP Layer Models

Figure II.

1.3 Organization
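As an added example (not code from any of the pages excerpted here), a small Python calculator that applies the Ethernet field sizes listed above and the pps x packet size x 8 = bps relation. It assumes the standard 8-byte preamble/SFD and 12-byte inter-frame gap, which is what makes a 64-byte frame occupy 84 bytes on the wire, and it shows why a 1 Gbps link tops out near 1.488 Mpps with minimum-size packets.

```python
"""Ethernet/IP framing overhead and the pps <-> bps relation.

Assumed (standard 802.3 values, not stated on the page): 8 bytes of
preamble+SFD before each frame and a 12-byte minimum inter-frame gap.
"""

PREAMBLE_SFD = 8   # bytes on the wire before every frame
IFG = 12           # bytes of mandatory idle time between frames
ETH_HEADER = 14    # 6 dst + 6 src + 2 length/type
VLAN_TAG = 4       # optional 802.1q tag
ETH_FCS = 4        # CRC trailer
MIN_PAYLOAD = 46   # shorter payloads are padded up to this size
MAX_PAYLOAD = 1500 # standard (non-jumbo) frame


def frame_size(ip_len, vlan=False):
    """Ethernet frame bytes (header + payload + FCS) carrying an IP packet of ip_len bytes."""
    if ip_len > MAX_PAYLOAD:
        raise ValueError("IP packet does not fit in a standard 1500-byte frame")
    payload = max(ip_len, MIN_PAYLOAD)          # pad short packets
    return ETH_HEADER + (VLAN_TAG if vlan else 0) + payload + ETH_FCS


def wire_bytes(ip_len, vlan=False):
    """Bytes actually consumed on the wire per packet, including preamble and gap."""
    return PREAMBLE_SFD + frame_size(ip_len, vlan) + IFG


def pps_to_bps(pps, packet_bytes):
    """The page's relation: pps x packet size (bytes) x 8 = bps."""
    return pps * packet_bytes * 8


def max_pps(link_bps, ip_len, vlan=False):
    """Highest packet rate a link can carry once every wire byte is counted."""
    return link_bps / (wire_bytes(ip_len, vlan) * 8)


def goodput_bps(link_bps, ip_len, vlan=False):
    """Bits per second of IP packet data that survive the framing overhead."""
    return pps_to_bps(max_pps(link_bps, ip_len, vlan), ip_len)


if __name__ == "__main__":
    link = 1_000_000_000  # 1 Gbps
    for ip_len in (46, 576, 1500):
        print(f"IP {ip_len:4d} B -> frame {frame_size(ip_len)} B, wire {wire_bytes(ip_len)} B, "
              f"max {max_pps(link, ip_len):,.0f} pps, goodput {goodput_bps(link, ip_len) / 1e6:.1f} Mbps")
```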

Traces - SimpleWiki

From this location you can download several traces, including anonymized packet headers (tcpdump/libpcap), NetFlow version 5 data, a labeled dataset for intrusion detection, and Dropbox traffic traces. More information on the data collection and on the anonymization procedures can be found below. When using these traces, please refer to the Acceptable Use policy.

Cloud Storage Benchmarks

You can download from this link the software and data presented in: "Benchmarking Personal Cloud Storage" by Idilio Drago, Enrico Bocchi, Marco Mellia, Herman Slatman and Aiko Pras.

Dropbox Traffic Traces

You can download from this page the flow data used in the following paper: Drago, I. and Mellia, M. and Munafò, M. Check here for more details.

First Data Capture

These datasets were captured from March 24, 2012 to May 5, 2012.

Second Data Capture

This dataset was captured from June 01, 2012 to July 31, 2012.

Labeled Dataset for Intrusion Detection

This dataset was collected in a large college.

WLAN Book Packet Captures

Showing 1 - 25 of 166

nf9-juniper-vmx.pcapng.cap, 912 bytes, submitted Dec 10, 2016 by Jb93: Juniper vMX NetFlow.

arp_pcap.pcapng.cap, 2.2 KB, submitted Mar 11, 2016 by Ashay: ARP request/reply packet captures.

STP-TCN-TCAck.pcapng.cap, 692 bytes, submitted Mar 11, 2016 by sahil_pujani: Spanning Tree 802.1D Topology Change Notification and Topology Change Ack. Packet 4: aa:bb:cc:00:02:00 generates a TCN because of a link failure. Packet 5: aa:bb:cc:00:01:00 is the Root Bridge and it generates the TCAck.

bgplu.cap, 2.1 KB, submitted Jan 24, 2016 by mxiao: BGP Labeled Unicast.

SNMPv3.cap, 1.3 KB, submitted Oct 7, 2015 by nra: This is an SNMPv3 (IPv4) capture, where the SNMP manager is sending requests to the SNMP agent using SNMPv3. SNMP manager: 192.168.29.58; SNMP agent: 192.168.29.160; SNMP version: 3; Level: AuthPriv; Authentication: MD5; Encryption: AES 128. Regards, Suman S

lispmn_IPv6-RLOC.pcapng.cap, 5.9 KB, submitted Sep 18, 2015 by krunal_shah: LISP control (map register, request and reply) and data packets with IPv6 as RLOC and IPv4 as EID. ESP IPv6

SampleCaptures

Sample Captures

So you're at home tonight, having just installed Wireshark. You want to take the program for a test drive. If you don't see what you want here, that doesn't mean you're out of luck; look at some of the other sources listed below, such as

How to add a new Capture File

If you want to include a new example capture file, you should attach it to this page (click 'attachments' in the header above). Please don't just attach your capture file to the page without putting an attachment link in the page, in the format attachment:filename.ext; if you don't put an attachment link in the page, it's not obvious that the capture file is available. It's also a very good idea to put links on the related protocol pages pointing to your file.

Other Sources of Capture Files

If you don't find what you're looking for, you may also try:

General / Unsorted

tfp_capture.pcapng (libpcap) Tinkerforge protocol captures over TCP/IP and USB.
dhcp.pcap (libpcap) A sample of DHCP traffic.

PCAP files from the US National CyberWatch Mid-Atlantic Collegiate Cyber Defense Competition (MACCDC)

The U.S. National CyberWatch Mid-Atlantic Collegiate Cyber Defense Competition (MACCDC) is a unique experience for college and university students to test their cybersecurity knowledge and skills in a competitive environment. The MACCDC takes great pride in being one of the premier events of this type in the United States. While similar to other cyber defense competitions in many aspects, the MACCDC, as part of the National CCDC, is unique in that it focuses on the operational aspects of managing and protecting an existing network infrastructure. The teams are physically co-located in the same building. MACCDC official website:

markofu/pcaps

3 way handshake, TCP Three-way handshake, TCP Synchronization

In this lesson, you will learn how two TCP devices synchronize using the three-way handshake (3 way handshake) and what the three steps of a TCP three-way handshake are. Before the sending device and the receiving device start the exchange of data, both devices need to be synchronized. During the TCP initialization process, the sending device and the receiving device exchange a few control packets for synchronization purposes. This exchange is known as a three-way handshake. The three-way handshake begins with the initiator sending a TCP segment with the SYN control bit flag set. TCP allows one side to establish a connection. TCP identifies two types of OPEN calls: Active Open and Passive Open. A passive OPEN can specify that the device (server process) is waiting for an active OPEN from a specific client.

TCP Three-way Handshake

Step 1.
Step 2.
Step 3.

This handshaking technique is referred to as the Three-way handshake or SYN, SYN-ACK, ACK.
