Assignment title: Information


NET304 coursework

This is an individual coursework. The purpose of this coursework is to familiarise yourself with some of the available tools for analysing network and traffic characteristics, as well as to apply data analysis to network analysis. Make sure you use your own words; when necessary, clearly mark quoted text and indicate the reference. Read the notes at the end of the specification for details on the tasks. The coursework is to be submitted via DLE as two files: one file for the report, in Word format, and one for the packet trace from task 3, in pcap format.

1. Download a packet trace from OneDrive (see notes below) and analyse it using any preferred method to determine:
• Trace characteristics: start/end, number of packets (max 5 points)
• The local network and number of hosts (max 5 points)
• Usage characteristics – connection, packet, and byte rates: totals, average, average per local host (max 5 points)
• Top local users, top remote destination ports (max 5 points)
• Packet size: min, max, average, stdev, distribution (you may want to use intervals/bins instead of individual packet sizes; e.g. 0-64, 64-96, 96-128, 128-256, 256-512, 512-1024, 1024- bytes) (max 5 points)
• RTT: min, max, average, stdev, cumulative distribution (exclude zero values) (max 5 points)
• The evolution over time of byte rates and RTT, by plotting a graph of it (max 10 points)
Describe the commands/method used for analysis and comment on the results. For plotting rates and distributions, use the gnuplot and plott or hist scripts. (35 points)

2. Download a netflow trace from OneDrive (see notes below) and analyse it using any preferred method to determine:
• The local network and number of hosts, explaining the method(s) that can be used for the task (max 5 points)
• The evolution of traffic over time – produce a set of graphs to display the rate of connections, packets, and bytes over time (max 10 points)
• The top 10 local users, responsible for generating the highest amount of traffic/connections/packets, and compare them to the rest of the local users; provide the distribution of transport TCP/UDP ports and protocols (TCP/UDP/ICMP/other), commenting on the results (max 10 points)
• The statistical characteristics of the flow size (as defined/recorded in netflow, in terms of octets and number of packets), calculating the minimum, maximum, average, and standard deviation values; display graphically a cumulative distribution of the values (max 10 points)
Describe the commands/method used for analysis and comment on the results. (35 points)

3. Generate a single web download and capture the traffic of that one TCP connection. The capture must be performed using pcap-compatible software (windump or tcpdump). The maximum size of the downloaded object must be less than 4MB.
For the captured packet trace, perform the analysis tasks below:
• Describe the timeline of events within the connection (initiation, closing, transfer) using clear references to timestamps (max 10 points)
• Calculate RTT (provide three samples using SEQ/ACK matching) and bottleneck bandwidth (provide at least three samples using interarrival times) (max 10 points)
• Compare RTT results with tcptrace analysis output and ping/traceroute results; compare bandwidth results with speedtest.net results (max 10 points)
(30 points)

Notes:
• Tasks 1 and 2
o Pcap and netflow traces for analysis are stored on OneDrive and can be downloaded using this link: https://liveplymouthac-my.sharepoint.com/personal/bogdan_ghita_plymouth_ac_uk/_layouts/15/guestaccess.aspx?guestaccesstoken=acZ1d2djcsdGRpQhXAy5wtwssWQQZHlZhDPjHTqwVss%3d&folderid=2_039b596d1aae9454b8985a11c3b1fbaa2&rev=1 (Contact the module leader if you encounter any problems accessing the files)
o The netflow traces were collected using nfdump - http://sourceforge.net/projects/nfdump/ and the pcap traces were collected using tcpdump.
o Each student must pick one trace from each set, using the "Trace number" column from the NET304-students.xlsx file.
o If you have problems running nfdump to decode the file, you can download the corresponding text output file – for each nfdump file (.nf), there is a text output file (.out).
o Avoid using screenshots of wireshark graphs.
• Task 3
o As part of the submission, you must include in the report submission the packet trace you analyse. If the trace is not included or the file is unreadable for various reasons, you will get zero points for the task. If the same packet trace is submitted and/or analysed by more than one student – zero points for the task for all the students involved.
o Points will be deducted if the packet trace: includes more than one TCP connection; includes any other non-TCP traffic; is for a downloaded object larger than 4MB.
o If you do not have your own PC with a network connection and the ability to install the required packet capture programs, you should run the packet capture in the lab and output the trace in text format for later analysis.
o You must include in the answer some of the packets from the trace, as shown by windump, tcpdump, or tshark (not all; just the ones involved in various calculations, as per the examples in the lectures). Use windump/tcpdump/tshark output, which is text and therefore easier to handle, not wireshark screenshots, which are typically unreadable.
• As part of the assignment, do not attempt any actions that could be interpreted as hacking attempts. Examples of such actions include capturing packets from other computers by setting the NIC in promiscuous mode, or using other tools (such as network scanners or other hacking utilities) to investigate network configuration.
• The report should not be longer than 3000 words, excluding any text from diagrams, tables, images, or trace output (this is a maximum limit, not a recommended limit!)

Marking scheme:
Completing the task – 50%
- The answer must include details/information for all listed parameters.
Meaningful/useful explanations – 50%
- The answers must be accompanied by comments on the method used. The answer should not include just a mathematical calculation, but also briefly explain the formula/meaning of the figures involved.
- Include information that would help a reader to understand/determine the characteristics and parameters of their network connection.
- Where the results include any anomalies, such as significant variations between the measured values or very high values, these anomalies must be discussed/explained/commented on.

Threshold Criteria (these are indicative only):
To achieve a pass (40%+), you must provide basic information about the pcap trace (task 1), basic trace and user information for the netflow trace (task 2), and basic information about the connection (task 3).
To achieve a 2.2 mark (50%+), you must provide more detailed information about the pcap trace (task 1), calculate the statistical values listed (task 2), and include information about the timeline and performance parameters (task 3).
To achieve a 2.1 mark (60%+), you must provide a detailed analysis of the pcap trace, including statistical analysis and comments on performance (task 1), calculate and fully describe the methods used for the statistical values listed and indicate methods for identification of the local network (task 2), and calculate and fully describe the listed parameters, as well as compare the performance parameters with tcptrace, as required (task 3).
To achieve a 1st class mark (70%+), you must provide complete statistical information about the pcap trace and comments on the performance (task 1), calculate all statistical information and evolution over time for the listed parameters (task 2), and extensively describe the timeline and performance calculation, commenting on the results and proposing additional tests to investigate any performance issues (task 3).
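As an added worked example, not part of the coursework specification, the task 3 RTT (SEQ/ACK matching) and bottleneck bandwidth (interarrival times) calculations applied to a constructed tcpdump-style trace of one TCP connection. The addresses, ports, timestamps and the parse/rtt_samples/bandwidth_samples functions are assumptions made for illustration only.

```python
import re
from collections import namedtuple
# Constructed tcpdump -n -S style output (absolute sequence numbers) for one HTTP download,
# captured on the client 10.0.0.5; 192.0.2.10 is an RFC 5737 documentation address.
TRACE = """\
12:00:00.000000 IP 10.0.0.5.51000 > 192.0.2.10.80: Flags [S], seq 1000, win 64240, length 0
12:00:00.020000 IP 192.0.2.10.80 > 10.0.0.5.51000: Flags [S.], seq 5000, ack 1001, win 65160, length 0
12:00:00.020100 IP 10.0.0.5.51000 > 192.0.2.10.80: Flags [.], ack 5001, win 502, length 0
12:00:00.020300 IP 10.0.0.5.51000 > 192.0.2.10.80: Flags [P.], seq 1001:1101, ack 5001, win 502, length 100
12:00:00.041000 IP 192.0.2.10.80 > 10.0.0.5.51000: Flags [.], ack 1101, win 509, length 0
12:00:00.041500 IP 192.0.2.10.80 > 10.0.0.5.51000: Flags [.], seq 5001:6461, ack 1101, win 509, length 1460
12:00:00.042500 IP 192.0.2.10.80 > 10.0.0.5.51000: Flags [.], seq 6461:7921, ack 1101, win 509, length 1460
12:00:00.043500 IP 192.0.2.10.80 > 10.0.0.5.51000: Flags [.], seq 7921:9381, ack 1101, win 509, length 1460
12:00:00.044700 IP 192.0.2.10.80 > 10.0.0.5.51000: Flags [FP.], seq 9381:10841, ack 1101, win 509, length 1460
12:00:00.044800 IP 10.0.0.5.51000 > 192.0.2.10.80: Flags [F.], seq 1101, ack 10842, win 502, length 0
12:00:00.065500 IP 192.0.2.10.80 > 10.0.0.5.51000: Flags [.], ack 1102, win 509, length 0
"""

Pkt = namedtuple("Pkt", "t src flags seq ack length expect")
PAT = re.compile(r"(\d+):(\d+):([\d.]+) IP (\S+) > \S+: Flags \[([^\]]*)\],"
                 r"(?: seq (\d+)(?::\d+)?,)?(?: ack (\d+),)? win \d+, length (\d+)")

def parse(text):
    """Parse tcpdump TCP lines; expect = ACK number covering the segment (SYN/FIN occupy one seq number)."""
    pkts = []
    for m in filter(None, map(PAT.match, text.splitlines())):   # lines that are not TCP are skipped
        h, mi, s, src, flags, seq, ack, length = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        seq, ack, length = (int(seq) if seq else None), (int(ack) if ack else None), int(length)
        expect = None if seq is None else seq + length + (1 if "S" in flags or "F" in flags else 0)
        pkts.append(Pkt(t, src, flags, seq, ack, length, expect))
    return pkts

def rtt_samples(pkts, local):
    """SEQ/ACK matching: pair each segment the capturing host sent with the first later peer packet
    whose ACK covers it. Peer segments are skipped: the local ACK they trigger is not a round trip."""
    samples = []
    for i, p in enumerate(pkts):
        if p.src == local and p.expect is not None:
            for q in pkts[i + 1:]:
                if q.src != local and q.ack is not None and q.ack >= p.expect:
                    samples.append(round(q.t - p.t, 6))
                    break
    return samples

def bandwidth_samples(pkts, local):
    """Packet pair, Mbit/s: bits of the second of two consecutive peer data segments over their
    interarrival gap. The smallest gaps (segments queued back to back at the bottleneck) are the estimate."""
    data = [p for p in pkts if p.src != local and p.length > 0]
    return [round(b.length * 8 / (b.t - a.t) / 1e6, 2) for a, b in zip(data, data[1:])]
```

On this trace the three RTT samples come from the SYN, the HTTP request and the client FIN, and the bandwidth samples from the gaps between the four server data segments; pure ACKs from the client contribute no RTT sample.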