Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / tcpdump / e2e3bd11bd7561bc9d6686283a668fa94e1206b7
commite2e3bd11bd7561bc9d6686283a668fa94e1206b7[log] [tgz]
authorElliott Hughes <enh@google.com>Mon May 15 10:59:29 2017 -0700
committerElliott Hughes <enh@google.com>Mon May 15 14:40:28 2017 -0700
treec99c1f63716e7286ebfb83a0c78d91be06ec8488
parent60aaf97844d4c21b8618fd50046e036c5f78ebe0 [diff]
Upgrade to tcpdump 4.9.0.

From CHANGES:

  Wednesday January 18, 2017 devel.fx.lebail@orange.fr
  Summary for 4.9.0 tcpdump release
    General updates:
    Improve separation frontend/backend (tcpdump/libnetdissect)
    Don't require IPv6 library support in order to support IPv6 addresses
    Introduce data types to use for integral values in packet structures
    Fix display of timestamps with -tt, -ttt and -ttttt options
    Fix some heap overflows found with American Fuzzy Lop by Hanno Boeck and others
        (More information in the log with CVE-2016-* and CVE-2017-*)
    Change the way protocols print link-layer addresses (Fix heap overflows
        in CALM-FAST and GeoNetworking printers)
    Pass correct caplen value to ether_print() and some other functions
    Fix lookup_nsap() to match what isonsap_string() expects
    Clean up relative time stamp printing (Fix an array overflow)
    Fix some alignment issues with GCC on Solaris 10 SPARC
    Add some ND_TTEST_/ND_TCHECK_ macros to simplify writing bounds checks
    Add a fn_printztn() which returns the number of bytes processed
    Add nd_init() and nd_cleanup() functions. Improve libsmi support
    Add CONTRIBUTING file
    Add a summary comment in all printers
    Compile with more warning options in devel mode if supported (-Wcast-qual, ...)
    Fix some leaks found by Valgrind/Memcheck
    Fix a bunch of de-constifications
    Squelch some Coverity warnings and some compiler warnings
    Update Coverity and Travis-CI setup
    Update Visual Studio files

    Frontend:
    Fix capsicum support to work with zerocopy buffers in bpf
    Try opening interfaces by name first, then by name-as-index
    Work around pcap_create() failures fetching time stamp type lists
    Fix a segmentation fault with 'tcpdump -J'
    Improve addrtostr6() bounds checking
    Add exit_tcpdump() function
    Don't drop CAP_SYS_CHROOT before chrooting
    Fixes issue where statistics not reported when -G and -W options used

    New printers supporting:
    Generic Protocol Extension for VXLAN (VXLAN-GPE)
    Home Networking Control Protocol (HNCP), RFCs 7787 and 7788
    Locator/Identifier Separation Protocol (LISP), type 3 and type 4 packets
    Marvell Extended Distributed Switch Architecture header (MEDSA)
    Network Service Header (NSH)
    REdis Serialization Protocol (RESP)

    Updated printers:
    802.11: Beginnings of 11ac radiotap support
    802.11: Check the Protected bit for management frames
    802.11: Do bounds checking on last_presentp before dereferencing it (Fix a heap overflow)
    802.11: Fix the radiotap printer to handle the special bits correctly
    802.11: If we have the MCS field, it's 11n
    802.11: Only print unknown frame type or subtype messages once
    802.11: Radiotap dBm values get printed as dB; Update a test output accordingly
    802.11: Source and destination addresses were backwards
    AH: Add a bounds check
    AH: Report to our caller that dissection failed if a bounds check fails
    AP1394: Print src > dst, not dst > src
    ARP: Don't assume the target hardware address is <= 6 octets long (Fix a heap overflow)
    ATALK: Add bounds and length checks (Fix heap overflows)
    ATM: Add some bounds checks (Fix a heap overflow)
    ATM: Fix an incorrect bounds check
    BFD: Update specification from draft to RFC 5880
    BFD: Update to print optional authentication field
    BGP: Add decoding of ADD-PATH capability
    BGP: Add support for the AIGP attribute (RFC7311)
    BGP: Print LARGE_COMMUNITY Path Attribute
    BGP: Update BGP numbers from IANA; Print minor values for FSM notification
    BOOTP: Add a bounds check
    Babel: Add decoder for source-specific extension
    CDP: Filter out non-printable characters
    CFM: Fixes to match the IEEE standard, additional bounds and length checks
    CSLIP: Add more bounds checks (Fix a heap overflow)
    ClassicalIPoATM: Add a bounds check on LLC+SNAP header (Fix a heap overflow)
    DHCP: Fix MUDURL and TZ options
    DHCPv6: Process MUDURL and TZ options
    DHCPv6: Update Status Codes with RFCs/IANA names
    DNS: Represent the "DNSSEC OK" bit as "DO" instead of "OK". Add a test case
    DTP: Improve packet integrity checks
    EGP: Fix bounds checks
    ESP: Don't use OpenSSL_add_all_algorithms() in OpenSSL 1.1.0 or later
    ESP: Handle OpenSSL 1.1.x
    Ethernet: Add some bounds checking before calling isoclns_print (Fix a heap overflow)
    Ethernet: Print the Length/Type field as length when needed
    FDDI: Fix -e output for FDDI
    FR: Add some packet-length checks and improve Q.933 printing (Fix heap overflows)
    GRE: Add some bounds checks (Fix heap overflows)
    Geneve: Fix error message with invalid option length; Update list option classes
    HNCP: Fix incorrect time interval format. Fix handling of IPv4 prefixes
    ICMP6: Fetch a 32-bit big-endian quantity with EXTRACT_32BITS()
    ICMP6: dagid is always an IPv6 address, not an opaque 128-bit string
    IGMP: Add a length check
    IP: Add a bounds check (Fix a heap overflow)
    IP: Check before fetching the protocol version (Fix a heap overflow)
    IP: Don't try to dissect if IP version != 4 (Fix a heap overflow)
    IP: Stop processing IPPROTO_ values once we hit IPPROTO_IPCOMP
    IPComp: Check whether we have the CPI before we fetch it (Fix a heap overflow)
    IPoFC: Fix -e output (IP-over-Fibre Channel)
    IPv6: Don't overwrite the destination IPv6 address for routing headers
    IPv6: Fix header printing
    IPv6: Stop processing IPPROTO_ values once we hit IPPROTO_IPCOMP
    ISAKMP: Clean up parsing of IKEv2 Security Associations
    ISOCLNS/IS-IS: Add support for Purge Originator Identifier (RFC6232) and test cases
    ISOCLNS/IS-IS: Don't overwrite packet data when checking the signature
    ISOCLNS/IS-IS: Filter out non-printable characters
    ISOCLNS/IS-IS: Fix segmentation faults
    ISOCLNS/IS-IS: Have signature_verify() do the copying and clearing
    ISOCLNS: Add some bounds checks
    Juniper: Make sure a Juniper header TLV isn't bigger than what's left in the packet (Fix a heap overflow)
    LLC/SNAP: With -e, print the LLC header before the SNAP header; without it, cut the SNAP header
    LLC: Add a bounds check (Fix a heap overflow)
    LLC: Clean up printing of LLC packets
    LLC: Fix the printing of RFC 948-style IP packets
    LLC: Skip the LLC and SNAP headers with -x for 802.11 and some other protocols
    LLDP: Implement IANA OUI and LLDP MUD option
    MPLS LSP ping: Update printing for RFC 4379, bug fixes, more bounds checks
    MPLS: "length" is now the *remaining* packet length
    MPLS: Add bounds and length checks (Fix a heap overflow)
    NFS: Add a test that makes unaligned accesses
    NFS: Don't assume the ONC RPC header is nicely aligned
    NFS: Don't overflow the Opaque_Handle buffer (Fix a segmentation fault)
    NFS: Don't run past the end of an NFSv3 file handle
    OLSR: Add a test to cover a HNA sgw case
    OLSR: Fix 'Advertised networks' count
    OLSR: Fix printing of smart-gateway HNAs in IPv4
    OSPF: Add a bounds check for the Hello packet options
    OSPF: Do more bounds checking
    OSPF: Fix a segmentation fault
    OSPF: Fix printing 'ospf_topology_values' default
    OTV: Add missing bounds checks
    PGM: Print the formatted IP address, not the raw binary address, as a string
    PIM: Add some bounds checking (Fix a heap overflow)
    PIMv2: Fix checksumming of Register messages
    PPI: Pass an adjusted struct pcap_pkthdr to the sub-printer
    PPP: Add some bounds checks (Fix a heap overflow)
    PPP: Report invalid PAP AACK/ANAK packets
    Q.933: Add a missing bounds check
    RADIUS: Add Value 13 "VLAN" to Tunnel-Type attribute
    RADIUS: Filter out non-printable characters
    RADIUS: Translate UDP/1700 as RADIUS
    RESP: Do better checking of RESP packets
    RPKI-RTR: Add a return value check for "fn_printn" call
    RPKI-RTR: Remove printing when truncated condition already detected
    RPL: Fix 'Consistency Check' control code
    RPL: Fix suboption print
    RSVP: An INTEGRITY object in a submessage covers only the submessage
    RSVP: Fix an infinite loop; Add bounds and length checks
    RSVP: Fix some if statements missing brackets
    RSVP: Have signature_verify() do the copying and clearing
    RTCP: Add some bounds checks
    RTP: Add some bounds checks, fix two segmentation faults
    SCTP: Do more bounds checking
    SFLOW: Fix bounds checking
    SLOW: Fix bugs, add checks
    SMB: Before fetching the flags2 field, make sure we have it
    SMB: Do bounds checks on NBNS resource types and resource data lengths
    SNMP: Clean up the "have libsmi but no modules loaded" case
    SNMP: Clean up the object abbreviation list and fix the code to match them
    SNMP: Do bounds checks when printing character and octet strings
    SNMP: Improve ASN.1 bounds checks
    SNMP: More bounds and length checks
    STP: Add a bunch of bounds checks, and fix some printing (Fix heap overflows)
    STP: Filter out non-printable characters
    TCP: Add bounds and length checks for packets with TCP option 20
    TCP: Correct TCP option Kind value for TCP Auth and add SCPS-TP
    TCP: Fix two bounds checks (Fix heap overflows)
    TCP: Make sure we have the data offset field before fetching it (Fix a heap overflow)
    TCP: Put TCP-AO option decoding right
    TFTP: Don't use strchr() to scan packet data (Fix a heap overflow)
    Telnet: Add some bounds checks
    TokenRing: Fix -e output
    UDLD: Fix an infinite loop
    UDP: Add a bounds check (Fix a heap overflow)
    UDP: Check against the packet length first
    UDP: Don't do the DDP-over-UDP heuristic check up front
    VAT: Add some bounds checks
    VTP: Add a test on Mgmt Domain Name length
    VTP: Add bounds checks and filter out non-printable characters
    VXLAN: Add a bound check and a test case
    ZeroMQ: Fix an infinite loop

  Tuesday April 14, 2015 guy@alum.mit.edu
  Summary for 4.8.0 tcpdump release
        Fix "-x" for Apple PKTAP and PPI packets

Bug: N/A
Test: "adb shell tcpdump"
Change-Id: I81df72cf1ebdbe61c5b6069d8532ae817570f23f
464 files changed
tree: c99c1f63716e7286ebfb83a0c78d91be06ec8488
  1. lbl/
  2. missing/
  3. tests/
  4. win32/
  5. READMEREADME.md
  6. .gitattributes
  7. .gitignore
  8. aclocal.m4
  9. addrtoname.c
  10. addrtoname.h
  11. addrtostr.c
  12. addrtostr.h
  13. af.c
  14. af.h
  15. ah.h
  16. Android.mk
  17. appletalk.h
  18. ascii_strcasecmp.c
  19. ascii_strcasecmp.h
  20. atime.awk
  21. atm.h
  22. bpf_dump.c
  23. CHANGES
  24. chdlc.h
  25. checksum.c
  26. CleanSpec.mk
  27. config.guess
  28. config.h
  29. config.h.in
  30. config.sub
  31. configure
  32. configure.in
  33. CONTRIBUTING
  34. cpack.c
  35. cpack.h
  36. CREDITS
  37. ether.h
  38. ethertype.h
  39. extract.h
  40. getopt_long.h
  41. gmpls.c
  42. gmpls.h
  43. gmt2local.c
  44. gmt2local.h
  45. in_cksum.c
  46. install-sh
  47. INSTALL.txt
  48. interface.h
  49. ip.h
  50. ip6.h
  51. ipproto.c
  52. ipproto.h
  53. l2vpn.c
  54. l2vpn.h
  55. LICENSE
  56. llc.h
  57. machdep.c
  58. machdep.h
  59. Makefile-devel-adds
  60. Makefile.in
  61. makemib
  62. mib.h
  63. mkdep
  64. MODULE_LICENSE_BSD
  65. mpls.h
  66. nameser.h
  67. netdissect-stdinc.h
  68. netdissect.c
  69. netdissect.h
  70. nfs.h
  71. nfsfh.h
  72. nlpid.c
  73. nlpid.h
  74. NOTICE
  75. openflow.h
  76. ospf.h
  77. oui.c
  78. oui.h
  79. packetdat.awk
  80. parsenfsfh.c
  81. pcap-missing.h
  82. pcap_dump_ftell.c
  83. PLATFORMS
  84. ppp.h
  85. print-802_11.c
  86. print-802_15_4.c
  87. print-ah.c
  88. print-ahcp.c
  89. print-aodv.c
  90. print-aoe.c
  91. print-ap1394.c
  92. print-arcnet.c
  93. print-arp.c
  94. print-ascii.c
  95. print-atalk.c
  96. print-atm.c
  97. print-babel.c
  98. print-beep.c
  99. print-bfd.c
  100. print-bgp.c
  101. print-bootp.c
  102. print-bt.c
  103. print-calm-fast.c
  104. print-carp.c
  105. print-cdp.c
  106. print-cfm.c
  107. print-chdlc.c
  108. print-cip.c
  109. print-cnfp.c
  110. print-dccp.c
  111. print-decnet.c
  112. print-dhcp6.c
  113. print-domain.c
  114. print-dtp.c
  115. print-dvmrp.c
  116. print-eap.c
  117. print-egp.c
  118. print-eigrp.c
  119. print-enc.c
  120. print-esp.c
  121. print-ether.c
  122. print-fddi.c
  123. print-forces.c
  124. print-fr.c
  125. print-frag6.c
  126. print-ftp.c
  127. print-geneve.c
  128. print-geonet.c
  129. print-gre.c
  130. print-hncp.c
  131. print-hsrp.c
  132. print-http.c
  133. print-icmp.c
  134. print-icmp6.c
  135. print-igmp.c
  136. print-igrp.c
  137. print-ip.c
  138. print-ip6.c
  139. print-ip6opts.c
  140. print-ipcomp.c
  141. print-ipfc.c
  142. print-ipnet.c
  143. print-ipx.c
  144. print-isakmp.c
  145. print-isoclns.c
  146. print-juniper.c
  147. print-krb.c
  148. print-l2tp.c
  149. print-lane.c
  150. print-ldp.c
  151. print-lisp.c
  152. print-llc.c
  153. print-lldp.c
  154. print-lmp.c
  155. print-loopback.c
  156. print-lspping.c
  157. print-lwapp.c
  158. print-lwres.c
  159. print-m3ua.c
  160. print-medsa.c
  161. print-mobile.c
  162. print-mobility.c
  163. print-mpcp.c
  164. print-mpls.c
  165. print-mptcp.c
  166. print-msdp.c
  167. print-msnlb.c
  168. print-nflog.c
  169. print-nfs.c
  170. print-nsh.c
  171. print-ntp.c
  172. print-null.c
  173. print-olsr.c
  174. print-openflow-1.0.c
  175. print-openflow.c
  176. print-ospf.c
  177. print-ospf6.c
  178. print-otv.c
  179. print-pflog.c
  180. print-pgm.c
  181. print-pim.c
  182. print-pktap.c
  183. print-ppi.c
  184. print-ppp.c
  185. print-pppoe.c
  186. print-pptp.c
  187. print-radius.c
  188. print-raw.c
  189. print-resp.c
  190. print-rip.c
  191. print-ripng.c
  192. print-rpki-rtr.c
  193. print-rrcp.c
  194. print-rsvp.c
  195. print-rt6.c
  196. print-rtsp.c
  197. print-rx.c
  198. print-sctp.c
  199. print-sflow.c
  200. print-sip.c
  201. print-sl.c
  202. print-sll.c
  203. print-slow.c
  204. print-smb.c
  205. print-smtp.c
  206. print-snmp.c
  207. print-stp.c
  208. print-sunatm.c
  209. print-sunrpc.c
  210. print-symantec.c
  211. print-syslog.c
  212. print-tcp.c
  213. print-telnet.c
  214. print-tftp.c
  215. print-timed.c
  216. print-tipc.c
  217. print-token.c
  218. print-udld.c
  219. print-udp.c
  220. print-usb.c
  221. print-vjc.c
  222. print-vqp.c
  223. print-vrrp.c
  224. print-vtp.c
  225. print-vxlan-gpe.c
  226. print-vxlan.c
  227. print-wb.c
  228. print-zephyr.c
  229. print-zeromq.c
  230. print.c
  231. print.h
  232. README.md
  233. README.version
  234. Readme.Win32
  235. rpc_auth.h
  236. rpc_msg.h
  237. rpl.h
  238. send-ack.awk
  239. setsignal.c
  240. setsignal.h
  241. signature.c
  242. signature.h
  243. slcompress.h
  244. smb.h
  245. smbutil.c
  246. stime.awk
  247. strtoaddr.c
  248. strtoaddr.h
  249. tcp.h
  250. tcpdump.1.in
  251. tcpdump.c
  252. timeval-operations.h
  253. udp.h
  254. util-print.c
  255. VERSION
  256. version.c
  257. vfprintf.c
README.md

tcpdump

BuildStatus

TCPDUMP 4.x.y
Now maintained by "The Tcpdump Group"
See www.tcpdump.org

Please send inquiries/comments/reports to:

Anonymous Git is available via:

git clone git://bpf.tcpdump.org/tcpdump

Please submit patches by forking the branch on GitHub at:

and issuing a pull request.

formerly from Lawrence Berkeley National Laboratory
Network Research Group tcpdump@ee.lbl.gov
ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z (3.4)

This directory contains source code for tcpdump, a tool for network monitoring and data acquisition. This software was originally developed by the Network Research Group at the Lawrence Berkeley National Laboratory. The original distribution is available via anonymous ftp to ftp.ee.lbl.gov, in tcpdump.tar.Z. More recent development is performed at tcpdump.org, http://www.tcpdump.org/

Tcpdump uses libpcap, a system-independent interface for user-level packet capture. Before building tcpdump, you must first retrieve and build libpcap, also originally from LBL and now being maintained by tcpdump.org; see http://www.tcpdump.org/ .

Once libpcap is built (either install it or make sure it's in ../libpcap), you can build tcpdump using the procedure in the INSTALL.txt file.

The program is loosely based on SMI's "etherfind" although none of the etherfind code remains. It was originally written by Van Jacobson as part of an ongoing research project to investigate and improve tcp and internet gateway performance. The parts of the program originally taken from Sun's etherfind were later re-written by Steven McCanne of LBL. To insure that there would be no vestige of proprietary code in tcpdump, Steve wrote these pieces from the specification given by the manual entry, with no access to the source of tcpdump or etherfind.

Over the past few years, tcpdump has been steadily improved by the excellent contributions from the Internet community (just browse through the CHANGES file). We are grateful for all the input.

Richard Stevens gives an excellent treatment of the Internet protocols in his book "TCP/IP Illustrated, Volume 1". If you want to learn more about tcpdump and how to interpret its output, pick up this book.

Some tools for viewing and analyzing tcpdump trace files are available from the Internet Traffic Archive:

Another tool that tcpdump users might find useful is tcpslice:

It is a program that can be used to extract portions of tcpdump binary trace files. See the above distribution for further details and documentation.

Problems, bugs, questions, desirable enhancements, etc. should be sent to the address "tcpdump-workers@lists.tcpdump.org". Bugs, support requests, and feature requests may also be submitted on the GitHub issue tracker for tcpdump at:

Source code contributions, etc. should be sent to the email address above or submitted by forking the branch on GitHub at:

and issuing a pull request.

Current versions can be found at www.tcpdump.org.

  • The TCPdump team

original text by: Steve McCanne, Craig Leres, Van Jacobson

This directory also contains some short awk programs intended as
examples of ways to reduce tcpdump data when you're tracking
particular network problems:

send-ack.awk
	Simplifies the tcpdump trace for an ftp (or other unidirectional
	tcp transfer).  Since we assume that one host only sends and
	the other only acks, all address information is left off and
	we just note if the packet is a "send" or an "ack".

	There is one output line per line of the original trace.
	Field 1 is the packet time in decimal seconds, relative
	to the start of the conversation.  Field 2 is delta-time
	from last packet.  Field 3 is packet type/direction.
	"Send" means data going from sender to receiver, "ack"
	means an ack going from the receiver to the sender.  A
	preceding "*" indicates that the data is a retransmission.
	A preceding "-" indicates a hole in the sequence space
	(i.e., missing packet(s)), a "#" means an odd-size (not max
	seg size) packet.  Field 4 has the packet flags
	(same format as raw trace).  Field 5 is the sequence
	number (start seq. num for sender, next expected seq number
	for acks).  The number in parens following an ack is
	the delta-time from the first send of the packet to the
	ack.  A number in parens following a send is the
	delta-time from the first send of the packet to the
	current send (on duplicate packets only).  Duplicate
	sends or acks have a number in square brackets showing
	the number of duplicates so far.

	Here is a short sample from near the start of an ftp:
		3.00    0.20   send . 512
		3.20    0.20    ack . 1024  (0.20)
		3.20    0.00   send P 1024
		3.40    0.20    ack . 1536  (0.20)
		3.80    0.40 * send . 0  (3.80) [2]
		3.82    0.02 *  ack . 1536  (0.62) [2]
	Three seconds into the conversation, bytes 512 through 1023
	were sent.  200ms later they were acked.  Shortly thereafter
	bytes 1024-1535 were sent and again acked after 200ms.
	Then, for no apparent reason, 0-511 is retransmitted, 3.8
	seconds after its initial send (the round trip time for this
	ftp was 1sec, +-500ms).  Since the receiver is expecting
	1536, 1536 is re-acked when 0 arrives.

packetdat.awk
	Computes chunk summary data for an ftp (or similar
	unidirectional tcp transfer). [A "chunk" refers to
	a chunk of the sequence space -- essentially the packet
	sequence number divided by the max segment size.]

	A summary line is printed showing the number of chunks,
	the number of packets it took to send that many chunks
	(if there are no lost or duplicated packets, the number
	of packets should equal the number of chunks) and the
	number of acks.

	Following the summary line is one line of information
	per chunk.  The line contains eight fields:
	   1 - the chunk number
	   2 - the start sequence number for this chunk
	   3 - time of first send
	   4 - time of last send
	   5 - time of first ack
	   6 - time of last ack
	   7 - number of times chunk was sent
	   8 - number of times chunk was acked
	(all times are in decimal seconds, relative to the start
	of the conversation.)

	As an example, here is the first part of the output for
	an ftp trace:

	# 134 chunks.  536 packets sent.  508 acks.
	1       1       0.00    5.80    0.20    0.20    4       1
	2       513     0.28    6.20    0.40    0.40    4       1
	3       1025    1.16    6.32    1.20    1.20    4       1
	4       1561    1.86    15.00   2.00    2.00    6       1
	5       2049    2.16    15.44   2.20    2.20    5       1
	6       2585    2.64    16.44   2.80    2.80    5       1
	7       3073    3.00    16.66   3.20    3.20    4       1
	8       3609    3.20    17.24   3.40    5.82    4       11
	9       4097    6.02    6.58    6.20    6.80    2       5

	This says that 134 chunks were transferred (about 70K
	since the average packet size was 512 bytes).  It took
	536 packets to transfer the data (i.e., on the average
	each chunk was transmitted four times).  Looking at,
	say, chunk 4, we see it represents the 512 bytes of
	sequence space from 1561 to 2048.  It was first sent
	1.86 seconds into the conversation.  It was last
	sent 15 seconds into the conversation and was sent
	a total of 6 times (i.e., it was retransmitted every
	2 seconds on the average).  It was acked once, 140ms
	after it first arrived.

stime.awk
atime.awk
	Output one line per send or ack, respectively, in the form
		<time> <seq. number>
	where <time> is the time in seconds since the start of the
	transfer and <seq. number> is the sequence number being sent
	or acked.  I typically plot this data looking for suspicious
	patterns.


The problem I was looking at was the bulk-data-transfer
throughput of medium delay network paths (1-6 sec.  round trip
time) under typical DARPA Internet conditions.  The trace of the
ftp transfer of a large file was used as the raw data source.
The method was:

  - On a local host (but not the Sun running tcpdump), connect to
    the remote ftp.

  - On the monitor Sun, start the trace going.  E.g.,
      tcpdump host local-host and remote-host and port ftp-data >tracefile

  - On local, do either a get or put of a large file (~500KB),
    preferably to the null device (to minimize effects like
    closing the receive window while waiting for a disk write).

  - When transfer is finished, stop tcpdump.  Use awk to make up
    two files of summary data (maxsize is the maximum packet size,
    tracedata is the file of tcpdump tracedata):
      awk -f send-ack.awk packetsize=avgsize tracedata >sa
      awk -f packetdat.awk packetsize=avgsize tracedata >pd

  - While the summary data files are printing, take a look at
    how the transfer behaved:
      awk -f stime.awk tracedata | xgraph
    (90% of what you learn seems to happen in this step).

  - Do all of the above steps several times, both directions,
    at different times of day, with different protocol
    implementations on the other end.

  - Using one of the Unix data analysis packages (in my case,
    S and Gary Perlman's Unix|Stat), spend a few months staring
    at the data.

  - Change something in the local protocol implementation and
    redo the steps above.

  - Once a week, tell your funding agent that you're discovering
    wonderful things and you'll write up that research report
    "real soon now".