Department of Computer Science and Engineering, SVNIT,

Surat MTech I (2nd semester)

CSE614: Core Elective II: Machine Learning for Security

Lab Assignment No 1: Review of ML, NetSec and Introduction to ML for

Security

Name - SANYAM
GUPTA Roll NO. -
P23IS009

1. Do the following before you start attempting the exercise questions, here:

(a) Start up your web browser - not in the https mode.

(b) Start up the Wireshark packet sniffer, but don’t yet begin packet capture. Enter ”http” (just the letters, not
the quotation marks) in the display-filter-specification window, so that only captured HTTP messages will be
displayed later in the packet-listing window. (We’re only interested in the HTTP protocol here, and don’t want
to see the clutter of all captured packets).
(c) Wait a bit more than one minute (we’ll see why shortly), and then begin Wireshark packet capture.
(d) Enter the following to your browser http://gaia.cs.umass.edu/wireshark-labs/HTTP-wireshark-
file1.html. Your browser should display the very simple, one-line HTML file.
(e) Stop Wireshark packet capture.

If you are unable to run Wireshark on a live network connection, you can download a packet trace that
was created when the steps above were followed as follows: Download the zip file
http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the file http−ethereal−trace −1.
Once you have downloaded the trace, you can load it into Wireshark and view the trace using the File
pull down menu, choosing Open, and then selecting the http − ethereal − trace − 1 trace file. By looking
at the information in the HTTP GET and response messages, write answers to each of the following
questions. Take and include the snapshots of your screen wherever you feel it is necessary to support
your answer or else where it is explicitly specified. Submit the pdf version of the file by email latest by
the date specified in the lab.

(a) What are the network interfaces available on your computer? Which network did you
eventually select in your experiments?
(a). Wireshark file - Ans-1.pcap
(b) Which application layer protocol is used in this case?
(b) The application layer protocol used in this case is HTTP (Hypertext Transfer Protocol). HTTP is
a client-server protocol that is used for transmitting data over the internet. It is used by web browsers to
communicate with web servers and retrieve web pages and other resources.

(c) What are the other protocols used and displayed in the unfiltered packet listing window of
wireshark, besides the one that you answered in Q(b)?
(c) The other protocols used and displayed in the unfiltered packet listing window of Wireshark, besides
HTTP, include TCP (Transmission Control Protocol), IP (Internet Protocol), and Ethernet. TCP is a
transport layer protocol that provides reliable, ordered, and error-checked delivery of data between
applications. IP is a network layer protocol that provides routing functionality on the internet. Ethernet is a data
link layer protocol that is used for communication on local area networks (LANs).

(d) What is the IPA of your machine? What is the IPA of the destination machine? Is there any way by
which you can ascertain that the IPA of the destination indeed is the same as you observed in
wireshark? If so, how ?
(d) To find the IP address of your machine, you can use the command ipconfig on Windows or ifconfig on
Linux or macOS. The IP address of the destination machine is gaia.cs.umass.edu. You can verify that the
IP address of the destination is the same as the one observed in Wireshark by performing a DNS lookup of
the hostname using the command nslookup gaia.cs.umass.edu.
IPv4 address - 192.168.56.1
IPv6 address - fe80: : 465c : 21fa : f989 : f689%12

(e) What is the class of the IPA of the source machine ? That of a destination machine?
(e) The class of the IP address of the source machine is Class C.

Select the first wireshark block i.e. “frame” in the packet-header details window. The packet-header-
details window shows the details of the protocols associated with the selected packet.Note, however that
the first Wireshark block – shown as “Frame” - is actually not a protocol, but it is a record that
describes overall information about the packet, including when it was captured and how many bits long
it is.

(f) How many bits were captured in this packet? At what time was this packet captured?
(f) The number of bits captured in the first packet (Frame) is 2880 bits. The packet was captured at
Arrival Time: Jan 9, 2024 15:45:54.427435000 India Standard Time
(g) What is the interface id used? What is the address of the interface?
(g) The interface ID used is WiFi. The address of the interface is 2606:2800:147:120f:30c:1ba0:fc6:3000 .

The second block is “Ethernet”. Note that you may have taken a trace on a computer using 802.11 yet
still see an Ethernet block instead of an 802.11 block. Why? It happens because we asked Wireshark to
capture traffic in Ethernet format on the capture options, so it converted the real 802.11 header into a
pseudo-Ethernet header. After the block “Ethernet” are shown blocks for different protocol layers i.e.
IP, TCP, and HTTP. Note that the order of the blocks shown is from the bottom of the protocol stack
upwards. This is because as packets are passed down the stack, the header information of the lower
layer protocol is added to the front of the information from the higher layer protocol. That is, the lower
layer protocols come first in the packet ”on the wire.” For all the subsequent questions, you may have to
expand appropriate block i.e. IP, TCP or HTTP and get the required information.

(h) Which packets are forming the TCP 3-way handshake for connection establishment ? What are
the SYN and ACK in each of the three packets ?
(h) The TCP 3-way handshake for connection establishment is formed by packets 1, 2, and 3.

The SYN and ACK in each of the three packets are as follows:

Table

Packet SYN ACK

1 1 0

2 1 1

3 0 1

(i) How long did it take from when the HTTP GET message was sent until the HTTP OK reply was
received? (By default, the value of the Time column in the packet-listing window is the amount of time,
in seconds, since Wireshark tracing began. To display the Time field in time-of-day format, select the
Wireshark View pull down menu, then select Time Display Format, then select Time-of-day.)
(i) It took approximately 0.043356000 seconds from when the HTTP GET message was sent until the
HTTP OK response was received. This can be calculated by subtracting the timestamp of the HTTP GET
message from the timestamp of the HTTP OK response message in Wireshark.

(j) Print the two HTTP messages (GET and OK) referred to in question above. To do so, select Print
from the Wireshark File command menu, and select the “Selected Packet Only” and “Print as
displayed” radial buttons, and then click OK.
(j) To print the two HTTP messages (GET and OK), select the packet that contains the message you want to
print. Then, select File from the Wireshark command menu and choose Print. In the Print dialog box, select
the Selected packet only and Print as displayed options, and click OK.
Pdf - Ans-1(j).pdf

(k) What is the destination physical address of the first packet captured? What device does it belong
to? Show where in the capture would you find this information.
(k) The destination physical address of the first packet captured is d8:9c:67:b7:7e:93. This device belongs
to the HonHaiPrecis_b7:7e:93 manufacturer. You can find this information in the Ethernet II section of the
packet details pane in Wireshark.

(l) How many bytes of header does the first frame sent have? Show where in the capture would you
find this information.
(l) The first frame sent has 261 bytes of header. You can find this information in the Frame section of the
packet details pane in Wireshark.
(m) By looking at the Ethernet header of a frame, can we determine if it contains an IP packet?
Show where in the capture would you find this information.
(m) Yes, we can determine if a frame contains an IP packet by looking at the Ethernet header. If the Type field
in the Ethernet header is 0x86dd, it indicates that the frame contains an IP packet. You can find this
information in the Ethernet II section of the packet details pane in Wireshark.

(n) Is it possible to know if the first packet captured has TCP or UDP as transport protocol by looking
at the IP header? Explain and show where in the capture would you find this information.
(n) Yes, it is possible to know if the first packet captured has TCP or UDP as transport protocol by looking at
the IP header. If the Protocol field in the IP header is 6, it indicates that the packet uses TCP as the transport
protocol. If the Protocol field is 17, it indicates that the packet uses UDP as the transport protocol. You can
find this information in the Internet Protocol Version 4 section of the packet details pane in Wireshark.

(o) In the SYN, ACK. What are the source and destination ports? Are these the same for the client
and the server? Explain why.
(o) In the SYN, ACK, the source port is 80 and the destination port is 53050. These ports are not the same
for the client and the server. The source port is the port number used by the client to send the SYN packet,
while the destination port is the port number used by the server to receive the SYN packet. The client
chooses a random port number for the source port, while the server uses the well-known port number 80 for
the destination port, which is the port number used by HTTP servers to listen for incoming connections.

(p) Why does the Server Hello message sent by the server have 1 as a relative sequence number
and 185(mine has 287) as a relative acknowledgement number.
(p) The Server Hello message sent by the server has 1 as a relative sequence number and 287 as a relative
acknowledgement number because the server is acknowledging the receipt of the client’s SYN packet and
sending its own SYN-ACK packet. The relative sequence number of the SYN-ACK packet is set to 1
because the server has not yet sent any data to the client. The relative acknowledgement number is set to 287
because the server is acknowledging the receipt of the client’s SYN packet, which had a length of 287 bytes.
(q) Right-click a TCP capture → TCP preferences → Uncheck the box ”Show relative sequence
number.” What is the first sequence number sent by the server to the client? Why is it not the 0
displayed by wireshark?
(q) After unchecking the Show relative sequence number option in the TCP preferences, the first
sequence number sent by the server to the client is 0. The sequence number displayed by Wireshark
is relative to the initial sequence number (ISN) used by the server to start the connection.
The ISN is a randomly generated number used to prevent attacks that rely on guessing the sequence
number of packets. By default, Wireshark displays the sequence number relative to the ISN, but this can
be changed in the TCP preferences.

Here the Randomly generated sequence number is : 3031306777

2. This exercise is a simple exercise that only requires you to capture the tcpdump traffic. The problem
requires you to either use two virtual machines on your laptop or two different machines in the
computer lab ask the administrator for the host name of both the machines, if so. Then run the tcpdump
command on one machine, say P C1 (saving the output for your lab report) so that it monitors all the
packets that contain the IP address of P C2 only and none else. Next, open a new terminal window on P
C1 and execute ping command to P C2.It may be necessary to press Ctrl − C to terminate the tcpdump
session. It may sometimes be best to simply redirect the output of tcpdump straight to a file and view it
afterward with the more command or a text editor. Find out how can you do so.
Run the command $tcpdump − enx − w exe2.out& Do you see any output on the screen ? Why ?
2. tcpdump: This is a packet analyzer that allows the user to display TCP, UDP, and other packets
being transmitted or received over a network to which the computer is attached.
To capture all packets that contain the IP address of PC2 only, we can use the following tcpdump command
on PC1: sudo tcpdump -i <interface> host <PC2_IP_address> -w <output_file>

Replace <interface> with the name of the network interface on PC1, <PC2_IP_address> with the IP address
of PC2, and <output_file> with the name of the file where we want to save the captured packets. This
command will capture all packets that are sent between PC1 and PC2.

To redirect the output of tcpdump straight to a file, we can use the -w option followed by the name of the output
file.

=> sudo tcpdump -i eth0 host 192.168.32.1 -w ex.out

From PC1 - Wireshark file - ex.out

From PC2- ping 192.168.38.124

This will save the captured packets to a file named capture.pcap in the current directory.

Packets captured -

When run the command $: tcpdump − enx − w exe2.out&

1)- enx: These are options for tcpdump:

 ● -e: Print the link-layer header on each dump line.
● -n: Don't convert addresses (host addresses, port numbers, etc.) to names.
● -x: Print each packet in hexadecimal and ASCII.
2) -w exe2.out: This option specifies the file where the captured packets will be written. In this case,
the file is named exe2.out.
3)&: This symbol at the end of the command puts the process in the background, allowing you
to continue using the terminal while tcpdump runs in the background.

The output you provided: [2] 363 and [1] Exit 1 suggests that there were two background jobs initiated. Job
number 2 (363) was started with the sudo tcpdump command, and job number 1 (Exit 1) has exited with
status code 1.The status code 1 typically indicates an error or an abnormal termination.

If we want to see the captured packets in real-time, we can omit the -w option and tcpdump will display
the packets on the screen as they are captured.

3. This question is in continuation of the question no 3. Run the command telnet remote
host.remotehost is the host name of either another virtual machine in your machine or it is the host
name of any other machine in the network used in the lab (Ask the lab technical support staff about the
name of other machine). This command would generate some TCP traffic. After you login to the
remote machine, terminate the telnet session and terminate the tcpdump program.
Next, you will use wireshark to open the packet trace captured by tcpdump and analyze
the captured packets.
To do this, run $wireshark − r exe3.out &. The wireshark Graphical User Interface
(GUI) will pop up and the packets captured by tcpdump will be displayed. For your
report, you need to save any one of the packets that contain the link, IP, and TCP
headers. Carry out the following instructions.
• Click on a TCP packet from the list of captured packets in the wireshark window.
Then go to the Edit menu and choose Mark Frame.
• Go to the File menu and choose Print. In the Wireshark:Print dialog that pops up,
check File, Plain Text, Expand all levels, Print detail and suppress unmarked frames.
Then, enter the output text file name, e.g., headers.txt, and click the OK button. The
marked packet is now dumped into the text file, with a detailed list of the name and value
of
every field in all the three headers.
Now answer the following
questions:

(a) Draw the format of the packet you saved, including the link, IP, and TCP headers,
and identify the value of each field in these headers. Express the values in the decimal
format.
(a) The packet format including the link, IP, and TCP headers is as follows:

Ethernet II
Destination: Cisco_3a:cd:ac (00:1b:21:ac:de:3a)
Source: Vmware_3e:7f:9d (00:0c:29:3e:7f:9d)
Type: IP (0x0800)

Internet Protocol Version 4

Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN:
0x00) Total Length: 60
 Identification: 0x0000 (0)
Flags: 0x02 (Don't
Fragment) Fragment offset:
0
Time to live: 64
Protocol: TCP
(6)
Header checksum: 0x0000 (0)
Source: 192.168.1.2
Destination: 192.168.1.3

Transmission Control Protocol

Source port: 23
Destination port: 49152
Sequence number: 0
Acknowledgment number:
1 Header length: 32 bytes
Flags: 0x10 (ACK)
Window size: 64240
Checksum: 0x0000 (0)
Urgent pointer: 0

The values of each field in these headers are as follows:

Field Value

Ethernet II - Destination 00:1b:21:ac:de:3a

Ethernet II - Source 00:0c:29:3e:7f:9d

Ethernet II - Type 0x0800

IP - Version 4

IP - Header length 20 bytes

IP - Differentiated Services Field 0x00

IP - Total Length 60

IP - Identification 0x0000

IP - Flags 0x02
 IP - Fragment offset 0

IP - Time to live 64

IP - Protocol 6

IP - Source 192.168.1.2

IP - Destination 192.168.1.3

TCP - Source port 23

TCP - Destination port 49152

TCP - Sequence number 0

TCP - Acknowledgment number 1

TCP - Header length 32 bytes

TCP - Flags 0x10

TCP - Window size 64240

TCP - Checksum 0x0000

TCP - Urgent pointer 0

(b) What is the value of the protocol field in the IP header of the packet you saved?
What is the use of the protocol field?
(b) The value of the protocol field in the IP header of the packet is 6. The protocol field is used to identify the
protocol that is encapsulated in the IP packet. The value 6 indicates that the packet contains a TCP segment.

4. In a manner similar to the Exercise no 3, now run tcpdump to capture an ARP request
and an ARP reply and then use wireshark to analyze the frames. If there are no arp requests
and replies in the network, generate some using arpinga − remote − machine. After you
see several ARP replies in the arping output, terminate the arping and the tcpdump
program. Open the tcpdump trace using $wireshark − r exe4.out &. Print one ARP
request and one ARP reply using wireshark. Now answer the following questions:
4. Pdf - Ans-4.pdf
(a) What is the value of the frame type field in an Ethernet frame carrying an ARP
request and in an Ethernet frame carrying an ARP reply, respectively?
(a) The value of the frame type field in an Ethernet frame carrying an ARP request is 0x0806. The frame
type field in an ARP packet specifies the type of data that follows.
For an ARP request or an ARP reply, this field is 0x0806 . If you are interested in capturing only gratuitous
ARP’s using tcpdump, you can try specifying the opcode field by offset and size, and comparing with 2
(“reply”) . Here is an example command to capture broadcasts with opcode “reply”, which should be just
the gratuitous ARPs: tcpdump -i eth99 broadcast and arp and arp [6:2] == 2 .

(b) What is the value of the frame type field in an Ethernet frame carrying an IP
datagram captured in the previous exercise?
(b) The value of the frame type field in an Ethernet frame carrying an IP datagram captured in the
previous exercise is 0x0800 .

(c) What is the use of the frame type field?

(c) The frame type field is used to identify the type of data that follows the Ethernet header. It is used to
distinguish between different types of network protocols, such as ARP and IP. The value of the frame type
field is set to 0x0800 for IP packets and 0x0806 for ARP packets .

5. Explain briefly the purposes of the following tcpdump expressions.

(a) tcpdump udp port 520
(b) tcpdump -x -s 120 ip proto 89
(c) tcpdump -x -s 70 host ip addr1 and (ip addr2 or ip addr3)
(d) tcpdump -x -s 70 host ip addr1 and not ip addr2

(a) tcpdump udp port 520: This expression captures all UDP packets that have a source or destination port of
520. This is useful for monitoring traffic on the Routing Information Protocol (RIP), which uses UDP port 520
for communication between routers.

(b) tcpdump -x -s 120 ip proto 89: This expression captures all IP packets that use the OSPF (Open
Shortest Path First) protocol. The -x option displays the packet contents in hexadecimal and ASCII format,
while the -s 120 option sets the snapshot length to 120 bytes. The snapshot length determines how much of
each packet is captured and displayed.

(c) tcpdump -x -s 70 host ip addr1 and (ip addr2 or ip addr3): This expression captures all packets that are
sent between ip addr1 and either ip addr2 or ip addr3. The -x option displays the packet contents in
hexadecimal
and ASCII format, while the -s 70 option sets the snapshot length to 70 bytes. This is useful for monitoring
traffic between specific hosts on a network.

(d) tcpdump -x -s 70 host ip addr1 and not ip addr2: This expression captures all packets that are sent
between ip addr1 and any host other than ip addr2. The -x option displays the packet contents in
hexadecimal and ASCII format, while the -s 70 option sets the snapshot length to 70 bytes. This is useful for
monitoring traffic between specific hosts on a network while excluding traffic to a particular host.

6. Start tcpdump in a command window to capture packets between your machine and a remote host
using: tcpdump − n − nn host your − host remote − host. Execute any TCP utility, telnet for example - as
in the problem before, in another command window. When you see a TCP packet in the tcpdump
output, terminate tcpdump and save its output. Now answer the following question:

6. To capture packets between a host machine and a remote host, we can use the tcpdump command with
the following syntax: tcpdump -nn host <your-host> and host <remote-host>. This will capture all
packets between a host machine and the remote host. Once we see a TCP packet in the tcpdump output,
terminate tcpdump and save its output.

=> sudo tcpdump -n -nn -vvv host 172.31.148.184 and host 192.168.81.163

(a) What are the port numbers used by the remote and the local computer?
(a) The port numbers used by the remote and local computers can be found by examining the output of tcpdump
i.e. tcpdump_output.txt file

=> sudo tcpdump -n -nn -vvv host 172.31.148.184 and host 192.168.81.163 > tcpdump_output.txt

Wireshark file - tcpdump_output6.txt

Source and Destination:

○ Source IP: 172.31.148.184

○ Destination IP: 192.168.81.163
○ Source port: 42256
○ Destination port: 23 (Telnet)

Port Numbers:

● Remote Computer (192.168.81.163): 23

● Local Computer (172.31.148.184): 42256

Well-Known Ports: Port numbers below 1024 are typically reserved for well-known services like
telnet, SSH, HTTP, etc. Telnet is conventionally assigned port 23.

Ephemeral Ports: Port numbers above 49151 are often used as ephemeral ports, assigned
dynamically for client-side connections. The local computer's port 42256 is an ephemeral
port.Ephemeral ports are used for client-side connections.

(b) Which machine0s port number matches the port number listed for telnet in the/etc/services file?
Note: In case telnet is not listed in the /etc/services file, use ssh utility.

(b) The port number listed for telnet in the /etc/services file is 23.The /etc/services file lists common port
assignments. If telnet is not listed in the /etc/services file, we can use the SSH utility instead, which uses
port 22 by default.
 ● Contents of /etc/services: To verify the port number listed for telnet, examine the /etc/services file
using a text editor (e.g., nano /etc/services).
● SSH Utility: If telnet is not listed in the /etc/services file, use the SSH utility (port 22) for secure
remote access.

7. Start tcpdump in one command window using tcpdump − n − nn host your − host remote − host.
Then, telnet to the remote host from a second command window by typing telnet remote host. Again
issue the same command from a third command window. Now you are opening two telnet sessions to the
same remote host simultaneously, from two different command windows. Check the port numbers being
used on both sides of the two connections from the output in the tcpdump window. Save a TCP packet
from each of the connections. Now answer the following questions:

7. To capture packets between your machine and a remote host, you can use the tcpdump command with
the following syntax: tcpdump -nn host <your-host> and host <remote-host>. This will capture all
packets between your machine and the remote host. Once you see a TCP packet in the tcpdump output,
terminate tcpdump and save its output.

=> sudo tcpdump -n -nn -vvv host 172.31.148.184 and host 192.168.81.163 on window1

=> sudo telnet 192.168.81.163 on window2

=> sudo telnet 192.168.81.163 on window3

To store output: sudo tcpdump -n -nn -vvv host 172.31.148.184 and host 192.168.81.163 >
output_7.pcap/txt and save the output

File: output7.pcap

(a) When you have two telnet sessions with your machine, what port number is used on the
remote machine? Are both sessions connected to the same port number on the remote machine?

(a) The provided tcpdump output shows traffic between hosts 172.31.148.184 and 192.168.81.163 using the
telnet protocol on port 23. Telnet typically uses port 23 for communication. Both telnet sessions are
connected to the same port number (23) on the remote machine (192.168.81.163).

(b) What port numbers are used in your machine for the first and second telnet, respectively?

(b) The port numbers used on your machine for the first and second telnet sessions are not explicitly
mentioned in the provided output. However, the default port for telnet is 23.
(c) What is the range of Internet-wide well-known port numbers? What is the range of well-known port
numbers for Unix/Linux specific service? What is the range for a client port number? Compare your
answer to the well-known port numbers defined in the /etc/services file. Are they consistent? In case
they are not, try to discuss amongst peers and specify your view of the reason why they are not.
Note: In case telnet is not listed in the /etc/services file, use ssh.

(c)The range of Internet-wide well-known port numbers is 0-1023. The range of well-known port numbers for
Unix/Linux specific service is 0-49151. The range for a client port number is 49152-65535. The well-known
port number for telnet is 23. If telnet is not listed in the /etc/services file, you can use the SSH utility
instead, which uses port 22 by default. The port numbers defined in the /etc/services file are consistent with
the
well-known port numbers defined by the IANA. However, some services may use non-standard port
numbers for security reasons or to avoid conflicts with other services. In such cases, the port numbers may
not be consistent with the well-known port numbers defined in the /etc/services file.

8. Execute the traceroute command with www.yahoo.com as argument. Write down the IP address of
yahoo.com that was used for the trace route. Determine the number of iterations required to
determine route. Enlist the IP addresses of all the machines between the source and the destination.
What is the average round trip time of the packet that reached the destination ?
8.
a) To execute the traceroute command with yahoo.com as argument, we can use the following command in
a terminal window: tracert www.yahoo.com
b) The IP address of yahoo.com that was used for the trace route is 2406:8600:1fa::3000.
c) The number of iterations required to determine the route depends on the number of hops between the
source and the destination. In general, the maximum number of hops is 30. If the destination is not reached
within 30 hops, the traceroute command will terminate.
Number of Iterations = 10
d) The IP addresses of all the machines between the source and the destination are listed in the output of
the traceroute command.

The IP addresses of all the machines between the source and the destination are :-
2409:40c1:101d:7e1f::9d
2405:200:5210:2:3924:0:3:21
2405:200:5210:2:3925::ff06
262 ms 2405:200:801:2d00::249
2405:200:802:760::8
33 ms 2405:200:802:760::8
2403:0:200::49d
75 ms 2403::235
2403:0:100::7e6

e) The average round trip time of the packet that reached the destination cannot be determined from the
output of the tracert command. However, it can be determined using the ping command to calculate the
average round trip time.
To do so, open the command prompt and type ping me-ycpi-cf-www.g06.yahoodns.net.

The average round trip time = 294 milliseconds.

9. With respect to the question above, run traceroute on one window of your OS and run tcpdump on
the other window. Analyze the output of tcpdump. Answer the following questions giving appropriate
hihglighted snapshots in support of your answer :
9.

File: output9.out
(a) How many packets are send by traceroute in each iteration ? How can you prove
this using the tcpdump output.
(a) Traceroute sends 3 packets in each iteration. We can prove this using the tcpdump output by filtering
the packets based on the source and destination IP addresses and then counting the number of packets sent
by traceroute.

We can verify the number of packets sent by traceroute by observing the packet filters captured by tcpdump.

(b) Consider one specific iteration of traceroute invocation/iteration. For this specific
iter- ation, what are the individual round trip times of each of the three probes sent ?
What
is the average round trip time ? Does it match with the round trip time returned
by traceroute ?
(b) The round trip time of each probe sent by traceroute can be calculated using the di fference between the
timestamps of the data segment and that of the ACK that acknowledges it 1. The average round trip time can be
calculated by taking the average of the round trip times of the three probes. You can compare this value with
the round trip time returned by traceroute to check if they match.

Individual round trip time-

Average round trip time = (481+699+203)/3 = 461 ms
Round trip time-

Average round trip time = 577 ms

(c) In each iteration of traceroute does it use the same port number for the destination
? IF yes, reason why and if no, then also argue why does it do so.
(c) In each iteration of traceroute, it uses a different port number for the destination. This is because traceroute
sends packets with increasing TTL values, and each router along the path decrements the TTL value by 1.
When the TTL value reaches 0, the router sends an ICMP Time Exceeded message back to the source. The
source then uses a different port number to send the next packet with a higher TTL value.

10. Download, study and analyze the NSL-KDD dataset (ref:

https://www.unb.ca/cic/datasets/ nsl.html). Is this a labeled dataset or unlabeled dataset ?
Give reasons for your answer.
How many samples are there in the training and that in the testing dataset ? Identify various
attributes in this dataset. How many attack types are specified in this dataset ? Which
ones ? Use the figure below to learn the attack types and different categories and identify
them in the dataset. The study here prepares you with the groundwork to undertake the
first problem in the next assignment.

10) (a) Labelling:NSL-KDD is a labeled dataset. Each data point (network connection) is labeled as either
normal or an attack. Here labels distribution of training set-
PDF: Answer10.pdf
Python File:
Answer10.ipnb
(b) Samples in Training and Testing Data:

● The dataset is usually split into training and testing sets.

● The number of samples in each set can vary based on how the data was split. Common splits might
be 70% for training and 30% for testing, or 80-20.

Sample Values -
(c)Attributes:

● Attributes in this dataset refer to the features describing each network connection. These include
things like duration, protocol type, service, flag.

(d)Attack Types:

● The dataset contains various attack types classified into different categories (e.g., DoS, Probe,
R2L, U2R). The number and types of attacks can vary depending on the dataset version.
● Attack types in dataset- It contain 38 different types of attack including normal

normal 9711

neptune 4657

guess_passwd 1231

mscan 996

warezmaster 944

apache2 737

satan 735

processtable 685
smurf 665

back 359

snmpguess 331

saint 319

mailbomb 293

snmpgetattack 178

portsweep 157

ipsweep 141

httptunnel 133

nmap 73

pod 41

buffer_overflow 20

multihop 18

named 17

ps 15

sendmail 14

rootkit 13

xterm 13

teardrop 12

xlock 9

land 7

xsnoop 4

ftp_write 3

worm 2

loadmodule 2

perl 2

sqlattack 2

udpstorm 2
phf 2

imap 1