To understand the tcpdump(1) output used throughout the paper, we provide a simple key here. tcpdump(1) produces the following kind of output when invoked as tcpdump -nne. The first -n tells tcpdump not to resolve IP addresses to hostnames, the second -n stops it from resolving port numbers to service names, and -e adds the link-layer (MAC) addresses of each frame to the output.
19:27:01.454488 00:00:0c:04:b2:33 > 00:03:e3:d9:26:c0, ethertype IPv4 (0x0800),
length 1687: IP 138.97.18.88.63259 > 64.154.80.51.80: P 0:1633(1633) ack 1634 win 33580

 [1] 19:27:01.454488     TimeStamp
 [2] 00:00:0c:04:b2:33   Source MAC
 [3] 00:03:e3:d9:26:c0   Destination MAC
 [4] IPv4 (0x0800)       Network Protocol
 [5] 1687                IP Packet Length
 [6] 138.97.18.88        Source IP
 [7] 63259               Source Port
 [8] 64.154.80.51        Destination IP
 [9] 80                  Destination Port
[10] P                   TCP Flags
[11] 0                   TCP Sequence Number
[12] 1633                TCP Last Sequence Number
[13] 1633                TCP Length
[14] ack 1634            ACK flag
A parser for tcpdump(1) output can be found in afterglow-database.tar.gz at http://sourceforge.net/project/showfiles.php?group_id=125211. The script is called tcpdump2sql.pl. It is used to populate our MySQL database with the events so that they can be queried more easily (see also Appendix B).
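The following Python parser is an added example and is not the paper's tcpdump2sql.pl. It splits tcpdump -nne text into per-packet records (re-joining continuation lines, since the sample above is one tcpdump line wrapped to fit the page), extracts the fourteen fields of the key with a single regular expression, and stores the records in an in-memory SQLite table in the spirit of the MySQL import described. The sample output (including a constructed reply packet), the table name tcpdump_events and its columns are assumptions made for this example.

```python
"""Parse tcpdump -nne output into the fields of the key above and load them
into a small database. Added example; the sample text and the table schema
are constructed here, not taken from tcpdump2sql.pl."""
import re
import sqlite3

# Constructed sample: the packet from the key, plus a reply packet. The second
# record is wrapped over two lines the way the key wraps it, to exercise re-joining.
SAMPLE_OUTPUT = """\
19:27:01.454488 00:00:0c:04:b2:33 > 00:03:e3:d9:26:c0, ethertype IPv4 (0x0800), length 1687: IP 138.97.18.88.63259 > 64.154.80.51.80: P 0:1633(1633) ack 1634 win 33580
19:27:01.455102 00:03:e3:d9:26:c0 > 00:00:0c:04:b2:33, ethertype IPv4 (0x0800),
length 60: IP 64.154.80.51.80 > 138.97.18.88.63259: . ack 1633 win 65535
"""

# A record starts with a timestamp; anything else is a continuation line.
TS_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")

# One expression for the whole record; group names follow the key's numbering.
RECORD_RE = re.compile(
    r"^(?P<timestamp>\d{2}:\d{2}:\d{2}\.\d+)\s+"                       # [1]
    r"(?P<src_mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+>\s+"        # [2]
    r"(?P<dst_mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}),\s+"           # [3]
    r"ethertype\s+(?P<net_proto>\S+)\s+\(0x[0-9a-fA-F]+\),\s+"          # [4]
    r"length\s+(?P<ip_len>\d+):\s+(?:IP\s+)?"                          # [5]
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<src_port>\d+)\s+>\s+"   # [6] [7]
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dst_port>\d+):\s+"      # [8] [9]
    r"(?P<tcp_flags>[A-Z.]+)"                                          # [10]
    r"(?:\s+(?P<seq>\d+):(?P<last_seq>\d+)\((?P<tcp_len>\d+)\))?"      # [11] [12] [13]
    r"(?:\s+ack\s+(?P<ack>\d+))?"                                      # [14]
    r"(?:\s+win\s+(?P<win>\d+))?"                                      # window (unlabelled in the key)
)

INT_FIELDS = ("ip_len", "src_port", "dst_port", "seq", "last_seq", "tcp_len", "ack", "win")
COLUMNS = ("timestamp", "src_mac", "dst_mac", "net_proto", "ip_len", "src_ip", "src_port",
           "dst_ip", "dst_port", "tcp_flags", "seq", "last_seq", "tcp_len", "ack", "win")


def split_records(text):
    """Return one string per packet, gluing wrapped continuation lines back on."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_record(line):
    """Return a dict of the key's fields, with numeric fields as ints, or None
    if the line is not a tcpdump -nne TCP record (e.g. garbage or non-TCP)."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for field in INT_FIELDS:
        if rec[field] is not None:
            rec[field] = int(rec[field])
    return rec


def load_into_db(text):
    """Parse every record in `text` into an in-memory SQLite table (constructed
    schema; the paper's MySQL schema is not reproduced). Unparsable lines are
    skipped rather than stored half-filled."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tcpdump_events ("
        "timestamp TEXT, src_mac TEXT, dst_mac TEXT, net_proto TEXT, ip_len INTEGER, "
        "src_ip TEXT, src_port INTEGER, dst_ip TEXT, dst_port INTEGER, tcp_flags TEXT, "
        "seq INTEGER, last_seq INTEGER, tcp_len INTEGER, ack INTEGER, win INTEGER)"
    )
    placeholders = ", ".join("?" * len(COLUMNS))
    sql = f"INSERT INTO tcpdump_events ({', '.join(COLUMNS)}) VALUES ({placeholders})"
    for line in split_records(text):
        rec = parse_record(line)
        if rec is not None:
            conn.execute(sql, [rec[c] for c in COLUMNS])
    conn.commit()
    return conn


def packets_per_destination_port(conn):
    """Example query over the loaded events: packet count per destination port."""
    rows = conn.execute(
        "SELECT dst_port, COUNT(*) FROM tcpdump_events GROUP BY dst_port ORDER BY dst_port"
    ).fetchall()
    return [(int(p), int(n)) for p, n in rows]


if __name__ == "__main__":
    db = load_into_db(SAMPLE_OUTPUT)
    for rec in map(parse_record, split_records(SAMPLE_OUTPUT)):
        print(rec)
    print(packets_per_destination_port(db))
```

Because the parser re-joins wrapped lines and keeps every field typed, the same script can be pointed at a saved tcpdump -nne capture with `load_into_db(open(path).read())` and then queried with ordinary SQL, which is what the MySQL import is for.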