NNSquad - Network Neutrality Squad


[ NNSquad ] Re: Catalog of Measurement Tools

Lauren Weinstein writes:

> I'd like to start gathering a "catalog" of existing Internet
> measurement tools (including tools already published, and those that
> are "private" but available) as a foundation for an initial set of
> recommended software that folks can use to begin exploring the
> capabilities and conditions of their own Internet connectivity.
> If you have suggestions, please send them to the list (comments from
> the group regarding these packages would be very useful) along with
> some details about what functions they perform, how easy they are to
> use (suitable for consumers or pros?), and any other relevant
> information (free?  shareware?  commercial?  OS types supported?)
> It's time to get some initial metrics churning.  Thanks.

The experts on Internet measurement techniques who come to mind for
me are the folks at CAIDA; I wonder if anyone has been in touch with
them to see if they're curious about neutrality-related empirical

I'm in the process of writing a tool called pcapdiff with the goal
of comparing libpcap capture files made simultaneously at the two
ends of a communication.  This makes it easier to detect packet
injection, particularly if you don't know in advance what to look
for.  The idea of writing this was partly inspired by your original
blog post proposing what became nnsquad, and I expect to have
something ready in the next week or two to accompany a piece I'm
writing on how to use packet sniffers to detect packet injection.

The basic concept is that you have a local.pcap and a remote.pcap
file which show all the packets sent and all the packets received
between a pair of hosts during a given time period, whether or
not a human being had reason to suspect suspicious activity.  Then
you see the ways in which packets in one file correspond to packets
in the other file.  If we ignore fragmentation and duplicate packets
for the time being, there are five cases that can occur:

a packet...

{ in local.pcap and remote.pcap - normal condition
{ in local.pcap, not in remote.pcap, sent by local - dropped outbound packet
{ in remote.pcap, not in local.pcap, sent by remote - dropped inbound packet
{ in local.pcap, not in remote.pcap, sent by remote - spoofed inbound packet
{ in remote.pcap, not in local.pcap, sent by local - spoofed outbound packet

This interpretation treats an _altered_ packet as a combination of a drop
and a spoof, which is a correct interpretation in some sense, depending on
your metaphysical notions of packet identity.

I already have a prototype that distinguishes these conditions and can be
used to identify the packets in question and produce some statistics, but
there are a few tricky points, such as what counts as making two packets
identical or not identical, and whether to try to handle fragmentation and

By the way, Cory Doctorow pointed out that he mentioned the idea of empirical
network neutrality measurements in a 2006 column at


Seth Schoen
Staff Technologist                                schoen@eff.org
Electronic Frontier Foundation                    http://www.eff.org/
454 Shotwell Street, San Francisco, CA  94110     1 415 436 9333 x107
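
The five-case comparison described in the message above, as an added example; this is not pcapdiff's code and is not from the original message. It assumes captures already filtered to the two hosts, "sent by" decided by the IPv4 source address, and packet identity defined as a hash of the packet with TTL and header checksum zeroed, which is only one possible answer to the identity question the message raises. All addresses and packets are constructed.

```python
import hashlib, socket, struct

LOCAL, REMOTE = "192.0.2.10", "198.51.100.20"  # constructed documentation addresses

def mk(src, dst, ident, payload, ttl):
    """Build a constructed IPv4 packet; checksum left 0, payload is opaque bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def key(pkt):
    """Packet identity: hash of the bytes with hop-mutable header fields zeroed."""
    b = bytearray(pkt)
    b[8] = 0                # TTL is decremented by every router
    b[10:12] = b"\x00\x00"  # header checksum is recomputed when TTL changes
    return hashlib.sha256(bytes(b)).digest()

def classify(local_pkts, remote_pkts, local_ip):
    """Sort packets into the five cases (fragmentation and duplicates ignored)."""
    loc = {key(p): p for p in local_pkts}
    rem = {key(p): p for p in remote_pkts}
    out = {"normal": [loc[k] for k in loc.keys() & rem.keys()],
           "dropped outbound": [], "dropped inbound": [],
           "spoofed inbound": [], "spoofed outbound": []}
    for k in loc.keys() - rem.keys():      # seen only at the local end
        sent_by_local = socket.inet_ntoa(loc[k][12:16]) == local_ip
        out["dropped outbound" if sent_by_local else "spoofed inbound"].append(loc[k])
    for k in rem.keys() - loc.keys():      # seen only at the remote end
        sent_by_local = socket.inet_ntoa(rem[k][12:16]) == local_ip
        out["spoofed outbound" if sent_by_local else "dropped inbound"].append(rem[k])
    return out

# Constructed captures: TTLs differ between the two ends, as they would in transit.
local_capture = [
    mk(LOCAL, REMOTE, 1, b"hello", 64),
    mk(REMOTE, LOCAL, 2, b"reply", 50),
    mk(LOCAL, REMOTE, 3, b"GET /a", 64),   # altered in transit (see remote)
    mk(REMOTE, LOCAL, 4, b"reset", 61),    # never sent by remote
]
remote_capture = [
    mk(LOCAL, REMOTE, 1, b"hello", 52),
    mk(REMOTE, LOCAL, 2, b"reply", 64),
    mk(LOCAL, REMOTE, 3, b"GET /b", 52),   # the altered copy
    mk(REMOTE, LOCAL, 5, b"data", 64),     # never arrived locally
]

def summary():
    result = classify(local_capture, remote_capture, LOCAL)
    return {case: len(pkts) for case, pkts in result.items()}
```

The altered packet (ident 3) shows up as one dropped outbound plus one spoofed outbound, matching the drop-and-spoof interpretation in the message.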