views:

220

answers:

4

I had a discussion with a developer earlier today re identifying TCP packets going out on a particular interface with the same payload. He told me that the probability of finding a TCP packet that has an equal payload (even if the same data is sent out several times) is very low due to the way TCP packets are constructed at system level. I was aware this may be the case due to the system's MTU settings (usually 1500 bytes) etc., but what sort of probability stats am I really looking at? Are there any specific protocols that would make it easier identifying matching payloads?

Thanks,

A

+1  A: 

EDIT: Sorry, my original idea was ridiculous.

You got me interested so I googled a little bit and found this. If you wanted to write your own tool you would probably have to inspect each payload, the easiest way would probably be some sort of hash/checksum to check for identical payloads. Just make sure you are checking the payload, not the whole packet.

As for the statistics I will have to defer to someone with greater knowledge on the workings of TCP.

mdec
+2  A: 

It is the protocol running over TCP that defines the uniqueness of the payload, not the TCP protocol itself.

For example, you might naively think that HTTP requests would all be identical when asking for a server's home page, but the referrer and user agent strings make the payloads different.

Similarly, if the response is dynamically generated, it may have a date header:

Date: Fri, 12 Sep 2008 10:44:27 GMT

So that will render the response payloads different. However, subsequent payloads may be identical, if the content is static.

Keep in mind that the actual packets will be different because of differing sequence numbers, which are supposed to be incrementing and pseudorandom.

Chris
+2  A: 

Chris is right. More specifically, two or three pieces of information in the packet header should be different:

  • the sequence number (which is intended to be unpredictable), which increases with the number of bytes transmitted and received.
  • the timestamp, a field containing two timestamps (although this field is optional).
  • the checksum, since both the payload and header are checksummed, including the changing sequence number.

Desty
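An added example (not from any of the posts above) that puts mdec's hashing idea next to the header differences Chris and Desty describe: three constructed TCP segments are built by hand, two carrying the same HTTP request under different sequence numbers, and their whole-segment hashes differ while their payload-only hashes match. The ports, sequence numbers and request text are made up, and the checksum omits the IP pseudo-header for brevity.

```python
import hashlib
import struct

# Constructed example: compare whole-segment hashes with payload-only hashes.
# Segments are built by hand (no sockets, no pcap) so this runs offline.

def internet_checksum(data):
    """Ones'-complement sum used by TCP (simplified: no IP pseudo-header)."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp_segment(seq, ack, payload):
    """20-byte TCP header (no options) + payload; checksum covers both."""
    data_offset_flags = (5 << 12) | 0x18          # 5 words of header, PSH+ACK
    fields = (40000, 80, seq, ack, data_offset_flags, 65535, 0, 0)
    header = struct.pack('!HHIIHHHH', *fields)     # made-up ports 40000 -> 80
    csum = internet_checksum(header + payload)
    return header[:16] + struct.pack('!H', csum) + header[18:] + payload

def tcp_payload(segment):
    """Use the data offset so any TCP options are excluded from the payload."""
    return segment[(segment[12] >> 4) * 4:]

def segment_digest(segment):
    return hashlib.sha256(segment).hexdigest()

def payload_digest(segment):
    return hashlib.sha256(tcp_payload(segment)).hexdigest()

def group_by_payload(segments):
    """Map payload hash -> indexes of segments carrying that exact payload."""
    groups = {}
    for i, seg in enumerate(segments):
        groups.setdefault(payload_digest(seg), []).append(i)
    return groups

# Constructed sample traffic: the same request twice, then a different user agent.
REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/7.0\r\n\r\n"
OTHER = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: wget/1.0\r\n\r\n"
SEGMENTS = [
    build_tcp_segment(0x1A2B3C4D, 0x00000001, REQUEST),  # first send
    build_tcp_segment(0x7F00AA55, 0x00000001, REQUEST),  # same data, new connection
    build_tcp_segment(0x1A2B3C4D, 0x00000001, OTHER),    # same seq, different payload
]

if __name__ == "__main__":
    for seg in SEGMENTS:
        print(segment_digest(seg)[:16], payload_digest(seg)[:16])
    print(group_by_payload(SEGMENTS))
```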
+1  A: 

Sending the same PAYLOAD is probably fairly common (particularly if you're running some sort of network service). If you mean sending out the same TCP segment (header and all) or the whole network packet (IP and up), then the probability is substantially reduced.

jdizzle