
Packet Capture Challenge #2 - Solution

April 03, 2012

This challenge is over for now. You can find the solution below!

First off, thanks to everyone who sent in a solution. Joe shows us the solution on YouTube, or you can try the challenge yourself below!

The Challenge

This challenge involves a packet capture taken during a Speedtest.net session. How Speedtest.net works is actually very interesting. The upload and download bandwidth reported are not simply the maximum bytes per second achieved at any point.

On to the Challenge

Visit the CloudShark capture session below. During this capture, a speed test is started on IPv4 host 192.168.1.104. The test starts with the download speed portion and then moves on to the upload portion. The capture session is approximately 36 seconds long. At some point during the capture session, the amount of bandwidth used in the upload direction becomes greater than the bandwidth used in the download direction. Using a round number of seconds (1, 2, etc.), what is that point in time? Hint: Try using the new CloudShark Graphs to explore the capture session.

http://cloudshark.org/captures/2a0d5954d36f

The Solution

The solution to this challenge is found by visualizing the capture file using CloudShark graphs. However, before we visualize the data, we need to understand what to look for. If we look at the conversations view (https://www.cloudshark.org/analysis/010dc29d08f7/conversations) for this capture, we see that almost 10 MB of data is exchanged between 192.168.1.104 and 69.241.108.46. This is our bandwidth test.

Now we can create a CloudShark graph and view the download and upload traffic. Since the Speedtest.net test is running on 192.168.1.104, packets with a destination address of 192.168.1.104 and source address of 69.241.108.46 are considered “download” traffic. The reverse is also true: packets with a destination address of 69.241.108.46 and source address of 192.168.1.104 are considered “upload” traffic.

Now, let’s create a bandwidth graph and use these addresses as filters.

We can enter display filters when creating a graph and change the label using the { label } notation.

ip.dst == 192.168.1.104 and ip.src == 69.241.108.46 { Download }

ip.dst == 69.241.108.46 and ip.src == 192.168.1.104 { Upload }

We’ve saved the graph as speedtest-net so you can view it below. Select the “Open in Editor” option to see the actual display filters and try customizing it further.

http://cloudshark.org/captures/2a0d5954d36f/graphs/speedtest-net

Using this CloudShark graph, you can see that at around 17 seconds, the upload traffic kicks in and becomes greater than the download bandwidth. The display time interval also has a big impact on what you see. We used a resolution of 1 second. However, if you use a smaller display time interval, you’ll see a higher resolution graph and can see the exact time the download portion stops and the upload portion begins.
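The same per-interval comparison can be done offline on exported packet records. The sketch below is an added example, not part of the original post or of CloudShark: it bins bytes by the two direction filters above and reports the first interval where upload overtakes download. The function names and the packet list are constructed for illustration (the sample is not the challenge capture); only the two IP addresses come from the post.

```python
from collections import defaultdict

CLIENT = "192.168.1.104"  # host running the speed test (from the post)
SERVER = "69.241.108.46"  # far end of the ~10 MB conversation (from the post)

def bandwidth_series(packets, interval_ms=1000):
    """Bin bytes per direction, mirroring the two graph filters in the post.

    packets: iterable of (seconds_since_start, ip_src, ip_dst, frame_len).
    Returns {bin_index: [download_bytes, upload_bytes]}.
    """
    bins = defaultdict(lambda: [0, 0])
    for ts, src, dst, length in packets:
        idx = round(ts * 1000) // interval_ms  # integer math avoids float floor-division drift
        if src == SERVER and dst == CLIENT:    # { Download }
            bins[idx][0] += length
        elif src == CLIENT and dst == SERVER:  # { Upload }
            bins[idx][1] += length
    return dict(bins)

def crossover(packets, interval_ms=1000):
    """Start (seconds) of the first bin where upload overtakes download.

    Bins before download has led at least once are skipped, so the client's
    opening request does not count as a crossover. Returns None if none.
    """
    series = bandwidth_series(packets, interval_ms)
    download_has_led = False
    for idx in sorted(series):
        down, up = series[idx]
        if down > up:
            download_has_led = True
        elif up > down and download_has_led:
            return idx * interval_ms / 1000
    return None

def constructed_packets():
    """Constructed sample (not the challenge capture): download until 10.4 s, then upload."""
    pkts = [(0.0, CLIENT, SERVER, 400)]            # opening request
    for t in range(200, 10400, 50):                # download phase, ACKs flow upstream
        pkts += [(t / 1000, SERVER, CLIENT, 1500), (t / 1000, CLIENT, SERVER, 66)]
    for t in range(10400, 20000, 50):              # upload phase, ACKs flow downstream
        pkts += [(t / 1000, CLIENT, SERVER, 1500), (t / 1000, SERVER, CLIENT, 66)]
    return pkts

if __name__ == "__main__":
    sample = constructed_packets()
    print("1 s bins:  ", crossover(sample, 1000))
    print("100 ms bins:", crossover(sample, 100))
```

On the constructed sample, 1-second bins place the crossover at the start of the bin containing the switch, while 100 ms bins locate the switch itself, which is the resolution effect described above.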

Until next time!