3. A)
Observations and Explanations:
Numerous objects were downloaded from both nytimes.com and vox.com. However, vox.com had many image files to download, so the total size of objects downloaded from vox.com (around 25 MB) is very large compared to nytimes.com (2 MB).
Considering vox.com:
o Almost all the image files were downloaded from the hostnames cdn0.vox-cdn.com, cdn1.vox-cdn.com, cdn2.vox-cdn.com & cdn3.vox-cdn.com. Out of these four, three of them (0, 2, 3) had a common IP address. Thus most of the image traffic was sent to a particular server.
(After analyzing the pcap file) All four hostnames are aliases of another domain, namely “ddrgqsxlcy7wq.cloudfront.net”.
Although this particular domain had multiple IP addresses assigned (perhaps to balance the load, as most of the queries to this domain are for images, which are huge in size and can thus slow down the network), the DNS response for three of them (cdn0, cdn2, cdn3) returned the same IP (54.230.0.10) most of the time (it was different for cdn2 & cdn0 in a few cases), while it was different for cdn1.
Ideally, DNS should have followed a round-robin configuration for returning the IP addresses, so that there was no risk of skewing the load between target servers. This can also, in a way, help with fault tolerance on network systems.
o For cdn1, two different IPs (54.230.0.69 & 54.230.0.238) were returned. Both had equal load as 3 objects …
In the screenshot above, cdn2 has a different IP (54.230.2.234) in one case and cdn0 also has a different IP (54.230.3.190) for three different objects.
o Now, because we parse the HAR file by hostname and the pcap by IP, all three of cdn0, cdn2 and cdn3 have the same TCP connections in the table, as they have the same IPs.
o A better way to read this would be to consider only non-zero download size connections for each of these three domains. We haven’t implemented it, to avoid irregularity in the table. It more or less gets implemented while making the download tree, so there are no problems there.
o As expected, the connections are exhaustive and no two domains have the same tuple of (src.port and dst.port).
o Any inconsistency in the table is mostly due to mismatches between the HAR file and the pcap file.
E.g. 1: The total size of objects downloaded according to the Wireshark data is less for ping.chartbeat.com. The HAR file recorded 4 objects while the pcap has data for only one. All four of these are different objects.
E.g. 2: The opposite is also observed, i.e. there are cases where Wireshark captures an HTTP GET request but
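
The hostname-versus-IP effect described above for cdn0, cdn2 and cdn3, and the suggested reading that keeps only non-zero download size connections per domain, shown as an added example that is not part of the original report. The hostname-to-IP mapping is taken from the text; the ports, byte counts and per-response record layout are constructed, and the example assumes the Host header of each request is readable in the capture.

```python
from collections import defaultdict

# Hostname -> IPs as reported in the text (the most common DNS answers).
DNS = {
    "cdn0.vox-cdn.com": {"54.230.0.10"},
    "cdn1.vox-cdn.com": {"54.230.0.69", "54.230.0.238"},
    "cdn2.vox-cdn.com": {"54.230.0.10"},
    "cdn3.vox-cdn.com": {"54.230.0.10"},
}

# Constructed sample, one record per HTTP response seen in the pcap:
# (client source port, server IP, Host header of the request, body bytes).
RESPONSES = [
    (50001, "54.230.0.10", "cdn0.vox-cdn.com", 120_000),
    (50001, "54.230.0.10", "cdn0.vox-cdn.com", 80_000),
    (50002, "54.230.0.10", "cdn2.vox-cdn.com", 300_000),
    (50003, "54.230.0.10", "cdn3.vox-cdn.com", 45_000),
    (50004, "54.230.0.69", "cdn1.vox-cdn.com", 60_000),
    (50005, "54.230.0.238", "cdn1.vox-cdn.com", 60_000),
]

def table_by_ip(dns, responses):
    """Join on IP only: a hostname is credited with every connection
    to any of its IPs, so hostnames sharing an IP get identical rows."""
    return {
        host: sorted({port for port, ip, _, _ in responses if ip in ips})
        for host, ips in dns.items()
    }

def table_by_host(dns, responses):
    """Join on the request's Host header and keep, per hostname, only
    the connections that carried a non-zero number of bytes for it."""
    size = defaultdict(int)
    for port, _ip, host, nbytes in responses:
        size[(host, port)] += nbytes
    return {
        host: {p: n for (h, p), n in sorted(size.items()) if h == host and n > 0}
        for host in dns
    }

if __name__ == "__main__":
    for host in DNS:
        print(host, table_by_ip(DNS, RESPONSES)[host],
              table_by_host(DNS, RESPONSES)[host])
```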