So you'll note that there are very clear spikes at 552 and 576 total packet size. Further, note that the curve falls off _extremely_ rapidly. From that, I argue that case (2) _cannot_ be the case because any type of random distribution would be much smoother.
(2) is a random distribution plus some spikes, plus some modality due to TCP's that can only generate packets of <= N bytes for different popular MSS's. So I think it still works (but will save more detailed analysis till later ....).
2) What OS is using a 512 MSS?
From a bunch of (~ 20,000) traces in my study, looks like Irix 4.0/5.3, BSDI 1.1/2.0, OSF/1 3.0/3.2, and often but not always SunOS use either 512 or 536, or sometimes 500, 524, or 548 (BSDI). Never anything higher. This doesn't mean they *can't* use anything higher, just that they never found an opportunity to do so. 512 is far and away the most common MSS in the traces. (All the TCP's in the traces are BSD variants except for Solaris and Linux.)
256?
My best guess is SLIP links.
4) 41 bytes is pretty obviously interactive traffic. Is the intuition correct?
That's my guess too.
What's so special about 44, 52, 48 and 56?
Ack/SYN/FIN's with options.
What do people do with 4, 8, 12 and 16 bytes of data? And why not any of the odd values?
Because option sizes are rounded up to multiples of 4 bytes.

Vern
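The size arithmetic in the answers above, as an added example that is not part of the original message: it builds constructed IPv4+TCP packets and splits each total length into option bytes and data bytes, showing why option space always comes out as a multiple of 4 (the TCP Data Offset field counts 32-bit words). It assumes IPv4 with no IP options; the ports, addresses and the helper names `build_packet`, `dissect` and `summarize` are made up for illustration.

```python
import struct

def build_packet(options: bytes, payload: bytes, flags: int) -> bytes:
    """Constructed IPv4+TCP packet (checksums zero, documentation addresses)."""
    options += b"\x00" * (-len(options) % 4)   # pad with End-of-Option-List
    offset_words = (20 + len(options)) // 4    # Data Offset counts 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0,
                      offset_words << 4, flags, 4096, 0, 0) + options
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp + payload

def dissect(packet: bytes) -> dict:
    """Split the IP total length into TCP option bytes and data bytes."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 20:
        raise ValueError("truncated or malformed headers")
    if packet[9] != 6:
        raise ValueError("not TCP")
    total = struct.unpack_from("!H", packet, 2)[0]
    tcp_len = (packet[ihl + 12] >> 4) * 4
    if tcp_len < 20 or ihl + tcp_len > total:
        raise ValueError("bad TCP data offset")
    return {"total": total, "options": tcp_len - 20,
            "data": total - ihl - tcp_len}

MSS_512 = b"\x02\x04\x02\x00"   # kind 2, length 4, value 512
WSCALE = b"\x03\x03\x00"        # kind 3, length 3: forces one pad byte

# Constructed samples matching the sizes discussed in the thread.
SAMPLES = {
    "SYN with MSS option": build_packet(MSS_512, b"", 0x02),
    "SYN with MSS + 3-byte option": build_packet(MSS_512 + WSCALE, b"", 0x02),
    "one keystroke": build_packet(b"", b"x", 0x18),
    "full segment, MSS 512": build_packet(b"", bytes(512), 0x10),
    "full segment, MSS 536": build_packet(b"", bytes(536), 0x10),
}

def summarize() -> dict:
    return {name: dissect(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, fields in summarize().items():
        print(f"{name:30} {fields}")
```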