Tutorial: Basic Analysis
WTF is the Anteater?
Tranalyzer2 (T2) was created at a Swiss operator out of the need that standard Cisco NetFlow did not supply the fields we needed for our troubleshooting and security work. We needed all kinds of encapsulated protocols, content info, advanced statistics and an easy way to extract information for traffic mining. And most important a tool which can digest really large pcaps and runs stable on an interface. Therefore, only code and functionality which is needed by the user is added. That should explain, why a lot of T2 is controlled by compiler switches, making it adaptable and lightweight. But no worries, we made compiling on different infrastructure easy for you.
Having also students with us, we saw they always reinventing the wheel when it came to traffic analysis, so in 2008 T2 became open source. Since then practical ideas from people working in the field and in research inspired the path of the Anteater.
This tutorial will teach you about the basic configuration, usage, basic plugins and post-processing philosophy. So, let’s first look at the basic protocol and output modes.
T2 operational modes
By default T2 operates in the following basic protocol modes:
- Layer2
- IPv4
- IPv6
- SCTP
By default since the 0.8.0 version T2 operates concurrently in all protocol modes and feeds output into the same files. If you are only interested in IPv4 and decapsulation of protocols such as L2TP, GRE, IPv[46]-in-IPv[46], etc is not relevant, T2 can easily be configured to do only this. Moreover L4 protocols support is supplied, e.g., SCTP which transforms all streams into extra flows, if enabled in networkHeaders.h. We will discuss at the end of the tutorial and in the Protocol Modes tutorial (coming soon).
T2 is capable to produce the following concurrent jobs.
- Flow
- Packet
- Monitoring
- Alarm
- Force
Let’s have a quick look at these.
Flow
The most prominent one is flow, where traffic is aggregated into so called flows to process large amount of traffic. A flow is defined in T2 as A and opposite B Flow which are linked by a unique flowIndex, a 64 bit number. The default aggregation of T2 flows is
(vlan, srcIP, srcPort, dstIP, dstPort, L3protocol)which covers most cases in corporate networks, as VLANs are very common. It can be extended to
(srcEther, dstEther, ethertype, vlan, srcIP, srcPort, dstIP, dstPort, sctpChannel, L3protocol)or reduced to aggregating all traffic into a few flows, defining only several networks without VLANs, ports and protocols. The advanced flow aggregation modes are discussed in the Flexible Flow Aggregation tutorial.
Each plugin added to T2 will produce additional columns in the flow file, producing an output easy to process for any script language or standard tools, such as Excel or SPSS.
Packet
The packet mode’s output format is as scripting friendly as the flow output and thought of as a drill down instrument, which links back to flows and L7 content via the flowIndex. This mode is discussed in detail in the Packet Mode tutorial.
Monitoring
Network managers often need certain time sampled parameters, such as number of packets or bandwidth. T2 reports into standard tools, such as RRD. This mode is discussed in detail in the Monitoring Mode tutorial.
Alarm
Sometimes L3-4 or content driven rules or even a custom build AI classifier defines what is interesting for the user. Hence, the alarm mode enables each plugin to control flow processing and release to output. This mode is discussed in detail in the Alarm Mode tutorial.
Force
When operating on an interface sometimes the timeout of a flow is too long for appropriate reaction, e.g. when Malware is detected. So notification when a certain packet is seen is required. The force mode enables any plugin to control flow termination at any point in time. All following packets after flow release will be send to a new flow. This mode is discussed in detail in the Force Mode tutorial.
How to Anteater
In this chapter we will give you a practical introduction to the basic operations with the Anteater. The configuration is really easy thanks to numerous scripts, such as t2conf. So, if you are afraid of command line operations and header file (.h) editing, don’t worry! If you are a Windows 10 user, please follow the Installing Tranalyzer on Windows tutorial first.
Unpack and go
To get started download Tranalyzer and unpack the tar ball:
(BTW: lmw means Linux, Mac and Win10 tested) and for the un-initiated bash user, the $ in front of each command denotes the bash command line prompt. Do NOT copy it into your command shell!
$ tar -xf tranalyzer2-0.8.6lmw1.tar.gz
$ cd ~/tranalyzer2-0.8.6
$ ls
autogen.sh ChangeLog doc plugins README.md scripts setup.sh tests tranalyzer2 utils
$You see the doc folder, the README.md file (compilation, dependencies for different OS) and the setup.sh script (among others). Tranalyzer2, aka, the core, can be found in the tranalyzer2 folder, while all the plugins can be found in the plugins folder.
$ cd plugins
$ ls
arpDecode binSink dhcpDecode fnameLabel icmpDecode lldpDecode mysqlSink nFrstPkts pcapd protoStats regex_pcre snmpDecode sslDecode tcpFlags tp0f wavelet
autogen.sh cdpDecode dnsDecode ftpDecode igmpDecode macRecorder natNudel ntpDecode pktSIATHisto psqlSink sctpDecode socketSink stpDecode tcpStates txtSink
basicFlow connStat entropy geoip ircDecode modbus nDPI ospfDecode popDecode pwX smbDecode sqliteSink syslogDecode telnetDecode voipDetector
basicStats descriptiveStats findexer httpSniffer jsonSink mongoSink netflowSink p0f portClassifier radiusDecode smtpDecode sshDecode t2PSkel tftpDecode vrrpDecode
$If you are a rookie to T2, use the setup.sh script under the tranalyzer root directory, it will install all tools, links, t2tools and environment variables for you and compiles T2 with the standard basic plugins.
$ ./setup.sh
...If the setup finished successfully you are all set including t2_aliases.
The good and old fashion way without ./setup.sh is to invoke ./autogen.sh (note however that this method will NOT install t2_aliases)
$ ./autogen.sh
...If you want to use the t2_aliases (t2build, t2conf, …) in your current bash window, you have to run the following command:
$ source scripts/t2_aliases
$If a new bash window is opened all environmental variables will be automatically set. Now try to use the autocompletion: t2 tab-tab
t2 t2build t2caplist t2conf t2dmon t2doc t2edit t2fm t2plot t2PSkel t2stat t2timeline t2wizardt2 always points to the newest tranalyzer compiled under ~/tranalyzer2-0.8.6/tranalyzer2/src, so you do not need to move to this directory and type ./tranalyzer. t2build compiles the core and/or the plugins. t2conf helps you to configure the core and the plugins and t2stat helps you to send signals to the Anteater. These are the most important for you for the time being. We will come back to the t2 commands later.
Here is a list of the most important t2build options we need in this tutorial (If you want to know more look at the Building kung fu tutorial):
t2build -h |
show help |
t2build |
compile T2 and standard plugins |
t2build -u plugin |
unload plugin |
t2build -a |
compile T2 and all plugins |
t2build -c |
clean plugin directory |
t2build -l |
list all plugins under plugin directory |
t2build -R |
recompile all plugins under plugin directory |
If you want to change any configuration of plugins or the core, run
t2conf plugin -D CONSTANT=valueWe will practice that extensively in the following, so don’t worry. If you want to know more, have a look at the Configuration kung fu tutorial.
There is also a list of acronyms available to facilitate navigation:
tran |
goto latest version of t2 |
.tran |
goto the plugin directory |
tranpl |
goto plugin directory of latest version |
plugin |
goto root directory of plugin |
t2doc plugin |
show doc of plugin |
Let’s check it out!
$ tran
$ ls
autogen.sh ChangeLog doc plugins README.md scripts setup.sh tests tranalyzer2 utils
$ .tran
$ ls
001_protoStats.so 110_macRecorder.so 120_basicStats.so 132_tcpStates.so 150_tcpWin.so 500_connStat.so ethertypes.txt portmap.txt subnets4_HLP.bin
100_basicFlow.so 111_portClassifier.so 130_tcpFlags.so 140_icmpDecode.so 310_httpSniffer.so 901_txtSink.so manuf.txt proto.txt subnets6_HLP.bin
$ tranpl
$ ls
arpDecode binSink dhcpDecode fnameLabel icmpDecode lldpDecode mysqlSink ntpDecode pktSIATHisto psqlSink sctpDecode socketSink stpDecode tcpFlags tftpDecode vrrpDecode
autogen.sh cdpDecode dnsDecode ftpDecode igmpDecode macRecorder nDPI ospfDecode popDecode pwX smbDecode sqliteSink stunDecode tcpStates tp0f wavelet
basicFlow connStat entropy geoip ircDecode modbus netflowSink p0f portClassifier radiusDecode smtpDecode sshDecode syslogDecode tcpWin txtSink
basicStats descriptiveStats findexer httpSniffer jsonSink mongoSink nFrstPkts pcapd protoStats regex_pcre snmpDecode sslDecode t2PSkel telnetDecode voipDetector
$ basicStats
$ ls
AUTHORS autogen.sh ChangeLog configure.ac COPYING doc Makefile.am NEWS README src t2plconf tests
$ t2doc tcpFlags
Documentation for plugin 'tcpFlags' does not exist... build it (Y/n)? y
... Popup of a pdf
$See? All very simple. It is very helpful to read the documentation, which will be built by invoking t2doc
If the compilation fails, it will tell you what is missing, then refer to the README.md or copy the appropriate dependencies from here. If nothing works, look in the FAQ. If that does not solve your problem, write to the Anteater. He will definitely help you.
If setup is successful then you may start t2 with the help option for a quick test:
$ t2 -h
Tranalyzer 0.8.6 - High performance flow based network traffic analyzer
Usage:
tranalyzer [OPTION...] <INPUT>
Input:
-i IFACE Listen on interface IFACE
-r PCAP Read packets from PCAP file or from stdin if PCAP is "-"
-R FILE Process every PCAP file listed in FILE
-D EXPR[:SCHR][,STOP]
Process every PCAP file whose name matches EXPR, up to an
optional last index STOP. If STOP is omitted, then Tranalyzer
never stops. EXPR can be a filename, e.g., file.pcap0, or an
expression, such as "dump*.pcap00", where the star matches
anything (note the quotes to prevent the shell from
interpreting the expression). SCHR can be used to specify the
the last character before the index (default: 'p')
Output:
-w PREFIX Append PREFIX to any output file produced. If omitted, then
output is diverted to stdout
-W PREFIX[:SIZE][,START]
Like -w, but fragment flow files according to SIZE, producing
files starting with index START. SIZE can be specified in bytes
(default), KB ('K'), MB ('M') or GB ('G'). Scientific notation,
i.e., 1e5 or 1E5 (=100000), can be used as well. If a 'f' is
appended, e.g., 10Kf, then SIZE denotes the number of flows.
-l Print end report in PREFIX_log.txt instead of stdout
-s Packet forensics mode
Optional arguments:
-p PATH Load plugins from path PATH instead of ~/.tranalyzer/plugins
-b FILE Use plugin list FILE instead of plugin_folder/plugins.txt
-e FILE Creates a PCAP file by extracting all packets belonging to
flow indexes listed in FILE (requires pcapd plugin)
-f FACTOR Sets hash multiplication factor
-x ID Sensor ID
-c CPU Bind tranalyzer to one core. If CPU is 0 then OS selects the
core to bind
-F FILE Read BPF filter from FILE
Help and documentation arguments:
-v Show the version of the program and exit
-h Show help options and exit
Remaining arguments:
BPF Berkeley Packet Filter command, as in tcpdumpIf you cannot wait and would like to try it now on an interface, go ahead and use the -i option. Here we will read from pcaps, so only the -r, -R or -D options are relevant. The latter two are only useful if more than one pcap is to be analysed (learn more about that in the Multi File I/O tutorial!). For this tutorial, -r is the option of choice. The -w option defines where the flow files will be written to. If you omit it, T2 writes to the folder of the pcap and derives the output prefix from the pcap. The rest is currently not important.
A good practice for analysis and mining jobs is to create a separate data and results directory as follows:
$ mkdir ~/data
$ mkdir ~/results
$ cd dataDownload the pcap annoloc2.pcap into your data folder either via a click on the link or via command line.
$ cd ~/data
$ wget https://tranalyzer.com/download/data/annoloc2.pcap
...
$Now feed the pcap to the Anteater as follows:
$ t2 -r ~/data/annoloc2.pcap -w ~/results
================================================================================
Tranalyzer 0.8.6 (Anteater), Tarantula. PID: 98425
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
01: protoStats, 0.8.6
02: basicFlow, 0.8.6
03: macRecorder, 0.8.6
04: portClassifier, 0.8.6
05: basicStats, 0.8.6
06: tcpFlags, 0.8.6
07: tcpStates, 0.8.6
08: icmpDecode, 0.8.6
09: connStat, 0.8.6
10: txtSink, 0.8.6
[INF] basicFlow: IPv4 Ver: 4, Rev: 01102019, Range Mode: 0, subnet ranges loaded: 313050 (313.05 K)
[INF] basicFlow: IPv6 Ver: 4, Rev: 01102019, Range Mode: 0, subnet ranges loaded: 21495 (21.50 K)
Processing file: /home/wurst/data/annoloc2.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1022171701.691172 sec (Thu 23 May 2002 16:35:01 GMT)
[WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500
Dump stop : 1022171726.640398 sec (Thu 23 May 2002 16:35:26 GMT)
Total dump duration: 24.949226 sec
Finished processing. Elapsed time: 0.852957 sec
Finished unloading flow memory. Time: 1.283424 sec
Percentage completed: 100.00%
Number of processed packets: 1219015 (1.22 M)
Number of processed bytes: 64082726 (64.08 M)
Number of raw bytes: 844642686 (844.64 M)
Number of pcap bytes: 83586990 (83.59 M)
Number of IPv4 packets: 1218588 (1.22 M) [99.96%]
Number of IPv6 packets: 180 [0.01%]
Number of A packets: 561591 (561.59 K) [46.07%]
Number of B packets: 657424 (657.42 K) [53.93%]
Number of A bytes: 29274086 (29.27 M) [45.68%]
Number of B bytes: 34808640 (34.81 M) [54.32%]
Average A packet load: 52.13
Average B packet load: 52.95
--------------------------------------------------------------------------------
basicStats: Biggest L2 Talker: 00:d0:02:6d:78:00: 57 [0.00%] packets
basicStats: Biggest L2 Talker: 00:d0:02:6d:78:00: 3420 (3.42 K) [0.01%] bytes
basicStats: Biggest L3 Talker: 138.212.189.38 (JP): 23601 (23.60 K) [1.94%] packets
basicStats: Biggest L3 Talker: 138.212.189.38 (JP): 35005508 (35.01 M) [54.63%] bytes
tcpFlags: Aggregated ipFlags: 0x3dff
tcpFlags: Aggregated tcpAnomaly: 0xff47
tcpFlags: Number of TCP scans, succ scans, syn retries, seq retries: 685, 2569 (2.57 K), 114, 933
tcpFlags: Number WinSz below 1: 2415 (2.42 K) [0.25%]
tcpStates: Aggregated anomaly flags: 0xdf
icmpDecode: Number of ICMP echo request packets: 224 [7.32%]
icmpDecode: Number of ICMP echo reply packets: 191 [6.24%]
icmpDecode: ICMP echo reply / request ratio: 0.85
connStat: Number of unique source IPs: 4292 (4.29 K)
connStat: Number of unique destination IPs: 2900 (2.90 K)
connStat: Number of unique source/destination IPs connections: 182
connStat: Max unique number of source IP / destination port connections: 413
connStat: IP prtcon/sdcon, prtcon/scon: 2.269231, 0.096226
connStat: Source IP with max connections: 138.212.189.66 (JP): 369 connections
connStat: Destination IP with max connections: 138.212.184.235 (JP): 403 connections
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, average: 3.01
Number of GRE packets: 20 [0.00%]
Number of IGMP packets: 12 [0.00%]
Number of ICMP packets: 3059 (3.06 K) [0.25%]
Number of ICMPv6 packets: 11 [0.00%]
Number of TCP packets: 948743 (948.74 K) [77.83%]
Number of TCP bytes: 52643546 (52.64 M) [82.15%]
Number of UDP packets: 266900 (266.90 K) [21.89%]
Number of UDP bytes: 11234272 (11.23 M) [17.53%]
Number of IPv4 fragmented packets: 2284 (2.28 K) [0.19%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 17589 (17.59 K)
Number of processed A flows: 9980 (9.98 K) [56.74%]
Number of processed B flows: 7609 (7.61 K) [43.26%]
Number of request flows: 9452 (9.45 K) [53.74%]
Number of reply flows: 8137 (8.14 K) [46.26%]
Total A/B flow asymmetry: 0.13
Total req/rply flow asymmetry: 0.07
Number of processed packets/flows: 69.31
Number of processed A packets/flows: 56.27
Number of processed B packets/flows: 86.40
Number of processed total packets/s: 48859.83 (48.86 K)
Number of processed A+B packets/s: 48859.83 (48.86 K)
Number of processed A packets/s: 22509.36 (22.51 K)
Number of processed B packets/s: 26350.48 (26.35 K)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 704.99
Average full raw bandwidth: 270835712 b/s (270.84 Mb/s)
Average snapped bandwidth : 20548206 b/s (20.55 Mb/s)
Average full bandwidth : 270269600 b/s (270.27 Mb/s)
Max number of flows in memory: 15206 (15.21 K) [5.80%]
Memory usage: 0.18 GB [0.27%]
Aggregate flow status: 0x000018fa0202d044
[WRN] L3 SnapLength < Length in IP header
[WRN] L4 header snapped
[WRN] Consecutive duplicate IP ID
[WRN] IPv4/6 fragmentation header packet missing
[WRN] IPv4/6 packet fragmentation sequence not finished
[INF] IPv4
[INF] IPv6
[INF] IPv4/6 fragmentation
[INF] IPv4/6 in IPv4/6
[INF] GRE encapsulation
[INF] SSDP/UPnP flows
[INF] Ethernet flows
[INF] ARP flows
$T2 produces an end report, which serves as an initial assessment of the pcap content and anomalies. After basic packet and byte statistics, each plugin adds some statistical or hex coded info between the ------ lines which will be discussed later. Moreover, flow based statistics are reported to assess the traffic seen on the wire. At the end, certain protocol based information and warnings about traffic content are reported to alert the user. Thus, an initial assessment is possible without even looking into flows or packets which is essential when dealing with large quantities of traffic.
All plugins reside in the plugins folder and own a src (.h, .c), a doc (.tex, .pdf) and a test (auto-testing) directory. Important for now is the doc folder, where you will find a PDF describing the plugin. The complete documentation of Tranalyzer2, all the plugins and scripts can be found under doc/documentation.pdf. The rest will be discussed later.
The primary goal of this tutorial is to give you a basic introduction to the art of traffic mining using Tranalyzer. So without further ado, let’s start with the very basics!
Have fun!
Basic flow based plugins
For beginners, let’s start with the very basic flow plugins and only use flow based text output, aka the extended NetFlow7 flow output. We will only need the following:
| tranalyzer2 | Anteater’s core |
| basicFlow | Flow output definition + geo labeling + encapsulation info |
| basicStats | Basic statistics including Traffic Mining extensions |
| txtSink | Produces a tab separated text file: _flows.txt |
Let’s unload unnecessary compiled plugins first:
$ t2build -u protoStats macRecorder portClassifier tcpFlags tcpStates icmpDecode connStat
Plugin 'protoStats'
Plugin 'macRecorder'
Plugin 'portClassifier'
Plugin 'tcpFlags'
Plugin 'tcpStates'
Plugin 'icmpDecode'
Plugin 'connStat'
UNLOADING SUCCESSFUL
$Now restart the Anteater and have a look at what changed in the end report:
$ t2 -r ~/data/annoloc2.pcap -w ~/results
================================================================================
Tranalyzer 0.8.6 (Anteater), Tarantula. PID: 98636
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
01: basicFlow, 0.8.6
02: basicStats, 0.8.6
03: txtSink, 0.8.6
[INF] basicFlow: IPv4 Ver: 4, Rev: 01102019, Range Mode: 0, subnet ranges loaded: 313050 (313.05 K)
[INF] basicFlow: IPv6 Ver: 4, Rev: 01102019, Range Mode: 0, subnet ranges loaded: 21495 (21.50 K)
Processing file: /home/wurst/data/annoloc2.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1022171701.691172 sec (Thu 23 May 2002 16:35:01 GMT)
[WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500
Dump stop : 1022171726.640398 sec (Thu 23 May 2002 16:35:26 GMT)
Total dump duration: 24.949226 sec
Finished processing. Elapsed time: 0.441768 sec
Finished unloading flow memory. Time: 0.638205 sec
Percentage completed: 100.00%
Number of processed packets: 1219015 (1.22 M)
Number of processed bytes: 64082726 (64.08 M)
Number of raw bytes: 844642686 (844.64 M)
Number of pcap bytes: 83586990 (83.59 M)
Number of IPv4 packets: 1218588 (1.22 M) [99.96%]
Number of IPv6 packets: 180 [0.01%]
Number of A packets: 564227 (564.23 K) [46.29%]
Number of B packets: 654788 (654.79 K) [53.71%]
Number of A bytes: 29447862 (29.45 M) [45.95%]
Number of B bytes: 34634864 (34.63 M) [54.05%]
Average A packet load: 52.19
Average B packet load: 52.89
--------------------------------------------------------------------------------
basicStats: Biggest L2 Talker: 00:d0:02:6d:78:00: 57 [0.00%] packets
basicStats: Biggest L2 Talker: 00:d0:02:6d:78:00: 3420 (3.42 K) [0.01%] bytes
basicStats: Biggest L3 Talker: 138.212.189.38 (JP): 23601 (23.60 K) [1.94%] packets
basicStats: Biggest L3 Talker: 138.212.189.38 (JP): 35005508 (35.01 M) [54.63%] bytes
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, average: 3.01
Number of GRE packets: 20 [0.00%]
Number of IGMP packets: 12 [0.00%]
Number of ICMP packets: 3059 (3.06 K) [0.25%]
Number of ICMPv6 packets: 11 [0.00%]
Number of TCP packets: 948743 (948.74 K) [77.83%]
Number of TCP bytes: 52643546 (52.64 M) [82.15%]
Number of UDP packets: 266900 (266.90 K) [21.89%]
Number of UDP bytes: 11234272 (11.23 M) [17.53%]
Number of IPv4 fragmented packets: 2284 (2.28 K) [0.19%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 17086 (17.09 K)
Number of processed A flows: 9704 (9.70 K) [56.80%]
Number of processed B flows: 7382 (7.38 K) [43.20%]
Number of request flows: 9661 (9.66 K) [56.54%]
Number of reply flows: 7425 (7.42 K) [43.46%]
Total A/B flow asymmetry: 0.14
Total req/rply flow asymmetry: 0.13
Number of processed packets/flows: 71.35
Number of processed A packets/flows: 58.14
Number of processed B packets/flows: 88.70
Number of processed total packets/s: 48859.83 (48.86 K)
Number of processed A+B packets/s: 48859.83 (48.86 K)
Number of processed A packets/s: 22615.01 (22.61 K)
Number of processed B packets/s: 26244.82 (26.24 K)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 684.83
Average full raw bandwidth: 270835712 b/s (270.84 Mb/s)
Average snapped bandwidth : 20548206 b/s (20.55 Mb/s)
Average full bandwidth : 270269600 b/s (270.27 Mb/s)
Max number of flows in memory: 17086 (17.09 K) [6.52%]
Memory usage: 0.08 GB [0.11%]
Aggregate flow status: 0x000018fa0202d044
[WRN] L3 SnapLength < Length in IP header
[WRN] L4 header snapped
[WRN] Consecutive duplicate IP ID
[WRN] IPv4/6 fragmentation header packet missing
[WRN] IPv4/6 packet fragmentation sequence not finished
[INF] IPv4
[INF] IPv6
[INF] IPv4/6 fragmentation
[INF] IPv4/6 in IPv4/6
[INF] GRE encapsulation
[INF] SSDP/UPnP flows
[INF] Ethernet flows
[INF] ARP flows
$T2 produces an end report, which serves as an initial assessment of the pcap content and anomalies. Each plugin adds some info between the ------ lines. basicStats shows the biggest talker regarding traffic volume and country of origin. It is one of the first features relevant to understand large traffic pcaps. There are also biggest talkers in regard to number of connections. This will be discussed in Basic traffic volume and connection analysis.
So it is an old pcap from 2002 in the afternoon. It contains IPv4/6 and Ethernet traffic and the payload is snapped. At the bottom, you see warnings ([WRN]) and information ([INF]). It is decoded from the aggregated flow status, which denotes the OR info from all flows status registers.
There are packets snapped even down to the L2 header, fragments without header or end. The difference between the snapped bandwidth and the full raw bandwidth denotes that either the snaplength was small, maybe the default, or somebody actually mangled with the packet content. The average packet load is symmetric for A and B flow, very odd. The protocols used indicate that the traffic is either corporate or the wild. So if you want good traffic with content for your job, I wouldn’t trust that pcap and would send it right back to the customer.
T2 produces also the following files
$ ls
annoloc2_flows.txt annoloc2_headers.txtThe header file contains information about the columns of the flow file, such as time, column positions, T2 config, the name of the pcap file, vital interface information, etc. This information makes it easier to reproduce results from different experiments and it is good doc.
$ cat annoloc2_headers.txt
# Date: 1566316839.259591 sec (Tue 20 Aug 2019 18:00:39 CEST)
# Tranalyzer 0.8.6 (Anteater), Tarantula.
# Core configuration: L2, IPv4, IPv6
# sensorID: 666
# PID: 27697
# Command line: /home/wurst/tranalyzer -r /home/wurst/data/annoloc2.pcap -w /home/wurst/data/results/BW_2013/
# HW Info: eierfeile;Linux;5.2.9-arch1-1-ARCH;#1 SMP PREEMPT Fri Aug 16 11:29:43 UTC 2019;x86_64
#
# Plugins loaded:
# 01: basicFlow, version 0.8.6
# 02: basicStats, version 0.8.6
# 03: txtSink, version 0.8.6
#
# Col No. Type Name Description
1 C dir Flow direction
2 U64 flowInd Flow index
3 H64 flowStat Flow status and warnings
4 U64.U32 timeFirst Date time of first packet
5 U64.U32 timeLast Date time of last packet
6 U64.U32 duration Flow duration
7 U8 numHdrDesc Number of different headers descriptions
8 U16:R numHdrs Number of headers (depth) in hdrDesc
9 SC:R hdrDesc Headers description
10 MAC:R srcMac Mac source
11 MAC:R dstMac Mac destination
12 H16 ethType Ethernet type
13 U16:R ethVlanID VLAN IDs
14 IPX srcIP Source IP address
15 SC srcIPCC Source IP country code
16 S srcIPWho Source IP who
17 U16 srcPort Source port
18 IPX dstIP Destination IP address
19 SC dstIPCC Destination IP country code
20 S dstIPWho Destination IP who
21 U16 dstPort Destination port
22 U8 l4Proto Layer 4 protocol
23 U64 numPktsSnt Number of transmitted packets
24 U64 numPktsRcvd Number of received packets
25 U64 numBytesSnt Number of transmitted bytes
26 U64 numBytesRcvd Number of received bytes
27 U16 minPktSz Minimum layer 3 packet size
28 U16 maxPktSz Maximum layer 3 packet size
29 F avePktSize Average layer 3 packet size
30 F stdPktSize Standard deviation layer 3 packet size
31 F minIAT Minimum IAT
32 F maxIAT Maximum IAT
33 F aveIAT Average IAT
34 F stdIAT Standard deviation IAT
35 F pktps Send packets per second
36 F bytps Send bytes per second
37 F pktAsm Packet stream asymmetry
38 F bytAsm Byte stream asymmetry
$Now compare it with the flow file, the columns flowInd to l4Proto originate from basicFlow. After that and until bytAsym the columns are produced by the basicStats plugin. I picked some interesting flows which demonstrate T2 ops when traffic is mangled with, so all flows which are damaged due to a limited snapLength in the acquisition process. Let’s sort them out:
$ tawk -V flowStat=0x0000080f00000000
The flowStat column with value 0x0000080f00000000 is to be interpreted as follows:
bit | flowStat | Description
=============================================================================
32 | 0x0000 0001 0000 0000 | Acquired packet length < minimal L2 datagram
33 | 0x0000 0002 0000 0000 | Acquired packet length < packet length in L3 header
34 | 0x0000 0004 0000 0000 | Acquired packet length < minimal L3 Header
35 | 0x0000 0008 0000 0000 | Acquired packet length < minimal L4 Header
43 | 0x0000 0800 0000 0000 | Stop dissectingLet’s say we are only interested to weed out the ones where even the layer 2 header is damaged and T2 gave up further dissecting, then use the following tawk command:
$ tawk 'bitsanyset($flowStat, 0x0000080100000000)' annoloc2_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPWho srcPort dstIP dstIPCC dstIPWho dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm
A 260 0x0000080200028000 1022171701.707777 1022171701.707777 0.000000 1 4 eth:ipv4:ipv6:UNK(168) 00:d0:02:6d:78:00 00:60:08:2c:ca:8e 0x86dd cfb6:1c18:5010:faf0:7f66:0:101:80a -- "--" 0 6c2:6a7f:1:384b::c100 -- "--" 0 168 1 0 41630 0 41630 41630 41630 0 0 0 0 0 0 0 1 1
A 885 0x0000080200028000 1022171701.810764 1022171701.810764 0.000000 1 4 eth:ipv4:ipv6:UNK(133) 00:d0:02:6d:78:00 00:60:08:2c:ca:8e 0x86dd e499:578c:5090:81d0:891b:0:101:80a -- "--" 0 514:2343:2e3c:512::c100 -- "--" 0 133 1 0 55304 0 55304 55304 55304 0 0 0 0 0 0 0 1 1
A 1894 0x000008d200004000 1022171702.614414 1022171702.614414 0.000000 1 3 eth:ipv4:udp 00:80:48:b3:0e:ed 00:d0:02:6d:78:00 0x0800 138.212.188.118 jp "ASAHI KASEI CORPORATION" 0 201.9.46.255 br "Telemar Norte Leste S.A." 0 17 1 0 52 0 52 52 52 0 0 0 0 0 0 0 1 1
A 3047 0x0000080200028000 1022171704.484515 1022171704.484515 0.000000 1 4 eth:ipv4:ipv6:UNK(147) 00:d0:02:6d:78:00 00:a0:c9:07:e0:73 0x86dd baea:e860:8090:4470:cf67:0:101:50a -- "--" 0 baea:ee14:baeb:2ac::c100 -- "--" 0 147 1 0 18922 0 18922 18922 18922 0 0 0 0 0 0 0 1 1
A 3452 0x0000080200028000 1022171705.349871 1022171705.349871 0.000000 1 4 eth:ipv4:ipv6:UNK(126) 00:d0:02:6d:78:00 00:a0:c9:07:e0:73 0x86dd d973:ceac:5010:fa94:12db:0:101:80a -- "--" 0 12ea:b284:3:ceeb::c100 -- "--" 0 126 1 0 38816 0 38816 38816 38816 0 0 0 0 0 0 0 1 1
A 3992 0x0000080200005000 1022171706.878547 1022171707.000313 0.121766 2 4;4 eth:ipv4:gre:UNK(0x98c0);eth:ipv4:gre:UNK(0xb30d) 00:d0:02:6d:78:00 00:60:08:2c:ca:8e 0x0800 200.134.37.255 br "Associação Rede Nacional " 0 138.212.185.216 jp "ASAHI KASEI CORPORATION" 0 47 2 2 170 210 68 102 85 12.02081 0 0.121766 0.06088299 0.04305077 16.42495 1396.12 0 -0.1052632
B 3992 0x0000080200005001 1022171706.931865 1022171706.962666 0.030801 2 4;4 eth:ipv4:gre:UNK(0x9604);eth:ipv4:gre:UNK(0x386d) 00:60:08:2c:ca:8e 00:d0:02:6d:78:00 0x0800 138.212.185.216 jp "ASAHI KASEI CORPORATION" 0 200.134.37.255 br "Associação Rede Nacional " 0 47 2 2 210 170 76 134 105 20.5061 0 0.030801 0.0154005 0.0108898 64.93295 6817.96 0 0.1052632
A 4529 0x0000080200028000 1022171708.439927 1022171708.439927 0.000000 1 4 eth:ipv4:ipv6:UNK(95) 00:d0:02:6d:78:00 00:a0:c9:07:e0:73 0x86dd 48d5:5fad:50d0:16d0:4a16:0:101:80a -- "--" 0 53eb:c1d7:86:4d37::c100 -- "--" 0 95 1 0 28079 0 28079 28079 28079 0 0 0 0 0 0 0 1 1
A 4826 0x0000180200005000 1022171709.440443 1022171709.552021 0.111578 4 4;4;4;4 eth:ipv4:gre:UNK(0xa808);eth:ipv4:gre:UNK(0x7d69);eth:ipv4:gre:UNK(0x6f6d);eth:ipv4:gre:UNK(0x0104) 00:d0:02:6d:78:00 00:60:08:2d:05:66 0x0800 19.228.184.27 us "Ford Motor Company" 0 138.212.186.191 jp "ASAHI KASEI CORPORATION" 0 47 4 3 162 166 36 46 40.5 2.534484 0 0.111571 0.0278945 0.0363073 35.84936 1451.899 0.1428571 -0.01219512
B 4826 0x0000180200005001 1022171709.441758 1022171709.552128 0.110370 3 4;4;4 eth:ipv4:gre:UNK(0x5100);eth:ipv4:gre:UNK(0xc309);eth:ipv4:gre:UNK(0x1fa1) 00:60:08:2d:05:66 00:d0:02:6d:78:00 0x0800 138.212.186.191 jp "ASAHI KASEI CORPORATION" 0 19.228.184.27 us "Ford Motor Company" 0 47 3 4 166 162 48 66 55.33333 5.541092 0 0.109442 0.03679 0.0419465 27.1813 1504.032 -0.1428571 0.01219512
A 6023 0x0000080200028000 1022171713.252296 1022171713.252296 0.000000 1 4 eth:ipv4:ipv6:UNK(28) 00:d0:02:6d:78:00 00:a0:c9:07:e0:73 0x86dd 6f:1256:5050:4402:331e:0:101:50a -- "--" 0 223:fd3e:223:ff56::c100 -- "--" 0 28 1 0 2543 0 2543 2543 2543 0 0 0 0 0 0 0 1 1
A 6066 0x0000080200028000 1022171713.395746 1022171713.395746 0.000000 1 4 eth:ipv4:ipv6:UNK(229) 00:d0:02:6d:78:00 00:a0:c9:07:e0:73 0x86dd e29f:74ec:50d0:f53c:98e3:0:101:80a -- "--" 0 12ea:b5a9:3:cf3b::c100 -- "--" 0 229 1 0 22844 0 22844 22844 22844 0 0 0 0 0 0 0 1 1
A 6094 0x0000080200028000 1022171713.450109 1022171713.450109 0.000000 1 4 eth:ipv4:ipv6:UNK(64) 00:d0:02:6d:78:00 00:a0:c9:07:e0:73 0x86dd 392:fc19:5050:20e2:a7c3:0:101:80a -- "--" 0 be1:fcff:6ca:1b09::c100 -- "--" 0 64 1 0 174 0 174 174 174 0 0 0 0 0 0 0 1 1
A 6173 0x0000085200004000 1022171713.796490 1022171713.796491 0.000001 1 3 eth:ipv4:udp 00:d0:02:6d:78:00 00:80:c8:8f:ca:5e 0x0800 16.46.171.138 us "HEWLETT PACKARD ENTERPRISE " 0 138.212.189.231 jp "ASAHI KASEI CORPORATION" 0 17 2 0 2377 0 897 1480 1188.5 206.1216 0 1e-06 5e-07 3.535534e-07 2000000 2.377e+09 1 1
A 6913 0x0000080200028000 1022171716.432198 1022171716.432198 0.000000 1 4 eth:ipv4:ipv6:UNK(223) 00:d0:02:6d:78:00 00:a0:c9:07:e0:73 0x86dd 75a4:9abd:80d0:4470:b5e2:317b:101:50a -- "--" 0 75a4:a071:75a4:be39::c100 -- "--" 0 223 1 0 9 0 9 9 9 0 0 0 0 0 0 0 1 1
A 7045 0x0000080200028000 1022171716.967592 1022171716.967592 0.000000 1 4 eth:ipv4:ipv6:UNK(228) 00:d0:02:6d:78:00 00:a0:c9:07:e0:73 0x86dd 4b9:f24c:8090:4470:4b24:0:101:50a -- "--" 0 4b9:f800:4ba:c98::c100 -- "--" 0 228 1 0 54359 0 54359 54359 54359 0 0 0 0 0 0 0 1 1
A 7462 0x0000080200028000 1022171718.639159 1022171718.639159 0.000000 1 4 eth:ipv4:ipv6:UNK(23) 00:d0:02:6d:78:00 00:a0:c9:07:e0:73 0x86dd 169e:bdd8:5090:4470:e911:0:101:50a -- "--" 0 5dc9:ed57:5dc9:f687::c100 -- "--" 0 23 1 0 47306 0 47306 47306 47306 0 0 0 0 0 0 0 1 1
A 7826 0x0000080200028000 1022171719.869360 1022171719.869360 0.000000 1 4 eth:ipv4:ipv6:UNK(79) 00:d0:02:6d:78:00 00:50:04:56:32:a7 0x86dd 1439:5c49:5050:4470:c74a:0:101:80a -- "--" 0 53eb:c64f:86:4da9::c100 -- "--" 0 79 1 0 17563 0 17563 17563 17563 0 0 0 0 0 0 0 1 1
A 8640 0x0000080200028000 1022171722.741406 1022171722.741406 0.000000 1 4 eth:ipv4:ipv6:UNK(131) 00:20:18:80:4a:b6 00:d0:02:6d:78:00 0x86dd 153c:303:5090:1920:4005:0:101:50a -- "--" 0 b9bd:772f:b9bd:94f7::c100 -- "--" 0 131 1 0 15927 0 15927 15927 15927 0 0 0 0 0 0 0 1 1
A 8665 0x0000080200028000 1022171722.847259 1022171722.847259 0.000000 1 4 eth:ipv4:ipv6:UNK(22) 00:d0:02:6d:78:00 00:20:18:80:4a:b6 0x86dd b2e:42d1:5010:faf0:96fa:0:101:50a -- "--" 0 e4ba:2af3:e4ba:365b::c100 -- "--" 0 22 1 0 44888 0 44888 44888 44888 0 0 0 0 0 0 0 1 1
A 8891 0x0000080200028000 1022171723.637810 1022171723.637810 0.000000 1 4 eth:ipv4:ipv6:UNK(231) 00:d0:02:6d:78:00 00:a0:c9:07:e0:73 0x86dd d9d3:fbc:5090:4470:9b77:0:101:80a -- "--" 0 63c:854c:15b:8f49::c100 -- "--" 0 231 1 0 58513 0 58513 58513 58513 0 0 0 0 0 0 0 1 1
A 985 0x0000081a00004000 1022171701.848919 1022171726.366145 24.517226 1 3 eth:ipv4:udp 00:d0:02:6d:78:00 00:e0:29:04:0a:18 0x0800 201.232.53.168 co "EPM Telecomunicaciones S.A." 3289 138.212.189.228 jp "ASAHI KASEI CORPORATION" 1533 17 203 0 203200 0 58 1480 1000.985 661.1511 0 0.391237 0.1207745 0.1718241 8.279893 8288.051 1 1
A 3895 0x0000080a00005000 1022171706.645144 1022171726.589552 19.944408 4 4;4;4;4 eth:ipv4:gre:UNK(0xaa18);eth:ipv4:gre:UNK(0xe805);eth:ipv4:gre:UNK(0x1d11);eth:ipv4:gre:UNK(0x0e0f) 00:d0:02:6d:78:00 00:50:fc:20:5d:67 0x0800 201.9.4.49 br "Telemar Norte Leste S.A." 0 138.212.191.213 jp "ASAHI KASEI CORPORATION" 0 47 4 5 137 256 0 86 34.25 26.7212 0 11.01577 4.986102 3.825814 0.2005575 6.869093 -0.1111111 -0.302799
B 3895 0x0001080a00005001 1022171706.645835 1022171726.447349 19.801514 4 4;4;4;4 eth:ipv4:gre:UNK(0x8b00);eth:ipv4:gre:UNK(0x1400);eth:ipv4:gre:UNK(0x900a);eth:ipv4:gre:UNK(0xe6ef) 00:50:fc:20:5d:67 00:d0:02:6d:78:00 0x0800 138.212.191.213 jp "ASAHI KASEI CORPORATION" 0 201.9.4.49 br "Telemar Norte Leste S.A." 0 47 5 4 256 137 0 234 51.2 81.84808 0 10.97614 3.960303 3.838957 0.252506 12.9283 0.1111111 0.302799
A 98 0x0000081a00004000 1022171701.699706 1022171726.576813 24.877107 1 3 eth:ipv4:udp 00:80:48:b3:0e:ed 00:d0:02:6d:78:00 0x0800 138.212.188.118 jp "ASAHI KASEI CORPORATION" 655 201.9.46.255 br "Telemar Norte Leste S.A." 655 17 1014 508 765108 48768 52 1472 754.5444 706.6323 0 0.833577 0.02453363 0.04786205 40.76036 30755.5 0.3324573 0.8801587
A 1290 0x0000081a00004000 1022171702.058266 1022171726.575284 24.517018 1 3 eth:ipv4:udp 00:d0:02:6d:78:00 00:10:60:59:f1:4b 0x0800 16.103.245.128 us "HEWLETT PACKARD ENTERPRISE " 1120 138.212.191.249 jp "ASAHI KASEI CORPORATION" 1461 17 134 0 103940 0 58 1480 775.6716 693.8904 0 0.747904 0.1829628 0.1880735 5.465591 4239.504 1 1
A 1291 0x000008f200004000 1022171702.058274 1022171726.575521 24.517247 1 3 eth:ipv4:udp 00:d0:02:6d:78:00 00:10:60:59:f1:4b 0x0800 16.103.245.128 us "HEWLETT PACKARD ENTERPRISE " 0 138.212.191.249 jp "ASAHI KASEI CORPORATION" 0 17 64 0 94720 0 1480 1480 1480 0 0 0.747897 0.383082 0.08560037 2.610407 3863.403 1 1
A 9709 0x0000080200028000 1022171726.587705 1022171726.587705 0.000000 1 4 eth:ipv4:ipv6:UNK(114) 00:d0:02:6d:78:00 00:a0:c9:07:e0:73 0x86dd e8:3dce:50d0:2180:f660:0:101:80a -- "--" 0 514:2cf1:2e3c:ec2::c100 -- "--" 0 114 1 0 47 0 47 47 47 0 0 0 0 0 0 0 1 1
A 126 0x0000083a00004000 1022171701.700965 1022171726.594434 24.893469 1 3 eth:ipv4:udp 00:d0:02:6d:78:00 00:80:c8:8f:ca:5e 0x0800 16.46.171.138 us "HEWLETT PACKARD ENTERPRISE " 4623 138.212.189.231 jp "ASAHI KASEI CORPORATION" 1490 17 742 0 952154 0 885 1480 1283.226 271.766 0 0.202366 0.03354916 0.04754491 29.80701 38249.15 1 1
A 406 0x0000081a00004000 1022171701.717743 1022171726.607895 24.890152 1 3 eth:ipv4:udp 00:d0:02:6d:78:00 00:e0:29:04:0b:81 0x0800 18.14.224.62 us "Massachusetts Institute of " 4383 138.212.191.34 jp "ASAHI KASEI CORPORATION" 2428 17 136 0 154156 0 795 1472 1133.5 332.2789 0 0.665421 0.1830158 0.1876362 5.464008 6193.454 1 1
$If you don’t like tabs as a separator, change SEP_CHR from "\t" to any character(s) you like and recompile txtSink. The simplest method to do that is to use t2conf:
$ t2conf txtSink -D SEP_CHR='","'
$ t2build txtSink
...
$Alternatively, directly edit the value in utils/bin2txt.h:
Note however that some scripts and tools may require additional options if you change the default separator. So we will stick with tabs for this tutorial.
We use a lot of hex coded status variables because each info in the flow has to be multiplied by the number of flows T2 has to hold in memory and you will experience that selecting flows will be way easier with hex coding. Each bit has a meaning, please refer to basicFlow.pdf under doc/, e.g., by running t2doc basicFlow or type
$ tawk -V flowStat=0x0001080a00005001
The flowStat column with value 0x0001080a00005001 is to be interpreted as follows:
bit | flowStat | Description
=============================================================================
0 | 0x00000000 00000001 | Inverted flow, did not initiate connection
12 | 0x00000000 00001000 | GRE v1/2
14 | 0x00000000 00004000 | IPv4
33 | 0x00000002 00000000 | Acquired packet length < packet length in L3 header
35 | 0x00000008 00000000 | Acquired packet length < minimal L4 Header
43 | 0x00000800 00000000 | Stop dissecting
48 | 0x00010000 00000000 | Header description overrunA single A flow can be also the answering flow if the flowStat bit 0 is set. T2 sets this bit according to L4/7 info to the best of his knowledge. We will come back to that topic when discussing ICMP flows.
Now try to select flows yourself! Let’s say all flows of source port 443 and having an issue with the acquired packet length and where T2 stopped dissecting to prevent overrunning the pcap memory. A bitwise AND of flowStat and a mask is required and a selection of srcPort 443:
$ tawk 'bitsanyset($flowStat, 0x0000080f00000000) && sport(443)' annoloc2_flows.txt | tcol
dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPWho srcPort dstIP dstIPCC dstIPWho dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm
B 4072 0x0000000a00004001 1022171707.227811 1022171708.640243 1.412432 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:50:fc:2c:09:2a 0x0800 70.128.234.203 us "AT&T Corp." 443 138.212.190.164 jp "ASAHI KASEI CORPORATION" 1328 6 13 12 3907 917 0 536 300.5385 198.701 0 0.506266 0.1086486 0.118678 9.203983 2766.151 0.04 0.6198176
$A port 443 response from USA, AT&T to Japan the Asahi Kasei Corp. Interesting, somebody browsing? If you are really interested in what the person is doing, you need to add the sslDecode plugin or look into the traffic with httpSniffer, maybe they have a configuration error and everything is plain text. But careful! Look at the flowStat, it says that even the L4 header is clipped, so these content plugins are useless. Having so many warnings in your end report, you should immediately make the guy who gave you this crap eat furniture. Whoops, that was me. So better not.
Nevertheless, this happens in practice, so the warning flags are very useful to save valuable analysis time. Play around a little bit and you will discover how easy it is to select and assess the health and utility of specific flows or even whole pcaps.
Sometimes admins are only interested in standard 5 tuples (srcIP, srcPort, dstIP, dstPort, l4Proto), just plain NetFlow5 output. To configure that move to the plugins directory or use tranpl, a bash alias. Then move to basicFlow/src and open basicFlow.h Or just type the plugin name.
$ tranpl
$ cd basicFlow/src
$ vi basicFlow.hAlternatively:
$ basicFlow
$ vi src/basicFlow.hChange the following constants to 0:
...
BFO_MAC 1 // 1: Enables / 0: Disables MAC addresses output
BFO_ETHERTYPE 1 // 1: Enables / 0: Disables Ethertype header output
BFO_VLAN 1 // 0: Do not output VLAN information,
// 1: Output VLAN numbers,
// 2: Output VLAN headers as hex
// 3: Output decoded VLAN headers as TPID_PCP_DEI_VID (TODO)
...
BFO_SUBNET_TEST 1 // 1: Enables / 0: Disables subnet test
...
// Maximum number of values to store
BFO_MAX_HDRDESC 4 // Maximum number of headers descriptions to store
...Then move to basicStats, open basicStats.h
$ basicStats
$ vi src/basicStats.hAnd change these constants to 0
...
BS_REV_CNT 0 // 1: add reverse counts from opposite flow, 0: native send counts
BS_STATS 0 // 1: basic statistics, 0: only counts
...If you do not dare to edit .h files, then use the following command sequence:
$ t2conf basicFlow -D BFO_MAC=0 -D BFO_ETHERTYPE=0 -D BFO_VLAN=0 -D BFO_SUBNET_TEST=0 -D BFO_MAX_HDRDESC=0
$ t2conf basicStats -D BS_REV_CNT=0 -D BS_STATS=0
$Recompile the two plugins and invoke t2:
$ t2build basicFlow basicStats
$ t2 -r ~/data/annoloc2.pcap -w ~/results
...And here is your NetFlow5 output.
$ tawk 'bitsanyset($flowStat, 0x0000080100000000)' annoloc2_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration srcIP srcPort dstIP dstPort l4Proto numPktsSnt numBytesSnt
A 260 0x0000080200028000 1022171701.707777 1022171701.707777 0.000000 cfb6:1c18:5010:faf0:7f66:0:101:80a 0 6c2:6a7f:1:384b::c100 0 168 1 41630
A 885 0x0000080200028000 1022171701.810764 1022171701.810764 0.000000 e499:578c:5090:81d0:891b:0:101:80a 0 514:2343:2e3c:512::c100 0 133 1 55304
A 1894 0x000008d200004000 1022171702.614414 1022171702.614414 0.000000 138.212.188.118 0 201.9.46.255 0 17 1 52
A 3047 0x0000080200028000 1022171704.484515 1022171704.484515 0.000000 baea:e860:8090:4470:cf67:0:101:50a 0 baea:ee14:baeb:2ac::c100 0 147 1 18922
A 3452 0x0000080200028000 1022171705.349871 1022171705.349871 0.000000 d973:ceac:5010:fa94:12db:0:101:80a 0 12ea:b284:3:ceeb::c100 0 126 1 38816
A 3992 0x0000080200005000 1022171706.878547 1022171707.000313 0.121766 200.134.37.255 0 138.212.185.216 0 47 2 170
B 3992 0x0000080200005001 1022171706.931865 1022171706.962666 0.030801 138.212.185.216 0 200.134.37.255 0 47 2 210
A 4529 0x0000080200028000 1022171708.439927 1022171708.439927 0.000000 48d5:5fad:50d0:16d0:4a16:0:101:80a 0 53eb:c1d7:86:4d37::c100 0 95 1 28079
A 4826 0x0000180200005000 1022171709.440443 1022171709.552021 0.111578 19.228.184.27 0 138.212.186.191 0 47 4 162
B 4826 0x0000180200005001 1022171709.441758 1022171709.552128 0.110370 138.212.186.191 0 19.228.184.27 0 47 3 166
A 6023 0x0000080200028000 1022171713.252296 1022171713.252296 0.000000 6f:1256:5050:4402:331e:0:101:50a 0 223:fd3e:223:ff56::c100 0 28 1 2543
A 6066 0x0000080200028000 1022171713.395746 1022171713.395746 0.000000 e29f:74ec:50d0:f53c:98e3:0:101:80a 0 12ea:b5a9:3:cf3b::c100 0 229 1 22844
A 6094 0x0000080200028000 1022171713.450109 1022171713.450109 0.000000 392:fc19:5050:20e2:a7c3:0:101:80a 0 be1:fcff:6ca:1b09::c100 0 64 1 174
A 6173 0x0000085200004000 1022171713.796490 1022171713.796491 0.000001 16.46.171.138 0 138.212.189.231 0 17 2 2377
A 6913 0x0000080200028000 1022171716.432198 1022171716.432198 0.000000 75a4:9abd:80d0:4470:b5e2:317b:101:50a 0 75a4:a071:75a4:be39::c100 0 223 1 9
A 7045 0x0000080200028000 1022171716.967592 1022171716.967592 0.000000 4b9:f24c:8090:4470:4b24:0:101:50a 0 4b9:f800:4ba:c98::c100 0 228 1 54359
A 7462 0x0000080200028000 1022171718.639159 1022171718.639159 0.000000 169e:bdd8:5090:4470:e911:0:101:50a 0 5dc9:ed57:5dc9:f687::c100 0 23 1 47306
A 7826 0x0000080200028000 1022171719.869360 1022171719.869360 0.000000 1439:5c49:5050:4470:c74a:0:101:80a 0 53eb:c64f:86:4da9::c100 0 79 1 17563
A 8640 0x0000080200028000 1022171722.741406 1022171722.741406 0.000000 153c:303:5090:1920:4005:0:101:50a 0 b9bd:772f:b9bd:94f7::c100 0 131 1 15927
A 8665 0x0000080200028000 1022171722.847259 1022171722.847259 0.000000 b2e:42d1:5010:faf0:96fa:0:101:50a 0 e4ba:2af3:e4ba:365b::c100 0 22 1 44888
A 8891 0x0000080200028000 1022171723.637810 1022171723.637810 0.000000 d9d3:fbc:5090:4470:9b77:0:101:80a 0 63c:854c:15b:8f49::c100 0 231 1 58513
A 985 0x0000081a00004000 1022171701.848919 1022171726.366145 24.517226 201.232.53.168 3289 138.212.189.228 1533 17 203 203200
A 3895 0x0000080a00005000 1022171706.645144 1022171726.589552 19.944408 201.9.4.49 0 138.212.191.213 0 47 4 137
B 3895 0x0000080a00005001 1022171706.645835 1022171726.447349 19.801514 138.212.191.213 0 201.9.4.49 0 47 5 256
A 98 0x0000081a00004000 1022171701.699706 1022171726.576813 24.877107 138.212.188.118 655 201.9.46.255 655 17 1014 765108
A 1290 0x0000081a00004000 1022171702.058266 1022171726.575284 24.517018 16.103.245.128 1120 138.212.191.249 1461 17 134 103940
A 1291 0x000008f200004000 1022171702.058274 1022171726.575521 24.517247 16.103.245.128 0 138.212.191.249 0 17 64 94720
A 9709 0x0000080200028000 1022171726.587705 1022171726.587705 0.000000 e8:3dce:50d0:2180:f660:0:101:80a 0 514:2cf1:2e3c:ec2::c100 0 114 1 47
A 126 0x0000083a00004000 1022171701.700965 1022171726.594434 24.893469 16.46.171.138 4623 138.212.189.231 1490 17 742 952154
A 406 0x0000081a00004000 1022171701.717743 1022171726.607895 24.890152 18.14.224.62 4383 138.212.191.34 2428 17 136 154156
$flowInd and flowStat enable you to identify or select flows or connect packets to their flows. Sometimes people are just into simple boring NetFlow5 output, so use the following cut command:
$ tawk 'bitsanyset($flowStat, 0x0000080100000000)' annoloc2_flows.txt | cut -f 1,4- | tcol
%dir timeFirst timeLast duration srcIP srcPort dstIP dstPort l4Proto numPktsSnt numBytesSnt
A 1022171701.707777 1022171701.707777 0.000000 cfb6:1c18:5010:faf0:7f66:0:101:80a 0 6c2:6a7f:1:384b::c100 0 168 1 41630
A 1022171701.810764 1022171701.810764 0.000000 e499:578c:5090:81d0:891b:0:101:80a 0 514:2343:2e3c:512::c100 0 133 1 55304
A 1022171702.614414 1022171702.614414 0.000000 138.212.188.118 0 201.9.46.255 0 17 1 52
A 1022171704.484515 1022171704.484515 0.000000 baea:e860:8090:4470:cf67:0:101:50a 0 baea:ee14:baeb:2ac::c100 0 147 1 18922
A 1022171705.349871 1022171705.349871 0.000000 d973:ceac:5010:fa94:12db:0:101:80a 0 12ea:b284:3:ceeb::c100 0 126 1 38816
A 1022171706.878547 1022171707.000313 0.121766 200.134.37.255 0 138.212.185.216 0 47 2 170
B 1022171706.931865 1022171706.962666 0.030801 138.212.185.216 0 200.134.37.255 0 47 2 210
A 1022171708.439927 1022171708.439927 0.000000 48d5:5fad:50d0:16d0:4a16:0:101:80a 0 53eb:c1d7:86:4d37::c100 0 95 1 28079
A 1022171709.440443 1022171709.552021 0.111578 19.228.184.27 0 138.212.186.191 0 47 4 162
B 1022171709.441758 1022171709.552128 0.110370 138.212.186.191 0 19.228.184.27 0 47 3 166
A 1022171713.252296 1022171713.252296 0.000000 6f:1256:5050:4402:331e:0:101:50a 0 223:fd3e:223:ff56::c100 0 28 1 2543
A 1022171713.395746 1022171713.395746 0.000000 e29f:74ec:50d0:f53c:98e3:0:101:80a 0 12ea:b5a9:3:cf3b::c100 0 229 1 22844
A 1022171713.450109 1022171713.450109 0.000000 392:fc19:5050:20e2:a7c3:0:101:80a 0 be1:fcff:6ca:1b09::c100 0 64 1 174
A 1022171713.796490 1022171713.796491 0.000001 16.46.171.138 0 138.212.189.231 0 17 2 2377
A 1022171716.432198 1022171716.432198 0.000000 75a4:9abd:80d0:4470:b5e2:317b:101:50a 0 75a4:a071:75a4:be39::c100 0 223 1 9
A 1022171716.967592 1022171716.967592 0.000000 4b9:f24c:8090:4470:4b24:0:101:50a 0 4b9:f800:4ba:c98::c100 0 228 1 54359
A 1022171718.639159 1022171718.639159 0.000000 169e:bdd8:5090:4470:e911:0:101:50a 0 5dc9:ed57:5dc9:f687::c100 0 23 1 47306
A 1022171719.869360 1022171719.869360 0.000000 1439:5c49:5050:4470:c74a:0:101:80a 0 53eb:c64f:86:4da9::c100 0 79 1 17563
A 1022171722.741406 1022171722.741406 0.000000 153c:303:5090:1920:4005:0:101:50a 0 b9bd:772f:b9bd:94f7::c100 0 131 1 15927
A 1022171722.847259 1022171722.847259 0.000000 b2e:42d1:5010:faf0:96fa:0:101:50a 0 e4ba:2af3:e4ba:365b::c100 0 22 1 44888
A 1022171723.637810 1022171723.637810 0.000000 d9d3:fbc:5090:4470:9b77:0:101:80a 0 63c:854c:15b:8f49::c100 0 231 1 58513
A 1022171701.848919 1022171726.366145 24.517226 201.232.53.168 3289 138.212.189.228 1533 17 203 203200
A 1022171706.645144 1022171726.589552 19.944408 201.9.4.49 0 138.212.191.213 0 47 4 137
B 1022171706.645835 1022171726.447349 19.801514 138.212.191.213 0 201.9.4.49 0 47 5 256
A 1022171701.699706 1022171726.576813 24.877107 138.212.188.118 655 201.9.46.255 655 17 1014 765108
A 1022171702.058266 1022171726.575284 24.517018 16.103.245.128 1120 138.212.191.249 1461 17 134 103940
A 1022171702.058274 1022171726.575521 24.517247 16.103.245.128 0 138.212.191.249 0 17 64 94720
A 1022171726.587705 1022171726.587705 0.000000 e8:3dce:50d0:2180:f660:0:101:80a 0 514:2cf1:2e3c:ec2::c100 0 114 1 47
A 1022171701.700965 1022171726.594434 24.893469 16.46.171.138 4623 138.212.189.231 1490 17 742 952154
A 1022171701.717743 1022171726.607895 24.890152 18.14.224.62 4383 138.212.191.34 2428 17 136 154156
...
$As you can see, flowInd is now gone. There are more tricks with tawk, many of which are discussed in the Post processing with TAWK tutorial.
Now reset basicFlow and basicStats to the default configuration, so change the constants back to 1 and recompile the plugins with t2build. This time, we will use t2conf to reconfigure the plugin:
$ t2conf basicFlow -D BFO_MAC=1 -D BFO_ETHERTYPE=1 -D BFO_VLAN=1 -D BFO_SUBNET_TEST=1 -D BFO_MAX_HDRDESC=4
$ t2conf basicStats -D BS_REV_CNT=1 -D BS_STATS=1
$ t2build basicFlow basicStats
...
$Much easier than editing the .h files, right?
Layer 4 based plugins
Now we are adding L4 information which does the following jobs:
| tcpFlags | IP, UDP, TCP aggregated flags and anomaly status |
| tcpStates | TCP state-machine and RFC checks. Terminates TCP flows after a RST or FIN |
For a much more detailed tutorial about tcpFlags, refer to the IP/TCP Troubleshooting and hidden figures tutorial.
Now compile them and run t2:
$ t2build tcpFlags tcpStates
...
$ t2 -r ~/data/annoloc2.pcap -w ~/results
...
--------------------------------------------------------------------------------
basicStats: Biggest Talker: 138.212.189.38: 23601 (23.60 K) [1.94%] packets
basicStats: Biggest Talker: 138.212.189.38: 35005508 (35.01 M) [54.63%] bytes
tcpFlags: Aggregated ipFlags: 0x3966
tcpFlags: Aggregated tcpAnomaly: 0xff47
tcpFlags: Number of TCP scans, succ scans, syn retries, seq retries: 685, 2569 (2.57 K), 114, 933
tcpFlags: Number WinSz below 1: 2415 (2.42 K) [0.25%]
tcpStates: Aggregated anomaly flags: 0xdf
--------------------------------------------------------------------------------
...Note that additional aggregated fields have appeared between the ------ lines of the end report:
| tcpFlags | ipFlags, tcpAnomaly, TCP scans, successful scans and retries and tcpWinSzMin: |
| all kinds of info for troubleshooting and security purposes | |
| tcpStates | aggregated anomaly flags, denoting deviations from RFC |
The hex numbers denote aggregated anomaly output, where each bit has a specific meaning. Note that there are many flows where the TCP window size drops below 1. There are also several retries and scans detected.
All bit fields are documented under each plugin folder or under doc/documentation.pdf. Alternatively use tawk -V name=value as discussed earlier.
Now you have NetFlow9/10 + a bit more. Look at all the anomaly bits in the end report. That is too much for the beginning. Let’s do something more interesting, let’s say your manager imposed the rule that nobody should communicate with China, because he thinks that there are no business ties with this country.
So he comes to you and demands the answer to the following question: Is there any traffic initiating connection egress to China?
$ tawk 'bitsanyset($flowStat, 1) == 0 && ($dstIPCC == "cn") { print $srcIP, $srcIPCC, $dstIP, $dstIPCC }' annoloc2_flows.txt | sort -V -u | tcol
138.212.184.34 jp 36.192.216.3 cn
138.212.184.42 jp 36.214.21.116 cn
138.212.184.71 jp 36.16.139.73 cn
138.212.184.71 jp 36.218.130.149 cn
138.212.184.225 jp 36.105.24.77 cn
138.212.185.98 jp 219.232.227.27 cn
138.212.185.166 jp 36.113.81.55 cn
138.212.185.166 jp 36.218.146.232 cn
138.212.185.186 jp 36.40.33.231 cn
138.212.185.186 jp 36.104.78.199 cn
...Here you have a list of IP’s communicating to China, the lowest bit in flowStat denotes the initiation of the connection, a 0 means the srcIP started the flow.
But you are interested in the flow details (the hdr() command adds the header to the resulting output, which otherwise would be filtered):
$ tawk 'hdr() || ($dstIPCC == "cn" && tcp())' annoloc2_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPWho srcPort dstIP dstIPCC dstIPWho dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpFStat ipMindIPID ipMaxdIPID ipMinTTL ipMaxTTL ipTTLChg ipTOS ipFlags ipOptCnt ipOptCpCl_Num ip6OptCntHH_D ip6OptHH_D tcpISeqN tcpPSeqCnt tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt tcpFlags tcpAnomaly tcpOptPktCnt tcpOptCnt tcpOptions tcpMSS tcpWS tcpTmS tcpTmER tcpEcI tcpUtm tcpBtm tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAve tcpRTTAckTripJitAve tcpRTTSseqAA tcpRTTAckJitAve tcpStates
B 2208 0x0000000200004001 1022171703.077130 1022171703.077130 0.000000 1 3 eth:ipv4:tcp 00:05:02:a7:59:98 00:d0:02:6d:78:00 0x0800 138.212.184.140 jp "ASAHI KASEI CORPORATION" 5500 36.204.73.10 cn "China TieTong Telecommunica" 57019 6 1 1 11 0 11 11 11 0 0 0 0 0 0 0 0 1 0x0064 65535 0 255 255 0 0x00 0x1840 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0x54 0x0004 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0.03941 0.03941 0.03941 0.03941 0 0.03941 0 0x43
A 3100 0x0000000000004000 1022171704.554485 1022171704.554485 0.000000 1 3 eth:ipv4:tcp 00:60:08:78:1b:63 00:d0:02:6d:78:00 0x0800 138.212.187.203 jp "ASAHI KASEI CORPORATION" 1825 36.176.200.106 cn "China Mobile Communications" 4567 6 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x0046 65535 0 128 128 0 0x00 0x0840 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3569114039 0 0 0 0 0 0 16384 16384 16384 16384 0 0 0 0 0x02 0x0000 1 4 0x00000016 1460 1 0 0 0 0.000000 0.000000 0 65535 0 0 0 0.108845 -1 0x03
B 3351 0x0000000000004001 1022171705.071644 1022171705.071644 0.000000 1 3 eth:ipv4:tcp 00:50:bf:59:85:48 00:d0:02:6d:78:00 0x0800 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 58.204.250.125 cn "China Education and Researc" 4120 6 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x0064 65535 0 128 128 0 0x00 0x0800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0xd4 0x0004 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0.008885 0.008885 0.008885 0.008885 0 0.008885 0 0x43
A 3376 0x0000000000004000 1022171705.145409 1022171705.145409 0.000000 1 3 eth:ipv4:tcp 00:60:08:78:1b:63 00:d0:02:6d:78:00 0x0800 138.212.187.203 jp "ASAHI KASEI CORPORATION" 1825 36.176.200.106 cn "China Mobile Communications" 4567 6 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x0046 65535 0 128 128 0 0x00 0x0840 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3569114039 0 0 0 0 0 0 16384 16384 16384 16384 0 0 0 0 0x02 0x0000 1 4 0x00000016 1460 1 0 0 0 0.000000 0.000000 0 65535 0 0 0 0.111789 -1 0x03
B 3616 0x0000000000004001 1022171705.707891 1022171705.707891 0.000000 1 3 eth:ipv4:tcp 00:00:1c:b6:16:3f 00:d0:02:6d:78:00 0x0800 138.212.185.186 jp "ASAHI KASEI CORPORATION" 6346 36.153.30.56 cn "China Mobile Communications" 4579 6 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x0064 65535 0 127 127 0 0x00 0x0800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0x54 0x0004 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0.002816 0.002816 0.002816 0.002816 0 0.002816 0 0x43
...Let’s assume that there are no business ties to China, right?! Or is it legal traffic…? Is there malware in the company? There is seriously something fishy.
Let’s ask more about anomalies, such as broken fragmentation, aka fragmentation positional errors:
$ tawk -V ipFlags
The ipFlags column is to be interpreted as follows:
bit | ipFlags | Description
=============================================================================
0 | 0x0001 | IP options corrupt
1 | 0x0002 | IPv4 packets out of order
2 | 0x0004 | IPv4 ID roll over
3 | 0x0008 | IP fragment below minimum
4 | 0x0010 | IP fragment out of range
5 | 0x0020 | More Fragment bit
6 | 0x0040 | IPv4: Don't Fragment bit, IPv6: reserve bit
7 | 0x0080 | Reserve bit
8 | 0x0100 | Fragmentation position error
9 | 0x0200 | Fragmentation sequence error
10 | 0x0400 | L3 checksum error
11 | 0x0800 | L4 checksum error
12 | 0x1000 | L3 header length snapped
13 | 0x2000 | Packet interdistance = 0
14 | 0x4000 | Packet interdistance < 0
15 | 0x8000 | TCP SYN flag with L7 content
So select all flows with fragmentation or anomalies:
$ tawk 'bitsanyset($ipFlags, 0x0318)' annoloc2_flows.txt | tcol
dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPWho srcPort dstIP dstIPCC dstIPWho dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpFStat ipMindIPID ipMaxdIPID ipMinTTL ipMaxTTL ipTTLChg ipTOS ipFlags ipOptCnt ipOptCpCl_Num ip6OptCntHH_D ip6OptHH_D tcpISeqN tcpPSeqCnt tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt tcpFlags tcpAnomaly tcpOptPktCnt tcpOptCnt tcpOptions tcpMSS tcpWS tcpTmS tcpTmER tcpEcI tcpUtm tcpBtm tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAve tcpRTTAckTripJitAve tcpRTTSseqAA tcpRTTAckJitAve tcpStates
A 1895 0x000008d200004000 1022171702.614414 1022171702.614414 0.000000 1 3 eth:ipv4:udp 00:80:48:b3:0e:ed 00:d0:02:6d:78:00 0x0800 138.212.188.118 jp "ASAHI KASEI CORPORATION" 0 201.9.46.255 br "Telemar Norte Leste S.A." 0 17 1 0 52 0 52 52 52 0 0 0 0 0 0 0 1 1 0x0000 65535 0 64 64 0 0x00 0x0900 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x00 0x0000 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 65535 0 0 0 0 -1 0x00
A 6289 0x0000085200004000 1022171713.796490 1022171713.796491 0.000001 1 3 eth:ipv4:udp 00:d0:02:6d:78:00 00:80:c8:8f:ca:5e 0x0800 16.46.171.138 us "HEWLETT PACKARD ENTERPRISE " 0 138.212.189.231 jp "ASAHI KASEI CORPORATION" 0 17 2 0 2377 0 897 1480 1188.5 206.1216 0 1e-06 5e-07 3.535534e-07 2000000 2.377e+09 1 1 0x0000 0 0 114 114 0 0x00 0x0920 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x00 0x0000 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 65535 0 0 0 0 -1 0x00
A 985 0x0000081a00004000 1022171701.848919 1022171726.366145 24.517226 1 3 eth:ipv4:udp 00:d0:02:6d:78:00 00:e0:29:04:0a:18 0x0800 201.232.53.168 co "EPM Telecomunicaciones S.A." 3289 138.212.189.228 jp "ASAHI KASEI CORPORATION" 1533 17 203 0 203200 0 58 1480 1000.985 661.1511 0 0.391237 0.1207745 0.1718241 8.279893 8288.051 1 1 0x0000 0 140 119 119 0 0x00 0x3920 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x00 0x0000 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 65535 0 0 0 0 -1 0x00
A 1290 0x0000081a00004000 1022171702.058266 1022171726.575284 24.517018 1 3 eth:ipv4:udp 00:d0:02:6d:78:00 00:10:60:59:f1:4b 0x0800 16.103.245.128 us "HEWLETT PACKARD ENTERPRISE " 1120 138.212.191.249 jp "ASAHI KASEI CORPORATION" 1461 17 134 0 103940 0 58 1480 775.6716 693.8904 0 0.747904 0.1829628 0.1880735 5.465591 4239.504 1 1 0x0000 0 4008 111 111 0 0x00 0x3924 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x00 0x0000 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 65535 0 0 0 0 -1 0x00
A 1291 0x000008f200004000 1022171702.058274 1022171726.575521 24.517247 1 3 eth:ipv4:udp 00:d0:02:6d:78:00 00:10:60:59:f1:4b 0x0800 16.103.245.128 us "HEWLETT PACKARD ENTERPRISE " 0 138.212.191.249 jp "ASAHI KASEI CORPORATION" 0 17 64 0 94720 0 1480 1480 1480 0 0 0.747897 0.383082 0.08560037 2.610407 3863.403 1 1 0x0000 1961 4008 111 111 0 0x00 0x0324 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x00 0x0000 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 65535 0 0 0 0 -1 0x00
A 126 0x0000083a00004000 1022171701.700965 1022171726.594434 24.893469 1 3 eth:ipv4:udp 00:d0:02:6d:78:00 00:80:c8:8f:ca:5e 0x0800 16.46.171.138 us "HEWLETT PACKARD ENTERPRISE " 4623 138.212.189.231 jp "ASAHI KASEI CORPORATION" 1490 17 742 0 952154 0 885 1480 1283.226 271.766 0 0.202366 0.03354916 0.04754491 29.80701 38249.15 1 1 0x0000 0 584 114 114 0 0x00 0x3a24 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x00 0x0000 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 65535 0 0 0 0 -1 0x00
$Now let’s look for TCP anomalies, such as abnormal flag combinations appearing in packets. The column tcpAnomaly contains flags for combination of flags and anomalies concerning sequence numbers.
$ tawk -V tcpAnomaly
The tcpAnomaly column is to be interpreted as follows:
bit | tcpAnomaly | Description
=============================================================================
0 | 0x0001 | FIN-ACK flag
1 | 0x0002 | SYN-ACK flag
2 | 0x0004 | RST-ACK flag
3 | 0x0008 | SYN-FIN flag, scan or malicious packet
4 | 0x0010 | SYN-FIN-RST flag, potential malicious scan packet or channel
5 | 0x0020 | FIN-RST flag, abnormal flow termination
6 | 0x0040 | Null flag, potential NULL scan packet, or malicious channel
7 | 0x0080 | XMas flag, potential Xmas scan packet, or malicious channel
8 | 0x0100 | L4 option field corrupt or not acquired
9 | 0x0200 | SYN retransmission
10 | 0x0400 | Sequence Number retry
11 | 0x0800 | Sequence Number out of order
12 | 0x1000 | Sequence mess in flow order due to pcap packet loss
13 | 0x2000 | Sequence number jump forward
14 | 0x4000 | ACK number out of order
15 | 0x8000 | Duplicate ACKSo select the following bit mask:
$ tawk 'bitsanyset($tcpAnomaly, 0x00f8)' annoloc2_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPWho srcPort dstIP dstIPCC dstIPWho dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpFStat ipMindIPID ipMaxdIPID ipMinTTL ipMaxTTL ipTTLChg ipTOS ipFlags ipOptCnt ipOptCpCl_Num ip6OptCntHH_D ip6OptHH_D tcpISeqN tcpPSeqCnt tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt tcpFlags tcpAnomaly tcpOptPktCnt tcpOptCnt tcpOptions tcpMSS tcpWS tcpTmS tcpTmER tcpEcI tcpUtm tcpBtm tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAve tcpRTTAckTripJitAve tcpRTTSseqAA tcpRTTAckJitAve tcpStates
A 887 0x0000000a00008000 1022171701.811168 1022171701.811168 0.000000 1 3 eth:ipv6:tcp 00:60:08:2c:ca:8e 00:40:05:56:05:f0 0x86dd 3ffe:7c9b:e2:4ca6:4c::b0 -- "--" 48458 3ffe:7c9b:f5:8b05::2f50 -- "--" 6667 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0042 65535 0 64 64 0 0x00 0x1800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1014442254 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 65535 0 0 0 0 -1 0x83
A 852 0x0000000a00024000 1022171701.803251 1022171702.336097 0.532846 1 4 eth:ipv4:ipv4:tcp 00:d0:02:6d:78:00 00:00:21:ef:64:92 0x0800 201.98.74.248 mx "Uninet S.A. de C.V." 5642 19.54.248.131 us "Ford Motor Company" 997 6 2 2 101 125 12 89 50.5 27.22361 0 0.532846 0.266423 0.1883895 3.75343 189.5482 0 -0.1061947 0x0044 3493 3493 57 57 0 0x00 0x1840 0 0x00_0x00000000 0_0 0x00000000_0x00000000 4122508806 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.110085 0.110085 0.0550425 0.03892093 0 -1 0x87
B 852 0x0000000a00024001 1022171701.903727 1022171702.226012 0.322285 1 4 eth:ipv4:ipv4:tcp 00:00:21:ef:64:92 00:d0:02:6d:78:00 0x0800 19.54.248.131 us "Ford Motor Company" 997 201.98.74.248 mx "Uninet S.A. de C.V." 5642 6 2 2 125 101 12 113 62.5 35.70889 0 0.322285 0.1611425 0.113945 6.205688 387.8555 0 0.1061947 0x0044 56884 56884 64 64 0 0x00 0x1840 0 0x00_0x00000000 0_0 0x00000000_0x00000000 140052278 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.100476 0.422761 0.2616185 0.113945 0.316661 0.1204089 0x87
A 2661 0x0000000a00008000 1022171703.710373 1022171703.859739 0.149366 1 3 eth:ipv6:tcp 00:01:02:af:4a:b4 00:80:48:cd:88:83 0x86dd 2001:70e8:d3ce:e200:de45:6dff:c7ad:c251 -- "--" 32798 2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf -- "--" 6667 6 2 2 17 64 0 17 8.5 6.010407 0 0.149366 0.074683 0.05280886 13.38993 113.8144 0 -0.5802469 0x0044 65535 0 64 64 0 0x00 0x1800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1847667841 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.008073 0.008073 0.0040365 0.002854237 0 -1 0x87
B 2661 0x0000000a00008001 1022171703.742177 1022171703.851666 0.109489 1 3 eth:ipv6:tcp 00:80:48:cd:88:83 00:01:02:af:4a:b4 0x86dd 2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf -- "--" 6667 2001:70e8:d3ce:e200:de45:6dff:c7ad:c251 -- "--" 32798 6 2 2 64 17 0 64 32 22.62742 0 0.109489 0.0547445 0.03871021 18.26667 584.5336 0 0.5802469 0x0044 65535 0 64 64 0 0x00 0x1800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1910873099 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.031804 0.141293 0.0865485 0.03871021 0.090585 0.03881529 0x87
A 4046 0x0000000a00008000 1022171706.884790 1022171707.007311 0.122521 1 3 eth:ipv6:tcp 00:60:08:2c:ca:8e 00:80:48:cd:88:83 0x86dd 2001:70e8:d3ce:e202::30:26 -- "--" 2128 2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf -- "--" 6668 6 2 2 30 66 0 30 15 10.6066 0 0.122521 0.06126049 0.04331771 16.32373 244.856 0 -0.375 0x0044 65535 0 63 63 0 0x00 0x1800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3123119758 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.052077 0.052077 0.0260385 0.018412 0 -1 0x87
B 4046 0x0000000a00008001 1022171706.922668 1022171706.955234 0.032566 1 3 eth:ipv6:tcp 00:40:05:56:05:f0 00:60:08:2c:ca:8e 0x86dd 2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf -- "--" 6668 2001:70e8:d3ce:e202::30:26 -- "--" 2128 6 2 2 66 30 0 66 33 23.33452 0 0.032566 0.016283 0.01151382 61.41375 2026.654 0 0.375 0x0044 65535 0 63 63 0 0x00 0x1800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3303108112 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.037878 0.070444 0.054161 0.01151382 0.08019949 0.02171566 0x87
A 4570 0x0000000a00024000 1022171708.338404 1022171708.552551 0.214147 1 4 eth:ipv4:ipv4:tcp 00:d0:02:6d:78:00 00:00:21:ef:64:92 0x0800 83.45.68.186 es "Telefonica de Espana SAU" 33790 19.54.248.131 us "Ford Motor Company" 997 6 2 1 77 81 12 65 38.5 18.73833 0 0.214147 0.1070735 0.0757124 9.339379 359.5661 0.3333333 -0.02531646 0x0044 5 5 48 48 0 0x00 0x1800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2293331853 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.203134 0.203134 0.101567 0.07181872 0 -1 0x87
B 4570 0x0000000a00024001 1022171708.349417 1022171708.349417 0.000000 1 4 eth:ipv4:ipv4:tcp 00:00:21:ef:64:92 00:d0:02:6d:78:00 0x0800 19.54.248.131 us "Ford Motor Company" 997 83.45.68.186 es "Telefonica de Espana SAU" 33790 6 1 2 81 77 81 81 81 0 0 0 0 0 0 0 -0.3333333 0.02531646 0x0044 65535 0 64 64 0 0x00 0x1840 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3194778849 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.011013 0.011013 0.011013 0 0.11258 0.07181872 0x87
A 5357 0x0000000a00008000 1022171710.810212 1022171710.810212 0.000000 1 3 eth:ipv6:tcp 00:40:05:56:05:f0 00:50:fc:20:90:a5 0x86dd 3ffe:7c9b:f5:8b05::2f50 -- "--" 6667 2001:70e8:d3ce:e200:de29:6aff:91cc:d9a -- "--" 2912 6 1 1 70 0 70 70 70 0 0 0 0 0 0 0 0 1 0x0046 65535 0 56 56 0 0x00 0x1800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 4066598530 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 65535 0 0 0 0 -1 0x83
B 5357 0x0000000a00008001 1022171710.910120 1022171710.910120 0.000000 1 3 eth:ipv6:tcp 00:50:fc:20:90:a5 00:40:05:56:05:f0 0x86dd 2001:70e8:d3ce:e200:de29:6aff:91cc:d9a -- "--" 2912 3ffe:7c9b:f5:8b05::2f50 -- "--" 6667 6 1 1 0 70 0 0 0 0 0 0 0 0 0 0 0 -1 0x0044 65535 0 64 64 0 0x00 0x1800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 293306349 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.099908 0.099908 0.099908 0 0.099908 0 0x83
A 5607 0x0000000a00024000 1022171711.507332 1022171711.632627 0.125295 1 4 eth:ipv4:ipv4:tcp 00:00:21:ef:64:92 00:d0:02:6d:78:00 0x0800 19.54.248.131 us "Ford Motor Company" 52912 19.54.241.75 us "Ford Motor Company" 6667 6 2 2 57 113 12 45 28.5 11.66726 0 0.125295 0.0626475 0.04429847 15.96233 454.9264 0 -0.3294118 0x0044 7946 7946 64 64 0 0x00 0x1844 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2270158897 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.097721 0.097721 0.0488605 0.03454959 0 -1 0x87
B 5607 0x0000000a00024001 1022171711.526090 1022171711.534906 0.008816 1 4 eth:ipv4:ipv4:tcp 00:d0:02:6d:78:00 00:00:21:ef:64:92 0x0800 19.54.241.75 us "Ford Motor Company" 6667 19.54.248.131 us "Ford Motor Company" 52912 6 2 2 113 57 12 101 56.5 31.46625 0 0.008816 0.004408 0.003116927 226.8602 12817.6 0 0.3294118 0x0044 14 14 62 62 0 0x00 0x1840 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1379912589 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.018758 0.027574 0.023166 0.003116927 0.07202651 0.0346899 0x87
A 6268 0x0000000a00008000 1022171713.686548 1022171714.050885 0.364337 1 3 eth:ipv6:tcp 00:50:04:56:32:a7 00:80:48:cd:88:83 0x86dd 2001:70e8:d3ce:e200:de29:8cff:c040:71a9 -- "--" 53731 2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf -- "--" 6669 6 2 2 30 66 0 30 15 10.6066 0 0.364337 0.1821685 0.1288126 5.489423 82.34135 0 -0.375 0x0044 65535 0 64 64 0 0x00 0x1800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 467287084 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.09502 0.09502 0.04751 0.03359464 0 -1 0x87
B 6268 0x0000000a00008001 1022171713.686918 1022171713.955865 0.268947 1 3 eth:ipv6:tcp 00:80:48:cd:88:83 00:50:04:56:32:a7 0x86dd 2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf -- "--" 6669 2001:70e8:d3ce:e200:de29:8cff:c040:71a9 -- "--" 53731 6 2 2 66 30 0 66 33 23.33452 0 0.268947 0.1344735 0.09508713 7.436409 245.4015 0 0.375 0x0044 65535 0 64 64 0 0x00 0x1800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1019170939 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.00037 0.269317 0.1348435 0.09508713 0.1823535 0.1008472 0x87
A 6822 0x0000000a00008000 1022171715.635220 1022171715.747770 0.112550 1 3 eth:ipv6:tcp 00:04:75:73:9b:a2 00:80:48:cd:88:83 0x86dd 2001:70e8:d3ce:e200:de40:21ff:b7dd:48e2 -- "--" 32892 2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf -- "--" 6667 6 2 2 30 66 0 30 15 10.6066 0 0.11255 0.056275 0.03979243 17.76988 266.5482 0 -0.375 0x0044 65535 0 64 64 0 0x00 0x1800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2001477013 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.000191 0.000191 9.55e-05 6.75287e-05 0 -1 0x87
B 6822 0x0000000a00008001 1022171715.635444 1022171715.747579 0.112135 1 3 eth:ipv6:tcp 00:80:48:cd:88:83 00:04:75:73:9b:a2 0x86dd 2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf -- "--" 6667 2001:70e8:d3ce:e200:de40:21ff:b7dd:48e2 -- "--" 32892 6 2 2 66 30 0 66 33 23.33452 0 0.112135 0.0560675 0.03964571 17.83564 588.5763 0 0.375 0x0044 65535 0 64 64 0 0x00 0x1800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1996385468 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.000224 0.112359 0.0562915 0.03964571 0.056387 0.03964576 0x87
A 8860 0x0000000a00008000 1022171722.738958 1022171722.847853 0.108895 1 3 eth:ipv6:tcp 00:40:05:56:05:f0 00:08:c7:ba:6c:98 0x86dd 3ffe:7c9b:f5:8b05::2f50 -- "--" 6667 2001:70e8:d3ce:e200:de49:4bff:1785:14ce -- "--" 2394 6 2 1 26 25 0 26 13 9.192389 0 0.108895 0.0544475 0.0385002 18.36632 238.7621 0.3333333 0.01960784 0x0044 65535 0 56 56 0 0x00 0x1800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2358934296 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.10646 0.10646 0.05323 0.03763929 0 -1 0x87
B 8860 0x0000000a00008001 1022171722.741393 1022171722.741393 0.000000 1 3 eth:ipv6:tcp 00:08:c7:ba:6c:98 00:40:05:56:05:f0 0x86dd 2001:70e8:d3ce:e200:de49:4bff:1785:14ce -- "--" 2394 3ffe:7c9b:f5:8b05::2f50 -- "--" 6667 6 1 2 25 26 25 25 25 0 0 0 0 0 0 0 -0.3333333 -0.01960784 0x0044 65535 0 64 64 0 0x00 0x1800 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2466350670 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0x00 0x0040 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0.002435 0.002435 0.002435 0
...Now you’re talking…
$ tawk -V tcpStates
The tcpStates column is to be interpreted as follows:
bit | tcpStates | Description
=============================================================================
0 | 0x01 | Malformed connection establishment
1 | 0x02 | Malformed teardown
2 | 0x04 | Malformed flags during established connection
3 | 0x08 | Packets detected after teardown
4 | 0x10 | Packets detected after reset
6 | 0x40 | Reset from sender
7 | 0x80 | Potential evil behavior (scan)Note, that even normal applications can produce such malformed flag combinations, especially from a specific OS, which a lot of people are using. Horrible. Look a bit for yourself.
The tcpFlags plugin is built for traffic forensics and troubleshooting. It contains information about L3/4 headers and issues, such as fragmentation L4 error/flow control and bandwidth/Round Trip Times (RTT) and some nitty-gritty tricks for security guys. Any section can be disabled in tcpFlags.h.
For you currently the following constants in tcpFlags.h are relevant for the beginning:
...
RTT_ESTIMATE 1 // 1: Round trip time estimation
IPCHECKSUM 2 // 1: Calculation of L3 (IP) header checksum,
// 2: L3 + L4 (TCP,UDP) checksum
WINDOWSIZE 1 // 1: Calculation of TCP window size parameters
WINMIN 1 // Minimal window size threshold defining a healthy communication, below packets are counted
SEQ_ACK_NUM 1 // 1: SEQ/ACK number feature analysis
FRAG_ANALYZE 1 // 1: Fragmentation analysis
...You can switch off the RTT estimation, calculation of checksums, the TCP window size features or the tricks with TCP seq/ack numbers. Although fragmentation in IPv4 today is mostly fishy, if you are not interested in it, switch it off. So the code becomes smaller and faster.
Let’s go over the most important fields you need to understand for a start.
There are still OS which increment the IPID by 1. This is a formidable feature to detect the load of a machine. Hence, T2 provides ipMindIPID and ipMaxdIPID column which denotes the min/max difference of IPIDs between packets. If the differences are large and we are sure of the 1 increment, several connections from that IP distribute packets. So, every connection will have jumps / flow. The ipMinTTL and ipMaxTTL give you an indication of how far your sniffing tap is from the senders IP address and whether several routing paths are involved.
ipFlags contains information about packet abnormalities and fragmentation mishaps. To see the meaning of the bits invoke:
$ tawk -V ipFlags
The ipFlags column is to be interpreted as follows:
bit | ipFlags | Description
=============================================================================
0 | 0x0001 | IP options corrupt
1 | 0x0002 | IPv4 packets out of order
2 | 0x0004 | IPv4 ID roll over
3 | 0x0008 | IP fragment below minimum
4 | 0x0010 | IP fragment out of range
5 | 0x0020 | More Fragment bit
6 | 0x0040 | IPv4: Don't Fragment bit, IPv6: reserve bit
7 | 0x0080 | Reserve bit
8 | 0x0100 | Fragmentation position error
9 | 0x0200 | Fragmentation sequence error
10 | 0x0400 | L3 checksum error
11 | 0x0800 | L4 checksum error
12 | 0x1000 | L3 header length snapped
13 | 0x2000 | Packet interdistance = 0
14 | 0x4000 | Packet interdistance < 0
15 | 0x8000 | TCP SYN flag with L7 contenttcpFlags is the standard NetFlow aggregation of the flags in the TCP header. So you can assess the communication state of the flow during observation.
A standard feature in NetFlow9 is the aggregation of all TCP flags occurring in a flow:
$ tawk -V tcpFlags
The tcpFlags column is to be interpreted as follows:
bit | tcpFlags | Description
=============================================================================
0 | 0x01 | FIN: No more data, finish connection
1 | 0x02 | SYN: Synchronize sequence numbers
2 | 0x04 | RST: Reset connection
3 | 0x08 | PSH: Push data
4 | 0x10 | ACK: Acknowledgement field value valid
5 | 0x20 | URG: Urgent pointer valid
6 | 0x40 | ECE: ECN-Echo
7 | 0x80 | CWR: Congestion Window Reduced flag is setIt represents valuable information about the state of a connection, and you can readily detect if a flow is complete, or the guy who acquired the data clipped it. flowStat will tell you that for each flow.
Basic traffic volume and connection analysis
To acquire an overview about a network and its communication behaviour, a graphical output is definitely helpful. graphviz is a wonderful program producing all kinds of graphs. T2 supplies a conversion example script grphvz which you may expand for your own purposes.
One basic approach is to look into the connection matrix or simply the connections between nodes. In the script, the graph edges are tagged with
- flowStat direction bit, land of origin, tcpAnomaly, srcPort-dstPort, numPktsSnt, numBytesSnt.
- Initiating flow: green, Response Flow: red
- Width: numBytesSnt
So apply the already generated flow file to grphvz, convert the resulting .dot file to JPG and display it with eog or better feh. You may also use the interactive program xdot or dotty.
$ head -n 43 annoloc2_flows.txt > a_flows.txt
$ grphvz a_flows.txt
$ dotty a_flows_graph.dotOr if you like a picture, use dot:
$ dot -Tjpg a_flows_graph.dot -o a_flows_graph.jpg
$ feh a_flows_graph.jpgOr with the new scripts since the 0.8.3 version:
$ head -n 43 annoloc2_flows.txt > a_flows.txt
$ t2viz a_flows.txt
If we had the full traffic plotted then you could identify large or biggest talkers, just by looking for the arrow with the largest width. But note that with larger number of flows, the performance of graphviz degrades rapidly. We produced a netgrapher which can handle very large connection matrices. Unfortunately this is not open source. If you are interested contact us here.
Another method to find biggest talkers is to reverse sort with tawk. For example, we can extract the flows which sent the most packets (numPktsSnt) with the following command:
$ tawk 't2sort(numPktsSnt, 4)' annoloc2_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPWho srcPort dstIP dstIPCC dstIPWho dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpFStat ipMindIPID ipMaxdIPID ipMinTTL ipMaxTTL ipTTLChg ipTOS ipFlags ipOptCnt ipOptCpCl_Num ip6OptCntHH_D ip6OptHH_D tcpISeqN tcpPSeqCnt tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt tcpFlags tcpAnomaly tcpOptPktCnt tcpOptCnt tcpOptions tcpMSS tcpWS tcpTmS tcpTmER tcpEcI tcpUtm tcpBtm tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAve tcpRTTAckTripJitAve tcpRTTSseqAA tcpRTTAckJitAve tcpStates
B 91 0x0000000a00004001 1022171701.699480 1022171726.636773 24.937293 1 3 eth:ipv4:tcp 00:00:21:d2:cc:72 00:d0:02:6d:78:00 0x0800 138.212.189.38 jp "ASAHI KASEI CORPORATION" 139 138.212.86.201 jp "Asahi Kasei Networks Corpor" 3429 6 23601 12342 33733962 42462 103 1460 1429.344 188.7309 0 0.253336 0.001056625 0.003715082 946.4139 1352752 0.313246 0.9974856 0x0040 1 39 64 64 0 0x10 0x3840 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3624816249 23576 34471811 24 677 42651 0 33232 33232 33232 33232 0 0 0 0 0x98 0xa800 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0 0.253317 0.001994585 0.004210955 0 -1 0x03
A 91 0x0000000a00004000 1022171701.699996 1022171726.637210 24.937214 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:00:21:d2:cc:72 0x0800 138.212.86.201 jp "Asahi Kasei Networks Corpor" 3429 138.212.189.38 jp "ASAHI KASEI CORPORATION" 139 6 12342 23601 42462 33733962 0 63 3.440447 14.30862 0 0.36365 0.002020519 0.00532618 494.923 1702.756 -0.313246 -0.9974856 0x00c0 1 21 127 127 0 0x00 0x1840 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3835254416 12342 42651 0 11833 34124331 190 17520 17518.91 16201 17520 355 355 709 0 0x98 0xa100 169 507 0x00000022 0 1 0 0 0 0.000000 0.000000 0 0 0.110333 0.0002984816 0.001134035 0 -1 0x03
B 6344 0x0000000a00004001 1022171714.045827 1022171722.457644 8.411817 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:10:5a:c5:96:1a 0x0800 139.45.174.202 ie "Stripe Inc" 56071 138.212.190.117 jp "ASAHI KASEI CORPORATION" 3837 6 10159 5692 14821880 0 0 1460 1458.99 29.41481 0 1.465593 0.0008280156 0.01468998 1207.706 1762031 0.2818119 1 0x0044 1 33832 59 250 1 0x18 0x3842 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1837334633 10159 14999999 0 1 0 2 5840 5840 5840 5840 0 0 0 0 0xdb 0xa003 1 4 0x00000016 1460 1 0 0 0 0.000000 0.000000 0.005066 0 0.219088 0.001750757 0.003134686 0.002583663 0.01960833 0x02
B 3610 0x0000000a00004001 1022171705.686717 1022171714.043794 8.357077 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:10:5a:c5:96:1a 0x0800 139.45.174.202 ie "Stripe Inc" 56070 138.212.190.117 jp "ASAHI KASEI CORPORATION" 3820 6 10048 5709 14656900 0 0 1460 1458.688 34.27719 0 1.39519 0.0008317156 0.0141066 1202.334 1753831 0.2753697 1 0x0044 1 44772 59 250 1 0x18 0x3842 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1835183641 10048 14999999 0 1 0 2 5840 5840 5840 5840 0 0 0 0 0xdb 0xa003 1 4 0x00000016 1460 1 0 0 0 0.000000 0.000000 0.006276 0 0.240063 0.001985467 0.003686316 0.002785216 0.01874814 0x02
$Note that the number 4 in the tawk statement above denotes the number of lines to display. If you omit it, all lines will be displayed.
We can also extract the four flows which sent the most bytes (numBytesSnt):
$ tawk 't2sort(numBytesSnt, 4)' annoloc2_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPWho srcPort dstIP dstIPCC dstIPWho dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpFStat ipMindIPID ipMaxdIPID ipMinTTL ipMaxTTL ipTTLChg ipTOS ipFlags ipOptCnt ipOptCpCl_Num ip6OptCntHH_D ip6OptHH_D tcpISeqN tcpPSeqCnt tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt tcpFlags tcpAnomaly tcpOptPktCnt tcpOptCnt tcpOptions tcpMSS tcpWS tcpTmS tcpTmER tcpEcI tcpUtm tcpBtm tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAve tcpRTTAckTripJitAve tcpRTTSseqAA tcpRTTAckJitAve tcpStates
B 91 0x0000000a00004001 1022171701.699480 1022171726.636773 24.937293 1 3 eth:ipv4:tcp 00:00:21:d2:cc:72 00:d0:02:6d:78:00 0x0800 138.212.189.38 jp "ASAHI KASEI CORPORATION" 139 138.212.86.201 jp "Asahi Kasei Networks Corpor" 3429 6 23601 12342 33733962 42462 103 1460 1429.344 188.7309 0 0.253336 0.001056625 0.003715082 946.4139 1352752 0.313246 0.9974856 0x0040 1 39 64 64 0 0x10 0x3840 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3624816249 23576 34471811 24 677 42651 0 33232 33232 33232 33232 0 0 0 0 0x98 0xa800 0 0 0x00000000 0 1 0 0 0 0.000000 0.000000 0 0 0.253317 0.001994585 0.004210955 0 -1 0x03
B 6344 0x0000000a00004001 1022171714.045827 1022171722.457644 8.411817 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:10:5a:c5:96:1a 0x0800 139.45.174.202 ie "Stripe Inc" 56071 138.212.190.117 jp "ASAHI KASEI CORPORATION" 3837 6 10159 5692 14821880 0 0 1460 1458.99 29.41481 0 1.465593 0.0008280156 0.01468998 1207.706 1762031 0.2818119 1 0x0044 1 33832 59 250 1 0x18 0x3842 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1837334633 10159 14999999 0 1 0 2 5840 5840 5840 5840 0 0 0 0 0xdb 0xa003 1 4 0x00000016 1460 1 0 0 0 0.000000 0.000000 0.005066 0 0.219088 0.001750757 0.003134686 0.002583663 0.01960833 0x02
B 3610 0x0000000a00004001 1022171705.686717 1022171714.043794 8.357077 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:10:5a:c5:96:1a 0x0800 139.45.174.202 ie "Stripe Inc" 56070 138.212.190.117 jp "ASAHI KASEI CORPORATION" 3820 6 10048 5709 14656900 0 0 1460 1458.688 34.27719 0 1.39519 0.0008317156 0.0141066 1202.334 1753831 0.2753697 1 0x0044 1 44772 59 250 1 0x18 0x3842 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1835183641 10048 14999999 0 1 0 2 5840 5840 5840 5840 0 0 0 0 0xdb 0xa003 1 4 0x00000016 1460 1 0 0 0 0.000000 0.000000 0.006276 0 0.240063 0.001985467 0.003686316 0.002785216 0.01874814 0x02
A 325 0x0000000200004000 1022171701.712093 1022171726.638722 24.926629 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:50:bf:08:44:81 0x0800 19.59.134.250 us "Ford Motor Company" 65230 138.212.187.240 jp "ASAHI KASEI CORPORATION" 58290 6 9459 5223 13696632 0 1448 1448 1448 0 0 0.067445 0.00263523 0.006627299 379.4737 549477.9 0.2885166 1 0x0050 1 387 53 53 0 0x08 0x3844 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2192448358 9415 15002728 44 0 0 0 33304 33304 33304 33304 0 0 0 0 0xd0 0xa000 9459 28377 0x00000102 0 1 199361062 113909808 0.01 1993610.575439 1020178116.063283 0 0 0.066065 0.008232069 0.01009581 0 -1 0x03
$The best method to spot connection anomalies is to visualize time, connecting IPs and connection counts. The connStat plugin produces the appropriate numbers for this task.
It adds four columns:
- connections src IP (
connSip), - connections dst IP (
connDip), - connections between srcIP and dstIP (
connSipDip) - number of unique destination port connections of a certain srcIP (
connSipDprt)
Moreover, an experimental feature connF = connSipDprt / connSip is added which describes the ratio of port connections of a srcIP and the total connection count of the very srcIP during the lifetime of this flow.
$ t2build connStat
$ t2 -r ~/data/annoloc2.pcap -w ~/results
================================================================================
Tranalyzer 0.8.6 (Anteater), Tarantula. PID: 9928
================================================================================
...
--------------------------------------------------------------------------------
...
connStat: Number of unique source IPs: 4413 (4.41 K)
connStat: Number of unique destination IPs: 3209 (3.21 K)
connStat: Number of unique source/destination IPs connections: 182
connStat: Max unique number of source IP / destination port connections: 413
connStat: IP prtcon/sdcon, prtcon/scon: 2.269231, 0.093587
connStat: Source IP with max connections: 138.212.189.66 (JP): 366 connections
connStat: Destination IP with max connections: 138.212.184.235 (JP): 402 connections
--------------------------------------------------------------------------------
...
$The end report contribution of connStat provides you with connection oriented facts of your traffic. So you should record these numbers at certain dates and times to establish a normal baseline.
If the sending/receiving IPs in your network, exceeds the maximum of your recordings and the unique local addresses exceed the amount of your machines in the network, something is definitely wrong.
Same for the number of receiving IPs and the ratio of src and dst IPs. The 5th line consists of experimental numbers which served well in finding malware, so if the prtcon/sdcon and prtcon/scon are >> 1 you should look a bit closer at this traffic. In a future tutorial T2 Kungfu I’ll try to elaborate more on that matter.
The biggest connection initiator or connector and the biggest endpoint connector at the end of the connStat report gives you an indication where to look first, when inspecting a flow file. Note here also an information about the country.
An example tawk command is shown below extracting only the initiation flows from the biggest connection initiator printing only connection relevant features (the not command is used instead of ! to prevent tawk from filtering out the header (note that the hdr() function could also have been used)).
$ tawk 'not(bitsanyset($flowStat, 1)) && shost("138.212.189.66") { print $timeFirst, $timeLast, $srcIP, $srcIPCC, $connSip, $connSipDip, connSipDprt, $connF }' annoloc2_flows.txt | LC_ALL=C sort -t$'\t' -n -k3,3 | head -n 25 | tcol
timeFirst timeLast srcIP srcIPCC connSip connSipDip 89 connF
1022171701.715552 1022171701.715552 138.212.189.66 jp 366 2 89 1.128415
1022171701.748589 1022171724.156283 138.212.189.66 jp 84 2 89 0.02380952
1022171701.748589 1022171725.854193 138.212.189.66 jp 40 2 89 0.05
1022171701.748591 1022171725.224952 138.212.189.66 jp 62 2 89 0.03225806
1022171701.748593 1022171701.748593 138.212.189.66 jp 365 1 89 0.002739726
1022171701.748593 1022171725.983912 138.212.189.66 jp 30 2 89 0.06666667
1022171701.748603 1022171726.344313 138.212.189.66 jp 23 2 89 0.08695652
1022171701.748605 1022171726.559487 138.212.189.66 jp 5 2 89 0.8
1022171701.833674 1022171707.884734 138.212.189.66 jp 291 1 89 1.085911
1022171701.834407 1022171701.834407 138.212.189.66 jp 364 2 89 1.129121
1022171701.845499 1022171701.845499 138.212.189.66 jp 363 2 89 1.126722
1022171701.847836 1022171725.854167 138.212.189.66 jp 41 2 89 0.04878049
1022171701.847851 1022171725.858100 138.212.189.66 jp 37 2 89 0.05405406
1022171701.847851 1022171726.446242 138.212.189.66 jp 17 2 89 0.1176471
1022171701.847852 1022171726.417256 138.212.189.66 jp 9 2 89 0.2222222
1022171701.847853 1022171701.847853 138.212.189.66 jp 362 1 89 0.002762431
1022171701.847854 1022171726.546581 138.212.189.66 jp 10 2 89 0.2
1022171701.868853 1022171701.868853 138.212.189.66 jp 361 1 89 1.127424
1022171701.878890 1022171701.878890 138.212.189.66 jp 360 2 89 1.127778
1022171701.922395 1022171701.922395 138.212.189.66 jp 359 2 89 1.125348
1022171701.947721 1022171726.546595 138.212.189.66 jp 7 1 89 0.1428571
1022171701.960091 1022171701.960091 138.212.189.66 jp 358 1 89 1.122905
1022171702.048266 1022171726.446250 138.212.189.66 jp 20 2 89 0.35
1022171702.089215 1022171702.089215 138.212.189.66 jp 357 2 89 1.123249
$Up until now, we have used absolute time stamps. For static plots, the relative time to the beginning of the pcap is easier to grasp. So first move to tranalyzer/src and open the file tranalyzer.h
$ tranalyzer2
$ vi src/tranalyzer.hThere you will see a lot of stuff to configure, this is a lot of fun for later. We look for RELTIME. Change it to 1 as shown below
If you are afraid to edit .h files, here is the t2conf command which does the same:
$ t2conf tranalyzer2 -D RELTIME=1
$And recompile all plugins used so far, because certain plugins such as basicFlow are using the RELTIME switch. Then, rerun t2:
$ t2build -R
$ t2 -r ~/data/annoloc2.pcap -w ~/results
================================================================================
Tranalyzer 0.8.6 (Anteater), Tarantula. PID: 10282
================================================================================
...
$For visualization, we only need to extract the said three features and pipe it into t2plot to create a nice 3D graphics in logarithmic scale of the z-axis.
$ tawk 'ipv4() { if ($connSip) print $timeFirst, $srcIP, $connSip }' annoloc2_flows.txt | t2plot -t "Simple connStat anomaly graph" -sx 0:25 -sy 0:2800000000 -v 60,75 -lz -r 1
You can now instantly identify the time based evolution of all IP addresses and spot the biggest connecter, get the count range and select him with a simple if clause in an awk or tawk script. The IP addresses are converted to hex by t2plot. The -r 1 option re-plots the graph every second, so that you can turn it using your mouse.
If you use the gpq3x script you can produce an online waterfall plot with the same characteristics. Together with t2 rrd monitoring you then have an efficient online graphical anomaly detection.
Timeline flow analysis
Often, typical patterns emerge from the time based flow production. So if an IP stands out in the connStat end report, a flow connection diagram can be useful. Just extract the biggest connector from above 138.212.189.66, store the extracted flows in a new file and run the t2timeline script as indicated below.
$ tawk 'host("138.212.189.66")' annoloc2_flows.txt > annoloc2_ip.txt
$ t2timeline -r -ws 700,400 annoloc2_ip.txt
The greens are requesting flows while the reds are response flows. The z-axis denotes the flowInd number. If you point the mouse on the beginning of a flow several flow parameters are displayed helping you to identify flows. Maybe there are still too many flows to see something, but you could now select certain protocols, such as TCP or ports, such as port 80. Write a short tawk and rerun the t2timeline script yourself.
Moreover, the timeline graph is very useful to assess the creation of training data for AI. For example, if you have a two class problem, the timelines of all pcaps of the two classes should look similar, if and only if the requirement is that the flows are created by the same equipment and relative timing, certain encrypted content classification task, have these requirements to produce a reasonable classifier. If then the timeline plots differ drastically, you caught somebody producing garbage training data. Because if you use it your classifier will find features, which do not correlate with the problem at hand.
And don’t forget to reset RELTIME to 0 if you intend to do more tutorials, as most of them are based on absolute time. Here is the t2conf command.
$ t2conf tranalyzer2 -D RELTIME=0
$ t2build -R
...
$Global statistical plugins
After inspecting the T2 end report, we have a good overview about the pcap state, certain abnormalities and statistics. As each network has its specific protocol statistics, T2 provides several global plugins which produce specific protocols statistics.
protoStat and icmpDecode are standard to be scrutinized after inspecting the end report. protoStat generates annoloc2_protocols.txt which is sorted according to Layer 2-4 protocol numbers.
I unloaded plugins not needed here to reduce the amount of confusing output and loaded icmpDecode and protoStat.
$ t2build -u tcpStates tcpFlags connStat basicStats
...
$ t2build icmpDecode protoStats
...
$ t2 -r ~/data/annoloc2.pcap -w ~/results
===============================================================================
Tranalyzer 0.8.6 (Anteater), Tarantula. PID: 5885
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
01: protoStats, 0.8.6
02: basicFlow, 0.8.6
03: icmpDecode, 0.8.6
04: txtSink, 0.8.6
...
--------------------------------------------------------------------------------
icmpDecode: Number of ICMP echo request packets: 224 [7.32%]
icmpDecode: Number of ICMP echo reply packets: 191 [6.24%]
icmpDecode: ICMP echo reply / request ratio: 0.85
--------------------------------------------------------------------------------
...As you can see icmpDecode produces the important measure of reply / request ratio, for a rapid assessment of malicious activity, also the relative amount of request and reply packets are a valuable indication.
More detailed information about the general picture is provided in the protocols file from protoStat:
$ tcol annoloc2_protocols.txt
# Total packets: 1219015 (1.22 M)
# Total bytes: 64082726 (64.08 M)
# L2/3 Protocol Packets Bytes Description
0x0800 1218588 [ 99.96%] 64061156 [ 99.97%] Internet Protocol version 4 (IPv4)
0x0806 247 [ 0.02%] 10374 [ 0.02%] Address Resolution Protocol (ARP)
0x86dd 180 [ 0.01%] 11196 [ 0.02%] Internet Protocol version 6 (IPv6)
# Total IPv4 packets: 1218588 (1.22 M) [99.96%]
# Total IPv6 packets: 180 [0.01%]
# L4 Protocol Packets Bytes Description
1 3059 [ 0.25%] 191934 [ 0.30%] Internet Control Message Protocol (ICMP)
2 12 [ 0.00%] 456 [ 0.00%] Internet Group Management Protocol (IGMP)
6 948743 [ 77.83%] 52643546 [ 82.15%] Transmission Control Protocol (TCP)
17 266900 [ 21.89%] 11234272 [ 17.53%] User Datagram Protocol (UDP)
22 1 [ 0.00%] 34 [ 0.00%] XEROX NS IDP
23 1 [ 0.00%] 34 [ 0.00%] Trunk-1
28 1 [ 0.00%] 34 [ 0.00%] Internet Reliable Transaction
47 20 [ 0.00%] 680 [ 0.00%] General Routing Encapsulation
48 1 [ 0.00%] 34 [ 0.00%] Mobile Host Routing Protocol
58 11 [ 0.00%] 682 [ 0.00%] Internet Control Message Protocol for IPv6 (ICMPv6)
59 1 [ 0.00%] 34 [ 0.00%] No Next Header for IPv6
64 1 [ 0.00%] 34 [ 0.00%] SATNET and Backroom EXPAK
79 1 [ 0.00%] 34 [ 0.00%] WIDEBAND EXPAK
...
# Total TCP packets: 948743 (948.74 K) [77.83%]
# Total TCP bytes: 52643546 (52.64 M) [82.15%]
# TCP Port Packets Bytes Description
13 2 [ 0.00%] 108 [ 0.00%] Daytime (RFC 867)
20 120418 [ 12.69%] 6703628 [ 12.73%] File Transfer [Default Data]
21 2082 [ 0.22%] 113512 [ 0.22%] File Transfer [Control]
22 3793 [ 0.40%] 213006 [ 0.40%] The Secure Shell (SSH) Protocol
23 309 [ 0.03%] 16686 [ 0.03%] Telnet
25 134 [ 0.01%] 8676 [ 0.02%] Simple Mail Transfer Protocol (SMTP)
49 175 [ 0.02%] 9558 [ 0.02%] Login Host Protocol (TACACS)
53 8 [ 0.00%] 528 [ 0.00%] Domain Name Server (DNS)
65 13 [ 0.00%] 742 [ 0.00%] TACACS-Database Service
66 8 [ 0.00%] 448 [ 0.00%] Oracle SQL*NET
67 8 [ 0.00%] 448 [ 0.00%] Bootstrap Protocol Server
68 6 [ 0.00%] 324 [ 0.00%] Bootstrap Protocol Client
80 73283 [ 7.72%] 4037878 [ 7.67%] World Wide Web HTTP
81 10937 [ 1.15%] 609542 [ 1.16%] Cobalt cube web access or trojan
83 47 [ 0.00%] 2538 [ 0.00%] MIT ML Device
...
# Total UDP packets: 266900 (266.90 K) [21.89%]
# Total UDP bytes: 11234272 (11.23 M) [17.53%]
# UDP Port Packets Bytes Description
0 67 [ 0.03%] 2278 [ 0.02%]
37 321 [ 0.12%] 13482 [ 0.12%] Time
53 2928 [ 1.10%] 158112 [ 1.41%] Domain Name Server (DNS)
67 14 [ 0.01%] 588 [ 0.01%] Bootstrap Protocol Server
123 34 [ 0.01%] 1428 [ 0.01%] Network Time Protocol
137 503 [ 0.19%] 21126 [ 0.19%] NETBIOS Name Service
138 152 [ 0.06%] 6384 [ 0.06%] NETBIOS Datagram Service
161 212 [ 0.08%] 8904 [ 0.08%] SNMP
412 7 [ 0.00%] 294 [ 0.00%] Trap Convention Port
427 3 [ 0.00%] 126 [ 0.00%] Server Location
...Here as well the biggest protocol talker is interesting to begin an analysis. The script protStat sorts the protocols file according to number of packets or bytes. The -p option defines the lower limit of probability to display. We selected 1% and added the UDP-Lite and SCTP protocols:
$ t2conf protoStats -D UDPLITE_STAT=1 -D SCTP_STAT=1
$ t2build protoStas
...
$ t2 -r ~/data/annoloc2.pcap -w ~/results
...
$ protStat -p=1 annoloc2_protocols.txt
L2/3 Protocol Packets Bytes Description
0x0800 1218588 [ 99.96%] 64061156 [ 99.97%] Internet Protocol version 4 (IPv4)
L4 Protocol Packets Bytes Description
6 948743 [ 77.83%] 52643546 [ 82.15%] Transmission Control Protocol (TCP)
17 266900 [ 21.89%] 11234272 [ 17.53%] User Datagram Protocol (UDP)
TCP Port Packets Bytes Description
139 203627 [ 21.46%] 11051370 [ 20.99%] NETBIOS Session Service
20 120418 [ 12.69%] 6703628 [ 12.73%] File Transfer [Default Data]
80 73283 [ 7.72%] 4037878 [ 7.67%] World Wide Web HTTP
445 27611 [ 2.91%] 1495334 [ 2.84%] Microsoft-DS
4662 26586 [ 2.80%] 1484248 [ 2.82%] OrbitNet Message Service
1214 20702 [ 2.18%] 1134572 [ 2.16%] KAZAA
56071 15851 [ 1.67%] 855970 [ 1.63%]
56070 15757 [ 1.66%] 850894 [ 1.62%]
58290 14682 [ 1.55%] 969012 [ 1.84%]
6699 13711 [ 1.45%] 757674 [ 1.44%]
81 10937 [ 1.15%] 609542 [ 1.16%] Cobalt cube web access or trojan
UDP Port Packets Bytes Description
27005 34284 [ 12.85%] 1439928 [ 12.82%] FLEX LM (1-10)
27960 24798 [ 9.29%] 1041516 [ 9.27%]
7777 15241 [ 5.71%] 640122 [ 5.70%] cbt
28920 14301 [ 5.36%] 600642 [ 5.35%]
10007 11847 [ 4.44%] 497574 [ 4.43%] MVS Capacity
27115 11220 [ 4.20%] 471240 [ 4.19%]
12203 10654 [ 3.99%] 447468 [ 3.98%]
27963 8591 [ 3.22%] 360822 [ 3.21%]
28015 8458 [ 3.17%] 355236 [ 3.16%]
27016 7948 [ 2.98%] 333816 [ 2.97%]
27116 7508 [ 2.81%] 315336 [ 2.81%]
27025 7347 [ 2.75%] 308574 [ 2.75%]
1111 7312 [ 2.74%] 307104 [ 2.73%] LM Social Server
28910 6865 [ 2.57%] 288330 [ 2.57%]
27035 6511 [ 2.44%] 273462 [ 2.43%]
27961 4869 [ 1.82%] 204498 [ 1.82%]
7000 3879 [ 1.45%] 162918 [ 1.45%] file server itself
28901 3619 [ 1.36%] 151998 [ 1.35%]
1028 3570 [ 1.34%] 149940 [ 1.33%]
62626 3364 [ 1.26%] 141288 [ 1.26%]
61996 3324 [ 1.25%] 139608 [ 1.24%]
28001 2984 [ 1.12%] 125328 [ 1.12%]
53 2928 [ 1.10%] 158112 [ 1.41%] Domain Name Server (DNS)
UDP-Lite Port Packets Bytes Description
SCTP Port Packets Bytes Description
$So no UPD-Lite or SCTP packets.
We have 0.25% ICMP traffic, which is not abnormal for that type of traffic. Often it is necessary to look at the ICMP messages in detail because some may indicate problems or even malicious behaviour. For that icmpDecode provides a detailed statistical overview:
$ lsx 22 annoloc2_icmpStats.txt
Total number of ICMP packets: 3070 (3.07 K) [0.25%]
Number of ICMP packets: 3059 (3.06 K) [0.25%]
Number of ICMPv6 packets: 11 [0.00%]
ICMP echo reply / request ratio: 0.853
# ICMP Type Code Packets
ICMP_ECHOREQUEST - 224 [ 7.32%]
ICMP_ECHOREPLY - 191 [ 6.24%]
ICMP_DEST_UNREACH ICMP_HOST_UNREACH 25 [ 0.82%]
ICMP_DEST_UNREACH ICMP_PORT_UNREACH 2603 [ 85.09%]
ICMP_TIME_EXCEEDED ICMP_EXC_TTL 14 [ 0.46%]
ICMP_TIME_EXCEEDED ICMP_EXC_FRAGTIME 2 [ 0.07%]
# ICMPv6 Type Code Packets
ICMP6_RTER_ADVERT - 5 [ 45.45%]
ICMP6_NBOR_SOLICIT - 3 [ 27.27%]
ICMP6_NBOR_ADVERT - 3 [ 27.27%]
$Note that if we had more messages, we could use protStat to sort and filter annoloc2_icmpStats.txt.
Now let’s find all hosts sending ICMP messages:
$ tawk 'icmp()' annoloc2_flows.txt | tcol
...By scrolling to the right you see the icmpBFTypH_TypL_Code bit field. So we are interested in ICMP_HOST_UNREACH and ICMP_PORT_UNREACH, code 3. So the 3rd parameter should be 23=0x0008.
$ tawk '{ split($icmpBFTypH_TypL_Code, A, "_"); if (bitsanyset(A[3], 0x8)) print }' annoloc2_flows.txt | head -n 15 | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPWho srcPort dstIP dstIPCC dstIPWho dstPort l4Proto icmpStat icmpTCcnt icmpBFTypH_TypL_Code icmpTmGtw icmpEchoSuccRatio icmpPFindex
A 59 0x0000000200004001 1022171701.692762 1022171701.692762 0.000000 1 3 eth:ipv4:icmp 00:80:48:b3:22:ef 00:d0:02:6d:78:00 0x0800 138.212.187.10 jp "ASAHI KASEI CORPORATION" 0 201.116.148.149 mx "Uninet S.A. de C.V." 0 1 0x01 1 0x00000000_0x00000008_0x0008 0x00000000 0 0
A 893 0x0000000200004001 1022171701.812425 1022171701.812425 0.000000 1 3 eth:ipv4:icmp 00:80:48:d7:ed:7a 00:d0:02:6d:78:00 0x0800 138.212.189.88 jp "ASAHI KASEI CORPORATION" 0 201.116.161.83 mx "Uninet S.A. de C.V." 0 1 0x01 1 0x00000000_0x00000008_0x0008 0x00000000 0 890
A 1069 0x0000000200004001 1022171701.889357 1022171701.889357 0.000000 1 3 eth:ipv4:icmp 00:48:54:7a:04:0f 00:d0:02:6d:78:00 0x0800 138.212.184.71 jp "ASAHI KASEI CORPORATION" 0 146.208.9.41 us "Keysight Technologies" 0 1 0x01 1 0x00000000_0x00000008_0x0008 0x00000000 0 1052
A 1204 0x0000000200004001 1022171701.980834 1022171701.980834 0.000000 1 3 eth:ipv4:icmp 00:d0:02:6d:78:00 00:80:48:b3:22:c4 0x0800 138.213.40.91 -- "--" 0 138.212.189.66 jp "ASAHI KASEI CORPORATION" 0 1 0x01 1 0x00000000_0x00000008_0x0008 0x00000000 0 1180
A 1232 0x0000000200004001 1022171702.009674 1022171702.009674 0.000000 1 3 eth:ipv4:icmp 00:48:54:7a:04:0f 00:d0:02:6d:78:00 0x0800 138.212.184.71 jp "ASAHI KASEI CORPORATION" 0 36.237.77.156 tw "Data Communication Business" 0 1 0x01 1 0x00000000_0x00000008_0x0008 0x00000000 0 1222
A 1557 0x0000000200004001 1022171702.247453 1022171702.247453 0.000000 1 3 eth:ipv4:icmp 00:04:76:22:07:90 00:d0:02:6d:78:00 0x0800 138.212.186.88 jp "ASAHI KASEI CORPORATION" 0 201.19.77.72 br "Telemar Norte Leste S.A." 0 1 0x01 1 0x00000000_0x00000008_0x0008 0x00000000 0 1555
A 1572 0x0000000200004001 1022171702.265015 1022171702.265015 0.000000 1 3 eth:ipv4:icmp 00:08:a1:1d:3f:f1 00:d0:02:6d:78:00 0x0800 138.212.191.25 jp "ASAHI KASEI CORPORATION" 0 19.50.144.156 us "Ford Motor Company" 0 1 0x01 1 0x00000000_0x00000008_0x0008 0x00000000 0 1570
A 1717 0x0000000200004001 1022171702.396273 1022171702.396273 0.000000 1 3 eth:ipv4:icmp 00:80:48:b3:24:eb 00:d0:02:6d:78:00 0x0800 138.212.190.25 jp "ASAHI KASEI CORPORATION" 0 19.6.20.159 us "Ford Motor Company" 0 1 0x01 1 0x00000000_0x00000008_0x0008 0x00000000 0 1710
A 1740 0x0000000200004001 1022171702.417049 1022171702.417049 0.000000 1 3 eth:ipv4:icmp 00:80:48:b3:22:ef 00:d0:02:6d:78:00 0x0800 138.212.187.10 jp "ASAHI KASEI CORPORATION" 0 65.171.40.80 us "Sprint" 0 1 0x01 1 0x00000000_0x00000008_0x0008 0x00000000 0 1739
A 1749 0x0000000200004001 1022171702.423157 1022171702.423157 0.000000 1 3 eth:ipv4:icmp 00:80:48:b3:22:ef 00:d0:02:6d:78:00 0x0800 138.212.187.10 jp "ASAHI KASEI CORPORATION" 0 193.108.29.243 lv "Infoserv-Riga Ltd" 0 1 0x01 1 0x00000000_0x00000008_0x0008 0x00000000 0 1747
A 1819 0x0000000200004001 1022171702.510250 1022171702.510250 0.000000 1 3 eth:ipv4:icmp 00:80:48:b3:22:ef 00:d0:02:6d:78:00 0x0800 138.212.187.10 jp "ASAHI KASEI CORPORATION" 0 138.213.33.28 -- "--" 0 1 0x01 1 0x00000000_0x00000008_0x0008 0x00000000 0 1814
A 1876 0x0000000200004000 1022171722.772690 1022171722.785414 0.012724 1 3 eth:ipv4:icmp 00:d0:02:6d:78:00 00:50:da:37:f6:03 0x0800 193.133.161.22 gb "Verizon UK Limited" 0 138.212.191.75 jp "ASAHI KASEI CORPORATION" 0 1 0x01 9 0x00000000_0x00000008_0x0008 0x00000000 0 7706
B 1876 0x0000000200004001 1022171702.597916 1022171702.597916 0.000000 1 3 eth:ipv4:icmp 00:50:da:37:f6:03 00:d0:02:6d:78:00 0x0800 138.212.191.75 jp "ASAHI KASEI CORPORATION" 0 193.133.161.22 gb "Verizon UK Limited" 0 1 0x01 1 0x00000000_0x00000008_0x0008 0x00000000 0 1875
A 1905 0x0000000200004001 1022171702.623420 1022171702.623420 0.000000 1 3 eth:ipv4:icmp 00:d0:02:6d:78:00 00:50:fc:44:99:fd 0x0800 201.74.106.234 br "CLARO S.A." 0 138.212.187.11 jp "ASAHI KASEI CORPORATION" 0 1 0x01 1 0x00000000_0x00000008_0x0008 0x00000000 0 1871
$The bitfields are useful for selecting flows, but if you like a bit more human readability, set ICMP_TC_MD to 0, recompile and rerun t2, as indicated below:
$ t2conf icmpDecode -D ICMP_TC_MD=1
$ t2build icmpDecode
...
$ t2 -r ~/data/annoloc2.pcap -w ~/results
$ tawk '$icmpTCcnt > 0' annoloc2_flows.txt | head -n 22 | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPWho srcPort dstIP dstIPCC dstIPWho dstPort l4Proto icmpStat icmpTCcnt icmpType_Code icmpTmGtw icmpEchoSuccRatio icmpPFindex
A 59 0x0000000200004001 1022171701.692762 1022171701.692762 0.000000 1 3 eth:ipv4:icmp 00:80:48:b3:22:ef 00:d0:02:6d:78:00 0x0800 138.212.187.10 jp "ASAHI KASEI CORPORATION" 0 201.116.148.149 mx "Uninet S.A. de C.V." 0 1 0x01 1 3_3 0x00000000 0 0
A 893 0x0000000200004001 1022171701.812425 1022171701.812425 0.000000 1 3 eth:ipv4:icmp 00:80:48:d7:ed:7a 00:d0:02:6d:78:00 0x0800 138.212.189.88 jp "ASAHI KASEI CORPORATION" 0 201.116.161.83 mx "Uninet S.A. de C.V." 0 1 0x01 1 3_3 0x00000000 0 890
A 1069 0x0000000200004001 1022171701.889357 1022171701.889357 0.000000 1 3 eth:ipv4:icmp 00:48:54:7a:04:0f 00:d0:02:6d:78:00 0x0800 138.212.184.71 jp "ASAHI KASEI CORPORATION" 0 146.208.9.41 us "Keysight Technologies" 0 1 0x01 1 3_3 0x00000000 0 1052
A 1177 0x0000000200004001 1022171701.956543 1022171701.956543 0.000000 1 3 eth:ipv4:icmp 00:d0:02:6d:78:00 00:80:48:b3:22:c4 0x0800 201.118.86.105 mx "Uninet S.A. de C.V." 0 138.212.189.66 jp "ASAHI KASEI CORPORATION" 0 1 0x01 1 3_1 0x00000000 0 1166
A 1204 0x0000000200004001 1022171701.980834 1022171701.980834 0.000000 1 3 eth:ipv4:icmp 00:d0:02:6d:78:00 00:80:48:b3:22:c4 0x0800 138.213.40.91 -- "--" 0 138.212.189.66 jp "ASAHI KASEI CORPORATION" 0 1 0x01 1 3_3 0x00000000 0 1180
A 1232 0x0000000200004001 1022171702.009674 1022171702.009674 0.000000 1 3 eth:ipv4:icmp 00:48:54:7a:04:0f 00:d0:02:6d:78:00 0x0800 138.212.184.71 jp "ASAHI KASEI CORPORATION" 0 36.237.77.156 tw "Data Communication Business" 0 1 0x01 1 3_3 0x00000000 0 1222
A 1557 0x0000000200004001 1022171702.247453 1022171702.247453 0.000000 1 3 eth:ipv4:icmp 00:04:76:22:07:90 00:d0:02:6d:78:00 0x0800 138.212.186.88 jp "ASAHI KASEI CORPORATION" 0 201.19.77.72 br "Telemar Norte Leste S.A." 0 1 0x01 1 3_3 0x00000000 0 1555
A 1572 0x0000000200004001 1022171702.265015 1022171702.265015 0.000000 1 3 eth:ipv4:icmp 00:08:a1:1d:3f:f1 00:d0:02:6d:78:00 0x0800 138.212.191.25 jp "ASAHI KASEI CORPORATION" 0 19.50.144.156 us "Ford Motor Company" 0 1 0x01 1 3_3 0x00000000 0 1570
A 1717 0x0000000200004001 1022171702.396273 1022171702.396273 0.000000 1 3 eth:ipv4:icmp 00:80:48:b3:24:eb 00:d0:02:6d:78:00 0x0800 138.212.190.25 jp "ASAHI KASEI CORPORATION" 0 19.6.20.159 us "Ford Motor Company" 0 1 0x01 1 3_3 0x00000000 0 1710
A 1740 0x0000000200004001 1022171702.417049 1022171702.417049 0.000000 1 3 eth:ipv4:icmp 00:80:48:b3:22:ef 00:d0:02:6d:78:00 0x0800 138.212.187.10 jp "ASAHI KASEI CORPORATION" 0 65.171.40.80 us "Sprint" 0 1 0x01 1 3_3 0x00000000 0 1739
A 1749 0x0000000200004001 1022171702.423157 1022171702.423157 0.000000 1 3 eth:ipv4:icmp 00:80:48:b3:22:ef 00:d0:02:6d:78:00 0x0800 138.212.187.10 jp "ASAHI KASEI CORPORATION" 0 193.108.29.243 lv "Infoserv-Riga Ltd" 0 1 0x01 1 3_3 0x00000000 0 1747
A 1819 0x0000000200004001 1022171702.510250 1022171702.510250 0.000000 1 3 eth:ipv4:icmp 00:80:48:b3:22:ef 00:d0:02:6d:78:00 0x0800 138.212.187.10 jp "ASAHI KASEI CORPORATION" 0 138.213.33.28 -- "--" 0 1 0x01 1 3_3 0x00000000 0 1814
A 1876 0x0000000200004000 1022171722.772690 1022171722.785414 0.012724 1 3 eth:ipv4:icmp 00:d0:02:6d:78:00 00:50:da:37:f6:03 0x0800 193.133.161.22 gb "Verizon UK Limited" 0 138.212.191.75 jp "ASAHI KASEI CORPORATION" 0 1 0x01 9 3_3;3_3;3_3;3_3;3_3;3_3;3_3;3_3;3_3 0x00000000 0 7706
B 1876 0x0000000200004001 1022171702.597916 1022171702.597916 0.000000 1 3 eth:ipv4:icmp 00:50:da:37:f6:03 00:d0:02:6d:78:00 0x0800 138.212.191.75 jp "ASAHI KASEI CORPORATION" 0 193.133.161.22 gb "Verizon UK Limited" 0 1 0x01 1 3_3 0x00000000 0 1875
A 1905 0x0000000200004001 1022171702.623420 1022171702.623420 0.000000 1 3 eth:ipv4:icmp 00:d0:02:6d:78:00 00:50:fc:44:99:fd 0x0800 201.74.106.234 br "CLARO S.A." 0 138.212.187.11 jp "ASAHI KASEI CORPORATION" 0 1 0x01 1 3_3 0x00000000 0 1871
A 1985 0x0000000200004001 1022171702.721365 1022171702.721365 0.000000 1 3 eth:ipv4:icmp 00:d0:02:6d:78:00 00:80:48:b3:22:c4 0x0800 139.97.6.149 fi "ELISA" 0 138.212.189.66 jp "ASAHI KASEI CORPORATION" 0 1 0x01 1 3_3 0x00000000 0 1973
A 1994 0x0000000200004001 1022171702.739522 1022171702.739522 0.000000 1 3 eth:ipv4:icmp 00:80:48:d7:ed:7a 00:d0:02:6d:78:00 0x0800 138.212.189.88 jp "ASAHI KASEI CORPORATION" 0 216.218.79.22 us "Farmers Telephone Cooperati" 0 1 0x01 1 3_3 0x00000000 0 1993
A 2035 0x0000000200004001 1022171702.768754 1022171702.768754 0.000000 1 3 eth:ipv4:icmp 00:80:48:b3:22:ef 00:d0:02:6d:78:00 0x0800 138.212.187.10 jp "ASAHI KASEI CORPORATION" 0 201.108.14.212 mx "Uninet S.A. de C.V." 0 1 0x01 1 3_3 0x00000000 0 2009
A 2061 0x0000000a00004000 1022171702.799287 1022171702.799287 0.000000 1 3 eth:ipv4:icmp 00:d0:02:6d:78:00 00:a0:c9:1e:a4:19 0x0800 70.101.52.210 us "Frontier Communications of " 0 138.212.184.246 jp "ASAHI KASEI CORPORATION" 0 1 0x01 1 8_0 0x99bb0002 1 0
B 2061 0x0000000a00004001 1022171702.799877 1022171702.799877 0.000000 1 3 eth:ipv4:icmp 00:a0:c9:1e:a4:19 00:d0:02:6d:78:00 0x0800 138.212.184.246 jp "ASAHI KASEI CORPORATION" 0 70.101.52.210 us "Frontier Communications of " 0 1 0x01 1 0_0 0x99bb0002 0 0
A 2062 0x0000000a00004000 1022171702.800596 1022171702.800596 0.000000 1 3 eth:ipv4:icmp 00:d0:02:6d:78:00 00:10:5a:64:e9:36 0x0800 70.101.52.210 us "Frontier Communications of " 0 138.212.184.247 jp "ASAHI KASEI CORPORATION" 0 1 0x01 1 8_0 0x99bc0002 1 0
$Now you see the sequence of code 3 separated by ;.
Add layer 2/4 information
Information about MACs and ports which helps you decoding certain number can be added:
| macRecorder | records all MAC pairs during a connection, packet counts and MAC decoding |
| portClassifer | human readable ports |
Unload icmpDecode and load both plugins:
$ t2build -u icmpDecode
...
$ t2build macRecorder portClassifier tcpStates
...
BUILD SUCCESSFUL
$ t2 -r ~/data/annoloc2.pcap -w ~/results
================================================================================
Tranalyzer 0.8.6 (Anteater), Tarantula. PID: 9539
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
01: basicFlow, 0.8.6
02: macRecorder, 0.8.6
03: portClassifier, 0.8.6
04: tcpStates, 0.8.6
05: txtSink, 0.8.6
...
$In the flow file below, you will now see from the macRecorder plugin all MAC addresses including packet counts per flow. If redundant routing is presents you will see minimum two MAC pairs per flow. It is also useful to detect broken network cards, then you see several random MAC pairs. In the case of redundant routing, the packet counts should be almost equal. If this is not the case, then something is wrong. Moreover the manufacturer of the interface card is listed, so that the user does not need to look it up on the web. The portClassifier is somewhat misleading, as it does not really classifies, but instead transforms the port number into a human readable string, such as https for port 443 in our case.
$ head -n 22 annoloc2_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPWho srcPort dstIP dstIPCC dstIPWho dstPort l4Proto macPairs srcMac_dstMac_numP srcManuf_dstManuf dstPortClassN dstPortClass tcpStates
A 265 0x0000000000004000 1022171701.709116 1022171701.709116 0.000000 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:50:fc:0e:21:56 0x0800 209.171.12.143 ca "TELUS Communications Inc." 4987 138.212.185.230 jp "ASAHI KASEI CORPORATION" 41250 6 1 00:d0:02:6d:78:00_00:50:fc:0e:21:56_1 Ditech_EdimaxTe 41250 unknown 0xc3
A 447 0x0000000000004000 1022171701.721366 1022171701.721366 0.000000 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:50:fc:3b:62:78 0x0800 217.41.129.13 gb "BT Infrastructure Layer" 58872 138.212.187.186 jp "ASAHI KASEI CORPORATION" 80 6 1 00:d0:02:6d:78:00_00:50:fc:3b:62:78_1 Ditech_EdimaxTe 80 http 0xc3
A 392 0x0000000000004000 1022171701.716998 1022171701.716998 0.000000 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:50:bf:59:85:48 0x0800 36.242.181.230 jp "SoftBank Corp." 4685 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 6 1 00:d0:02:6d:78:00_00:50:bf:59:85:48_1 Ditech_Metallig 1214 kazaa 0x03
B 392 0x0000000000004001 1022171701.732313 1022171701.732313 0.000000 1 3 eth:ipv4:tcp 00:50:bf:59:85:48 00:d0:02:6d:78:00 0x0800 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 36.242.181.230 jp "SoftBank Corp." 4685 6 1 00:50:bf:59:85:48_00:d0:02:6d:78:00_1 Metallig_Ditech 1214 kazaa 0x43
A 906 0x0000000000004000 1022171701.816638 1022171701.816638 0.000000 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:60:08:69:80:dd 0x0800 161.135.53.11 us "Federal Express Corp." 5001 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 6 1 00:d0:02:6d:78:00_00:60:08:69:80:dd_1 Ditech_3com 80 http 0x03
B 906 0x0000000000004001 1022171701.817195 1022171701.817195 0.000000 1 3 eth:ipv4:tcp 00:60:08:69:80:dd 00:d0:02:6d:78:00 0x0800 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 161.135.53.11 us "Federal Express Corp." 5001 6 1 00:60:08:69:80:dd_00:d0:02:6d:78:00_1 3com_Ditech 80 http 0x43
A 1027 0x0000000000004000 1022171701.872817 1022171701.872817 0.000000 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:80:48:b3:13:27 0x0800 146.162.158.230 gb "Norwich Union Insurance Lim" 2849 138.212.184.193 jp "ASAHI KASEI CORPORATION" 6346 6 1 00:d0:02:6d:78:00_00:80:48:b3:13:27_1 Ditech_CompexUs 6346 gnutella-svc 0x03
B 1027 0x0000000000004001 1022171701.873426 1022171701.873426 0.000000 1 3 eth:ipv4:tcp 00:80:48:b3:13:27 00:d0:02:6d:78:00 0x0800 138.212.184.193 jp "ASAHI KASEI CORPORATION" 6346 146.162.158.230 gb "Norwich Union Insurance Lim" 2849 6 1 00:80:48:b3:13:27_00:d0:02:6d:78:00_1 CompexUs_Ditech 6346 gnutella-svc 0x43
A 1154 0x0000000000004000 1022171701.939627 1022171701.939627 0.000000 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:50:bf:59:85:48 0x0800 193.133.224.57 gb "Verizon UK Limited" 3286 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 6 1 00:d0:02:6d:78:00_00:50:bf:59:85:48_1 Ditech_Metallig 1214 kazaa 0x03
B 1154 0x0000000000004001 1022171701.947575 1022171701.947575 0.000000 1 3 eth:ipv4:tcp 00:50:bf:59:85:48 00:d0:02:6d:78:00 0x0800 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 193.133.224.57 gb "Verizon UK Limited" 3286 6 1 00:50:bf:59:85:48_00:d0:02:6d:78:00_1 Metallig_Ditech 1214 kazaa 0x43
A 867 0x0000000a00004000 1022171701.805350 1022171701.805350 0.000000 1 3 eth:ipv4:tcp 00:60:b0:b5:da:10 00:d0:02:6d:78:00 0x0800 138.212.184.48 jp "ASAHI KASEI CORPORATION" 6666 36.74.248.27 id "Telekomunikasi Indonesia" 1108 6 1 00:60:b0:b5:da:10_00:d0:02:6d:78:00_1 HewlettP_Ditech 1108 ratio-adp 0x03
B 867 0x0000000000004001 1022171702.012658 1022171702.012658 0.000000 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:60:b0:b5:da:10 0x0800 36.74.248.27 id "Telekomunikasi Indonesia" 1108 138.212.184.48 jp "ASAHI KASEI CORPORATION" 6666 6 1 00:d0:02:6d:78:00_00:60:b0:b5:da:10_1 Ditech_HewlettP 1108 ratio-adp 0x43
A 864 0x0000000a00004000 1022171701.805329 1022171702.066438 0.261109 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:60:b0:ec:34:27 0x0800 19.54.241.65 us "Ford Motor Company" 6667 138.212.191.209 jp "ASAHI KASEI CORPORATION" 45891 6 1 00:d0:02:6d:78:00_00:60:b0:ec:34:27_3 Ditech_HewlettP 45891 unknown 0x03
B 864 0x0000000000004001 1022171701.806695 1022171702.066682 0.259987 1 3 eth:ipv4:tcp 00:60:b0:ec:34:27 00:d0:02:6d:78:00 0x0800 138.212.191.209 jp "ASAHI KASEI CORPORATION" 45891 19.54.241.65 us "Ford Motor Company" 6667 6 1 00:60:b0:ec:34:27_00:d0:02:6d:78:00_3 HewlettP_Ditech 45891 unknown 0x43
A 1336 0x0000000000004000 1022171702.098369 1022171702.098369 0.000000 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:60:08:69:80:dd 0x0800 216.21.10.20 us "XNS Technology Group Inc." 1305 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 6 1 00:d0:02:6d:78:00_00:60:08:69:80:dd_1 Ditech_3com 80 http 0x03
B 1336 0x0000000000004001 1022171702.098389 1022171702.098389 0.000000 1 3 eth:ipv4:tcp 00:60:08:69:80:dd 00:d0:02:6d:78:00 0x0800 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 216.21.10.20 us "XNS Technology Group Inc." 1305 6 1 00:60:08:69:80:dd_00:d0:02:6d:78:00_1 3com_Ditech 80 http 0x43
A 1512 0x0000000000004000 1022171702.202157 1022171702.202157 0.000000 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:80:48:b3:22:c4 0x0800 19.150.217.57 us "Ford Motor Company" 1678 138.212.189.66 jp "ASAHI KASEI CORPORATION" 1214 6 1 00:d0:02:6d:78:00_00:80:48:b3:22:c4_1 Ditech_CompexUs 1214 kazaa 0xc3
A 1534 0x0000000000004000 1022171702.222212 1022171702.222212 0.000000 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:c0:26:a4:7b:d8 0x0800 216.233.229.167 us "MCI Communications Services" 3782 138.212.185.86 jp "ASAHI KASEI CORPORATION" 1058 6 1 00:d0:02:6d:78:00_00:c0:26:a4:7b:d8_1 Ditech_LansTech 1058 nim 0x03
B 1534 0x0000000000004001 1022171702.228940 1022171702.228940 0.000000 1 3 eth:ipv4:tcp 00:c0:26:a4:7b:d8 00:d0:02:6d:78:00 0x0800 138.212.185.86 jp "ASAHI KASEI CORPORATION" 1058 216.233.229.167 us "MCI Communications Services" 3782 6 1 00:c0:26:a4:7b:d8_00:d0:02:6d:78:00_1 LansTech_Ditech 1058 nim 0x43
A 1040 0x0000000000004000 1022171702.240159 1022171702.240159 0.000000 1 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:50:fc:3b:62:78 0x0800 210.162.178.146 jp "NTT COMMUNICATIONS CORPORAT" 1044 138.212.187.186 jp "ASAHI KASEI CORPORATION" 80 6 1 00:d0:02:6d:78:00_00:50:fc:3b:62:78_1 Ditech_EdimaxTe 80 http 0x43
B 1040 0x0000000a00004001 1022171701.877481 1022171702.014438 0.136957 1 3 eth:ipv4:tcp 00:50:fc:3b:62:78 00:d0:02:6d:78:00 0x0800 138.212.187.186 jp "ASAHI KASEI CORPORATION" 80 210.162.178.146 jp "NTT COMMUNICATIONS CORPORAT" 1044 6 1 00:50:fc:3b:62:78_00:d0:02:6d:78:00_2 EdimaxTe_Ditech 80 http 0x03
$Now you got a quick insight into basic plugins. You can now start using T2 on your own pcaps or look into other tutorials about specifics of traffic mining, or specific plugins. Don’t forget to reset all the plugins into the default mode and recompile. Here are the t2conf commands for the plugins used in this tutorial:
$ t2conf protoStats -D UDPLITE_STAT=0 -D SCTP_STAT=0
$ t2conf basicFlow -D BFO_MAC=1 -D BFO_ETHERTYPE=1 -D BFO_VLAN=1 -D BFO_SUBNET_TEST=1 -D BFO_MAX_HDRDESC=4
$ t2conf basicStats -D BS_REV_CNT=1 -D BS_STATS=1
$ t2conf icmpDecode -D ICMP_TC_MD=0
$ t2conf tranalyzer2 -D RELTIME=0
$ t2build -R
...
$Have fun!!
Operational mode switching: ETH, IPv4/6, SCTP
T2 can operate in several operational modes. The default is dual IP stack (IPv4 and IPv6) and L2 Ethernet flow production. In order to accelerate T2, it can be switched into IPv4 or IPv6 mode or into a plain L2 flow/packet producer depending on your demands or your network.
Search for user defines in networkHeaders.h and have a look at the default settings:
// Constant Definition
// user defines
#define IPV6_ACTIVATE 2 // 0: IPv4 only, 1: IPv6 only, 2: dual mode
#define ETH_ACTIVATE 1 // 0: No Ethernet flows,
// 1: Activate Ethernet flows,
// 2: Also use Ethernet addresses for IPv4/6 flows
#define SCTP_ACTIVATE 0 // 1: activate SCTP streams -> Flows
#define SCTP_STATFINDEX 1 // 1: if SCTP_ACTIVATE = 1 then (1: findex constant for all SCTP streams in a packet 0: findex increments)
#define MULTIPKTSUP 0 // multi-packet suppression
#define T2_PRI_HDRDESC 1 // 1: keep track of the headers traversed
#define T2_HDRDESC_AGGR 1 // 1: aggregate repetitive headers, e.g., vlan{2}
#define T2_HDRDESC_LEN 128 // max length of the headers descriptionMoreover SCTP to flow transformation is supported. Which is by default disabled, because it requires additional code the standard admin does not need. The researcher or protocol expert might need that functionality, so set SCTP_ACTIVATE to 1. The constant SCTP_STATFINDEX controls whether all SCTP streams are sorted into several flows with the same flow index or different incrementing flow indexes.
Compile all plugins, as you may have plugins which implement the SCTP flow segregation, e.g., sctpDecode.
$ t2conf tranalyzer2 -D SCTP_ACTIVATE=1
$ t2build -R
...
$Now run t2 with your SCTP pcap or run it on an interface where SCTP traffic is present. For more details, refer to the SCTP tutorial.
Now you got a quick insight into T2 functionality, basic plugin operations and workflow. You can start using T2 on your own pcaps or look into other tutorials about specifics of your interest.
Have fun!!