Tutorial: Basic Analysis

WTF is the Anteater?

Tranalyzer2 (T2) was created at a Swiss operator because standard Cisco NetFlow did not supply the fields we needed for our troubleshooting and security work. We needed all kinds of encapsulated protocols, content info, advanced statistics and an easy way to extract information for traffic mining. And, most important, a tool which can digest really large pcaps and runs stably on an interface. Therefore, only code and functionality which is needed by the user is added. That should explain why a lot of T2 is controlled by compiler switches, making it adaptable and lightweight. But no worries, we made compiling on different infrastructure easy for you.

Having also students with us, we saw them always reinventing the wheel when it came to traffic analysis, so in 2008 T2 became open source. Since then, practical ideas from people working in the field and in research have inspired the path of the Anteater.

This tutorial will teach you about the basic configuration, usage, basic plugins and post-processing philosophy. So, let’s first look at the basic protocol and output modes.

T2 operational modes

By default T2 operates in the following basic protocol modes:

  • Layer2
  • IPv4
  • IPv6
  • SCTP

Since version 0.8.0, T2 by default operates concurrently in all protocol modes and feeds output into the same files. If you are only interested in IPv4 and decapsulation of protocols such as L2TP, GRE, IPv[46]-in-IPv[46], etc. is not relevant, T2 can easily be configured to do only that. Moreover, support for L4 protocols is supplied, e.g., SCTP, which transforms all streams into extra flows if enabled in networkHeaders.h. We will discuss this at the end of the tutorial and in the Protocol Modes tutorial (coming soon).

T2 is capable of running the following jobs concurrently.

Let’s have a quick look at these.

Flow

The most prominent one is flow mode, where traffic is aggregated into so-called flows in order to process large amounts of traffic. A flow is defined in T2 as an A flow and its opposite B flow, which are linked by a unique flowIndex, a 64 bit number. The default aggregation of T2 flows is

(vlan, srcIP, srcPort, dstIP, dstPort, L3protocol)

which covers most cases in corporate networks, as VLANs are very common. It can be extended to

(srcEther, dstEther, ethertype, vlan, srcIP, srcPort, dstIP, dstPort, sctpChannel, L3protocol)

or reduced to aggregating all traffic into a few flows, defined only by several networks without VLANs, ports and protocols. The advanced flow aggregation modes are discussed in the Flexible Flow Aggregation tutorial.
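The following is an added Python model of the default aggregation described above; it is not Tranalyzer code. Constructed packets are grouped by the tutorial's default key (vlan, srcIP, srcPort, dstIP, dstPort, L3protocol), the first direction seen becomes the A flow and the opposite direction the B flow sharing the same flowIndex. T2's hash table, timeouts and plugin columns are not modelled.

```python
"""Simplified model of T2's default flow aggregation (added example, not
Tranalyzer code): group packets by (vlan, srcIP, srcPort, dstIP, dstPort,
L3protocol) and link each A flow with its opposite B flow via one flowIndex.
"""
from collections import namedtuple

# One packet as far as the default aggregation key is concerned (constructed).
Pkt = namedtuple("Pkt", "vlan src sport dst dport proto length")


def flow_key(p):
    """Default T2 aggregation tuple from the tutorial."""
    return (p.vlan, p.src, p.sport, p.dst, p.dport, p.proto)


def reverse_key(key):
    """Key of the opposite direction: swap source and destination address/port."""
    vlan, src, sport, dst, dport, proto = key
    return (vlan, dst, dport, src, sport, proto)


def aggregate(packets):
    """Return {key: {"flowInd", "dir", "pkts", "bytes"}} for the packets."""
    flows = {}
    next_index = 1
    for p in packets:
        key = flow_key(p)
        if key not in flows:
            rev = flows.get(reverse_key(key))
            if rev is not None:          # opposite direction exists: B flow
                flow_ind, direction = rev["flowInd"], "B"
            else:                        # new flow pair: A flow, fresh index
                flow_ind, direction = next_index, "A"
                next_index += 1
            flows[key] = {"flowInd": flow_ind, "dir": direction,
                          "pkts": 0, "bytes": 0}
        flows[key]["pkts"] += 1
        flows[key]["bytes"] += p.length
    return flows


# Constructed sample traffic: a TCP exchange, a DNS query, and the same DNS
# 5-tuple on a different VLAN (which the default key keeps as a separate flow).
PACKETS = [
    Pkt(10, "10.0.0.5", 40000, "10.0.0.9", 80, 6, 74),
    Pkt(10, "10.0.0.9", 80, "10.0.0.5", 40000, 6, 1514),
    Pkt(10, "10.0.0.5", 40000, "10.0.0.9", 80, 6, 66),
    Pkt(10, "10.0.0.5", 5353, "10.0.0.1", 53, 17, 80),
    Pkt(20, "10.0.0.5", 5353, "10.0.0.1", 53, 17, 80),
]


def flow_table(packets=PACKETS):
    """Rows (dir, flowInd, vlan, src, sport, dst, dport, proto, pkts, bytes)."""
    rows = []
    for key, f in aggregate(packets).items():
        rows.append((f["dir"], f["flowInd"]) + key + (f["pkts"], f["bytes"]))
    return rows


if __name__ == "__main__":
    for row in flow_table():
        print("\t".join(str(x) for x in row))
```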

Each plugin added to T2 will produce additional columns in the flow file, producing an output that is easy to process for any scripting language or standard tools, such as Excel or SPSS.

Packet

The packet mode’s output format is as scripting-friendly as the flow output and is intended as a drill-down instrument, which links back to flows and L7 content via the flowIndex. This mode is discussed in detail in the Packet Mode tutorial.

Monitoring

Network managers often need certain time-sampled parameters, such as the number of packets or the bandwidth. T2 reports into standard tools, such as RRD. This mode is discussed in detail in the Monitoring Mode tutorial.

Alarm

Sometimes L3-4 or content-driven rules or even a custom-built AI classifier define what is interesting for the user. Hence, the alarm mode enables each plugin to control flow processing and release to output. This mode is discussed in detail in the Alarm Mode tutorial.

Force

When operating on an interface, the timeout of a flow is sometimes too long for an appropriate reaction, e.g. when malware is detected, so a notification when a certain packet is seen is required. The force mode enables any plugin to control flow termination at any point in time. All packets following a flow release will be sent to a new flow. This mode is discussed in detail in the Force Mode tutorial.

How to Anteater

In this chapter we will give you a practical introduction to the basic operations with the Anteater. The configuration is really easy thanks to numerous scripts, such as t2conf. So, if you are afraid of command line operations and header file (.h) editing, don’t worry! If you are a Windows 10 user, please follow the Installing Tranalyzer on Windows tutorial first.

Unpack and go

To get started, download Tranalyzer and unpack the tar ball (BTW: lmw means Linux, Mac and Win10 tested). For the uninitiated bash user, the $ in front of each command denotes the bash command line prompt. Do NOT copy it into your command shell!

$ tar -xf tranalyzer2-0.8.6lmw1.tar.gz
$ cd ~/tranalyzer2-0.8.6
$ ls
autogen.sh  ChangeLog  doc  plugins  README.md  scripts  setup.sh  tests  tranalyzer2  utils
$

You see the doc folder, the README.md file (compilation, dependencies for different OS) and the setup.sh script (among others). Tranalyzer2, aka, the core, can be found in the tranalyzer2 folder, while all the plugins can be found in the plugins folder.

$ cd plugins
$ ls
arpDecode   binSink           dhcpDecode  fnameLabel   icmpDecode  lldpDecode   mysqlSink    nFrstPkts   pcapd           protoStats    regex_pcre  snmpDecode  sslDecode     tcpFlags      tp0f          wavelet
autogen.sh  cdpDecode         dnsDecode   ftpDecode    igmpDecode  macRecorder  natNudel     ntpDecode   pktSIATHisto    psqlSink      sctpDecode  socketSink  stpDecode     tcpStates     txtSink
basicFlow   connStat          entropy     geoip        ircDecode   modbus       nDPI         ospfDecode  popDecode       pwX           smbDecode   sqliteSink  syslogDecode  telnetDecode  voipDetector
basicStats  descriptiveStats  findexer    httpSniffer  jsonSink    mongoSink    netflowSink  p0f         portClassifier  radiusDecode  smtpDecode  sshDecode   t2PSkel       tftpDecode    vrrpDecode
$

If you are a rookie to T2, use the setup.sh script under the tranalyzer root directory: it will install all tools, links, t2tools and environment variables for you and compile T2 with the standard basic plugins.

$ ./setup.sh
...

If the setup finished successfully you are all set including t2_aliases.

The good old-fashioned way without ./setup.sh is to invoke ./autogen.sh (note however that this method will NOT install t2_aliases):

$ ./autogen.sh
...

If you want to use the t2_aliases (t2build, t2conf, …) in your current bash window, you have to run the following command:

$ source scripts/t2_aliases
$

If a new bash window is opened, all environment variables will be set automatically. Now try the autocompletion: type t2 and press tab twice.

t2          t2build     t2caplist   t2conf      t2dmon      t2doc       t2edit      t2fm        t2plot      t2PSkel     t2stat      t2timeline  t2wizard

t2 always points to the newest tranalyzer compiled under ~/tranalyzer2-0.8.6/tranalyzer2/src, so you do not need to move to this directory and type ./tranalyzer. t2build compiles the core and/or the plugins. t2conf helps you to configure the core and the plugins and t2stat helps you to send signals to the Anteater. These are the most important for you for the time being. We will come back to the t2 commands later.

Here is a list of the most important t2build options we need in this tutorial (if you want to know more, look at the Building kung fu tutorial):

t2build -h           show help
t2build              compile T2 and standard plugins
t2build -u plugin    unload plugin
t2build -a           compile T2 and all plugins
t2build -c           clean plugin directory
t2build -l           list all plugins under plugin directory
t2build -R           recompile all plugins under plugin directory

If you want to change any configuration of plugins or the core, run

t2conf plugin -D CONSTANT=value

We will practice that extensively in the following, so don’t worry. If you want to know more, have a look at the Configuration kung fu tutorial.

There is also a list of aliases available to facilitate navigation:

tran            go to the latest version of T2
.tran           go to the directory of the compiled plugins (~/.tranalyzer/plugins)
tranpl          go to the plugin source directory of the latest version
plugin          go to the root directory of plugin
t2doc plugin    show the documentation of plugin

Let’s check it out!

$ tran
$ ls
autogen.sh  ChangeLog  doc  plugins  README.md  scripts  setup.sh  tests  tranalyzer2  utils
$ .tran
$ ls
001_protoStats.so  110_macRecorder.so     120_basicStats.so  132_tcpStates.so   150_tcpWin.so       500_connStat.so  ethertypes.txt  portmap.txt  subnets4_HLP.bin
100_basicFlow.so   111_portClassifier.so  130_tcpFlags.so    140_icmpDecode.so  310_httpSniffer.so  901_txtSink.so   manuf.txt       proto.txt    subnets6_HLP.bin
$ tranpl
$ ls
arpDecode   binSink           dhcpDecode  fnameLabel   icmpDecode  lldpDecode   mysqlSink    ntpDecode   pktSIATHisto    psqlSink      sctpDecode  socketSink  stpDecode     tcpFlags      tftpDecode    vrrpDecode
autogen.sh  cdpDecode         dnsDecode   ftpDecode    igmpDecode  macRecorder  nDPI         ospfDecode  popDecode       pwX           smbDecode   sqliteSink  stunDecode    tcpStates     tp0f          wavelet
basicFlow   connStat          entropy     geoip        ircDecode   modbus       netflowSink  p0f         portClassifier  radiusDecode  smtpDecode  sshDecode   syslogDecode  tcpWin        txtSink
basicStats  descriptiveStats  findexer    httpSniffer  jsonSink    mongoSink    nFrstPkts    pcapd       protoStats      regex_pcre    snmpDecode  sslDecode   t2PSkel       telnetDecode  voipDetector
$ basicStats
$ ls
AUTHORS  autogen.sh  ChangeLog  configure.ac  COPYING  doc  Makefile.am  NEWS  README  src  t2plconf  tests
$ t2doc tcpFlags
Documentation for plugin 'tcpFlags' does not exist... build it (Y/n)? y
... Popup of a pdf
$

See? All very simple. It is very helpful to read the documentation, which is built by invoking t2doc.

If the compilation fails, it will tell you what is missing; then refer to the README.md or copy the appropriate dependencies from here. If nothing works, look in the FAQ. If that does not solve your problem, write to the Anteater. He will definitely help you.

If the setup is successful, you may start t2 with the help option for a quick test:

$ t2 -h
Tranalyzer 0.8.6 - High performance flow based network traffic analyzer

Usage:
    tranalyzer [OPTION...] <INPUT>

Input:
    -i IFACE     Listen on interface IFACE
    -r PCAP      Read packets from PCAP file or from stdin if PCAP is "-"
    -R FILE      Process every PCAP file listed in FILE
    -D EXPR[:SCHR][,STOP]
                 Process every PCAP file whose name matches EXPR, up to an
                 optional last index STOP. If STOP is omitted, then Tranalyzer
                 never stops. EXPR can be a filename, e.g., file.pcap0, or an
                 expression, such as "dump*.pcap00", where the star matches
                 anything (note the quotes to prevent the shell from
                 interpreting the expression). SCHR can be used to specify the
                 the last character before the index (default: 'p')

Output:
    -w PREFIX    Append PREFIX to any output file produced. If omitted, then
                 output is diverted to stdout
    -W PREFIX[:SIZE][,START]
                 Like -w, but fragment flow files according to SIZE, producing
                 files starting with index START. SIZE can be specified in bytes
                 (default), KB ('K'), MB ('M') or GB ('G'). Scientific notation,
                 i.e., 1e5 or 1E5 (=100000), can be used as well. If a 'f' is
                 appended, e.g., 10Kf, then SIZE denotes the number of flows.
    -l           Print end report in PREFIX_log.txt instead of stdout
    -s           Packet forensics mode

Optional arguments:
    -p PATH      Load plugins from path PATH instead of ~/.tranalyzer/plugins
    -b FILE      Use plugin list FILE instead of plugin_folder/plugins.txt
    -e FILE      Creates a PCAP file by extracting all packets belonging to
                 flow indexes listed in FILE (requires pcapd plugin)
    -f FACTOR    Sets hash multiplication factor
    -x ID        Sensor ID
    -c CPU       Bind tranalyzer to one core. If CPU is 0 then OS selects the
                 core to bind
    -F FILE      Read BPF filter from FILE

Help and documentation arguments:
    -v           Show the version of the program and exit
    -h           Show help options and exit

Remaining arguments:
    BPF          Berkeley Packet Filter command, as in tcpdump

If you cannot wait and would like to try it now on an interface, go ahead and use the -i option. Here we will read from pcaps, so only the -r, -R or -D options are relevant. The latter two are only useful if more than one pcap is to be analysed (learn more about that in the Multi File I/O tutorial!). For this tutorial, -r is the option of choice. The -w option defines where the flow files will be written to. If you omit it, T2 writes to the folder of the pcap and derives the output prefix from the pcap. The rest is currently not important.

A good practice for analysis and mining jobs is to create a separate data and results directory as follows:

$ mkdir ~/data
$ mkdir ~/results
$ cd data

Download the pcap annoloc2.pcap into your data folder either via a click on the link or via command line.

$ cd ~/data
$ wget https://tranalyzer.com/download/data/annoloc2.pcap
...
$

Now feed the pcap to the Anteater as follows:

$ t2 -r ~/data/annoloc2.pcap -w ~/results
================================================================================
Tranalyzer 0.8.6 (Anteater), Tarantula. PID: 98425
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: protoStats, 0.8.6
    02: basicFlow, 0.8.6
    03: macRecorder, 0.8.6
    04: portClassifier, 0.8.6
    05: basicStats, 0.8.6
    06: tcpFlags, 0.8.6
    07: tcpStates, 0.8.6
    08: icmpDecode, 0.8.6
    09: connStat, 0.8.6
    10: txtSink, 0.8.6
[INF] basicFlow: IPv4 Ver: 4, Rev: 01102019, Range Mode: 0, subnet ranges loaded: 313050 (313.05 K)
[INF] basicFlow: IPv6 Ver: 4, Rev: 01102019, Range Mode: 0, subnet ranges loaded: 21495 (21.50 K)
Processing file: /home/wurst/data/annoloc2.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1022171701.691172 sec (Thu 23 May 2002 16:35:01 GMT)
[WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500
Dump stop : 1022171726.640398 sec (Thu 23 May 2002 16:35:26 GMT)
Total dump duration: 24.949226 sec
Finished processing. Elapsed time: 0.852957 sec
Finished unloading flow memory. Time: 1.283424 sec
Percentage completed: 100.00%
Number of processed packets: 1219015 (1.22 M)
Number of processed bytes: 64082726 (64.08 M)
Number of raw bytes: 844642686 (844.64 M)
Number of pcap bytes: 83586990 (83.59 M)
Number of IPv4 packets: 1218588 (1.22 M) [99.96%]
Number of IPv6 packets: 180 [0.01%]
Number of A packets: 561591 (561.59 K) [46.07%]
Number of B packets: 657424 (657.42 K) [53.93%]
Number of A bytes: 29274086 (29.27 M) [45.68%]
Number of B bytes: 34808640 (34.81 M) [54.32%]
Average A packet load: 52.13
Average B packet load: 52.95
--------------------------------------------------------------------------------
basicStats: Biggest L2 Talker: 00:d0:02:6d:78:00: 57 [0.00%] packets
basicStats: Biggest L2 Talker: 00:d0:02:6d:78:00: 3420 (3.42 K) [0.01%] bytes
basicStats: Biggest L3 Talker: 138.212.189.38 (JP): 23601 (23.60 K) [1.94%] packets
basicStats: Biggest L3 Talker: 138.212.189.38 (JP): 35005508 (35.01 M) [54.63%] bytes
tcpFlags: Aggregated ipFlags: 0x3dff
tcpFlags: Aggregated tcpAnomaly: 0xff47
tcpFlags: Number of TCP scans, succ scans, syn retries, seq retries: 685, 2569 (2.57 K), 114, 933
tcpFlags: Number WinSz below 1: 2415 (2.42 K) [0.25%]
tcpStates: Aggregated anomaly flags: 0xdf
icmpDecode: Number of ICMP echo request packets: 224 [7.32%]
icmpDecode: Number of ICMP echo reply packets: 191 [6.24%]
icmpDecode: ICMP echo reply / request ratio: 0.85
connStat: Number of unique source IPs: 4292 (4.29 K)
connStat: Number of unique destination IPs: 2900 (2.90 K)
connStat: Number of unique source/destination IPs connections: 182
connStat: Max unique number of source IP / destination port connections: 413
connStat: IP prtcon/sdcon, prtcon/scon: 2.269231, 0.096226
connStat: Source IP with max connections: 138.212.189.66 (JP): 369 connections
connStat: Destination IP with max connections: 138.212.184.235 (JP): 403 connections
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, average: 3.01
Number of GRE packets: 20 [0.00%]
Number of IGMP packets: 12 [0.00%]
Number of ICMP packets: 3059 (3.06 K) [0.25%]
Number of ICMPv6 packets: 11 [0.00%]
Number of TCP packets: 948743 (948.74 K) [77.83%]
Number of TCP bytes: 52643546 (52.64 M) [82.15%]
Number of UDP packets: 266900 (266.90 K) [21.89%]
Number of UDP bytes: 11234272 (11.23 M) [17.53%]
Number of IPv4 fragmented packets: 2284 (2.28 K) [0.19%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 17589 (17.59 K)
Number of processed A flows: 9980 (9.98 K) [56.74%]
Number of processed B flows: 7609 (7.61 K) [43.26%]
Number of request     flows: 9452 (9.45 K) [53.74%]
Number of reply       flows: 8137 (8.14 K) [46.26%]
Total   A/B    flow asymmetry: 0.13
Total req/rply flow asymmetry: 0.07
Number of processed   packets/flows: 69.31
Number of processed A packets/flows: 56.27
Number of processed B packets/flows: 86.40
Number of processed total packets/s: 48859.83 (48.86 K)
Number of processed A+B packets/s: 48859.83 (48.86 K)
Number of processed A   packets/s: 22509.36 (22.51 K)
Number of processed   B packets/s: 26350.48 (26.35 K)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 704.99
Average full raw bandwidth: 270835712 b/s (270.84 Mb/s)
Average snapped bandwidth : 20548206 b/s (20.55 Mb/s)
Average full bandwidth : 270269600 b/s (270.27 Mb/s)
Max number of flows in memory: 15206 (15.21 K) [5.80%]
Memory usage: 0.18 GB [0.27%]
Aggregate flow status: 0x000018fa0202d044
[WRN] L3 SnapLength < Length in IP header
[WRN] L4 header snapped
[WRN] Consecutive duplicate IP ID
[WRN] IPv4/6 fragmentation header packet missing
[WRN] IPv4/6 packet fragmentation sequence not finished
[INF] IPv4
[INF] IPv6
[INF] IPv4/6 fragmentation
[INF] IPv4/6 in IPv4/6
[INF] GRE encapsulation
[INF] SSDP/UPnP flows
[INF] Ethernet flows
[INF] ARP flows
$

T2 produces an end report, which serves as an initial assessment of the pcap content and anomalies. After basic packet and byte statistics, each plugin adds some statistical or hex coded info between the ------ lines which will be discussed later. Moreover, flow based statistics are reported to assess the traffic seen on the wire. At the end, certain protocol based information and warnings about traffic content are reported to alert the user. Thus, an initial assessment is possible without even looking into flows or packets which is essential when dealing with large quantities of traffic.

All plugins reside in the plugins folder and have a src (.h, .c), a doc (.tex, .pdf) and a tests (auto-testing) directory. Important for now is the doc folder, where you will find a PDF describing the plugin. The complete documentation of Tranalyzer2, all the plugins and scripts can be found under doc/documentation.pdf. The rest will be discussed later.

The primary goal of this tutorial is to give you a basic introduction to the art of traffic mining using Tranalyzer. So without further ado, let’s start with the very basics!

Have fun!

Basic flow based plugins

For beginners, let’s start with the very basic flow plugins and only use flow based text output, aka the extended NetFlow7 flow output. We will only need the following:

tranalyzer2    Anteater’s core
basicFlow      Flow output definition + geo labeling + encapsulation info
basicStats     Basic statistics including Traffic Mining extensions
txtSink        Produces a tab separated text file: _flows.txt

Let’s unload unnecessary compiled plugins first:

$ t2build -u protoStats macRecorder portClassifier tcpFlags tcpStates icmpDecode connStat

Plugin 'protoStats'


Plugin 'macRecorder'


Plugin 'portClassifier'


Plugin 'tcpFlags'


Plugin 'tcpStates'


Plugin 'icmpDecode'


Plugin 'connStat'


UNLOADING SUCCESSFUL
$

Now restart the Anteater and have a look at what changed in the end report:

$ t2 -r ~/data/annoloc2.pcap -w ~/results
================================================================================
Tranalyzer 0.8.6 (Anteater), Tarantula. PID: 98636
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.6
    02: basicStats, 0.8.6
    03: txtSink, 0.8.6
[INF] basicFlow: IPv4 Ver: 4, Rev: 01102019, Range Mode: 0, subnet ranges loaded: 313050 (313.05 K)
[INF] basicFlow: IPv6 Ver: 4, Rev: 01102019, Range Mode: 0, subnet ranges loaded: 21495 (21.50 K)
Processing file: /home/wurst/data/annoloc2.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1022171701.691172 sec (Thu 23 May 2002 16:35:01 GMT)
[WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500
Dump stop : 1022171726.640398 sec (Thu 23 May 2002 16:35:26 GMT)
Total dump duration: 24.949226 sec
Finished processing. Elapsed time: 0.441768 sec
Finished unloading flow memory. Time: 0.638205 sec
Percentage completed: 100.00%
Number of processed packets: 1219015 (1.22 M)
Number of processed bytes: 64082726 (64.08 M)
Number of raw bytes: 844642686 (844.64 M)
Number of pcap bytes: 83586990 (83.59 M)
Number of IPv4 packets: 1218588 (1.22 M) [99.96%]
Number of IPv6 packets: 180 [0.01%]
Number of A packets: 564227 (564.23 K) [46.29%]
Number of B packets: 654788 (654.79 K) [53.71%]
Number of A bytes: 29447862 (29.45 M) [45.95%]
Number of B bytes: 34634864 (34.63 M) [54.05%]
Average A packet load: 52.19
Average B packet load: 52.89
--------------------------------------------------------------------------------
basicStats: Biggest L2 Talker: 00:d0:02:6d:78:00: 57 [0.00%] packets
basicStats: Biggest L2 Talker: 00:d0:02:6d:78:00: 3420 (3.42 K) [0.01%] bytes
basicStats: Biggest L3 Talker: 138.212.189.38 (JP): 23601 (23.60 K) [1.94%] packets
basicStats: Biggest L3 Talker: 138.212.189.38 (JP): 35005508 (35.01 M) [54.63%] bytes
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, average: 3.01
Number of GRE packets: 20 [0.00%]
Number of IGMP packets: 12 [0.00%]
Number of ICMP packets: 3059 (3.06 K) [0.25%]
Number of ICMPv6 packets: 11 [0.00%]
Number of TCP packets: 948743 (948.74 K) [77.83%]
Number of TCP bytes: 52643546 (52.64 M) [82.15%]
Number of UDP packets: 266900 (266.90 K) [21.89%]
Number of UDP bytes: 11234272 (11.23 M) [17.53%]
Number of IPv4 fragmented packets: 2284 (2.28 K) [0.19%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 17086 (17.09 K)
Number of processed A flows: 9704 (9.70 K) [56.80%]
Number of processed B flows: 7382 (7.38 K) [43.20%]
Number of request     flows: 9661 (9.66 K) [56.54%]
Number of reply       flows: 7425 (7.42 K) [43.46%]
Total   A/B    flow asymmetry: 0.14
Total req/rply flow asymmetry: 0.13
Number of processed   packets/flows: 71.35
Number of processed A packets/flows: 58.14
Number of processed B packets/flows: 88.70
Number of processed total packets/s: 48859.83 (48.86 K)
Number of processed A+B packets/s: 48859.83 (48.86 K)
Number of processed A   packets/s: 22615.01 (22.61 K)
Number of processed   B packets/s: 26244.82 (26.24 K)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 684.83
Average full raw bandwidth: 270835712 b/s (270.84 Mb/s)
Average snapped bandwidth : 20548206 b/s (20.55 Mb/s)
Average full bandwidth : 270269600 b/s (270.27 Mb/s)
Max number of flows in memory: 17086 (17.09 K) [6.52%]
Memory usage: 0.08 GB [0.11%]
Aggregate flow status: 0x000018fa0202d044
[WRN] L3 SnapLength < Length in IP header
[WRN] L4 header snapped
[WRN] Consecutive duplicate IP ID
[WRN] IPv4/6 fragmentation header packet missing
[WRN] IPv4/6 packet fragmentation sequence not finished
[INF] IPv4
[INF] IPv6
[INF] IPv4/6 fragmentation
[INF] IPv4/6 in IPv4/6
[INF] GRE encapsulation
[INF] SSDP/UPnP flows
[INF] Ethernet flows
[INF] ARP flows
$

T2 produces an end report, which serves as an initial assessment of the pcap content and anomalies. Each plugin adds some info between the ------ lines. basicStats shows the biggest talker in terms of traffic volume and country of origin. It is one of the first features relevant to understanding large traffic pcaps. There are also biggest talkers with regard to the number of connections. This will be discussed in Basic traffic volume and connection analysis.

So it is an old pcap from 2002, captured in the afternoon. It contains IPv4/6 and Ethernet traffic, and the payload is snapped. At the bottom, you see warnings ([WRN]) and information ([INF]). They are decoded from the aggregated flow status, which is the OR of the status registers of all flows.

There are packets snapped even down to the L2 header, and fragments without a header or an end. The difference between the snapped bandwidth and the full raw bandwidth indicates that either the snaplength was small, maybe the default, or somebody actually tampered with the packet content. The average packet load is symmetric for A and B flows, which is very odd. The protocols used indicate that the traffic is either corporate or from the wild. So if you want good traffic with content for your job, I wouldn’t trust that pcap and would send it right back to the customer.

T2 also produces the following files:

$ ls
annoloc2_flows.txt	annoloc2_headers.txt

The headers file contains information about the columns of the flow file, such as time, column positions, T2 config, the name of the pcap file, vital interface information, etc. This information makes it easier to reproduce results from different experiments and serves as good documentation.

$ cat annoloc2_headers.txt
# Date: 1566316839.259591 sec (Tue 20 Aug 2019 18:00:39 CEST)
# Tranalyzer 0.8.6 (Anteater), Tarantula.
# Core configuration: L2, IPv4, IPv6
# sensorID: 666
# PID: 27697
# Command line: /home/wurst/tranalyzer -r /home/wurst/data/annoloc2.pcap -w /home/wurst/data/results/BW_2013/
# HW Info: eierfeile;Linux;5.2.9-arch1-1-ARCH;#1 SMP PREEMPT Fri Aug 16 11:29:43 UTC 2019;x86_64
#
# Plugins loaded:
#   01: basicFlow, version 0.8.6
#   02: basicStats, version 0.8.6
#   03: txtSink, version 0.8.6
#
# Col No.       Type    Name    Description
1       C       dir     Flow direction
2       U64     flowInd Flow index
3       H64     flowStat        Flow status and warnings
4       U64.U32 timeFirst       Date time of first packet
5       U64.U32 timeLast        Date time of last packet
6       U64.U32 duration        Flow duration
7       U8      numHdrDesc      Number of different headers descriptions
8       U16:R   numHdrs Number of headers (depth) in hdrDesc
9       SC:R    hdrDesc Headers description
10      MAC:R   srcMac  Mac source
11      MAC:R   dstMac  Mac destination
12      H16     ethType Ethernet type
13      U16:R   ethVlanID       VLAN IDs
14      IPX     srcIP   Source IP address
15      SC      srcIPCC Source IP country code
16      S       srcIPWho        Source IP who
17      U16     srcPort Source port
18      IPX     dstIP   Destination IP address
19      SC      dstIPCC Destination IP country code
20      S       dstIPWho        Destination IP who
21      U16     dstPort Destination port
22      U8      l4Proto Layer 4 protocol
23      U64     numPktsSnt      Number of transmitted packets
24      U64     numPktsRcvd     Number of received packets
25      U64     numBytesSnt     Number of transmitted bytes
26      U64     numBytesRcvd    Number of received bytes
27      U16     minPktSz        Minimum layer 3 packet size
28      U16     maxPktSz        Maximum layer 3 packet size
29      F       avePktSize      Average layer 3 packet size
30      F       stdPktSize      Standard deviation layer 3 packet size
31      F       minIAT  Minimum IAT
32      F       maxIAT  Maximum IAT
33      F       aveIAT  Average IAT
34      F       stdIAT  Standard deviation IAT
35      F       pktps   Send packets per second
36      F       bytps   Send bytes per second
37      F       pktAsm  Packet stream asymmetry
38      F       bytAsm  Byte stream asymmetry
$

Now compare it with the flow file: the columns flowInd to l4Proto originate from basicFlow. After that and until bytAsm, the columns are produced by the basicStats plugin. I picked some interesting flows which demonstrate T2 operation when traffic has been tampered with, i.e., all flows which are damaged due to a limited snapLength in the acquisition process. Let’s sort them out:

$ tawk -V flowStat=0x0000080f00000000

The flowStat column with value 0x0000080f00000000 is to be interpreted as follows:

   bit | flowStat              | Description
   =============================================================================
    32 | 0x0000 0001 0000 0000 | Acquired packet length < minimal L2 datagram
    33 | 0x0000 0002 0000 0000 | Acquired packet length < packet length in L3 header
    34 | 0x0000 0004 0000 0000 | Acquired packet length < minimal L3 Header
    35 | 0x0000 0008 0000 0000 | Acquired packet length < minimal L4 Header
    43 | 0x0000 0800 0000 0000 | Stop dissecting

Let’s say we are only interested in weeding out the ones where even the layer 2 header is damaged and T2 gave up further dissecting. Then use the following tawk command:

$ tawk 'bitsanyset($flowStat, 0x0000080100000000)' annoloc2_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc                                                                                              srcMac             dstMac             ethType  ethVlanID  srcIP                                  srcIPCC  srcIPWho                       srcPort  dstIP                      dstIPCC  dstIPWho                     dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT      stdIAT        pktps      bytps      pktAsm      bytAsm
A     260      0x0000080200028000  1022171701.707777  1022171701.707777  0.000000   1           4        eth:ipv4:ipv6:UNK(168)                                                                               00:d0:02:6d:78:00  00:60:08:2c:ca:8e  0x86dd              cfb6:1c18:5010:faf0:7f66:0:101:80a     --       "--"                           0        6c2:6a7f:1:384b::c100      --       "--"                         0        168      1           0            41630        0             41630     41630     41630       0           0       0         0           0             0          0          1           1
A     885      0x0000080200028000  1022171701.810764  1022171701.810764  0.000000   1           4        eth:ipv4:ipv6:UNK(133)                                                                               00:d0:02:6d:78:00  00:60:08:2c:ca:8e  0x86dd              e499:578c:5090:81d0:891b:0:101:80a     --       "--"                           0        514:2343:2e3c:512::c100    --       "--"                         0        133      1           0            55304        0             55304     55304     55304       0           0       0         0           0             0          0          1           1
A     1894     0x000008d200004000  1022171702.614414  1022171702.614414  0.000000   1           3        eth:ipv4:udp                                                                                         00:80:48:b3:0e:ed  00:d0:02:6d:78:00  0x0800              138.212.188.118                        jp       "ASAHI KASEI CORPORATION"      0        201.9.46.255               br       "Telemar Norte Leste S.A."   0        17       1           0            52           0             52        52        52          0           0       0         0           0             0          0          1           1
A     3047     0x0000080200028000  1022171704.484515  1022171704.484515  0.000000   1           4        eth:ipv4:ipv6:UNK(147)                                                                               00:d0:02:6d:78:00  00:a0:c9:07:e0:73  0x86dd              baea:e860:8090:4470:cf67:0:101:50a     --       "--"                           0        baea:ee14:baeb:2ac::c100   --       "--"                         0        147      1           0            18922        0             18922     18922     18922       0           0       0         0           0             0          0          1           1
A     3452     0x0000080200028000  1022171705.349871  1022171705.349871  0.000000   1           4        eth:ipv4:ipv6:UNK(126)                                                                               00:d0:02:6d:78:00  00:a0:c9:07:e0:73  0x86dd              d973:ceac:5010:fa94:12db:0:101:80a     --       "--"                           0        12ea:b284:3:ceeb::c100     --       "--"                         0        126      1           0            38816        0             38816     38816     38816       0           0       0         0           0             0          0          1           1
A     3992     0x0000080200005000  1022171706.878547  1022171707.000313  0.121766   2           4;4      eth:ipv4:gre:UNK(0x98c0);eth:ipv4:gre:UNK(0xb30d)                                                    00:d0:02:6d:78:00  00:60:08:2c:ca:8e  0x0800              200.134.37.255                         br       "Associação Rede Nacional "    0        138.212.185.216            jp       "ASAHI KASEI CORPORATION"    0        47       2           2            170          210           68        102       85          12.02081    0       0.121766  0.06088299  0.04305077    16.42495   1396.12    0           -0.1052632
B     3992     0x0000080200005001  1022171706.931865  1022171706.962666  0.030801   2           4;4      eth:ipv4:gre:UNK(0x9604);eth:ipv4:gre:UNK(0x386d)                                                    00:60:08:2c:ca:8e  00:d0:02:6d:78:00  0x0800              138.212.185.216                        jp       "ASAHI KASEI CORPORATION"      0        200.134.37.255             br       "Associação Rede Nacional "  0        47       2           2            210          170           76        134       105         20.5061     0       0.030801  0.0154005   0.0108898     64.93295   6817.96    0           0.1052632
A     4529     0x0000080200028000  1022171708.439927  1022171708.439927  0.000000   1           4        eth:ipv4:ipv6:UNK(95)                                                                                00:d0:02:6d:78:00  00:a0:c9:07:e0:73  0x86dd              48d5:5fad:50d0:16d0:4a16:0:101:80a     --       "--"                           0        53eb:c1d7:86:4d37::c100    --       "--"                         0        95       1           0            28079        0             28079     28079     28079       0           0       0         0           0             0          0          1           1
A     4826     0x0000180200005000  1022171709.440443  1022171709.552021  0.111578   4           4;4;4;4  eth:ipv4:gre:UNK(0xa808);eth:ipv4:gre:UNK(0x7d69);eth:ipv4:gre:UNK(0x6f6d);eth:ipv4:gre:UNK(0x0104)  00:d0:02:6d:78:00  00:60:08:2d:05:66  0x0800              19.228.184.27                          us       "Ford Motor Company"           0        138.212.186.191            jp       "ASAHI KASEI CORPORATION"    0        47       4           3            162          166           36        46        40.5        2.534484    0       0.111571  0.0278945   0.0363073     35.84936   1451.899   0.1428571   -0.01219512
B     4826     0x0000180200005001  1022171709.441758  1022171709.552128  0.110370   3           4;4;4    eth:ipv4:gre:UNK(0x5100);eth:ipv4:gre:UNK(0xc309);eth:ipv4:gre:UNK(0x1fa1)                           00:60:08:2d:05:66  00:d0:02:6d:78:00  0x0800              138.212.186.191                        jp       "ASAHI KASEI CORPORATION"      0        19.228.184.27              us       "Ford Motor Company"         0        47       3           4            166          162           48        66        55.33333    5.541092    0       0.109442  0.03679     0.0419465     27.1813    1504.032   -0.1428571  0.01219512
A     6023     0x0000080200028000  1022171713.252296  1022171713.252296  0.000000   1           4        eth:ipv4:ipv6:UNK(28)                                                                                00:d0:02:6d:78:00  00:a0:c9:07:e0:73  0x86dd              6f:1256:5050:4402:331e:0:101:50a       --       "--"                           0        223:fd3e:223:ff56::c100    --       "--"                         0        28       1           0            2543         0             2543      2543      2543        0           0       0         0           0             0          0          1           1
A     6066     0x0000080200028000  1022171713.395746  1022171713.395746  0.000000   1           4        eth:ipv4:ipv6:UNK(229)                                                                               00:d0:02:6d:78:00  00:a0:c9:07:e0:73  0x86dd              e29f:74ec:50d0:f53c:98e3:0:101:80a     --       "--"                           0        12ea:b5a9:3:cf3b::c100     --       "--"                         0        229      1           0            22844        0             22844     22844     22844       0           0       0         0           0             0          0          1           1
A     6094     0x0000080200028000  1022171713.450109  1022171713.450109  0.000000   1           4        eth:ipv4:ipv6:UNK(64)                                                                                00:d0:02:6d:78:00  00:a0:c9:07:e0:73  0x86dd              392:fc19:5050:20e2:a7c3:0:101:80a      --       "--"                           0        be1:fcff:6ca:1b09::c100    --       "--"                         0        64       1           0            174          0             174       174       174         0           0       0         0           0             0          0          1           1
A     6173     0x0000085200004000  1022171713.796490  1022171713.796491  0.000001   1           3        eth:ipv4:udp                                                                                         00:d0:02:6d:78:00  00:80:c8:8f:ca:5e  0x0800              16.46.171.138                          us       "HEWLETT PACKARD ENTERPRISE "  0        138.212.189.231            jp       "ASAHI KASEI CORPORATION"    0        17       2           0            2377         0             897       1480      1188.5      206.1216    0       1e-06     5e-07       3.535534e-07  2000000    2.377e+09  1           1
A     6913     0x0000080200028000  1022171716.432198  1022171716.432198  0.000000   1           4        eth:ipv4:ipv6:UNK(223)                                                                               00:d0:02:6d:78:00  00:a0:c9:07:e0:73  0x86dd              75a4:9abd:80d0:4470:b5e2:317b:101:50a  --       "--"                           0        75a4:a071:75a4:be39::c100  --       "--"                         0        223      1           0            9            0             9         9         9           0           0       0         0           0             0          0          1           1
A     7045     0x0000080200028000  1022171716.967592  1022171716.967592  0.000000   1           4        eth:ipv4:ipv6:UNK(228)                                                                               00:d0:02:6d:78:00  00:a0:c9:07:e0:73  0x86dd              4b9:f24c:8090:4470:4b24:0:101:50a      --       "--"                           0        4b9:f800:4ba:c98::c100     --       "--"                         0        228      1           0            54359        0             54359     54359     54359       0           0       0         0           0             0          0          1           1
A     7462     0x0000080200028000  1022171718.639159  1022171718.639159  0.000000   1           4        eth:ipv4:ipv6:UNK(23)                                                                                00:d0:02:6d:78:00  00:a0:c9:07:e0:73  0x86dd              169e:bdd8:5090:4470:e911:0:101:50a     --       "--"                           0        5dc9:ed57:5dc9:f687::c100  --       "--"                         0        23       1           0            47306        0             47306     47306     47306       0           0       0         0           0             0          0          1           1
A     7826     0x0000080200028000  1022171719.869360  1022171719.869360  0.000000   1           4        eth:ipv4:ipv6:UNK(79)                                                                                00:d0:02:6d:78:00  00:50:04:56:32:a7  0x86dd              1439:5c49:5050:4470:c74a:0:101:80a     --       "--"                           0        53eb:c64f:86:4da9::c100    --       "--"                         0        79       1           0            17563        0             17563     17563     17563       0           0       0         0           0             0          0          1           1
A     8640     0x0000080200028000  1022171722.741406  1022171722.741406  0.000000   1           4        eth:ipv4:ipv6:UNK(131)                                                                               00:20:18:80:4a:b6  00:d0:02:6d:78:00  0x86dd              153c:303:5090:1920:4005:0:101:50a      --       "--"                           0        b9bd:772f:b9bd:94f7::c100  --       "--"                         0        131      1           0            15927        0             15927     15927     15927       0           0       0         0           0             0          0          1           1
A     8665     0x0000080200028000  1022171722.847259  1022171722.847259  0.000000   1           4        eth:ipv4:ipv6:UNK(22)                                                                                00:d0:02:6d:78:00  00:20:18:80:4a:b6  0x86dd              b2e:42d1:5010:faf0:96fa:0:101:50a      --       "--"                           0        e4ba:2af3:e4ba:365b::c100  --       "--"                         0        22       1           0            44888        0             44888     44888     44888       0           0       0         0           0             0          0          1           1
A     8891     0x0000080200028000  1022171723.637810  1022171723.637810  0.000000   1           4        eth:ipv4:ipv6:UNK(231)                                                                               00:d0:02:6d:78:00  00:a0:c9:07:e0:73  0x86dd              d9d3:fbc:5090:4470:9b77:0:101:80a      --       "--"                           0        63c:854c:15b:8f49::c100    --       "--"                         0        231      1           0            58513        0             58513     58513     58513       0           0       0         0           0             0          0          1           1
A     985      0x0000081a00004000  1022171701.848919  1022171726.366145  24.517226  1           3        eth:ipv4:udp                                                                                         00:d0:02:6d:78:00  00:e0:29:04:0a:18  0x0800              201.232.53.168                         co       "EPM Telecomunicaciones S.A."  3289     138.212.189.228            jp       "ASAHI KASEI CORPORATION"    1533     17       203         0            203200       0             58        1480      1000.985    661.1511    0       0.391237  0.1207745   0.1718241     8.279893   8288.051   1           1
A     3895     0x0000080a00005000  1022171706.645144  1022171726.589552  19.944408  4           4;4;4;4  eth:ipv4:gre:UNK(0xaa18);eth:ipv4:gre:UNK(0xe805);eth:ipv4:gre:UNK(0x1d11);eth:ipv4:gre:UNK(0x0e0f)  00:d0:02:6d:78:00  00:50:fc:20:5d:67  0x0800              201.9.4.49                             br       "Telemar Norte Leste S.A."     0        138.212.191.213            jp       "ASAHI KASEI CORPORATION"    0        47       4           5            137          256           0         86        34.25       26.7212     0       11.01577  4.986102    3.825814      0.2005575  6.869093   -0.1111111  -0.302799
B     3895     0x0001080a00005001  1022171706.645835  1022171726.447349  19.801514  4           4;4;4;4  eth:ipv4:gre:UNK(0x8b00);eth:ipv4:gre:UNK(0x1400);eth:ipv4:gre:UNK(0x900a);eth:ipv4:gre:UNK(0xe6ef)  00:50:fc:20:5d:67  00:d0:02:6d:78:00  0x0800              138.212.191.213                        jp       "ASAHI KASEI CORPORATION"      0        201.9.4.49                 br       "Telemar Norte Leste S.A."   0        47       5           4            256          137           0         234       51.2        81.84808    0       10.97614  3.960303    3.838957      0.252506   12.9283    0.1111111   0.302799
A     98       0x0000081a00004000  1022171701.699706  1022171726.576813  24.877107  1           3        eth:ipv4:udp                                                                                         00:80:48:b3:0e:ed  00:d0:02:6d:78:00  0x0800              138.212.188.118                        jp       "ASAHI KASEI CORPORATION"      655      201.9.46.255               br       "Telemar Norte Leste S.A."   655      17       1014        508          765108       48768         52        1472      754.5444    706.6323    0       0.833577  0.02453363  0.04786205    40.76036   30755.5    0.3324573   0.8801587
A     1290     0x0000081a00004000  1022171702.058266  1022171726.575284  24.517018  1           3        eth:ipv4:udp                                                                                         00:d0:02:6d:78:00  00:10:60:59:f1:4b  0x0800              16.103.245.128                         us       "HEWLETT PACKARD ENTERPRISE "  1120     138.212.191.249            jp       "ASAHI KASEI CORPORATION"    1461     17       134         0            103940       0             58        1480      775.6716    693.8904    0       0.747904  0.1829628   0.1880735     5.465591   4239.504   1           1
A     1291     0x000008f200004000  1022171702.058274  1022171726.575521  24.517247  1           3        eth:ipv4:udp                                                                                         00:d0:02:6d:78:00  00:10:60:59:f1:4b  0x0800              16.103.245.128                         us       "HEWLETT PACKARD ENTERPRISE "  0        138.212.191.249            jp       "ASAHI KASEI CORPORATION"    0        17       64          0            94720        0             1480      1480      1480        0           0       0.747897  0.383082    0.08560037    2.610407   3863.403   1           1
A     9709     0x0000080200028000  1022171726.587705  1022171726.587705  0.000000   1           4        eth:ipv4:ipv6:UNK(114)                                                                               00:d0:02:6d:78:00  00:a0:c9:07:e0:73  0x86dd              e8:3dce:50d0:2180:f660:0:101:80a       --       "--"                           0        514:2cf1:2e3c:ec2::c100    --       "--"                         0        114      1           0            47           0             47        47        47          0           0       0         0           0             0          0          1           1
A     126      0x0000083a00004000  1022171701.700965  1022171726.594434  24.893469  1           3        eth:ipv4:udp                                                                                         00:d0:02:6d:78:00  00:80:c8:8f:ca:5e  0x0800              16.46.171.138                          us       "HEWLETT PACKARD ENTERPRISE "  4623     138.212.189.231            jp       "ASAHI KASEI CORPORATION"    1490     17       742         0            952154       0             885       1480      1283.226    271.766     0       0.202366  0.03354916  0.04754491    29.80701   38249.15   1           1
A     406      0x0000081a00004000  1022171701.717743  1022171726.607895  24.890152  1           3        eth:ipv4:udp                                                                                         00:d0:02:6d:78:00  00:e0:29:04:0b:81  0x0800              18.14.224.62                           us       "Massachusetts Institute of "  4383     138.212.191.34             jp       "ASAHI KASEI CORPORATION"    2428     17       136         0            154156       0             795       1472      1133.5      332.2789    0       0.665421  0.1830158   0.1876362     5.464008   6193.454   1           1
$

If you don’t like tabs as a separator, change SEP_CHR from "\t" to any character(s) you like and recompile txtSink. The simplest way to do that is with t2conf:

$ t2conf txtSink -D SEP_CHR='","'
$ t2build txtSink
...
$

Alternatively, directly edit the value in utils/bin2txt.h:

Note however that some scripts and tools may require additional options if you change the default separator, so we will stick with tabs for this tutorial.

We use a lot of hex coded status variables because every piece of info in a flow has to be multiplied by the number of flows T2 has to hold in memory, and you will find that selecting flows is way easier with hex coding. Each bit has a meaning; please refer to basicFlow.pdf under doc/, e.g., by running t2doc basicFlow, or type:

$ tawk -V flowStat=0x0001080a00005001
The flowStat column with value 0x0001080a00005001 is to be interpreted as follows:

   bit | flowStat            | Description
   =============================================================================
     0 | 0x00000000 00000001 | Inverted flow, did not initiate connection
    12 | 0x00000000 00001000 | GRE v1/2
    14 | 0x00000000 00004000 | IPv4
    33 | 0x00000002 00000000 | Acquired packet length < packet length in L3 header
    35 | 0x00000008 00000000 | Acquired packet length < minimal L4 Header
    43 | 0x00000800 00000000 | Stop dissecting
    48 | 0x00010000 00000000 | Header description overrun

A single A flow can also be the answering flow if flowStat bit 0 is set. T2 sets this bit according to L4/7 info to the best of its knowledge. We will come back to this topic when discussing ICMP flows.

Now try to select flows yourself! Let’s say all flows with source port 443 that have an issue with the acquired packet length and where T2 stopped dissecting to prevent overrunning the pcap memory. This requires a bitwise AND of flowStat with a mask, plus a selection of srcPort 443:

$ tawk 'bitsanyset($flowStat, 0x0000080f00000000) && sport(443)' annoloc2_flows.txt | tcol
dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP           srcIPCC  srcIPWho      srcPort  dstIP            dstIPCC  dstIPWho                   dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT     stdIAT    pktps     bytps     pktAsm  bytAsm
B     4072     0x0000000a00004001  1022171707.227811  1022171708.640243  1.412432  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:50:fc:2c:09:2a  0x0800              70.128.234.203  us       "AT&T Corp."  443      138.212.190.164  jp       "ASAHI KASEI CORPORATION"  1328     6        13          12           3907         917           0         536       300.5385    198.701     0       0.506266  0.1086486  0.118678  9.203983  2766.151  0.04    0.6198176
$

A port 443 response from the USA (AT&T) to Japan (the Asahi Kasei Corp.). Interesting, somebody browsing? If you are really interested in what the person is doing, you need to add the sslDecode plugin or look into the traffic with httpSniffer; maybe they have a configuration error and everything is plain text. But careful! Look at the flowStat: it says that even the L4 header is clipped, so these content plugins are useless. Having so many warnings in your end report, you should immediately make the guy who gave you this crap eat furniture. Whoops, that was me. So better not.

Nevertheless, this happens in practice, so the warning flags are very useful to save valuable analysis time. Play around a little bit and you will discover how easy it is to select and assess the health and utility of specific flows or even whole pcaps.
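The flowStat decoding and the bitsanyset()/sport() selection above, as an added Python example that is not Tranalyzer2 or tawk code: it splits a flowStat value into its set bits using only the bit meanings this tutorial lists (undocumented bits are reported as such, not guessed) and filters a constructed, trimmed sample of the flow file with a mask. FLOWSTAT_BITS, SAMPLE, LENGTH_OR_STOP and the function names are assumptions of this example.

```python
"""Decode Tranalyzer2 flowStat values and select flows by bit mask.

Added example for this tutorial; it is not Tranalyzer2 code. The bit
meanings below are copied from the `tawk -V flowStat=...` output shown in
the tutorial; bits it does not describe are reported as undocumented.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# flowStat bits as documented in this tutorial (basicFlow plugin).
FLOWSTAT_BITS: Dict[int, str] = {
    0: "Inverted flow, did not initiate connection",
    12: "GRE v1/2",
    14: "IPv4",
    33: "Acquired packet length < packet length in L3 header",
    35: "Acquired packet length < minimal L4 Header",
    43: "Stop dissecting",
    48: "Header description overrun",
}


def set_bits(value: int) -> List[int]:
    """Positions of all set bits of a 64-bit flowStat, lowest first."""
    return [b for b in range(64) if (value >> b) & 1]


def mask_for_bits(bits: Iterable[int]) -> int:
    """Build a selection mask from bit positions, e.g. {33, 35, 43} -> 0x0000080a00000000."""
    mask = 0
    for b in bits:
        mask |= 1 << b
    return mask


def bitsanyset(value: int, mask: int) -> bool:
    """Same test as tawk's bitsanyset(): at least one masked bit is set."""
    return (value & mask) != 0


def bitsallset(value: int, mask: int) -> bool:
    """Stricter test: every masked bit is set (when all warnings must be present)."""
    return (value & mask) == mask


def explain_flowstat(value: int) -> List[Tuple[int, str, str]]:
    """(bit, '0xHHHHHHHH HHHHHHHH', description) per set bit, in the tutorial's layout."""
    rows = []
    for b in set_bits(value):
        m = 1 << b
        hexs = f"0x{m >> 32:08x} {m & 0xFFFFFFFF:08x}"
        rows.append((b, hexs, FLOWSTAT_BITS.get(b, "undocumented in this tutorial")))
    return rows


def parse_flows(tsv: str) -> List[Dict[str, str]]:
    """Parse tab-separated T2 flow output; the header line starts with '%'."""
    lines = [ln for ln in tsv.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def select_flows(flows: List[Dict[str, str]], mask: int,
                 sport: Optional[int] = None) -> List[Dict[str, str]]:
    """Equivalent of: tawk 'bitsanyset($flowStat, MASK) && sport(PORT)'."""
    hits = []
    for f in flows:
        stat = int(f["flowStat"], 16)  # hex string -> 64-bit int
        if not bitsanyset(stat, mask):
            continue
        if sport is not None and int(f["srcPort"]) != sport:
            continue
        hits.append(f)
    return hits


# Constructed sample: a few columns of flows shown in this tutorial, plus one
# made-up clean IPv4 flow (flowInd 9999) with only bit 14 set.
SAMPLE = (
    "%dir\tflowInd\tflowStat\tsrcPort\tdstPort\tl4Proto\n"
    "B\t4072\t0x0000000a00004001\t443\t1328\t6\n"
    "A\t3895\t0x0000080a00005000\t0\t0\t47\n"
    "B\t3895\t0x0001080a00005001\t0\t0\t47\n"
    "A\t985\t0x0000081a00004000\t3289\t1533\t17\n"
    "A\t9999\t0x0000000000004000\t443\t51000\t6\n"
)

# Mask used in the tutorial: bits 32-35 (clipped lengths) and 43 (stop dissecting).
LENGTH_OR_STOP = 0x0000080f00000000

if __name__ == "__main__":
    for bit, hexs, desc in explain_flowstat(0x0001080a00005001):
        print(f"{bit:>4} | {hexs} | {desc}")
    for f in select_flows(parse_flows(SAMPLE), LENGTH_OR_STOP, sport=443):
        print(f["dir"], f["flowInd"], f["flowStat"], f["srcPort"])
```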

Sometimes admins are only interested in the standard 5-tuple (srcIP, srcPort, dstIP, dstPort, l4Proto), i.e., plain NetFlow5 output. To configure that, move to the plugins directory, or use tranpl, a bash alias. Then move to basicFlow/src and open basicFlow.h, or just type the plugin name.

$ tranpl
$ cd basicFlow/src
$ vi basicFlow.h

Alternatively:

$ basicFlow
$ vi src/basicFlow.h

Change the following constants to 0:

Then move to basicStats, open basicStats.h

$ basicStats
$ vi src/basicStats.h

And change these constants to 0:

If you do not dare to edit .h files, then use the following command sequence:

$ t2conf basicFlow -D BFO_MAC=0 -D BFO_ETHERTYPE=0 -D BFO_VLAN=0 -D BFO_SUBNET_TEST=0 -D BFO_MAX_HDRDESC=0
$ t2conf basicStats -D BS_REV_CNT=0 -D BS_STATS=0
$

Recompile the two plugins and invoke t2:

$ t2build basicFlow basicStats
$ t2 -r ~/data/annoloc2.pcap -w ~/results
...

And here is your NetFlow5 output.

$ tawk 'bitsanyset($flowStat, 0x0000080100000000)' annoloc2_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration   srcIP                                  srcPort  dstIP                      dstPort  l4Proto  numPktsSnt  numBytesSnt
A     260      0x0000080200028000  1022171701.707777  1022171701.707777  0.000000   cfb6:1c18:5010:faf0:7f66:0:101:80a     0        6c2:6a7f:1:384b::c100      0        168      1           41630
A     885      0x0000080200028000  1022171701.810764  1022171701.810764  0.000000   e499:578c:5090:81d0:891b:0:101:80a     0        514:2343:2e3c:512::c100    0        133      1           55304
A     1894     0x000008d200004000  1022171702.614414  1022171702.614414  0.000000   138.212.188.118                        0        201.9.46.255               0        17       1           52
A     3047     0x0000080200028000  1022171704.484515  1022171704.484515  0.000000   baea:e860:8090:4470:cf67:0:101:50a     0        baea:ee14:baeb:2ac::c100   0        147      1           18922
A     3452     0x0000080200028000  1022171705.349871  1022171705.349871  0.000000   d973:ceac:5010:fa94:12db:0:101:80a     0        12ea:b284:3:ceeb::c100     0        126      1           38816
A     3992     0x0000080200005000  1022171706.878547  1022171707.000313  0.121766   200.134.37.255                         0        138.212.185.216            0        47       2           170
B     3992     0x0000080200005001  1022171706.931865  1022171706.962666  0.030801   138.212.185.216                        0        200.134.37.255             0        47       2           210
A     4529     0x0000080200028000  1022171708.439927  1022171708.439927  0.000000   48d5:5fad:50d0:16d0:4a16:0:101:80a     0        53eb:c1d7:86:4d37::c100    0        95       1           28079
A     4826     0x0000180200005000  1022171709.440443  1022171709.552021  0.111578   19.228.184.27                          0        138.212.186.191            0        47       4           162
B     4826     0x0000180200005001  1022171709.441758  1022171709.552128  0.110370   138.212.186.191                        0        19.228.184.27              0        47       3           166
A     6023     0x0000080200028000  1022171713.252296  1022171713.252296  0.000000   6f:1256:5050:4402:331e:0:101:50a       0        223:fd3e:223:ff56::c100    0        28       1           2543
A     6066     0x0000080200028000  1022171713.395746  1022171713.395746  0.000000   e29f:74ec:50d0:f53c:98e3:0:101:80a     0        12ea:b5a9:3:cf3b::c100     0        229      1           22844
A     6094     0x0000080200028000  1022171713.450109  1022171713.450109  0.000000   392:fc19:5050:20e2:a7c3:0:101:80a      0        be1:fcff:6ca:1b09::c100    0        64       1           174
A     6173     0x0000085200004000  1022171713.796490  1022171713.796491  0.000001   16.46.171.138                          0        138.212.189.231            0        17       2           2377
A     6913     0x0000080200028000  1022171716.432198  1022171716.432198  0.000000   75a4:9abd:80d0:4470:b5e2:317b:101:50a  0        75a4:a071:75a4:be39::c100  0        223      1           9
A     7045     0x0000080200028000  1022171716.967592  1022171716.967592  0.000000   4b9:f24c:8090:4470:4b24:0:101:50a      0        4b9:f800:4ba:c98::c100     0        228      1           54359
A     7462     0x0000080200028000  1022171718.639159  1022171718.639159  0.000000   169e:bdd8:5090:4470:e911:0:101:50a     0        5dc9:ed57:5dc9:f687::c100  0        23       1           47306
A     7826     0x0000080200028000  1022171719.869360  1022171719.869360  0.000000   1439:5c49:5050:4470:c74a:0:101:80a     0        53eb:c64f:86:4da9::c100    0        79       1           17563
A     8640     0x0000080200028000  1022171722.741406  1022171722.741406  0.000000   153c:303:5090:1920:4005:0:101:50a      0        b9bd:772f:b9bd:94f7::c100  0        131      1           15927
A     8665     0x0000080200028000  1022171722.847259  1022171722.847259  0.000000   b2e:42d1:5010:faf0:96fa:0:101:50a      0        e4ba:2af3:e4ba:365b::c100  0        22       1           44888
A     8891     0x0000080200028000  1022171723.637810  1022171723.637810  0.000000   d9d3:fbc:5090:4470:9b77:0:101:80a      0        63c:854c:15b:8f49::c100    0        231      1           58513
A     985      0x0000081a00004000  1022171701.848919  1022171726.366145  24.517226  201.232.53.168                         3289     138.212.189.228            1533     17       203         203200
A     3895     0x0000080a00005000  1022171706.645144  1022171726.589552  19.944408  201.9.4.49                             0        138.212.191.213            0        47       4           137
B     3895     0x0000080a00005001  1022171706.645835  1022171726.447349  19.801514  138.212.191.213                        0        201.9.4.49                 0        47       5           256
A     98       0x0000081a00004000  1022171701.699706  1022171726.576813  24.877107  138.212.188.118                        655      201.9.46.255               655      17       1014        765108
A     1290     0x0000081a00004000  1022171702.058266  1022171726.575284  24.517018  16.103.245.128                         1120     138.212.191.249            1461     17       134         103940
A     1291     0x000008f200004000  1022171702.058274  1022171726.575521  24.517247  16.103.245.128                         0        138.212.191.249            0        17       64          94720
A     9709     0x0000080200028000  1022171726.587705  1022171726.587705  0.000000   e8:3dce:50d0:2180:f660:0:101:80a       0        514:2cf1:2e3c:ec2::c100    0        114      1           47
A     126      0x0000083a00004000  1022171701.700965  1022171726.594434  24.893469  16.46.171.138                          4623     138.212.189.231            1490     17       742         952154
A     406      0x0000081a00004000  1022171701.717743  1022171726.607895  24.890152  18.14.224.62                           4383     138.212.191.34             2428     17       136         154156
$

flowInd and flowStat enable you to identify or select flows, or to connect packets to their flows. Sometimes people just want simple, boring NetFlow5 output, so use the following cut command:

$ tawk 'bitsanyset($flowStat, 0x0000080100000000)' annoloc2_flows.txt | cut -f 1,4- | tcol
%dir  timeFirst          timeLast           duration   srcIP                                  srcPort  dstIP                      dstPort  l4Proto  numPktsSnt  numBytesSnt
A     1022171701.707777  1022171701.707777  0.000000   cfb6:1c18:5010:faf0:7f66:0:101:80a     0        6c2:6a7f:1:384b::c100      0        168      1           41630
A     1022171701.810764  1022171701.810764  0.000000   e499:578c:5090:81d0:891b:0:101:80a     0        514:2343:2e3c:512::c100    0        133      1           55304
A     1022171702.614414  1022171702.614414  0.000000   138.212.188.118                        0        201.9.46.255               0        17       1           52
A     1022171704.484515  1022171704.484515  0.000000   baea:e860:8090:4470:cf67:0:101:50a     0        baea:ee14:baeb:2ac::c100   0        147      1           18922
A     1022171705.349871  1022171705.349871  0.000000   d973:ceac:5010:fa94:12db:0:101:80a     0        12ea:b284:3:ceeb::c100     0        126      1           38816
A     1022171706.878547  1022171707.000313  0.121766   200.134.37.255                         0        138.212.185.216            0        47       2           170
B     1022171706.931865  1022171706.962666  0.030801   138.212.185.216                        0        200.134.37.255             0        47       2           210
A     1022171708.439927  1022171708.439927  0.000000   48d5:5fad:50d0:16d0:4a16:0:101:80a     0        53eb:c1d7:86:4d37::c100    0        95       1           28079
A     1022171709.440443  1022171709.552021  0.111578   19.228.184.27                          0        138.212.186.191            0        47       4           162
B     1022171709.441758  1022171709.552128  0.110370   138.212.186.191                        0        19.228.184.27              0        47       3           166
A     1022171713.252296  1022171713.252296  0.000000   6f:1256:5050:4402:331e:0:101:50a       0        223:fd3e:223:ff56::c100    0        28       1           2543
A     1022171713.395746  1022171713.395746  0.000000   e29f:74ec:50d0:f53c:98e3:0:101:80a     0        12ea:b5a9:3:cf3b::c100     0        229      1           22844
A     1022171713.450109  1022171713.450109  0.000000   392:fc19:5050:20e2:a7c3:0:101:80a      0        be1:fcff:6ca:1b09::c100    0        64       1           174
A     1022171713.796490  1022171713.796491  0.000001   16.46.171.138                          0        138.212.189.231            0        17       2           2377
A     1022171716.432198  1022171716.432198  0.000000   75a4:9abd:80d0:4470:b5e2:317b:101:50a  0        75a4:a071:75a4:be39::c100  0        223      1           9
A     1022171716.967592  1022171716.967592  0.000000   4b9:f24c:8090:4470:4b24:0:101:50a      0        4b9:f800:4ba:c98::c100     0        228      1           54359
A     1022171718.639159  1022171718.639159  0.000000   169e:bdd8:5090:4470:e911:0:101:50a     0        5dc9:ed57:5dc9:f687::c100  0        23       1           47306
A     1022171719.869360  1022171719.869360  0.000000   1439:5c49:5050:4470:c74a:0:101:80a     0        53eb:c64f:86:4da9::c100    0        79       1           17563
A     1022171722.741406  1022171722.741406  0.000000   153c:303:5090:1920:4005:0:101:50a      0        b9bd:772f:b9bd:94f7::c100  0        131      1           15927
A     1022171722.847259  1022171722.847259  0.000000   b2e:42d1:5010:faf0:96fa:0:101:50a      0        e4ba:2af3:e4ba:365b::c100  0        22       1           44888
A     1022171723.637810  1022171723.637810  0.000000   d9d3:fbc:5090:4470:9b77:0:101:80a      0        63c:854c:15b:8f49::c100    0        231      1           58513
A     1022171701.848919  1022171726.366145  24.517226  201.232.53.168                         3289     138.212.189.228            1533     17       203         203200
A     1022171706.645144  1022171726.589552  19.944408  201.9.4.49                             0        138.212.191.213            0        47       4           137
B     1022171706.645835  1022171726.447349  19.801514  138.212.191.213                        0        201.9.4.49                 0        47       5           256
A     1022171701.699706  1022171726.576813  24.877107  138.212.188.118                        655      201.9.46.255               655      17       1014        765108
A     1022171702.058266  1022171726.575284  24.517018  16.103.245.128                         1120     138.212.191.249            1461     17       134         103940
A     1022171702.058274  1022171726.575521  24.517247  16.103.245.128                         0        138.212.191.249            0        17       64          94720
A     1022171726.587705  1022171726.587705  0.000000   e8:3dce:50d0:2180:f660:0:101:80a       0        514:2cf1:2e3c:ec2::c100    0        114      1           47
A     1022171701.700965  1022171726.594434  24.893469  16.46.171.138                          4623     138.212.189.231            1490     17       742         952154
A     1022171701.717743  1022171726.607895  24.890152  18.14.224.62                           4383     138.212.191.34             2428     17       136         154156
...
$

As you can see, flowInd is now gone. There are more tricks with tawk, many of which are discussed in the Post processing with TAWK tutorial.

Now reset basicFlow and basicStats to the default configuration, i.e., change the constants back to 1 and recompile the plugins with t2build. This time, we will use t2conf to reconfigure the plugins instead of editing the header files:

$ t2conf basicFlow -D BFO_MAC=1 -D BFO_ETHERTYPE=1 -D BFO_VLAN=1 -D BFO_SUBNET_TEST=1 -D BFO_MAX_HDRDESC=4
$ t2conf basicStats -D BS_REV_CNT=1 -D BS_STATS=1
$ t2build basicFlow basicStats
...
$

Much easier than editing the .h files, right?

Layer 4 based plugins

Now we add the Layer 4 plugins, which do the following jobs:

tcpFlags IP, UDP, TCP aggregated flags and anomaly status
tcpStates TCP state-machine and RFC checks. Terminates TCP flows after a RST or FIN

For a much more detailed tutorial about tcpFlags, refer to the IP/TCP Troubleshooting and hidden figures tutorial.

Now compile them and run t2:

$ t2build tcpFlags tcpStates
...
$ t2 -r ~/data/annoloc2.pcap -w ~/results
...
--------------------------------------------------------------------------------
basicStats: Biggest Talker: 138.212.189.38: 23601 (23.60 K) [1.94%] packets
basicStats: Biggest Talker: 138.212.189.38: 35005508 (35.01 M) [54.63%] bytes
tcpFlags: Aggregated ipFlags: 0x3966
tcpFlags: Aggregated tcpAnomaly: 0xff47
tcpFlags: Number of TCP scans, succ scans, syn retries, seq retries: 685, 2569 (2.57 K), 114, 933
tcpFlags: Number WinSz below 1: 2415 (2.42 K) [0.25%]
tcpStates: Aggregated anomaly flags: 0xdf
--------------------------------------------------------------------------------
...

Note that additional aggregated fields have appeared between the ------ lines of the end report:

tcpFlags ipFlags, tcpAnomaly, TCP scans, successful scans and retries and tcpWinSzMin: all kinds of info for troubleshooting and security purposes
tcpStates aggregated anomaly flags, denoting deviations from RFC

The hex numbers denote aggregated anomaly output, where each bit has a specific meaning. Note that there are many flows where the TCP window size drops below 1. There are also several retries and scans detected.

All bit fields are documented under each plugin folder or under doc/documentation.pdf. Alternatively use tawk -V name=value as discussed earlier.

Now you have NetFlow9/10 + a bit more. Look at all the anomaly bits in the end report. That is too much for the beginning. Let’s do something more interesting, let’s say your manager imposed the rule that nobody should communicate with China, because he thinks that there are no business ties with this country.

So he comes to you and demands the answer to the following question: Is there any traffic initiating connection egress to China?

$ tawk 'bitsanyset($flowStat, 1) == 0 && ($dstIPCC == "cn") { print $srcIP, $srcIPCC, $dstIP, $dstIPCC }' annoloc2_flows.txt | sort -V -u | tcol
138.212.184.34   jp  36.192.216.3     cn
138.212.184.42   jp  36.214.21.116    cn
138.212.184.71   jp  36.16.139.73     cn
138.212.184.71   jp  36.218.130.149   cn
138.212.184.225  jp  36.105.24.77     cn
138.212.185.98   jp  219.232.227.27   cn
138.212.185.166  jp  36.113.81.55     cn
138.212.185.166  jp  36.218.146.232   cn
138.212.185.186  jp  36.40.33.231     cn
138.212.185.186  jp  36.104.78.199    cn
...

Here you have a list of IPs communicating to China. The lowest bit in flowStat denotes who initiated the connection: a 0 means the srcIP started the flow.

But you are interested in the full flow details. The hdr() function keeps the header line in the output, which the filter would otherwise drop:

$ tawk 'hdr() || ($dstIPCC == "cn" && tcp())' annoloc2_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP            srcIPCC  srcIPWho                   srcPort  dstIP           dstIPCC  dstIPWho                       dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT  aveIAT  stdIAT  pktps  bytps  pktAsm  bytAsm  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipTOS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpTmS  tcpTmER  tcpEcI  tcpUtm    tcpBtm    tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStates
B     2208     0x0000000200004001  1022171703.077130  1022171703.077130  0.000000  1           3        eth:ipv4:tcp  00:05:02:a7:59:98  00:d0:02:6d:78:00  0x0800              138.212.184.140  jp       "ASAHI KASEI CORPORATION"  5500     36.204.73.10    cn       "China TieTong Telecommunica"  57019    6        1           1            11           0             11        11        11          0           0       0       0       0       0      0      0       1       0x0064    65535       0           255       255       0         0x00   0x1840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0           0               0               0           0                      1               0             0            0            0            0               0              0                  1             0x54      0x0004      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0.03941        0.03941           0.03941           0.03941           0                    0.03941       0                0x43
A     3100     0x0000000000004000  1022171704.554485  1022171704.554485  0.000000  1           3        eth:ipv4:tcp  00:60:08:78:1b:63  00:d0:02:6d:78:00  0x0800              138.212.187.203  jp       "ASAHI KASEI CORPORATION"  1825     36.176.200.106  cn       "China Mobile Communications"  4567     6        1           1            0            0             0         0         0           0           0       0       0       0       0      0      0       0       0x0046    65535       0           128       128       0         0x00   0x0840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3569114039  0           0               0               0           0                      0               16384         16384        16384        16384        0               0              0                  0             0x02      0x0000      1             4          0x00000016  1460    1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0.108845      -1               0x03
B     3351     0x0000000000004001  1022171705.071644  1022171705.071644  0.000000  1           3        eth:ipv4:tcp  00:50:bf:59:85:48  00:d0:02:6d:78:00  0x0800              138.212.188.67   jp       "ASAHI KASEI CORPORATION"  1214     58.204.250.125  cn       "China Education and Researc"  4120     6        1           1            0            0             0         0         0           0           0       0       0       0       0      0      0       0       0x0064    65535       0           128       128       0         0x00   0x0800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0           0               0               0           0                      1               0             0            0            0            0               0              0                  1             0xd4      0x0004      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0.008885       0.008885          0.008885          0.008885          0                    0.008885      0                0x43
A     3376     0x0000000000004000  1022171705.145409  1022171705.145409  0.000000  1           3        eth:ipv4:tcp  00:60:08:78:1b:63  00:d0:02:6d:78:00  0x0800              138.212.187.203  jp       "ASAHI KASEI CORPORATION"  1825     36.176.200.106  cn       "China Mobile Communications"  4567     6        1           1            0            0             0         0         0           0           0       0       0       0       0      0      0       0       0x0046    65535       0           128       128       0         0x00   0x0840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3569114039  0           0               0               0           0                      0               16384         16384        16384        16384        0               0              0                  0             0x02      0x0000      1             4          0x00000016  1460    1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0.111789      -1               0x03
B     3616     0x0000000000004001  1022171705.707891  1022171705.707891  0.000000  1           3        eth:ipv4:tcp  00:00:1c:b6:16:3f  00:d0:02:6d:78:00  0x0800              138.212.185.186  jp       "ASAHI KASEI CORPORATION"  6346     36.153.30.56    cn       "China Mobile Communications"  4579     6        1           1            0            0             0         0         0           0           0       0       0       0       0      0      0       0       0x0064    65535       0           127       127       0         0x00   0x0800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0           0               0               0           0                      1               0             0            0            0            0               0              0                  1             0x54      0x0004      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0.002816       0.002816          0.002816          0.002816          0                    0.002816      0                0x43
...

Let’s assume that there are no business ties to China, right?! Or is it legal traffic…? Is there malware in the company? There is seriously something fishy.

Let’s ask more about anomalies, such as broken fragmentation, aka fragmentation positional errors:

$ tawk -V ipFlags

The ipFlags column is to be interpreted as follows:

   bit | ipFlags | Description
   =============================================================================
     0 | 0x0001  | IP options corrupt
     1 | 0x0002  | IPv4 packets out of order
     2 | 0x0004  | IPv4 ID roll over
     3 | 0x0008  | IP fragment below minimum
     4 | 0x0010  | IP fragment out of range
     5 | 0x0020  | More Fragment bit
     6 | 0x0040  | IPv4: Don't Fragment bit, IPv6: reserve bit
     7 | 0x0080  | Reserve bit
     8 | 0x0100  | Fragmentation position error
     9 | 0x0200  | Fragmentation sequence error
    10 | 0x0400  | L3 checksum error
    11 | 0x0800  | L4 checksum error
    12 | 0x1000  | L3 header length snapped
    13 | 0x2000  | Packet interdistance = 0
    14 | 0x4000  | Packet interdistance < 0
    15 | 0x8000  | TCP SYN flag with L7 content

So select all flows with fragmentation anomalies, i.e., bits 3, 4, 8 and 9 (mask 0x0318):

$ tawk 'bitsanyset($ipFlags, 0x0318)' annoloc2_flows.txt | tcol
dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP            srcIPCC  srcIPWho                       srcPort  dstIP            dstIPCC  dstIPWho                    dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT      stdIAT        pktps     bytps      pktAsm  bytAsm  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipTOS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN  tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpTmS  tcpTmER  tcpEcI  tcpUtm    tcpBtm    tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStates
A     1895     0x000008d200004000  1022171702.614414  1022171702.614414  0.000000   1           3        eth:ipv4:udp  00:80:48:b3:0e:ed  00:d0:02:6d:78:00  0x0800              138.212.188.118  jp       "ASAHI KASEI CORPORATION"      0        201.9.46.255     br       "Telemar Norte Leste S.A."  0        17       1           0            52           0             52        52        52          0           0       0         0           0             0         0          1       1       0x0000    65535       0           64        64        0         0x00   0x0900   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00
A     6289     0x0000085200004000  1022171713.796490  1022171713.796491  0.000001   1           3        eth:ipv4:udp  00:d0:02:6d:78:00  00:80:c8:8f:ca:5e  0x0800              16.46.171.138    us       "HEWLETT PACKARD ENTERPRISE "  0        138.212.189.231  jp       "ASAHI KASEI CORPORATION"   0        17       2           0            2377         0             897       1480      1188.5      206.1216    0       1e-06     5e-07       3.535534e-07  2000000   2.377e+09  1       1       0x0000    0           0           114       114       0         0x00   0x0920   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00
A     985      0x0000081a00004000  1022171701.848919  1022171726.366145  24.517226  1           3        eth:ipv4:udp  00:d0:02:6d:78:00  00:e0:29:04:0a:18  0x0800              201.232.53.168   co       "EPM Telecomunicaciones S.A."  3289     138.212.189.228  jp       "ASAHI KASEI CORPORATION"   1533     17       203         0            203200       0             58        1480      1000.985    661.1511    0       0.391237  0.1207745   0.1718241     8.279893  8288.051   1       1       0x0000    0           140         119       119       0         0x00   0x3920   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00
A     1290     0x0000081a00004000  1022171702.058266  1022171726.575284  24.517018  1           3        eth:ipv4:udp  00:d0:02:6d:78:00  00:10:60:59:f1:4b  0x0800              16.103.245.128   us       "HEWLETT PACKARD ENTERPRISE "  1120     138.212.191.249  jp       "ASAHI KASEI CORPORATION"   1461     17       134         0            103940       0             58        1480      775.6716    693.8904    0       0.747904  0.1829628   0.1880735     5.465591  4239.504   1       1       0x0000    0           4008        111       111       0         0x00   0x3924   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00
A     1291     0x000008f200004000  1022171702.058274  1022171726.575521  24.517247  1           3        eth:ipv4:udp  00:d0:02:6d:78:00  00:10:60:59:f1:4b  0x0800              16.103.245.128   us       "HEWLETT PACKARD ENTERPRISE "  0        138.212.191.249  jp       "ASAHI KASEI CORPORATION"   0        17       64          0            94720        0             1480      1480      1480        0           0       0.747897  0.383082    0.08560037    2.610407  3863.403   1       1       0x0000    1961        4008        111       111       0         0x00   0x0324   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00
A     126      0x0000083a00004000  1022171701.700965  1022171726.594434  24.893469  1           3        eth:ipv4:udp  00:d0:02:6d:78:00  00:80:c8:8f:ca:5e  0x0800              16.46.171.138    us       "HEWLETT PACKARD ENTERPRISE "  4623     138.212.189.231  jp       "ASAHI KASEI CORPORATION"   1490     17       742         0            952154       0             885       1480      1283.226    271.766     0       0.202366  0.03354916  0.04754491    29.80701  38249.15   1       1       0x0000    0           584         114       114       0         0x00   0x3a24   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00
$

Now let’s look for TCP anomalies, such as abnormal flag combinations appearing in packets. The tcpAnomaly column holds one bit per abnormal flag combination and per sequence/acknowledgement number anomaly.

$ tawk -V tcpAnomaly
The tcpAnomaly column is to be interpreted as follows:

   bit | tcpAnomaly | Description
   =============================================================================
     0 | 0x0001     | FIN-ACK flag
     1 | 0x0002     | SYN-ACK flag
     2 | 0x0004     | RST-ACK flag
     3 | 0x0008     | SYN-FIN flag, scan or malicious packet
     4 | 0x0010     | SYN-FIN-RST flag, potential malicious scan packet or channel
     5 | 0x0020     | FIN-RST flag, abnormal flow termination
     6 | 0x0040     | Null flag, potential NULL scan packet, or malicious channel
     7 | 0x0080     | XMas flag, potential Xmas scan packet, or malicious channel
     8 | 0x0100     | L4 option field corrupt or not acquired
     9 | 0x0200     | SYN retransmission
    10 | 0x0400     | Sequence Number retry
    11 | 0x0800     | Sequence Number out of order
    12 | 0x1000     | Sequence mess in flow order due to pcap packet loss
    13 | 0x2000     | Sequence number jump forward
    14 | 0x4000     | ACK number out of order
    15 | 0x8000     | Duplicate ACK

So select the scan-like flag combinations, i.e., bits 3 to 7 (mask 0x00f8):

$ tawk 'bitsanyset($tcpAnomaly, 0x00f8)' annoloc2_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc            srcMac             dstMac             ethType  ethVlanID  srcIP                                    srcIPCC  srcIPWho                    srcPort  dstIP                                    dstIPCC  dstIPWho                    dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT      stdIAT       pktps       bytps      pktAsm      bytAsm       tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipTOS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpTmS  tcpTmER  tcpEcI  tcpUtm    tcpBtm    tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStates
A     887      0x0000000a00008000  1022171701.811168  1022171701.811168  0.000000   1           3        eth:ipv6:tcp       00:60:08:2c:ca:8e  00:40:05:56:05:f0  0x86dd              3ffe:7c9b:e2:4ca6:4c::b0                 --       "--"                        48458    3ffe:7c9b:f5:8b05::2f50                  --       "--"                        6667     6        1           0            0            0             0         0         0           0           0       0         0           0            0           0          1           0            0x0042    65535       0           64        64        0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1014442254  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x83
A     852      0x0000000a00024000  1022171701.803251  1022171702.336097  0.532846   1           4        eth:ipv4:ipv4:tcp  00:d0:02:6d:78:00  00:00:21:ef:64:92  0x0800              201.98.74.248                            mx       "Uninet S.A. de C.V."       5642     19.54.248.131                            us       "Ford Motor Company"        997      6        2           2            101          125           12        89        50.5        27.22361    0       0.532846  0.266423    0.1883895    3.75343     189.5482   0           -0.1061947   0x0044    3493        3493        57        57        0         0x00   0x1840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  4122508806  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.110085          0.110085          0.0550425         0.03892093           0             -1               0x87
B     852      0x0000000a00024001  1022171701.903727  1022171702.226012  0.322285   1           4        eth:ipv4:ipv4:tcp  00:00:21:ef:64:92  00:d0:02:6d:78:00  0x0800              19.54.248.131                            us       "Ford Motor Company"        997      201.98.74.248                            mx       "Uninet S.A. de C.V."       5642     6        2           2            125          101           12        113       62.5        35.70889    0       0.322285  0.1611425   0.113945     6.205688    387.8555   0           0.1061947    0x0044    56884       56884       64        64        0         0x00   0x1840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  140052278   0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.100476          0.422761          0.2616185         0.113945             0.316661      0.1204089        0x87
A     2661     0x0000000a00008000  1022171703.710373  1022171703.859739  0.149366   1           3        eth:ipv6:tcp       00:01:02:af:4a:b4  00:80:48:cd:88:83  0x86dd              2001:70e8:d3ce:e200:de45:6dff:c7ad:c251  --       "--"                        32798    2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf  --       "--"                        6667     6        2           2            17           64            0         17        8.5         6.010407    0       0.149366  0.074683    0.05280886   13.38993    113.8144   0           -0.5802469   0x0044    65535       0           64        64        0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1847667841  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.008073          0.008073          0.0040365         0.002854237          0             -1               0x87
B     2661     0x0000000a00008001  1022171703.742177  1022171703.851666  0.109489   1           3        eth:ipv6:tcp       00:80:48:cd:88:83  00:01:02:af:4a:b4  0x86dd              2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf  --       "--"                        6667     2001:70e8:d3ce:e200:de45:6dff:c7ad:c251  --       "--"                        32798    6        2           2            64           17            0         64        32          22.62742    0       0.109489  0.0547445   0.03871021   18.26667    584.5336   0           0.5802469    0x0044    65535       0           64        64        0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1910873099  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.031804          0.141293          0.0865485         0.03871021           0.090585      0.03881529       0x87
A     4046     0x0000000a00008000  1022171706.884790  1022171707.007311  0.122521   1           3        eth:ipv6:tcp       00:60:08:2c:ca:8e  00:80:48:cd:88:83  0x86dd              2001:70e8:d3ce:e202::30:26               --       "--"                        2128     2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf  --       "--"                        6668     6        2           2            30           66            0         30        15          10.6066     0       0.122521  0.06126049  0.04331771   16.32373    244.856    0           -0.375       0x0044    65535       0           63        63        0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3123119758  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.052077          0.052077          0.0260385         0.018412             0             -1               0x87
B     4046     0x0000000a00008001  1022171706.922668  1022171706.955234  0.032566   1           3        eth:ipv6:tcp       00:40:05:56:05:f0  00:60:08:2c:ca:8e  0x86dd              2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf  --       "--"                        6668     2001:70e8:d3ce:e202::30:26               --       "--"                        2128     6        2           2            66           30            0         66        33          23.33452    0       0.032566  0.016283    0.01151382   61.41375    2026.654   0           0.375        0x0044    65535       0           63        63        0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3303108112  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.037878          0.070444          0.054161          0.01151382           0.08019949    0.02171566       0x87
A     4570     0x0000000a00024000  1022171708.338404  1022171708.552551  0.214147   1           4        eth:ipv4:ipv4:tcp  00:d0:02:6d:78:00  00:00:21:ef:64:92  0x0800              83.45.68.186                             es       "Telefonica de Espana SAU"  33790    19.54.248.131                            us       "Ford Motor Company"        997      6        2           1            77           81            12        65        38.5        18.73833    0       0.214147  0.1070735   0.0757124    9.339379    359.5661   0.3333333   -0.02531646  0x0044    5           5           48        48        0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2293331853  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.203134          0.203134          0.101567          0.07181872           0             -1               0x87
B     4570     0x0000000a00024001  1022171708.349417  1022171708.349417  0.000000   1           4        eth:ipv4:ipv4:tcp  00:00:21:ef:64:92  00:d0:02:6d:78:00  0x0800              19.54.248.131                            us       "Ford Motor Company"        997      83.45.68.186                             es       "Telefonica de Espana SAU"  33790    6        1           2            81           77            81        81        81          0           0       0         0           0            0           0          -0.3333333  0.02531646   0x0044    65535       0           64        64        0         0x00   0x1840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3194778849  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.011013          0.011013          0.011013          0                    0.11258       0.07181872       0x87
A     5357     0x0000000a00008000  1022171710.810212  1022171710.810212  0.000000   1           3        eth:ipv6:tcp       00:40:05:56:05:f0  00:50:fc:20:90:a5  0x86dd              3ffe:7c9b:f5:8b05::2f50                  --       "--"                        6667     2001:70e8:d3ce:e200:de29:6aff:91cc:d9a   --       "--"                        2912     6        1           1            70           0             70        70        70          0           0       0         0           0            0           0          0           1            0x0046    65535       0           56        56        0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  4066598530  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x83
B     5357     0x0000000a00008001  1022171710.910120  1022171710.910120  0.000000   1           3        eth:ipv6:tcp       00:50:fc:20:90:a5  00:40:05:56:05:f0  0x86dd              2001:70e8:d3ce:e200:de29:6aff:91cc:d9a   --       "--"                        2912     3ffe:7c9b:f5:8b05::2f50                  --       "--"                        6667     6        1           1            0            70            0         0         0           0           0       0         0           0            0           0          0           -1           0x0044    65535       0           64        64        0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  293306349   0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.099908          0.099908          0.099908          0                    0.099908      0                0x83
A     5607     0x0000000a00024000  1022171711.507332  1022171711.632627  0.125295   1           4        eth:ipv4:ipv4:tcp  00:00:21:ef:64:92  00:d0:02:6d:78:00  0x0800              19.54.248.131                            us       "Ford Motor Company"        52912    19.54.241.75                             us       "Ford Motor Company"        6667     6        2           2            57           113           12        45        28.5        11.66726    0       0.125295  0.0626475   0.04429847   15.96233    454.9264   0           -0.3294118   0x0044    7946        7946        64        64        0         0x00   0x1844   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2270158897  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.097721          0.097721          0.0488605         0.03454959           0             -1               0x87
B     5607     0x0000000a00024001  1022171711.526090  1022171711.534906  0.008816   1           4        eth:ipv4:ipv4:tcp  00:d0:02:6d:78:00  00:00:21:ef:64:92  0x0800              19.54.241.75                             us       "Ford Motor Company"        6667     19.54.248.131                            us       "Ford Motor Company"        52912    6        2           2            113          57            12        101       56.5        31.46625    0       0.008816  0.004408    0.003116927  226.8602    12817.6    0           0.3294118    0x0044    14          14          62        62        0         0x00   0x1840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1379912589  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.018758          0.027574          0.023166          0.003116927          0.07202651    0.0346899        0x87
A     6268     0x0000000a00008000  1022171713.686548  1022171714.050885  0.364337   1           3        eth:ipv6:tcp       00:50:04:56:32:a7  00:80:48:cd:88:83  0x86dd              2001:70e8:d3ce:e200:de29:8cff:c040:71a9  --       "--"                        53731    2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf  --       "--"                        6669     6        2           2            30           66            0         30        15          10.6066     0       0.364337  0.1821685   0.1288126    5.489423    82.34135   0           -0.375       0x0044    65535       0           64        64        0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  467287084   0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.09502           0.09502           0.04751           0.03359464           0             -1               0x87
B     6268     0x0000000a00008001  1022171713.686918  1022171713.955865  0.268947   1           3        eth:ipv6:tcp       00:80:48:cd:88:83  00:50:04:56:32:a7  0x86dd              2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf  --       "--"                        6669     2001:70e8:d3ce:e200:de29:8cff:c040:71a9  --       "--"                        53731    6        2           2            66           30            0         66        33          23.33452    0       0.268947  0.1344735   0.09508713   7.436409    245.4015   0           0.375        0x0044    65535       0           64        64        0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1019170939  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.00037           0.269317          0.1348435         0.09508713           0.1823535     0.1008472        0x87
A     6822     0x0000000a00008000  1022171715.635220  1022171715.747770  0.112550   1           3        eth:ipv6:tcp       00:04:75:73:9b:a2  00:80:48:cd:88:83  0x86dd              2001:70e8:d3ce:e200:de40:21ff:b7dd:48e2  --       "--"                        32892    2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf  --       "--"                        6667     6        2           2            30           66            0         30        15          10.6066     0       0.11255   0.056275    0.03979243   17.76988    266.5482   0           -0.375       0x0044    65535       0           64        64        0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2001477013  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.000191          0.000191          9.55e-05          6.75287e-05          0             -1               0x87
B     6822     0x0000000a00008001  1022171715.635444  1022171715.747579  0.112135   1           3        eth:ipv6:tcp       00:80:48:cd:88:83  00:04:75:73:9b:a2  0x86dd              2001:70e8:d3ce:e200:deaf:b9ff:1f0e:becf  --       "--"                        6667     2001:70e8:d3ce:e200:de40:21ff:b7dd:48e2  --       "--"                        32892    6        2           2            66           30            0         66        33          23.33452    0       0.112135  0.0560675   0.03964571   17.83564    588.5763   0           0.375        0x0044    65535       0           64        64        0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1996385468  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.000224          0.112359          0.0562915         0.03964571           0.056387      0.03964576       0x87
A     8860     0x0000000a00008000  1022171722.738958  1022171722.847853  0.108895   1           3        eth:ipv6:tcp       00:40:05:56:05:f0  00:08:c7:ba:6c:98  0x86dd              3ffe:7c9b:f5:8b05::2f50                  --       "--"                        6667     2001:70e8:d3ce:e200:de49:4bff:1785:14ce  --       "--"                        2394     6        2           1            26           25            0         26        13          9.192389    0       0.108895  0.0544475   0.0385002    18.36632    238.7621   0.3333333   0.01960784   0x0044    65535       0           56        56        0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2358934296  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.10646           0.10646           0.05323           0.03763929           0             -1               0x87
B     8860     0x0000000a00008001  1022171722.741393  1022171722.741393  0.000000   1           3        eth:ipv6:tcp       00:08:c7:ba:6c:98  00:40:05:56:05:f0  0x86dd              2001:70e8:d3ce:e200:de49:4bff:1785:14ce  --       "--"                        2394     3ffe:7c9b:f5:8b05::2f50                  --       "--"                        6667     6        1           2            25           26            25        25        25          0           0       0         0           0            0           0          -0.3333333  -0.01960784  0x0044    65535       0           64        64        0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2466350670  0           0               0               0           0                      0               0             0            0            0            0               0              0                  1             0x00      0x0040      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0.002435          0.002435          0.002435          0
...

Now you’re talking…

$ tawk -V tcpStates
The tcpStates column is to be interpreted as follows:

   bit | tcpStates | Description
   =============================================================================
     0 | 0x01      | Malformed connection establishment
     1 | 0x02      | Malformed teardown
     2 | 0x04      | Malformed flags during established connection
     3 | 0x08      | Packets detected after teardown
     4 | 0x10      | Packets detected after reset
     6 | 0x40      | Reset from sender
     7 | 0x80      | Potential evil behavior (scan)

Note that even normal applications can produce such malformed flag combinations, especially on a certain OS which a lot of people are using. Horrible. Have a look for yourself.

The tcpFlags plugin is built for traffic forensics and troubleshooting. It reports L3/4 header information and issues, such as fragmentation, L4 error and flow control, bandwidth and Round Trip Time (RTT) estimates, and some nitty-gritty tricks for security people. Any section can be disabled in tcpFlags.h.

For a start, the following constants in tcpFlags.h are relevant for you:

You can switch off RTT estimation, checksum calculation, the TCP window size features or the tricks with TCP seq/ack numbers. Although IPv4 fragmentation today is mostly fishy, switch it off if you are not interested in it; the code then becomes smaller and faster.

Let’s go over the most important fields you need to understand for a start.

There are still OSes which increment the IPID by 1 for every packet sent. This is a formidable feature to estimate the load of a machine. Hence, T2 provides the ipMindIPID and ipMaxdIPID columns, which denote the min/max difference of the IPIDs between consecutive packets of a flow. If the differences are large and we are sure of the increment by 1, the host is distributing its packets over several connections, so every connection will see jumps in its own flow. The ipMinTTL and ipMaxTTL columns give you an indication of how far your sniffing tap is from the sender's IP address and whether several routing paths are involved.

ipFlags contains information about packet abnormalities and fragmentation mishaps. To see the meaning of the bits invoke:

$ tawk -V ipFlags
The ipFlags column is to be interpreted as follows:

   bit | ipFlags | Description
   =============================================================================
     0 | 0x0001  | IP options corrupt
     1 | 0x0002  | IPv4 packets out of order
     2 | 0x0004  | IPv4 ID roll over
     3 | 0x0008  | IP fragment below minimum
     4 | 0x0010  | IP fragment out of range
     5 | 0x0020  | More Fragment bit
     6 | 0x0040  | IPv4: Don't Fragment bit, IPv6: reserve bit
     7 | 0x0080  | Reserve bit
     8 | 0x0100  | Fragmentation position error
     9 | 0x0200  | Fragmentation sequence error
    10 | 0x0400  | L3 checksum error
    11 | 0x0800  | L4 checksum error
    12 | 0x1000  | L3 header length snapped
    13 | 0x2000  | Packet interdistance = 0
    14 | 0x4000  | Packet interdistance < 0
    15 | 0x8000  | TCP SYN flag with L7 content

tcpFlags is the standard NetFlow aggregation of the flags in the TCP header, so you can assess the communication state of the flow during the observation.

A standard feature in NetFlow9 is the aggregation of all TCP flags occurring in a flow:

$ tawk -V tcpFlags
The tcpFlags column is to be interpreted as follows:

   bit | tcpFlags | Description
   =============================================================================
     0 | 0x01     | FIN: No more data, finish connection
     1 | 0x02     | SYN: Synchronize sequence numbers
     2 | 0x04     | RST: Reset connection
     3 | 0x08     | PSH: Push data
     4 | 0x10     | ACK: Acknowledgement field value valid
     5 | 0x20     | URG: Urgent pointer valid
     6 | 0x40     | ECE: ECN-Echo
     7 | 0x80     | CWR: Congestion Window Reduced flag is set

It represents valuable information about the state of a connection: you can readily detect whether a flow is complete or whether the guy who acquired the data clipped it. flowStat will tell you that for each flow.
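As an added example (not code from the tutorial or from the tcpFlags plugin), the following Python decodes the tcpFlags, tcpStates and ipFlags columns with the bit tables printed by tawk -V above and derives the facts one usually wants when triaging a flow file: whether SYN and a close (FIN/RST) were both seen, whether a state anomaly or checksum error was flagged, whether the capture snapped the headers, and whether the scan bit is set. The sample values are taken from flow lines shown on this page; the completeness check is an assumption, because the aggregated flag byte does not preserve packet order (flowStat is the authoritative source, as noted above).

```python
"""Decode the tcpFlags, tcpStates and ipFlags columns of a T2 flow record.

Added example; not code from the Tranalyzer tutorial or the tcpFlags plugin.
The bit tables are transcribed from the `tawk -V` listings above.
"""

TCP_FLAGS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR",
}

# tcpStates bit 5 (0x20) has no entry in the tawk -V listing above; it is
# reported as an unknown bit rather than silently dropped.
TCP_STATES = {
    0x01: "Malformed connection establishment",
    0x02: "Malformed teardown",
    0x04: "Malformed flags during established connection",
    0x08: "Packets detected after teardown",
    0x10: "Packets detected after reset",
    0x40: "Reset from sender",
    0x80: "Potential evil behavior (scan)",
}

IP_FLAGS = {
    0x0001: "IP options corrupt",
    0x0002: "IPv4 packets out of order",
    0x0004: "IPv4 ID roll over",
    0x0008: "IP fragment below minimum",
    0x0010: "IP fragment out of range",
    0x0020: "More Fragment bit",
    0x0040: "IPv4: Don't Fragment bit, IPv6: reserve bit",
    0x0080: "Reserve bit",
    0x0100: "Fragmentation position error",
    0x0200: "Fragmentation sequence error",
    0x0400: "L3 checksum error",
    0x0800: "L4 checksum error",
    0x1000: "L3 header length snapped",
    0x2000: "Packet interdistance = 0",
    0x4000: "Packet interdistance < 0",
    0x8000: "TCP SYN flag with L7 content",
}


def _to_int(value):
    """Accept the hex strings as they appear in the flow file ("0x3840") or ints."""
    return int(value, 16) if isinstance(value, str) else int(value)


def decode_bits(value, table):
    """Return the description of every set bit, lowest bit first."""
    value = _to_int(value)
    names = []
    bit = 0
    while value >> bit:
        mask = 1 << bit
        if value & mask:
            names.append(table.get(mask, f"unknown bit {bit}"))
        bit += 1
    return names


def assess_flow(tcp_flags, tcp_states, ip_flags):
    """Summarise what the three columns say about one flow.

    syn_and_close_seen is a heuristic (assumption): the aggregated flag byte
    shows that SYN and FIN/RST occurred, not in which order; use flowStat to
    decide whether the flow was really complete.
    """
    flags = decode_bits(tcp_flags, TCP_FLAGS)
    states = decode_bits(tcp_states, TCP_STATES)
    ipf = decode_bits(ip_flags, IP_FLAGS)
    return {
        "tcpFlags": flags,
        "tcpStates": states,
        "ipFlags": ipf,
        "syn_and_close_seen": "SYN" in flags and ("FIN" in flags or "RST" in flags),
        "state_anomaly": _to_int(tcp_states) != 0,
        "checksum_error": any(n.endswith("checksum error") for n in ipf),
        "snapped": "L3 header length snapped" in ipf,  # the capture clipped the packets
        "scan_suspect": "Potential evil behavior (scan)" in states,
    }


if __name__ == "__main__":
    # Values of flow 6344 (B) and flow 91 (B) from the tawk output on this page.
    for sample in (("0xdb", "0x02", "0x3842"), ("0x98", "0x03", "0x3840")):
        print(sample, assess_flow(*sample))
```

Feeding the three columns of a flow line into assess_flow() is enough to see, for instance, that flow 91 carries L4 checksum errors and snapped L3 headers, i.e. the capture was clipped, which matches what the tutorial says about clipped data.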

Basic traffic volume and connection analysis

To acquire an overview about a network and its communication behaviour, a graphical output is definitely helpful. graphviz is a wonderful program producing all kinds of graphs. T2 supplies a conversion example script grphvz which you may expand for your own purposes.

One basic approach is to look into the connection matrix or simply the connections between nodes. In the script, the graph edges are tagged with

  • flowStat direction bit, country of origin, tcpAnomaly, srcPort-dstPort, numPktsSnt, numBytesSnt
  • Initiating flow: green, response flow: red
  • Width: numBytesSnt

So apply the already generated flow file to grphvz, convert the resulting .dot file to JPG and display it with eog or, better, feh. You may also use the interactive programs xdot or dotty.

$ head -n 43 annoloc2_flows.txt > a_flows.txt
$ grphvz a_flows.txt
$ dotty a_flows_graph.dot

Or if you like a picture, use dot:

$ dot -Tjpg a_flows_graph.dot -o a_flows_graph.jpg
$ feh a_flows_graph.jpg

Or with the new scripts since the 0.8.3 version:

$ head -n 43 annoloc2_flows.txt > a_flows.txt
$ t2viz a_flows.txt
graphviz example: extracted the first 43 flows from annoloc2_flows.txt

If the full traffic were plotted, you could identify the biggest talkers just by looking for the arrow with the largest width. But note that with a larger number of flows the performance of graphviz degrades rapidly. We produced a netgrapher which can handle very large connection matrices. Unfortunately it is not open source; if you are interested, contact us.
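The edge tagging described above, as an added example in Python (not the tutorial's grphvz or t2viz script): it builds the .dot text from a handful of flow records, colours initiating flows green and response flows red, scales the pen width with numBytesSnt on a log scale, and sums numBytesSnt per source so the senders behind the widest arrows can be listed directly. The records are constructed from flows shown further down this page; treating flowStat bit 0 as the direction bit follows the `bitsanyset($flowStat, 1)` usage later in the tutorial and is an assumption here.

```python
"""Build a graphviz .dot connection graph from T2 flow records.

Added example, not the tutorial's grphvz/t2viz script.  Edge labels carry
the direction bit, country, tcpAnomaly, srcPort-dstPort, numPktsSnt and
numBytesSnt; initiating flows are green, response flows red, and the pen
width grows with numBytesSnt.
"""
import math

# Constructed sample: a subset of the columns of three flows shown on this
# page (flow 91 A/B and flow 6344 B).
FLOWS = [
    {"flowStat": "0x0000000a00004000", "srcIP": "138.212.86.201", "srcIPCC": "jp",
     "dstIP": "138.212.189.38", "srcPort": 3429, "dstPort": 139,
     "tcpAnomaly": "0xa100", "numPktsSnt": 12342, "numBytesSnt": 42462},
    {"flowStat": "0x0000000a00004001", "srcIP": "138.212.189.38", "srcIPCC": "jp",
     "dstIP": "138.212.86.201", "srcPort": 139, "dstPort": 3429,
     "tcpAnomaly": "0xa800", "numPktsSnt": 23601, "numBytesSnt": 33733962},
    {"flowStat": "0x0000000a00004001", "srcIP": "139.45.174.202", "srcIPCC": "ie",
     "dstIP": "138.212.190.117", "srcPort": 56071, "dstPort": 3837,
     "tcpAnomaly": "0xa003", "numPktsSnt": 10159, "numBytesSnt": 14821880},
]


def is_response(flow):
    """Assumption: flowStat bit 0 set marks the B (response) flow."""
    return int(flow["flowStat"], 16) & 1 == 1


def edge_width(num_bytes, max_bytes, max_width=8.0):
    """Log-scaled pen width between 1 and max_width, so one huge flow does
    not flatten every other edge to a hairline."""
    if num_bytes <= 0 or max_bytes <= 0:
        return 1.0
    return 1.0 + (max_width - 1.0) * math.log1p(num_bytes) / math.log1p(max_bytes)


def flows_to_dot(flows, name="a_flows_graph"):
    """Return the DOT source for the connection graph of the given flows."""
    max_bytes = max((f["numBytesSnt"] for f in flows), default=0)
    lines = [f'digraph "{name}" {{', "  node [shape=box];"]
    for f in flows:
        direction = int(is_response(f))
        label = (f'{direction} {f["srcIPCC"]} {f["tcpAnomaly"]} '
                 f'{f["srcPort"]}-{f["dstPort"]} {f["numPktsSnt"]} {f["numBytesSnt"]}')
        color = "red" if direction else "green"
        width = edge_width(f["numBytesSnt"], max_bytes)
        lines.append(f'  "{f["srcIP"]}" -> "{f["dstIP"]}" '
                     f'[label="{label}", color={color}, penwidth={width:.2f}];')
    lines.append("}")
    return "\n".join(lines)


def biggest_talkers(flows, n=3):
    """Sum numBytesSnt per source IP and return the n largest senders, i.e.
    the end points whose outgoing arrows are the widest in the graph."""
    totals = {}
    for f in flows:
        totals[f["srcIP"]] = totals.get(f["srcIP"], 0) + f["numBytesSnt"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    print(flows_to_dot(FLOWS))
    print(biggest_talkers(FLOWS))
```

Write the returned string to a .dot file and render it with `dot -Tjpg` exactly as in the commands above; the log scaling is a design choice so that the 33 MB flow and the 42 KB flow of the same connection both stay visible.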

Another method to find biggest talkers is to reverse sort with tawk. For example, we can extract the flows which sent the most packets (numPktsSnt) with the following command:

$ tawk 't2sort(numPktsSnt, 4)' annoloc2_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP           srcIPCC  srcIPWho                       srcPort  dstIP            dstIPCC  dstIPWho                       dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT        stdIAT       pktps     bytps     pktAsm     bytAsm      tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipTOS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpTmS  tcpTmER  tcpEcI  tcpUtm    tcpBtm    tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStates
B     91       0x0000000a00004001  1022171701.699480  1022171726.636773  24.937293  1           3        eth:ipv4:tcp  00:00:21:d2:cc:72  00:d0:02:6d:78:00  0x0800              138.212.189.38  jp       "ASAHI KASEI CORPORATION"      139      138.212.86.201   jp       "Asahi Kasei Networks Corpor"  3429     6        23601       12342        33733962     42462         103       1460      1429.344    188.7309    0       0.253336  0.001056625   0.003715082  946.4139  1352752   0.313246   0.9974856   0x0040    1           39          64        64        0         0x10   0x3840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3624816249  23576       34471811        24              677         42651                  0               33232         33232        33232        33232        0               0              0                  0             0x98      0xa800      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              0                 0.253317          0.001994585       0.004210955          0             -1               0x03
A     91       0x0000000a00004000  1022171701.699996  1022171726.637210  24.937214  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:00:21:d2:cc:72  0x0800              138.212.86.201  jp       "Asahi Kasei Networks Corpor"  3429     138.212.189.38   jp       "ASAHI KASEI CORPORATION"      139      6        12342       23601        42462        33733962      0         63        3.440447    14.30862    0       0.36365   0.002020519   0.00532618   494.923   1702.756  -0.313246  -0.9974856  0x00c0    1           21          127       127       0         0x00   0x1840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3835254416  12342       42651           0               11833       34124331               190             17520         17518.91     16201        17520        355             355            709                0             0x98      0xa100      169           507        0x00000022  0       1      0       0        0       0.000000  0.000000  0              0                 0.110333          0.0002984816      0.001134035          0             -1               0x03
B     6344     0x0000000a00004001  1022171714.045827  1022171722.457644  8.411817   1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:10:5a:c5:96:1a  0x0800              139.45.174.202  ie       "Stripe Inc"                   56071    138.212.190.117  jp       "ASAHI KASEI CORPORATION"      3837     6        10159       5692         14821880     0             0         1460      1458.99     29.41481    0       1.465593  0.0008280156  0.01468998   1207.706  1762031   0.2818119  1           0x0044    1           33832       59        250       1         0x18   0x3842   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1837334633  10159       14999999        0               1           0                      2               5840          5840         5840         5840         0               0              0                  0             0xdb      0xa003      1             4          0x00000016  1460    1      0       0        0       0.000000  0.000000  0.005066       0                 0.219088          0.001750757       0.003134686          0.002583663   0.01960833       0x02
B     3610     0x0000000a00004001  1022171705.686717  1022171714.043794  8.357077   1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:10:5a:c5:96:1a  0x0800              139.45.174.202  ie       "Stripe Inc"                   56070    138.212.190.117  jp       "ASAHI KASEI CORPORATION"      3820     6        10048       5709         14656900     0             0         1460      1458.688    34.27719    0       1.39519   0.0008317156  0.0141066    1202.334  1753831   0.2753697  1           0x0044    1           44772       59        250       1         0x18   0x3842   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1835183641  10048       14999999        0               1           0                      2               5840          5840         5840         5840         0               0              0                  0             0xdb      0xa003      1             4          0x00000016  1460    1      0       0        0       0.000000  0.000000  0.006276       0                 0.240063          0.001985467       0.003686316          0.002785216   0.01874814       0x02
$

Note that the number 4 in the tawk statement above denotes the number of lines to display. If you omit it, all lines will be displayed.

We can also extract the four flows which sent the most bytes (numBytesSnt):

$ tawk 't2sort(numBytesSnt, 4)' annoloc2_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP           srcIPCC  srcIPWho                   srcPort  dstIP            dstIPCC  dstIPWho                       dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT        stdIAT       pktps     bytps     pktAsm     bytAsm     tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipTOS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpTmS     tcpTmER    tcpEcI  tcpUtm          tcpBtm             tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStates
B     91       0x0000000a00004001  1022171701.699480  1022171726.636773  24.937293  1           3        eth:ipv4:tcp  00:00:21:d2:cc:72  00:d0:02:6d:78:00  0x0800              138.212.189.38  jp       "ASAHI KASEI CORPORATION"  139      138.212.86.201   jp       "Asahi Kasei Networks Corpor"  3429     6        23601       12342        33733962     42462         103       1460      1429.344    188.7309    0       0.253336  0.001056625   0.003715082  946.4139  1352752   0.313246   0.9974856  0x0040    1           39          64        64        0         0x10   0x3840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3624816249  23576       34471811        24              677         42651                  0               33232         33232        33232        33232        0               0              0                  0             0x98      0xa800      0             0          0x00000000  0       1      0          0          0       0.000000        0.000000           0              0                 0.253317          0.001994585       0.004210955          0             -1               0x03
B     6344     0x0000000a00004001  1022171714.045827  1022171722.457644  8.411817   1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:10:5a:c5:96:1a  0x0800              139.45.174.202  ie       "Stripe Inc"               56071    138.212.190.117  jp       "ASAHI KASEI CORPORATION"      3837     6        10159       5692         14821880     0             0         1460      1458.99     29.41481    0       1.465593  0.0008280156  0.01468998   1207.706  1762031   0.2818119  1          0x0044    1           33832       59        250       1         0x18   0x3842   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1837334633  10159       14999999        0               1           0                      2               5840          5840         5840         5840         0               0              0                  0             0xdb      0xa003      1             4          0x00000016  1460    1      0          0          0       0.000000        0.000000           0.005066       0                 0.219088          0.001750757       0.003134686          0.002583663   0.01960833       0x02
B     3610     0x0000000a00004001  1022171705.686717  1022171714.043794  8.357077   1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:10:5a:c5:96:1a  0x0800              139.45.174.202  ie       "Stripe Inc"               56070    138.212.190.117  jp       "ASAHI KASEI CORPORATION"      3820     6        10048       5709         14656900     0             0         1460      1458.688    34.27719    0       1.39519   0.0008317156  0.0141066    1202.334  1753831   0.2753697  1          0x0044    1           44772       59        250       1         0x18   0x3842   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1835183641  10048       14999999        0               1           0                      2               5840          5840         5840         5840         0               0              0                  0             0xdb      0xa003      1             4          0x00000016  1460    1      0          0          0       0.000000        0.000000           0.006276       0                 0.240063          0.001985467       0.003686316          0.002785216   0.01874814       0x02
A     325      0x0000000200004000  1022171701.712093  1022171726.638722  24.926629  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:50:bf:08:44:81  0x0800              19.59.134.250   us       "Ford Motor Company"       65230    138.212.187.240  jp       "ASAHI KASEI CORPORATION"      58290    6        9459        5223         13696632     0             1448      1448      1448        0           0       0.067445  0.00263523    0.006627299  379.4737  549477.9  0.2885166  1          0x0050    1           387         53        53        0         0x08   0x3844   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2192448358  9415        15002728        44              0           0                      0               33304         33304        33304        33304        0               0              0                  0             0xd0      0xa000      9459          28377      0x00000102  0       1      199361062  113909808  0.01    1993610.575439  1020178116.063283  0              0                 0.066065          0.008232069       0.01009581           0             -1               0x03
$

The best method to spot connection anomalies is to visualize time, connecting IPs and connection counts. The connStat plugin produces the appropriate numbers for this task.

It adds four columns:

  • connections src IP (connSip),
  • connections dst IP (connDip),
  • connections between srcIP and dstIP (connSipDip)
  • number of unique destination port connections of a certain srcIP (connSipDprt)

Moreover, an experimental feature connF = connSipDprt / connSip is added, which describes the ratio between the port connections of a srcIP and the total connection count of that same srcIP during the lifetime of this flow.

$ t2build connStat
$ t2 -r ~/data/annoloc2.pcap -w ~/results
================================================================================
Tranalyzer 0.8.6 (Anteater), Tarantula. PID: 9928
================================================================================
...
--------------------------------------------------------------------------------
...
connStat: Number of unique source IPs: 4413 (4.41 K)
connStat: Number of unique destination IPs: 3209 (3.21 K)
connStat: Number of unique source/destination IPs connections: 182
connStat: Max unique number of source IP / destination port connections: 413
connStat: IP prtcon/sdcon, prtcon/scon: 2.269231, 0.093587
connStat: Source IP with max connections: 138.212.189.66 (JP): 366 connections
connStat: Destination IP with max connections: 138.212.184.235 (JP): 402 connections
--------------------------------------------------------------------------------
...
$

The connStat contribution to the end report provides you with connection oriented facts about your traffic, so you should record these numbers at certain dates and times to establish a normal baseline.

If the number of sending/receiving IPs in your network exceeds the maximum of your recordings, or the number of unique local addresses exceeds the number of machines in your network, something is definitely wrong.

The same holds for the number of receiving IPs and the ratio of src and dst IPs. The 5th line consists of experimental numbers which served well in finding malware, so if prtcon/sdcon and prtcon/scon are >> 1 you should look a bit closer at this traffic. In a future tutorial, T2 Kungfu, I'll try to elaborate more on that matter.
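To make the four connStat columns and the connF ratio concrete, here is an added Python example (a simplified re-implementation over a whole flow file, not the connStat plugin, which keeps these counters live so that each flow sees the state during its own lifetime). It computes connSip, connDip, connSipDip, connSipDprt and connF per flow from the bullet definitions above, produces the report-style aggregates, and flags sources whose connF is close to or above 1. The flows are constructed (the 10.0.0.0/8 addresses and ports are invented); reading "prtcon/scon" as max connSipDprt over the number of unique source IPs is an assumption here, chosen because it reproduces 413 / 4413 = 0.093587 from the report above.

```python
"""connStat-style connection counters computed over a list of flows.

Added example, not the Tranalyzer connStat plugin.  Counters are computed
over the whole input; the real plugin updates them as traffic arrives.
"""
from collections import defaultdict

# Constructed sample flows: (srcIP, srcPort, dstIP, dstPort).
# 10.0.0.5 behaves like a port scanner: five distinct dst ports on one host.
FLOWS = [
    ("10.0.0.5", 40001, "10.0.1.9", 22),
    ("10.0.0.5", 40002, "10.0.1.9", 23),
    ("10.0.0.5", 40003, "10.0.1.9", 80),
    ("10.0.0.5", 40004, "10.0.1.9", 443),
    ("10.0.0.5", 40005, "10.0.1.9", 445),
    ("10.0.0.7", 51000, "10.0.1.9", 443),
    ("10.0.0.7", 51001, "10.0.1.10", 443),
    ("10.0.0.8", 52000, "10.0.1.10", 443),
]


def conn_columns(flows):
    """Return one dict per flow with connSip, connDip, connSipDip,
    connSipDprt and connF = connSipDprt / connSip."""
    conn_sip = defaultdict(int)        # connections of the src IP
    conn_dip = defaultdict(int)        # connections of the dst IP
    conn_sipdip = defaultdict(int)     # connections between src and dst IP
    dports = defaultdict(set)          # unique dst ports per src IP
    for sip, _sport, dip, dport in flows:
        conn_sip[sip] += 1
        conn_dip[dip] += 1
        conn_sipdip[(sip, dip)] += 1
        dports[sip].add(dport)
    rows = []
    for sip, sport, dip, dport in flows:
        n_dprt = len(dports[sip])
        rows.append({
            "srcIP": sip, "srcPort": sport, "dstIP": dip, "dstPort": dport,
            "connSip": conn_sip[sip],
            "connDip": conn_dip[dip],
            "connSipDip": conn_sipdip[(sip, dip)],
            "connSipDprt": n_dprt,
            "connF": n_dprt / conn_sip[sip],
        })
    return rows


def conn_report(flows):
    """Aggregates in the spirit of the connStat end report."""
    rows = conn_columns(flows)
    by_src = {r["srcIP"]: r for r in rows}   # per-src counters are identical per src
    by_dst = {r["dstIP"]: r for r in rows}
    max_dprt = max(r["connSipDprt"] for r in rows)
    return {
        "unique_src_ips": len(by_src),
        "unique_dst_ips": len(by_dst),
        "max_src_dport_connections": max_dprt,
        # assumption: prtcon/scon = max connSipDprt / unique source IPs
        "prtcon_per_scon": max_dprt / len(by_src),
        "src_with_max_connections": max(by_src.values(), key=lambda r: r["connSip"])["srcIP"],
        "dst_with_max_connections": max(by_dst.values(), key=lambda r: r["connDip"])["dstIP"],
    }


def suspicious_sources(flows, min_conn=3, ratio=0.8):
    """Source IPs whose connections mostly go to distinct destination ports
    (connF near or above 1), the pattern the tutorial says deserves a closer
    look.  min_conn avoids flagging hosts that opened a single connection."""
    flagged = {}
    for r in conn_columns(flows):
        if r["connSip"] >= min_conn and r["connF"] >= ratio:
            flagged[r["srcIP"]] = r["connF"]
    return flagged


if __name__ == "__main__":
    for key, value in conn_report(FLOWS).items():
        print(f"connStat: {key}: {value}")
    print("suspicious:", suspicious_sources(FLOWS))
```

Because the whole file is counted at once, every flow of a source gets the same connSip here, whereas in the tutorial's tawk output above connSip shrinks over the lifetime of the file; the ranking of sources and the connF ratio behave the same way in both cases.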

The biggest connection initiator and the biggest endpoint connector at the end of the connStat report give you an indication where to look first when inspecting a flow file. Note also the country information given there.

The tawk command below extracts only the initiating flows of the biggest connection initiator and prints only the connection relevant features. The not() function is used instead of ! to prevent tawk from filtering out the header (the hdr() function could also have been used).

$ tawk 'not(bitsanyset($flowStat, 1)) && shost("138.212.189.66") { print $timeFirst, $timeLast, $srcIP, $srcIPCC, $connSip, $connSipDip, $connSipDprt, $connF }' annoloc2_flows.txt | LC_ALL=C sort -t$'\t' -n -k3,3 | head -n 25 | tcol
timeFirst          timeLast           srcIP           srcIPCC  connSip  connSipDip  connSipDprt  connF
1022171701.715552  1022171701.715552  138.212.189.66  jp       366      2           413          1.128415
1022171701.748589  1022171724.156283  138.212.189.66  jp       84       2           2            0.02380952
1022171701.748589  1022171725.854193  138.212.189.66  jp       40       2           2            0.05
1022171701.748591  1022171725.224952  138.212.189.66  jp       62       2           2            0.03225806
1022171701.748593  1022171701.748593  138.212.189.66  jp       365      1           1            0.002739726
1022171701.748593  1022171725.983912  138.212.189.66  jp       30       2           2            0.06666667
1022171701.748603  1022171726.344313  138.212.189.66  jp       23       2           2            0.08695652
1022171701.748605  1022171726.559487  138.212.189.66  jp       5        2           4            0.8
1022171701.833674  1022171707.884734  138.212.189.66  jp       291      1           316          1.085911
1022171701.834407  1022171701.834407  138.212.189.66  jp       364      2           411          1.129121
1022171701.845499  1022171701.845499  138.212.189.66  jp       363      2           409          1.126722
1022171701.847836  1022171725.854167  138.212.189.66  jp       41       2           2            0.04878049
1022171701.847851  1022171725.858100  138.212.189.66  jp       37       2           2            0.05405406
1022171701.847851  1022171726.446242  138.212.189.66  jp       17       2           2            0.1176471
1022171701.847852  1022171726.417256  138.212.189.66  jp       9        2           2            0.2222222
1022171701.847853  1022171701.847853  138.212.189.66  jp       362      1           1            0.002762431
1022171701.847854  1022171726.546581  138.212.189.66  jp       10       2           2            0.2
1022171701.868853  1022171701.868853  138.212.189.66  jp       361      1           407          1.127424
1022171701.878890  1022171701.878890  138.212.189.66  jp       360      2           406          1.127778
1022171701.922395  1022171701.922395  138.212.189.66  jp       359      2           404          1.125348
1022171701.947721  1022171726.546595  138.212.189.66  jp       7        1           89  0.1428571
1022171701.960091  1022171701.960091  138.212.189.66  jp       358      1           89  1.122905
1022171702.048266  1022171726.446250  138.212.189.66  jp       20       2           89  0.35
1022171702.089215  1022171702.089215  138.212.189.66  jp       357      2           89  1.123249
$

Up until now we have used absolute time stamps. For static plots, the time relative to the beginning of the pcap is easier to grasp. So first change into the tranalyzer2 directory (the tranalyzer2 shell alias takes you there) and open src/tranalyzer.h:

$ tranalyzer2
$ vi src/tranalyzer.h

There you will see a lot of things to configure; that is fun for later. For now look for RELTIME and change it to 1.

If you are afraid to edit .h files, here is the t2conf command which does the same:

$ t2conf tranalyzer2 -D RELTIME=1
$

Then recompile all plugins used so far, because some of them, e.g. basicFlow, also depend on the RELTIME switch, and rerun t2:

$ t2build -R
$ t2 -r ~/data/annoloc2.pcap -w ~/results
================================================================================
Tranalyzer 0.8.6 (Anteater), Tarantula. PID: 10282
================================================================================
...
$

For the visualization we only need to extract three features, timeFirst, srcIP and connSip, and pipe them into t2plot, which draws a 3D graph with a logarithmic z-axis:

$ tawk 'ipv4() { if ($connSip) print $timeFirst, $srcIP, $connSip }' annoloc2_flows.txt | t2plot -t "Simple connStat anomaly graph" -sx 0:25  -sy 0:2800000000 -v 60,75 -lz -r 1
(Plot: connStat anomaly graph, log scale, zoomed: $timeFirst, $srcIP, $connSip)

You can now instantly see the evolution over time of all IP addresses, spot the biggest connector, read off its count range and select it with a simple if clause in an awk or tawk script. t2plot converts the IP addresses to numbers, which is why the y-range is given as 0:2800000000. The -r 1 option replots the graph every second, so that you can rotate it with the mouse.

If you use the gpq3x script you can produce an online waterfall plot with the same characteristics. Together with T2's rrd monitoring you then have an efficient online graphical anomaly detection.

Timeline flow analysis

Often typical patterns emerge from the way flows are produced over time. So if an IP stands out in the connStat end report, a flow timeline diagram can be useful. Just extract the flows of the biggest connector from above, 138.212.189.66, store them in a new file and run the t2timeline script as indicated below:

$ tawk 'host("138.212.189.66")' annoloc2_flows.txt > annoloc2_ip.txt
$ t2timeline -r -ws 700,400 annoloc2_ip.txt
(Plot: Timeline of IP 138.212.189.66, annoloc2_flows.txt)

The green lines are requesting flows, the red ones response flows. The z-axis denotes the flowInd number. If you point the mouse at the beginning of a flow, several flow parameters are displayed that help you identify it. Maybe there are still too many flows to see anything, but you could now select certain protocols, such as TCP, or ports, such as port 80. Write a short tawk filter and rerun the t2timeline script yourself.

Moreover, the timeline graph is very useful for assessing training data for machine learning. Take a two-class problem in which the flows of both classes are required to be created by the same equipment with the same relative timing (certain encrypted content classification tasks have this requirement to produce a reasonable classifier); then the timelines of all pcaps of the two classes should look similar. If the timeline plots differ drastically, you have caught somebody producing garbage training data: a classifier trained on it will find features which correlate with the way the data was captured rather than with the problem at hand.

And don’t forget to reset RELTIME to 0 if you intend to do more tutorials, as most of them are based on absolute time. Here is the t2conf command.

$ t2conf tranalyzer2 -D RELTIME=0
$ t2build -R
...
$

Global statistical plugins

After inspecting the T2 end report we have a good overview of the pcap: its state, certain abnormalities and statistics. As each network has its specific protocol mix, T2 provides several global plugins which produce protocol specific statistics.

protoStats and icmpDecode are the standard ones to scrutinize after the end report. protoStats generates annoloc2_protocols.txt, which is sorted by Layer 2 to 4 protocol number.

To reduce the amount of confusing output, I unloaded the plugins not needed here and loaded icmpDecode and protoStats:

$ t2build -u tcpStates tcpFlags connStat basicStats
...
$ t2build icmpDecode protoStats

...

$ t2 -r ~/data/annoloc2.pcap -w ~/results
===============================================================================
Tranalyzer 0.8.6 (Anteater), Tarantula. PID: 5885
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: protoStats, 0.8.6
    02: basicFlow, 0.8.6
    03: icmpDecode, 0.8.6
    04: txtSink, 0.8.6
...
--------------------------------------------------------------------------------
icmpDecode: Number of ICMP echo request packets: 224 [7.32%]
icmpDecode: Number of ICMP echo reply packets: 191 [6.24%]
icmpDecode: ICMP echo reply / request ratio: 0.85
--------------------------------------------------------------------------------
...

As you can see, icmpDecode adds the reply / request ratio to the end report, an important measure for a rapid assessment: a ratio far below 1 means many echo requests were never answered, which hints at scanning or at unreachable targets. The relative amounts of request and reply packets are a valuable indication as well.

More detailed information about the general picture is provided in the protocols file written by protoStats:

$ tcol annoloc2_protocols.txt
# Total packets: 1219015 (1.22 M)
# Total bytes: 64082726 (64.08 M)
# L2/3 Protocol                                               Packets                           Bytes            Description
0x0800                                                        1218588 [ 99.96%]              64061156 [ 99.97%]  Internet Protocol version 4 (IPv4)
0x0806                                                            247 [  0.02%]                 10374 [  0.02%]  Address Resolution Protocol (ARP)
0x86dd                                                            180 [  0.01%]                 11196 [  0.02%]  Internet Protocol version 6 (IPv6)

# Total IPv4 packets: 1218588 (1.22 M) [99.96%]
# Total IPv6 packets: 180 [0.01%]
# L4 Protocol                                                 Packets                           Bytes            Description
  1                                                              3059 [  0.25%]                191934 [  0.30%]  Internet Control Message Protocol (ICMP)
  2                                                                12 [  0.00%]                   456 [  0.00%]  Internet Group Management Protocol (IGMP)
  6                                                            948743 [ 77.83%]              52643546 [ 82.15%]  Transmission Control Protocol (TCP)
 17                                                            266900 [ 21.89%]              11234272 [ 17.53%]  User Datagram Protocol (UDP)
 22                                                                 1 [  0.00%]                    34 [  0.00%]  XEROX NS IDP
 23                                                                 1 [  0.00%]                    34 [  0.00%]  Trunk-1
 28                                                                 1 [  0.00%]                    34 [  0.00%]  Internet Reliable Transaction
 47                                                                20 [  0.00%]                   680 [  0.00%]  General Routing Encapsulation
 48                                                                 1 [  0.00%]                    34 [  0.00%]  Mobile Host Routing Protocol
 58                                                                11 [  0.00%]                   682 [  0.00%]  Internet Control Message Protocol for IPv6 (ICMPv6)
 59                                                                 1 [  0.00%]                    34 [  0.00%]  No Next Header for IPv6
 64                                                                 1 [  0.00%]                    34 [  0.00%]  SATNET and Backroom EXPAK
 79                                                                 1 [  0.00%]                    34 [  0.00%]  WIDEBAND EXPAK
...

# Total TCP packets: 948743 (948.74 K) [77.83%]
# Total TCP bytes: 52643546 (52.64 M) [82.15%]
# TCP Port                                                    Packets                           Bytes            Description
   13                                                               2 [  0.00%]                   108 [  0.00%]  Daytime (RFC 867)
   20                                                          120418 [ 12.69%]               6703628 [ 12.73%]  File Transfer [Default Data]
   21                                                            2082 [  0.22%]                113512 [  0.22%]  File Transfer [Control]
   22                                                            3793 [  0.40%]                213006 [  0.40%]  The Secure Shell (SSH) Protocol
   23                                                             309 [  0.03%]                 16686 [  0.03%]  Telnet
   25                                                             134 [  0.01%]                  8676 [  0.02%]  Simple Mail Transfer Protocol (SMTP)
   49                                                             175 [  0.02%]                  9558 [  0.02%]  Login Host Protocol (TACACS)
   53                                                               8 [  0.00%]                   528 [  0.00%]  Domain Name Server (DNS)
   65                                                              13 [  0.00%]                   742 [  0.00%]  TACACS-Database Service
   66                                                               8 [  0.00%]                   448 [  0.00%]  Oracle SQL*NET
   67                                                               8 [  0.00%]                   448 [  0.00%]  Bootstrap Protocol Server
   68                                                               6 [  0.00%]                   324 [  0.00%]  Bootstrap Protocol Client
   80                                                           73283 [  7.72%]               4037878 [  7.67%]  World Wide Web HTTP
   81                                                           10937 [  1.15%]                609542 [  1.16%]  Cobalt cube web access or trojan
   83                                                              47 [  0.00%]                  2538 [  0.00%]  MIT ML Device
...

# Total UDP packets: 266900 (266.90 K) [21.89%]
# Total UDP bytes: 11234272 (11.23 M) [17.53%]
# UDP Port                                                    Packets                           Bytes            Description
    0                                                              67 [  0.03%]                  2278 [  0.02%]
   37                                                             321 [  0.12%]                 13482 [  0.12%]  Time
   53                                                            2928 [  1.10%]                158112 [  1.41%]  Domain Name Server (DNS)
   67                                                              14 [  0.01%]                   588 [  0.01%]  Bootstrap Protocol Server
  123                                                              34 [  0.01%]                  1428 [  0.01%]  Network Time Protocol
  137                                                             503 [  0.19%]                 21126 [  0.19%]  NETBIOS Name Service
  138                                                             152 [  0.06%]                  6384 [  0.06%]  NETBIOS Datagram Service
  161                                                             212 [  0.08%]                  8904 [  0.08%]  SNMP
  412                                                               7 [  0.00%]                   294 [  0.00%]  Trap Convention Port
  427                                                               3 [  0.00%]                   126 [  0.00%]  Server Location
...

Here as well, the biggest protocol talker is the interesting place to begin an analysis. The protStat script sorts the protocols file by number of packets or bytes; the -p option sets the lowest percentage to display. We selected 1% and additionally enabled the UDP-Lite and SCTP statistics in protoStats:

$ t2conf protoStats -D UDPLITE_STAT=1 -D SCTP_STAT=1
$ t2build protoStats
...
$ t2 -r ~/data/annoloc2.pcap -w ~/results
...
$ protStat -p=1 annoloc2_protocols.txt
L2/3 Protocol	     Packets	                       Bytes	        Description
0x0800	             1218588 [ 99.96%]	            64061156 [ 99.97%]	Internet Protocol version 4 (IPv4)

L4 Protocol	     Packets	                       Bytes	        Description
  6	              948743 [ 77.83%]	            52643546 [ 82.15%]	Transmission Control Protocol (TCP)
 17	              266900 [ 21.89%]	            11234272 [ 17.53%]	User Datagram Protocol (UDP)

TCP Port	     Packets	                       Bytes	        Description
  139	              203627 [ 21.46%]	            11051370 [ 20.99%]	NETBIOS Session Service
   20	              120418 [ 12.69%]	             6703628 [ 12.73%]	File Transfer [Default Data]
   80	               73283 [  7.72%]	             4037878 [  7.67%]	World Wide Web HTTP
  445	               27611 [  2.91%]	             1495334 [  2.84%]	Microsoft-DS
 4662	               26586 [  2.80%]	             1484248 [  2.82%]	OrbitNet Message Service
 1214	               20702 [  2.18%]	             1134572 [  2.16%]	KAZAA
56071	               15851 [  1.67%]	              855970 [  1.63%]
56070	               15757 [  1.66%]	              850894 [  1.62%]
58290	               14682 [  1.55%]	              969012 [  1.84%]
 6699	               13711 [  1.45%]	              757674 [  1.44%]
   81	               10937 [  1.15%]	              609542 [  1.16%]	Cobalt cube web access or trojan

UDP Port	     Packets	                       Bytes	        Description
27005	               34284 [ 12.85%]	             1439928 [ 12.82%]	FLEX LM (1-10)
27960	               24798 [  9.29%]	             1041516 [  9.27%]
 7777	               15241 [  5.71%]	              640122 [  5.70%]	cbt
28920	               14301 [  5.36%]	              600642 [  5.35%]
10007	               11847 [  4.44%]	              497574 [  4.43%]	MVS Capacity
27115	               11220 [  4.20%]	              471240 [  4.19%]
12203	               10654 [  3.99%]	              447468 [  3.98%]
27963	                8591 [  3.22%]	              360822 [  3.21%]
28015	                8458 [  3.17%]	              355236 [  3.16%]
27016	                7948 [  2.98%]	              333816 [  2.97%]
27116	                7508 [  2.81%]	              315336 [  2.81%]
27025	                7347 [  2.75%]	              308574 [  2.75%]
 1111	                7312 [  2.74%]	              307104 [  2.73%]	LM Social Server
28910	                6865 [  2.57%]	              288330 [  2.57%]
27035	                6511 [  2.44%]	              273462 [  2.43%]
27961	                4869 [  1.82%]	              204498 [  1.82%]
 7000	                3879 [  1.45%]	              162918 [  1.45%]	file server itself
28901	                3619 [  1.36%]	              151998 [  1.35%]
 1028	                3570 [  1.34%]	              149940 [  1.33%]
62626	                3364 [  1.26%]	              141288 [  1.26%]
61996	                3324 [  1.25%]	              139608 [  1.24%]
28001	                2984 [  1.12%]	              125328 [  1.12%]
   53	                2928 [  1.10%]	              158112 [  1.41%]	Domain Name Server (DNS)

UDP-Lite Port	     Packets	                       Bytes	        Description

SCTP Port	     Packets	                       Bytes	        Description

$

So there are no UDP-Lite or SCTP packets in this pcap.

We have 0.25% ICMP traffic, which is not abnormal for this type of traffic. Often it is nevertheless necessary to look at the ICMP messages in detail, because some may indicate problems or even malicious behaviour. For that, icmpDecode provides a detailed statistical overview in annoloc2_icmpStats.txt:

$ lsx 22 annoloc2_icmpStats.txt
Total number of ICMP packets: 3070 (3.07 K) [0.25%]

Number of ICMP packets: 3059 (3.06 K) [0.25%]
Number of ICMPv6 packets: 11 [0.00%]

ICMP echo reply / request ratio: 0.853

# ICMP Type           Code                               Packets
ICMP_ECHOREQUEST      -                                      224 [  7.32%]
ICMP_ECHOREPLY        -                                      191 [  6.24%]
ICMP_DEST_UNREACH     ICMP_HOST_UNREACH                       25 [  0.82%]
ICMP_DEST_UNREACH     ICMP_PORT_UNREACH                     2603 [ 85.09%]
ICMP_TIME_EXCEEDED    ICMP_EXC_TTL                            14 [  0.46%]
ICMP_TIME_EXCEEDED    ICMP_EXC_FRAGTIME                        2 [  0.07%]

# ICMPv6 Type         Code                               Packets
ICMP6_RTER_ADVERT     -                                        5 [ 45.45%]
ICMP6_NBOR_SOLICIT    -                                        3 [ 27.27%]
ICMP6_NBOR_ADVERT     -                                        3 [ 27.27%]
$

Note that if we had more message types, we could use protStat to sort and filter annoloc2_icmpStats.txt as well.

Now let’s find all hosts sending ICMP messages:

$ tawk 'icmp()' annoloc2_flows.txt | tcol
...

By scrolling to the right you see the icmpBFTypH_TypL_Code bit field. It consists of three parts: a high and a low type bit field and a code bit field, where bit n is set if type n (or code n, respectively) occurred in the flow. We are interested in ICMP_PORT_UNREACH, which is type 3, code 3, so the 3rd part should have bit 3 set: 2^3 = 0x0008 (the same rule gives the 0x00000008 for type 3 in the second part seen below). ICMP_HOST_UNREACH is type 3, code 1, i.e. 0x0002, and is not matched by the filter below; to match both codes at once you would test bitsanyset(A[3], 0x000a).

$ tawk '{ split($icmpBFTypH_TypL_Code, A, "_"); if (bitsanyset(A[3], 0x8)) print }' annoloc2_flows.txt | head -n 15 | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc        srcMac             dstMac             ethType  ethVlanID  srcIP           srcIPCC  srcIPWho                   srcPort  dstIP            dstIPCC  dstIPWho                       dstPort  l4Proto  icmpStat  icmpTCcnt  icmpBFTypH_TypL_Code          icmpTmGtw   icmpEchoSuccRatio  icmpPFindex
A     59       0x0000000200004001  1022171701.692762  1022171701.692762  0.000000  1           3        eth:ipv4:icmp  00:80:48:b3:22:ef  00:d0:02:6d:78:00  0x0800              138.212.187.10  jp       "ASAHI KASEI CORPORATION"  0        201.116.148.149  mx       "Uninet S.A. de C.V."          0        1        0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  0
A     893      0x0000000200004001  1022171701.812425  1022171701.812425  0.000000  1           3        eth:ipv4:icmp  00:80:48:d7:ed:7a  00:d0:02:6d:78:00  0x0800              138.212.189.88  jp       "ASAHI KASEI CORPORATION"  0        201.116.161.83   mx       "Uninet S.A. de C.V."          0        1        0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  890
A     1069     0x0000000200004001  1022171701.889357  1022171701.889357  0.000000  1           3        eth:ipv4:icmp  00:48:54:7a:04:0f  00:d0:02:6d:78:00  0x0800              138.212.184.71  jp       "ASAHI KASEI CORPORATION"  0        146.208.9.41     us       "Keysight Technologies"        0        1        0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1052
A     1204     0x0000000200004001  1022171701.980834  1022171701.980834  0.000000  1           3        eth:ipv4:icmp  00:d0:02:6d:78:00  00:80:48:b3:22:c4  0x0800              138.213.40.91   --       "--"                       0        138.212.189.66   jp       "ASAHI KASEI CORPORATION"      0        1        0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1180
A     1232     0x0000000200004001  1022171702.009674  1022171702.009674  0.000000  1           3        eth:ipv4:icmp  00:48:54:7a:04:0f  00:d0:02:6d:78:00  0x0800              138.212.184.71  jp       "ASAHI KASEI CORPORATION"  0        36.237.77.156    tw       "Data Communication Business"  0        1        0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1222
A     1557     0x0000000200004001  1022171702.247453  1022171702.247453  0.000000  1           3        eth:ipv4:icmp  00:04:76:22:07:90  00:d0:02:6d:78:00  0x0800              138.212.186.88  jp       "ASAHI KASEI CORPORATION"  0        201.19.77.72     br       "Telemar Norte Leste S.A."     0        1        0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1555
A     1572     0x0000000200004001  1022171702.265015  1022171702.265015  0.000000  1           3        eth:ipv4:icmp  00:08:a1:1d:3f:f1  00:d0:02:6d:78:00  0x0800              138.212.191.25  jp       "ASAHI KASEI CORPORATION"  0        19.50.144.156    us       "Ford Motor Company"           0        1        0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1570
A     1717     0x0000000200004001  1022171702.396273  1022171702.396273  0.000000  1           3        eth:ipv4:icmp  00:80:48:b3:24:eb  00:d0:02:6d:78:00  0x0800              138.212.190.25  jp       "ASAHI KASEI CORPORATION"  0        19.6.20.159      us       "Ford Motor Company"           0        1        0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1710
A     1740     0x0000000200004001  1022171702.417049  1022171702.417049  0.000000  1           3        eth:ipv4:icmp  00:80:48:b3:22:ef  00:d0:02:6d:78:00  0x0800              138.212.187.10  jp       "ASAHI KASEI CORPORATION"  0        65.171.40.80     us       "Sprint"                       0        1        0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1739
A     1749     0x0000000200004001  1022171702.423157  1022171702.423157  0.000000  1           3        eth:ipv4:icmp  00:80:48:b3:22:ef  00:d0:02:6d:78:00  0x0800              138.212.187.10  jp       "ASAHI KASEI CORPORATION"  0        193.108.29.243   lv       "Infoserv-Riga Ltd"            0        1        0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1747
A     1819     0x0000000200004001  1022171702.510250  1022171702.510250  0.000000  1           3        eth:ipv4:icmp  00:80:48:b3:22:ef  00:d0:02:6d:78:00  0x0800              138.212.187.10  jp       "ASAHI KASEI CORPORATION"  0        138.213.33.28    --       "--"                           0        1        0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1814
A     1876     0x0000000200004000  1022171722.772690  1022171722.785414  0.012724  1           3        eth:ipv4:icmp  00:d0:02:6d:78:00  00:50:da:37:f6:03  0x0800              193.133.161.22  gb       "Verizon UK Limited"       0        138.212.191.75   jp       "ASAHI KASEI CORPORATION"      0        1        0x01      9          0x00000000_0x00000008_0x0008  0x00000000  0                  7706
B     1876     0x0000000200004001  1022171702.597916  1022171702.597916  0.000000  1           3        eth:ipv4:icmp  00:50:da:37:f6:03  00:d0:02:6d:78:00  0x0800              138.212.191.75  jp       "ASAHI KASEI CORPORATION"  0        193.133.161.22   gb       "Verizon UK Limited"           0        1        0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1875
A     1905     0x0000000200004001  1022171702.623420  1022171702.623420  0.000000  1           3        eth:ipv4:icmp  00:d0:02:6d:78:00  00:50:fc:44:99:fd  0x0800              201.74.106.234  br       "CLARO S.A."               0        138.212.187.11   jp       "ASAHI KASEI CORPORATION"      0        1        0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1871
$
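The bit field logic above, as an added bash example that is not part of Tranalyzer2: it decodes an icmpBFTypH_TypL_Code value into the ICMP types and codes it contains, builds the mask for a given type or code, and filters a flow file by code the same way the tawk command does, resolving the column by name from the header line (which is what tawk does for you). The encoding it assumes is derived from the output above (TypL bit t for type t, Code bit c for code c); that TypH covers types 32 to 63 is our assumption. The flow excerpt is constructed and reduced to a few columns: the rows for flows 59, 1177 and 2061 follow the values shown on this page, the last row is made up to show that the field is an OR over all packets of a flow, so type and code can no longer be paired.

```bash
#!/usr/bin/env bash
# Added example, not part of Tranalyzer2: work with the icmpBFTypH_TypL_Code field.
# Assumed encoding (derived from the output above; the TypH range is our assumption):
#   TypL bit t     set <=> ICMP type t (0..31)  occurred in the flow
#   TypH bit t-32  set <=> ICMP type t (32..63) occurred in the flow
#   Code bit c     set <=> ICMP code c          occurred in the flow
set -eu

# bits_set MASK BASE: comma separated list of set bit positions in MASK, offset by BASE.
bits_set() {
    local mask=$(( $1 )) base="${2:-0}" i=0 out=""
    while [ "$i" -lt 32 ]; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out}${out:+,}$((i + base))"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# icmp_bf_decode TYPH_TYPL_CODE: e.g. 0x00000000_0x00000008_0x0008 -> "types=3 codes=3"
icmp_bf_decode() {
    local typh typl code rest types hi
    typh=${1%%_*}; rest=${1#*_}; typl=${rest%%_*}; code=${rest#*_}
    types=$(bits_set "$typl" 0)
    hi=$(bits_set "$typh" 32)
    if [ -n "$hi" ]; then
        types="${types:+$types,}$hi"
    fi
    printf 'types=%s codes=%s\n' "$types" "$(bits_set "$code" 0)"
}

# icmp_code_mask CODE: Code-field mask selecting one code, 3 -> 0x0008 (the 2^3 of the text).
icmp_code_mask() { printf '0x%04x\n' $(( 1 << $1 )); }

# icmp_type_mask TYPE: TypL (type < 32) or TypH (type >= 32) mask for one type, 3 -> 0x00000008.
icmp_type_mask() { printf '0x%08x\n' $(( 1 << ($1 % 32) )); }

# Constructed flow excerpt (tab separated, reduced to a few columns). Flows 59, 1177
# and 2061 follow the values shown on this page; flow 9999 is made up: it carries
# type 3 codes 1 and 3 plus type 11 code 0, which the bit field can no longer tell apart.
SAMPLE_FLOWS=$(printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
    '%dir' flowInd srcIP dstIP icmpTCcnt icmpBFTypH_TypL_Code \
    A 59   138.212.187.10 201.116.148.149 1 0x00000000_0x00000008_0x0008 \
    A 1177 201.118.86.105 138.212.189.66  1 0x00000000_0x00000008_0x0002 \
    A 2061 70.101.52.210  138.212.184.246 1 0x00000000_0x00000100_0x0001 \
    A 9999 192.0.2.10     192.0.2.20      3 0x00000000_0x00000808_0x000b)

# flows_with_code FLOWS CODE: header plus every row whose Code field has bit CODE set,
# the same test as bitsanyset(A[3], 1<<CODE) in the tawk command above. The column is
# resolved by name from the header line, like tawk does. Plain POSIX awk, no strtonum.
flows_with_code() {
    printf '%s\n' "$1" | awk -F '\t' -v want="$2" '
        function hex2int(s,    i, v) {
            sub(/^0[xX]/, "", s); v = 0
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", tolower(substr(s, i, 1))) - 1
            return v
        }
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; print; next }
        {
            split($col["icmpBFTypH_TypL_Code"], f, "_")
            if (int(hex2int(f[3]) / 2^want) % 2 == 1) print
        }'
}

# Stand-alone demo.
icmp_bf_decode 0x00000000_0x00000008_0x0008
icmp_bf_decode 0x00000000_0x00000808_0x000b
flows_with_code "$SAMPLE_FLOWS" 3
```

The decode of the made-up row prints types 3 and 11 and codes 0, 1 and 3 as two flat lists: whether the code 1 belonged to type 3 or to type 11 is gone, which is exactly why the per-packet icmpType_Code list (ICMP_TC_MD=1) is the better choice when the pairing matters and the bit field the better choice for fast selection.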

The bit fields are useful for selecting flows, but they only record which types and which codes occurred, not which pairs. If you prefer readability and exact type/code pairs, set ICMP_TC_MD to 1, recompile and rerun t2 as indicated below. The icmpType_Code column then lists one type_code entry per ICMP packet of the flow; flow 1876, with 9 port unreachable packets, shows 3_3 nine times.

$ t2conf icmpDecode -D ICMP_TC_MD=1
$ t2build icmpDecode
...
$ t2 -r ~/data/annoloc2.pcap -w ~/results
$ tawk '$icmpTCcnt > 0' annoloc2_flows.txt | head -n 22 | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc        srcMac             dstMac             ethType  ethVlanID  srcIP            srcIPCC  srcIPWho                       srcPort  dstIP            dstIPCC  dstIPWho                       dstPort  l4Proto  icmpStat  icmpTCcnt  icmpType_Code                        icmpTmGtw   icmpEchoSuccRatio  icmpPFindex
A     59       0x0000000200004001  1022171701.692762  1022171701.692762  0.000000  1           3        eth:ipv4:icmp  00:80:48:b3:22:ef  00:d0:02:6d:78:00  0x0800              138.212.187.10   jp       "ASAHI KASEI CORPORATION"      0        201.116.148.149  mx       "Uninet S.A. de C.V."          0        1        0x01      1          3_3                                  0x00000000  0                  0
A     893      0x0000000200004001  1022171701.812425  1022171701.812425  0.000000  1           3        eth:ipv4:icmp  00:80:48:d7:ed:7a  00:d0:02:6d:78:00  0x0800              138.212.189.88   jp       "ASAHI KASEI CORPORATION"      0        201.116.161.83   mx       "Uninet S.A. de C.V."          0        1        0x01      1          3_3                                  0x00000000  0                  890
A     1069     0x0000000200004001  1022171701.889357  1022171701.889357  0.000000  1           3        eth:ipv4:icmp  00:48:54:7a:04:0f  00:d0:02:6d:78:00  0x0800              138.212.184.71   jp       "ASAHI KASEI CORPORATION"      0        146.208.9.41     us       "Keysight Technologies"        0        1        0x01      1          3_3                                  0x00000000  0                  1052
A     1177     0x0000000200004001  1022171701.956543  1022171701.956543  0.000000  1           3        eth:ipv4:icmp  00:d0:02:6d:78:00  00:80:48:b3:22:c4  0x0800              201.118.86.105   mx       "Uninet S.A. de C.V."          0        138.212.189.66   jp       "ASAHI KASEI CORPORATION"      0        1        0x01      1          3_1                                  0x00000000  0                  1166
A     1204     0x0000000200004001  1022171701.980834  1022171701.980834  0.000000  1           3        eth:ipv4:icmp  00:d0:02:6d:78:00  00:80:48:b3:22:c4  0x0800              138.213.40.91    --       "--"                           0        138.212.189.66   jp       "ASAHI KASEI CORPORATION"      0        1        0x01      1          3_3                                  0x00000000  0                  1180
A     1232     0x0000000200004001  1022171702.009674  1022171702.009674  0.000000  1           3        eth:ipv4:icmp  00:48:54:7a:04:0f  00:d0:02:6d:78:00  0x0800              138.212.184.71   jp       "ASAHI KASEI CORPORATION"      0        36.237.77.156    tw       "Data Communication Business"  0        1        0x01      1          3_3                                  0x00000000  0                  1222
A     1557     0x0000000200004001  1022171702.247453  1022171702.247453  0.000000  1           3        eth:ipv4:icmp  00:04:76:22:07:90  00:d0:02:6d:78:00  0x0800              138.212.186.88   jp       "ASAHI KASEI CORPORATION"      0        201.19.77.72     br       "Telemar Norte Leste S.A."     0        1        0x01      1          3_3                                  0x00000000  0                  1555
A     1572     0x0000000200004001  1022171702.265015  1022171702.265015  0.000000  1           3        eth:ipv4:icmp  00:08:a1:1d:3f:f1  00:d0:02:6d:78:00  0x0800              138.212.191.25   jp       "ASAHI KASEI CORPORATION"      0        19.50.144.156    us       "Ford Motor Company"           0        1        0x01      1          3_3                                  0x00000000  0                  1570
A     1717     0x0000000200004001  1022171702.396273  1022171702.396273  0.000000  1           3        eth:ipv4:icmp  00:80:48:b3:24:eb  00:d0:02:6d:78:00  0x0800              138.212.190.25   jp       "ASAHI KASEI CORPORATION"      0        19.6.20.159      us       "Ford Motor Company"           0        1        0x01      1          3_3                                  0x00000000  0                  1710
A     1740     0x0000000200004001  1022171702.417049  1022171702.417049  0.000000  1           3        eth:ipv4:icmp  00:80:48:b3:22:ef  00:d0:02:6d:78:00  0x0800              138.212.187.10   jp       "ASAHI KASEI CORPORATION"      0        65.171.40.80     us       "Sprint"                       0        1        0x01      1          3_3                                  0x00000000  0                  1739
A     1749     0x0000000200004001  1022171702.423157  1022171702.423157  0.000000  1           3        eth:ipv4:icmp  00:80:48:b3:22:ef  00:d0:02:6d:78:00  0x0800              138.212.187.10   jp       "ASAHI KASEI CORPORATION"      0        193.108.29.243   lv       "Infoserv-Riga Ltd"            0        1        0x01      1          3_3                                  0x00000000  0                  1747
A     1819     0x0000000200004001  1022171702.510250  1022171702.510250  0.000000  1           3        eth:ipv4:icmp  00:80:48:b3:22:ef  00:d0:02:6d:78:00  0x0800              138.212.187.10   jp       "ASAHI KASEI CORPORATION"      0        138.213.33.28    --       "--"                           0        1        0x01      1          3_3                                  0x00000000  0                  1814
A     1876     0x0000000200004000  1022171722.772690  1022171722.785414  0.012724  1           3        eth:ipv4:icmp  00:d0:02:6d:78:00  00:50:da:37:f6:03  0x0800              193.133.161.22   gb       "Verizon UK Limited"           0        138.212.191.75   jp       "ASAHI KASEI CORPORATION"      0        1        0x01      9          3_3;3_3;3_3;3_3;3_3;3_3;3_3;3_3;3_3  0x00000000  0                  7706
B     1876     0x0000000200004001  1022171702.597916  1022171702.597916  0.000000  1           3        eth:ipv4:icmp  00:50:da:37:f6:03  00:d0:02:6d:78:00  0x0800              138.212.191.75   jp       "ASAHI KASEI CORPORATION"      0        193.133.161.22   gb       "Verizon UK Limited"           0        1        0x01      1          3_3                                  0x00000000  0                  1875
A     1905     0x0000000200004001  1022171702.623420  1022171702.623420  0.000000  1           3        eth:ipv4:icmp  00:d0:02:6d:78:00  00:50:fc:44:99:fd  0x0800              201.74.106.234   br       "CLARO S.A."                   0        138.212.187.11   jp       "ASAHI KASEI CORPORATION"      0        1        0x01      1          3_3                                  0x00000000  0                  1871
A     1985     0x0000000200004001  1022171702.721365  1022171702.721365  0.000000  1           3        eth:ipv4:icmp  00:d0:02:6d:78:00  00:80:48:b3:22:c4  0x0800              139.97.6.149     fi       "ELISA"                        0        138.212.189.66   jp       "ASAHI KASEI CORPORATION"      0        1        0x01      1          3_3                                  0x00000000  0                  1973
A     1994     0x0000000200004001  1022171702.739522  1022171702.739522  0.000000  1           3        eth:ipv4:icmp  00:80:48:d7:ed:7a  00:d0:02:6d:78:00  0x0800              138.212.189.88   jp       "ASAHI KASEI CORPORATION"      0        216.218.79.22    us       "Farmers Telephone Cooperati"  0        1        0x01      1          3_3                                  0x00000000  0                  1993
A     2035     0x0000000200004001  1022171702.768754  1022171702.768754  0.000000  1           3        eth:ipv4:icmp  00:80:48:b3:22:ef  00:d0:02:6d:78:00  0x0800              138.212.187.10   jp       "ASAHI KASEI CORPORATION"      0        201.108.14.212   mx       "Uninet S.A. de C.V."          0        1        0x01      1          3_3                                  0x00000000  0                  2009
A     2061     0x0000000a00004000  1022171702.799287  1022171702.799287  0.000000  1           3        eth:ipv4:icmp  00:d0:02:6d:78:00  00:a0:c9:1e:a4:19  0x0800              70.101.52.210    us       "Frontier Communications of "  0        138.212.184.246  jp       "ASAHI KASEI CORPORATION"      0        1        0x01      1          8_0                                  0x99bb0002  1                  0
B     2061     0x0000000a00004001  1022171702.799877  1022171702.799877  0.000000  1           3        eth:ipv4:icmp  00:a0:c9:1e:a4:19  00:d0:02:6d:78:00  0x0800              138.212.184.246  jp       "ASAHI KASEI CORPORATION"      0        70.101.52.210    us       "Frontier Communications of "  0        1        0x01      1          0_0                                  0x99bb0002  0                  0
A     2062     0x0000000a00004000  1022171702.800596  1022171702.800596  0.000000  1           3        eth:ipv4:icmp  00:d0:02:6d:78:00  00:10:5a:64:e9:36  0x0800              70.101.52.210    us       "Frontier Communications of "  0        138.212.184.247  jp       "ASAHI KASEI CORPORATION"      0        1        0x01      1          8_0                                  0x99bc0002  1                  0
$

Now you see the sequence of code 3 entries, separated by ;.

Add layer 2/4 information

Information about MACs and ports, which helps you decode certain numbers, can be added:

macRecorder records all MAC pairs during a connection, with packet counts and MAC decoding
portClassifier human readable ports

Unload icmpDecode and load the new plugins:

$ t2build -u icmpDecode
...
$ t2build macRecorder portClassifier tcpStates
...
BUILD SUCCESSFUL

$ t2 -r ~/data/annoloc2.pcap -w ~/results
================================================================================
Tranalyzer 0.8.6 (Anteater), Tarantula. PID: 9539
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.6
    02: macRecorder, 0.8.6
    03: portClassifier, 0.8.6
    04: tcpStates, 0.8.6
    05: txtSink, 0.8.6
...
$

In the flow file below, you will now see from the macRecorder plugin all MAC addresses, including packet counts per flow. If redundant routing is present, you will see at least two MAC pairs per flow. It is also useful to detect broken network cards: then you see several random MAC pairs. In the case of redundant routing, the packet counts should be almost equal. If this is not the case, then something is wrong. Moreover, the manufacturer of the interface card is listed, so that the user does not need to look it up on the web. The name portClassifier is somewhat misleading, as it does not really classify, but instead transforms the port number into a human readable string, such as http for port 80 in our case.

$ head -n 22 annoloc2_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP            srcIPCC  srcIPWho                       srcPort  dstIP            dstIPCC  dstIPWho                       dstPort  l4Proto  macPairs  srcMac_dstMac_numP                     srcManuf_dstManuf  dstPortClassN  dstPortClass  tcpStates
A     265      0x0000000000004000  1022171701.709116  1022171701.709116  0.000000  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:50:fc:0e:21:56  0x0800              209.171.12.143   ca       "TELUS Communications Inc."    4987     138.212.185.230  jp       "ASAHI KASEI CORPORATION"      41250    6        1         00:d0:02:6d:78:00_00:50:fc:0e:21:56_1  Ditech_EdimaxTe    41250          unknown       0xc3
A     447      0x0000000000004000  1022171701.721366  1022171701.721366  0.000000  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:50:fc:3b:62:78  0x0800              217.41.129.13    gb       "BT Infrastructure Layer"      58872    138.212.187.186  jp       "ASAHI KASEI CORPORATION"      80       6        1         00:d0:02:6d:78:00_00:50:fc:3b:62:78_1  Ditech_EdimaxTe    80             http          0xc3
A     392      0x0000000000004000  1022171701.716998  1022171701.716998  0.000000  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:50:bf:59:85:48  0x0800              36.242.181.230   jp       "SoftBank Corp."               4685     138.212.188.67   jp       "ASAHI KASEI CORPORATION"      1214     6        1         00:d0:02:6d:78:00_00:50:bf:59:85:48_1  Ditech_Metallig    1214           kazaa         0x03
B     392      0x0000000000004001  1022171701.732313  1022171701.732313  0.000000  1           3        eth:ipv4:tcp  00:50:bf:59:85:48  00:d0:02:6d:78:00  0x0800              138.212.188.67   jp       "ASAHI KASEI CORPORATION"      1214     36.242.181.230   jp       "SoftBank Corp."               4685     6        1         00:50:bf:59:85:48_00:d0:02:6d:78:00_1  Metallig_Ditech    1214           kazaa         0x43
A     906      0x0000000000004000  1022171701.816638  1022171701.816638  0.000000  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:60:08:69:80:dd  0x0800              161.135.53.11    us       "Federal Express Corp."        5001     138.212.191.94   jp       "ASAHI KASEI CORPORATION"      80       6        1         00:d0:02:6d:78:00_00:60:08:69:80:dd_1  Ditech_3com        80             http          0x03
B     906      0x0000000000004001  1022171701.817195  1022171701.817195  0.000000  1           3        eth:ipv4:tcp  00:60:08:69:80:dd  00:d0:02:6d:78:00  0x0800              138.212.191.94   jp       "ASAHI KASEI CORPORATION"      80       161.135.53.11    us       "Federal Express Corp."        5001     6        1         00:60:08:69:80:dd_00:d0:02:6d:78:00_1  3com_Ditech        80             http          0x43
A     1027     0x0000000000004000  1022171701.872817  1022171701.872817  0.000000  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:80:48:b3:13:27  0x0800              146.162.158.230  gb       "Norwich Union Insurance Lim"  2849     138.212.184.193  jp       "ASAHI KASEI CORPORATION"      6346     6        1         00:d0:02:6d:78:00_00:80:48:b3:13:27_1  Ditech_CompexUs    6346           gnutella-svc  0x03
B     1027     0x0000000000004001  1022171701.873426  1022171701.873426  0.000000  1           3        eth:ipv4:tcp  00:80:48:b3:13:27  00:d0:02:6d:78:00  0x0800              138.212.184.193  jp       "ASAHI KASEI CORPORATION"      6346     146.162.158.230  gb       "Norwich Union Insurance Lim"  2849     6        1         00:80:48:b3:13:27_00:d0:02:6d:78:00_1  CompexUs_Ditech    6346           gnutella-svc  0x43
A     1154     0x0000000000004000  1022171701.939627  1022171701.939627  0.000000  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:50:bf:59:85:48  0x0800              193.133.224.57   gb       "Verizon UK Limited"           3286     138.212.188.67   jp       "ASAHI KASEI CORPORATION"      1214     6        1         00:d0:02:6d:78:00_00:50:bf:59:85:48_1  Ditech_Metallig    1214           kazaa         0x03
B     1154     0x0000000000004001  1022171701.947575  1022171701.947575  0.000000  1           3        eth:ipv4:tcp  00:50:bf:59:85:48  00:d0:02:6d:78:00  0x0800              138.212.188.67   jp       "ASAHI KASEI CORPORATION"      1214     193.133.224.57   gb       "Verizon UK Limited"           3286     6        1         00:50:bf:59:85:48_00:d0:02:6d:78:00_1  Metallig_Ditech    1214           kazaa         0x43
A     867      0x0000000a00004000  1022171701.805350  1022171701.805350  0.000000  1           3        eth:ipv4:tcp  00:60:b0:b5:da:10  00:d0:02:6d:78:00  0x0800              138.212.184.48   jp       "ASAHI KASEI CORPORATION"      6666     36.74.248.27     id       "Telekomunikasi Indonesia"     1108     6        1         00:60:b0:b5:da:10_00:d0:02:6d:78:00_1  HewlettP_Ditech    1108           ratio-adp     0x03
B     867      0x0000000000004001  1022171702.012658  1022171702.012658  0.000000  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:60:b0:b5:da:10  0x0800              36.74.248.27     id       "Telekomunikasi Indonesia"     1108     138.212.184.48   jp       "ASAHI KASEI CORPORATION"      6666     6        1         00:d0:02:6d:78:00_00:60:b0:b5:da:10_1  Ditech_HewlettP    1108           ratio-adp     0x43
A     864      0x0000000a00004000  1022171701.805329  1022171702.066438  0.261109  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:60:b0:ec:34:27  0x0800              19.54.241.65     us       "Ford Motor Company"           6667     138.212.191.209  jp       "ASAHI KASEI CORPORATION"      45891    6        1         00:d0:02:6d:78:00_00:60:b0:ec:34:27_3  Ditech_HewlettP    45891          unknown       0x03
B     864      0x0000000000004001  1022171701.806695  1022171702.066682  0.259987  1           3        eth:ipv4:tcp  00:60:b0:ec:34:27  00:d0:02:6d:78:00  0x0800              138.212.191.209  jp       "ASAHI KASEI CORPORATION"      45891    19.54.241.65     us       "Ford Motor Company"           6667     6        1         00:60:b0:ec:34:27_00:d0:02:6d:78:00_3  HewlettP_Ditech    45891          unknown       0x43
A     1336     0x0000000000004000  1022171702.098369  1022171702.098369  0.000000  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:60:08:69:80:dd  0x0800              216.21.10.20     us       "XNS Technology Group Inc."    1305     138.212.191.94   jp       "ASAHI KASEI CORPORATION"      80       6        1         00:d0:02:6d:78:00_00:60:08:69:80:dd_1  Ditech_3com        80             http          0x03
B     1336     0x0000000000004001  1022171702.098389  1022171702.098389  0.000000  1           3        eth:ipv4:tcp  00:60:08:69:80:dd  00:d0:02:6d:78:00  0x0800              138.212.191.94   jp       "ASAHI KASEI CORPORATION"      80       216.21.10.20     us       "XNS Technology Group Inc."    1305     6        1         00:60:08:69:80:dd_00:d0:02:6d:78:00_1  3com_Ditech        80             http          0x43
A     1512     0x0000000000004000  1022171702.202157  1022171702.202157  0.000000  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:80:48:b3:22:c4  0x0800              19.150.217.57    us       "Ford Motor Company"           1678     138.212.189.66   jp       "ASAHI KASEI CORPORATION"      1214     6        1         00:d0:02:6d:78:00_00:80:48:b3:22:c4_1  Ditech_CompexUs    1214           kazaa         0xc3
A     1534     0x0000000000004000  1022171702.222212  1022171702.222212  0.000000  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:c0:26:a4:7b:d8  0x0800              216.233.229.167  us       "MCI Communications Services"  3782     138.212.185.86   jp       "ASAHI KASEI CORPORATION"      1058     6        1         00:d0:02:6d:78:00_00:c0:26:a4:7b:d8_1  Ditech_LansTech    1058           nim           0x03
B     1534     0x0000000000004001  1022171702.228940  1022171702.228940  0.000000  1           3        eth:ipv4:tcp  00:c0:26:a4:7b:d8  00:d0:02:6d:78:00  0x0800              138.212.185.86   jp       "ASAHI KASEI CORPORATION"      1058     216.233.229.167  us       "MCI Communications Services"  3782     6        1         00:c0:26:a4:7b:d8_00:d0:02:6d:78:00_1  LansTech_Ditech    1058           nim           0x43
A     1040     0x0000000000004000  1022171702.240159  1022171702.240159  0.000000  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:50:fc:3b:62:78  0x0800              210.162.178.146  jp       "NTT COMMUNICATIONS CORPORAT"  1044     138.212.187.186  jp       "ASAHI KASEI CORPORATION"      80       6        1         00:d0:02:6d:78:00_00:50:fc:3b:62:78_1  Ditech_EdimaxTe    80             http          0x43
B     1040     0x0000000a00004001  1022171701.877481  1022171702.014438  0.136957  1           3        eth:ipv4:tcp  00:50:fc:3b:62:78  00:d0:02:6d:78:00  0x0800              138.212.187.186  jp       "ASAHI KASEI CORPORATION"      80       210.162.178.146  jp       "NTT COMMUNICATIONS CORPORAT"  1044     6        1         00:50:fc:3b:62:78_00:d0:02:6d:78:00_2  EdimaxTe_Ditech    80             http          0x03
$
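The reading rules for the macRecorder column above (one pair per flow is normal, two pairs with similar counts is redundant routing, a strong imbalance or many random pairs deserves a look) can be turned into a post-processing check. This is an added example, not code from the tutorial or from Tranalyzer2; it assumes the flow file is tab-separated with a header line starting with %, as tcol aligns it for display, and uses a constructed sample restricted to the columns it needs.

```python
from typing import Dict, List, Tuple

# Constructed sample in the tab-separated layout that tcol aligns for display,
# restricted to the columns this check needs. Row 864 is taken from the tutorial
# output; rows 9001-9003 are constructed to exercise the three situations above.
SAMPLE_FLOWS = "\n".join([
    "%dir\tflowInd\tsrcIP\tdstIP\tmacPairs\tsrcMac_dstMac_numP",
    "A\t864\t19.54.241.65\t138.212.191.209\t1\t00:d0:02:6d:78:00_00:60:b0:ec:34:27_3",
    "A\t9001\t10.0.0.1\t10.0.0.2\t2\t"
    "00:d0:02:6d:78:00_00:60:b0:ec:34:27_50;00:d0:02:6d:78:01_00:60:b0:ec:34:27_48",
    "A\t9002\t10.0.0.3\t10.0.0.4\t2\t"
    "00:d0:02:6d:78:00_00:60:b0:ec:34:27_90;00:d0:02:6d:78:01_00:60:b0:ec:34:27_2",
    "A\t9003\t10.0.0.5\t10.0.0.6\t4\t"
    "02:11:11:11:11:11_00:60:b0:ec:34:27_1;02:22:22:22:22:22_00:60:b0:ec:34:27_1;"
    "02:33:33:33:33:33_00:60:b0:ec:34:27_1;02:44:44:44:44:44_00:60:b0:ec:34:27_1",
])

MacPair = Tuple[str, str, int]  # (srcMac, dstMac, packet count)


def parse_flows(text: str) -> List[Dict[str, str]]:
    """Parse a flow file: header starts with '%', fields are tab-separated (assumed)."""
    lines = [l for l in text.splitlines() if l and not l.startswith("#")]
    header = lines[0].lstrip("%").split("\t")
    return [dict(zip(header, l.split("\t"))) for l in lines[1:]]


def parse_mac_pairs(field: str) -> List[MacPair]:
    """Split the 'src_dst_cnt;src_dst_cnt...' string written by macRecorder."""
    pairs = []
    for item in field.split(";"):
        src, dst, cnt = item.split("_")  # MACs use ':', so '_' is a safe separator
        pairs.append((src, dst, int(cnt)))
    return pairs


def assess_flow(row: Dict[str, str], min_balance: float = 0.5, max_pairs: int = 3) -> str:
    """Verdicts: single-path, redundant-balanced, redundant-imbalanced (counts differ
    by more than min_balance), random-pairs (max_pairs or more pairs, broken card
    candidate), inconsistent (macPairs column disagrees with the listed pairs)."""
    pairs = parse_mac_pairs(row["srcMac_dstMac_numP"])
    if int(row["macPairs"]) != len(pairs):
        return "inconsistent"
    if len(pairs) == 1:
        return "single-path"
    if len(pairs) >= max_pairs:
        return "random-pairs"
    counts = [p[2] for p in pairs]
    return "redundant-balanced" if min(counts) / max(counts) >= min_balance else "redundant-imbalanced"


def assess_file(text: str) -> Dict[str, str]:
    """Map flowInd -> verdict for every flow row, ready to grep for the odd ones."""
    return {row["flowInd"]: assess_flow(row) for row in parse_flows(text)}
```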

Now you have a quick insight into the basic plugins. You can start using T2 on your own pcaps or look into other tutorials about specifics of traffic mining or specific plugins. Don't forget to reset all the plugins to the default mode and recompile. Here are the t2conf commands for the plugins used in this tutorial:

$ t2conf protoStats -D UDPLITE_STAT=0 -D SCTP_STAT=0
$ t2conf basicFlow -D BFO_MAC=1 -D BFO_ETHERTYPE=1 -D BFO_VLAN=1 -D BFO_SUBNET_TEST=1 -D BFO_MAX_HDRDESC=4
$ t2conf basicStats -D BS_REV_CNT=1 -D BS_STATS=1
$ t2conf icmpDecode -D ICMP_TC_MD=0
$ t2conf tranalyzer2 -D RELTIME=0
$ t2build -R
...
$

Have fun!!

Operational mode switching: ETH, IPv4/6, SCTP

T2 can operate in several operational modes. The default is dual IP stack (IPv4 and IPv6) and L2 Ethernet flow production. In order to accelerate T2, it can be switched into IPv4 or IPv6 mode or into a plain L2 flow/packet producer depending on your demands or your network.

Search for user defines in networkHeaders.h and have a look at the default settings:

Moreover, SCTP to flow transformation is supported. It is disabled by default, because it requires additional code the standard admin does not need. The researcher or protocol expert might need that functionality, so set SCTP_ACTIVATE to 1. The constant SCTP_STATFINDEX controls whether all SCTP streams are sorted into several flows with the same flow index or with different, incrementing flow indexes.

Compile all plugins, as you may have plugins which implement the SCTP flow segregation, e.g., sctpDecode.

$ t2conf tranalyzer2 -D SCTP_ACTIVATE=1
$ t2build -R
...
$

Now run t2 with your SCTP pcap or run it on an interface where SCTP traffic is present. For more details, refer to the SCTP tutorial.

Now you have a quick insight into T2 functionality, basic plugin operations and workflow. You can start using T2 on your own pcaps or look into other tutorials about the specifics of your interest.

Have fun!!