Flow masking and ranging aggregation

aggregation AGGREGATIONFLAG SRCPORTHW SRCPORTLW DSTPORTHW DSTPORTLW SUBNET_ON

Flow masking and ranging aggregation, WTF?

Imagine you are interested in flow-based statistics of the traffic between networks or between certain port ranges, or you would like to get rid of VLANs or protocols in the flow key. You are not? Then go someplace else and make yourself useful. If yes, keep on reading.

Note that I am not talking about the different L3/4 operational modes already listed in The basics tutorial; they are discussed in the L2/3 flow aggregation modes tutorial.

In this tutorial we explore the masking and ranging flexibility used to redefine what a flow is: the option to remove one of the six-tuple parameters from the flow key, or to aggregate several IPs into one flow, e.g. per /24, or according to country and organization.

Preparation

First, restore T2 to a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow basicStats connStat txtSink

...
BUILD SUCCESSFUL

If you have not created separate data and results directories yet, do it now in another bash window; it makes the workflow easier:

mkdir ~/data ~/results

The sample PCAPs used in this tutorial can be downloaded here:

Please save them in your ~/data folder.

Now you are all set!

T2 flow aggregation scheme

The constants controlling the flow aggregation reside in tranalyzer.h. Open the file and search for // Aggregation modes as shown below:

tranalyzer2

vi src/tranalyzer.h

...
#define SUBNET_ON       1 // Core control of subnet function for plugins

/* -------------------------------------------------------------------------- */
/* -------------------- DO NOT EDIT THE FOLLOWING BLOCKS -------------------- */
/* -------------------------------------------------------------------------- */

// Aggregation modes
#define L4PROT  0x01
#define DSTPORT 0x02
#define SRCPORT 0x04
#define DSTIP   0x08
#define SRCIP   0x10
#define VLANID  0x20
#define SUBNET  0x80

// SUBNET mode: IP flow aggregation network masks
#define CNTRY_MSK 0xff800000
#define TOR_MSK   0x00400000
#define ORG_MSK   0x003fffff

#define NETIDMSK  (CNTRY_MSK | ORG_MSK) // netID mask

/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */

// Flow Aggregation
#define AGGREGATIONFLAG 0x00 // each bit: 1: aggregation activated, see aggregation modes defines above

#define SRCIP4CMSK 24 // src IPv4 aggregation CIDR mask
#define DSTIP4CMSK 24 // dst IPv4 aggregation CIDR mask

#define SRCIP6CMSK 120 // src IPv6 aggregation CIDR mask
#define DSTIP6CMSK 120 // dst IPv6 aggregation CIDR mask

#define SRCPORTLW 1    // src port lower bound
#define SRCPORTHW 1024 // src port upper bound

#define DSTPORTLW 1    // dst port lower bound
#define DSTPORTHW 1024 // dst port upper bound
...

Each aggregation mode sets a specific bit in the eight-bit AGGREGATIONFLAG. The default is 0x00, i.e. normal six-tuple aggregation. The modes from L4PROT to VLANID operate directly on the six-tuple hash: the masked field no longer distinguishes flows, so packets from different six-tuple flows accumulate in one flow record. If SUBNET is set, the subnet tables are loaded as if SUBNET_ON were activated; the two settings are independent of each other, so SUBNET_ON can be 0 while AGGREGATIONFLAG = SUBNET. In the following the activation of each mode is discussed. Let's start simple with network IP aggregation.
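To make the bit semantics concrete, here is an added example (my own code, not Tranalyzer's) that models how a six-tuple is rewritten into the key that gets hashed under a given AGGREGATIONFLAG, using the mode bits, CIDR masks and port bounds from the header above. The rules it applies (mask IPs to the CIDR prefix, map ports inside [LW, HW] to class 1 and everything else to class 0, zero the protocol or VLAN field) are my reading of this tutorial, not the core's hashing code; it handles IPv4 only, and the tuple6_t, agg_key and same_agg_flow names are mine.

```c
/* Added example: model of the aggregated flow key. Mode bits and default
 * bounds copied from tranalyzer.h; masking rules are my reading of the
 * tutorial, not Tranalyzer's own code. IPv4 only. */
#include <stdint.h>
#include <stdio.h>

#define L4PROT  0x01
#define DSTPORT 0x02
#define SRCPORT 0x04
#define DSTIP   0x08
#define SRCIP   0x10
#define VLANID  0x20

/* Defaults from tranalyzer.h; edit to mirror what you pass to t2conf -D */
int SRCIP4CMSK = 24, DSTIP4CMSK = 24;
int SRCPORTLW = 1, SRCPORTHW = 1024;
int DSTPORTLW = 1, DSTPORTHW = 1024;

typedef struct {
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;
    uint16_t vlan;
    uint8_t  proto;
} tuple6_t;

uint32_t ip4(const char *s) {            /* "a.b.c.d" -> host-order u32 */
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

uint32_t cidr_mask(int bits) {
    if (bits <= 0) return 0;
    if (bits >= 32) return 0xffffffffu;
    return ~((1u << (32 - bits)) - 1u);
}

/* Ranging: a port inside [lw, hw] becomes class 1, anything else class 0 */
uint16_t port_class(uint16_t port, int lw, int hw) {
    return (port >= lw && port <= hw) ? 1 : 0;
}

/* Rewrite a 6-tuple into the key that is hashed under AGGREGATIONFLAG flag */
tuple6_t agg_key(tuple6_t t, unsigned flag) {
    if (flag & SRCIP)   t.src_ip   &= cidr_mask(SRCIP4CMSK);
    if (flag & DSTIP)   t.dst_ip   &= cidr_mask(DSTIP4CMSK);
    if (flag & SRCPORT) t.src_port  = port_class(t.src_port, SRCPORTLW, SRCPORTHW);
    if (flag & DSTPORT) t.dst_port  = port_class(t.dst_port, DSTPORTLW, DSTPORTHW);
    if (flag & L4PROT)  t.proto     = 0;
    if (flag & VLANID)  t.vlan      = 0;
    return t;
}

/* 1 if packets of tuples a and b end up in the same aggregated flow */
int same_agg_flow(tuple6_t a, tuple6_t b, unsigned flag) {
    tuple6_t ka = agg_key(a, flag), kb = agg_key(b, flag);
    return ka.src_ip == kb.src_ip && ka.dst_ip == kb.dst_ip &&
           ka.src_port == kb.src_port && ka.dst_port == kb.dst_port &&
           ka.vlan == kb.vlan && ka.proto == kb.proto;
}

tuple6_t mk(const char *sip, uint16_t sp, const char *dip, uint16_t dp, uint8_t proto) {
    tuple6_t t = { ip4(sip), ip4(dip), sp, dp, 0, proto };
    return t;
}

#define OCT(ip, n) ((unsigned)((ip) >> (n)) & 255u)

void print_key(const char *label, tuple6_t k) {
    printf("%-20s %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u proto %u vlan %u\n", label,
           OCT(k.src_ip, 24), OCT(k.src_ip, 16), OCT(k.src_ip, 8), OCT(k.src_ip, 0), (unsigned)k.src_port,
           OCT(k.dst_ip, 24), OCT(k.dst_ip, 16), OCT(k.dst_ip, 8), OCT(k.dst_ip, 0), (unsigned)k.dst_port,
           (unsigned)k.proto, (unsigned)k.vlan);
}

int main(void) {
    /* the two sources the tutorial shows collapsing into flow 129 at /24 */
    tuple6_t a = mk("19.67.132.240", 27005, "138.212.185.98", 27025, 17);
    tuple6_t b = mk("19.67.132.229", 27005, "138.212.185.98", 27025, 17);
    print_key("plain 0x00 a", agg_key(a, 0x00));
    print_key("SRCIP|DSTIP 0x18 a", agg_key(a, SRCIP | DSTIP));
    printf("a and b same flow at 0x00: %d, at 0x18: %d\n",
           same_agg_flow(a, b, 0x00), same_agg_flow(a, b, SRCIP | DSTIP));

    /* ranging with the tutorial's Telnet bound: 1..23 is class 1, rest class 0 */
    SRCPORTHW = DSTPORTHW = 23;
    tuple6_t c = mk("10.0.0.1", 22, "10.0.0.2", 58290, 6);   /* constructed */
    print_key("ports 0x06 hw=23", agg_key(c, SRCPORT | DSTPORT));
    print_key("L4PROT 0x01", agg_key(c, L4PROT));
    return 0;
}
```

Note that the modes compose: 0x1e would mask both addresses and both ports at once, and a flow file produced that way shows the class numbers and network addresses in the port and IP columns, exactly like the masked records in this tutorial.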

Network flow aggregation

Imagine you are only interested in traffic flowing between networks, e.g. 10.4.1.0/24 to 10.5.2.0/24, or from 10.4.5.0/24 to all outside networks. Or, even better, aggregating all traffic between universities in China and a specific corporation in the USA; would that be neat? That will be possible in a later 0.8.x version. Until then, imposing a mask on the src and dst IP in the hash definition, which has been tested and works in practice, is the best alternative.

Switch on SRCIP and DSTIP together; switching on only one of them makes no sense, because before a packet is sorted into a masked flow we cannot know which network mask applies to it. Start with the default /24 mask.

The following configs are equivalent:

t2conf tranalyzer2 -D AGGREGATIONFLAG="(SRCIP | DSTIP)"

t2conf tranalyzer2 -D AGGREGATIONFLAG=0x18

Then recompile and run t2:

t2conf tranalyzer2 -D AGGREGATIONFLAG=0x18 && t2build -R

t2conf tranalyzer2 -G AGGREGATIONFLAG

AGGREGATIONFLAG = 0x18
t2 -r ~/data/annoloc2.pcap -w ~/results

================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 58016, Prio: 0, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: basicStats, 0.9.1
    03: connStat, 0.9.1
    04: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/annoloc2.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 66
Dump start: 1022171701.691172000 sec (Thu 23 May 2002 16:35:01 GMT)
[WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500
Dump stop : 1022171726.640398000 sec (Thu 23 May 2002 16:35:26 GMT)
Total dump duration: 24.949226000 sec
Finished processing. Elapsed time: 0.516786744 sec
Finished unloading flow memory. Time: 0.729231992 sec
Percentage completed: 100.00%
Number of processed packets: 1219015 (1.22 M)
Number of processed bytes: 64082726 (64.08 M)
Number of raw bytes: 844642686 (844.64 M)
Number of pad bytes: 8591685635 (8.59 G)
Number of pcap bytes: 83586990 (83.59 M)
Number of IPv4 packets: 1218588 (1.22 M) [99.96%]
Number of IPv6 packets: 180 [0.01%]
Number of A packets: 564213 (564.21 K) [46.28%]
Number of B packets: 654802 (654.80 K) [53.72%]
Number of A bytes: 29447146 (29.45 M) [45.95%]
Number of B bytes: 34635580 (34.64 M) [54.05%]
<A packet load>: 52.19
<B packet load>: 52.89
--------------------------------------------------------------------------------
basicStats: Flow max(pktload): 1480 (1.48 K)
basicStats: Flow max(b/s), pkts: 19015999488 (19.02 Gb/s), 2
basicStats: Biggest L2 flow talker: 00:d0:02:6d:78:00: 57 [0.00%] packets
basicStats: Biggest L2 flow talker: 00:d0:02:6d:78:00: 2622 (2.62 K) [0.00%] bytes
basicStats: Biggest L3 flow talker: 138.212.189.0 (JP): 23601 (23.60 K) [1.94%] packets
basicStats: Biggest L3 flow talker: 138.212.189.0 (JP): 33731054 (33.73 M) [52.64%] bytes
connStat: Number of unique source IPs: 2498 (2.50 K)
connStat: Number of unique destination IPs: 1816 (1.82 K)
connStat: Number of unique source/destination IPs connections: 186
connStat: Max unique number of source IP / destination port connections: 407
connStat: IP connF=connSipDprt/connSip: 0.162930
connStat: IP connG=connSipDprt/connSipDip: 2.188172
connStat: Source IP with max connections: 138.212.189.0 (JP): 499 connections
connStat: Destination IP with max connections: 138.212.187.0 (JP): 690 connections
connStat: Biggest L3 talker: 138.212.187.0 (JP): 141530 (141.53 K) [11.61%] packets
connStat: Biggest L3 talker: 138.212.187.0 (JP): 169510114 (169.51 M) [264.52%] bytes
--------------------------------------------------------------------------------
...

As you can see, basicStats and connStat now report /24 networks. The resulting flow file is a bit shorter, because several IPv4 and IPv6 flows are aggregated into /24 and /120 flows respectively.

tail -n 13 ~/results/annoloc2_flows.txt | tcol

B  129   0x0400000200004001  1022171701.710399000  1022171726.638720000  24.928321000  1  3  eth:ipv4:udp   00:d0:02:6d:78:00  00:00:e8:8f:b7:93  0x0800    19.67.132.0    us  "MAINT-APNIC-AP"                  27005  138.212.185.0  jp  "ASAHI KASEI CORPORATION"  27025  17  1782  1208  65571     153934    28    61    36.7963   6.171654  0  0.071746  0.01398895   0.009389925  71.48495  2630.382  0.1919732    -0.4025558  1  1  1  1  1    1  0     4198402
A  1109  0x0400000200004000  1022171701.919937000  1022171726.638720000  24.718783000  1  3  eth:ipv4:icmp  00:d0:02:6d:78:00  00:00:1c:b6:1a:53  0x0800    193.107.159.0  at  "MYSYS-MNT"                       0      138.212.184.0  jp  "ASAHI KASEI CORPORATION"  0      1   104   0     2912      0         28    28    28        2.745626  0  0.249289  0.2376806    0.03044914   4.207327  117.8052  1            1           1  1  1  1  1    1  104   2912
A  324   0x0400000200004000  1022171701.712093000  1022171726.638722000  24.926629000  1  3  eth:ipv4:tcp   00:d0:02:6d:78:00  00:50:bf:08:44:81  0x0800    19.59.134.0    us  "MAINT-APNIC-AP"                  65230  138.212.187.0  jp  "ASAHI KASEI CORPORATION"  58290  6   9459  5223  13696632  0         1448  1448  1448      14.88834  0  0.067445  0.00263523   0.006631293  379.4737  549477.9  0.2885166    1           1  2  2  2  2    1  9459  13696632
B  324   0x0400000000004001  1022171701.713111000  1022171726.639230000  24.926119000  1  3  eth:ipv4:tcp   00:50:bf:08:44:81  00:d0:02:6d:78:00  0x0800    138.212.187.0  jp  "ASAHI KASEI CORPORATION"         58290  19.59.134.0    us  "MAINT-APNIC-AP"           65230  6   5223  9459  0         13696632  0     0     0         0         0  0.066113  0.004772384  0.008416669  209.5392  0         -0.2885166   -1          2  1  1  1  0.5  1  0     4198402
A  473   0x0400000000004000  1022171701.723484000  1022171726.638724000  24.915240000  1  3  eth:ipv4:tcp   00:d0:02:6d:78:00  00:50:da:68:7f:84  0x0800    216.83.48.0    us  "EthrNet LLC"                     13600  138.212.188.0  jp  "ASAHI KASEI CORPORATION"  20     6   864   1295  0         1767728   0     0     0         0         0  0.068622  0.02883708   0.01269573   34.67757  0         -0.1996295   -1          1  1  2  2  2    1  864   0
B  473   0x0400000200004001  1022171701.724443000  1022171726.640395000  24.915952000  1  3  eth:ipv4:tcp   00:50:da:68:7f:84  00:d0:02:6d:78:00  0x0800    138.212.188.0  jp  "ASAHI KASEI CORPORATION"         20     216.83.48.0    us  "EthrNet LLC"              13600  6   1295  864   1767728   0         1176  1460  1365.041  140.3612  0  0.112955  0.01924014   0.02731735   51.97474  70947.64  0.1996295    1           1  1  1  1  1    1  0     4198402
A  703   0x0400000200004000  1022171701.755879000  1022171726.638725000  24.882846000  1  3  eth:ipv4:tcp   00:d0:02:6d:78:00  00:10:a7:02:4d:33  0x0800    70.98.46.0     us  "Allstream Business US"           6699   138.212.185.0  jp  "ASAHI KASEI CORPORATION"  2603   6   32    28    33280     96        666   1414  1040      418.7997  0  2.251048  0.777589     0.9006743    1.286026  1337.468  0.06666667   0.9942474   1  2  2  2  2    1  32    33280
B  703   0x0400000200004001  1022171701.902659000  1022171726.640383000  24.737724000  1  3  eth:ipv4:tcp   00:10:a7:02:4d:33  00:d0:02:6d:78:00  0x0800    138.212.185.0  jp  "ASAHI KASEI CORPORATION"         2603   70.98.46.0     us  "Allstream Business US"    6699   6   28    32    96        33280     0     8     3.428571  4.210036  0  2.292653  0.88349      0.8520955    1.131875  3.880713  -0.06666667  -0.9942474  2  1  1  1  0.5  1  0     4198402
A  9150  0x0400000200004000  1022171726.638730000  1022171726.638730000  0.000000000   1  3  eth:ipv4:udp   00:d0:02:6d:78:00  00:04:75:85:fd:a2  0x0800    192.50.41.0    jp  "imported inetnum object for JN"  64251  138.212.190.0  jp  "ASAHI KASEI CORPORATION"  1112   17  1     0     6         0         6     6     6         6         0  0         0            0            0         0         1            1           1  1  1  1  1    1  6     36
A  21    0x0400000200004000  1022171701.691707000  1022171726.638737000  24.947030000  1  3  eth:ipv4:tcp   00:d0:02:6d:78:00  00:00:e8:87:02:d1  0x0800    138.212.226.0  jp  "ASAHI KASEI CORPORATION"         1103   138.212.185.0  jp  "ASAHI KASEI CORPORATION"  445    6   543   985   1701      1407845   0     63    3.132597  13.76817  0  0.589     0.04594295   0.03578168   21.76612  68.18447  -0.289267    -0.9975864  1  1  2  2  2    1  5762  20820
B  21    0x0400000200004001  1022171701.692758000  1022171726.640391000  24.947633000  1  3  eth:ipv4:tcp   00:00:e8:87:02:d1  00:d0:02:6d:78:00  0x0800    138.212.185.0  jp  "ASAHI KASEI CORPORATION"         445    138.212.226.0  jp  "ASAHI KASEI CORPORATION"  1103   6   985   543   1407845   1701      183   1460  1429.284  196.5858  0  0.889418  0.02532757   0.0522222    39.4827   56432     0.289267     0.9975864   1  1  1  1  1    1  0     4198402
A  1035  0x0400000000004000  1022171701.876636000  1022171726.639226000  24.762590000  1  3  eth:ipv4:tcp   00:d0:02:6d:78:00  00:01:02:b4:36:56  0x0800    133.26.84.0    jp  "Meiji University"                4766   138.212.187.0  jp  "ASAHI KASEI CORPORATION"  80     6   1692  2729  0         3970812   0     0     0         0         0  0.614191  0.01463511   0.04707645   68.32888  0         -0.2345623   -1          1  1  2  2  2    1  8168  0
B  1035  0x0400000200004001  1022171701.877349000  1022171726.639232000  24.761883000  1  3  eth:ipv4:tcp   00:01:02:b4:36:56  00:d0:02:6d:78:00  0x0800    138.212.187.0  jp  "ASAHI KASEI CORPORATION"         80     133.26.84.0    jp  "Meiji University"         4766   6   2729  1692  3970812   0         0     1460  1455.043  76.06284  0  0.480045  0.009073598  0.03994242   110.2097  160359.9  0.2345623    1           1  1  1  1  1    1  0     4198402

Note the IPs, which are masked with SRCIP4CMSK and DSTIP4CMSK. If you want the list of IPs contained in an aggregated flow, set the constant BFO_SUBNET_IPLIST in basicFlow.h to 1. The number of IPs displayed is bounded by the constant BFO_MAX_IP, by default 5; addresses beyond that bound are not listed.

basicFlow

vi src/basicFlow.h

#define BFO_SUBNET_IPLIST      0 // 0: Display only the IP masked by SRCIP4/6CMSK and DSTIP4/6CMSK
                                 // 1: Display a list of IP aggregated
...
// Maximum number of values to store

#define BFO_MAX_HDRDESC 4 // Maximum number of headers descriptions to store
#define BFO_MAX_MAC     3 // Maximum different MAC addresses to output
#define BFO_MAX_IP      5 // Maximum different IP addresses to output
#define BFO_MAX_MPLS    3 // Maximum MPLS headers/tags to output
#define BFO_MAX_VLAN    3 // Maximum VLAN headers/numbers to output
...

Set BFO_SUBNET_IPLIST=1, recompile basicFlow and rerun T2 on the same pcap.

t2conf basicFlow -D BFO_SUBNET_IPLIST=1 && t2build basicFlow

t2 -r ~/data/annoloc2.pcap -w ~/results/

tail -n 13 ~/results/annoloc2_flows.txt | tcol

B  129   0x0400000200004001  1022171701.710399000  1022171726.638720000  24.928321000  1  3  eth:ipv4:udp   00:d0:02:6d:78:00  00:00:e8:8f:b7:93  0x0800    19.67.132.240;19.67.132.229  us  "MAINT-APNIC-AP"                  27005  138.212.185.98   jp  "ASAHI KASEI CORPORATION"  27025  17  1782  1208  65571     153934    28    61    36.7963   6.171654  0  0.071746  0.01398895   0.009389925  71.48495  2630.382  0.1919732    -0.4025558  1  1  1  1  1    1  0     4198402
A  1109  0x0400000200004000  1022171701.919937000  1022171726.638720000  24.718783000  1  3  eth:ipv4:icmp  00:d0:02:6d:78:00  00:00:1c:b6:1a:53  0x0800    193.107.159.17               at  "MYSYS-MNT"                       0      138.212.184.165  jp  "ASAHI KASEI CORPORATION"  0      1   104   0     2912      0         28    28    28        2.745626  0  0.249289  0.2376806    0.03044914   4.207327  117.8052  1            1           1  1  1  1  1    1  104   2912
A  324   0x0400000200004000  1022171701.712093000  1022171726.638722000  24.926629000  1  3  eth:ipv4:tcp   00:d0:02:6d:78:00  00:50:bf:08:44:81  0x0800    19.59.134.250                us  "MAINT-APNIC-AP"                  65230  138.212.187.240  jp  "ASAHI KASEI CORPORATION"  58290  6   9459  5223  13696632  0         1448  1448  1448      14.88834  0  0.067445  0.00263523   0.006631293  379.4737  549477.9  0.2885166    1           1  2  2  2  2    1  9459  13696632
B  324   0x0400000000004001  1022171701.713111000  1022171726.639230000  24.926119000  1  3  eth:ipv4:tcp   00:50:bf:08:44:81  00:d0:02:6d:78:00  0x0800    138.212.187.240              jp  "ASAHI KASEI CORPORATION"         58290  19.59.134.250    us  "MAINT-APNIC-AP"           65230  6   5223  9459  0         13696632  0     0     0         0         0  0.066113  0.004772384  0.008416669  209.5392  0         -0.2885166   -1          2  1  1  1  0.5  1  0     4198402
A  473   0x0400000000004000  1022171701.723484000  1022171726.638724000  24.915240000  1  3  eth:ipv4:tcp   00:d0:02:6d:78:00  00:50:da:68:7f:84  0x0800    216.83.48.236                us  "EthrNet LLC"                     13600  138.212.188.139  jp  "ASAHI KASEI CORPORATION"  20     6   864   1295  0         1767728   0     0     0         0         0  0.068622  0.02883708   0.01269573   34.67757  0         -0.1996295   -1          1  1  2  2  2    1  864   0
B  473   0x0400000200004001  1022171701.724443000  1022171726.640395000  24.915952000  1  3  eth:ipv4:tcp   00:50:da:68:7f:84  00:d0:02:6d:78:00  0x0800    138.212.188.139              jp  "ASAHI KASEI CORPORATION"         20     216.83.48.236    us  "EthrNet LLC"              13600  6   1295  864   1767728   0         1176  1460  1365.041  140.3612  0  0.112955  0.01924014   0.02731735   51.97474  70947.64  0.1996295    1           1  1  1  1  1    1  0     4198402
A  703   0x0400000200004000  1022171701.755879000  1022171726.638725000  24.882846000  1  3  eth:ipv4:tcp   00:d0:02:6d:78:00  00:10:a7:02:4d:33  0x0800    70.98.46.15                  us  "Allstream Business US"           6699   138.212.185.188  jp  "ASAHI KASEI CORPORATION"  2603   6   32    28    33280     96        666   1414  1040      418.7997  0  2.251048  0.777589     0.9006743    1.286026  1337.468  0.06666667   0.9942474   1  2  2  2  2    1  32    33280
B  703   0x0400000200004001  1022171701.902659000  1022171726.640383000  24.737724000  1  3  eth:ipv4:tcp   00:10:a7:02:4d:33  00:d0:02:6d:78:00  0x0800    138.212.185.188              jp  "ASAHI KASEI CORPORATION"         2603   70.98.46.15      us  "Allstream Business US"    6699   6   28    32    96        33280     0     8     3.428571  4.210036  0  2.292653  0.88349      0.8520955    1.131875  3.880713  -0.06666667  -0.9942474  2  1  1  1  0.5  1  0     4198402
A  9150  0x0400000200004000  1022171726.638730000  1022171726.638730000  0.000000000   1  3  eth:ipv4:udp   00:d0:02:6d:78:00  00:04:75:85:fd:a2  0x0800    192.50.41.136                jp  "imported inetnum object for JN"  64251  138.212.190.218  jp  "ASAHI KASEI CORPORATION"  1112   17  1     0     6         0         6     6     6         6         0  0         0            0            0         0         1            1           1  1  1  1  1    1  6     36
A  21    0x0400000200004000  1022171701.691707000  1022171726.638737000  24.947030000  1  3  eth:ipv4:tcp   00:d0:02:6d:78:00  00:00:e8:87:02:d1  0x0800    138.212.226.85               jp  "ASAHI KASEI CORPORATION"         1103   138.212.185.72   jp  "ASAHI KASEI CORPORATION"  445    6   543   985   1701      1407845   0     63    3.132597  13.76817  0  0.589     0.04594295   0.03578168   21.76612  68.18447  -0.289267    -0.9975864  1  1  2  2  2    1  5762  20820
B  21    0x0400000200004001  1022171701.692758000  1022171726.640391000  24.947633000  1  3  eth:ipv4:tcp   00:00:e8:87:02:d1  00:d0:02:6d:78:00  0x0800    138.212.185.72               jp  "ASAHI KASEI CORPORATION"         445    138.212.226.85   jp  "ASAHI KASEI CORPORATION"  1103   6   985   543   1407845   1701      183   1460  1429.284  196.5858  0  0.889418  0.02532757   0.0522222    39.4827   56432     0.289267     0.9975864   1  1  1  1  1    1  0     4198402
A  1035  0x0400000000004000  1022171701.876636000  1022171726.639226000  24.762590000  1  3  eth:ipv4:tcp   00:d0:02:6d:78:00  00:01:02:b4:36:56  0x0800    133.26.84.187                jp  "Meiji University"                4766   138.212.187.109  jp  "ASAHI KASEI CORPORATION"  80     6   1692  2729  0         3970812   0     0     0         0         0  0.614191  0.01463511   0.04707645   68.32888  0         -0.2345623   -1          1  1  2  2  2    1  8168  0
B  1035  0x0400000200004001  1022171701.877349000  1022171726.639232000  24.761883000  1  3  eth:ipv4:tcp   00:01:02:b4:36:56  00:d0:02:6d:78:00  0x0800    138.212.187.109              jp  "ASAHI KASEI CORPORATION"         80     133.26.84.187    jp  "Meiji University"         4766   6   2729  1692  3970812   0         0     1460  1455.043  76.06284  0  0.480045  0.009073598  0.03994242   110.2097  160359.9  0.2345623    1           1  1  1  1  1    1  0     4198402

The first record now contains two IP addresses aggregated into one flow. As homework, set the aggregation masks SRCIP4CMSK and DSTIP4CMSK to 8 using t2conf, recompile, rerun t2 and see how many IP addresses are now aggregated into one flow, and, given BFO_MAX_IP, how many of them are actually listed.
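What BFO_SUBNET_IPLIST=1 with BFO_MAX_IP=5 gives you, and what it silently leaves out, as an added example (my code, not basicFlow's): a bounded list of the distinct addresses seen by one aggregated flow. The capacity is BFO_MAX_IP; the `dropped` counter and the iplist_t, iplist_add and iplist_str names are my own, and the 300-host /8 input is constructed to mimic the homework above.

```c
/* Added example: bounded per-flow list of distinct IPs, the behaviour
 * BFO_SUBNET_IPLIST=1 / BFO_MAX_IP describe. Not basicFlow's code; the
 * dropped counter is my addition. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BFO_MAX_IP 5                     /* as in basicFlow.h */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef struct {
    uint32_t ip[BFO_MAX_IP];
    int n;        /* distinct addresses stored */
    int dropped;  /* distinct addresses that arrived once the list was full */
} iplist_t;

/* Record ip if new; returns 1 if it is (or already was) in the list */
int iplist_add(iplist_t *l, uint32_t ip) {
    for (int i = 0; i < l->n; i++)
        if (l->ip[i] == ip) return 1;
    if (l->n == BFO_MAX_IP) { l->dropped++; return 0; }
    l->ip[l->n++] = ip;
    return 1;
}

/* Render as the "a;b;c" column txtSink prints (static buffer, not reentrant) */
const char *iplist_str(iplist_t l) {
    static char buf[BFO_MAX_IP * 16 + 1];
    size_t off = 0;
    buf[0] = '\0';
    for (int i = 0; i < l.n; i++) {
        uint32_t ip = l.ip[i];
        off += (size_t)snprintf(buf + off, sizeof buf - off, "%s%u.%u.%u.%u", i ? ";" : "",
                                (unsigned)(ip >> 24), (unsigned)(ip >> 16) & 255u,
                                (unsigned)(ip >> 8) & 255u, (unsigned)ip & 255u);
    }
    return buf;
}

/* the two sources the tutorial shows for flow 129 at /24 */
iplist_t sample_pair(void) {
    iplist_t l = {{0}, 0, 0};
    iplist_add(&l, IP4(19, 67, 132, 240));
    iplist_add(&l, IP4(19, 67, 132, 229));
    iplist_add(&l, IP4(19, 67, 132, 240));   /* repeat: must not be listed twice */
    return l;
}

/* constructed: 300 hosts of a /8 that land in one flow with SRCIP4CMSK=8 */
iplist_t sample_overflow(void) {
    iplist_t l = {{0}, 0, 0};
    for (uint32_t h = 1; h <= 300; h++)
        iplist_add(&l, IP4(10, 0, h >> 8, h & 255u));
    return l;
}

int main(void) {
    iplist_t p = sample_pair(), o = sample_overflow();
    printf("flow 129 at /24:    %s (%d listed, %d dropped)\n", iplist_str(p), p.n, p.dropped);
    printf("300 hosts of a /8:  %s (%d listed, %d dropped)\n", iplist_str(o), o.n, o.dropped);
    return 0;
}
```

The second sample is the situation the /8 homework produces: the flow record shows only the first five addresses it saw, so the per-flow IP list is a hint at who is inside the aggregate, not an inventory. Raise BFO_MAX_IP if you need more, or keep the default six-tuple flows and aggregate in post-processing.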

Port flow aggregation

Port aggregation serves a good purpose if you are interested in flow reduction with a specific statistical question in mind and not in the actual flow content. Do not load any L7 plugins in carving mode: their state machines get corrupted, because packets from different six-tuple flows are merged into one flow.

It can be useful for all plugins that are NOT initiated by ports, i.e. all statistical plugins and httpSniffer.

To enable the port aggregation mode, the following configs are equivalent:

t2conf tranalyzer2 -D AGGREGATIONFLAG="(SRCPORT | DSTPORT)"

t2conf tranalyzer2 -D AGGREGATIONFLAG=0x06

The constants listed below define the range of ports that are aggregated into port class 1; every other port is shoved into port class 0. By default class 1 covers the standardized ports 1 to 1024.

tranalyzer2

vi src/tranalyzer.h

...
#define AGGREGATIONFLAG  0x00 // each bit: 1 : aggregation activated, see aggregation modes #defines above
...
#define SRCPORTLW 1     // src port lower bound
#define SRCPORTHW 1024  // src port upper bound
#define DSTPORTLW 1     // dst port lower bound
#define DSTPORTHW 1024  // dst port upper bound
...

Let's change the upper bound to 23, i.e. Telnet. Class 1 then covers ports 1 to 23, services that should not appear in modern networks anymore (note that the range also contains SSH on port 22, which is fine to see; narrow the range or check the dstPort column if you only want the plaintext ones). Then switch on the appropriate aggregation mode, recompile the whole core plus the loaded plugins and rerun t2.

t2conf tranalyzer2 -D SRCPORTHW=23 -D DSTPORTHW=23 -D AGGREGATIONFLAG=0x06 && t2build -R

t2conf tranalyzer2 -G AGGREGATIONFLAG

AGGREGATIONFLAG = 0x06

t2 -r ~/data/annoloc2.pcap -w ~/results/

...
--------------------------------------------------------------------------------
basicStats: Flow max(pktload): 1460 (1.46 K)
basicStats: Flow max(b/s), pkts: 4712000000 (4.71 Gb/s), 2
basicStats: Biggest L2 flow talker: 00:d0:02:6d:78:00: 57 [0.00%] packets
basicStats: Biggest L2 flow talker: 00:d0:02:6d:78:00: 2622 (2.62 K) [0.00%] bytes
basicStats: Biggest L3 flow talker: 139.45.174.202 (IE): 30343 (30.34 K) [2.49%] packets
basicStats: Biggest L3 flow talker: 139.45.174.202 (IE): 44264308 (44.26 M) [69.07%] bytes
connStat: Number of unique source IPs: 3655 (3.65 K)
connStat: Number of unique destination IPs: 3200 (3.20 K)
connStat: Number of unique source/destination IPs connections: 4
connStat: Max unique number of source IP / destination port connections: 586
connStat: IP connF=connSipDprt/connSip: 0.160328
connStat: IP connG=connSipDprt/connSipDip: 146.500000
connStat: Source IP with max connections: 138.212.189.66 (JP): 369 connections
connStat: Destination IP with max connections: 138.212.184.235 (JP): 400 connections
connStat: Biggest L3 talker: 138.212.189.38 (JP): 33706 (33.71 K) [2.77%] packets
connStat: Biggest L3 talker: 138.212.189.38 (JP): 48279870 (48.28 M) [75.34%] bytes
--------------------------------------------------------------------------------
Headers count: min: 2, max: 5, avg: 3.01
Number of ARP packets: 247 [0.02%]
Number of GRE packets: 20 [0.00%]
Number of IGMP packets: 12 [0.00%]
Number of ICMP packets: 3059 (3.06 K) [0.25%]
Number of ICMPv6 packets: 11 [0.00%]
Number of TCP packets: 948743 (948.74 K) [77.83%]
Number of TCP bytes: 52643546 (52.64 M) [82.15%]
Number of UDP packets: 266900 (266.90 K) [21.89%]
Number of UDP bytes: 11234272 (11.23 M) [17.53%]
Number of IPv4 fragmented packets: 2284 (2.28 K) [0.19%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 12971 (12.97 K)
Number of processed L2   flows: 99 [0.76%]
Number of processed IPv4 flows: 12810 (12.81 K) [98.76%]
Number of processed IPv6 flows: 62 [0.48%]
Number of processed A    flows: 7518 (7.52 K) [57.96%]
Number of processed B    flows: 5453 (5.45 K) [42.04%]
Number of request        flows: 7517 (7.52 K) [57.95%]
Number of reply          flows: 5454 (5.45 K) [42.05%]
Total   A/B    flow asymmetry: 0.16
Total req/rply flow asymmetry: 0.16
Number of processed A+B packets/A+B flows: 93.98
Number of processed A   packets/A   flows: 82.26
Number of processed   B packets/  B flows: 110.14
Number of processed total packets/s: 48859.83 (48.86 K)
Number of processed A+B   packets/s: 48859.83 (48.86 K)
Number of processed A     packets/s: 24786.46 (24.79 K)
Number of processed   B   packets/s: 24073.37 (24.07 K)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...
...

See! Fewer flows, because every port outside 1..23 now hashes to the same port class 0, so flows that differed only in such a port are merged. Let's find the 10 biggest talkers serving legacy services on ports 1..23, which you do not want to see in your corporate network anymore (srcPort == 1 selects flows whose source port fell into class 1):

tawk '$srcPort == 1 { print $srcIP, $numPktsSnt }' ~/results/annoloc2_flows.txt | sort -nr -k2 | head -n 10

138.212.185.150	8696
138.212.190.31	5276
138.212.188.251	5107
138.212.185.102	4056
138.212.186.210	3259
138.212.190.31	3080
193.86.146.215	2885
138.212.188.139	2466
138.212.184.244	2273
138.212.187.170	2156

Oops, that is bad news.

Protocol flow aggregation

The following configs are equivalent:

t2conf tranalyzer2 -D AGGREGATIONFLAG=L4PROT

t2conf tranalyzer2 -D AGGREGATIONFLAG=0x01

Enable protocol flow aggregation, recompile and rerun t2 on the pcap:

t2conf tranalyzer2 -D AGGREGATIONFLAG=0x01 && t2build -R

t2conf tranalyzer2 -G AGGREGATIONFLAG

AGGREGATIONFLAG = 0x01
t2 -r ~/data/annoloc2.pcap -w ~/results

...
--------------------------------------------------------------------------------
basicStats: Flow max(pktload): 1472 (1.47 K)
basicStats: Flow max(b/s), pkts: 4712000000 (4.71 Gb/s), 2
basicStats: Biggest L2 flow talker: 00:d0:02:6d:78:00: 57 [0.00%] packets
basicStats: Biggest L2 flow talker: 00:d0:02:6d:78:00: 2622 (2.62 K) [0.00%] bytes
basicStats: Biggest L3 flow talker: 138.212.189.38 (JP): 23601 (23.60 K) [1.94%] packets
basicStats: Biggest L3 flow talker: 138.212.189.38 (JP): 33731054 (33.73 M) [52.64%] bytes
connStat: Number of unique source IPs: 3774 (3.77 K)
connStat: Number of unique destination IPs: 3090 (3.09 K)
connStat: Number of unique source/destination IPs connections: 182
connStat: Max unique number of source IP / destination port connections: 413
connStat: IP connF=connSipDprt/connSip: 0.109433
connStat: IP connG=connSipDprt/connSipDip: 2.269231
connStat: Source IP with max connections: 138.212.189.66 (JP): 368 connections
connStat: Destination IP with max connections: 138.212.184.235 (JP): 402 connections
connStat: Biggest L3 talker: 138.212.189.38 (JP): 33706 (33.71 K) [2.77%] packets
connStat: Biggest L3 talker: 138.212.189.38 (JP): 48279870 (48.28 M) [75.34%] bytes
--------------------------------------------------------------------------------
Headers count: min: 2, max: 5, avg: 3.01
Number of ARP packets: 247 [0.02%]
Number of GRE packets: 20 [0.00%]
Number of IPv4 fragmented packets: 2284 (2.28 K) [0.19%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 17102 (17.10 K)
Number of processed L2   flows: 99 [0.58%]
Number of processed IPv4 flows: 16939 (16.94 K) [99.05%]
Number of processed IPv6 flows: 64 [0.37%]
Number of processed A    flows: 9720 (9.72 K) [56.84%]
Number of processed B    flows: 7382 (7.38 K) [43.16%]
Number of request        flows: 9677 (9.68 K) [56.58%]
Number of reply          flows: 7425 (7.42 K) [43.42%]
Total   A/B    flow asymmetry: 0.14
Total req/rply flow asymmetry: 0.13
Number of processed A+B packets/A+B flows: 71.28
Number of processed A   packets/A   flows: 58.05
Number of processed   B packets/  B flows: 88.70
Number of processed total packets/s: 48859.83 (48.86 K)
Number of processed A+B   packets/s: 48859.83 (48.86 K)
Number of processed A     packets/s: 22615.09 (22.61 K)
Number of processed   B   packets/s: 26244.74 (26.24 K)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...

Now the protocol field is forced to 0 in the hash (see the l4Proto column below), so flows are aggregated independently of the protocol field of the IP header: a TCP and a UDP exchange between the same addresses and ports land in the same flow.

tawk 't2sort(numPktsSnt, 10)' ~/results/annoloc2_flows.txt | tcol

%dir  flowInd  flowStat            timeFirst             timeLast              duration      numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  vlanID  srcIP            srcIPCC  srcIPOrg                          srcPort  dstIP            dstIPCC  dstIPOrg                          dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT        stdIAT       pktps     bytps     pktAsm     bytAsm      connSip  connDip  connSipDip  connSipDprt  connF  connG      connNumPCnt  connNumBCnt
B     91       0x0400800200004001  1022171701.699480000  1022171726.636773000  24.937293000  1           3        eth:ipv4:tcp  00:00:21:d2:cc:72  00:d0:02:6d:78:00  0x0800           138.212.189.38   jp       "ASAHI KASEI CORPORATION"         139      138.212.86.201   jp       "Asahi Kasei Networks Corporati"  3429     0        23601       12342        33731054     42462         6         1460      1429.221    189.5272    0       0.253336  0.001056625   0.003716458  946.4139  1352635   0.313246   0.9974855   1        1        1           1            1      1          33706        48279870
A     91       0x0400000a00004000  1022171701.699996000  1022171726.637210000  24.937214000  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:00:21:d2:cc:72  0x0800           138.212.86.201   jp       "Asahi Kasei Networks Corporati"  3429     138.212.189.38   jp       "ASAHI KASEI CORPORATION"         139      0        12342       23601        42462        33731054      0         63        3.440447    14.32136    0       0.36365   0.002020519   0.005329602  494.923   1702.756  -0.313246  -0.9974855  1        1        2           2            2      1          12342        42462
B     6228     0x0400000200004001  1022171714.045827000  1022171722.457644000  8.411817000   1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:10:5a:c5:96:1a  0x0800           139.45.174.202   ie       "us-stripe-1-mnt"                 56071    138.212.190.117  jp       "ASAHI KASEI CORPORATION"         3837     0        10159       5692         14821880     0             0         1460      1458.99     32.96766    0       1.465593  0.0008280156  0.01485064   1207.706  1762031   0.2818119  1           1        2        3           1            1      0.3333333  30343        44264308
B     3584     0x0400000200004001  1022171705.686717000  1022171714.043794000  8.357077000   1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:10:5a:c5:96:1a  0x0800           139.45.174.202   ie       "us-stripe-1-mnt"                 56070    138.212.190.117  jp       "ASAHI KASEI CORPORATION"         3820     0        10048       5709         14656900     0             0         1460      1458.688    37.40672    0       1.39519   0.0008317156  0.01430882   1202.334  1753831   0.2753697  1           1        2        5           1            1      0.2        30343        44264308
A     327      0x0400000200004000  1022171701.712093000  1022171726.638722000  24.926629000  1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:50:bf:08:44:81  0x0800           19.59.134.250    us       "MAINT-APNIC-AP"                  65230    138.212.187.240  jp       "ASAHI KASEI CORPORATION"         58290    0        9459        5223         13696632     0             1448      1448      1448        14.88834    0       0.067445  0.00263523    0.006631293  379.4737  549477.9  0.2885166  1           1        1        2           2            2      1          9459         13696632
B     69       0x0400000200004001  1022171701.698940000  1022171726.629403000  24.930463000  1           3        eth:ipv4:tcp  00:50:fc:23:7a:c0  00:d0:02:6d:78:00  0x0800           138.212.187.219  jp       "ASAHI KASEI CORPORATION"         139      138.212.36.145   jp       "Asahi Kasei Networks Corporati"  2860     0        8978        4413         12814184     25156         68        1460      1427.287    188.7683    0       0.070768  0.002776838   0.005433218  360.1217  513997    0.3409006  0.9960814   1        2        1           3            3      3          0            4198402
B     77       0x0400000200004001  1022171701.699040000  1022171726.629407000  24.930367000  1           3        eth:ipv4:tcp  00:48:54:63:7b:6c  00:d0:02:6d:78:00  0x0800           138.212.190.224  jp       "ASAHI KASEI CORPORATION"         139      138.212.36.145   jp       "Asahi Kasei Networks Corporati"  2861     0        7319        3622         10446036     20736         39        1460      1427.249    189.3738    0       0.131045  0.003406252   0.006908146  293.5777  419008.5  0.3379033  0.9960377   1        1        1           1            1      1          0            4198402
B     31       0x0400000200004001  1022171701.715914000  1022171726.608383000  24.892469000  1           3        eth:ipv4:tcp  00:01:02:b4:36:56  00:d0:02:6d:78:00  0x0800           138.212.187.109  jp       "ASAHI KASEI CORPORATION"         139      138.212.77.73    jp       "Asahi Kasei Networks Corporati"  61340    0        7289        3811         10398387     10773         0         1460      1426.586    206.3522    0       0.204505  0.003415072   0.01081335   292.8195  417732.2  0.3133333  0.9979301   4        2        1           3            0.75   3          23691        33466670
A     4782     0x0400000200004000  1022171709.260746000  1022171716.327308000  7.066562000   1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:00:b4:a9:15:71  0x0800           133.26.75.121    jp       "Meiji University"                36237    138.212.185.150  jp       "ASAHI KASEI CORPORATION"         20       0        6865        4465         10008944     0             0         1460      1457.967    53.03892    0       0.404642  0.00102936    0.009474586  971.4766  1416381   0.211827   1           1        3        6           6            6      1          13412        19470658
B     8563     0x0400000200004001  1022171722.458182000  1022171726.637621000  4.179439000   1           3        eth:ipv4:tcp  00:d0:02:6d:78:00  00:10:5a:c5:96:1a  0x0800           139.45.174.202   ie       "us-stripe-1-mnt"                 56072    138.212.190.117  jp       "ASAHI KASEI CORPORATION"         3854     0        6044        3358         8817920      0             0         1460      1458.954    33.76375    0       0.145115  0.0006915019  0.00266886   1446.127  2109833   0.2856839  1           1        1        1           1            1      1          30343        44264308

VLAN flow aggregation

If you acquire your traffic from an LNS or on a trunk port, the VLAN IDs must be part of the flow hash, as different VLANs carrying the same five-tuple should be kept in separate flows. If your traffic is stripped of VLANs, the VLAN ID carries no information and can be ignored.

Notwithstanding, it can be useful to aggregate all VLANs carrying the same five-tuple into one flow. One incident where T2 came to the rescue was a site where egress and ingress traffic had ended up in two different VLANs, an accidental misconfiguration.

So the VLAN mode produced perfect flows, and when I switched VLAN aggregation off I had twice the amount of flows. That made me go to the customer and ask a question like: WTF? And he answered: WTF! And then we found a lot of WTF stuff, including illegal access…

First, reset the aggregation mode:

t2conf tranalyzer2 -D AGGREGATIONFLAG=0x00 && t2build -R

t2conf tranalyzer2 -G AGGREGATIONFLAG

AGGREGATIONFLAG = 0x00

Then feed the 802.1Q_tunneling.cap PCAP file to T2 to see what the normal flow output looks like:

t2 -r ~/data/802.1Q_tunneling.cap -w ~/results

================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 62159, Prio: 0, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: basicStats, 0.9.1
    03: connStat, 0.9.1
    04: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/802.1Q_tunneling.cap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1277840495.135052000 sec (Tue 29 Jun 2010 19:41:35 GMT)
Dump stop : 1277840530.538713000 sec (Tue 29 Jun 2010 19:42:10 GMT)
Total dump duration: 35.403661000 sec
Finished processing. Elapsed time: 0.000140915 sec
Finished unloading flow memory. Time: 0.000272500 sec
Percentage completed: 100.00%
Number of processed packets: 26
Number of processed bytes: 4686 (4.69 K)
Number of raw bytes: 4686 (4.69 K)
Number of pcap bytes: 5126 (5.13 K)
Number of IPv4 packets: 20 [76.92%]
Number of A packets: 16 [61.54%]
Number of B packets: 10 [38.46%]
Number of A bytes: 3466 (3.47 K) [73.97%]
Number of B bytes: 1220 (1.22 K) [26.03%]
<A packet load>: 216.62
<B packet load>: 122.00
--------------------------------------------------------------------------------
basicStats: Flow max(pktload): 353
basicStats: Flow max(b/s), pkts: 483870 (483.87 Kb/s), 5
basicStats: Biggest L2 flow talker: 00:13:c3:df:ae:18: 1 [3.85%] packets
basicStats: Biggest L2 flow talker: 00:0f:34:5f:16:8d: 353 [7.53%] bytes
basicStats: Biggest L3 flow talker: 10.118.10.1: 5 [19.23%] packets
basicStats: Biggest L3 flow talker: 10.118.10.1: 360 [7.68%] bytes
connStat: Number of unique source IPs: 2
connStat: Number of unique destination IPs: 2
connStat: Number of unique source/destination IPs connections: 2
connStat: Max unique number of source IP / destination port connections: 2
connStat: IP connF=connSipDprt/connSip: 1.000000
connStat: IP connG=connSipDprt/connSipDip: 1.000000
connStat: Source IP with max connections: 10.118.10.1: 1 connections
connStat: Destination IP with max connections: 10.118.10.2: 1 connections
connStat: Biggest L3 talker: 10.118.10.1: 5 [19.23%] packets
connStat: Biggest L3 talker: 10.118.10.1: 360 [7.68%] bytes
--------------------------------------------------------------------------------
Headers count: min: 3, max: 5, avg: 4.69
Max VLAN header count: 2
Number of LLC packets: 6 [23.08%]
Number of ICMP packets: 20 [76.92%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 10
Number of processed L2   flows: 6 [60.00%]
Number of processed IPv4 flows: 4 [40.00%]
Number of processed A    flows: 8 [80.00%]
Number of processed B    flows: 2 [20.00%]
Number of request        flows: 8 [80.00%]
Number of reply          flows: 2 [20.00%]
Total   A/B    flow asymmetry: 0.60
Total req/rply flow asymmetry: 0.60
Number of processed A+B packets/A+B flows: 2.60
Number of processed A   packets/A   flows: 2.00
Number of processed   B packets/  B flows: 5.00
Number of processed total packets/s: 0.73
Number of processed A+B   packets/s: 0.73
Number of processed A     packets/s: 0.45
Number of processed   B   packets/s: 0.28
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.28
<Bandwidth>: 551 b/s
<Raw bandwidth>: 1059 b/s (1.06 Kb/s)
Max number of flows in memory: 10 [0.00%]
Memory usage: 0.07 GB [0.10%]
Aggregated flowStat=0x0400000000004104
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] VLAN encapsulation

Max VLAN header count: 2… Hmmm, that means the packets carry at most two stacked VLAN tags (802.1Q tunneling, hence the vlan{2} in hdrDesc). Right, let's look at the flows:

tcol ~/results/802.1Q_tunneling_flows.txt

%dir  flowInd  flowStat            timeFirst             timeLast              duration     numHdrDesc  numHdrs  hdrDesc                srcMac             dstMac             ethType  vlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP        dstIPCC  dstIPOrg           dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT     stdIAT        pktps     bytps     pktAsm  bytAsm  connSip  connDip  connSipDip  connSipDprt  connF  connG  connNumPCnt  connNumBCnt
A     1        0x0400000000004100  1277840495.135052000  1277840495.141708000  0.006656000  1           5        eth:vlan{2}:ipv4:icmp  00:13:c3:df:ae:18  00:1b:d4:1b:a4:d8  0x0800   118;10  10.118.10.1  04       "Private network"  0        10.118.10.2  04       "Private network"  0        1        5           5            360          360           72        72        72          32.19938    0       0.00188   0.0013312  0.0009233078  751.2019  54086.54  0       0       1        1        2           2            2      1      5            360
B     1        0x0400000000004101  1277840495.135910000  1277840495.142543000  0.006633000  1           5        eth:vlan{2}:ipv4:icmp  00:1b:d4:1b:a4:d8  00:13:c3:df:ae:18  0x0800   118;10  10.118.10.2  04       "Private network"  0        10.118.10.1  04       "Private network"  0        1        5           5            360          360           72        72        72          32.19938    0       0.001721  0.0013266  0.0008943002  753.8067  54274.09  0       0       1        1        1           1            1      1      5            360
A     2        0x0400000000004100  1277840503.708352000  1277840503.714432000  0.006080000  1           5        eth:vlan{2}:ipv4:icmp  00:19:aa:7d:e6:88  00:21:55:c8:f1:3c  0x0800   209;20  10.209.20.3  04       "Private network"  0        10.209.20.4  04       "Private network"  0        1        5           5            360          360           72        72        72          32.19938    0       0.001733  0.001216   0.0008592694  822.3684  59210.52  0       0       1        1        2           2            2      1      5            360
B     2        0x0400000000004101  1277840503.709181000  1277840503.715133000  0.005952000  1           5        eth:vlan{2}:ipv4:icmp  00:21:55:c8:f1:3c  00:19:aa:7d:e6:88  0x0800   209;20  10.209.20.4  04       "Private network"  0        10.209.20.3  04       "Private network"  0        1        5           5            360          360           72        72        72          32.19938    0       0.001666  0.0011904  0.0007853201  840.0538  60483.87  0       0       1        1        1           1            1      1      5            360
A     3        0x0000000000000104  1277840510.969363000  1277840510.969363000  0.000000000  1           4        eth:vlan:llc:cdp       00:13:c3:df:ae:18  01:00:0c:cd:cd:d0  0x2000   41078   -            -        "-"                0        -            -        "-"                0        0        1           0            349          0             349       349       349         349         0       0         0          0             0         0         1       1       0        0        0           0            0      0      0            0
A     4        0x0000000000000104  1277840511.384783000  1277840511.384783000  0.000000000  1           4        eth:vlan:llc:cdp       00:19:aa:7d:e6:88  01:00:0c:cd:cd:d0  0x2000   41169   -            -        "-"                0        -            -        "-"                0        0        1           0            347          0             347       347       347         347         0       0         0          0             0         0         1       1       0        0        0           0            0      0      0            0
A     5        0x0000000000000004  1277840525.369320000  1277840525.369320000  0.000000000  1           3        eth:llc:cdp            00:0f:34:5f:16:8d  01:00:0c:cc:cc:cc  0x2000           -            -        "-"                0        -            -        "-"                0        0        1           0            353          0             353       353       353         353         0       0         0          0             0         0         1       1       0        0        0           0            0      0      0            0
A     6        0x0000000000000004  1277840525.404193000  1277840525.404193000  0.000000000  1           3        eth:llc:cdp            00:13:c4:12:0f:0d  01:00:0c:cc:cc:cc  0x2000           -            -        "-"                0        -            -        "-"                0        0        1           0            353          0             353       353       353         353         0       0         0          0             0         0         1       1       0        0        0           0            0      0      0            0
A     7        0x0000000000000104  1277840528.106320000  1277840528.106320000  0.000000000  1           4        eth:vlan:llc:cdp       00:1b:d4:1b:a4:d8  01:00:0c:cd:cd:d0  0x2000   41078   -            -        "-"                0        -            -        "-"                0        0        1           0            349          0             349       349       349         349         0       0         0          0             0         0         1       1       0        0        0           0            0      0      0            0
A     8        0x0000000000000104  1277840530.538713000  1277840530.538713000  0.000000000  1           4        eth:vlan:llc:cdp       00:21:55:c8:f1:3c  01:00:0c:cd:cd:d0  0x2000   41169   -            -        "-"                0        -            -        "-"                0        0        1           0            347          0             347       347       347         347         0       0         0          0             0         0         1       1       0        0        0           0            0      0      0            0

Now switch on the VLAN aggregation mode using either of the following commands, which are equivalent:

t2conf tranalyzer2 -D AGGREGATIONFLAG=VLANID

t2conf tranalyzer2 -D AGGREGATIONFLAG=0x20

This removes the VLAN ID from the flow hash. Rebuild T2 and rerun it on the same PCAP:

t2conf tranalyzer2 -D AGGREGATIONFLAG=0x20 && t2build -R

t2 -r ~/data/802.1Q_tunneling.cap -w ~/results/

...
--------------------------------------------------------------------------------
basicStats: Biggest L2 talker: 00:13:c3:df:ae:18: 1 [3.85%] packets
basicStats: Biggest L2 talker: 00:13:c3:df:ae:18: 375 [8.00%] bytes
basicStats: Biggest L3 talker: 10.118.10.1: 5 [19.23%] packets
basicStats: Biggest L3 talker: 10.118.10.1: 610 [13.02%] bytes
connStat: Number of unique source IPs: 2
connStat: Number of unique destination IPs: 2
connStat: Number of unique source/destination IPs connections: 2
connStat: Max unique number of source IP / destination port connections: 2
connStat: IP prtcon/sdcon, prtcon/scon: 1.000000, 1.000000
connStat: Source IP with max connections: 10.118.10.1: 1 connections
connStat: Destination IP with max connections: 10.118.10.2: 1 connections
--------------------------------------------------------------------------------
Headers count: min: 3, max: 5, average: 4.69
Max VLAN header count: 2
Number of LLC packets: 6 [23.08%]
Number of GRE packets: 6 [23.08%]
Number of ICMP packets: 20 [76.92%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 10
Number of processed A flows: 8 [80.00%]
Number of processed B flows: 2 [20.00%]
Number of request     flows: 8 [80.00%]
Number of reply       flows: 2 [20.00%]
Total   A/B    flow asymmetry: 0.60
Total req/rply flow asymmetry: 0.60
Number of processed   packets/flows: 2.60
Number of processed A packets/flows: 2.00
Number of processed B packets/flows: 5.00
Number of processed total packets/s: 0.73
Number of processed A+B   packets/s: 0.73
Number of processed A     packets/s: 0.45
Number of processed   B   packets/s: 0.28
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...

Damn! Why do we still have the same number of flows? Is T2 broken? Or did we overlook something? Ahhh, the two VLAN pairs carry different IP pairs (10.118.10.x in 118;10, 10.209.20.x in 209;20), so masking the VLAN ID leaves nothing to merge. Looking at the flow file, the VLAN ID column is now empty, i.e. it is no longer part of the hash. The L2 CDP flows have different srcMac, so they stay separate as well. Oups, …

tcol ~/results/802.1Q_tunneling_flows.txt

%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc                srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP        dstIPCC  dstIPOrg           dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT     stdIAT        pktps     bytps     pktAsm  bytAsm  connSip  connDip  connSipDip  connSipDprt  connF
A     1        0x0400000000004100  1277840495.135052  1277840495.141708  0.006656  1           5        eth:vlan{2}:ipv4:icmp  00:13:c3:df:ae:18  00:1b:d4:1b:a4:d8  0x0800              10.118.10.1  04       "Private network"  0        10.118.10.2  04       "Private network"  0        1        5           5            360          360           72        72        72          0           0       0.00188   0.0013312  0.0004990491  751.2019  54086.54  0       0       1        1        2           2            2
B     1        0x0400000000004101  1277840495.135910  1277840495.142543  0.006633  1           5        eth:vlan{2}:ipv4:icmp  00:1b:d4:1b:a4:d8  00:13:c3:df:ae:18  0x0800              10.118.10.2  04       "Private network"  0        10.118.10.1  04       "Private network"  0        1        5           5            360          360           72        72        72          0           0       0.001721  0.0013266  0.0005040318  753.8067  54274.09  0       0       1        1        1           1            1
A     2        0x0400000000004100  1277840503.708352  1277840503.714432  0.006080  1           5        eth:vlan{2}:ipv4:icmp  00:19:aa:7d:e6:88  00:21:55:c8:f1:3c  0x0800              10.209.20.3  04       "Private network"  0        10.209.20.4  04       "Private network"  0        1        5           5            360          360           72        72        72          0           0       0.001733  0.001216   0.0004763269  822.3684  59210.52  0       0       1        1        2           2            2
B     2        0x0400000000004101  1277840503.709181  1277840503.715133  0.005952  1           5        eth:vlan{2}:ipv4:icmp  00:21:55:c8:f1:3c  00:19:aa:7d:e6:88  0x0800              10.209.20.4  04       "Private network"  0        10.209.20.3  04       "Private network"  0        1        5           5            360          360           72        72        72          0           0       0.001666  0.0011904  0.0004731365  840.0538  60483.87  0       0       1        1        1           1            1
A     3        0x0000000000000104  1277840510.969363  1277840510.969363  0.000000  1           4        eth:vlan:llc:cdp       00:13:c3:df:ae:18  01:00:0c:cd:cd:d0  0x2000              -            -        "-"                0        -            -        "-"                0        0        1           0            349          0             349       349       349         0           0       0         0          0             0         0         1       1       0        0        0           0            0
A     4        0x0000000000000104  1277840511.384783  1277840511.384783  0.000000  1           4        eth:vlan:llc:cdp       00:19:aa:7d:e6:88  01:00:0c:cd:cd:d0  0x2000              -            -        "-"                0        -            -        "-"                0        0        1           0            347          0             347       347       347         0           0       0         0          0             0         0         1       1       0        0        0           0            0
A     5        0x0000000000000004  1277840525.369320  1277840525.369320  0.000000  1           3        eth:llc:cdp            00:0f:34:5f:16:8d  01:00:0c:cc:cc:cc  0x2000              -            -        "-"                0        -            -        "-"                0        0        1           0            353          0             353       353       353         0           0       0         0          0             0         0         1       1       0        0        0           0            0
A     6        0x0000000000000004  1277840525.404193  1277840525.404193  0.000000  1           3        eth:llc:cdp            00:13:c4:12:0f:0d  01:00:0c:cc:cc:cc  0x2000              -            -        "-"                0        -            -        "-"                0        0        1           0            353          0             353       353       353         0           0       0         0          0             0         0         1       1       0        0        0           0            0
A     7        0x0000000000000104  1277840528.106320  1277840528.106320  0.000000  1           4        eth:vlan:llc:cdp       00:1b:d4:1b:a4:d8  01:00:0c:cd:cd:d0  0x2000              -            -        "-"                0        -            -        "-"                0        0        1           0            349          0             349       349       349         0           0       0         0          0             0         0         1       1       0        0        0           0            0
A     8        0x0000000000000104  1277840530.538713  1277840530.538713  0.000000  1           4        eth:vlan:llc:cdp       00:21:55:c8:f1:3c  01:00:0c:cd:cd:d0  0x2000              -            -        "-"                0        -            -        "-"                0        0        1           0            347          0             347       347       347         0           0       0         0          0             0         0         1       1       0        0        0           0            0

Now try adding the network aggregation mode for srcIP and dstIP: how many flows do you expect?
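To make the masking concrete, here is an added Python model of the flow hash (example code written for this tutorial, not part of Tranalyzer): every field whose AGGREGATIONFLAG bit is set is dropped from the key, and a packet whose reversed key is already known becomes the B side of that flow, the way T2 pairs directions under one flowInd. The packet lists are constructed from the listings above (the two QinQ ICMP pairs of 802.1Q_tunneling.cap, and three annoloc2 connections that differ only in their ports) plus one made-up capture of the misconfigured site from the anecdote. Only VLANID = 0x20 and the sum SRCPORT|DSTPORT|L4PROT = 0x07 are confirmed by this page; the individual values of the three port/protocol bits are an assumption of the model.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# AGGREGATIONFLAG bits. VLANID = 0x20 is the value used in the tutorial and
# 0x87 fixes SRCPORT|DSTPORT|L4PROT to 0x07; the split into 0x01/0x02/0x04
# below is an assumption of this model, not a quote from tranalyzer.h.
SRCPORT = 0x01
DSTPORT = 0x02
L4PROT = 0x04
VLANID = 0x20


@dataclass(frozen=True)
class Pkt:
    """One L3 packet as the flow engine sees it (constructed sample data)."""
    vlans: Tuple[int, ...]   # outer..inner 802.1Q tags, () when untagged
    src_ip: str
    dst_ip: str
    proto: int               # 1 = ICMP, 6 = TCP, 17 = UDP
    sport: int = 0
    dport: int = 0


def flow_key(p: Pkt, aggflag: int) -> tuple:
    """Fields whose bit is set in aggflag are masked out of the flow hash."""
    return (
        p.src_ip,
        p.dst_ip,
        None if aggflag & SRCPORT else p.sport,
        None if aggflag & DSTPORT else p.dport,
        None if aggflag & L4PROT else p.proto,
        None if aggflag & VLANID else p.vlans,
    )


def reverse(p: Pkt) -> Pkt:
    """The same packet seen from the other side: addresses and ports swapped."""
    return replace(p, src_ip=p.dst_ip, dst_ip=p.src_ip, sport=p.dport, dport=p.sport)


def build_flows(pkts: List[Pkt], aggflag: int) -> Dict[int, Dict[str, int]]:
    """Return {flowInd: {'A': packets, 'B': packets}}. A packet joins the flow
    whose key it matches; if only the reversed key is known it becomes the B
    side of that flow; otherwise it opens a new flow as its A side."""
    index: Dict[tuple, Tuple[int, str]] = {}
    flows: Dict[int, Dict[str, int]] = {}
    for p in pkts:
        k = flow_key(p, aggflag)
        if k not in index:
            rk = flow_key(reverse(p), aggflag)
            if rk in index:
                index[k] = (index[rk][0], "B")
            else:
                ind = len(flows) + 1
                flows[ind] = {}
                index[k] = (ind, "A")
        ind, direction = index[k]
        flows[ind][direction] = flows[ind].get(direction, 0) + 1
    return flows


def summary(flows: Dict[int, Dict[str, int]]) -> Tuple[int, int, int]:
    """(number of flowInd, flows with an A side, flows with a B side)."""
    a = sum(1 for f in flows.values() if "A" in f)
    b = sum(1 for f in flows.values() if "B" in f)
    return len(flows), a, b


# 802.1Q_tunneling.cap as listed above: two ICMP echo pairs, each in its own
# QinQ stack and its own /24, five packets per direction.
QINQ = (
    [Pkt((118, 10), "10.118.10.1", "10.118.10.2", 1)] * 5
    + [Pkt((118, 10), "10.118.10.2", "10.118.10.1", 1)] * 5
    + [Pkt((209, 20), "10.209.20.3", "10.209.20.4", 1)] * 5
    + [Pkt((209, 20), "10.209.20.4", "10.209.20.3", 1)] * 5
)

# Constructed: the misconfigured site from the anecdote, request and reply of
# one TCP connection tagged with different VLANs.
SPLIT_VLAN = (
    [Pkt((10,), "192.0.2.10", "198.51.100.5", 6, 51000, 443)] * 3
    + [Pkt((20,), "198.51.100.5", "192.0.2.10", 6, 443, 51000)] * 3
)

# Three annoloc2 connections from the listing above that differ only in ports.
THREE_CONNS = [
    Pkt((), "139.45.174.202", "138.212.190.117", 6, 56070, 3820),
    Pkt((), "139.45.174.202", "138.212.190.117", 6, 56071, 3837),
    Pkt((), "139.45.174.202", "138.212.190.117", 6, 56072, 3854),
]

if __name__ == "__main__":
    for name, pkts, flag in (("QinQ, VLAN hashed", QINQ, 0),
                             ("QinQ, VLAN masked", QINQ, VLANID),
                             ("split VLAN, VLAN hashed", SPLIT_VLAN, 0),
                             ("split VLAN, VLAN masked", SPLIT_VLAN, VLANID),
                             ("3 conns, ports hashed", THREE_CONNS, 0),
                             ("3 conns, ports masked", THREE_CONNS, SRCPORT | DSTPORT)):
        print(f"{name:26s} (flowInd, A, B) = {summary(build_flows(pkts, flag))}")
```

With the QinQ capture the masked and unmasked runs both give two flowInd with an A and a B side, which is why the flow count in the run above did not change. In the split-VLAN capture, hashing the VLAN ID keeps the reply from matching the request, so you get two flowInd that are both A-only, versus one properly paired flow once the VLAN is masked. Masking the ports collapses the three connections into one flow, which is the port-range view promised at the top of this tutorial.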

Subnet aggregation

If you are interested in the big picture, i.e. in flows between organizations or, even coarser, between countries, the SUBNET aggregation mode comes in handy. To achieve maximal compression, L4PROT, DSTPORT and SRCPORT are removed from the flow hash as well.

So set AGGREGATIONFLAG as follows (both commands are equivalent):

t2conf tranalyzer2 -D AGGREGATIONFLAG="(SUBNET | L4PROT | DSTPORT | SRCPORT)"

t2conf tranalyzer2 -D AGGREGATIONFLAG=0x87

Then rebuild T2 and all active plugins and run it on annoloc2.pcap, which contains traffic from many more organizations:

t2conf tranalyzer2 -D AGGREGATIONFLAG=0x87 && t2build -R

t2conf tranalyzer2 -G AGGREGATIONFLAG

AGGREGATIONFLAG = 0x87
t2 -r ~/data/annoloc2.pcap -w ~/results/

...
--------------------------------------------------------------------------------
basicStats: Biggest L2 talker: 00:d0:02:6d:78:00: 57 [0.00%] packets
basicStats: Biggest L2 talker: 00:d0:02:6d:78:00: 3420 (3.42 K) [0.01%] bytes
basicStats: Biggest L3 talker: N/A (JP): 79352 (79.35 K) [6.51%] packets
basicStats: Biggest L3 talker: N/A (JP): 112279659 (112.28 M) [175.21%] bytes
connStat: Number of unique source IPs: 634
connStat: Number of unique destination IPs: 467
connStat: Number of unique source/destination IPs connections: 4
connStat: Max unique number of source IP / destination port connections: 922
connStat: IP prtcon/sdcon, prtcon/scon: 230.500000, 1.454259
connStat: Source IP with max connections: N/A (JP): 463 connections
connStat: Destination IP with max connections: N/A (JP): 623 connections
--------------------------------------------------------------------------------
Headers count: min: 2, max: 5, average: 3.01
Number of GRE packets: 20 [0.00%]
Number of IPv4 fragmented packets: 2284 (2.28 K) [0.19%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 2391 (2.39 K)
Number of processed A flows: 1290 (1.29 K) [53.95%]
Number of processed B flows: 1101 (1.10 K) [46.05%]
Number of request     flows: 1279 (1.28 K) [53.49%]
Number of reply       flows: 1112 (1.11 K) [46.51%]
Total   A/B    flow asymmetry: 0.08
Total req/rply flow asymmetry: 0.07
Number of processed   packets/flows: 509.83
Number of processed A packets/flows: 513.87
Number of processed B packets/flows: 505.10
Number of processed total packets/s: 48859.83 (48.86 K)
Number of processed A+B   packets/s: 48859.83 (48.86 K)
Number of processed A     packets/s: 26569.88 (26.57 K)
Number of processed   B   packets/s: 22289.95 (22.29 K)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...

Note that the number of flows is now drastically reduced and that basicStats and connStat report only the country, not the IP, as the biggest talker. The L2 output stays the same, as it is not aggregated by country or organization.

Select the last 10 flows from the flow file and look at the IP columns. As flows are now aggregated by country and organization, the distinct IPs that fell into each flow are listed, ';'-separated and up to BFO_MAX_IP of them, under srcIP and dstIP. The same holds for any other flow parameter that is no longer part of the hash, such as the VLAN ID, the Ethernet addresses or the header description (hdrDesc).

tail -n 10 ~/results/annoloc2_flows.txt | tcol

%dir  flowInd  flowStat  timeFirst  timeLast  duration  numHdrDesc  numHdrs  hdrDesc  srcMac  dstMac  ethType  ethVlanID  srcIP  srcIPCC  srcIPOrg  srcPort  dstIP  dstIPCC  dstIPOrg  dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT  aveIAT  stdIAT  pktps  bytps  pktAsm  bytAsm  connSip  connDip  connSipDip  connSipDprt  connF
A  262  0x0400000200004000  1022171701.755879  1022171726.638725  24.882846  2  3;3      eth:ipv4:tcp;eth:ipv4:udp                                         00:d0:02:6d:78:00                                      00:10:a7:02:4d:33;00:10:5a:9a:7b:b2;00:00:1c:b6:16:3f  0x0800    70.98.46.15;70.99.42.203;70.96.59.158;70.99.32.168;70.98.52.230                 us  "Allstream Business US"           0  138.212.185.188;138.212.188.76;138.212.185.186;138.212.186.19;138.212.188.67   jp  "ASAHI KASEI CORPORATION"         0  0  361    595    33379      767756     0   1414  92.4626   313.5428  0  0.848498  0.06892753    0.13587       14.50799  1341.446  -0.2447699    -0.9166707  1  4  2  2  2
B  262  0x0400000200004001  1022171701.902659  1022171726.640383  24.737724  2  3;3      eth:ipv4:tcp;eth:ipv4:udp                                         00:10:a7:02:4d:33;00:10:5a:9a:7b:b2;00:00:1c:b6:16:3f  00:d0:02:6d:78:00                                      0x0800    138.212.185.188;138.212.188.76;138.212.185.186;138.212.186.19;138.212.189.66    jp  "ASAHI KASEI CORPORATION"         0  70.98.46.15;70.99.42.203;70.96.59.158;70.99.32.168;216.187.138.121             us  "Allstream Business US"           0  0  595    361    767756     33379      0   1452  1290.346  376.2223  0  0.843078  0.04157602    0.1172496     24.05233  31035.84  0.2447699     0.9166707   4  1  1  1  0.25
A  24   0x0400000200004000  1022171701.692722  1022171726.639225  24.946503  2  3;3      eth:ipv4:udp;eth:ipv4:icmp                                        00:d0:02:6d:78:00                                      00:10:a7:04:8c:e7;00:10:a7:02:4d:33                    0x0800    201.71.5.135;201.71.5.18                                                        br  "SIMONE BARBOSA DO NASCIMENTO S"  0  138.212.188.0;138.212.185.188                                                  jp  "ASAHI KASEI CORPORATION"         0  0  1948   1521   64242      95562      15  81    32.97844  5.965079  0  0.091936  0.01280621    0.01250342    78.0871   2575.191  0.1230902     -0.1959901  1  3  2  2  2
B  24   0x0400000200004001  1022171701.699995  1022171726.638731  24.938736  1  3        eth:ipv4:udp                                                      00:10:a7:02:4d:33;00:10:a7:04:8c:e7                    00:d0:02:6d:78:00                                      0x0800    138.212.185.188;138.212.188.0                                                   jp  "ASAHI KASEI CORPORATION"         0  201.71.5.18;201.71.5.135                                                       br  "SIMONE BARBOSA DO NASCIMENTO S"  0  0  1521   1948   95562      64242      2   1002  62.8284   48.12328  0  0.077883  0.01639627    0.01056307    60.98946  3831.87   -0.1230902    0.1959901   3  1  1  1  0.3333333
A  25   0x0400000200004000  1022171701.692728  1022171726.639232  24.946504  1  3        eth:ipv4:tcp                                                      00:01:02:b4:36:56;00:00:b4:a9:15:71                    00:d0:02:6d:78:00                                      0x0800    138.212.187.109;138.212.185.150                                                 jp  "ASAHI KASEI CORPORATION"         1  133.26.84.187;133.26.75.121                                                    jp  "Meiji University"                0  0  21733  21530  18978704   19467995   0   1460  873.2667  715.3718  0  0.192009  0.001147856   0.003702144   871.1842  760776.1  0.004692231   -0.0127265  2  1  2  4  2
B  25   0x0400000200004001  1022171701.700968  1022171726.639226  24.938258  1  3        eth:ipv4:tcp                                                      00:d0:02:6d:78:00                                      00:01:02:b4:36:56;00:00:b4:a9:15:71                    0x0800    133.26.84.187;133.26.75.121                                                     jp  "Meiji University"                0  138.212.187.109;138.212.185.150                                                jp  "ASAHI KASEI CORPORATION"         1  0  21530  21733  19467995   18978704   0   1460  904.2265  708.6259  0  0.198618  0.001158304   0.003675067   863.3322  780647.8  -0.004692231  0.0127265   1  2  1  3  3
A  1    0x0400100200004000  1022171701.691172  1022171726.640398  24.949226  2  3;3      eth:ipv4:tcp;eth:ipv4:udp                                         00:e0:4c:48:3a:a4;00:80:48:b3:21:69;00:4f:4e:02:84:25  00:d0:02:6d:78:00;00:40:33:28:8b:1b;00:80:48:cd:85:0e  0x0800    138.212.185.53;138.212.188.131;138.212.188.165;138.212.179.166;138.212.187.180  jp  "ASAHI KASEI CORPORATION"         1  138.212.213.164;138.212.233.169;138.212.233.135;138.212.232.65;138.212.238.16  jp  "ASAHI KASEI CORPORATION"         0  0  79352  49511  107963925  827100     0   1460  1360.57   303.0083  0  0.038743  0.0003144112  0.0005775219  3180.54   4327346   0.2315715     0.9847948   1  2  2  2  2
B  1    0x0400000a00004001  1022171701.691327  1022171726.640388  24.949061  2  3;3      eth:ipv4:tcp;eth:ipv4:udp                                         00:d0:02:6d:78:00;00:40:33:28:8b:1b;00:48:54:7a:23:90  00:50:fc:0b:d9:f9;00:00:e8:87:02:d1;00:20:18:8a:fd:9b  0x0800    138.212.227.96;138.212.226.85;138.212.234.148;138.212.226.8;138.212.228.43      jp  "ASAHI KASEI CORPORATION"         0  138.212.188.78;138.212.185.72;138.212.190.77;138.212.184.32;138.212.188.196    jp  "ASAHI KASEI CORPORATION"         1  0  49511  79352  827100     107963925  0   720   16.70538  32.12636  0  0.039945  0.0005039101  0.0006851798  1984.484  33151.55  -0.2315715    -0.9847948  2  1  1  1  0.5
A  5    0x0401080a00005000  1022171701.691178  1022171726.640398  24.949220  4  3;3;3;4  eth:ipv4:udp;eth:ipv4:tcp;eth:ipv4:icmp;eth:ipv4:gre:UNK(0x08a8)  00:d0:02:6d:78:00                                      00:50:04:2b:e6:2f;00:40:f4:21:e6:56;00:04:76:24:0e:f4  0x0800    19.32.78.208;19.132.119.69;136.5.216.114;19.67.220.218;19.6.61.6                us  "Ford Motor Company"              0  138.212.184.93;138.212.188.21;138.212.188.99;138.212.187.94;138.212.190.146    jp  "ASAHI KASEI CORPORATION"         0  0  69456  61949  16853704   47169356   0   1460  242.653   510.8112  0  0.038853  0.0003592089  0.0005340053  2783.895  675520.2  0.05712872    -0.4735115  1  1  2  2  2
B  5    0x0401080a00005001  1022171701.691697  1022171726.640389  24.948692  4  3;3;3;4  eth:ipv4:tcp;eth:ipv4:udp;eth:ipv4:icmp;eth:ipv4:gre:UNK(0x0051)  00:04:76:24:0e:f4;00:20:af:d2:17:09;00:c0:26:55:f7:dc  00:d0:02:6d:78:00                                      0x0800    138.212.188.99;138.212.191.88;138.212.190.148;138.212.184.98;138.212.190.146    jp  "ASAHI KASEI CORPORATION"         0  136.5.216.114;19.172.33.164;19.6.48.20;19.52.50.196;19.6.61.6                  us  "Ford Motor Company"              0  0  61949  69456  47169356   16853704   0   1460  761.4224  664.3212  0  0.039878  0.0004027295  0.0006338434  2483.056  1890654   -0.05712872   0.4735115   1  1  1  1  1

How many distinct values each multi-valued column of the flow file can hold (header descriptions, MAC and IP addresses, MPLS and VLAN tags) is bounded by constants in basicFlow.h; everything beyond that limit is still aggregated into the flow but no longer listed:

basicFlow

vi src/basicFlow.h

...
// Maximum number of values to store

#define BFO_MAX_HDRDESC 4 // Maximum number of headers descriptions to store
#define BFO_MAX_MAC     3 // Maximum different MAC addresses to output
#define BFO_MAX_IP      5 // Maximum different IP addresses to output
#define BFO_MAX_MPLS    3 // Maximum MPLS headers/tags to output
#define BFO_MAX_VLAN    3 // Maximum VLAN headers/numbers to output
...

Let’s raise the maximum number of IPs stored per flow to 10, rebuild the plugin and rerun T2 on the same PCAP to see what happens:

t2conf basicFlow -D BFO_MAX_IP=10 && t2build basicFlow

t2 -r ~/data/annoloc2.pcap -w ~/results/

Now the IP lists hold up to 10 addresses per flow. Note that a list which reaches BFO_MAX_IP (flows 1 and 5 below) is capped: packets from further addresses are still aggregated into the flow, but those addresses are not listed, so a full list does not tell you how many hosts were actually involved.

tail -n 10 ~/results/annoloc2_flows.txt | tcol

%dir  flowInd  flowStat  timeFirst  timeLast  duration  numHdrDesc  numHdrs  hdrDesc  srcMac  dstMac  ethType  ethVlanID  srcIP  srcIPCC  srcIPOrg  srcPort  dstIP  dstIPCC  dstIPOrg  dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT  aveIAT  stdIAT  pktps  bytps  pktAsm  bytAsm  connSip  connDip  connSipDip  connSipDprt  connF
A  262  0x0400000200004000  1022171701.755879  1022171726.638725  24.882846  2  3;3      eth:ipv4:tcp;eth:ipv4:udp                                         00:d0:02:6d:78:00                                      00:10:a7:02:4d:33;00:10:5a:9a:7b:b2;00:00:1c:b6:16:3f  0x0800    70.98.46.15;70.99.42.203;70.96.59.158;70.99.32.168;70.98.52.230;70.96.180.209;70.99.40.231                                                                  us  "Allstream Business US"           0  138.212.185.188;138.212.188.76;138.212.185.186;138.212.186.19;138.212.188.67;138.212.187.4;138.212.186.208;138.212.189.232;138.212.191.219                 jp  "ASAHI KASEI CORPORATION"         0  0  361    595    33379      767756     0   1414  92.4626   313.5428  0  0.848498  0.06892753    0.13587       14.50799  1341.446  -0.2447699    -0.9166707  1  4  2  2  2
B  262  0x0400000200004001  1022171701.902659  1022171726.640383  24.737724  2  3;3      eth:ipv4:tcp;eth:ipv4:udp                                         00:10:a7:02:4d:33;00:10:5a:9a:7b:b2;00:00:1c:b6:16:3f  00:d0:02:6d:78:00                                      0x0800    138.212.185.188;138.212.188.76;138.212.185.186;138.212.186.19;138.212.189.66;138.212.188.67;138.212.187.4;138.212.186.208;138.212.189.232;138.212.191.219   jp  "ASAHI KASEI CORPORATION"         0  70.98.46.15;70.99.42.203;70.96.59.158;70.99.32.168;216.187.138.121;70.98.52.230;70.96.180.209;70.99.40.231                                                 us  "Allstream Business US"           0  0  595    361    767756     33379      0   1452  1290.346  376.2223  0  0.843078  0.04157602    0.1172496     24.05233  31035.84  0.2447699     0.9166707   4  1  1  1  0.25
A  24   0x0400000200004000  1022171701.692722  1022171726.639225  24.946503  2  3;3      eth:ipv4:udp;eth:ipv4:icmp                                        00:d0:02:6d:78:00                                      00:10:a7:04:8c:e7;00:10:a7:02:4d:33                    0x0800    201.71.5.135;201.71.5.18                                                                                                                                    br  "SIMONE BARBOSA DO NASCIMENTO S"  0  138.212.188.0;138.212.185.188                                                                                                                              jp  "ASAHI KASEI CORPORATION"         0  0  1948   1521   64242      95562      15  81    32.97844  5.965079  0  0.091936  0.01280621    0.01250342    78.0871   2575.191  0.1230902     -0.1959901  1  3  2  2  2
B  24   0x0400000200004001  1022171701.699995  1022171726.638731  24.938736  1  3        eth:ipv4:udp                                                      00:10:a7:02:4d:33;00:10:a7:04:8c:e7                    00:d0:02:6d:78:00                                      0x0800    138.212.185.188;138.212.188.0                                                                                                                               jp  "ASAHI KASEI CORPORATION"         0  201.71.5.18;201.71.5.135                                                                                                                                   br  "SIMONE BARBOSA DO NASCIMENTO S"  0  0  1521   1948   95562      64242      2   1002  62.8284   48.12328  0  0.077883  0.01639627    0.01056307    60.98946  3831.87   -0.1230902    0.1959901   3  1  1  1  0.3333333
A  25   0x0400000200004000  1022171701.692728  1022171726.639232  24.946504  1  3        eth:ipv4:tcp                                                      00:01:02:b4:36:56;00:00:b4:a9:15:71                    00:d0:02:6d:78:00                                      0x0800    138.212.187.109;138.212.185.150                                                                                                                             jp  "ASAHI KASEI CORPORATION"         1  133.26.84.187;133.26.75.121                                                                                                                                jp  "Meiji University"                0  0  21733  21530  18978704   19467995   0   1460  873.2667  715.3718  0  0.192009  0.001147856   0.003702144   871.1842  760776.1  0.004692231   -0.0127265  2  1  2  4  2
B  25   0x0400000200004001  1022171701.700968  1022171726.639226  24.938258  1  3        eth:ipv4:tcp                                                      00:d0:02:6d:78:00                                      00:01:02:b4:36:56;00:00:b4:a9:15:71                    0x0800    133.26.84.187;133.26.75.121                                                                                                                                 jp  "Meiji University"                0  138.212.187.109;138.212.185.150                                                                                                                            jp  "ASAHI KASEI CORPORATION"         1  0  21530  21733  19467995   18978704   0   1460  904.2265  708.6259  0  0.198618  0.001158304   0.003675067   863.3322  780647.8  -0.004692231  0.0127265   1  2  1  3  3
A  1    0x0400100200004000  1022171701.691172  1022171726.640398  24.949226  2  3;3      eth:ipv4:tcp;eth:ipv4:udp                                         00:e0:4c:48:3a:a4;00:80:48:b3:21:69;00:4f:4e:02:84:25  00:d0:02:6d:78:00;00:40:33:28:8b:1b;00:80:48:cd:85:0e  0x0800    138.212.185.53;138.212.188.131;138.212.188.165;138.212.179.166;138.212.187.180;138.212.184.19;138.212.185.72;138.212.189.58;138.212.190.169;138.212.190.77  jp  "ASAHI KASEI CORPORATION"         1  138.212.213.164;138.212.233.169;138.212.233.135;138.212.232.65;138.212.238.16;138.212.224.83;138.212.226.85;138.212.224.11;138.212.228.14;138.212.234.148  jp  "ASAHI KASEI CORPORATION"         0  0  79352  49511  107963925  827100     0   1460  1360.57   303.0083  0  0.038743  0.0003144112  0.0005775219  3180.54   4327346   0.2315715     0.9847948   1  2  2  2  2
B  1    0x0400000a00004001  1022171701.691327  1022171726.640388  24.949061  2  3;3      eth:ipv4:tcp;eth:ipv4:udp                                         00:d0:02:6d:78:00;00:40:33:28:8b:1b;00:48:54:7a:23:90  00:50:fc:0b:d9:f9;00:00:e8:87:02:d1;00:20:18:8a:fd:9b  0x0800    138.212.227.96;138.212.226.85;138.212.234.148;138.212.226.8;138.212.228.43;138.212.226.46;138.212.226.157;138.212.235.98;138.212.212.51;138.212.228.14      jp  "ASAHI KASEI CORPORATION"         0  138.212.188.78;138.212.185.72;138.212.190.77;138.212.184.32;138.212.188.196;138.212.189.38;138.212.187.49;138.212.189.132;138.212.184.52;138.212.190.169   jp  "ASAHI KASEI CORPORATION"         1  0  49511  79352  827100     107963925  0   720   16.70538  32.12636  0  0.039945  0.0005039101  0.0006851798  1984.484  33151.55  -0.2315715    -0.9847948  2  1  1  1  0.5
A  5    0x0401080a00005000  1022171701.691178  1022171726.640398  24.949220  4  3;3;3;4  eth:ipv4:udp;eth:ipv4:tcp;eth:ipv4:icmp;eth:ipv4:gre:UNK(0x08a8)  00:d0:02:6d:78:00                                      00:50:04:2b:e6:2f;00:40:f4:21:e6:56;00:04:76:24:0e:f4  0x0800    19.32.78.208;19.132.119.69;136.5.216.114;19.67.220.218;19.6.61.6;19.49.74.170;19.103.202.194;19.112.182.3;19.82.177.168;19.40.244.207                       us  "Ford Motor Company"              0  138.212.184.93;138.212.188.21;138.212.188.99;138.212.187.94;138.212.190.146;138.212.186.231;138.212.187.16;138.212.185.98;138.212.186.166;138.212.184.165  jp  "ASAHI KASEI CORPORATION"         0  0  69456  61949  16853704   47169356   0   1460  242.653   510.8112  0  0.038853  0.0003592089  0.0005340053  2783.895  675520.2  0.05712872    -0.4735115  1  1  2  2  2
B  5    0x0401080a00005001  1022171701.691697  1022171726.640389  24.948692  4  3;3;3;4  eth:ipv4:tcp;eth:ipv4:udp;eth:ipv4:icmp;eth:ipv4:gre:UNK(0x0051)  00:04:76:24:0e:f4;00:20:af:d2:17:09;00:c0:26:55:f7:dc  00:d0:02:6d:78:00                                      0x0800    138.212.188.99;138.212.191.88;138.212.190.148;138.212.184.98;138.212.190.146;138.212.191.117;138.212.186.208;138.212.188.21;138.212.184.165;138.212.190.67  jp  "ASAHI KASEI CORPORATION"         0  136.5.216.114;19.172.33.164;19.6.48.20;19.52.50.196;19.6.61.6;19.67.158.252;19.146.93.46;19.32.3.2;19.112.107.128;19.206.104.104                           us  "Ford Motor Company"              0  0  61949  69456  47169356   16853704   0   1460  761.4224  664.3212  0  0.039878  0.0004027295  0.0006338434  2483.056  1890654   -0.05712872   0.4735115   1  1  1  1  1
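To make the cap visible instead of having to count semicolons by eye, the following added Python script (example code, not part of this tutorial or of the Tranalyzer project) reads a flow file like the one above by column name, reports every srcIP/dstIP list that reached BFO_MAX_IP (so the reader knows the list may be truncated) and totals numBytesSnt per organization pair, which is the kind of question the aggregation was enabled for in the first place. It assumes the default txtSink layout (tab-separated records, a header line starting with `%`, `;`-joined multi-valued columns); the sample rows are constructed from flows 262 and 1 above, reduced to the columns the script uses, and the file name `flow_iplists.py` is an assumption. Run it on the real file with `python3 flow_iplists.py ~/results/annoloc2_flows.txt`.

```python
"""Check IP-list truncation and per-organization byte totals in a T2 flow file.

Added example, not part of this tutorial or of the Tranalyzer project. Assumes
the default txtSink layout: tab-separated records, a header line starting with
'%', ';'-joined values in multi-valued columns such as srcIP and dstIP. Columns
are looked up by name, so the script also runs on a full annoloc2_flows.txt.
"""
import sys
from collections import defaultdict

BFO_MAX_IP = 10  # must match the value compiled into basicFlow

# Columns used by this script (the real header has many more; lookup is by name).
COLUMNS = ["dir", "flowInd", "flowStat", "srcIP", "srcIPCC", "srcIPOrg",
           "dstIP", "dstIPCC", "dstIPOrg", "numBytesSnt", "numBytesRcvd"]


def _row(*fields):
    return "\t".join(fields)


# Constructed sample: three rows modelled on flows 262 and 1 of the output above.
SAMPLE_FLOWS = "\n".join([
    "%" + _row(*COLUMNS),
    _row("A", "262", "0x0400000200004000",
         "70.98.46.15;70.99.42.203;70.96.59.158;70.99.32.168;"
         "70.98.52.230;70.96.180.209;70.99.40.231",
         "us", '"Allstream Business US"',
         "138.212.185.188;138.212.188.76;138.212.185.186;138.212.186.19;"
         "138.212.188.67;138.212.187.4;138.212.186.208;138.212.189.232;"
         "138.212.191.219",
         "jp", '"ASAHI KASEI CORPORATION"', "33379", "767756"),
    _row("B", "262", "0x0400000200004001",
         "138.212.185.188;138.212.188.76;138.212.185.186;138.212.186.19;"
         "138.212.189.66;138.212.188.67;138.212.187.4;138.212.186.208;"
         "138.212.189.232;138.212.191.219",
         "jp", '"ASAHI KASEI CORPORATION"',
         "70.98.46.15;70.99.42.203;70.96.59.158;70.99.32.168;"
         "216.187.138.121;70.98.52.230;70.96.180.209;70.99.40.231",
         "us", '"Allstream Business US"', "767756", "33379"),
    _row("A", "1", "0x0400100200004000",
         "138.212.185.53;138.212.188.131;138.212.188.165;138.212.179.166;"
         "138.212.187.180;138.212.184.19;138.212.185.72;138.212.189.58;"
         "138.212.190.169;138.212.190.77",
         "jp", '"ASAHI KASEI CORPORATION"',
         "138.212.213.164;138.212.233.169;138.212.233.135;138.212.232.65;"
         "138.212.238.16;138.212.224.83;138.212.226.85;138.212.224.11;"
         "138.212.228.14;138.212.234.148",
         "jp", '"ASAHI KASEI CORPORATION"', "107963925", "827100"),
]) + "\n"


def parse_flows(text):
    """Return one dict per flow record, keyed by the names in the '%' header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split("\t")
    rows = []
    for ln in lines[1:]:
        fields = ln.split("\t")
        if len(fields) != len(header):
            raise ValueError(f"expected {len(header)} columns, got {len(fields)}")
        rows.append(dict(zip(header, fields)))
    return rows


def split_list(field):
    """Split a ';'-joined multi-valued column into its individual values."""
    return [v for v in field.split(";") if v]


def capped_ip_lists(rows, cap=BFO_MAX_IP):
    """(flowInd, dir, column) for every IP list that reached the cap.

    Such a list may be truncated: T2 keeps aggregating packets from further
    addresses into the flow but stops recording them once the cap is hit.
    """
    return [(r["flowInd"], r["dir"], col)
            for r in rows for col in ("srcIP", "dstIP")
            if len(split_list(r[col])) >= cap]


def bytes_by_org_pair(rows):
    """Sum numBytesSnt per (srcIPOrg, dstIPOrg) pair, quotes stripped."""
    totals = defaultdict(int)
    for r in rows:
        key = (r["srcIPOrg"].strip('"'), r["dstIPOrg"].strip('"'))
        totals[key] += int(r["numBytesSnt"])
    return dict(totals)


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_FLOWS
    rows = parse_flows(text)
    for flow_ind, direction, col in capped_ip_lists(rows):
        print(f"flow {flow_ind}{direction}: {col} reached BFO_MAX_IP={BFO_MAX_IP}, "
              "further addresses may be hidden")
    for (src, dst), nbytes in sorted(bytes_by_org_pair(rows).items(),
                                     key=lambda kv: -kv[1]):
        print(f"{nbytes:>12} B  {src} -> {dst}")


if __name__ == "__main__":
    main(sys.argv)
```

Reading columns by name rather than position is deliberate: the column set of a T2 flow file changes with every plugin you load, so a script that hard-codes positions breaks as soon as the next tutorial adds a plugin.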

Conclusion

That is enough for today. Don’t forget to reset the aggregation configuration (including the BFO_MAX_IP change above) and rebuild before the next tutorials, otherwise every later run will still aggregate flows and you will wonder why the output looks different from the tutorial:

t2conf --reset -a && t2build -R

Have fun!