Flow mode
Introduction
This tutorial details the use of Flow mode, the default operational mode of the Anteater. As the enhanced aggregation and masking features are discussed in a different tutorial, we concentrate here on the flow timeout features often used in anomaly research, such as botnet detection and practical network monitoring applications.
Preparation
In order to do so, we need to prepare T2. If you did not complete the previous tutorials, just follow the procedure described below.
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins and compile only basicFlow, basicStats and txtSink.
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
t2build tranalyzer2 basicFlow basicStats txtSink
...
BUILD SUCCESSFUL
If you did not create separate data and results directories yet, please do it now in another cmd window; that facilitates your workflow:
mkdir ~/data ~/results
The anonymized sample PCAP used here can be downloaded here: faf-exercise.pcap. Please extract it under your ~/data folder. Now you are all set for T2 flow timeout experiments.
Flow timeout control
Flow timeout control is a core function of the Anteater, hence it resides in the tranalyzer.h file:
tranalyzer2
vi src/tranalyzer.h
...
// Time mode
#define RELTIME 0 // 0: Absolute time, 1: Relative internal time
// Maximum lifetime of a flow
#define FDURLIMIT 0 // if > 0; forced flow life span of n +- 1 seconds
#define FDLSFINDEX 0 // if (FDURLIMIT) 0: Different findex; 1: Same findex for flows of a superflow
// The standard timeout for a flow in seconds
#define FLOW_TIMEOUT 182 // flow timeout after a packet is not seen after n seconds
...
RELTIME defines the internal time base to be absolute or relative to the pcap or interface ops start; the default is absolute. For graphical applications, it is sometimes convenient to have smaller time values relative to 0. We used it in the Basic traffic volume and connection analysis tutorial to produce an anomaly plot for the connStat plugin.
FLOW_TIMEOUT controls the timeout and releases flows from memory if no more packets are seen for FLOW_TIMEOUT seconds. It is chosen a bit larger than three minutes, as most L7 protocols have lower timeouts, so we capture most of them into one flow. Nevertheless, a large FLOW_TIMEOUT saves flow allocation and output operations, but also increases the flow lifetime in memory. So you need to optimize this value in high speed applications.
FDURLIMIT controls, independently of FLOW_TIMEOUT, the forced release of each flow in memory, thus simulating a Cisco flow mode. It is activated with a non-zero value in seconds. Hence, a value of 10 would terminate an active flow after 10 seconds if a new packet is encountered, and start a new sub-flow with the next packet having the same flow hash. If there is no new packet with the right hash value, then there is no flow release until an appropriate packet arrives. This is very different from FLOW_TIMEOUT, where any packet can trigger the flow termination. It is a built-in FORCE MODE, as it does not use the T2_RM_FLOW(flowP) function, see the Force mode tutorial.
If FDURLIMIT is enabled, FDLSFINDEX controls the enumeration of the sub-flows. Set it to 1 and all sub-flows keep the findex of the original flow. Otherwise the findex increments normally. This feature facilitates extracting the sub-flows belonging to a flow.
t2 -r ~/data/faf-exercise.pcap -w ~/results/
================================================================================
Tranalyzer 0.9.4 (Anteater), Cobra. PID: 34246, Prio: 0, SID: 666
================================================================================
Date: 1751988408.000923332 sec (Tue 08 Jul 2025 17:26:48 CEST)
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.4
    02: basicStats, 0.9.4
    03: txtSink, 0.9.4
[INF] IPv4 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 7237971 (7.24 M)
[INF] IPv6 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 1419101 (1.42 M)
Processing file: /home/user/data/faf-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1258544215.037210000 sec (Wed 18 Nov 2009 11:36:55 GMT)
Dump stop : 1258594491.683288000 sec (Thu 19 Nov 2009 01:34:51 GMT)
Total dump duration: 50276.646078000 sec (13h 57m 56s)
Finished processing. Elapsed time: 0.006183580 sec
Finished unloading flow memory. Time: 0.006197531 sec
Percentage completed: 100.00%
Number of processed packets: 5902 (5.90 K)
Number of processed bytes: 4993414 (4.99 M)
Number of raw bytes: 4993414 (4.99 M)
Number of pad bytes: 11668 (11.67 K)
Number of pcap bytes: 5087870 (5.09 M)
Number of IPv4 packets: 5902 (5.90 K) [100.00%]
Number of A packets: 1986 (1.99 K) [33.65%]
Number of B packets: 3916 (3.92 K) [66.35%]
Number of A bytes: 209315 (209.31 K) [4.19%]
Number of B bytes: 4784099 (4.78 M) [95.81%]
<A packet load>: 105.40
<B packet load>: 1221.68 (1.22 K)
--------------------------------------------------------------------------------
basicStats: Flow max(pktload): 1376 (1.38 K)
basicStats: Flow max(b/s), pkts: 8273466 (8.27 Mb/s), 73
basicStats: Biggest L3 flow talker: 143.166.11.10 (US): 3101 (3.10 K) [52.54%] packets
basicStats: Biggest L3 flow talker: 143.166.11.10 (US): 4268858 (4.27 M) [85.49%] bytes
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of TCP packets: 5902 (5.90 K) [100.00%]
Number of TCP bytes: 4993414 (4.99 M) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 73
Number of processed IPv4 flows: 73 [100.00%]
Number of processed A flows: 37 [50.68%]
Number of processed B flows: 36 [49.32%]
Number of request flows: 36 [49.32%]
Number of reply flows: 37 [50.68%]
Total A/B flow asymmetry: 0.01
Total req/rply flow asymmetry: -0.01
Number of processed A+B packets/A+B flows: 80.85
Number of processed A packets/A flows: 53.68
Number of processed B packets/ B flows: 108.78
Number of processed total packets/s: 0.12
Number of processed A+B packets/s: 0.12
Number of processed A packets/s: 0.04
Number of processed B packets/s: 0.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.00
<Bandwidth>: 792 b/s
<Raw bandwidth>: 795 b/s
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.02 GB [0.03%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
The end report states that there are 73 flows in total, 1986 A flow packets and 3916 B flow packets. The bandwidth is a bit low, but when you look at the total dump duration it becomes clear: the standard bandwidth estimation is an integral over the whole pcap period. If you want more elaborate bandwidth statistics, calculated over a shorter interval, set:
t2conf tranalyzer2 -D MIN_MAX_ESTIMATE=1 && t2build tranalyzer2
t2 -r ~/data/faf-exercise.pcap -w ~/results/
...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.00
<Bandwidth>: 792 b/s
<Raw bandwidth>: 795 b/s
: 1799428 b/s (1.80 Mb/s)
Stddev IIR raw bandwidth: 1527921 b/s (1.53 Mb/s)
Max raw bandwidth: 5826800 b/s (5.83 Mb/s)
Min raw bandwidth: 4320 b/s (4.32 Kb/s)
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.02 GB [0.03%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
This mode is disabled by default, as not everybody needs it and we want the Anteater to be lean.
OK, now select a flow which is long enough to be terminated early, such as the one with port 1379 involved.
tawk 'port(1379)' ~/results/faf-exercise_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktsSnt pktsRcvd padBytesSnt l7BytesSnt l7BytesRcvd minL7PktSz maxL7PktSz avgL7PktSz stdL7PktSz minIAT maxIAT avgIAT stdIAT pktps bytps pktAsm bytAsm
A 10 0x0400000000004000 1258562467.749142000 1258562509.633370000 41.884228000 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "!Private network" 1379 63.245.221.11 us "!Mozilla Anycast" 80 6 14 18 90 1801 15606 0 455 128.6429 226.7397 0 22.97809 2.99173 6.691677 0.3342547 42.99948 -0.125 -0.7930717
B 10 0x0400000000004001 1258562467.754689000 1258562509.653962000 41.899273000 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 63.245.221.11 us "!Mozilla Anycast" 80 192.168.1.104 07 "!Private network" 1379 6 18 14 0 15606 1801 0 1380 867 653.2386 0 22.97829 2.327737 6.045996 0.4296017 372.4647 0.125 0.7930717
Now let us forcefully terminate flows above a certain length in the next chapter.
Flow duration limit: FDURLIMIT
Set FDURLIMIT to 3, recompile and rerun T2 on the pcap. Then t2 will terminate every flow with a time frame >= 3 seconds and restart a new flow with the same hash but a different findex.
t2conf tranalyzer2 -D FDURLIMIT=3 && t2build tranalyzer2
t2 -r ~/data/faf-exercise.pcap -w ~/results/faf-exercise3
================================================================================
Tranalyzer 0.9.4 (Anteater), Cobra. PID: 28916, Prio: 0, SID: 666
================================================================================
Date: 1751988328.000646342 sec (Tue 08 Jul 2025 17:25:28 CEST)
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.4
    02: basicStats, 0.9.4
    03: txtSink, 0.9.4
[INF] IPv4 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 7237971 (7.24 M)
[INF] IPv6 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 1419101 (1.42 M)
Processing file: /home/user/data/faf-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1258544215.037210000 sec (Wed 18 Nov 2009 11:36:55 GMT)
Dump stop : 1258594491.683288000 sec (Thu 19 Nov 2009 01:34:51 GMT)
Total dump duration: 50276.646078000 sec (13h 57m 56s)
Finished processing. Elapsed time: 0.005439963 sec
Finished unloading flow memory. Time: 0.005451805 sec
Percentage completed: 100.00%
Number of processed packets: 5902 (5.90 K)
Number of processed bytes: 4993414 (4.99 M)
Number of raw bytes: 4993414 (4.99 M)
Number of pad bytes: 11668 (11.67 K)
Number of pcap bytes: 5087870 (5.09 M)
Number of IPv4 packets: 5902 (5.90 K) [100.00%]
Number of A packets: 1986 (1.99 K) [33.65%]
Number of B packets: 3916 (3.92 K) [66.35%]
Number of A bytes: 209315 (209.31 K) [4.19%]
Number of B bytes: 4784099 (4.78 M) [95.81%]
<A packet load>: 105.40
<B packet load>: 1221.68 (1.22 K)
--------------------------------------------------------------------------------
basicStats: Flow max(pktload): 1379 (1.38 K)
basicStats: Flow max(b/s), pkts: 8273466 (8.27 Mb/s), 73
basicStats: Biggest L3 flow talker: 143.166.11.10 (US): 558 [9.45%] packets
basicStats: Biggest L3 flow talker: 143.166.11.10 (US): 769189 (769.19 K) [15.40%] bytes
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of TCP packets: 5902 (5.90 K) [100.00%]
Number of TCP bytes: 4993414 (4.99 M) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 104
Number of processed IPv4 flows: 104 [100.00%]
Number of processed A flows: 53 [50.96%]
Number of processed B flows: 51 [49.04%]
Number of request flows: 52 [50.00%]
Number of reply flows: 52 [50.00%]
Total A/B flow asymmetry: 0.02
Total req/rply flow asymmetry: 0.00
Number of processed A+B packets/A+B flows: 56.75
Number of processed A packets/A flows: 37.47
Number of processed B packets/ B flows: 76.78
Number of processed total packets/s: 0.12
Number of processed A+B packets/s: 0.12
Number of processed A packets/s: 0.04
Number of processed B packets/s: 0.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.00
<Bandwidth>: 792 b/s
<Raw bandwidth>: 795 b/s
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.02 GB [0.03%]
Aggregated flowStat=0x0400020000004001
[INF] IPv4 flows
As expected we now have more flows, but the same number of packets, otherwise something would be very wrong. The reporting of basicStats changed, as the packets of a specific IP are now scattered over many flows. And the end report has the RMFLOW bit set to indicate that flows are forcefully terminated.
If you now extract the same flow as above, you realize that the flows have a length shorter than three seconds. Note the time difference of 10 seconds between timeLast of flow 10 and timeFirst of flow 11. Hence, after 10 seconds a new packet came in, flow 10 terminated with its last packet at 1258562467.900050, and B-flow 11 restarted with this very packet at 1258562477.772691.
This happens when you have bursty traffic. If the traffic were regular, all flows would have a duration of three seconds. The RMFLOW bit indicates the flow where the FDURLIMIT timeout occurred.
tawk 'port(1379)' ~/results/faf-exercise3_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktsSnt pktsRcvd padBytesSnt l7BytesSnt l7BytesRcvd minL7PktSz maxL7PktSz avgL7PktSz stdL7PktSz minIAT maxIAT avgIAT stdIAT pktps bytps pktAsm bytAsm
A 10 0x0400020000004000 1258562467.749142000 1258562467.900050000 0.150908000 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "!Private network" 1379 63.245.221.11 us "!Mozilla Anycast" 80 6 4 3 20 449 444 0 449 112.25 236.6438 0 0.144417 0.037727 0.07119286 26.50622 2975.323 0.1428571 0.005599104
B 10 0x0400000000004001 1258562467.754689000 1258562467.761692000 0.007003000 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 63.245.221.11 us "!Mozilla Anycast" 80 192.168.1.104 07 "!Private network" 1379 6 3 4 0 444 449 0 444 148 256.3435 0 0.006751 0.002334333 0.004294658 428.3878 63401.4 -0.1428571 -0.005599104
A 11 0x0400000000004000 1258562477.713894000 1258562478.454425000 0.740531000 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "!Private network" 1379 63.245.221.11 us "!Mozilla Anycast" 80 6 8 13 50 1352 15162 0 455 169 262.9383 0 0.380024 0.09256638 0.1367444 10.80306 1825.717 -0.2380952 -0.8362601
B 11 0x0400020000004001 1258562477.772691000 1258562478.454017000 0.681326000 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 63.245.221.11 us "!Mozilla Anycast" 80 192.168.1.104 07 "!Private network" 1379 6 13 8 0 15162 1352 10 1380 1166.308 518.9647 0 0.426916 0.05240969 0.13572 19.08044 22253.67 0.2380952 0.8362601
A 13 0x0400020000004000 1258562501.432514000 1258562501.432514000 0.000000000 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "!Private network" 1379 63.245.221.11 us "!Mozilla Anycast" 80 6 1 1 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0
B 13 0x0400000000004001 1258562501.432305000 1258562501.432305000 0.000000000 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 63.245.221.11 us "!Mozilla Anycast" 80 192.168.1.104 07 "!Private network" 1379 6 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
A 16 0x0400000000004000 1258562509.633370000 1258562509.633370000 0.000000000 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "!Private network" 1379 63.245.221.11 us "!Mozilla Anycast" 80 6 1 1 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0
B 16 0x0400000000004001 1258562509.653962000 1258562509.653962000 0.000000000 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 63.245.221.11 us "!Mozilla Anycast" 80 192.168.1.104 07 "!Private network" 1379 6 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Yes, I picked this traffic on purpose to demonstrate that behavior of T2.
As you can see, our flow 10 is now divided into four flows: 10, 11, 13 and 16. But if you want to select all the sub-flows, you need to select the port, or the full 6-tuple if there are many more flows with the same port or IP pair. In order to facilitate that operation, since 0.8.8lmw2 the FDLSFINDEX switch was added to label all sub-flows with the same findex.
Flow duration, same index: FDLSFINDEX
In order to label all sub-flows with the same findex, the constant FDLSFINDEX has to be enabled in conjunction with a non-zero value of FDURLIMIT in tranalyzer.h, or just use t2conf as indicated below.
t2conf tranalyzer2 -D FDLSFINDEX=1 && t2build tranalyzer2
t2 -r ~/data/faf-exercise.pcap -w ~/results/faf-exercise3f
...
--------------------------------------------------------------------------------
basicStats: Flow max(pktload): 1433 (1.43 K)
basicStats: Flow max(b/s), pkts: 8615298 (8.62 Mb/s), 73
basicStats: Biggest L3 flow talker: 143.166.11.10 (US): 558 [9.45%] packets
basicStats: Biggest L3 flow talker: 143.166.11.10 (US): 799321 (799.32 K) [16.01%] bytes
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of TCP packets: 5902 (5.90 K) [100.00%]
Number of TCP bytes: 4993414 (4.99 M) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 104
Number of processed IPv4 flows: 104 [100.00%]
Number of processed A flows: 53 [50.96%]
Number of processed B flows: 51 [49.04%]
Number of request flows: 52 [50.00%]
Number of reply flows: 52 [50.00%]
...
The end report looks the same as above, with the exception that now the FDLSIDX bit is set, indicating that all sub-flows belonging to the original, un-terminated flow now have the same findex. Now select flow 10 again and you discover that the flows 10, 11, 13 and 16 now all have findex 10, which is much easier to extract, as indicated below.
tawk 'flow(10)' ~/results/faf-exercise3f_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktsSnt pktsRcvd padBytesSnt l7BytesSnt l7BytesRcvd minL7PktSz maxL7PktSz avgL7PktSz stdL7PktSz minIAT maxIAT avgIAT stdIAT pktps bytps pktAsm bytAsm
A 10 0x0400020000004000 1258562467.749142000 1258562467.900050000 0.150908000 1 80 fe:63:a3:b6:0d:22;46:d9:fe:63:a3:b6;ff:44:23:f6:80:ed 6d:59:a5:aa:46:d9;b1:e7:6d:59:a5:aa;0f:da:77:2f:6d:62 0x0800 192.168.1.104 07 "!Private network" 1379 63.245.221.11 us "!Mozilla Anycast" 80 6 4 3 20 673 614 54 503 168.25 235.2097 0 0.144417 0.037727 0.07119286 26.50622 4459.671 0.1428571 0.04584305
B 10 0x0400000000004001 1258562467.754689000 1258562467.761692000 0.007003000 1 1379 a5:aa:46:d9:fe:63;68:75:6e:64:65:72;42:3e:be:0f:da:77 eb:f0:b1:e7:6d:59;47:45:54:20:2f:74;65:0d:0a:0d:0a:45 0x0800 63.245.221.11 us "!Mozilla Anycast" 80 192.168.1.104 07 "!Private network" 1379 6 3 4 0 614 673 54 498 204.6667 254.0761 0 0.006751 0.002334333 0.004294658 428.3878 87676.71 -0.1428571 -0.04584305
A 10 0x4400000000004000 1258562477.713894000 1258562478.454425000 0.740531000 1 80 53:92:60:01:48:7c;0a:53:65:72:76:65;0e:29:7b:63:67:d3 ff:44:23:f6:80:ed;30:30:20:4f:4b:0d;f4:37:fa:7b:fd:92 0x0800 192.168.1.104 07 "!Private network" 1379 63.245.221.11 us "!Mozilla Anycast" 80 6 8 13 50 1784 15864 54 509 223 262.9383 0 0.380024 0.09256638 0.1367444 10.80306 2409.082 -0.2380952 -0.7978241
B 10 0x4400020000004001 1258562477.772691000 1258562478.454017000 0.681326000 1 1379 00:00:00:00:00:00;0a:53:65:72:76:65;ac:fc:04:db:61:d4 00:00:00:00:00:00;30:30:20:4f:4b:0d;56:29:14:c7:fc:a2 0x0800 63.245.221.11 us "!Mozilla Anycast" 80 192.168.1.104 07 "!Private network" 1379 6 13 8 0 15864 1784 64 1434 1220.308 518.9647 0 0.426916 0.05240969 0.13572 19.08044 23284.01 0.2380952 0.7978241
A 10 0x4400020000004000 1258562501.432514000 1258562501.432514000 0.000000000 1 80 8d:26:6f:2f:b2:39 b2:87:64:65:6c:99 0x0800 192.168.1.104 07 "!Private network" 1379 63.245.221.11 us "!Mozilla Anycast" 80 6 1 1 10 54 54 54 54 54 0 0 0 0 0 0 0 0 0
B 10 0x4400000000004001 1258562501.432305000 1258562501.432305000 0.000000000 1 1379 36:11:6e:37:b2:87 00:00:00:00:00:00 0x0800 63.245.221.11 us "!Mozilla Anycast" 80 192.168.1.104 07 "!Private network" 1379 6 1 1 0 54 54 54 54 54 0 0 0 0 0 0 0 0 0
A 10 0x4400000000004000 1258562509.633370000 1258562509.633370000 0.000000000 1 80 8d:26:6f:2f:b2:39 b2:87:64:65:6c:99 0x0800 192.168.1.104 07 "!Private network" 1379 63.245.221.11 us "!Mozilla Anycast" 80 6 1 1 10 54 54 54 54 54 0 0 0 0 0 0 0 0 0
B 10 0x4400000000004001 1258562509.653962000 1258562509.653962000 0.000000000 1 1379 5e:ce:75:33:b2:87 00:00:00:00:00:00 0x0800 63.245.221.11 us "!Mozilla Anycast" 80 192.168.1.104 07 "!Private network" 1379 6 1 1 0 54 54 54 54 54 0 0 0 0 0 0 0 0 0
Now let’s explore the difference to the flow timeout.
No packets seen since: FLOW_TIMEOUT
As explained above, the constant FLOW_TIMEOUT controls the lifetime of a flow if no packet was seen. This is very different from FDURLIMIT, which terminates a flow and starts a new flow after an internal flow lifetime.
The timeout of flows can be very useful if you want to follow protocols and change the timeout depending on a protocol state, as implemented in the tcpStates plugin.
FLOW_TIMEOUT is actually a float, so you can set a timeout of π seconds if you like. We choose 3 as we like to compare it to the previous experiments. So switch FDURLIMIT off, set FLOW_TIMEOUT to 3, recompile and rerun t2 on the same pcap.
t2conf tranalyzer2 -D FDURLIMIT=0 -D FLOW_TIMEOUT=3 && t2build tranalyzer2
t2 -r ~/data/faf-exercise.pcap -w ~/results/faf-exercise3t
...
--------------------------------------------------------------------------------
basicStats: Flow max(pktload): 1376 (1.38 K)
basicStats: Flow max(b/s), pkts: 8273466 (8.27 Mb/s), 73
basicStats: Biggest L3 flow talker: 143.166.11.10 (US): 3101 (3.10 K) [52.54%] packets
basicStats: Biggest L3 flow talker: 143.166.11.10 (US): 4268858 (4.27 M) [85.49%] bytes
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of TCP packets: 5902 (5.90 K) [100.00%]
Number of TCP bytes: 4993414 (4.99 M) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 88
Number of processed IPv4 flows: 88 [100.00%]
Number of processed A flows: 45 [51.14%]
Number of processed B flows: 43 [48.86%]
Number of request flows: 44 [50.00%]
Number of reply flows: 44 [50.00%]
Total A/B flow asymmetry: 0.02
Total req/rply flow asymmetry: 0.00
Number of processed A+B packets/A+B flows: 67.07
Number of processed A packets/A flows: 44.13
Number of processed B packets/ B flows: 91.07
Number of processed total packets/s: 0.12
Number of processed A+B packets/s: 0.12
Number of processed A packets/s: 0.04
Number of processed B packets/s: 0.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...
Now we have 88 flows, not 73 as with the 182 sec timeout, or 104 with FDURLIMIT. What is the reason? If you select the same port 1379 as before, you discover that flow 10 shows the same behavior as with FDURLIMIT set to 3 sec, because none of the flows saw a packet for 3 seconds, hence they terminated and the following packet landed in the next flow. Oops, bad example to show the difference? Actually not, because it illustrates the need to be observant: the circumstances of the traffic produce for this very flow the same flow chunks.
tawk 'port(1379)' ~/results/faf-exercise3t_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktsSnt pktsRcvd padBytesSnt l7BytesSnt l7BytesRcvd minL7PktSz maxL7PktSz avgL7PktSz stdL7PktSz minIAT maxIAT avgIAT stdIAT pktps bytps pktAsm bytAsm
A 10 0x0400000000004000 1258562467.749142000 1258562467.900050000 0.150908000 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "!Private network" 1379 63.245.221.11 us "!Mozilla Anycast" 80 6 4 3 20 449 444 0 449 112.25 236.6438 0 0.144417 0.037727 0.07119286 26.50622 2975.323 0.1428571 0.005599104
B 10 0x0400000000004001 1258562467.754689000 1258562467.761692000 0.007003000 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 63.245.221.11 us "!Mozilla Anycast" 80 192.168.1.104 07 "!Private network" 1379 6 3 4 0 444 449 0 444 148 256.3435 0 0.006751 0.002334333 0.004294658 428.3878 63401.4 -0.1428571 -0.005599104
A 11 0x0400000000004000 1258562477.713894000 1258562478.454425000 0.740531000 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "!Private network" 1379 63.245.221.11 us "!Mozilla Anycast" 80 6 8 13 50 1352 15162 0 455 169 262.9383 0 0.380024 0.09256638 0.1367444 10.80306 1825.717 -0.2380952 -0.8362601
B 11 0x0400000000004001 1258562477.772691000 1258562478.454017000 0.681326000 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 63.245.221.11 us "!Mozilla Anycast" 80 192.168.1.104 07 "!Private network" 1379 6 13 8 0 15162 1352 10 1380 1166.308 518.9647 0 0.426916 0.05240969 0.13572 19.08044 22253.67 0.2380952 0.8362601
A 13 0x0400000000004000 1258562501.432514000 1258562501.432514000 0.000000000 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "!Private network" 1379 63.245.221.11 us "!Mozilla Anycast" 80 6 1 1 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0
B 13 0x0400000000004001 1258562501.432305000 1258562501.432305000 0.000000000 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 63.245.221.11 us "!Mozilla Anycast" 80 192.168.1.104 07 "!Private network" 1379 6 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
A 16 0x0400000000004000 1258562509.633370000 1258562509.633370000 0.000000000 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "!Private network" 1379 63.245.221.11 us "!Mozilla Anycast" 80 6 1 1 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0
B 16 0x0400000000004001 1258562509.653962000 1258562509.653962000 0.000000000 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 63.245.221.11 us "!Mozilla Anycast" 80 192.168.1.104 07 "!Private network" 1379 6 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Now look for port 49330; you will see two flows, one of them a single A flow with one packet. The findex numbers differ from each other, therefore we select the port.
tawk 'port(49330)' ~/results/faf-exercise3t_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktsSnt pktsRcvd padBytesSnt l7BytesSnt l7BytesRcvd minL7PktSz maxL7PktSz avgL7PktSz stdL7PktSz minIAT maxIAT avgIAT stdIAT pktps bytps pktAsm bytAsm
A 42 0x0400000000004000 1258594163.408285000 1258594185.427968000 22.019683000 1 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 "!Private network" 49330 143.166.11.10 us "DELL-BLK" 64334 6 1513 3101 10020 0 4268858 0 0 0 0 0 0.671332 0.01455366 0.03760424 68.71125 0 -0.3441699 -1
B 42 0x0400000000004001 1258594163.487027000 1258594185.427506000 21.940479000 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us "DELL-BLK" 64334 192.168.1.105 07 "!Private network" 49330 6 3101 1513 0 4268858 0 0 1380 1376.607 65.41798 0 0.67109 0.007075286 0.02775886 141.3369 194565.4 0.3441699 1
A 44 0x0400000000004000 1258594191.015208000 1258594191.015208000 0.000000000 1 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 "!Private network" 49330 143.166.11.10 us "DELL-BLK" 64334 6 1 0 10 0 0 0 0 0 0 0 0 0 0 0 0 1 0
The FLOW_TIMEOUT produces one more flow, 44, for a packet which comes after the timeout. Most of the packets arrive very regularly, in contrast to flow 10 in the example above. The same flow from the previous chapter, listed below, shows nine flows, mostly evenly 3 seconds long. See the differences between those modes?
tawk 'port(49330)' ~/results/faf-exercise3f_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktsSnt pktsRcvd padBytesSnt l7BytesSnt l7BytesRcvd minL7PktSz maxL7PktSz avgL7PktSz stdL7PktSz minIAT maxIAT avgIAT stdIAT pktps bytps pktAsm bytAsm
A 36 0x0400000000004000 1258594163.408285000 1258594165.927703000 2.519418000 1 64334 6f:64:65:20:28:31;73:69:76:65:20:4d;ff:00:74:41:8d:45 73:69:76:65:20:4d;04:02:13:6f:4b:cd;09:80:bd:e9:fe:ff 0x0800 192.168.1.105 07 "!Private network" 49330 143.166.11.10 us "DELL-BLK" 64334 6 64 103 230 4308 143572 54 82 67.3125 11.70744 0 0.671332 0.03936591 0.116794 25.40269 1709.919 -0.2335329 -0.9417365
B 36 0x0400020000004001 1258594163.487027000 1258594165.927248000 2.440221000 1 49330 4b:cd:73:69:76:65;20:b7:0d:5d:25:d7;6a:5d:b3:75:06:86 01:01:04:02:13:6f;40:36:58:4a:06:7c;00:00:00:00:00:1c 0x0800 143.166.11.10 us "DELL-BLK" 64334 192.168.1.105 07 "!Private network" 49330 6 103 64 0 143572 4308 55 1434 1393.903 256.4751 0 0.67109 0.02369147 0.09814402 42.20929 58835.65 0.2335329 0.9417365
A 36 0x4400000000004000 1258594166.005912000 1258594168.988792000 2.982880000 1 64334 35:90:67:71:15:c1;4b:34:e8:e4:32:c2;f1:a7:67:71:15:c1 72:2e:6c:a9:4a:b6;67:71:15:c1:5c:92;bd:62:dc:62:7d:17 0x0800 192.168.1.105 07 "!Private network" 49330 143.166.11.10 us "DELL-BLK" 64334 6 223 444 1600 12838 635316 54 74 57.56951 5.874717 0 0.079202 0.01337614 0.02873054 74.75996 4303.894 -0.3313343 -0.960386
B 36 0x4400020000004001 1258594166.005251000 1258594168.988590000 2.983339000 1 49330 20:b7:0d:5d:25:d7;64:8f:94:1e:39:1d;3d:a9:d9:9b:e3:70 40:36:58:4a:06:7c;86:94:0f:95:c7:74;d7:c2:b0:23:80:77 0x0800 143.166.11.10 us "DELL-BLK" 64334 192.168.1.105 07 "!Private network" 49330 6 444 223 0 635316 12838 134 1434 1430.892 64.14875 0 0.079166 0.006719231 0.02134633 148.8265 212954.7 0.3313343 0.960386
A 36 0x4400000000004000 1258594169.065239000 1258594171.945675000 2.880436000 1 64334 db:7c:58:f8:e7:c6;1f:88:a4:9d:18:76;ff:25:95:84:69:f2 e2:a9:31:cb:0a:5f;9c:d9:2b:f5:73:55;29:cb:97:0c:ac:60 0x0800 192.168.1.105 07 "!Private network" 49330 143.166.11.10 us "DELL-BLK" 64334 6 194 402 1370 11160 575611 54 66 57.52577 5.517236 0 0.128673 0.01484761 0.03102435 67.35091 3874.414 -0.3489933 -0.9619613
B 36 0x4400020000004001 1258594169.064789000 1258594171.944501000 2.879712000 1 49330 20:b7:0d:5d:25:d7;99:e1:f1:11:d1:9a 40:36:58:4a:06:7c;74:97:7e:53:6b:82 0x0800 143.166.11.10 us "DELL-BLK" 64334 192.168.1.105 07 "!Private network" 49330 6 402 194 0 575611 11160 577 1434 1431.868 42.74804 0 0.128665 0.007163462 0.02279602 139.5973 199884.9 0.3489933 0.9619613
A 36 0x4400000000004000 1258594172.021878000 1258594174.978021000 2.956143000 1 64334 a8:11:a9:8d:21:5a;86:cf:16:c4:b1:28;01:37:9b:6a:46:36 8d:81:3b:ac:da:18;79:36:3f:ef:b6:e5;c7:17:6f:fe:9f:05 0x0800 192.168.1.105 07 "!Private network" 49330 143.166.11.10 us "DELL-BLK" 64334 6 226 436 1430 13320 625039 54 82 58.93805 6.9197 0 0.124433 0.01308028 0.02926938 76.45097 4505.872 -0.3172205 -0.958268
B 36 0x4400020000004001 1258594172.021456000 1258594174.977086000 2.955630000 1 49330 20:b7:0d:5d:25:d7;29:2d:49:4b:5b:14 40:36:58:4a:06:7c;ae:d8:e2:0a:d8:1a 0x0800 143.166.11.10 us "DELL-BLK" 64334 192.168.1.105 07 "!Private network" 49330 6 436 226 0 625039 13320 1249 1434 1433.576 8.871373 0 0.124927 0.006778968 0.02222792 147.5151 211474 0.3172205 0.958268
A 36 0x4400000000004000 1258594175.055730000 1258594177.968394000 2.912664000 1 64334 1f:93:d9:2e:17:f1;34:cc:ea:ef:04:61;51:c6:08:2a:ae:a5 37:64:68:30:f6:78;44:a4:74:6f:5f:42;79:8e:65:d3:d1:f1 0x0800 192.168.1.105 07 "!Private network" 49330 143.166.11.10 us "DELL-BLK" 64334 6 233 527 1760 13586 754960 54 82 58.30901 8.075032 0 0.079708 0.0125007 0.02839396 79.9955 4664.458 -0.3868421 -0.9646449
B 36 0x4400020000004001 1258594175.055030000 1258594177.966989000 2.911959000 1 49330 20:b7:0d:5d:25:d7;bf:37:09:ad:90:41;35:51:96:70:6e:50 40:36:58:4a:06:7c;8f:cd:a5:bc:6d:02;97:e4:4a:25:76:c9 0x0800 143.166.11.10 us "DELL-BLK" 64334 192.168.1.105 07 "!Private network" 49330 6 527 233 0 754960 13586 750 1434 1432.562 30.21223 0 0.07942 0.005525537 0.01979873 180.9778 259261.9 0.3868421 0.9646449
A 36 0x4400000000004000 1258594178.040853000 1258594180.952029000 2.911176000 1 64334 22:30:af:3d:9e:1c;2a:f7:81:67:e2:47;e0:da:4a:86:94:77 51:a3:5b:b4:68:c1;4e:8b:e3:fe:a5:b2;9d:cd:c8:01:28:7f 0x0800 192.168.1.105 07 "!Private network" 49330 143.166.11.10 us "DELL-BLK" 64334 6 261 558 1670 15254 799321 54 74 58.44444 6.051954 0 0.078208 0.01115393 0.0268771 89.65449 5239.807 -0.3626374 -0.9625474
B 36 0x4400020000004001 1258594178.040152000 1258594180.951598000 2.911446000 1 49330 20:b7:0d:5d:25:d7;ff:c9:2f:09:63:f2 40:36:58:4a:06:7c;37:43:6e:ad:d6:f6 0x0800 143.166.11.10 us "DELL-BLK" 64334 192.168.1.105 07 "!Private network" 49330 6 558 261 0 799321 15254 583 1434 1432.475 36.11706 0 0.078343 0.005217646 0.01916558 191.6573 274544.3 0.3626374 0.9625474
A 36 0x4400000000004000 1258594181.028734000 1258594183.937406000 2.908672000 1 64334 f5:69:e6:87:99:1e;70:ce:95:5d:ca:97;79:c7:a1:8e:1b:3a 48:ad:11:b0:73:08;ca:b6:29:8e:58:8f;74:6c:eb:d8:d9:71 0x0800 192.168.1.105 07 "!Private network" 49330 143.166.11.10 us "DELL-BLK" 64334 6 221 476 1480 12922 682466 54 82 58.47059 6.707335 0 0.079713 0.01316141 0.02917532 75.97969 4442.577 -0.3658537 -0.9628351
B 36 0x4400020000004001 1258594181.028052000 1258594183.937122000 2.909070000 1 49330 20:b7:0d:5d:25:d7;c9:85:3a:55:c3:52 40:36:58:4a:06:7c;41:9b:2c:e9:b8:c9 0x0800 143.166.11.10 us "DELL-BLK" 64334 192.168.1.105 07 "!Private network" 49330 6 476 221 0 682466 12922 1316 1434 1433.752 5.445974 0 0.079432 0.006111494 0.02087659 163.6262 234599.4 0.3658537 0.9628351
A 36 0x4400020000004000 1258594184.015600000 1258594185.427968000 1.412368000 1 64334 bb:7b:2c:4e:c5:26;3f:ff:ed:4c:fe:48;ac:50:de:51:ac:5e 54:51:0a:5d:0c:a1;fc:c7:f5:8a:e0:1d;a4:b4:6e:7c:d4:ef 0x0800 192.168.1.105 07 "!Private network" 49330 143.166.11.10 us "DELL-BLK" 64334 6 91 155 480 5622 220035 54 82 61.78022 9.515863 0 0.079954 0.01552053 0.0312843 64.43079 3980.549 -0.2601626 -0.9501722
B 36 0x4400000000004001 1258594184.015154000 1258594185.427506000 1.412352000 1 49330 20:b7:0d:5d:25:d7;25:06:08:2b:06:01;2c:2d:49:d0:30:82 40:36:58:4a:06:7c;01:04:29:30:27:30;00:00:00:00:00:00 0x0800 143.166.11.10 us "DELL-BLK" 64334 192.168.1.105 07 "!Private network" 49330 6 155 91 0 220035 5622 54 1434 1419.581 130.0157 0 0.079416 0.009111947 0.02503189 109.746 155793.3 0.2601626 0.9501722
A 36 0x4400000000004000 1258594191.015208000 1258594191.015208000 0.000000000 1 64334 70:6c:65:74:65:2e 65:72:20:63:6f:6d 0x0800 192.168.1.105 07 "!Private network" 49330 143.166.11.10 us "DELL-BLK" 64334 6 1 0 10 54 0 54 54 54 0 0 0 0 0 0 0 1 1
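To make the three knobs concrete, the following Python model (added here, not Tranalyzer code) replays one flow hash through the rules described in the Flow timeout control section: FLOW_TIMEOUT, FDURLIMIT and FDLSFINDEX. It is fed two constructed timelines, a bursty one built around the chunk boundaries of flow 10 (port 1379) and a regular one resembling port 49330 with a late packet, and reproduces the four chunks, the nine chunks and the two flows seen in the tables above. Assumptions: a single hash, the timeout is checked before the duration limit, and findex numbers are handed out sequentially (in T2 other flows interleave, so they jump as on this page).

```python
"""Model of the T2 flow termination rules described on this page (FLOW_TIMEOUT,
FDURLIMIT, FDLSFINDEX). Added example, not Tranalyzer code."""
from dataclasses import dataclass
from typing import List, Optional

USEC = 1_000_000  # timestamps are integer microseconds, so limits compare exactly


def us(seconds: float) -> int:
    """Convert a pcap-style timestamp (microsecond precision) to integer microseconds."""
    return int(round(seconds * USEC))


@dataclass
class SubFlow:
    findex: int
    first: int            # timeFirst (us)
    last: int             # timeLast  (us)
    pkts: int = 1
    forced: bool = False  # terminated by FDURLIMIT, what the page calls the RMFLOW bit

    @property
    def duration(self) -> float:
        return (self.last - self.first) / USEC


def split_flow(ts_list: List[int], *, flow_timeout: int = 182 * USEC, fdurlimit: int = 0,
               fdlsfindex: int = 0, first_findex: int = 1) -> List[SubFlow]:
    """Group the packets of ONE flow hash into sub-flows.

    FLOW_TIMEOUT: a packet arriving more than flow_timeout after the last packet of
                  the open sub-flow finds it already released and opens a new one.
    FDURLIMIT:    if > 0, a packet arriving >= fdurlimit after the FIRST packet of the
                  open sub-flow forcefully terminates it and opens a new one
                  (no packet with this hash, no termination).
    FDLSFINDEX:   1 keeps first_findex for every sub-flow, 0 hands out a fresh findex.
    Assumptions: packets of a single hash, timeout checked before the duration limit,
    findex incremented by one (in T2 other flows interleave, so the numbers jump)."""
    flows: List[SubFlow] = []
    cur: Optional[SubFlow] = None
    for ts in sorted(ts_list):
        if cur is not None:
            timed_out = ts - cur.last > flow_timeout
            forced = (not timed_out) and fdurlimit > 0 and ts - cur.first >= fdurlimit
            if timed_out or forced:
                cur.forced = forced
                cur = None
        if cur is None:
            findex = first_findex if fdlsfindex else first_findex + len(flows)
            cur = SubFlow(findex=findex, first=ts, last=ts)
            flows.append(cur)
        else:
            cur.last = ts
            cur.pkts += 1
    return flows


def packets_conserved(ts_list: List[int], **cfg) -> bool:
    """Whatever the timeout settings, no packet may be lost or duplicated."""
    return sum(f.pkts for f in split_flow(ts_list, **cfg)) == len(ts_list)


def summary(ts_list: List[int], **cfg) -> List[tuple]:
    """(findex, pkts, duration in s, forced) per sub-flow, for printing and testing."""
    return [(f.findex, f.pkts, round(f.duration, 6), f.forced)
            for f in split_flow(ts_list, **cfg)]


# Constructed timeline for the A side of flow 10 (port 1379): the timeFirst/timeLast
# of the four chunks on this page are real, the packets in between are invented.
BURSTY = [us(t) for t in (
    1258562467.749142, 1258562467.800000, 1258562467.850000, 1258562467.900050,
    1258562477.713894, 1258562477.900000, 1258562478.200000, 1258562478.454425,
    1258562501.432514,
    1258562509.633370,
)]

# Constructed timeline resembling the A side of port 49330: one packet every 0.1 s
# for 22 s (221 packets), then a single late packet about 5.6 s after the last one.
_START = us(1258594163.408285)
REGULAR = [_START + i * 100_000 for i in range(221)] + [_START + 220 * 100_000 + 5_600_000]


if __name__ == "__main__":
    for name, ts in (("bursty port 1379", BURSTY), ("regular port 49330", REGULAR)):
        print(name)
        print("  FLOW_TIMEOUT=182           :", summary(ts, first_findex=10))
        print("  FDURLIMIT=3                :", summary(ts, fdurlimit=3 * USEC, first_findex=10))
        print("  FDURLIMIT=3, FDLSFINDEX=1  :",
              summary(ts, fdurlimit=3 * USEC, fdlsfindex=1, first_findex=10))
        print("  FLOW_TIMEOUT=3             :", summary(ts, flow_timeout=3 * USEC, first_findex=10))
```

For the bursty flow both modes yield the same four chunks with the page's durations 0.150908 and 0.740531 s, while the regular flow splits into nine chunks under FDURLIMIT but only two under FLOW_TIMEOUT.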
Conclusion
Do not forget to reset the config to default for the other tutorials.
t2conf --reset -a && t2build -R
Have fun experimenting!