Tutorial: The Packet forensics mode

Description

This tutorial gives you an introduction to the packet mode of T2. It was designed to enable efficient post-processing and to serve as a means of drilling down from the flows to the individual packet. It uses the same format as the flow files and can therefore be processed by tawk or any tool of your choice. Each plugin can contribute to the packet mode, just as it does with flows. Flows and packets are linked by the unique flow index.

Preparation

Before we start, all unnecessary or older plugins should be deleted from the plugin folder ~/.tranalyzer/plugins. The plugins required for this tutorial (basicFlow, basicStats, tcpStates, ftpDecode and txtSink) should then be recompiled.

# First, empty the plugins folder.
$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$ t2build basicFlow basicStats tcpStates ftpDecode txtSink
...
BUILD SUCCESSFUL

Compiling the basicFlow plugin now took a bit longer, because the subnet files for geolocation had to be rebuilt: -e also removes the subnet file.

Another method is to just remove the .so files, and preserve the old subnet files:

$ rm ~/.tranalyzer/plugins/*.so
$ t2build basicFlow basicStats tcpStates ftpDecode txtSink

This way, the compilation will be considerably faster, as the subnet file already exists.

If you did not create separate data and results directories yet, please do it now in another cmd window:

$ mkdir ~/data
$ mkdir ~/results
$ cd ~/data

The anonymized sample pcap can be downloaded here: faf-exercise.pcap. Please extract it into your data folder, if you have not already done so. Now you are all set for your first packet mode experience.

Activation of Packet Mode

The packet mode is activated by adding the -s option to the t2 command line. As we loaded the txtSink plugin, the output will now be provided as text. Invoke t2 with the -s option; each packet now produces a separate line in the packet file.

$ t2 -r ~/data/faf-exercise.pcap -w ~/results -s
================================================================================
Tranalyzer 0.8.2 (Anteater), Tarantula. PID: 28393
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.3
    02: basicStats, 0.8.3
    03: tcpStates, 0.8.2
    04: ftpDecode, 0.8.2
    05: txtSink, 0.8.2
[INF] basicFlow: IPv4 Ver: 3, Rev: 20190114, Range Mode: 0, subnet ranges loaded: 2816255 (2.82 M)
[INF] basicFlow: IPv6 Ver: 3, Rev: 20190114, Range Mode: 0, subnet ranges loaded: 36634 (36.63 K)
Processing file: /home/wurst/data/faf-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1258544215.037210 sec (Wed 18 Nov 2009 11:36:55 GMT)
Dump stop : 1258594491.683288 sec (Thu 19 Nov 2009 01:34:51 GMT)
Total dump duration: 50276.646078 sec (13h 57m 56s)
Finished processing. Elapsed time: 0.139421 sec
Finished unloading flow memory. Time: 0.139459 sec
Percentage completed: 100.00%
Number of processed packets: 5902 (5.90 K)
Number of processed bytes: 4993414 (4.99 M)
Number of raw bytes: 4993414 (4.99 M)
Number of pcap bytes: 5087870 (5.09 M)
Number of IPv4 packets: 5902 (5.90 K) [100.00%]
Number of A packets: 1986 (1.99 K) [33.65%]
Number of B packets: 3916 (3.92 K) [66.35%]
Number of A bytes: 209315 (209.31 K) [4.19%]
Number of B bytes: 4784099 (4.78 M) [95.81%]
Average A packet load: 105.40
Average B packet load: 1221.68 (1.22 K)
--------------------------------------------------------------------------------
basicStats: Biggest Talker: 143.166.11.10: 3101 (3.10 K) [52.54%] packets
basicStats: Biggest Talker: 143.166.11.10: 4268858 (4.27 M) [85.49%] bytes
tcpStates: Aggregated anomaly flags: 0x4a
ftpDecode: Anomaly flags: 0x01
ftpDecode: Number of FTP packets: 22 [0.37%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 5902 (5.90 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 72
Number of processed A flows: 36 [50.00%]
Number of processed B flows: 36 [50.00%]
Number of request     flows: 36 [50.00%]
Number of reply       flows: 36 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 81.97
Number of processed A packets/flows: 55.17
Number of processed B packets/flows: 108.78
Number of processed total packets/s: 0.12
Number of processed A+B packets/s: 0.12
Number of processed A   packets/s: 0.04
Number of processed   B packets/s: 0.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.00
Average full raw bandwidth: 795 b/s
Average full bandwidth : 792 b/s
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.35 GB [0.52%]
Aggregate flow status: 0x0000000000004000
[INF] IPv4
$

Nice: we observe total flow symmetry (flow asymmetry = 0), so there are no lonely flows; everything is IPv4; and we have FTP packets, which means readable content. The biggest talker is interesting too: maybe it is the FTP data flow? Let’s find out.

Now switch to your results cmd window:

$ ls
faf-exercise_flows.txt  faf-exercise_headers.txt  faf-exercise_packets.txt

An additional packets file has been created. Let’s have a look at it:

$ tcol faf-exercise_packets.txt | head -n 28
%pktNo  flowInd  flowStat            time               pktIAT      flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP           srcIPCC  srcIPWho             srcPort  dstIP           dstIPCC  dstIPWho             dstPort  l4Proto  pktLen  l7Len  l7Content
1       1        0x0000000000004000  1258544215.037210  0.000000    0.000000      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved     1258     77.67.44.206    es       akamai technologies  80       6        66      0      
2       1        0x0000000000004001  1258544215.202900  0.000000    0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    es       akamai technologies  80       192.168.1.104   02       private_reserved     1258     6        62      0      
3       1        0x0000000000004000  1258544215.203358  0.166148    0.166148      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved     1258     77.67.44.206    es       akamai technologies  80       6        64      0      
4       1        0x0000000000004000  1258544215.203850  0.000492    0.166640      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved     1258     77.67.44.206    es       akamai technologies  80       6        425     367    GET /softw/90/update/avg9infoavi.ctf HTTP/1.1\r\nUser-Agent: AVGINET9-WXPPX86 90 AVI=270.14.71/2510 BUILD=707 LOC=1033 LIC=9I-ASXNN-X4WGW-M0XFR-T84VX-3VX02 DIAG=51E OPF=0 PCA=\r\nHost: backup.avg.cz\r\nAccept: */*\r\nAccept-Encoding: identity,deflate,gzip\r\nIf-Modified-Since: Tue, 17 Nov 2009 20:41:10 GMT\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nx-avg-id:78-175947826\r\n\r\n
5       1        0x0000000000004001  1258544215.370055  0.167155    0.167155      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    es       akamai technologies  80       192.168.1.104   02       private_reserved     1258     6        1434    1380   HTTP/1.1 200 OK\r\nDate: Wed, 18 Nov 2009 11:39:48 GMT\r\nServer: Apache\r\nLast-Modified: Wed, 18 Nov 2009 09:04:15 GMT\r\nETag: "15c007-cea-478a186e401c0"\r\nAccept-Ranges: bytes\r\nContent-Length: 3306\r\nConnection: close\r\nContent-Type: text/plain\r\n\r\nAVG CTF Index File;ver(10)\r\nbin(u7avi1777ff.bin)grp(avi:1777)tm(0911180855)pri(2)len(6637487)\r\nbin(u7avi1777u1323ff.bin)grp(avi:1777)dep(avi:1323)tm(0911180855)pri(2)len(590030)\r\nbin(u7avi1777u1705ff.bin)grp(avi:1777)dep(avi:1705)tm(0911180855)pri(2)len(95323)\r\nbin(u7iavi2511ff.bin)grp(iavi:2511)tm(0911180855)pri(2)len(45641416)\r\nbin(u7iavi2511u2251fo.bin)grp(iavi:2511)dep(iavi:2251)tm(0911180855)pri(2)len(6175342)\r\nbin(u7iavi2511u2353fn.bin)grp(iavi:2511)dep(iavi:2353)tm(0911180855)pri(2)len(4506824)\r\nbin(u7iavi2511u2404fm.bin)grp(iavi:2511)dep(iavi:2404)tm(0911180855)pri(2)len(3342546)\r\nbin(u7iavi2511u2431fl.bin)grp(iavi:2511)dep(iavi:2431)tm(0911180855)pri(2)len(2609643)\r\nbin(u7iavi2511u2458fk.bin)grp(iavi:2511)dep(iavi:2458)tm(0911180855)pri(2)len(1380674)\r\nbin(u7iavi2511u2480fj.bin)grp(iavi:2511)dep(iavi:2480)tm(0911180855)pri(2)len(681743)\r\nbin(u7iavi2511u2490fi.bin)grp(iavi:2511)dep(iavi:2490)tm(0911180855)pri(2)len(555496)\r\nbin(u7iavi2511u2500fh.bin)grp(iavi:2511)dep(iavi:2500)tm(0911180855)pri(2)len(332906)\r\nbin(u7iavi2511u2505fh.bin)grp(iavi:2511)dep(iavi:2505)tm(0911180855)pri(2)len(204942)\r\nbin(u7iavi2511u2508
6       1        0x0000000000004001  1258544215.370067  0.000012    0.167167      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    es       akamai technologies  80       192.168.1.104   02       private_reserved     1258     6        375     321    fg.bin)grp(iavi:2511)dep(iavi:2508)tm(0911180855)pri(2)len(72274)\r\nbin(u7iavi2511u2510ff.bin)grp(iavi:2511)dep(iavi:2510)tm(0911180855)pri(2)len(30540)\r\nbin(u9ichjw4qt.bin)grp(ichjw:4)pri(2)tm(0907131859)len(113488)\r\nbin(u9ichjw4u2ia.bin)grp(ichjw:4)dep(ichjw:2)pri(2)tm(0907131859)len(94470)\r\nbin(u9ichjw4u3gq.bin)grp(ic
7       1        0x0000000000004000  1258544215.370501  0.166651    0.333291      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved     1258     77.67.44.206    es       akamai technologies  80       6        64      0      
8       1        0x0000000000004001  1258544215.370560  0.000493    0.167660      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    es       akamai technologies  80       192.168.1.104   02       private_reserved     1258     6        1434    1380   hjw:4)dep(ichjw:3)pri(2)tm(0907131859)len(13313)\r\nbin(u9idat249b243tc.bin)grp(idat:249)dif(idat:243)pri(2)tm(0911051401)len(621430)\r\nbin(u9idat249b245bp.bin)grp(idat:249)dif(idat:245)pri(2)tm(0911051401)len(197648)\r\nbin(u9idat249b246mj.bin)grp(idat:249)dif(idat:246)pri(2)tm(0911051400)len(159289)\r\nbin(u9idat249b247uh.bin)grp(idat:249)dif(idat:247)pri(2)tm(0911051400)len(95680)\r\nbin(u9idat249le.bin)grp(idat:249)pri(2)tm(0911051400)len(1927074)\r\nbin(u9ifw42jx.bin)grp(ifw:42)pri(2)tm(0911131400)len(541853)\r\nbin(u9ifw42u38we.bin)grp(ifw:42)dep(ifw:38)pri(2)tm(0911131400)len(123575)\r\nbin(u9ifw42u39ke.bin)grp(ifw:42)dep(ifw:39)pri(2)tm(0911131400)len(92745)\r\nbin(u9ifw42u40dc.bin)grp(ifw:42)dep(ifw:40)pri(2)tm(0911131400)len(67292)\r\nbin(u9ifw42u41tz.bin)grp(ifw:42)dep(ifw:41)pri(2)tm(0911131400)len(18393)\r\nbin(x8all234yc.bin)grp(xplph:0012;xplsb:0099;xplsb2:0118;xplsc:0149)tm(0911180700)pri(2)len(1146352)\r\nbin(x8xplph_12gj.bin)grp(xplph:12)tm(0910280700)pri(2)len(4551)\r\nbin(x8xplsb2_118c8.bin)grp(xplsb2:118)tm(0911180700)pri(2)len(4989)\r\nbin(x8xplsb_9946.bin)grp(xplsb:99)tm(0911160700)pri(2)len(985460)\r\nbin(x8xplsb_99d9546.bin)grp(xplsb:99)dif(xplsb:95)tm(0911160700)pri(2)len(32267)\r\nbin(x8xplsb_99d9646.bin)grp(xplsb:99)dif(xplsb:96)tm(0911160700)pri(2)len(3505)\r\nbin(x8xplsb_99d9746.bin)grp(xplsb:99)dif(xplsb:97)tm(0911160700)pri(2)len(644)\r\nbin(x8xplsb_99d9846.bin
9       1        0x0000000000004001  1258544215.370571  0.000011    0.167671      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    es       akamai technologies  80       192.168.1.104   02       private_reserved     1258     6        520     466    )grp(xplsb:99)dif(xplsb:98)tm(0911160700)pri(2)len(581)\r\nbin(x8xplsc_149c8.bin)grp(xplsc:149)tm(0911180700)pri(2)len(151922)\r\nbin(x8xplsc_149d145c8.bin)grp(xplsc:149)dif(xplsc:145)tm(0911180700)pri(2)len(2561)\r\nbin(x8xplsc_149d146c8.bin)grp(xplsc:149)dif(xplsc:146)tm(0911180700)pri(2)len(1921)\r\nbin(x8xplsc_149d147c8.bin)grp(xplsc:149)dif(xplsc:147)tm(0911180700)pri(2)len(1767)\r\nbin(x8xplsc_149d148c8.bin)grp(xplsc:149)dif(xplsc:148)tm(0911180700)pri(2)len(1411)\r\n
10      1        0x0000000000004001  1258544215.370580  0.000009    0.167680      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    es       akamai technologies  80       192.168.1.104   02       private_reserved     1258     6        54      0      
11      1        0x0000000000004000  1258544215.370997  0.000496    0.333787      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved     1258     77.67.44.206    es       akamai technologies  80       6        64      0      
12      1        0x0000000000004000  1258544215.372742  0.001745    0.335532      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved     1258     77.67.44.206    es       akamai technologies  80       6        64      0      
13      1        0x0000000000004001  1258544215.537951  0.167371    0.335051      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    es       akamai technologies  80       192.168.1.104   02       private_reserved     1258     6        54      0      
14      2        0x0000000000004000  1258544216.385370  0.000000    0.000000      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved     1259     77.67.44.206    es       akamai technologies  80       6        66      0      
15      2        0x0000000000004001  1258544216.551313  0.000000    0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    es       akamai technologies  80       192.168.1.104   02       private_reserved     1259     6        62      0      
16      2        0x0000000000004000  1258544216.551760  0.166390    0.166390      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved     1259     77.67.44.206    es       akamai technologies  80       6        64      0      
17      2        0x0000000000004000  1258544216.554751  0.002991    0.169381      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved     1259     77.67.44.206    es       akamai technologies  80       6        380     322    GET /softw/90/update/u7avi1777u1705ff.bin HTTP/1.1\r\nUser-Agent: AVGINET9-WXPPX86 90 AVI=270.14.71/2510 BUILD=707 LOC=1033 LIC=9I-ASXNN-X4WGW-M0XFR-T84VX-3VX02 DIAG=51E OPF=0 PCA=\r\nHost: backup.avg.cz\r\nAccept: */*\r\nAccept-Encoding: identity,deflate,gzip\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nx-avg-id:78-175947826\r\n\r\n
18      2        0x0000000000004001  1258544216.720958  0.169645    0.169645      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    es       akamai technologies  80       192.168.1.104   02       private_reserved     1259     6        518     464    HTTP/1.1 302 Found\r\nDate: Wed, 18 Nov 2009 11:39:49 GMT\r\nServer: Apache\r\nLocation: http://aa.avg.com/softw/90/update/u7avi1777u1705ff.bin\r\nContent-Length: 238\r\nConnection: close\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>302 Found</title>\n</head><body>\n<h1>Found</h1>\n<p>The document has moved <a href="http://aa.avg.com/softw/90/update/u7avi1777u1705ff.bin">here</a>.</p>\n</body></html>\n
19      2        0x0000000000004001  1258544216.720970  0.000012    0.169657      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    es       akamai technologies  80       192.168.1.104   02       private_reserved     1259     6        54      0      
20      2        0x0000000000004000  1258544216.721401  0.166650    0.336031      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved     1259     77.67.44.206    es       akamai technologies  80       6        64      0      
21      2        0x0000000000004000  1258544216.723144  0.001743    0.337774      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved     1259     77.67.44.206    es       akamai technologies  80       6        64      0      
22      2        0x0000000000004001  1258544216.888595  0.167625    0.337282      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    es       akamai technologies  80       192.168.1.104   02       private_reserved     1259     6        54      0      
23      3        0x0000000000004000  1258544216.908284  0.000000    0.000000      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved     1260     198.189.255.75  us       --                   80       6        66      0      
24      3        0x0000000000004001  1258544216.915576  0.000000    0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       --                   80       192.168.1.104   02       private_reserved     1260     6        62      0      
25      3        0x0000000000004000  1258544216.916026  0.007742    0.007742      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved     1260     198.189.255.75  us       --                   80       6        64      0      
26      3        0x0000000000004000  1258544216.929764  0.013738    0.021480      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved     1260     198.189.255.75  us       --                   80       6        377     319    GET /softw/90/update/u7avi1777u1705ff.bin HTTP/1.1\r\nUser-Agent: AVGINET9-WXPPX86 90 AVI=270.14.71/2510 BUILD=707 LOC=1033 LIC=9I-ASXNN-X4WGW-M0XFR-T84VX-3VX02 DIAG=51E OPF=0 PCA=\r\nHost: aa.avg.com\r\nAccept: */*\r\nAccept-Encoding: identity,deflate,gzip\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nx-avg-id:78-175947826\r\n\r\n
27      3        0x0000000000004001  1258544216.936827  0.021251    0.021251      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       --                   80       192.168.1.104   02       private_reserved     1260     6        54      0  

The packet mode provides all the features that the flow files provide. Both files are linked by the flowInd, so you can track each packet back to its flow and vice versa. Every feature produced by the plugins can be tracked per packet over time. For researchers, the packet inter-arrival time per flow and the flow duration make it easy to generate multiple signals for further time series analysis or signal processing. Extracting features such as L7Content on a flow basis is a one-liner. Let’s say the flow at index 3 is interesting:

$ tawk -t 'flow(3)' faf-exercise_packets.txt | head | tcol
%pktNo  flowInd  flowStat            time               pktIAT    flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP           srcIPCC  srcIPWho          srcPort  dstIP           dstIPCC  dstIPWho          dstPort  l4Proto  pktLen  l7Len  l7Content
23      3        0x0000000000004000  1258544216.908284  0.000000  0.000000      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved  1260     198.189.255.75  us       --                80       6        66      0      
24      3        0x0000000000004001  1258544216.915576  0.000000  0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       --                80       192.168.1.104   02       private_reserved  1260     6        62      0      
25      3        0x0000000000004000  1258544216.916026  0.007742  0.007742      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved  1260     198.189.255.75  us       --                80       6        64      0      
26      3        0x0000000000004000  1258544216.929764  0.013738  0.021480      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   02       private_reserved  1260     198.189.255.75  us       --                80       6        377     319    GET /softw/90/update/u7avi1777u1705ff.bin HTTP/1.1\r\nUser-Agent: AVGINET9-WXPPX86 90 AVI=270.14.71/2510 BUILD=707 LOC=1033 LIC=9I-ASXNN-X4WGW-M0XFR-T84VX-3VX02 DIAG=51E OPF=0 PCA=\r\nHost: aa.avg.com\r\nAccept: */*\r\nAccept-Encoding: identity,deflate,gzip\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nx-avg-id:78-175947826\r\n\r\n
27      3        0x0000000000004001  1258544216.936827  0.021251  0.021251      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       --                80       192.168.1.104   02       private_reserved  1260     6        54      0      
28      3        0x0000000000004001  1258544216.937559  0.000732  0.021983      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       --                80       192.168.1.104   02       private_reserved  1260     6        1434    1380   HTTP/1.1 200 OK\r\nServer: Apache\r\nETag: "0210a9516dd34abc481683f877bd8680:1258533754"\r\nLast-Modified: Wed, 18 Nov 2009 07:55:25 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: 95323\r\nContent-Type: application/octet-stream\r\nDate: Wed, 18 Nov 2009 11:39:50 GMT\r\nConnection: keep-alive\r\n\r\nMZ AVG7 UpdateBin grp(avi:1777)dep(avi:1705)tm(0911180855)pri(2)..7TW;........"....m.b...YbU..&..6.P.B.....jx.\n.n..%....g...8......c....X.c.sO..M............Y.7|......q........w/mb.D#...:.`.H|..(.:...wjA/...u....C{.]..7.y..8..v....n.5..L.k..U>&te...-.....a...`..n. h.....0.......9Ig.s..7^.)..,........ .R..+...f ...xg..xq....;1...F.|....)..*..~.%.I.o.*......)...P...w.V.q....41....h...w%o..,Ha;.~}..#!.p....{..w.=A.0...8..IB.;.*...]..w.@..%F[L9(.. ..`..Iq...'......4.&..........Gz0S}`...s.....s...6\).4(..x.J..[do...w./..m..[.X.D...z\.. ..F...\nA[....O_...."..te..|b.."..........e-..i.q....<&h....SKz.gR.+.<1....n........|...-...B..?..".../.g.I@..m[s....iu3$.t.L...`...D$..eff..7(.L.\V_..HR!.X.........A#....=...K.[.>..CO.2J...R...k.k.p..ME...\}.v..l_.D....D...;c......0~3:A......i..7X&..].@.......k?..Qn........,c.`..K...B.M........~\.....>..|._. ...W.YP.....N...u.....s@:..Z.z..n.."B..Q.M.9..D[.c.z.l...z.G....l..6.yPJ.8.........Q.eE.....oPK.'.s. ..(....+..3........."q...d.....v....@......q..+. _YK.`.Zn.c..a..E.q...cI......c....\r0..\n.... ]p..Z=.{./Iz..'..<.d...9...]:...P.}v<...9.h...T9cf../<..U.L
29      3        0x0000000000004001  1258544216.937570  0.000011  0.021994      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       --                80       192.168.1.104   02       private_reserved  1260     6        1434    1380   .G...*.......SlF...>.(..\......].2`...R?fQY.E\....B.\.]..)Fd>\n.'5...&..^M<..L.4..^U....!........VL.n.%..<J.G.:...bz/L.^.r.........n%Wr'.k..g...D...<..f.P............mj...`a.Mc.....B..c.DGz.].e..H.5<f.K...r$....K.-.x..&.....?m....'-.2..0.~.....d/e........4..lx..F.b.....>...7 Z4..]@,&N.......?I......r.3..a........j.G...\ni.g.....d\n..I..k........'..$....6j)svy..u.......T...TH.I..;{Q......\rj.....E..Rc..%.\n...3B.o...)...h].#.<.,1&.......a..](..LVKi...z...>...Bc..Y...N.n6l..3..}{~.G.}p .........pPn..c..eQ..m;........O/...+....Z,..$..<.W...\....0RKbHeh'..2.]....E*....a..j.7h.9..%Q..R.Z..wP/.JF...3p...[.y..$.h.]..*.%.D.+...#.+.u...>.....I...|.&....-.......%:....y....C=.........F....@]X..5&.....W...~Q.%w..d.....aZ.....DS..33......Cp._...<......w..!uvt....c....\[Z.Bh'..N......G...Gu..*....k..0y....In..:.*`8......E.. .(R...~..`Z.E-[....;.B..WIR.0.....^8~....y.6...k..D.V......L7| ..X ...Y...s_......o%Qf2Q0.q.. ...;f5+08..7%.Z........D?.F.]K...@h1D.ah..}Y....#ZF......2.....u]..yc0...<l.E.GO......../g...f.../..+..>..Xw.....X....i.q2..W@P.`\7.f.e.X:.-O......nB{o......pu..s.l."Q.....S7D.4k@.Ud..%uxf.."...r.[%...ZZ.....).bS..E.......h.W..0.v.!`.........ix.gh/7Yd.#HO....bo...;....|...F.....e...).x...)....m...A...6!.r..q..Y.W...[.9..H,..4PL;.L...`g.q.-.+.gIk..vy....2...-.....n.O..3.W..p.%.*.wCOm.....q.,..[.(V....|....N...K..k.. ..W..jZR...L9...q.z.t.+...<c?.....X....]<...u..'Y.
30      3        0x0000000000004001  1258544216.937579  0.000009  0.022003      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       --                80       192.168.1.104   02       private_reserved  1260     6        1434    1380   .......R1.cR#..eWk.B....HD...q....p.c..P.t.....A........\rg..[.x.....>... .jf\n.0..@..[....Z~.a.b..[..5.=..7........^`.8.=....6..\n..eg......p.\n..b....J.(R...O.....G.K3.|.]..]A..\n....z[....K.....\n q\+....S..ox...Hg....i...Q.9s.b4.Y.."o...o..!...p.@.....k.Z.;..I.y.aI.C.......D.G..q..H.h.....L.\....UH.<58..I...a.....{.aTy.._...h.8.bQ%.?.....zW.C..f\C....!x.....O....^{P~'....z9.....8.a...!..{.....Mz....%8...Y/".|...*q=..D.H..@..ZsC...".B...1.MA2..z@......2...S.<]r.....epQ8..Gz.h....V.Qh.....*MYoV..w@...):9...uV.....g'z.,KE:.G$\n.....;../..^(....*.......`.o.....`[...TzF7V..2..o...qU.nE+=n....\na.F..o......h.. .{....}*g....F..,J.9.......ijB...B&..i...A.+.....f ..:ht.;-=.E.....j..2.....h%...\r'...9...\ru._...f...........|I..L..T..../....n.`F.c|.."[g....-...."...v..1y@.....S.]Y....D."..d.-....O:W......~...Y5{....:..."...C..R...%.nq...~......p....^ZF}n..yB.GFP...-..3..C....~...%r.?`.wT8l.'/M_.6k../.J.1.u._.."W}Z.f.e.".#[.Xh.. .]E....6..X...{..O.0..E\......,.._-6r.N.......Zhc......Z.....a...U.....z.*..cW..N8.8........B..h(..51Az..7........^..{.D..........g~EQtM.._....e.;z.?.....~...\I.24.>7lQ.C.X.(D.^x".YJw..0"A....Ix..wR..2..nwt..Qu..?..g.%...3.,\r(......A.[Gb.\..4..u38......C\n.e..Y.x.S.)c....z.......e.3..UkY...........U.C]v..*Q..i..\n..-..Q..]..<;....&.[..0y....0.C....].;....:..+.....B..K.\.=...W......6. ...z.....hXd@.h7.7%.. ..E.d[..'..k.s...........jo.O..uaEL......J&.8R..
31      3        0x0000000000004001  1258544216.937598  0.000019  0.022022      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       --                80       192.168.1.104   02       private_reserved  1260     6        1434    1380   ........%u.He..9......[.x..X...o,.^y.\r*....v...B.)......dN...R#..\....M......C.,.>f.Q[.....7.:.8...-z....^...?..`!..d^..a.!.G.'.6...\n>.o.o...SF..5w.#....h. .J..|..@...k.0...]..A~S#..).. 1..;..F...0.Mf....D.rx..6.+~.%.F...!.m.M...........!.n...~c.........f.....g..6...O.r....-...sC.b.......4..@....R`. ....H..TL..d..P..\n....?)p.(...,..T...C..p..X.m]2....oV`6{w...g.NU.....a.o.......%H...0..h.R.p..g.....fh....[V.L...?@.'-.......?wI....Z)...h.lo!Y.@..e....ab.@l.[Ci....Z........h.1...J........m..&.j......b..^....s.K......$.+..\n1.F.....?%..N.......+..Ws.na....L.....U. )..~..(;.c...w..v.Q.k...3.w3...h.Fu.....i...X..3......u.V....s-."..{.....f..^F......G..l!.../.5...C\..Y.......,.9....7.gI....p........].}w.2.......6..m.....K.....~..q.......TY.1a.v...".C#3..m...6 ..H.Lb..X..5.b(?..q..........s.\r.IZ.o.\n)\n..3..t/e.....{..../'....Z.B....=.................$6....B.7.p.....0o.@..m....1.5...t....Z...=.'j!..?:.eXz"q..-.O..1.'c.O-..j.rEA.I...*.bB..]..6Q..\ro..F../.JA.-....$...u...XmS........);K.$.}.."a.}TE.H......n...^..]....%.....I~....'.. ..N......!nu..eG....K...../.....Ga...6...V.d.a............*>)...f(^.s<..WR..R.....U......O./..e2....b.b.:.k....c+\rD.......e.V......OkzW..[.....?E..fw"..a.....!].jQ.t.l.P..W...f.......%..................u....>...l..j../.......cY:@rxp.*-....;.._t..N..-.."......Z&p=ih.2.}.xV.i.ZGI....V..."...v....=...'K_$0.`a...q;EQS..hn..<'x...n.Ef......,....i.

Now the meaning of pktIAT and flowDuration should be clearer. If you want to use Wireshark, use the packet number or the timestamp to locate the packets there. For researchers, important parameters such as packetLength or L7Length are supplied and can be selected using tawk, then piped into further processing.

Let’s say that you are only interested in flows that have the FTP flag set:

$ tawk 'bitsanyset($ftpStat, 0x01)' faf-exercise_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration    numHdrDesc  numHdrs  hdrDesc       ethVlanID  srcIP          srcIPCC  srcIPWho            srcPort  dstIP          dstIPCC  dstIPWho            dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT    stdIAT    pktps       bytps     pktAsm  bytAsm      tcpStates  ftpStat  ftpCDFindex  ftpCC                     ftpRC                            ftpUsrNum  ftpPwNum  ftpCNum  ftpUsr       ftpPw      ftpC
A     35       0x0000000000004000  1258594162.928342  1258594185.618346  22.690004   1           3        eth:ipv4:tcp  0          192.168.1.105  02       "private_reserved"  49329    143.166.11.10  us       "arin"              21       6        11          11           92           1231          0         24        8.363636    8.41835     0       21.78007  2.062728  5.945361  0.484795    4.054649  0       -0.8609222  0x02       0x01                  USER;PASS;TYPE;PASV;SIZE                                   1          1         2        "anonymous"  "IEUser@"  "I";"/video/R79733.EXE"
B     35       0x0000000000004001  1258594163.008594  1258594491.683288  328.674694  1           3        eth:ipv4:tcp  0          143.166.11.10  us       "arin"              21       192.168.1.105  02       "private_reserved"  49329    6        11          11           1231         92            0         950       111.9091    232.9224    0       306.2558  29.87952  83.53862  0.03346774  3.745345  0       0.8609222   0x42       0x01                                            220;331;230;200;227;213;125;226  0          0         0     
$

The only real FTP flow is the one with flowInd = 35, so let’s select it in the packet file:

$ tawk 'flow(35)' faf-exercise_packets.txt | tcol
%pktNo  flowInd  flowStat            time               pktIAT      flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPWho          srcPort  dstIP          dstIPCC  dstIPWho          dstPort  l4Proto  pktLen  l7Len  l7Content
1266    35       0x0000000000004000  1258594162.928342  0.000000    0.000000      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        66      0      
1267    35       0x0000000000004001  1258594163.008594  0.000000    0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        62      0      
1268    35       0x0000000000004000  1258594163.009292  0.080950    0.080950      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        64      0      
1269    35       0x0000000000004001  1258594163.087792  0.079198    0.079198      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        81      27     220 Microsoft FTP Service\r\n
1270    35       0x0000000000004000  1258594163.088491  0.079199    0.160149      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        74      16     USER anonymous\r\n
1271    35       0x0000000000004001  1258594163.166256  0.078464    0.157662      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        126     72     331 Anonymous access allowed, send identity (e-mail name) as password.\r\n
1272    35       0x0000000000004000  1258594163.168693  0.080202    0.240351      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        72      14     PASS IEUser@\r\n
1273    35       0x0000000000004001  1258594163.247178  0.080922    0.238584      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        1004    950    230-Welcome to the Dell FTP site. A service of Dell Inc., Round Rock, Texas.\r\n    For information about DELL, call +1 800 999 3355 All transfers are logged with\r\n    your host name and email address. If you don't like this policy please disconnect now.\r\n    Please be advised that use constitutes consent to monitoring (Elec Comm Priv Act,\r\n    18 USC 2701-2711). Please see the file readme.txt for disclaimers pertaining to this\r\n    service. If your FTP client crashes or hangs shortly after login, try using a dash\r\n    (-) as the first character of your password. This will turn off the informational\r\n    messages which may be confusing your ftp client.\r\n    ********IN CASE OF PROBLEMS*************************\r\n    ** File Content: send EMAIL to dellbbs@dell.com   **\r\n    ** FTP Server: send EMAIL to hostmaster@dell.com  **\r\n    ** WWW Server: send EMAIL to webmaster@dell.com   **\r\n    ****************************************************\r\n
1274    35       0x0000000000004001  1258594163.247187  0.000009    0.238593      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        75      21     230 User logged in.\r\n
1275    35       0x0000000000004000  1258594163.247637  0.078944    0.319295      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        64      0      
1276    35       0x0000000000004000  1258594163.249385  0.001748    0.321043      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        66      8      TYPE I\r\n
1277    35       0x0000000000004001  1258594163.327121  0.079934    0.318527      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        74      20     200 Type set to I.\r\n
1278    35       0x0000000000004000  1258594163.327845  0.078460    0.399503      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        64      6      PASV\r\n
1279    35       0x0000000000004001  1258594163.407582  0.080461    0.398988      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        104     50     227 Entering Passive Mode (143,166,11,10,251,78)\r\n
1283    35       0x0000000000004000  1258594163.487490  0.159645    0.559148      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        82      24     SIZE /video/R79733.EXE\r\n
1284    35       0x0000000000004001  1258594163.565990  0.158408    0.557396      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        67      13     213 4255056\r\n
1285    35       0x0000000000004000  1258594163.566694  0.079204    0.638352      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        82      24     RETR /video/R79733.EXE\r\n
1286    35       0x0000000000004001  1258594163.644188  0.078198    0.635594      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        108     54     125 Data connection already open; Transfer starting.\r\n
1303    35       0x0000000000004000  1258594163.838277  0.271583    0.909935      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        64      0      
5898    35       0x0000000000004001  1258594185.427515  21.783327   22.418921     3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        78      24     226 Transfer complete.\r\n
5900    35       0x0000000000004000  1258594185.618346  21.780069   22.690004     3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        64      0      
5902    35       0x0000000000004001  1258594491.683288  306.255768  328.674683    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        54      0 
$

Note the packet number in the first column: it is the same number Wireshark assigns, so if you want to look up a packet there, just open the pcap in Wireshark and jump to that packet number.

Adding more plugins

Let’s add some more plugins which contribute to the packet file.

$ t2build tcpFlags icmpDecode macRecorder portClassifier
...
BUILD SUCCESSFUL

$ t2 -r ~/data/faf-exercise.pcap -w ~/results -s
================================================================================
Tranalyzer 0.8.2 (Anteater), Tarantula. PID: 10211
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.3
    02: macRecorder, 0.8.2
    03: portClassifier, 0.8.2
    04: basicStats, 0.8.3
    05: tcpFlags, 0.8.2
    06: tcpStates, 0.8.2
    07: icmpDecode, 0.8.2
    08: ftpDecode, 0.8.2
    09: txtSink, 0.8.2
[INF] basicFlow: IPv4 Ver: 3, Rev: 20190114, Range Mode: 0, subnet ranges loaded: 2816255 (2.82 M)
[INF] basicFlow: IPv6 Ver: 3, Rev: 20190114, Range Mode: 0, subnet ranges loaded: 36634 (36.63 K)
Processing file: /home/wurst/data/faf-exercise.pcap
...
--------------------------------------------------------------------------------
basicStats: Biggest Talker: 143.166.11.10: 3101 (3.10 K) [52.54%] packets
basicStats: Biggest Talker: 143.166.11.10: 4268858 (4.27 M) [85.49%] bytes
tcpFlags: Aggregated IP anomaly flags : 0x0046
tcpFlags: Aggregated TCP anomaly flags: 0xbc07
tcpFlags: Number of TCP scans, succ scans, retries: 0, 0, 2
tcpFlags: Number WinSz below 1: 4 [0.07%]
tcpStates: Aggregated anomaly flags: 0x4a
ftpDecode: Anomaly flags: 0x01
ftpDecode: Number of FTP packets: 22 [0.37%]
--------------------------------------------------------------------------------
...

Invoking the same tawk query as before, we now also find the portClassifier columns (dstPortClassN, dstPortClass), a human-readable, port-based classification of the embedded protocol; here FTP.

macRecorder tells us that only one interface pair is involved, as macPairs is 1. If load balancing is in place or an interface card is broken, there can be more MAC pairs per flow. Moreover, the manufacturer (srcManuf_dstManuf) is decoded from the first three octets (the OUI) of each MAC address.

(The icmpDecode output will be discussed below.)

tcpFlags provides the aggregated IP and Layer 4 information: anomaly flags, TTL, window size, TCP options and RTT estimates.

$ tawk 'bitsanyset($ftpStat, 0x01)' faf-exercise_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration    numHdrDesc  numHdrs  hdrDesc       ethVlanID  srcIP          srcIPCC  srcIPWho            srcPort  dstIP          dstIPCC  dstIPWho            dstPort  l4Proto  macPairs  srcMac_dstMac_numP                      srcManuf_dstManuf  dstPortClassN  dstPortClass  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT    stdIAT    pktps       bytps     pktAsm  bytAsm      tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipTOS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpTmS  tcpTmER  tcpEcI  tcpBtm    tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStates  icmpStat  icmpTCcnt  icmpBFTypH_TypL_Code          icmpTmGtw   icmpEchoSuccRatio  icmpPFindex
A     35       0x0000000000004000  1258594162.928342  1258594185.618346  22.690004   1           3        eth:ipv4:tcp  0          192.168.1.105  02       "private_reserved"  49329    143.166.11.10  us       "arin"              21       6        1         00:08:74:38:01:b4_00:19:e3:e7:5d:23_11  DellComp_Apple     21             ftp           11          11           92           1231          0         24        8.363636    8.41835     0       21.78007  2.062728  5.945361  0.484795    4.054649  0       -0.8609222  0x0140    1           2328        128       128       0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  9           91              1               8           1231                   0               8192          62176.56     8192         64860        8               1              2                  0             0x1a      0x0000      1             4          0x00000016  1460    0      0       0        0       0.000000  0              0.00045           0.194089          0.04297619        0.07021572           0.08025199    -1               0x02       0x00      0          0x00000000_0x00000000_0x0000  0x00000000  0                  0
B     35       0x0000000000004001  1258594163.008594  1258594491.683288  328.674694  1           3        eth:ipv4:tcp  0          143.166.11.10  us       "arin"              21       192.168.1.105  02       "private_reserved"  49329    6        1         00:19:e3:e7:5d:23_00:08:74:38:01:b4_11  Apple_DellComp     21             ftp           11          11           1231         92            0         950       111.9091    232.9224    0       306.2558  29.87952  83.53862  0.03346774  3.745345  0       0.8609222   0x01c0    1           26560       239       239       0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  11          1230            0               6           92                     1               4140          4214.603     4140         4232         0               6              1                  0             0x1e      0x0006      1             2          0x00000014  1380    0      0       0        0       0.000000  0.08025199     0.077494          306.0649          29.85102          83.48595             29.89399      83.48597         0x42       0x00      0          0x00000000_0x00000000_0x0000  0x00000000  0                  0

The packet mode provides more or less the same information per packet. The evolution of the anomaly bits, packet lengths, sequence and ACK numbers, checksums and window size can thus be extracted packet by packet and fed directly into sequence analysis algorithms.

$ tawk 'flow(35)' faf-exercise_packets.txt | tcol
%pktNo  flowInd  flowStat            time               pktIAT      flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPWho          srcPort  dstIP          dstIPCC  dstIPWho          dstPort  l4Proto  srcManuf  dstManuf  pktLen  l7Len  ipTOS  ipID    ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq         ack         seqDiff  ackDiff  seqPktLen  ackPktLen  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpOptLen  tcpOpts                                  icmpType  icmpCode  icmpPFindex  l7Content
1266    35       0x0000000000004000  1258594162.928342  0.000000    0.000000      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     66      0      0x00   0x3f66  0         0x4000  128    0x5ea0       0x5ea0       0x7ccd       0x7ccd       0x0040                                                 0                 0x90b23817  0x00000000  0        0        0          0          0x0141    0x02      0x0000      8192    8          0x02;0x04;0x05;0xb4;0x01;0x01;0x04;0x02                                   
1267    35       0x0000000000004001  1258594163.008594  0.000000    0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      62      0      0x00   0xd8ac  0         0x4000  239    0x5659       0x5659       0x1d37       0x1d37       0x0040                                                 0                 0x15c65ae4  0x90b23818  0        0        0          0          0x0161    0x12      0x0002      4140    8          0x02;0x04;0x05;0x64;0x04;0x02;0x00;0x00                                   
1268    35       0x0000000000004000  1258594163.009292  0.080950    0.080950      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     64      0      0x00   0x3f67  1         0x4000  128    0x5ea7       0x5ea7       0x5b79       0x5b79       0x0040                                                 0                 0x90b23818  0x15c65ae5  0        0        0          0          0x01c0    0x10      0x0000      64860   0                                                                                    
1269    35       0x0000000000004001  1258594163.087792  0.079198    0.079198      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      81      27     0x00   0xe501  3157      0x4000  239    0x49f1       0x49f1       0xad9d       0xad9d       0x0040                                                 0                 0x15c65ae5  0x90b23818  0        0        0          0          0x0140    0x18      0x0000      4140    0                                                                                    220 Microsoft FTP Service\r\n
1270    35       0x0000000000004000  1258594163.088491  0.079199    0.160149      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     74      16     0x00   0x3f73  12        0x4000  128    0x5e8b       0x5e8b       0xd384       0xd384       0x0040                                                 0                 0x90b23818  0x15c65b00  0        27       0          27         0x0140    0x18      0x0000      64833   0                                                                                    USER anonymous\r\n
1271    35       0x0000000000004001  1258594163.166256  0.078464    0.157662      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      126     72     0x00   0xf08c  2955      0x4000  239    0x3e39       0x3e39       0xf987       0xf987       0x0040                                                 0                 0x15c65b00  0x90b23828  27       16       27         16         0x01c0    0x18      0x0000      4156    0                                                                                    331 Anonymous access allowed, send identity (e-mail name) as password.\r\n
1272    35       0x0000000000004000  1258594163.168693  0.080202    0.240351      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     72      14     0x00   0x3f74  1         0x4000  128    0x5e8c       0x5e8c       0x5f70       0x5f70       0x0040                                                 0                 0x90b23828  0x15c65b48  16       72       16         99         0x0140    0x18      0x0000      64761   0                                                                                    PASS IEUser@\r\n
1273    35       0x0000000000004001  1258594163.247178  0.080922    0.238584      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      1004    950    0x00   0xfba9  2845      0x4000  239    0x2fae       0x2fae       0x41de       0x41de       0x0040                                                 0                 0x15c65b48  0x90b23836  72       14       99         30         0x01c0    0x18      0x0000      4170    0                                                                                    230-Welcome to the Dell FTP site. A service of Dell Inc., Round Rock, Texas.\r\n    For information about DELL, call +1 800 999 3355 All transfers are logged with\r\n    your host name and email address. If you don't like this policy please disconnect now.\r\n    Please be advised that use constitutes consent to monitoring (Elec Comm Priv Act,\r\n    18 USC 2701-2711). Please see the file readme.txt for disclaimers pertaining to this\r\n    service. If your FTP client crashes or hangs shortly after login, try using a dash\r\n    (-) as the first character of your password. This will turn off the informational\r\n    messages which may be confusing your ftp client.\r\n    ********IN CASE OF PROBLEMS*************************\r\n    ** File Content: send EMAIL to dellbbs@dell.com   **\r\n    ** FTP Server: send EMAIL to hostmaster@dell.com  **\r\n    ** WWW Server: send EMAIL to webmaster@dell.com   **\r\n    ****************************************************\r\n
1274    35       0x0000000000004001  1258594163.247187  0.000009    0.238593      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      75      21     0x00   0xfbaa  1         0x4000  239    0x334e       0x334e       0x2a2a       0x2a2a       0x0040                                                 0                 0x15c65efe  0x90b23836  950      0        1049       30         0x01c0    0x18      0x0000      4170    0                                                                                    230 User logged in.\r\n
1275    35       0x0000000000004000  1258594163.247637  0.078944    0.319295      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     64      0      0x00   0x3f7d  9         0x4000  128    0x5e91       0x5e91       0x5b5b       0x5b5b       0x0040                                                 0                 0x90b23836  0x15c65f13  14       971      30         1070       0x0140    0x10      0x0000      63790   0                                                                                    
1276    35       0x0000000000004000  1258594163.249385  0.001748    0.321043      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     66      8      0x00   0x3f7e  1         0x4000  128    0x5e88       0x5e88       0x8959       0x8959       0x0040                                                 0                 0x90b23836  0x15c65f13  0        0        30         1070       0x0140    0x18      0x0000      63790   0                                                                                    TYPE I\r\n
1277    35       0x0000000000004001  1258594163.327121  0.079934    0.318527      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      74      20     0x00   0x0656  2732      0x4000  239    0x28a4       0x28a4       0xb130       0xb130       0x0044                                                 0                 0x15c65f13  0x90b2383e  21       8        1070       38         0x01c0    0x18      0x0000      4178    0                                                                                    200 Type set to I.\r\n
1278    35       0x0000000000004000  1258594163.327845  0.078460    0.399503      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     64      6      0x00   0x3f7f  1         0x4000  128    0x5e89       0x5e89       0xaaa3       0xaaa3       0x0040                                                 0                 0x90b2383e  0x15c65f27  8        20       38         1090       0x0140    0x18      0x0000      63770   0                                                                                    PASV\r\n
1279    35       0x0000000000004001  1258594163.407582  0.080461    0.398988      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      104     50     0x00   0x148b  3637      0x4000  239    0x1a51       0x1a51       0xbf53       0xbf53       0x0040                                                 0                 0x15c65f27  0x90b23844  20       6        1090       44         0x01c0    0x18      0x0000      4184    0                                                                                    227 Entering Passive Mode (143,166,11,10,251,78)\r\n
1283    35       0x0000000000004000  1258594163.487490  0.159645    0.559148      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     82      24     0x00   0x3f8b  12        0x4000  128    0x5e6b       0x5e6b       0xf13a       0xf13a       0x0040                                                 0                 0x90b23844  0x15c65f59  6        50       44         1140       0x0140    0x18      0x0000      63720   0                                                                                    SIZE /video/R79733.EXE\r\n
1284    35       0x0000000000004001  1258594163.565990  0.158408    0.557396      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      67      13     0x00   0x2b10  5765      0x4000  239    0x03f1       0x03f1       0x049e       0x049e       0x0040                                                 0                 0x15c65f59  0x90b2385c  50       24       1140       68         0x01c0    0x18      0x0000      4208    0                                                                                    213 4255056\r\n
1285    35       0x0000000000004000  1258594163.566694  0.079204    0.638352      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     82      24     0x00   0x3f8c  1         0x4000  128    0x5e6a       0x5e6a       0xf819       0xf819       0x0040                                                 0                 0x90b2385c  0x15c65f66  24       13       68         1153       0x0140    0x18      0x0000      63707   0                                                                                    RETR /video/R79733.EXE\r\n
1286    35       0x0000000000004001  1258594163.644188  0.078198    0.635594      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      108     54     0x00   0x37af  3231      0x4000  239    0xf728       0xf728       0xb8e3       0xb8e3       0x0040                                                 0                 0x15c65f66  0x90b23874  13       24       1153       92         0x01c0    0x18      0x0000      4232    0                                                                                    125 Data connection already open; Transfer starting.\r\n
1303    35       0x0000000000004000  1258594163.838277  0.271583    0.909935      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     64      0      0x00   0x3fa1  21        0x4000  128    0x5e6d       0x5e6d       0x5b1d       0x5b1d       0x0040                                                 0                 0x90b23874  0x15c65f9c  24       54       92         1207       0x0140    0x10      0x0000      63653   0                                                                                    
5898    35       0x0000000000004001  1258594185.427515  21.783327   22.418921     3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      78      24     0x00   0x9f6f  26560     0x4000  239    0x8f86       0x8f86       0x7425       0x7425       0x0040                                                 0                 0x15c65f9c  0x90b23874  54       0        1207       92         0x01c0    0x18      0x0000      4232    0                                                                                    226 Transfer complete.\r\n
5900    35       0x0000000000004000  1258594185.618346  21.780069   22.690004     3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     64      0      0x00   0x48b9  2328      0x4000  128    0x5555       0x5555       0x5b1d       0x5b1d       0x0040                                                 0                 0x90b23874  0x15c65fb4  0        24       92         1231       0x0140    0x10      0x0000      63629   0                                                                                    
5902    35       0x0000000000004001  1258594491.683288  306.255768  328.674683    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      54      0      0x00   0xc0d1  8546      0x4000  239    0x6e3c       0x6e3c       0x431f       0x431f       0x0040                                                 0                 0x15c65fb4  0x90b23874  24       0        1231       92         0x01c0    0x14      0x0004      4232    0 
$
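
As an added example (not Tranalyzer's own code; the reduced, tab-separated column subset it reads is an assumption), the following Python script post-processes a packet file as described above: it compares header and computed checksums, follows the sequence numbers and window size per direction and flags gaps or retransmissions, and decodes the L7 column, including the hex form introduced in the next section.

```python
"""Post-process a T2 packet-mode file: verify checksums, follow TCP sequence
numbers and window sizes per direction, and decode the L7 column.
Added example, not part of Tranalyzer; the column subset is an assumption."""
from collections import defaultdict

# Constructed input: tab-separated like a txtSink packet file but reduced to
# 13 columns. Rows 1266-1271 carry the values of flow 35 shown above (L7 in
# the hex form of the next section); row 9999 is synthetic and carries a bad
# L4 checksum and a 56-byte jump in the sequence number.
SAMPLE_PACKETS = "\n".join([
    "%pktNo\tflowInd\tflowStat\tl7Len\tipHdrChkSum\tipCalChkSum\tl4HdrChkSum"
    "\tl4CalChkSum\tseq\tack\ttcpFlags\ttcpWin\tl7HexContent",
    "1266\t35\t0x0000000000004000\t0\t0x5ea0\t0x5ea0\t0x7ccd\t0x7ccd"
    "\t0x90b23817\t0x00000000\t0x02\t8192\t",
    "1267\t35\t0x0000000000004001\t0\t0x5659\t0x5659\t0x1d37\t0x1d37"
    "\t0x15c65ae4\t0x90b23818\t0x12\t4140\t",
    "1268\t35\t0x0000000000004000\t0\t0x5ea7\t0x5ea7\t0x5b79\t0x5b79"
    "\t0x90b23818\t0x15c65ae5\t0x10\t64860\t",
    "1269\t35\t0x0000000000004001\t27\t0x49f1\t0x49f1\t0xad9d\t0xad9d"
    "\t0x15c65ae5\t0x90b23818\t0x18\t4140\t0x32 0x32 0x30 0x20 0x4d 0x69 0x63"
    " 0x72 0x6f 0x73 0x6f 0x66 0x74 0x20 0x46 0x54 0x50 0x20 0x53 0x65 0x72"
    " 0x76 0x69 0x63 0x65 0x0d 0x0a",
    "1270\t35\t0x0000000000004000\t16\t0x5e8b\t0x5e8b\t0xd384\t0xd384"
    "\t0x90b23818\t0x15c65b00\t0x18\t64833\t0x55 0x53 0x45 0x52 0x20 0x61"
    " 0x6e 0x6f 0x6e 0x79 0x6d 0x6f 0x75 0x73 0x0d 0x0a",
    "1271\t35\t0x0000000000004001\t72\t0x3e39\t0x3e39\t0xf987\t0xf987"
    "\t0x15c65b00\t0x90b23828\t0x18\t4156\t",
    "9999\t35\t0x0000000000004001\t10\t0x1111\t0x1111\t0xdead\t0xbeef"
    "\t0x15c65b80\t0x90b23828\t0x18\t4156\t",
])

MASK32 = 0xFFFFFFFF
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG")]


def tcp_flag_names(value):
    """0x12 -> 'SYN+ACK', matching the tcpFlags column."""
    return "+".join(n for bit, n in TCP_FLAG_BITS if value & bit) or "none"


def parse_packets(text):
    """Header line starts with '%'; every other non-empty line is one packet."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def decode_l7(row):
    """Return the payload text: the hex column ('0x32 0x32 ...') if present,
    otherwise the human-readable l7Content with its escaped CRLF removed."""
    if "l7HexContent" in row:
        raw = bytes(int(tok, 16) for tok in row["l7HexContent"].split())
        return raw.decode("ascii", "replace").rstrip("\r\n")
    return row.get("l7Content", "").replace("\\r\\n", "")


def analyse_flow(rows, flow_ind):
    """Walk one flowInd in file order; direction B is bit 0 of flowStat
    (0x...4000 = A, 0x...4001 = B in the output above)."""
    rep = {"chksum_bad": [], "seq_events": [], "flags": [],
           "win": defaultdict(list), "l7": {}}
    expected = {}  # direction -> next sequence number we expect to see
    for r in rows:
        if int(r["flowInd"]) != flow_ind:
            continue
        pkt, d = int(r["pktNo"]), "B" if int(r["flowStat"], 16) & 1 else "A"
        if r["ipHdrChkSum"] != r["ipCalChkSum"] or r["l4HdrChkSum"] != r["l4CalChkSum"]:
            rep["chksum_bad"].append(pkt)
        seq, l7len, flags = int(r["seq"], 16), int(r["l7Len"]), int(r["tcpFlags"], 16)
        rep["flags"].append((pkt, tcp_flag_names(flags)))
        if d in expected:
            delta = (seq - expected[d]) & MASK32
            if 0 < delta < 0x80000000:
                rep["seq_events"].append((pkt, "gap", delta))  # data missing
            elif delta >= 0x80000000:
                rep["seq_events"].append((pkt, "retransmission", MASK32 + 1 - delta))
        # SYN and FIN each consume one sequence number besides the payload
        nxt = (seq + l7len + bool(flags & 0x02) + bool(flags & 0x01)) & MASK32
        if d not in expected or ((nxt - expected[d]) & MASK32) < 0x80000000:
            expected[d] = nxt  # never move the expectation backwards
        rep["win"][d].append(int(r["tcpWin"]))
        text = decode_l7(r)
        if text:
            rep["l7"][pkt] = text
    rep["win"] = dict(rep["win"])
    return rep


def ftp_dialogue(report):
    """Split decoded payloads into FTP replies (3-digit code) and commands."""
    out = []
    for pkt in sorted(report["l7"]):
        text = report["l7"][pkt]
        out.append((pkt, "reply" if text[:3].isdigit() else "command", text))
    return out


if __name__ == "__main__":
    report = analyse_flow(parse_packets(SAMPLE_PACKETS), 35)
    print("bad checksums:", report["chksum_bad"])
    print("sequence events:", report["seq_events"])
    print("window evolution:", report["win"])
    for pkt, kind, text in ftp_dialogue(report):
        print(f"{pkt} {kind}: {text}")
```

On a real file, replace SAMPLE_PACKETS with the contents of faf-exercise_packets.txt; only the listed column names must be present.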

Changing L7 output format to hex

The configuration of the packet mode currently resides at compile time in a header file, main.h; this will change in the future and bring more flexibility to the packet mode. There you can switch the packet number on or off and choose the output type of the Layer 7 content, i.e. switch from human-readable to hex values. Both can be switched on simultaneously, but then the human-readable output is appended to the hex output.

Modify the header file to look like this:

You only need to recompile the core now:

$ tran
$ cd tranalyzer2
$ ./autogen.sh
...
$

Or, if you are lazy, just recompile everything used so far; it makes no big difference in run time if the plugins were already compiled.

$ t2build -R
...

With the new configuration in place, run T2 again:

$ t2 -r ~/data/faf-exercise.pcap -w ~/results -s
...
$

If we select our ftp flow again, we now find the L7 output in hex. This format lets you read the L7 content directly with awk, without any re-encoding.

$ tawk 'flow(35)' faf-exercise_packets.txt | tcol
%pktNo  flowInd  flowStat            time               pktIAT      flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPWho          srcPort  dstIP          dstIPCC  dstIPWho          dstPort  l4Proto  srcManuf  dstManuf  pktLen  l7Len  ipTOS  ipID    ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq         ack         seqDiff  ackDiff  seqPktLen  ackPktLen  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpOptLen  tcpOpts                                  icmpType  icmpCode  icmpPFindex  l7HexContent
1266    35       0x0000000000004000  1258594162.928342  0.000000    0.000000      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     66      0      0x00   0x3f66  0         0x4000  128    0x5ea0       0x5ea0       0x7ccd       0x7ccd       0x0040                                                 0                 0x90b23817  0x00000000  0        0        0          0          0x0141    0x02      0x0000      8192    8          0x02;0x04;0x05;0xb4;0x01;0x01;0x04;0x02                                   
1267    35       0x0000000000004001  1258594163.008594  0.000000    0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      62      0      0x00   0xd8ac  0         0x4000  239    0x5659       0x5659       0x1d37       0x1d37       0x0040                                                 0                 0x15c65ae4  0x90b23818  0        0        0          0          0x0161    0x12      0x0002      4140    8          0x02;0x04;0x05;0x64;0x04;0x02;0x00;0x00                                   
1268    35       0x0000000000004000  1258594163.009292  0.080950    0.080950      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     64      0      0x00   0x3f67  1         0x4000  128    0x5ea7       0x5ea7       0x5b79       0x5b79       0x0040                                                 0                 0x90b23818  0x15c65ae5  0        0        0          0          0x01c0    0x10      0x0000      64860   0                                                                                    
1269    35       0x0000000000004001  1258594163.087792  0.079198    0.079198      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      81      27     0x00   0xe501  3157      0x4000  239    0x49f1       0x49f1       0xad9d       0xad9d       0x0040                                                 0                 0x15c65ae5  0x90b23818  0        0        0          0          0x0140    0x18      0x0000      4140    0                                                                                    0x32 0x32 0x30 0x20 0x4d 0x69 0x63 0x72 0x6f 0x73 0x6f 0x66 0x74 0x20 0x46 0x54 0x50 0x20 0x53 0x65 0x72 0x76 0x69 0x63 0x65 0x0d 0x0a
1270    35       0x0000000000004000  1258594163.088491  0.079199    0.160149      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     74      16     0x00   0x3f73  12        0x4000  128    0x5e8b       0x5e8b       0xd384       0xd384       0x0040                                                 0                 0x90b23818  0x15c65b00  0        27       0          27         0x0140    0x18      0x0000      64833   0                                                                                    0x55 0x53 0x45 0x52 0x20 0x61 0x6e 0x6f 0x6e 0x79 0x6d 0x6f 0x75 0x73 0x0d 0x0a
1271    35       0x0000000000004001  1258594163.166256  0.078464    0.157662      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      126     72     0x00   0xf08c  2955      0x4000  239    0x3e39       0x3e39       0xf987       0xf987       0x0040                                                 0                 0x15c65b00  0x90b23828  27       16       27         16         0x01c0    0x18      0x0000      4156    0                                                                                    0x33 0x33 0x31 0x20 0x41 0x6e 0x6f 0x6e 0x79 0x6d 0x6f 0x75 0x73 0x20 0x61 0x63 0x63 0x65 0x73 0x73 0x20 0x61 0x6c 0x6c 0x6f 0x77 0x65 0x64 0x2c 0x20 0x73 0x65 0x6e 0x64 0x20 0x69 0x64 0x65 0x6e 0x74 0x69 0x74 0x79 0x20 0x28 0x65 0x2d 0x6d 0x61 0x69 0x6c 0x20 0x6e 0x61 0x6d 0x65 0x29 0x20 0x61 0x73 0x20 0x70 0x61 0x73 0x73 0x77 0x6f 0x72 0x64 0x2e 0x0d 0x0a
1272    35       0x0000000000004000  1258594163.168693  0.080202    0.240351      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     72      14     0x00   0x3f74  1         0x4000  128    0x5e8c       0x5e8c       0x5f70       0x5f70       0x0040                                                 0                 0x90b23828  0x15c65b48  16       72       16         99         0x0140    0x18      0x0000      64761   0                                                                                    0x50 0x41 0x53 0x53 0x20 0x49 0x45 0x55 0x73 0x65 0x72 0x40 0x0d 0x0a
1273    35       0x0000000000004001  1258594163.247178  0.080922    0.238584      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      1004    950    0x00   0xfba9  2845      0x4000  239    0x2fae       0x2fae       0x41de       0x41de       0x0040                                                 0                 0x15c65b48  0x90b23836  72       14       99         30         0x01c0    0x18      0x0000      4170    0                                                                                    0x32 0x33 0x30 0x2d 0x57 0x65 0x6c 0x63 0x6f 0x6d 0x65 0x20 0x74 0x6f 0x20 0x74 0x68 0x65 0x20 0x44 0x65 0x6c 0x6c 0x20 0x46 0x54 0x50 0x20 0x73 0x69 0x74 0x65 0x2e 0x20 0x41 0x20 0x73 0x65 0x72 0x76 0x69 0x63 0x65 0x20 0x6f 0x66 0x20 0x44 0x65 0x6c 0x6c 0x20 0x49 0x6e 0x63 0x2e 0x2c 0x20 0x52 0x6f 0x75 0x6e 0x64 0x20 0x52 0x6f 0x63 0x6b 0x2c 0x20 0x54 0x65 0x78 0x61 0x73 0x2e 0x0d 0x0a 0x20 0x20 0x20 0x20 0x46 0x6f 0x72 0x20 0x69 0x6e 0x66 0x6f 0x72 0x6d 0x61 0x74 0x69 0x6f 0x6e 0x20 0x61 0x62 0x6f 0x75 0x74 0x20 0x44 0x45 0x4c 0x4c 0x2c 0x20 0x63 0x61 0x6c 0x6c 0x20 0x2b 0x31 0x20 0x38 0x30 0x30 0x20 0x39 0x39 0x39 0x20 0x33 0x33 0x35 0x35 0x20 0x41 0x6c 0x6c 0x20 0x74 0x72 0x61 0x6e 0x73 0x66 0x65 0x72 0x73 0x20 0x61 0x72 0x65 0x20 0x6c 0x6f 0x67 0x67 0x65 0x64 0x20 0x77 0x69 0x74 0x68 0x0d 0x0a 0x20 0x20 0x20 0x20 0x79 0x6f 0x75 0x72 0x20 0x68 0x6f 0x73 0x74 0x20 0x6e 0x61 0x6d 0x65 0x20 0x61 0x6e 0x64 0x20 0x65 0x6d 0x61 0x69 0x6c 0x20 0x61 0x64 0x64 0x72 0x65 0x73 0x73 0x2e 0x20 0x49 0x66 0x20 0x79 0x6f 0x75 0x20 0x64 0x6f 0x6e 0x27 0x74 0x20 0x6c 0x69 0x6b 0x65 0x20 0x74 0x68 0x69 0x73 0x20 0x70 0x6f 0x6c 0x69 0x63 0x79 0x20 0x70 0x6c 0x65 0x61 0x73 0x65 0x20 0x64 0x69 0x73 0x63 0x6f 0x6e 0x6e 0x65 0x63 0x74 0x20 0x6e 0x6f 0x77 0x2e 0x0d 0x0a 0x20 0x20 0x20 0x20 0x50 0x6c 0x65 0x61 0x73 0x65 0x20 0x62 0x65 
0x20 0x61 0x64 0x76 0x69 0x73 0x65 0x64 0x20 0x74 0x68 0x61 0x74 0x20 0x75 0x73 0x65 0x20 0x63 0x6f 0x6e 0x73 0x74 0x69 0x74 0x75 0x74 0x65 0x73 0x20 0x63 0x6f 0x6e 0x73 0x65 0x6e 0x74 0x20 0x74 0x6f 0x20 0x6d 0x6f 0x6e 0x69 0x74 0x6f 0x72 0x69 0x6e 0x67 0x20 0x28 0x45 0x6c 0x65 0x63 0x20 0x43 0x6f 0x6d 0x6d 0x20 0x50 0x72 0x69 0x76 0x20 0x41 0x63 0x74 0x2c 0x0d 0x0a 0x20 0x20 0x20 0x20 0x31 0x38 0x20 0x55 0x53 0x43 0x20 0x32 0x37 0x30 0x31 0x2d 0x32 0x37 0x31 0x31 0x29 0x2e 0x20 0x50 0x6c 0x65 0x61 0x73 0x65 0x20 0x73 0x65 0x65 0x20 0x74 0x68 0x65 0x20 0x66 0x69 0x6c 0x65 0x20 0x72 0x65 0x61 0x64 0x6d 0x65 0x2e 0x74 0x78 0x74 0x20 0x66 0x6f 0x72 0x20 0x64 0x69 0x73 0x63 0x6c 0x61 0x69 0x6d 0x65 0x72 0x73 0x20 0x70 0x65 0x72 0x74 0x61 0x69 0x6e 0x69 0x6e 0x67 0x20 0x74 0x6f 0x20 0x74 0x68 0x69 0x73 0x0d 0x0a 0x20 0x20 0x20 0x20 0x73 0x65 0x72 0x76 0x69 0x63 0x65 0x2e 0x20 0x49 0x66 0x20 0x79 0x6f 0x75 0x72 0x20 0x46 0x54 0x50 0x20 0x63 0x6c 0x69 0x65 0x6e 0x74 0x20 0x63 0x72 0x61 0x73 0x68 0x65 0x73 0x20 0x6f 0x72 0x20 0x68 0x61 0x6e 0x67 0x73 0x20 0x73 0x68 0x6f 0x72 0x74 0x6c 0x79 0x20 0x61 0x66 0x74 0x65 0x72 0x20 0x6c 0x6f 0x67 0x69 0x6e 0x2c 0x20 0x74 0x72 0x79 0x20 0x75 0x73 0x69 0x6e 0x67 0x20 0x61 0x20 0x64 0x61 0x73 0x68 0x0d 0x0a 0x20 0x20 0x20 0x20 0x28 0x2d 0x29 0x20 0x61 0x73 0x20 0x74 0x68 0x65 0x20 0x66 0x69 0x72 0x73 0x74 0x20 0x63 0x68 0x61 0x72 0x61 0x63 0x74 0x65 0x72 0x20 0x6f 0x66 0x20 0x79 0x6f 0x75 0x72 0x20 0x70 0x61 0x73 0x73 0x77 0x6f 0x72 0x64 0x2e 0x20 0x54 0x68 0x69 0x73 0x20 0x77 0x69 0x6c 0x6c 0x20 0x74 0x75 0x72 0x6e 0x20 0x6f 0x66 0x66 0x20 0x74 0x68 0x65 0x20 0x69 0x6e 0x66 0x6f 0x72 0x6d 0x61 0x74 0x69 0x6f 0x6e 0x61 0x6c 0x0d 0x0a 0x20 0x20 0x20 0x20 0x6d 0x65 0x73 0x73 0x61 0x67 0x65 0x73 0x20 0x77 0x68 0x69 0x63 0x68 0x20 0x6d 0x61 0x79 0x20 0x62 0x65 0x20 0x63 0x6f 0x6e 0x66 0x75 0x73 0x69 0x6e 0x67 0x20 0x79 0x6f 0x75 0x72 0x20 0x66 0x74 0x70 0x20 0x63 0x6c 0x69 0x65 0x6e 0x74 0x2e 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x2a 
0x2a 0x2a 0x2a 0x2a 0x2a 0x49 0x4e 0x20 0x43 0x41 0x53 0x45 0x20 0x4f 0x46 0x20 0x50 0x52 0x4f 0x42 0x4c 0x45 0x4d 0x53 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x20 0x46 0x69 0x6c 0x65 0x20 0x43 0x6f 0x6e 0x74 0x65 0x6e 0x74 0x3a 0x20 0x73 0x65 0x6e 0x64 0x20 0x45 0x4d 0x41 0x49 0x4c 0x20 0x74 0x6f 0x20 0x64 0x65 0x6c 0x6c 0x62 0x62 0x73 0x40 0x64 0x65 0x6c 0x6c 0x2e 0x63 0x6f 0x6d 0x20 0x20 0x20 0x2a 0x2a 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x20 0x46 0x54 0x50 0x20 0x53 0x65 0x72 0x76 0x65 0x72 0x3a 0x20 0x73 0x65 0x6e 0x64 0x20 0x45 0x4d 0x41 0x49 0x4c 0x20 0x74 0x6f 0x20 0x68 0x6f 0x73 0x74 0x6d 0x61 0x73 0x74 0x65 0x72 0x40 0x64 0x65 0x6c 0x6c 0x2e 0x63 0x6f 0x6d 0x20 0x20 0x2a 0x2a 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x20 0x57 0x57 0x57 0x20 0x53 0x65 0x72 0x76 0x65 0x72 0x3a 0x20 0x73 0x65 0x6e 0x64 0x20 0x45 0x4d 0x41 0x49 0x4c 0x20 0x74 0x6f 0x20 0x77 0x65 0x62 0x6d 0x61 0x73 0x74 0x65 0x72 0x40 0x64 0x65 0x6c 0x6c 0x2e 0x63 0x6f 0x6d 0x20 0x20 0x20 0x2a 0x2a 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x0d 0x0a
1274    35       0x0000000000004001  1258594163.247187  0.000009    0.238593      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      75      21     0x00   0xfbaa  1         0x4000  239    0x334e       0x334e       0x2a2a       0x2a2a       0x0040                                                 0                 0x15c65efe  0x90b23836  950      0        1049       30         0x01c0    0x18      0x0000      4170    0                                                                                    0x32 0x33 0x30 0x20 0x55 0x73 0x65 0x72 0x20 0x6c 0x6f 0x67 0x67 0x65 0x64 0x20 0x69 0x6e 0x2e 0x0d 0x0a
1275    35       0x0000000000004000  1258594163.247637  0.078944    0.319295      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     64      0      0x00   0x3f7d  9         0x4000  128    0x5e91       0x5e91       0x5b5b       0x5b5b       0x0040                                                 0                 0x90b23836  0x15c65f13  14       971      30         1070       0x0140    0x10      0x0000      63790   0                                                                                    
1276    35       0x0000000000004000  1258594163.249385  0.001748    0.321043      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     66      8      0x00   0x3f7e  1         0x4000  128    0x5e88       0x5e88       0x8959       0x8959       0x0040                                                 0                 0x90b23836  0x15c65f13  0        0        30         1070       0x0140    0x18      0x0000      63790   0                                                                                    0x54 0x59 0x50 0x45 0x20 0x49 0x0d 0x0a
1277    35       0x0000000000004001  1258594163.327121  0.079934    0.318527      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      74      20     0x00   0x0656  2732      0x4000  239    0x28a4       0x28a4       0xb130       0xb130       0x0044                                                 0                 0x15c65f13  0x90b2383e  21       8        1070       38         0x01c0    0x18      0x0000      4178    0                                                                                    0x32 0x30 0x30 0x20 0x54 0x79 0x70 0x65 0x20 0x73 0x65 0x74 0x20 0x74 0x6f 0x20 0x49 0x2e 0x0d 0x0a
1278    35       0x0000000000004000  1258594163.327845  0.078460    0.399503      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     64      6      0x00   0x3f7f  1         0x4000  128    0x5e89       0x5e89       0xaaa3       0xaaa3       0x0040                                                 0                 0x90b2383e  0x15c65f27  8        20       38         1090       0x0140    0x18      0x0000      63770   0                                                                                    0x50 0x41 0x53 0x56 0x0d 0x0a
1279    35       0x0000000000004001  1258594163.407582  0.080461    0.398988      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      104     50     0x00   0x148b  3637      0x4000  239    0x1a51       0x1a51       0xbf53       0xbf53       0x0040                                                 0                 0x15c65f27  0x90b23844  20       6        1090       44         0x01c0    0x18      0x0000      4184    0                                                                                    0x32 0x32 0x37 0x20 0x45 0x6e 0x74 0x65 0x72 0x69 0x6e 0x67 0x20 0x50 0x61 0x73 0x73 0x69 0x76 0x65 0x20 0x4d 0x6f 0x64 0x65 0x20 0x28 0x31 0x34 0x33 0x2c 0x31 0x36 0x36 0x2c 0x31 0x31 0x2c 0x31 0x30 0x2c 0x32 0x35 0x31 0x2c 0x37 0x38 0x29 0x0d 0x0a
1283    35       0x0000000000004000  1258594163.487490  0.159645    0.559148      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     82      24     0x00   0x3f8b  12        0x4000  128    0x5e6b       0x5e6b       0xf13a       0xf13a       0x0040                                                 0                 0x90b23844  0x15c65f59  6        50       44         1140       0x0140    0x18      0x0000      63720   0                                                                                    0x53 0x49 0x5a 0x45 0x20 0x2f 0x76 0x69 0x64 0x65 0x6f 0x2f 0x52 0x37 0x39 0x37 0x33 0x33 0x2e 0x45 0x58 0x45 0x0d 0x0a
1284    35       0x0000000000004001  1258594163.565990  0.158408    0.557396      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      67      13     0x00   0x2b10  5765      0x4000  239    0x03f1       0x03f1       0x049e       0x049e       0x0040                                                 0                 0x15c65f59  0x90b2385c  50       24       1140       68         0x01c0    0x18      0x0000      4208    0                                                                                    0x32 0x31 0x33 0x20 0x34 0x32 0x35 0x35 0x30 0x35 0x36 0x0d 0x0a
1285    35       0x0000000000004000  1258594163.566694  0.079204    0.638352      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     82      24     0x00   0x3f8c  1         0x4000  128    0x5e6a       0x5e6a       0xf819       0xf819       0x0040                                                 0                 0x90b2385c  0x15c65f66  24       13       68         1153       0x0140    0x18      0x0000      63707   0                                                                                    0x52 0x45 0x54 0x52 0x20 0x2f 0x76 0x69 0x64 0x65 0x6f 0x2f 0x52 0x37 0x39 0x37 0x33 0x33 0x2e 0x45 0x58 0x45 0x0d 0x0a
1286    35       0x0000000000004001  1258594163.644188  0.078198    0.635594      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      108     54     0x00   0x37af  3231      0x4000  239    0xf728       0xf728       0xb8e3       0xb8e3       0x0040                                                 0                 0x15c65f66  0x90b23874  13       24       1153       92         0x01c0    0x18      0x0000      4232    0                                                                                    0x31 0x32 0x35 0x20 0x44 0x61 0x74 0x61 0x20 0x63 0x6f 0x6e 0x6e 0x65 0x63 0x74 0x69 0x6f 0x6e 0x20 0x61 0x6c 0x72 0x65 0x61 0x64 0x79 0x20 0x6f 0x70 0x65 0x6e 0x3b 0x20 0x54 0x72 0x61 0x6e 0x73 0x66 0x65 0x72 0x20 0x73 0x74 0x61 0x72 0x74 0x69 0x6e 0x67 0x2e 0x0d 0x0a
1303    35       0x0000000000004000  1258594163.838277  0.271583    0.909935      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     64      0      0x00   0x3fa1  21        0x4000  128    0x5e6d       0x5e6d       0x5b1d       0x5b1d       0x0040                                                 0                 0x90b23874  0x15c65f9c  24       54       92         1207       0x0140    0x10      0x0000      63653   0                                                                                    
5898    35       0x0000000000004001  1258594185.427515  21.783327   22.418921     3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      78      24     0x00   0x9f6f  26560     0x4000  239    0x8f86       0x8f86       0x7425       0x7425       0x0040                                                 0                 0x15c65f9c  0x90b23874  54       0        1207       92         0x01c0    0x18      0x0000      4232    0                                                                                    0x32 0x32 0x36 0x20 0x54 0x72 0x61 0x6e 0x73 0x66 0x65 0x72 0x20 0x63 0x6f 0x6d 0x70 0x6c 0x65 0x74 0x65 0x2e 0x0d 0x0a
5900    35       0x0000000000004000  1258594185.618346  21.780069   22.690004     3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        Dell      Apple     64      0      0x00   0x48b9  2328      0x4000  128    0x5555       0x5555       0x5b1d       0x5b1d       0x0040                                                 0                 0x90b23874  0x15c65fb4  0        24       92         1231       0x0140    0x10      0x0000      63629   0                                                                                    
5902    35       0x0000000000004001  1258594491.683288  306.255768  328.674683    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        Apple     Dell      54      0      0x00   0xc0d1  8546      0x4000  239    0x6e3c       0x6e3c       0x431f       0x431f       0x0040                                                 0                 0x15c65fb4  0x90b23874  24       0        1231       92         0x01c0    0x14      0x0004      4232    0 
$

Selecting flows and packets

Maybe you want to look for a certain anomaly, or you are interested in all ICMP messages. As our present PCAP does not contain any ICMP, download annoloc2.pcap and run T2 on it:

$ t2 -r ~/data/annoloc2.pcap -w ~/results/ -s
================================================================================
Tranalyzer 0.8.2 (Anteater), Tarantula. PID: 23059
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.3
    02: macRecorder, 0.8.2
    03: portClassifier, 0.8.2
    04: basicStats, 0.8.3
    05: tcpFlags, 0.8.2
    06: tcpStates, 0.8.2
    07: icmpDecode, 0.8.2
    08: ftpDecode, 0.8.2
    09: txtSink, 0.8.2
[INF] basicFlow: IPv4 Ver: 3, Rev: 20190114, Range Mode: 0, subnet ranges loaded: 2816255 (2.82 M)
[INF] basicFlow: IPv6 Ver: 3, Rev: 20190114, Range Mode: 0, subnet ranges loaded: 36634 (36.63 K)
Processing file: /home/wurst/data/skypeu.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1146661308.742778 sec (Wed 03 May 2006 13:01:48 GMT)
[WRN] snapL2Length: 68 - snapL3Length: 54 - IP length in header: 60
Dump stop : 1146690263.003348 sec (Wed 03 May 2006 21:04:23 GMT)
Total dump duration: 28954.260570 sec (8h 2m 34s)
Finished processing. Elapsed time: 0.075861 sec
Finished unloading flow memory. Time: 0.075929 sec
Percentage completed: 100.00%
Number of processed packets: 8656 (8.66 K)
Number of processed bytes: 580072 (580.07 K)
Number of raw bytes: 673514 (673.51 K)
Number of pcap bytes: 718592 (718.59 K)
Number of IPv4 packets: 8656 (8.66 K) [100.00%]
Number of A packets: 4344 (4.34 K) [50.18%]
Number of B packets: 4312 (4.31 K) [49.82%]
Number of A bytes: 291096 (291.10 K) [50.18%]
Number of B bytes: 288976 (288.98 K) [49.82%]
Average A packet load: 67.01
Average B packet load: 67.02
--------------------------------------------------------------------------------
basicStats: Biggest Talker: 192.168.201.243: 2178 (2.18 K) [25.16%] packets
basicStats: Biggest Talker: 192.168.201.243: 25679 (25.68 K) [4.43%] bytes
tcpFlags: Aggregated IP anomaly flags : 0x1840
tcpFlags: Aggregated TCP anomaly flags: 0x0102
tcpStates: Aggregated anomaly flags: 0x02
ftpDecode: Anomaly flags: 0x00
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 8656 (8.66 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 4
Number of processed A flows: 2 [50.00%]
Number of processed B flows: 2 [50.00%]
Number of request     flows: 2 [50.00%]
Number of reply       flows: 2 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 2164.00 (2.16 K)
Number of processed A packets/flows: 2172.00 (2.17 K)
Number of processed B packets/flows: 2156.00 (2.16 K)
Number of processed total packets/s: 0.30
Number of processed A+B packets/s: 0.30
Number of processed A   packets/s: 0.15
Number of processed   B packets/s: 0.15
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.00
Average full raw bandwidth: 186 b/s
Average snapped bandwidth : 160 b/s
Average full bandwidth : 186 b/s
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.42 GB [0.62%]
Aggregate flow status: 0x0000000200004000
[WRN] L3 SnapLength < Length in IP header
[INF] IPv4
$

Oops, a snaplength warning: the capture was truncated at the IP header. That's bad, so we will not see much content, as you can see in the packet file.

$ tawk 'icmp()' annoloc2_flows.txt | head | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc        ethVlanID  srcIP           srcIPCC  srcIPWho                   srcPort  dstIP            dstIPCC  dstIPWho                   dstPort  l4Proto  macPairs  srcMac_dstMac_numP                     srcManuf_dstManuf  dstPortClassN  dstPortClass  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT  aveIAT  stdIAT  pktps  bytps  pktAsm  bytAsm  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipTOS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpTmS  tcpTmER  tcpEcI  tcpBtm    tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStates  icmpStat  icmpTCcnt  icmpBFTypH_TypL_Code          icmpTmGtw   icmpEchoSuccRatio  icmpPFindex  ftpStat  ftpCDFindex  ftpCC  ftpRC  ftpUsrNum  ftpPwNum  ftpCNum  ftpUsr  ftpPw  ftpC
A     59       0x0000000200004001  1022171701.692762  1022171701.692762  0.000000  1           3        eth:ipv4:icmp  0          138.212.187.10  jp       "asahi kasei corporation"  0        201.116.148.149  mx       "--"                       0        1        1         00:80:48:b3:22:ef_00:d0:02:6d:78:00_1  CompexUs_Ditech    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0100    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       0      0       0        0       0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  0            0x00                                0          0         0                       
A     896      0x0000000200004001  1022171701.812425  1022171701.812425  0.000000  1           3        eth:ipv4:icmp  0          138.212.189.88  jp       "asahi kasei corporation"  0        201.116.161.83   mx       "--"                       0        1        1         00:80:48:d7:ed:7a_00:d0:02:6d:78:00_1  CompexUs_Ditech    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0100    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       0      0       0        0       0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  893          0x00                                0          0         0                       
A     1073     0x0000000200004001  1022171701.889357  1022171701.889357  0.000000  1           3        eth:ipv4:icmp  0          138.212.184.71  jp       "asahi kasei corporation"  0        146.208.9.41     us       "arin"                     0        1        1         00:48:54:7a:04:0f_00:d0:02:6d:78:00_1  DigitalS_Ditech    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0100    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       0      0       0        0       0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1056         0x00                                0          0         0                       
A     1181     0x0000000200004001  1022171701.956543  1022171701.956543  0.000000  1           3        eth:ipv4:icmp  0          201.118.86.105  mx       "--"                       0        138.212.189.66   jp       "asahi kasei corporation"  0        1        1         00:d0:02:6d:78:00_00:80:48:b3:22:c4_1  Ditech_CompexUs    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0100    65535       0           246       246       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       0      0       0        0       0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          0x00000000_0x00000008_0x0002  0x00000000  0                  1170         0x00                                0          0         0                       
A     1208     0x0000000200004001  1022171701.980834  1022171701.980834  0.000000  1           3        eth:ipv4:icmp  0          138.213.40.91   ff       "apnic"                    0        138.212.189.66   jp       "asahi kasei corporation"  0        1        1         00:d0:02:6d:78:00_00:80:48:b3:22:c4_1  Ditech_CompexUs    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0100    65535       0           113       113       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       0      0       0        0       0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1184         0x00                                0          0         0                       
A     1236     0x0000000200004001  1022171702.009674  1022171702.009674  0.000000  1           3        eth:ipv4:icmp  0          138.212.184.71  jp       "asahi kasei corporation"  0        36.237.77.156    tw       "--"                       0        1        1         00:48:54:7a:04:0f_00:d0:02:6d:78:00_1  DigitalS_Ditech    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0100    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       0      0       0        0       0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1226         0x00                                0          0         0                       
A     1561     0x0000000200004001  1022171702.247453  1022171702.247453  0.000000  1           3        eth:ipv4:icmp  0          138.212.186.88  jp       "asahi kasei corporation"  0        201.19.77.72     br       "--"                       0        1        1         00:04:76:22:07:90_00:d0:02:6d:78:00_1  3Com_Ditech        0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0100    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       0      0       0        0       0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1559         0x00                                0          0         0                       
A     1576     0x0000000200004001  1022171702.265015  1022171702.265015  0.000000  1           3        eth:ipv4:icmp  0          138.212.191.25  jp       "asahi kasei corporation"  0        19.50.144.156    us       "--"                       0        1        1         00:08:a1:1d:3f:f1_00:d0:02:6d:78:00_1  CnetTech_Ditech    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0100    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       0      0       0        0       0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1574         0x00                                0          0         0                       
A     1722     0x0000000200004001  1022171702.396273  1022171702.396273  0.000000  1           3        eth:ipv4:icmp  0          138.212.190.25  jp       "asahi kasei corporation"  0        19.6.20.159      us       "searched the apnic whoi"  0        1        1         00:80:48:b3:24:eb_00:d0:02:6d:78:00_1  CompexUs_Ditech    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0100    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       0      0       0        0       0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          0x00000000_0x00000008_0x0008  0x00000000  0                  1715         0x00                                0          0         0 

icmpDecode links an ICMP message to the flow that caused it: the icmpPFindex column of an ICMP flow holds the flow index of the packet the ICMP message refers to (0 if it could not be linked). So with a one-liner we can select all the linked flows from the flow file (the list is printed semicolon-separated so that it can be fed to tawk's flow() function afterwards):

$ tawk 'icmp(){ if ($icmpPFindex != 0) {printf "%d;", $icmpPFindex;}}' annoloc2_flows.txt
893;1056;1170;1184;1226;1559;1574;1715;1744;1752;1819;7889;1880;1876;1978;1998;2014;2093;2125;2227;2240;2390;2461;2479;2434;2534;2541;2569;2552;2646;2694;2645;2746;1152;2832;2897;2921;2929;2944;2973;2970;3002;3026;3022;3120;3118;3154;3122;3230;3206;3246;3350;2385;1660;1549;1748;2364;1792;3591;1897;1797;3614;1896;493;2096;1979;2196;1485;2177;2182;3816;2768;2481;2540;3252;2845;2720;2942;2776;2979;2690;4326;3108;3065;3149;3174;3207;2651;4412;1128;635;1038;1219;1213;3269;4518;4450;3496;1596;4601;1631;4613;1701;4275;1904;2332;4634;1717;1926;1842;2560;2009;2567;3658;2086;4871;4882;2487;2463;3902;2880;2593;2765;2577;3000;5081;2755;2718;2907;1465;3010;5232;3165;3234;4525;3190;3263;3605;5478;3327;5526;5523;3466;3703;2123;3413;3465;3508;2915;5644;3550;4685;4737;3722;5803;3696;5901;4950;3874;3574;4000;4117;3320;3645;5237;4220;4201;6245;4293;5336;4163;4313;4379;4982;4301;3724;5434;4389;6422;4488;6296;4511;5813;4666;6469;4696;4682;4753;6628;4797;6595;4639;4827;4854;4693;4999;6749;4976;5709;6815;6831;4943;4969;5137;4967;5405;5100;4553;5317;5242;5244;5243;5274;4665;6398;7189;5362;5418;5496;5389;5365;5583;5653;5634;5630;5587;6590;5012;5503;5661;7434;5656;5730;5637;3436;5745;7500;1322;7486;6694;5887;6859;6772;5877;7603;7607;5970;6878;5821;5908;5972;5347;5421;6043;5432;6018;7771;6053;5233;6261;6067;6125;7046;6228;6199;6178;6295;7843;6340;6380;6363;6350;5842;6411;6371;6534;6507;6826;6575;8351;6648;6624;8457;6699;6696;6754;6693;6782;6800;6835;8057;8482;6875;1682;6893;6933;6897;6885;6998;7037;8918;7970;7223;7103;7417;7196;8905;8157;7299;8078;1534;9118;8231;7464;7512;9169;8137;7339;1341;1311;9202;979;9214;7455;9236;1937;7439;1160;1939;9264;1974;1997;8314;9241;8233;8338;8706;988;1361;6987;9306;2088;1492;2257;9304;9341;7887;8427;9354;4014;1935;8421;9361;8451;1625;2219;7528;7666;9377;9385;7515;9401;8542;7606;1825;8508;7616;9411;2349;8454;9437;7646;9464;2207;9485;9496;9501;8297;7668;8557;9536;1766;2337;2360;9551;7679;8615;7702;2105;7723;2606;7751;8320;9508;8109;2234;7680;9615;9626;8769;2265;
9642;8007;7699;7038;2377;9663;9667;3317;9674;8719;9680;2635;7837;9698;9686;8458;3518;9077;9727;8844;7849;7785;2736;9177;8051;8810;2763;7884;7892;8430;8817;2358;2815;7921;2857;6216;2842;7914;1412;8579;8876;2671;2523;1873;9831;8907;9841;3144;2982;5196;8044;9870;3030;9866;705;8924;9888;9892;8089;2967;9922;3146;959;3202;94;3209;490;8965;3039;828;9976;921;536;1012;8156;9416;977
$

Now select some of them from the flow file with tawk's flow() function, which takes a semicolon-separated list of flow indices:

$ tawk -t 'flow("536;1012;8156;9416;977")' annoloc2_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       ethVlanID  srcIP            srcIPCC  srcIPWho                   srcPort  dstIP            dstIPCC  dstIPWho                   dstPort  l4Proto  macPairs  srcMac_dstMac_numP                       srcManuf_dstManuf  dstPortClassN  dstPortClass  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT     stdIAT      pktps      bytps     pktAsm  bytAsm  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipTOS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpTmS  tcpTmER  tcpEcI  tcpBtm    tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStates  icmpStat  icmpTCcnt  icmpBFTypH_TypL_Code          icmpTmGtw   icmpEchoSuccRatio  icmpPFindex  connSip  connDip  connSipDip  connSipDprt  connF
A     977      0x0000100200004000  1022171701.845506  1022171726.565720  24.720214  1           3        eth:ipv4:udp  0          138.212.184.165  jp       "asahi kasei corporation"  10012    193.107.159.17   at       "at-westnet"               58840    17       1         00:00:1c:b6:1a:53_00:d0:02:6d:78:00_102  BellTech_Ditech    58840          unknown       102         0            204          0             2         2         2           0           0       0.480919  0.2423551  0.0384127   4.126178   8.252356  1       1       0x0100    0           0           63        63        0         0x00   0x1840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       0      0       0        0       0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x00      0          0x00000000_0x00000000_0x0000  0x00000000  0                  0            9        1        2           1            0.1111111
A     536      0x0000100200004000  1022171701.729716  1022171726.571332  24.841616  1           3        eth:ipv4:udp  0          216.180.24.151   us       "arin"                     7755     138.212.190.122  jp       "asahi kasei corporation"  1411     17       1         00:d0:02:6d:78:00_00:04:76:9d:b8:ea_102  Ditech_3Com        1411           af            102         0            204          0             2         2         2           0           0       0.481309  0.2435452  0.03869319  4.106013   8.212027  1       1       0x0100    0           0           54        54        0         0x00   0x1840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       0      0       0        0       0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x00      0          0x00000000_0x00000000_0x0000  0x00000000  0                  0            1        1        2           1            1
A     1012     0x0000100200004000  1022171701.864058  1022171726.588214  24.724156  1           3        eth:ipv4:udp  0          138.212.191.240  jp       "asahi kasei corporation"  7777     19.6.23.127      us       "searched the apnic whoi"  1591     17       1         00:04:75:73:9b:a2_00:d0:02:6d:78:00_103  3Com_Ditech        1591           ncpm-pm       103         0            206          0             2         2         2           0           0       0.480624  0.2400404  0.03038617  4.165967   8.331933  1       1       0x0100    0           0           64        64        0         0x00   0x1840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       0      0       0        0       0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x00      0          0x00000000_0x00000000_0x0000  0x00000000  0                  0            1        1        2           1            1
A     8156     0x0000000200004000  1022171720.363014  1022171726.611212  6.248198   1           3        eth:ipv4:udp  0          193.86.50.182    cz       "--"                       1214     138.212.187.10   jp       "asahi kasei corporation"  1214     17       1         00:d0:02:6d:78:00_00:80:48:b3:22:ef_3    Ditech_CompexUs    1214           kazaa         3           0            126          0             42        42        42          0           0       3.270969  2.082733   1.099679    0.4801384  20.16581  1       1       0x0100    201         206         119       119       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       0      0       0        0       0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x00      0          0x00000000_0x00000000_0x0000  0x00000000  0                  0            1        1        2           1            1
A     9416     0x0000000200004000  1022171724.619780  1022171726.619724  1.999944   1           3        eth:ipv4:udp  0          83.17.130.9      pl       "static ip"                3098     138.212.191.75   jp       "asahi kasei corporation"  27015    17       1         00:d0:02:6d:78:00_00:50:da:37:f6:03_2    Ditech_3Com        27015          unknown       2           0            25           0             9         16        12.5        2.474874    0       1.999944  0.999972   0.707087    1.000028   12.50035  1       1       0x0100    55040       55040       111       111       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       0      0       0        0       0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x00      0          0x00000000_0x00000000_0x0000  0x00000000  0                  0            1        1        2           1            1
...

Unfortunately the packet payload is not present in this capture (the l7HexContent column stays empty), otherwise listing the ICMP packets sent back to the sender would also show the quoted header of the packet that triggered them. The packets that caused the ICMP messages can be selected from the packet file with the same one-liner, because flows and packets share the flow index:

$ tawk -t 'flow("536;1012;8156;9416;977")' annoloc2_packets.txt | head | tcol
%pktNo  flowInd  flowStat            time               pktIAT    flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP            srcIPCC  srcIPWho                 srcPort  dstIP            dstIPCC  dstIPWho                 dstPort  l4Proto  srcManuf  dstManuf  pktLen  l7Len  ipTOS  ipID    ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq  ack  seqDiff  ackDiff  seqPktLen  ackPktLen  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpOptLen  tcpOpts  icmpType  icmpCode  icmpPFindex  l7HexContent
1570    536      0x0000000200004000  1022171701.729716  0.000000  0.000000      3        eth:ipv4:udp             00:d0:02:6d:78:00  00:04:76:9d:b8:ea  0x0800   216.180.24.151   us       arin                     7755     138.212.190.122  jp       asahi kasei corporation  1411     17       Ditech    3Com      60      2      0x00   0x0000  0         0x4000  54     0x0a35       0x0a35       0x2b30       0x0000       0x1840                                                 0                                                                                                                                                                
7157    977      0x0000000200004000  1022171701.845506  0.000000  0.000000      3        eth:ipv4:udp             00:00:1c:b6:1a:53  00:d0:02:6d:78:00  0x0800   138.212.184.165  jp       asahi kasei corporation  10012    193.107.159.17   at       at-westnet               58840    17       BellTech  Ditech    60      2      0x00   0x0000  0         0x4000  63     0x97d8       0x97d8       0xccac       0x0000       0x1840                                                 0                                                                                                                                                                
7966    1012     0x0000000200004000  1022171701.864058  0.000000  0.000000      3        eth:ipv4:udp             00:04:75:73:9b:a2  00:d0:02:6d:78:00  0x0800   138.212.191.240  jp       asahi kasei corporation  7777     19.6.23.127      us       searched the apnic whoi  1591     17       3Com      Ditech    60      2      0x00   0x0000  0         0x4000  64     0xc585       0xc585       0x31b2       0x0000       0x1840                                                 0                                                                                                                                                                
13204   536      0x0000000200004000  1022171701.971061  0.241345  0.241345      3        eth:ipv4:udp             00:d0:02:6d:78:00  00:04:76:9d:b8:ea  0x0800   216.180.24.151   us       arin                     7755     138.212.190.122  jp       asahi kasei corporation  1411     17       Ditech    3Com      60      2      0x00   0x0000  0         0x4000  54     0x0a35       0x0a35       0x2a30       0x0000       0x1840                                                 0                                                                                                                                                                
18787   977      0x0000000200004000  1022171702.089219  0.243713  0.243713      3        eth:ipv4:udp             00:00:1c:b6:1a:53  00:d0:02:6d:78:00  0x0800   138.212.184.165  jp       asahi kasei corporation  10012    193.107.159.17   at       at-westnet               58840    17       BellTech  Ditech    60      2      0x00   0x0000  0         0x4000  63     0x97d8       0x97d8       0xcbac       0x0000       0x1840                                                 0                                                                                                                                                                
19587   1012     0x0000000200004000  1022171702.105740  0.241682  0.241682      3        eth:ipv4:udp             00:04:75:73:9b:a2  00:d0:02:6d:78:00  0x0800   138.212.191.240  jp       asahi kasei corporation  7777     19.6.23.127      us       searched the apnic whoi  1591     17       3Com      Ditech    60      2      0x00   0x0000  0         0x4000  64     0xc585       0xc585       0x30b2       0x0000       0x1840                                                 0                                                                                                                                                                
24718   536      0x0000100200004000  1022171702.209034  0.237973  0.479318      3        eth:ipv4:udp             00:d0:02:6d:78:00  00:04:76:9d:b8:ea  0x0800   216.180.24.151   us       arin                     7755     138.212.190.122  jp       asahi kasei corporation  1411     17       Ditech    3Com      60      2      0x00   0x0000  0         0x4000  54     0x0a35       0x0a35       0x2930       0x0000       0x1840                                                 0                                                                                                                                                                
30620   977      0x0000100200004000  1022171702.324850  0.235631  0.479344      3        eth:ipv4:udp             00:00:1c:b6:1a:53  00:d0:02:6d:78:00  0x0800   138.212.184.165  jp       asahi kasei corporation  10012    193.107.159.17   at       at-westnet               58840    17       BellTech  Ditech    60      2      0x00   0x0000  0         0x4000  63     0x97d8       0x97d8       0xcaac       0x0000       0x1840                                                 0                                                                                                                                                                
31252   1012     0x0000100200004000  1022171702.338005  0.232265  0.473947      3        eth:ipv4:udp             00:04:75:73:9b:a2  00:d0:02:6d:78:00  0x0800   138.212.191.240  jp       asahi kasei corporation  7777     19.6.23.127      us       searched the apnic whoi  1591     17       3Com      Ditech    60      2      0x00   0x0000  0         0x4000  64     0xc585       0xc585       0x2fb2       0x0000       0x1840                                                 0  
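The two tawk one-liners used above, the icmpPFindex lookup and the flow("…") selection, as an added example in plain awk and POSIX shell. This is not part of the T2 tutorial or of the Tranalyzer code; it shows what tawk does for you when you write $icmpPFindex, namely resolving column names from the % header, and it also handles the case where an icmpPFindex points at a flow index that is not in the (possibly pre-filtered) flow file. Both input files are constructed with a reduced column set: flows 536, 977, 1012 and 1208 and packets 1570, 7157 and 13204 take their indices, addresses and icmpPFindex values from the output above; ICMP flow 1300 and packet 20000 are invented so that one ICMP flow has a parent present in the file and one does not.

```shell
#!/bin/sh
# Added example (not part of the T2 tutorial): drill down from ICMP flows to
# the flows that triggered them, and from flows to their packets, with plain
# awk instead of tawk. Column names are resolved from the '%' header line.
#
# Both input files are CONSTRUCTED with a reduced column set. Real T2 files
# have many more columns, but the same layout: a tab-separated header starting
# with '%', then one row per flow (or per packet in -s mode).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FLOWS="$WORK/flows.txt"
PACKETS="$WORK/packets.txt"

# Flows 536, 977, 1012 and 1208 come from the tutorial output; ICMP flow 1300
# is invented: its icmpPFindex points at 536, which is in the file, while
# flow 1208 points at 1184, which is not.
{
  printf '%%dir\tflowInd\tsrcIP\tdstIP\tl4Proto\ticmpPFindex\n'
  printf 'A\t536\t216.180.24.151\t138.212.190.122\t17\t0\n'
  printf 'A\t977\t138.212.184.165\t193.107.159.17\t17\t0\n'
  printf 'A\t1012\t138.212.191.240\t19.6.23.127\t17\t0\n'
  printf 'A\t1208\t138.213.40.91\t138.212.189.66\t1\t1184\n'
  printf 'A\t1300\t138.212.190.122\t216.180.24.151\t1\t536\n'
} > "$FLOWS"

# Packets 1570, 7157 and 13204 come from the packet-mode output above;
# packet 20000 is the invented ICMP reply belonging to flow 1300.
{
  printf '%%pktNo\tflowInd\ttime\tsrcIP\tdstIP\tl4Proto\tl7Len\n'
  printf '1570\t536\t1022171701.729716\t216.180.24.151\t138.212.190.122\t17\t2\n'
  printf '7157\t977\t1022171701.845506\t138.212.184.165\t193.107.159.17\t17\t2\n'
  printf '13204\t536\t1022171701.971061\t216.180.24.151\t138.212.190.122\t17\t2\n'
  printf '20000\t1300\t1022171702.000000\t138.212.190.122\t216.180.24.151\t1\t0\n'
} > "$PACKETS"

# For every ICMP flow (l4Proto 1) with a non-zero icmpPFindex, print the parent
# flow it points to. A parent index that is absent from the file (e.g. because
# the flow file was filtered beforehand) is reported rather than dropped.
icmp_parents() {
  awk -F'\t' '
    # Map column names to positions from the % header (tawk does this for $name).
    FNR == 1 && $1 ~ /^%/ {
      for (i = 1; i <= NF; i++) { name = $i; sub(/^%/, "", name); col[name] = i }
      next
    }
    # Pass 1 (the file is read twice): remember every flow by its flowInd.
    NR == FNR {
      ind = $(col["flowInd"])
      proto[ind] = $(col["l4Proto"]); src[ind] = $(col["srcIP"]); dst[ind] = $(col["dstIP"])
      next
    }
    # Pass 2: resolve the link for ICMP flows.
    $(col["l4Proto"]) == 1 && $(col["icmpPFindex"]) != 0 {
      p = $(col["icmpPFindex"])
      if (p in proto)
        printf "%s -> %s proto=%s %s -> %s\n", $(col["flowInd"]), p, proto[p], src[p], dst[p]
      else
        printf "%s -> %s (parent not in file)\n", $(col["flowInd"]), p
    }
  ' "$1" "$1"
}

# Plain-awk equivalent of tawk flow("536;977"): print the header and the rows
# of a flow or packet file whose flowInd is in the ;-separated list.
select_flows() {
  awk -F'\t' -v list="$2" '
    BEGIN { n = split(list, a, ";"); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    FNR == 1 && $1 ~ /^%/ {
      for (i = 1; i <= NF; i++) { name = $i; sub(/^%/, "", name); col[name] = i }
      print; next
    }
    { if ($(col["flowInd"]) in want) print }
  ' "$1"
}

icmp_parents "$FLOWS"
select_flows "$PACKETS" '536;977'
```

Reading the file twice in icmp_parents is the usual awk join idiom; it avoids loading the packet file at all, so the drill-down from flow to packet is still a second, cheap selection with select_flows, which works unchanged on both the flow and the packet file because both carry the flowInd column.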

That was just a very brief demo of what you can do with the T2 packet mode. A more extensive introduction to mining and drill-down methods will follow in the drill-down tutorial (coming soon).