Tutorial: The Packet forensics mode

Description

This tutorial introduces the packet mode of T2. It was designed for efficient post-processing and as a means of drilling down from a flow to the individual packets. The packet file uses the same tab-separated format as the flow file and can therefore be processed by tawk or any other tool of your choice. Each plugin can contribute columns to the packet file, just as it does for flows. Flows and packets are linked by the unique flow index (flowInd).

Preparation

Before we start, remove all unnecessary or outdated plugins from the plugin folder ~/.tranalyzer/plugins and (re)compile the plugins required for this tutorial: basicFlow, basicStats, tcpStates, ftpDecode and txtSink.

# First, empty the plugins folder.
$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$ t2build tranalyzer2 basicFlow basicStats tcpStates ftpDecode txtSink
...
BUILD SUCCESSFUL

Compiling the basicFlow plugin took a bit longer this time, because -e also removes the compiled subnet files used for geolocation, so they had to be rebuilt.

If you want to keep the existing subnet files, remove only the shared objects instead:

$ rm ~/.tranalyzer/plugins/*.so
$ t2build basicFlow basicStats tcpStates ftpDecode txtSink

Compilation is considerably faster this way, because the subnet files already exist.

If you have not yet created separate data and results directories, do so now in a second terminal window:

$ mkdir ~/data
$ mkdir ~/results
$ cd ~/data

The anonymized sample pcap can be downloaded here: faf-exercise.pcap. Extract it into your data folder if you have not already done so. You are now all set for your first packet mode experience.

Activation of Packet Mode

Packet mode is activated with the -s option on the t2 command line. Since txtSink is loaded, the output is written as tab-separated text, and every packet now produces a separate line in a packets file that is created next to the flow file.

$ t2 -r ~/data/faf-exercise.pcap -w ~/results -s
================================================================================
Tranalyzer 0.8.7 (Anteater), Tarantula. PID: 102899
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.7
    02: basicStats, 0.8.7
    03: tcpStates, 0.8.7
    04: ftpDecode, 0.8.7
    05: txtSink, 0.8.7
[INF] basicFlow: IPv4 Ver: 4, Rev: 01102019, Range Mode: 0, subnet ranges loaded: 313050 (313.05 K)
[INF] basicFlow: IPv6 Ver: 4, Rev: 01102019, Range Mode: 0, subnet ranges loaded: 21495 (21.50 K)
Processing file: /home/wurst/data/faf-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1258544215.037210 sec (Wed 18 Nov 2009 11:36:55 GMT)
Dump stop : 1258594491.683288 sec (Thu 19 Nov 2009 01:34:51 GMT)
Total dump duration: 50276.646078 sec (13h 57m 56s)
Finished processing. Elapsed time: 0.156041 sec
Finished unloading flow memory. Time: 0.156081 sec
Percentage completed: 100.00%
Number of processed packets: 5902 (5.90 K)
Number of processed bytes: 4993414 (4.99 M)
Number of raw bytes: 4993414 (4.99 M)
Number of pcap bytes: 5087870 (5.09 M)
Number of IPv4 packets: 5902 (5.90 K) [100.00%]
Number of A packets: 1986 (1.99 K) [33.65%]
Number of B packets: 3916 (3.92 K) [66.35%]
Number of A bytes: 209315 (209.31 K) [4.19%]
Number of B bytes: 4784099 (4.78 M) [95.81%]
Average A packet load: 105.40
Average B packet load: 1221.68 (1.22 K)
--------------------------------------------------------------------------------
basicStats: Biggest L3 Talker: 143.166.11.10 (US): 3101 (3.10 K) [52.54%] packets
basicStats: Biggest L3 Talker: 143.166.11.10 (US): 4436320 (4.44 M) [88.84%] bytes
tcpStates: Aggregated anomaly flags: 0x4a
ftpDecode: Anomaly flags: 0x43
ftpDecode: Number of FTP packets: 4634 (4.63 K) [78.52%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 5902 (5.90 K) [100.00%]
Number of TCP bytes: 4993414 (4.99 M) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 72
Number of processed A flows: 36 [50.00%]
Number of processed B flows: 36 [50.00%]
Number of request     flows: 36 [50.00%]
Number of reply       flows: 36 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 81.97
Number of processed A packets/flows: 55.17
Number of processed B packets/flows: 108.78
Number of processed total packets/s: 0.12
Number of processed A+B packets/s: 0.12
Number of processed A   packets/s: 0.04
Number of processed   B packets/s: 0.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.00
Average full raw bandwidth: 795 b/s
Average full bandwidth : 792 b/s
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.06 GB [0.09%]
Aggregate flow status: 0x0000000000004000
[INF] IPv4
$

Nice: the flows are perfectly symmetric (flow asymmetry = 0), so there are no one-sided flows, everything is IPv4 over TCP, and 78% of the packets belong to FTP, i.e. readable cleartext. The biggest talker, 143.166.11.10, sent 89% of all bytes; maybe that is the FTP data flow? Let’s find out.

Switch to your results window:

$ ls
faf-exercise_flows.txt  faf-exercise_headers.txt  faf-exercise_packets.txt
$

An additional packets file has been created. Let’s have a look at it:

$ head -28 faf-exercise_packets.txt | tcol
%pktNo  flowInd  flowStat            time               pktIAT    flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP           srcIPCC  srcIPWho                     srcPort  dstIP           dstIPCC  dstIPWho                     dstPort  l4Proto  pktLen  l7Len  l7Content
1       1        0x0000000000004000  1258544215.037210  0.000000  0.000000      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1258     77.67.44.206    fr       GTT Communications Inc.      80       6        66      0
2       1        0x0000000000004001  1258544215.202900  0.000000  0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    fr       GTT Communications Inc.      80       192.168.1.104   09       Private network              1258     6        62      0
3       1        0x0000000000004000  1258544215.203358  0.166148  0.166148      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1258     77.67.44.206    fr       GTT Communications Inc.      80       6        64      0
4       1        0x0000000000004000  1258544215.203850  0.000492  0.166640      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1258     77.67.44.206    fr       GTT Communications Inc.      80       6        425     367    GET /softw/90/update/avg9infoavi.ctf HTTP/1.1\r\nUser-Agent: AVGINET9-WXPPX86 90 AVI=270.14.71/2510 BUILD=707 LOC=1033 LIC=9I-ASXNN-X4WGW-M0XFR-T84VX-3VX02 DIAG=51E OPF=0 PCA=\r\nHost: backup.avg.cz\r\nAccept: */*\r\nAccept-Encoding: identity,deflate,gzip\r\nIf-Modified-Since: Tue, 17 Nov 2009 20:41:10 GMT\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nx-avg-id:78-175947826\r\n\r\n
5       1        0x0000000000004001  1258544215.370055  0.167155  0.167155      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    fr       GTT Communications Inc.      80       192.168.1.104   09       Private network              1258     6        1434    1380   HTTP/1.1 200 OK\r\nDate: Wed, 18 Nov 2009 11:39:48 GMT\r\nServer: Apache\r\nLast-Modified: Wed, 18 Nov 2009 09:04:15 GMT\r\nETag: "15c007-cea-478a186e401c0"\r\nAccept-Ranges: bytes\r\nContent-Length: 3306\r\nConnection: close\r\nContent-Type: text/plain\r\n\r\nAVG CTF Index File;ver(10)\r\nbin(u7avi1777ff.bin)grp(avi:1777)tm(0911180855)pri(2)len(6637487)\r\nbin(u7avi1777u1323ff.bin)grp(avi:1777)dep(avi:1323)tm(0911180855)pri(2)len(590030)\r\nbin(u7avi1777u1705ff.bin)grp(avi:1777)dep(avi:1705)tm(0911180855)pri(2)len(95323)\r\nbin(u7iavi2511ff.bin)grp(iavi:2511)tm(0911180855)pri(2)len(45641416)\r\nbin(u7iavi2511u2251fo.bin)grp(iavi:2511)dep(iavi:2251)tm(0911180855)pri(2)len(6175342)\r\nbin(u7iavi2511u2353fn.bin)grp(iavi:2511)dep(iavi:2353)tm(0911180855)pri(2)len(4506824)\r\nbin(u7iavi2511u2404fm.bin)grp(iavi:2511)dep(iavi:2404)tm(0911180855)pri(2)len(3342546)\r\nbin(u7iavi2511u2431fl.bin)grp(iavi:2511)dep(iavi:2431)tm(0911180855)pri(2)len(2609643)\r\nbin(u7iavi2511u2458fk.bin)grp(iavi:2511)dep(iavi:2458)tm(0911180855)pri(2)len(1380674)\r\nbin(u7iavi2511u2480fj.bin)grp(iavi:2511)dep(iavi:2480)tm(0911180855)pri(2)len(681743)\r\nbin(u7iavi2511u2490fi.bin)grp(iavi:2511)dep(iavi:2490)tm(0911180855)pri(2)len(555496)\r\nbin(u7iavi2511u2500fh.bin)grp(iavi:2511)dep(iavi:2500)tm(0911180855)pri(2)len(332906)\r\nbin(u7iavi2511u2505fh.bin)grp(iavi:2511)dep(iavi:2505)tm(0911180855)pri(2)len(204942)\r\nbin(u7iavi2511u2508
6       1        0x0000000000004001  1258544215.370067  0.000012  0.167167      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    fr       GTT Communications Inc.      80       192.168.1.104   09       Private network              1258     6        375     321    fg.bin)grp(iavi:2511)dep(iavi:2508)tm(0911180855)pri(2)len(72274)\r\nbin(u7iavi2511u2510ff.bin)grp(iavi:2511)dep(iavi:2510)tm(0911180855)pri(2)len(30540)\r\nbin(u9ichjw4qt.bin)grp(ichjw:4)pri(2)tm(0907131859)len(113488)\r\nbin(u9ichjw4u2ia.bin)grp(ichjw:4)dep(ichjw:2)pri(2)tm(0907131859)len(94470)\r\nbin(u9ichjw4u3gq.bin)grp(ic
7       1        0x0000000000004000  1258544215.370501  0.166651  0.333291      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1258     77.67.44.206    fr       GTT Communications Inc.      80       6        64      0
8       1        0x0000000000004001  1258544215.370560  0.000493  0.167660      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    fr       GTT Communications Inc.      80       192.168.1.104   09       Private network              1258     6        1434    1380   hjw:4)dep(ichjw:3)pri(2)tm(0907131859)len(13313)\r\nbin(u9idat249b243tc.bin)grp(idat:249)dif(idat:243)pri(2)tm(0911051401)len(621430)\r\nbin(u9idat249b245bp.bin)grp(idat:249)dif(idat:245)pri(2)tm(0911051401)len(197648)\r\nbin(u9idat249b246mj.bin)grp(idat:249)dif(idat:246)pri(2)tm(0911051400)len(159289)\r\nbin(u9idat249b247uh.bin)grp(idat:249)dif(idat:247)pri(2)tm(0911051400)len(95680)\r\nbin(u9idat249le.bin)grp(idat:249)pri(2)tm(0911051400)len(1927074)\r\nbin(u9ifw42jx.bin)grp(ifw:42)pri(2)tm(0911131400)len(541853)\r\nbin(u9ifw42u38we.bin)grp(ifw:42)dep(ifw:38)pri(2)tm(0911131400)len(123575)\r\nbin(u9ifw42u39ke.bin)grp(ifw:42)dep(ifw:39)pri(2)tm(0911131400)len(92745)\r\nbin(u9ifw42u40dc.bin)grp(ifw:42)dep(ifw:40)pri(2)tm(0911131400)len(67292)\r\nbin(u9ifw42u41tz.bin)grp(ifw:42)dep(ifw:41)pri(2)tm(0911131400)len(18393)\r\nbin(x8all234yc.bin)grp(xplph:0012;xplsb:0099;xplsb2:0118;xplsc:0149)tm(0911180700)pri(2)len(1146352)\r\nbin(x8xplph_12gj.bin)grp(xplph:12)tm(0910280700)pri(2)len(4551)\r\nbin(x8xplsb2_118c8.bin)grp(xplsb2:118)tm(0911180700)pri(2)len(4989)\r\nbin(x8xplsb_9946.bin)grp(xplsb:99)tm(0911160700)pri(2)len(985460)\r\nbin(x8xplsb_99d9546.bin)grp(xplsb:99)dif(xplsb:95)tm(0911160700)pri(2)len(32267)\r\nbin(x8xplsb_99d9646.bin)grp(xplsb:99)dif(xplsb:96)tm(0911160700)pri(2)len(3505)\r\nbin(x8xplsb_99d9746.bin)grp(xplsb:99)dif(xplsb:97)tm(0911160700)pri(2)len(644)\r\nbin(x8xplsb_99d9846.bin
9       1        0x0000000000004001  1258544215.370571  0.000011  0.167671      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    fr       GTT Communications Inc.      80       192.168.1.104   09       Private network              1258     6        520     466    )grp(xplsb:99)dif(xplsb:98)tm(0911160700)pri(2)len(581)\r\nbin(x8xplsc_149c8.bin)grp(xplsc:149)tm(0911180700)pri(2)len(151922)\r\nbin(x8xplsc_149d145c8.bin)grp(xplsc:149)dif(xplsc:145)tm(0911180700)pri(2)len(2561)\r\nbin(x8xplsc_149d146c8.bin)grp(xplsc:149)dif(xplsc:146)tm(0911180700)pri(2)len(1921)\r\nbin(x8xplsc_149d147c8.bin)grp(xplsc:149)dif(xplsc:147)tm(0911180700)pri(2)len(1767)\r\nbin(x8xplsc_149d148c8.bin)grp(xplsc:149)dif(xplsc:148)tm(0911180700)pri(2)len(1411)\r\n
10      1        0x0000000000004001  1258544215.370580  0.000009  0.167680      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    fr       GTT Communications Inc.      80       192.168.1.104   09       Private network              1258     6        54      0
11      1        0x0000000000004000  1258544215.370997  0.000496  0.333787      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1258     77.67.44.206    fr       GTT Communications Inc.      80       6        64      0
12      1        0x0000000000004000  1258544215.372742  0.001745  0.335532      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1258     77.67.44.206    fr       GTT Communications Inc.      80       6        64      0
13      1        0x0000000000004001  1258544215.537951  0.167371  0.335051      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    fr       GTT Communications Inc.      80       192.168.1.104   09       Private network              1258     6        54      0
14      2        0x0000000000004000  1258544216.385370  0.000000  0.000000      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1259     77.67.44.206    fr       GTT Communications Inc.      80       6        66      0
15      2        0x0000000000004001  1258544216.551313  0.000000  0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    fr       GTT Communications Inc.      80       192.168.1.104   09       Private network              1259     6        62      0
16      2        0x0000000000004000  1258544216.551760  0.166390  0.166390      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1259     77.67.44.206    fr       GTT Communications Inc.      80       6        64      0
17      2        0x0000000000004000  1258544216.554751  0.002991  0.169381      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1259     77.67.44.206    fr       GTT Communications Inc.      80       6        380     322    GET /softw/90/update/u7avi1777u1705ff.bin HTTP/1.1\r\nUser-Agent: AVGINET9-WXPPX86 90 AVI=270.14.71/2510 BUILD=707 LOC=1033 LIC=9I-ASXNN-X4WGW-M0XFR-T84VX-3VX02 DIAG=51E OPF=0 PCA=\r\nHost: backup.avg.cz\r\nAccept: */*\r\nAccept-Encoding: identity,deflate,gzip\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nx-avg-id:78-175947826\r\n\r\n
18      2        0x0000000000004001  1258544216.720958  0.169645  0.169645      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    fr       GTT Communications Inc.      80       192.168.1.104   09       Private network              1259     6        518     464    HTTP/1.1 302 Found\r\nDate: Wed, 18 Nov 2009 11:39:49 GMT\r\nServer: Apache\r\nLocation: http://aa.avg.com/softw/90/update/u7avi1777u1705ff.bin\r\nContent-Length: 238\r\nConnection: close\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>302 Found</title>\n</head><body>\n<h1>Found</h1>\n<p>The document has moved <a href="http://aa.avg.com/softw/90/update/u7avi1777u1705ff.bin">here</a>.</p>\n</body></html>\n
19      2        0x0000000000004001  1258544216.720970  0.000012  0.169657      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    fr       GTT Communications Inc.      80       192.168.1.104   09       Private network              1259     6        54      0
20      2        0x0000000000004000  1258544216.721401  0.166650  0.336031      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1259     77.67.44.206    fr       GTT Communications Inc.      80       6        64      0
21      2        0x0000000000004000  1258544216.723144  0.001743  0.337774      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1259     77.67.44.206    fr       GTT Communications Inc.      80       6        64      0
22      2        0x0000000000004001  1258544216.888595  0.167625  0.337282      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   77.67.44.206    fr       GTT Communications Inc.      80       192.168.1.104   09       Private network              1259     6        54      0
23      3        0x0000000000004000  1258544216.908284  0.000000  0.000000      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1260     198.189.255.75  us       California State University  80       6        66      0
24      3        0x0000000000004001  1258544216.915576  0.000000  0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       California State University  80       192.168.1.104   09       Private network              1260     6        62      0
25      3        0x0000000000004000  1258544216.916026  0.007742  0.007742      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1260     198.189.255.75  us       California State University  80       6        64      0
26      3        0x0000000000004000  1258544216.929764  0.013738  0.021480      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1260     198.189.255.75  us       California State University  80       6        377     319    GET /softw/90/update/u7avi1777u1705ff.bin HTTP/1.1\r\nUser-Agent: AVGINET9-WXPPX86 90 AVI=270.14.71/2510 BUILD=707 LOC=1033 LIC=9I-ASXNN-X4WGW-M0XFR-T84VX-3VX02 DIAG=51E OPF=0 PCA=\r\nHost: aa.avg.com\r\nAccept: */*\r\nAccept-Encoding: identity,deflate,gzip\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nx-avg-id:78-175947826\r\n\r\n
27      3        0x0000000000004001  1258544216.936827  0.021251  0.021251      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       California State University  80       192.168.1.104   09       Private network              1260     6        54      0
$

The packet mode provides every column that the flow file provides, so any feature a plugin produces can be tracked per packet over time. Packets and flows are linked by flowInd; the two directions of a flow share the same flowInd and are told apart by the lowest bit of flowStat (0x...4000 for A, 0x...4001 for B), so you can track each packet back to its flow and vice versa. For researchers, the packet inter-arrival time (pktIAT) and flowDuration per flow make it easy to derive signals for time series analysis or signal processing, and extracting features such as l7Content for one flow is a one-liner. Let’s say the flow with index 3 is interesting:

$ tawk -t 'flow(3)' faf-exercise_packets.txt | head | tcol
%pktNo  flowInd  flowStat            time               pktIAT    flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP           srcIPCC  srcIPWho                     srcPort  dstIP           dstIPCC  dstIPWho                     dstPort  l4Proto  pktLen  l7Len  l7Content
23      3        0x0000000000004000  1258544216.908284  0.000000  0.000000      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1260     198.189.255.75  us       California State University  80       6        66      0
24      3        0x0000000000004001  1258544216.915576  0.000000  0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       California State University  80       192.168.1.104   09       Private network              1260     6        62      0
25      3        0x0000000000004000  1258544216.916026  0.007742  0.007742      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1260     198.189.255.75  us       California State University  80       6        64      0
26      3        0x0000000000004000  1258544216.929764  0.013738  0.021480      3        eth:ipv4:tcp             00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800   192.168.1.104   09       Private network              1260     198.189.255.75  us       California State University  80       6        377     319    GET /softw/90/update/u7avi1777u1705ff.bin HTTP/1.1\r\nUser-Agent: AVGINET9-WXPPX86 90 AVI=270.14.71/2510 BUILD=707 LOC=1033 LIC=9I-ASXNN-X4WGW-M0XFR-T84VX-3VX02 DIAG=51E OPF=0 PCA=\r\nHost: aa.avg.com\r\nAccept: */*\r\nAccept-Encoding: identity,deflate,gzip\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nx-avg-id:78-175947826\r\n\r\n
27      3        0x0000000000004001  1258544216.936827  0.021251  0.021251      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       California State University  80       192.168.1.104   09       Private network              1260     6        54      0
28      3        0x0000000000004001  1258544216.937559  0.000732  0.021983      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       California State University  80       192.168.1.104   09       Private network              1260     6        1434    1380   HTTP/1.1 200 OK\r\nServer: Apache\r\nETag: "0210a9516dd34abc481683f877bd8680:1258533754"\r\nLast-Modified: Wed, 18 Nov 2009 07:55:25 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: 95323\r\nContent-Type: application/octet-stream\r\nDate: Wed, 18 Nov 2009 11:39:50 GMT\r\nConnection: keep-alive\r\n\r\nMZ AVG7 UpdateBin grp(avi:1777)dep(avi:1705)tm(0911180855)pri(2)..7TW;........"....m.b...YbU..&..6.P.B.....jx.\n.n..%....g...8......c....X.c.sO..M............Y.7|......q........w/mb.D#...:.`.H|..(.:...wjA/...u....C{.]..7.y..8..v....n.5..L.k..U>&te...-.....a...`..n. h.....0.......9Ig.s..7^.)..,........ .R..+...f ...xg..xq....;1...F.|....)..*..~.%.I.o.*......)...P...w.V.q....41....h...w%o..,Ha;.~}..#!.p....{..w.=A.0...8..IB.;.*...]..w.@..%F[L9(.. ..`..Iq...'......4.&..........Gz0S}`...s.....s...6\).4(..x.J..[do...w./..m..[.X.D...z\.. ..F...\nA[....O_...."..te..|b..".......\t..e-..i.q....<&h....SKz.gR.+.<1....n........|...-...B..?..".../.g.I@..m[s....iu3$.t\tL...`...D$..eff..7(.L.\V_..HR!.X.........A#....=...K.[.>..CO.2J...R...k.k.p..ME...\}.v..l_.D\t...D...;c......0~3:A......i..7X&..].@.......k?..Qn........,c.`..K.\t.B.M........~\.....>..|._. ...W.YP.....N...u.....s@:..Z.z..n.."B..Q.M.9..D[.c.z.l...z.G....l..6.yPJ.8.........Q.eE.....oPK.'.s. ..(....+..3........."q...d.....v....@......q..+. _YK.`.Zn.c..a..E.q...cI......c....\r0..\n.... ]p..Z=.{./Iz..'..<.d...9...]:...P.}v<...9.h...T9cf../<..U.L
29      3        0x0000000000004001  1258544216.937570  0.000011  0.021994      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       California State University  80       192.168.1.104   09       Private network              1260     6        1434    1380   .G...*.......SlF...>.(..\......].2`...R?fQY.E\....B.\.]..)Fd>\n.'5...&..^M<..L.4..^U....!........VL.n.%..<J.G.:...bz/L.^.r.........n%Wr'.k..g...D...<..f.P............mj...`a.Mc.....B..c.DGz.].e..H.5<f.K...r$....K.-.x..&.....?m....'-.2..0.~.....d/e........4..lx..F\tb.....>...7 Z4..]@,&N.......?I......r.3..a........j.G...\ni.g.....d\n..I..k........'..$....6j)svy..u.......T...TH.I..;{Q......\rj.....E..Rc..%.\n...3B.o...)...h].#.<.,1&.......a..](..LVKi...z...>...Bc..Y...N.n6l..3..}{~.G.}p .........pPn..c..eQ..m;........O/...+....Z,..$..<.W...\....0RKbHeh'..2.]....E*....a..j.7h.9..%Q..R.Z..wP/.JF...3p...[.y..$.h.]..*.%.D.+...#.+.u...>.....I...|.&....-.......%:\t...y....C=.........F....@]X..5&.....W...~Q.%w..d.....aZ.....DS..33......Cp._.\t.<......w..!uvt....c....\[Z.Bh'..N......G...Gu..*...\tk..0y....In..:.*`8......E.. .(R...~..`Z.E-[....;.B..WIR.0.....^8~....y.6...k..D.V......L7| ..X ...Y...s_......o%Qf2Q0.q.. ...;f5+08..7%.Z........D?.F.]K...@h1D.ah..}Y....#ZF......2.....u]..yc0...<l.E.GO......../g...f.../..+..>..Xw.....X....i.q2..W@P.`\7.f.e.X:.-O......nB{o......pu..s.l."Q.....S7D.4k@.Ud..%uxf.."...r.[%...ZZ.....).bS..E.......h.W..0.v.!`.........ix.gh/7Yd.#HO....bo...;....|...F.....e...).x...)....m...A...6!.r..q..Y.W...[.9..H,..4PL;.L...`g.q.-.+.gIk..vy....2...-.....n.O..3.W..p.%.*.wCOm.\t...q.,..[.(V....|....N...K..k.. ..W..jZR...L9...q.z.t.+...<c?.....X....]<...u..'Y.
30      3        0x0000000000004001  1258544216.937579  0.000009  0.022003      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       California State University  80       192.168.1.104   09       Private network              1260     6        1434    1380   .......R1.cR#..eWk.B....HD...q....p.c..P.t.....A........\rg..[.x.....>... .jf\n.0..@..[....Z~.a.b..[..5.=..7........^`.8.=.\t..6..\n..eg......p.\n..b....J.(R...O.....G.K3.|.]..]A..\n....z[....K.....\n q\+....S..ox.\t.Hg....i...Q.9s.b4.Y.."o...o..!...p.@.....k.Z.;..I.y.aI.C.......D.G..q..H.h.....L.\....UH.<58..I...a.....{.aTy.._...h.8.bQ%.?.....zW.C..f\C....!x.....O....^{P~'....z9.....8.a...!..{.....Mz....%8...Y/".|...*q=..D.H..@..ZsC...".B...1.MA2..z@......2...S.<]r.....epQ8..Gz.h....V.Qh.....*MYoV..w@...):9...uV.....g'z.,KE:.G$\n.....;../..^(....*.......`.o.....`[...TzF7V..2..o...qU.nE+=n....\na.F..o...\t..h.. .{....}*g....F..,J.9.......ijB...B&..i...A.+.....f ..:ht.;-=.E.....j..2.....h%...\r'...9...\ru._...f...........|I..L..T..../....n.`F.c|.."[g....-...."...v..1y@.....S.]Y....D."..d.-....O:W......~...Y5{....:..."...C..R...%.nq...~......p....^ZF}n..yB.GFP...-..3..C....~...%r.?`.wT8l.'/M_.6k../.J.1.u._.."W}Z.f.e.".#[.Xh.. .]E....6..X...{..O.0\t.E\......,.._-6r.N.......Zhc......Z.....a...U.....z.*..cW..N8.8........B..h(..51Az..7........^..{.D..........g~EQtM.._....e.;z.?.....~...\I.24.>7lQ.C.X.(D.^x".YJw..0"A....Ix..wR..2..nwt..Qu..?..g.%...3.,\r(......A.[Gb.\..4..u38......C\n.e..Y.x.S.)c....z.......e.3..UkY...........U.C]v..*Q..i..\n..-..Q..]\t.<;....&.[..0y....0.C....].;....:..+.....B..K.\.=...W......6. ...z.....hXd@.h7.7%.. ..E.d[..'..k.s...........jo.O..uaEL......J&.8R..
31      3        0x0000000000004001  1258544216.937598  0.000019  0.022022      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   198.189.255.75  us       California State University  80       192.168.1.104   09       Private network              1260     6        1434    1380   ........%u.He..9......[.x..X...o,.^y.\r*....v...B.)......dN...R#..\....M......C.,.>f.Q[.....7.:.8...-z....^...?..`!..d^..a.!.G.'.6...\n>.o.o...SF..5w.#....h. .J..|..@...k.0...]..A~S#..).. 1..;..F...0.Mf....D.rx..6.+~.%.F...!.m.M...........!.n...~c.........f.....g..6...O.r....-...sC.b.......4..@....R`. ....H..TL..d..P..\n....?)p.(...,..T...C..p..X.m]2....oV`6{w...g.NU.....a.o.......%H...0..h.R.p..g.....fh....[V.L...?@.'-.......?wI....Z)...h.lo!Y.@..e....ab.@l.[Ci....Z........h.1...J........m..&.j......b..^....s.K......$.+..\n1.F.....?%..N.......+..Ws.na....L.....U. )..~..(;.c...w..v.Q.k...3.w3...h.Fu.....i...X..3......u.V....s-."..{.....f..^F......G..l!.../.5...C\..Y.......,.9....7.gI....p........].}w.2.......6..m.....K.....~..q.......TY\t1a.v...".C#3..m...6 ..H.Lb..X..5.b(?..q..........s.\r.IZ.o.\n)\n..3..t/e.....{..../'....Z.B....=.................$6....B.7.p.....0o\t@..m....1.5...t....Z...=.'j!..?:.eXz"q..-.O..1.'c.O-..j.rEA.I...*.bB..]..6Q..\ro..F../.JA.-....$...u...XmS........);K.$.}.."a.}TE.H......n...^..]....%.....I~....'.. ..N......!nu..eG....K...../.....Ga...6...V.d.a............*>)...f(^.s<..WR..R.....U......O./..e2....b.b.:.k....c+\rD.......e.V......OkzW..[.....?E..fw".\ta.....!].jQ.t.l.P..W...f.....\t.%..................u....>...l..j../.......cY:@rxp.*-....;.._t..N..-.."......Z&p=ih.2.}.xV.i.ZGI....V..."...v....=...'K_$0.`a...q;EQS..hn..<'x...n.Ef......,....i.
$

The meaning of pktIAT and flowDuration should now be clearer: pktIAT is the time since the previous packet in the same direction of the flow, and flowDuration the time since the first packet in that direction, which is why both restart at 0.000000 with the first B packet (pktNo 24). If you want to continue in Wireshark, use pktNo or the timestamp to locate the packets. Other parameters important to researchers, such as pktLen or l7Len, are available per packet and can be selected with tawk and piped into further processing.
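The drill-down described above, written out in Python as an added example (this is not part of Tranalyzer or tawk): it parses the tab-separated files that txtSink writes, selects flows the way tawk 'bitsanyset($ftpStat, 0x01)' does, gathers the packets of one flowInd, re-derives pktIAT and flowDuration per direction to confirm their definition, reassembles l7Content per direction and builds a Wireshark display filter from the packet numbers. The two samples are constructed, column-trimmed subsets of the faf-exercise output shown on this page (column names are the real ones); it is assumed that pktNo equals the pcap frame number, which is what the tutorial relies on when it suggests locating packets in Wireshark.

```python
"""Drill down from T2 flows to packets via flowInd (added example, not T2 code)."""
import re
from decimal import Decimal

# Constructed sample: a column-trimmed subset of faf-exercise_flows.txt.
SAMPLE_FLOWS = """\
%dir\tflowInd\tflowStat\tsrcIP\tsrcPort\tdstIP\tdstPort\tftpStat\tftpCDFindex
A\t3\t0x0000000000004000\t192.168.1.104\t1260\t198.189.255.75\t80\t0x00\t
A\t35\t0x0000000000004000\t192.168.1.105\t49329\t143.166.11.10\t21\t0x01\t36
B\t35\t0x0000000000004001\t143.166.11.10\t21\t192.168.1.105\t49329\t0x41\t36
"""

# Constructed sample: a column-trimmed subset of faf-exercise_packets.txt (flow 35).
SAMPLE_PACKETS = """\
%pktNo\tflowInd\tflowStat\ttime\tpktIAT\tflowDuration\tsrcIP\tsrcPort\tdstIP\tdstPort\tl7Len\tl7Content
1266\t35\t0x0000000000004000\t1258594162.928342\t0.000000\t0.000000\t192.168.1.105\t49329\t143.166.11.10\t21\t0\t
1267\t35\t0x0000000000004001\t1258594163.008594\t0.000000\t0.000000\t143.166.11.10\t21\t192.168.1.105\t49329\t0\t
1268\t35\t0x0000000000004000\t1258594163.009292\t0.080950\t0.080950\t192.168.1.105\t49329\t143.166.11.10\t21\t0\t
1269\t35\t0x0000000000004001\t1258594163.087792\t0.079198\t0.079198\t143.166.11.10\t21\t192.168.1.105\t49329\t27\t220 Microsoft FTP Service\\r\\n
1270\t35\t0x0000000000004000\t1258594163.088491\t0.079199\t0.160149\t192.168.1.105\t49329\t143.166.11.10\t21\t16\tUSER anonymous\\r\\n
1271\t35\t0x0000000000004001\t1258594163.166256\t0.078464\t0.157662\t143.166.11.10\t21\t192.168.1.105\t49329\t72\t331 Anonymous access allowed, send identity (e-mail name) as password.\\r\\n
1272\t35\t0x0000000000004000\t1258594163.168693\t0.080202\t0.240351\t192.168.1.105\t49329\t143.166.11.10\t21\t14\tPASS IEUser@\\r\\n
"""


def parse_t2(text):
    """Parse a T2 text file (header starts with '%', tab-separated) into dicts keyed by column."""
    lines = [ln for ln in text.splitlines() if ln]
    header = lines[0].lstrip('%').split('\t')
    rows = []
    for ln in lines[1:]:
        fields = ln.split('\t')
        fields += [''] * (len(header) - len(fields))  # tolerate a dropped trailing tab
        rows.append(dict(zip(header, fields)))
    return rows


def bits_any_set(rows, column, mask):
    """Same selection as tawk 'bitsanyset($column, mask)': any bit of mask set in a hex column."""
    return [r for r in rows if int(r[column] or '0', 16) & mask]


def direction(row):
    """A or B: the lowest bit of flowStat tells the two directions of a flow apart."""
    return 'B' if int(row['flowStat'], 16) & 1 else 'A'


def flow_packets(packets, flow_ind):
    """All packets (both directions) that belong to one flowInd, in pktNo order."""
    return sorted((p for p in packets if p['flowInd'] == str(flow_ind)),
                  key=lambda p: int(p['pktNo']))


def check_timing(packets, tol=Decimal('0.000001')):
    """Re-derive pktIAT (gap to the previous packet in the same direction) and flowDuration
    (time since the first packet in that direction); return pktNo of every packet whose
    file values disagree with the recomputation (empty list = definitions confirmed)."""
    first, prev, bad = {}, {}, []
    for p in sorted(packets, key=lambda p: Decimal(p['time'])):
        key = (p['flowInd'], direction(p))
        t = Decimal(p['time'])              # Decimal keeps the microsecond timestamps exact
        iat = t - prev.get(key, t)
        dur = t - first.setdefault(key, t)
        prev[key] = t
        if abs(iat - Decimal(p['pktIAT'])) > tol or abs(dur - Decimal(p['flowDuration'])) > tol:
            bad.append(p['pktNo'])
    return bad


_ESC = {'r': '\r', 'n': '\n', 't': '\t', '\\': '\\'}


def unescape(s):
    """Undo the printable escaping of control characters in l7Content (\\r, \\n, \\t, \\\\)."""
    return re.sub(r'\\(.)', lambda m: _ESC.get(m.group(1), m.group(0)), s)


def reassemble(packets, flow_ind):
    """Concatenate l7Content per direction, in packet order."""
    out = {'A': '', 'B': ''}
    for p in flow_packets(packets, flow_ind):
        out[direction(p)] += unescape(p['l7Content'])
    return out


def ftp_login(client_payload):
    """Pull USER/PASS out of the client side of an FTP control channel.
    FTP sends both in cleartext, which is exactly what l7Content exposes."""
    user = re.search(r'^USER ([^\r\n]*)\r\n', client_payload, re.M)
    pw = re.search(r'^PASS ([^\r\n]*)\r\n', client_payload, re.M)
    return (user.group(1) if user else None, pw.group(1) if pw else None)


def wireshark_filter(packets, flow_ind):
    """Display filter for the flow's packets; assumes pktNo is the pcap frame number."""
    nums = [p['pktNo'] for p in flow_packets(packets, flow_ind)]
    return 'frame.number in {%s}' % ' '.join(nums)


if __name__ == '__main__':
    flows, pkts = parse_t2(SAMPLE_FLOWS), parse_t2(SAMPLE_PACKETS)
    for ind in sorted({f['flowInd'] for f in bits_any_set(flows, 'ftpStat', 0x01)}, key=int):
        data = next(f['ftpCDFindex'] for f in flows if f['flowInd'] == ind) or '-'
        print(f'FTP control flow {ind}, data connection flowInd {data}')
        print('timing mismatches:', check_timing(flow_packets(pkts, ind)))
        print('FTP login:', ftp_login(reassemble(pkts, ind)['A']))
        print(wireshark_filter(pkts, ind))
```

Running it on the real files instead of the samples is a matter of reading faf-exercise_flows.txt and faf-exercise_packets.txt into parse_t2; the column names are the ones shown in the outputs above, so nothing else changes.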

Let’s say that you are only interested in flows that have bit 0x01 of ftpStat set (here: the FTP control connection on port 21):

$ tawk 'bitsanyset($ftpStat, 0x01)' faf-exercise_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration    numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP          srcIPCC  srcIPWho           srcPort  dstIP          dstIPCC  dstIPWho           dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT    stdIAT    pktps       bytps     pktAsm  bytAsm      tcpStates  ftpStat  ftpCDFindex  ftpCC                          ftpRC                            ftpUsrNum  ftpPwNum  ftpCNum  ftpUsr       ftpPw      ftpC
A     35       0x0000000000004000  1258594162.928342  1258594185.618346  22.690004   1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  09       "Private network"  49329    143.166.11.10  us       "Dell"             21       6        11          11           92           1231          0         24        8.363636    8.41835     0       21.78007  2.062728  5.945361  0.484795    4.054649  0       -0.8609222  0x02       0x01     36           USER;PASS;TYPE;PASV;SIZE;RETR                                   1          1         2        "anonymous"  "IEUser@"  "I";"/video/R79733.EXE"
B     35       0x0000000000004001  1258594163.008594  1258594491.683288  328.674694  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              143.166.11.10  us       "Dell"             21       192.168.1.105  09       "Private network"  49329    6        11          11           1231         92            0         950       111.9091    232.9224    0       306.2558  29.87952  83.53862  0.03346774  3.745345  0       0.8609222   0x42       0x41     36                                          220;331;230;200;227;213;125;226  0          0         1                                "125 Data connection already open; Transfer startin"
$

The only flow with that bit set is the control connection with flowInd = 35: an anonymous login to the Dell FTP server 143.166.11.10, the biggest talker from the summary, which retrieves /video/R79733.EXE (see the ftpC column). Its ftpCDFindex column points to flow 36, the associated data connection. Let’s select the control flow in the packet file:

$ tawk 'flow(35)' faf-exercise_packets.txt | tcol
%pktNo  flowInd  flowStat            time               pktIAT      flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPWho         srcPort  dstIP          dstIPCC  dstIPWho         dstPort  l4Proto  pktLen  l7Len  l7Content
1266    35       0x0000000000004000  1258594162.928342  0.000000    0.000000      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        66      0
1267    35       0x0000000000004001  1258594163.008594  0.000000    0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        62      0
1268    35       0x0000000000004000  1258594163.009292  0.080950    0.080950      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        64      0
1269    35       0x0000000000004001  1258594163.087792  0.079198    0.079198      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        81      27     220 Microsoft FTP Service\r\n
1270    35       0x0000000000004000  1258594163.088491  0.079199    0.160149      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        74      16     USER anonymous\r\n
1271    35       0x0000000000004001  1258594163.166256  0.078464    0.157662      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        126     72     331 Anonymous access allowed, send identity (e-mail name) as password.\r\n
1272    35       0x0000000000004000  1258594163.168693  0.080202    0.240351      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        72      14     PASS IEUser@\r\n
1273    35       0x0000000000004001  1258594163.247178  0.080922    0.238584      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        1004    950    230-Welcome to the Dell FTP site. A service of Dell Inc., Round Rock, Texas.\r\n    For information about DELL, call +1 800 999 3355 All transfers are logged with\r\n    your host name and email address. If you don't like this policy please disconnect now.\r\n    Please be advised that use constitutes consent to monitoring (Elec Comm Priv Act,\r\n    18 USC 2701-2711). Please see the file readme.txt for disclaimers pertaining to this\r\n    service. If your FTP client crashes or hangs shortly after login, try using a dash\r\n    (-) as the first character of your password. This will turn off the informational\r\n    messages which may be confusing your ftp client.\r\n    ********IN CASE OF PROBLEMS*************************\r\n    ** File Content: send EMAIL to dellbbs@dell.com   **\r\n    ** FTP Server: send EMAIL to hostmaster@dell.com  **\r\n    ** WWW Server: send EMAIL to webmaster@dell.com   **\r\n    ****************************************************\r\n
1274    35       0x0000000000004001  1258594163.247187  0.000009    0.238593      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        75      21     230 User logged in.\r\n
1275    35       0x0000000000004000  1258594163.247637  0.078944    0.319295      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        64      0
1276    35       0x0000000000004000  1258594163.249385  0.001748    0.321043      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        66      8      TYPE I\r\n
1277    35       0x0000000000004001  1258594163.327121  0.079934    0.318527      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        74      20     200 Type set to I.\r\n
1278    35       0x0000000000004000  1258594163.327845  0.078460    0.399503      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        64      6      PASV\r\n
1279    35       0x0000000000004001  1258594163.407582  0.080461    0.398988      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        104     50     227 Entering Passive Mode (143,166,11,10,251,78)\r\n
1283    35       0x0000000000004000  1258594163.487490  0.159645    0.559148      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        82      24     SIZE /video/R79733.EXE\r\n
1284    35       0x0000000000004001  1258594163.565990  0.158408    0.557396      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        67      13     213 4255056\r\n
1285    35       0x0000000000004000  1258594163.566694  0.079204    0.638352      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        82      24     RETR /video/R79733.EXE\r\n
1286    35       0x0000000000004001  1258594163.644188  0.078198    0.635594      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        108     54     125 Data connection already open; Transfer starting.\r\n
1303    35       0x0000000000004000  1258594163.838277  0.271583    0.909935      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        64      0
5898    35       0x0000000000004001  1258594185.427515  21.783327   22.418921     3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        78      24     226 Transfer complete.\r\n
5900    35       0x0000000000004000  1258594185.618346  21.780069   22.690004     3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        64      0
5902    35       0x0000000000004001  1258594491.683288  306.255768  328.674683    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        54      0
$

Note the packet number in the first column (pktNo): it is the frame number Wireshark assigns to the same packet in this pcap. So if you want to look up a packet there, open the pcap in Wireshark and jump to that number (Go > Go to Packet), or use the display filter frame.number == 1283.
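As an added example (not part of the tutorial, of tawk or of t2), the drill-down described above done in Python: parse the packet file, pick the packets of a flow by flowInd, rebuild the FTP control dialog from l7Content, turn the pktNo column into a Wireshark display filter, and derive the passive-mode data endpoint from the 227 reply (RFC 959: port = p1 * 256 + p2). The input is a constructed excerpt of faf-exercise_packets.txt with the columns trimmed to what the example needs; the row for flowInd 99 is hypothetical and only there to exercise the flow filter.

```python
"""Drill-down from a T2 flow to its packets (added example, not tutorial code).

Parses a constructed excerpt of faf-exercise_packets.txt in txtSink's format:
tab-separated columns, first line is the '%'-prefixed header.
"""
import re

# Constructed excerpt: values of flow 35 from the listing above, columns trimmed.
# The flowInd 99 row is hypothetical and only exercises the flow filter.
PACKET_FILE = "\n".join([
    "%pktNo\tflowInd\tflowStat\tsrcIP\tsrcPort\tdstIP\tdstPort\tl7Len\tl7Content",
    "1266\t35\t0x0000000000004000\t192.168.1.105\t49329\t143.166.11.10\t21\t0\t",
    "1269\t35\t0x0000000000004001\t143.166.11.10\t21\t192.168.1.105\t49329\t27\t220 Microsoft FTP Service\\r\\n",
    "1270\t35\t0x0000000000004000\t192.168.1.105\t49329\t143.166.11.10\t21\t16\tUSER anonymous\\r\\n",
    "1272\t35\t0x0000000000004000\t192.168.1.105\t49329\t143.166.11.10\t21\t14\tPASS IEUser@\\r\\n",
    "1278\t35\t0x0000000000004000\t192.168.1.105\t49329\t143.166.11.10\t21\t6\tPASV\\r\\n",
    "1279\t35\t0x0000000000004001\t143.166.11.10\t21\t192.168.1.105\t49329\t50\t227 Entering Passive Mode (143,166,11,10,251,78)\\r\\n",
    "1285\t35\t0x0000000000004000\t192.168.1.105\t49329\t143.166.11.10\t21\t24\tRETR /video/R79733.EXE\\r\\n",
    "4242\t99\t0x0000000000004000\t192.168.1.105\t50000\t192.168.1.1\t80\t0\t",
])

def parse_packet_file(text):
    """Return one dict per packet row, keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]

def flow_packets(rows, flow_ind):
    """All packets belonging to one flow index (both directions)."""
    return [r for r in rows if int(r["flowInd"]) == flow_ind]

def direction(row):
    """Low bit of flowStat: 0x...4000 is the A flow, 0x...4001 the B flow (see listing)."""
    return "B" if int(row["flowStat"], 16) & 1 else "A"

def ftp_dialog(rows):
    """Control channel as (direction, line) pairs; segments without payload are skipped.
    txtSink writes CR/LF as the literal characters '\\r\\n', which are stripped here."""
    return [(direction(r), r["l7Content"].replace("\\r\\n", ""))
            for r in rows if int(r["l7Len"]) > 0]

def wireshark_filter(rows):
    """Display filter selecting exactly these frames in Wireshark."""
    return "frame.number in {" + " ".join(r["pktNo"] for r in rows) + "}"

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_endpoint(reply):
    """(host, port) announced by a 227 reply, or None if the text is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = m.groups()
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)

def data_channel_filter(rows):
    """Wireshark filter for the passive data connection negotiated on this control channel."""
    for r in rows:
        ep = pasv_endpoint(r["l7Content"])
        if ep:
            return f"ip.addr == {ep[0]} && tcp.port == {ep[1]}"
    return None

if __name__ == "__main__":
    pk = flow_packets(parse_packet_file(PACKET_FILE), 35)
    for d, line in ftp_dialog(pk):
        print(d, line)
    print(wireshark_filter(pk))
    print(data_channel_filter(pk))
```

The data-channel filter is the useful part for a forensic drill-down: the file transfer itself (RETR /video/R79733.EXE) does not travel in flow 35 but on the separate connection to port 64334 announced by the 227 reply, so that is the flow to select next in the packet file or in Wireshark.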

Absolute and relative seq/ack numbers

If the tcpFlags plugin is loaded, seq/ack numbers, window size and certain TCP options are displayed in packet mode as well. By default the seq/ack numbers are absolute; switching to relative numbers, counted from the first sequence number seen in each direction, is helpful when analyzing how they evolve over a flow. To switch, move to the tcpFlags directory, open src/tcpFlags.h and set SPKTMD_SEQACKREL to 1:

$ tcpFlags
$ vi src/tcpFlags.h
...
// local defines

// -s option
#define SPKTMD_SEQACKREL 1 // -s option SEQ/ACK Numbers 0: absolute, 1: relative
...

Recompile the plugin and rerun t2 in packet mode:

$ t2build tcpFlags
...
$ t2 -r ~/data/faf-exercise.pcap -w ~/results/ -s
...

Extract flow 35 again from faf-exercise_packets.txt and look at the seq and ack columns. They are now relative to the first sequence number seen in each direction, so both the SYN and the SYN-ACK start at 0. The seqDiff and ackDiff columns hold the change with respect to the previous packet in the same direction, and seqPktLen and ackPktLen the payload bytes sequenced so far (the SYN consumes one sequence number, so packet 1268 carries seq 1 while seqPktLen and seqDiff stay 0).

$ tawk -t 'flow(35)' faf-exercise_packets.txt | tcol
%pktNo  flowInd  flowStat            time               pktIAT      flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPWho         srcPort  dstIP          dstIPCC  dstIPWho         dstPort  l4Proto  ipTOS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq   ack   seqDiff  ackDiff  seqPktLen  ackPktLen  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpTmS  tcpTmER  tcpOptLen  tcpOpts                                  l7Content
1266    35       0x0000000000004000  1258594162.928342  0.000000    0.000000      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        0x00   16230  0         0x4000  128    0x5ea0       0x5ea0       0x7ccd       0x7ccd       0x0040   0                       0                     0                 0     0     0        0        0          0          0x0041    0x02      0x0000      8192    0       0        8          0x02;0x04;0x05;0xb4;0x01;0x01;0x04;0x02
1267    35       0x0000000000004001  1258594163.008594  0.000000    0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        0x00   55468  0         0x4000  239    0x5659       0x5659       0x1d37       0x1d37       0x0040   0                       0                     0                 0     1     0        0        0          0          0x0061    0x12      0x0002      4140    0       0        8          0x02;0x04;0x05;0x64;0x04;0x02;0x00;0x00
1268    35       0x0000000000004000  1258594163.009292  0.080950    0.080950      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        0x00   16231  1         0x4000  128    0x5ea7       0x5ea7       0x5b79       0x5b79       0x0040   0                       0                     0                 1     1     0        0        0          0          0x00c0    0x10      0x0000      64860   0       0        0
1269    35       0x0000000000004001  1258594163.087792  0.079198    0.079198      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        0x00   58625  3157      0x4000  239    0x49f1       0x49f1       0xad9d       0xad9d       0x0040   0                       0                     0                 1     1     0        0        0          0          0x0040    0x18      0x0000      4140    0       0        0                                                   220 Microsoft FTP Service\r\n
1270    35       0x0000000000004000  1258594163.088491  0.079199    0.160149      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        0x00   16243  12        0x4000  128    0x5e8b       0x5e8b       0xd384       0xd384       0x0040   0                       0                     0                 1     28    0        27       0          27         0x0040    0x18      0x0000      64833   0       0        0                                                   USER anonymous\r\n
1271    35       0x0000000000004001  1258594163.166256  0.078464    0.157662      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        0x00   61580  2955      0x4000  239    0x3e39       0x3e39       0xf987       0xf987       0x0040   0                       0                     0                 28    17    27       16       27         16         0x00c0    0x18      0x0000      4156    0       0        0                                                   331 Anonymous access allowed, send identity (e-mail name) as password.\r\n
1272    35       0x0000000000004000  1258594163.168693  0.080202    0.240351      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        0x00   16244  1         0x4000  128    0x5e8c       0x5e8c       0x5f70       0x5f70       0x0040   0                       0                     0                 17    100   16       72       16         99         0x0040    0x18      0x0000      64761   0       0        0                                                   PASS IEUser@\r\n
1273    35       0x0000000000004001  1258594163.247178  0.080922    0.238584      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        0x00   64425  2845      0x4000  239    0x2fae       0x2fae       0x41de       0x41de       0x0040   0                       0                     0                 100   31    72       14       99         30         0x00c0    0x18      0x0000      4170    0       0        0                                                   230-Welcome to the Dell FTP site. A service of Dell Inc., Round Rock, Texas.\r\n    For information about DELL, call +1 800 999 3355 All transfers are logged with\r\n    your host name and email address. If you don't like this policy please disconnect now.\r\n    Please be advised that use constitutes consent to monitoring (Elec Comm Priv Act,\r\n    18 USC 2701-2711). Please see the file readme.txt for disclaimers pertaining to this\r\n    service. If your FTP client crashes or hangs shortly after login, try using a dash\r\n    (-) as the first character of your password. This will turn off the informational\r\n    messages which may be confusing your ftp client.\r\n    ********IN CASE OF PROBLEMS*************************\r\n    ** File Content: send EMAIL to dellbbs@dell.com   **\r\n    ** FTP Server: send EMAIL to hostmaster@dell.com  **\r\n    ** WWW Server: send EMAIL to webmaster@dell.com   **\r\n    ****************************************************\r\n
1274    35       0x0000000000004001  1258594163.247187  0.000009    0.238593      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        0x00   64426  1         0x4000  239    0x334e       0x334e       0x2a2a       0x2a2a       0x0040   0                       0                     0                 1050  31    950      0        1049       30         0x00c0    0x18      0x0000      4170    0       0        0                                                   230 User logged in.\r\n
1275    35       0x0000000000004000  1258594163.247637  0.078944    0.319295      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        0x00   16253  9         0x4000  128    0x5e91       0x5e91       0x5b5b       0x5b5b       0x0040   0                       0                     0                 31    1071  14       971      30         1070       0x0040    0x10      0x0000      63790   0       0        0
1276    35       0x0000000000004000  1258594163.249385  0.001748    0.321043      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        0x00   16254  1         0x4000  128    0x5e88       0x5e88       0x8959       0x8959       0x0040   0                       0                     0                 31    1071  0        0        30         1070       0x0040    0x18      0x0000      63790   0       0        0                                                   TYPE I\r\n
1277    35       0x0000000000004001  1258594163.327121  0.079934    0.318527      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        0x00   1622   2732      0x4000  239    0x28a4       0x28a4       0xb130       0xb130       0x0044   0                       0                     0                 1071  39    21       8        1070       38         0x00c0    0x18      0x0000      4178    0       0        0                                                   200 Type set to I.\r\n
1278    35       0x0000000000004000  1258594163.327845  0.078460    0.399503      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        0x00   16255  1         0x4000  128    0x5e89       0x5e89       0xaaa3       0xaaa3       0x0040   0                       0                     0                 39    1091  8        20       38         1090       0x0040    0x18      0x0000      63770   0       0        0                                                   PASV\r\n
1279    35       0x0000000000004001  1258594163.407582  0.080461    0.398988      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        0x00   5259   3637      0x4000  239    0x1a51       0x1a51       0xbf53       0xbf53       0x0040   0                       0                     0                 1091  45    20       6        1090       44         0x00c0    0x18      0x0000      4184    0       0        0                                                   227 Entering Passive Mode (143,166,11,10,251,78)\r\n
1283    35       0x0000000000004000  1258594163.487490  0.159645    0.559148      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        0x00   16267  12        0x4000  128    0x5e6b       0x5e6b       0xf13a       0xf13a       0x0040   0                       0                     0                 45    1141  6        50       44         1140       0x0040    0x18      0x0000      63720   0       0        0                                                   SIZE /video/R79733.EXE\r\n
1284    35       0x0000000000004001  1258594163.565990  0.158408    0.557396      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        0x00   11024  5765      0x4000  239    0x03f1       0x03f1       0x049e       0x049e       0x0040   0                       0                     0                 1141  69    50       24       1140       68         0x00c0    0x18      0x0000      4208    0       0        0                                                   213 4255056\r\n
1285    35       0x0000000000004000  1258594163.566694  0.079204    0.638352      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        0x00   16268  1         0x4000  128    0x5e6a       0x5e6a       0xf819       0xf819       0x0040   0                       0                     0                 69    1154  24       13       68         1153       0x0040    0x18      0x0000      63707   0       0        0                                                   RETR /video/R79733.EXE\r\n
1286    35       0x0000000000004001  1258594163.644188  0.078198    0.635594      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        0x00   14255  3231      0x4000  239    0xf728       0xf728       0xb8e3       0xb8e3       0x0040   0                       0                     0                 1154  93    13       24       1153       92         0x00c0    0x18      0x0000      4232    0       0        0                                                   125 Data connection already open; Transfer starting.\r\n
1303    35       0x0000000000004000  1258594163.838277  0.271583    0.909935      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        0x00   16289  21        0x4000  128    0x5e6d       0x5e6d       0x5b1d       0x5b1d       0x0040   0                       0                     0                 93    1208  24       54       92         1207       0x0040    0x10      0x0000      63653   0       0        0
5898    35       0x0000000000004001  1258594185.427515  21.783327   22.418921     3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        0x00   40815  26560     0x4000  239    0x8f86       0x8f86       0x7425       0x7425       0x0040   0                       0                     0                 1208  93    54       0        1207       92         0x00c0    0x18      0x0000      4232    0       0        0                                                   226 Transfer complete.\r\n
5900    35       0x0000000000004000  1258594185.618346  21.780069   22.690004     3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        0x00   18617  2328      0x4000  128    0x5555       0x5555       0x5b1d       0x5b1d       0x0040   0                       0                     0                 93    1232  0        24       92         1231       0x0040    0x10      0x0000      63629   0       0        0
5902    35       0x0000000000004001  1258594491.683288  306.255768  328.674683    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        0x00   49361  8546      0x4000  239    0x6e3c       0x6e3c       0x431f       0x431f       0x0040   0                       0                     0                 1232  93    24       0        1231       92         0x00c0    0x14      0x0004      4232    0       0        0
$
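As an added example (not tcpFlags code), the absolute-to-relative conversion that SPKTMD_SEQACKREL = 1 performs, done outside t2 so the column semantics can be checked by hand. The input is constructed: the absolute numbers are rebuilt from the flow file's tcpISeqN values (A: 2427598871, B: 365320932) and the relative values of the listing above. The column rules implemented below (the SYN consumes one sequence number, diffs are taken per direction on the byte counts, an ack without the ACK flag is reported as 0) are inferred from the listed values, not taken from the plugin source, and the modulo handles the 32-bit wrap-around that a plain subtraction would get wrong.

```python
"""Relative TCP seq/ack numbers and per-direction deltas (added example, not tcpFlags code)."""

MOD32 = 1 << 32
ACK = 0x10
ISN_A, ISN_B = 2427598871, 365320932   # tcpISeqN of flow 35 (A and B direction) from the flow file

# (pktNo, direction, tcpFlags, absolute seq, absolute ack), constructed from the listing above
PACKETS = [
    (1266, "A", 0x02, ISN_A,        0),            # SYN, no ACK number
    (1267, "B", 0x12, ISN_B,        ISN_A + 1),    # SYN-ACK
    (1268, "A", 0x10, ISN_A + 1,    ISN_B + 1),    # handshake ACK
    (1269, "B", 0x18, ISN_B + 1,    ISN_A + 1),    # "220 ..." banner, 27 bytes
    (1270, "A", 0x18, ISN_A + 1,    ISN_B + 28),   # USER anonymous, 16 bytes
    (1271, "B", 0x18, ISN_B + 28,   ISN_A + 17),   # "331 ...", 72 bytes
    (1272, "A", 0x18, ISN_A + 17,   ISN_B + 100),  # PASS IEUser@, 14 bytes
    (1273, "B", 0x18, ISN_B + 100,  ISN_A + 31),   # "230-..." welcome text, 950 bytes
    (1274, "B", 0x18, ISN_B + 1050, ISN_A + 31),   # "230 User logged in.", 21 bytes
]

def rel(num, isn):
    """Relative sequence number; modulo 2^32 keeps it right across a wrap-around."""
    return (num - isn) % MOD32

def relativize(packets, isn_a, isn_b):
    """One row per packet with the seq, ack, seqDiff, ackDiff, seqPktLen, ackPktLen columns."""
    prev = {}   # per direction: (seqPktLen, ackPktLen) of the previous packet
    out = []
    for pkt, d, flags, seq, ack in packets:
        own, peer = (isn_a, isn_b) if d == "A" else (isn_b, isn_a)
        rseq = rel(seq, own)
        rack = rel(ack, peer) if flags & ACK else 0   # ack field is meaningless without the ACK flag
        # the SYN occupies one sequence number, so payload sequenced so far is rel - 1
        sbytes, abytes = max(rseq - 1, 0), max(rack - 1, 0)
        ps, pa = prev.get(d, (sbytes, abytes))         # first packet of a direction: diff 0
        prev[d] = (sbytes, abytes)
        out.append({"pktNo": pkt, "dir": d, "seq": rseq, "ack": rack,
                    "seqDiff": sbytes - ps, "ackDiff": abytes - pa,
                    "seqPktLen": sbytes, "ackPktLen": abytes})
    return out

if __name__ == "__main__":
    for row in relativize(PACKETS, ISN_A, ISN_B):
        print(row)
```

A negative seqDiff in this representation means the sender went backwards, that is, a retransmission or an out-of-order packet, which is exactly the kind of event that is hard to spot in absolute numbers and easy to spot here.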

Adding more plugins

Let’s add some more plugins which contribute to the packet file.

$ t2build icmpDecode macRecorder portClassifier
...
BUILD SUCCESSFUL

$ t2 -r ~/data/faf-exercise.pcap -w ~/results -s
================================================================================
Tranalyzer 0.8.7 (Anteater), Tarantula. PID: 104552
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.7
    02: macRecorder, 0.8.7
    03: portClassifier, 0.8.7
    04: basicStats, 0.8.7
    05: tcpFlags, 0.8.7
    06: tcpStates, 0.8.7
    07: icmpDecode, 0.8.7
    08: ftpDecode, 0.8.7
    09: txtSink, 0.8.7
[INF] basicFlow: IPv4 Ver: 4, Rev: 01102019, Range Mode: 0, subnet ranges loaded: 313050 (313.05 K)
[INF] basicFlow: IPv6 Ver: 4, Rev: 01102019, Range Mode: 0, subnet ranges loaded: 21495 (21.50 K)
Processing file: /home/wurst/data/faf-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1258544215.037210 sec (Wed 18 Nov 2009 11:36:55 GMT)
Dump stop : 1258594491.683288 sec (Thu 19 Nov 2009 01:34:51 GMT)
Total dump duration: 50276.646078 sec (13h 57m 56s)
Finished processing. Elapsed time: 0.153270 sec
Finished unloading flow memory. Time: 0.153341 sec
Percentage completed: 100.00%
Number of processed packets: 5902 (5.90 K)
Number of processed bytes: 4993414 (4.99 M)
Number of raw bytes: 4993414 (4.99 M)
Number of pcap bytes: 5087870 (5.09 M)
Number of IPv4 packets: 5902 (5.90 K) [100.00%]
Number of A packets: 1986 (1.99 K) [33.65%]
Number of B packets: 3916 (3.92 K) [66.35%]
Number of A bytes: 209315 (209.31 K) [4.19%]
Number of B bytes: 4784099 (4.78 M) [95.81%]
Average A packet load: 105.40
Average B packet load: 1221.68 (1.22 K)
--------------------------------------------------------------------------------
basicStats: Biggest L3 Talker: 143.166.11.10 (US): 3101 (3.10 K) [52.54%] packets
basicStats: Biggest L3 Talker: 143.166.11.10 (US): 4436320 (4.44 M) [88.84%] bytes
tcpFlags: Aggregated ipFlags: 0x0046
tcpFlags: Aggregated tcpAnomaly: 0xbc07
tcpFlags: Number of TCP scans, succ scans, syn retries, seq retries: 0, 36, 0, 2
tcpFlags: Number WinSz below 1: 4 [0.07%]
tcpStates: Aggregated anomaly flags: 0x4a
ftpDecode: Anomaly flags: 0x43
ftpDecode: Number of FTP packets: 4634 (4.63 K) [78.52%]
--------------------------------------------------------------------------------
...

Invoking the same tawk query on the flow file as before, portClassifier now adds a human-readable, port-based assignment of the embedded protocol (dstPortClassN and dstPortClass); here port 21, ftp. This is a port lookup, not content inspection: a service on a non-standard port, or something other than FTP on port 21, is still labeled by its port.

macRecorder tells us that only one interface pair is involved, as macPairs is 1; with load balancing, or a broken interface card, there can be more MAC pairs per flow. Moreover, the manufacturer (srcManuf_dstManuf) is decoded from the first three octets of the MAC address, the OUI. Keep in mind that in a routed flow the MAC addresses are those of the local hop, not of the remote host: the server side shows Apple, which is the next hop on the captured segment (most likely the local gateway), while the FTP server itself belongs to Dell according to the IP lookup.

(icmpDecode output will be discussed below.)

tcpFlags provides the aggregated IP and layer 4 information: IP ID and TTL ranges, IP and TCP flags, sequence and acknowledgement counters, window size statistics, TCP options and RTT estimates.

$ tawk 'bitsanyset($ftpStat, 0x01)' faf-exercise_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration    numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP          srcIPCC  srcIPWho           srcPort  dstIP          dstIPCC  dstIPWho           dstPort  l4Proto  macPairs  srcMac_dstMac_numP                      srcManuf_dstManuf  dstPortClassN  dstPortClass  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT    stdIAT    pktps       bytps     pktAsm  bytAsm      tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipTOS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpTmS  tcpTmER  tcpEcI  tcpUtm    tcpBtm    tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStates  icmpStat  icmpTCcnt  icmpBFTypH_TypL_Code          icmpTmGtw   icmpEchoSuccRatio  icmpPFindex  ftpStat  ftpCDFindex  ftpCC                          ftpRC                            ftpUsrNum  ftpPwNum  ftpCNum  ftpUsr       ftpPw      ftpC
A     35       0x0000000000004000  1258594162.928342  1258594185.618346  22.690004   1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  09       "Private network"  49329    143.166.11.10  us       "Dell"             21       6        1         00:08:74:38:01:b4_00:19:e3:e7:5d:23_11  Dell_Apple         21             ftp           11          11           92           1231          0         24        8.363636    8.41835     0       21.78007  2.062728  5.945361  0.484795    4.054649  0       -0.8609222  0x0044    1           2328        128       128       0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2427598871  9           91              1               8           1231                   0               8192          62176.56     8192         64860        8               1              2                  0             0x1a      0x0000      1             4          0x00000016  1460    0      0       0        0       0.000000  0.000000  0              0.00045           0.194089          0.04297619        0.07021572           0.08025199    -1               0x02       0x00      0          0x00000000_0x00000000_0x0000  0x00000000  0                  0            0x01     36           USER;PASS;TYPE;PASV;SIZE;RETR                                   1          1         2        "anonymous"  "IEUser@"  "I";"/video/R79733.EXE"
B     35       0x0000000000004001  1258594163.008594  1258594491.683288  328.674694  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              143.166.11.10  us       "Dell"             21       192.168.1.105  09       "Private network"  49329    6        1         00:19:e3:e7:5d:23_00:08:74:38:01:b4_11  Apple_Dell         21             ftp           11          11           1231         92            0         950       111.9091    232.9224    0       306.2558  29.87952  83.53862  0.03346774  3.745345  0       0.8609222   0x00c4    1           26560       239       239       0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  365320932   11          1230            0               6           92                     1               4140          4214.603     4140         4232         0               6              1                  0             0x1e      0x0006      1             2          0x00000014  1380    0      0       0        0       0.000000  0.000000  0.08025199     0.077494          306.0649          29.85102          83.48595             29.89399      83.48597         0x42       0x00      0          0x00000000_0x00000000_0x0000  0x00000000  0                  0            0x41     36                                          220;331;230;200;227;213;125;226  0          0         1                                "125 Data connection already open; Transfer startin"
$

The packet mode provides more or less the same information per packet. The evolution of the anomaly bits, packet lengths, seq/ack numbers, checksums and window size can therefore be extracted packet by packet and fed directly into sequence analysis algorithms.

$ tawk 'flow(35)' faf-exercise_packets.txt | tcol
%pktNo  flowInd  flowStat            time               pktIAT      flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPWho         srcPort  dstIP          dstIPCC  dstIPWho         dstPort  l4Proto  srcManuf  dstManuf  pktLen  l7Len  ipTOS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq   ack   seqDiff  ackDiff  seqPktLen  ackPktLen  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpTmS  tcpTmER  tcpOptLen  tcpOpts                                  icmpType  icmpCode  icmpPFindex  l7HexContent
1266    35       0x0000000000004000  1258594162.928342  0.000000    0.000000      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     66      0      0x00   16230  0         0x4000  128    0x5ea0       0x5ea0       0x7ccd       0x7ccd       0x0040   0                       0                     0                 0     0     0        0        0          0          0x0041    0x02      0x0000      8192    0       0        8          0x02;0x04;0x05;0xb4;0x01;0x01;0x04;0x02
1267    35       0x0000000000004001  1258594163.008594  0.000000    0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      62      0      0x00   55468  0         0x4000  239    0x5659       0x5659       0x1d37       0x1d37       0x0040   0                       0                     0                 0     1     0        0        0          0          0x0061    0x12      0x0002      4140    0       0        8          0x02;0x04;0x05;0x64;0x04;0x02;0x00;0x00
1268    35       0x0000000000004000  1258594163.009292  0.080950    0.080950      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     64      0      0x00   16231  1         0x4000  128    0x5ea7       0x5ea7       0x5b79       0x5b79       0x0040   0                       0                     0                 1     1     0        0        0          0          0x00c0    0x10      0x0000      64860   0       0        0
1269    35       0x0000000000004001  1258594163.087792  0.079198    0.079198      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      81      27     0x00   58625  3157      0x4000  239    0x49f1       0x49f1       0xad9d       0xad9d       0x0040   0                       0                     0                 1     1     0        0        0          0          0x0040    0x18      0x0000      4140    0       0        0                                                                                    0x32 0x32 0x30 0x20 0x4d 0x69 0x63 0x72 0x6f 0x73 0x6f 0x66 0x74 0x20 0x46 0x54 0x50 0x20 0x53 0x65 0x72 0x76 0x69 0x63 0x65 0x0d 0x0a
1270    35       0x0000000000004000  1258594163.088491  0.079199    0.160149      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     74      16     0x00   16243  12        0x4000  128    0x5e8b       0x5e8b       0xd384       0xd384       0x0040   0                       0                     0                 1     28    0        27       0          27         0x0040    0x18      0x0000      64833   0       0        0                                                                                    0x55 0x53 0x45 0x52 0x20 0x61 0x6e 0x6f 0x6e 0x79 0x6d 0x6f 0x75 0x73 0x0d 0x0a
1271    35       0x0000000000004001  1258594163.166256  0.078464    0.157662      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      126     72     0x00   61580  2955      0x4000  239    0x3e39       0x3e39       0xf987       0xf987       0x0040   0                       0                     0                 28    17    27       16       27         16         0x00c0    0x18      0x0000      4156    0       0        0                                                                                    0x33 0x33 0x31 0x20 0x41 0x6e 0x6f 0x6e 0x79 0x6d 0x6f 0x75 0x73 0x20 0x61 0x63 0x63 0x65 0x73 0x73 0x20 0x61 0x6c 0x6c 0x6f 0x77 0x65 0x64 0x2c 0x20 0x73 0x65 0x6e 0x64 0x20 0x69 0x64 0x65 0x6e 0x74 0x69 0x74 0x79 0x20 0x28 0x65 0x2d 0x6d 0x61 0x69 0x6c 0x20 0x6e 0x61 0x6d 0x65 0x29 0x20 0x61 0x73 0x20 0x70 0x61 0x73 0x73 0x77 0x6f 0x72 0x64 0x2e 0x0d 0x0a
1272    35       0x0000000000004000  1258594163.168693  0.080202    0.240351      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     72      14     0x00   16244  1         0x4000  128    0x5e8c       0x5e8c       0x5f70       0x5f70       0x0040   0                       0                     0                 17    100   16       72       16         99         0x0040    0x18      0x0000      64761   0       0        0                                                                                    0x50 0x41 0x53 0x53 0x20 0x49 0x45 0x55 0x73 0x65 0x72 0x40 0x0d 0x0a
1273    35       0x0000000000004001  1258594163.247178  0.080922    0.238584      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      1004    950    0x00   64425  2845      0x4000  239    0x2fae       0x2fae       0x41de       0x41de       0x0040   0                       0                     0                 100   31    72       14       99         30         0x00c0    0x18      0x0000      4170    0       0        0                                                                                    0x32 0x33 0x30 0x2d 0x57 0x65 0x6c 0x63 0x6f 0x6d 0x65 0x20 0x74 0x6f 0x20 0x74 0x68 0x65 0x20 0x44 0x65 0x6c 0x6c 0x20 0x46 0x54 0x50 0x20 0x73 0x69 0x74 0x65 0x2e 0x20 0x41 0x20 0x73 0x65 0x72 0x76 0x69 0x63 0x65 0x20 0x6f 0x66 0x20 0x44 0x65 0x6c 0x6c 0x20 0x49 0x6e 0x63 0x2e 0x2c 0x20 0x52 0x6f 0x75 0x6e 0x64 0x20 0x52 0x6f 0x63 0x6b 0x2c 0x20 0x54 0x65 0x78 0x61 0x73 0x2e 0x0d 0x0a 0x20 0x20 0x20 0x20 0x46 0x6f 0x72 0x20 0x69 0x6e 0x66 0x6f 0x72 0x6d 0x61 0x74 0x69 0x6f 0x6e 0x20 0x61 0x62 0x6f 0x75 0x74 0x20 0x44 0x45 0x4c 0x4c 0x2c 0x20 0x63 0x61 0x6c 0x6c 0x20 0x2b 0x31 0x20 0x38 0x30 0x30 0x20 0x39 0x39 0x39 0x20 0x33 0x33 0x35 0x35 0x20 0x41 0x6c 0x6c 0x20 0x74 0x72 0x61 0x6e 0x73 0x66 0x65 0x72 0x73 0x20 0x61 0x72 0x65 0x20 0x6c 0x6f 0x67 0x67 0x65 0x64 0x20 0x77 0x69 0x74 0x68 0x0d 0x0a 0x20 0x20 0x20 0x20 0x79 0x6f 0x75 0x72 0x20 0x68 0x6f 0x73 0x74 0x20 0x6e 0x61 0x6d 0x65 0x20 0x61 0x6e 0x64 0x20 0x65 0x6d 0x61 0x69 0x6c 0x20 0x61 0x64 0x64 0x72 0x65 0x73 0x73 0x2e 0x20 0x49 0x66 0x20 0x79 0x6f 0x75 0x20 0x64 0x6f 0x6e 0x27 0x74 0x20 0x6c 0x69 0x6b 0x65 0x20 0x74 0x68 0x69 0x73 0x20 0x70 0x6f 0x6c 0x69 0x63 0x79 0x20 0x70 0x6c 0x65 0x61 0x73 0x65 0x20 0x64 0x69 0x73 0x63 0x6f 0x6e 0x6e 0x65 0x63 0x74 0x20 0x6e 0x6f 0x77 0x2e 0x0d 0x0a 0x20 0x20 0x20 0x20 0x50 0x6c 0x65 0x61 0x73 0x65 0x20 0x62 0x65 
0x20 0x61 0x64 0x76 0x69 0x73 0x65 0x64 0x20 0x74 0x68 0x61 0x74 0x20 0x75 0x73 0x65 0x20 0x63 0x6f 0x6e 0x73 0x74 0x69 0x74 0x75 0x74 0x65 0x73 0x20 0x63 0x6f 0x6e 0x73 0x65 0x6e 0x74 0x20 0x74 0x6f 0x20 0x6d 0x6f 0x6e 0x69 0x74 0x6f 0x72 0x69 0x6e 0x67 0x20 0x28 0x45 0x6c 0x65 0x63 0x20 0x43 0x6f 0x6d 0x6d 0x20 0x50 0x72 0x69 0x76 0x20 0x41 0x63 0x74 0x2c 0x0d 0x0a 0x20 0x20 0x20 0x20 0x31 0x38 0x20 0x55 0x53 0x43 0x20 0x32 0x37 0x30 0x31 0x2d 0x32 0x37 0x31 0x31 0x29 0x2e 0x20 0x50 0x6c 0x65 0x61 0x73 0x65 0x20 0x73 0x65 0x65 0x20 0x74 0x68 0x65 0x20 0x66 0x69 0x6c 0x65 0x20 0x72 0x65 0x61 0x64 0x6d 0x65 0x2e 0x74 0x78 0x74 0x20 0x66 0x6f 0x72 0x20 0x64 0x69 0x73 0x63 0x6c 0x61 0x69 0x6d 0x65 0x72 0x73 0x20 0x70 0x65 0x72 0x74 0x61 0x69 0x6e 0x69 0x6e 0x67 0x20 0x74 0x6f 0x20 0x74 0x68 0x69 0x73 0x0d 0x0a 0x20 0x20 0x20 0x20 0x73 0x65 0x72 0x76 0x69 0x63 0x65 0x2e 0x20 0x49 0x66 0x20 0x79 0x6f 0x75 0x72 0x20 0x46 0x54 0x50 0x20 0x63 0x6c 0x69 0x65 0x6e 0x74 0x20 0x63 0x72 0x61 0x73 0x68 0x65 0x73 0x20 0x6f 0x72 0x20 0x68 0x61 0x6e 0x67 0x73 0x20 0x73 0x68 0x6f 0x72 0x74 0x6c 0x79 0x20 0x61 0x66 0x74 0x65 0x72 0x20 0x6c 0x6f 0x67 0x69 0x6e 0x2c 0x20 0x74 0x72 0x79 0x20 0x75 0x73 0x69 0x6e 0x67 0x20 0x61 0x20 0x64 0x61 0x73 0x68 0x0d 0x0a 0x20 0x20 0x20 0x20 0x28 0x2d 0x29 0x20 0x61 0x73 0x20 0x74 0x68 0x65 0x20 0x66 0x69 0x72 0x73 0x74 0x20 0x63 0x68 0x61 0x72 0x61 0x63 0x74 0x65 0x72 0x20 0x6f 0x66 0x20 0x79 0x6f 0x75 0x72 0x20 0x70 0x61 0x73 0x73 0x77 0x6f 0x72 0x64 0x2e 0x20 0x54 0x68 0x69 0x73 0x20 0x77 0x69 0x6c 0x6c 0x20 0x74 0x75 0x72 0x6e 0x20 0x6f 0x66 0x66 0x20 0x74 0x68 0x65 0x20 0x69 0x6e 0x66 0x6f 0x72 0x6d 0x61 0x74 0x69 0x6f 0x6e 0x61 0x6c 0x0d 0x0a 0x20 0x20 0x20 0x20 0x6d 0x65 0x73 0x73 0x61 0x67 0x65 0x73 0x20 0x77 0x68 0x69 0x63 0x68 0x20 0x6d 0x61 0x79 0x20 0x62 0x65 0x20 0x63 0x6f 0x6e 0x66 0x75 0x73 0x69 0x6e 0x67 0x20 0x79 0x6f 0x75 0x72 0x20 0x66 0x74 0x70 0x20 0x63 0x6c 0x69 0x65 0x6e 0x74 0x2e 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x2a 
0x2a 0x2a 0x2a 0x2a 0x2a 0x49 0x4e 0x20 0x43 0x41 0x53 0x45 0x20 0x4f 0x46 0x20 0x50 0x52 0x4f 0x42 0x4c 0x45 0x4d 0x53 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x20 0x46 0x69 0x6c 0x65 0x20 0x43 0x6f 0x6e 0x74 0x65 0x6e 0x74 0x3a 0x20 0x73 0x65 0x6e 0x64 0x20 0x45 0x4d 0x41 0x49 0x4c 0x20 0x74 0x6f 0x20 0x64 0x65 0x6c 0x6c 0x62 0x62 0x73 0x40 0x64 0x65 0x6c 0x6c 0x2e 0x63 0x6f 0x6d 0x20 0x20 0x20 0x2a 0x2a 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x20 0x46 0x54 0x50 0x20 0x53 0x65 0x72 0x76 0x65 0x72 0x3a 0x20 0x73 0x65 0x6e 0x64 0x20 0x45 0x4d 0x41 0x49 0x4c 0x20 0x74 0x6f 0x20 0x68 0x6f 0x73 0x74 0x6d 0x61 0x73 0x74 0x65 0x72 0x40 0x64 0x65 0x6c 0x6c 0x2e 0x63 0x6f 0x6d 0x20 0x20 0x2a 0x2a 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x20 0x57 0x57 0x57 0x20 0x53 0x65 0x72 0x76 0x65 0x72 0x3a 0x20 0x73 0x65 0x6e 0x64 0x20 0x45 0x4d 0x41 0x49 0x4c 0x20 0x74 0x6f 0x20 0x77 0x65 0x62 0x6d 0x61 0x73 0x74 0x65 0x72 0x40 0x64 0x65 0x6c 0x6c 0x2e 0x63 0x6f 0x6d 0x20 0x20 0x20 0x2a 0x2a 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x0d 0x0a
1274    35       0x0000000000004001  1258594163.247187  0.000009    0.238593      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      75      21     0x00   64426  1         0x4000  239    0x334e       0x334e       0x2a2a       0x2a2a       0x0040   0                       0                     0                 1050  31    950      0        1049       30         0x00c0    0x18      0x0000      4170    0       0        0                                                                                    0x32 0x33 0x30 0x20 0x55 0x73 0x65 0x72 0x20 0x6c 0x6f 0x67 0x67 0x65 0x64 0x20 0x69 0x6e 0x2e 0x0d 0x0a
1275    35       0x0000000000004000  1258594163.247637  0.078944    0.319295      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     64      0      0x00   16253  9         0x4000  128    0x5e91       0x5e91       0x5b5b       0x5b5b       0x0040   0                       0                     0                 31    1071  14       971      30         1070       0x0040    0x10      0x0000      63790   0       0        0
1276    35       0x0000000000004000  1258594163.249385  0.001748    0.321043      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     66      8      0x00   16254  1         0x4000  128    0x5e88       0x5e88       0x8959       0x8959       0x0040   0                       0                     0                 31    1071  0        0        30         1070       0x0040    0x18      0x0000      63790   0       0        0                                                                                    0x54 0x59 0x50 0x45 0x20 0x49 0x0d 0x0a
1277    35       0x0000000000004001  1258594163.327121  0.079934    0.318527      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      74      20     0x00   1622   2732      0x4000  239    0x28a4       0x28a4       0xb130       0xb130       0x0044   0                       0                     0                 1071  39    21       8        1070       38         0x00c0    0x18      0x0000      4178    0       0        0                                                                                    0x32 0x30 0x30 0x20 0x54 0x79 0x70 0x65 0x20 0x73 0x65 0x74 0x20 0x74 0x6f 0x20 0x49 0x2e 0x0d 0x0a
1278    35       0x0000000000004000  1258594163.327845  0.078460    0.399503      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     64      6      0x00   16255  1         0x4000  128    0x5e89       0x5e89       0xaaa3       0xaaa3       0x0040   0                       0                     0                 39    1091  8        20       38         1090       0x0040    0x18      0x0000      63770   0       0        0                                                                                    0x50 0x41 0x53 0x56 0x0d 0x0a
1279    35       0x0000000000004001  1258594163.407582  0.080461    0.398988      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      104     50     0x00   5259   3637      0x4000  239    0x1a51       0x1a51       0xbf53       0xbf53       0x0040   0                       0                     0                 1091  45    20       6        1090       44         0x00c0    0x18      0x0000      4184    0       0        0                                                                                    0x32 0x32 0x37 0x20 0x45 0x6e 0x74 0x65 0x72 0x69 0x6e 0x67 0x20 0x50 0x61 0x73 0x73 0x69 0x76 0x65 0x20 0x4d 0x6f 0x64 0x65 0x20 0x28 0x31 0x34 0x33 0x2c 0x31 0x36 0x36 0x2c 0x31 0x31 0x2c 0x31 0x30 0x2c 0x32 0x35 0x31 0x2c 0x37 0x38 0x29 0x0d 0x0a
1283    35       0x0000000000004000  1258594163.487490  0.159645    0.559148      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     82      24     0x00   16267  12        0x4000  128    0x5e6b       0x5e6b       0xf13a       0xf13a       0x0040   0                       0                     0                 45    1141  6        50       44         1140       0x0040    0x18      0x0000      63720   0       0        0                                                                                    0x53 0x49 0x5a 0x45 0x20 0x2f 0x76 0x69 0x64 0x65 0x6f 0x2f 0x52 0x37 0x39 0x37 0x33 0x33 0x2e 0x45 0x58 0x45 0x0d 0x0a
1284    35       0x0000000000004001  1258594163.565990  0.158408    0.557396      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      67      13     0x00   11024  5765      0x4000  239    0x03f1       0x03f1       0x049e       0x049e       0x0040   0                       0                     0                 1141  69    50       24       1140       68         0x00c0    0x18      0x0000      4208    0       0        0                                                                                    0x32 0x31 0x33 0x20 0x34 0x32 0x35 0x35 0x30 0x35 0x36 0x0d 0x0a
1285    35       0x0000000000004000  1258594163.566694  0.079204    0.638352      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     82      24     0x00   16268  1         0x4000  128    0x5e6a       0x5e6a       0xf819       0xf819       0x0040   0                       0                     0                 69    1154  24       13       68         1153       0x0040    0x18      0x0000      63707   0       0        0                                                                                    0x52 0x45 0x54 0x52 0x20 0x2f 0x76 0x69 0x64 0x65 0x6f 0x2f 0x52 0x37 0x39 0x37 0x33 0x33 0x2e 0x45 0x58 0x45 0x0d 0x0a
1286    35       0x0000000000004001  1258594163.644188  0.078198    0.635594      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      108     54     0x00   14255  3231      0x4000  239    0xf728       0xf728       0xb8e3       0xb8e3       0x0040   0                       0                     0                 1154  93    13       24       1153       92         0x00c0    0x18      0x0000      4232    0       0        0                                                                                    0x31 0x32 0x35 0x20 0x44 0x61 0x74 0x61 0x20 0x63 0x6f 0x6e 0x6e 0x65 0x63 0x74 0x69 0x6f 0x6e 0x20 0x61 0x6c 0x72 0x65 0x61 0x64 0x79 0x20 0x6f 0x70 0x65 0x6e 0x3b 0x20 0x54 0x72 0x61 0x6e 0x73 0x66 0x65 0x72 0x20 0x73 0x74 0x61 0x72 0x74 0x69 0x6e 0x67 0x2e 0x0d 0x0a
1303    35       0x0000000000004000  1258594163.838277  0.271583    0.909935      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     64      0      0x00   16289  21        0x4000  128    0x5e6d       0x5e6d       0x5b1d       0x5b1d       0x0040   0                       0                     0                 93    1208  24       54       92         1207       0x0040    0x10      0x0000      63653   0       0        0
5898    35       0x0000000000004001  1258594185.427515  21.783327   22.418921     3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      78      24     0x00   40815  26560     0x4000  239    0x8f86       0x8f86       0x7425       0x7425       0x0040   0                       0                     0                 1208  93    54       0        1207       92         0x00c0    0x18      0x0000      4232    0       0        0                                                                                    0x32 0x32 0x36 0x20 0x54 0x72 0x61 0x6e 0x73 0x66 0x65 0x72 0x20 0x63 0x6f 0x6d 0x70 0x6c 0x65 0x74 0x65 0x2e 0x0d 0x0a
5900    35       0x0000000000004000  1258594185.618346  21.780069   22.690004     3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     64      0      0x00   18617  2328      0x4000  128    0x5555       0x5555       0x5b1d       0x5b1d       0x0040   0                       0                     0                 93    1232  0        24       92         1231       0x0040    0x10      0x0000      63629   0       0        0
5902    35       0x0000000000004001  1258594491.683288  306.255768  328.674683    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      54      0      0x00   49361  8546      0x4000  239    0x6e3c       0x6e3c       0x431f       0x431f       0x0040   0                       0                     0                 1232  93    24       0        1231       92         0x00c0    0x14      0x0004      4232    0       0        0
$
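The drill-down described above, from a flow index to its packets, can be scripted once the packet file is parsed. The following is an added example written for this tutorial; it is not Tranalyzer code. It assumes the packet file is tab-separated with a single '%'-prefixed header line (the txtSink format; tcol only aligns the columns for display), that bit 0 of flowStat marks the B direction (as the B row of flow 35 with flowStat 0x...4001 suggests), and that l7HexContent holds space-separated 0xNN bytes as in the listing. The embedded sample is a constructed subset of flow 35's columns with the values from the listing; packet 1273 is deliberately omitted to stand in for a packet missing from the capture, so the sequence check has something to find.

```python
"""Parse a T2 packet-mode file, rebuild the FTP dialogue and check TCP sequence continuity.

Added example for the tutorial, not part of Tranalyzer. Assumptions: tab-separated
txtSink format with one '%' header line, flowStat bit 0 = B direction,
l7HexContent as space-separated 0xNN bytes (all inferred from the listing).
"""
import io
from typing import Dict, List, Tuple

# Constructed sample: flow 35 from the tutorial, reduced to ten columns.
# Packet 1273 (the 950-byte '230-' banner) is left out on purpose to play
# the role of a packet the capture never saw.
SAMPLE_PACKETS = "\n".join([
    "%pktNo\tflowInd\tflowStat\ttime\tpktIAT\tl7Len\tseq\tack\ttcpFlags\tl7HexContent",
    "1266\t35\t0x0000000000004000\t1258594162.928342\t0.000000\t0\t0\t0\t0x02\t",
    "1267\t35\t0x0000000000004001\t1258594163.008594\t0.000000\t0\t0\t1\t0x12\t",
    "1268\t35\t0x0000000000004000\t1258594163.009292\t0.080950\t0\t1\t1\t0x10\t",
    "1269\t35\t0x0000000000004001\t1258594163.087792\t0.079198\t27\t1\t1\t0x18\t"
    "0x32 0x32 0x30 0x20 0x4d 0x69 0x63 0x72 0x6f 0x73 0x6f 0x66 0x74 0x20 0x46 0x54 0x50 "
    "0x20 0x53 0x65 0x72 0x76 0x69 0x63 0x65 0x0d 0x0a",
    "1270\t35\t0x0000000000004000\t1258594163.088491\t0.079199\t16\t1\t28\t0x18\t"
    "0x55 0x53 0x45 0x52 0x20 0x61 0x6e 0x6f 0x6e 0x79 0x6d 0x6f 0x75 0x73 0x0d 0x0a",
    "1271\t35\t0x0000000000004001\t1258594163.166256\t0.078464\t72\t28\t17\t0x18\t"
    "0x33 0x33 0x31 0x20 0x41 0x6e 0x6f 0x6e 0x79 0x6d 0x6f 0x75 0x73 0x20 0x61 0x63 0x63 "
    "0x65 0x73 0x73 0x20 0x61 0x6c 0x6c 0x6f 0x77 0x65 0x64 0x2c 0x20 0x73 0x65 0x6e 0x64 "
    "0x20 0x69 0x64 0x65 0x6e 0x74 0x69 0x74 0x79 0x20 0x28 0x65 0x2d 0x6d 0x61 0x69 0x6c "
    "0x20 0x6e 0x61 0x6d 0x65 0x29 0x20 0x61 0x73 0x20 0x70 0x61 0x73 0x73 0x77 0x6f 0x72 "
    "0x64 0x2e 0x0d 0x0a",
    "1272\t35\t0x0000000000004000\t1258594163.168693\t0.080202\t14\t17\t100\t0x18\t"
    "0x50 0x41 0x53 0x53 0x20 0x49 0x45 0x55 0x73 0x65 0x72 0x40 0x0d 0x0a",
    "1274\t35\t0x0000000000004001\t1258594163.247187\t0.000009\t21\t1050\t31\t0x18\t"
    "0x32 0x33 0x30 0x20 0x55 0x73 0x65 0x72 0x20 0x6c 0x6f 0x67 0x67 0x65 0x64 0x20 0x69 "
    "0x6e 0x2e 0x0d 0x0a",
    "1275\t35\t0x0000000000004000\t1258594163.247637\t0.078944\t0\t31\t1071\t0x10\t",
    "1276\t35\t0x0000000000004000\t1258594163.249385\t0.001748\t8\t31\t1071\t0x18\t"
    "0x54 0x59 0x50 0x45 0x20 0x49 0x0d 0x0a",
    "1277\t35\t0x0000000000004001\t1258594163.327121\t0.079934\t20\t1071\t39\t0x18\t"
    "0x32 0x30 0x30 0x20 0x54 0x79 0x70 0x65 0x20 0x73 0x65 0x74 0x20 0x74 0x6f 0x20 0x49 "
    "0x2e 0x0d 0x0a",
]) + "\n"


def parse_packet_file(text: str) -> List[Dict[str, str]]:
    """Return one dict per packet, keyed by the header names (leading '%' dropped)."""
    header: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in io.StringIO(text):
        line = raw.rstrip("\r\n")          # keep tabs: an empty last column is a trailing tab
        if not line:
            continue
        if line.startswith("%"):
            header = line[1:].split("\t")
            continue
        fields = line.split("\t")
        if not header or len(fields) != len(header):
            raise ValueError(f"malformed packet line: {line[:40]!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def decode_l7hex(field: str) -> bytes:
    """Turn the '0x32 0x32 0x30 ...' l7HexContent field back into raw bytes."""
    return bytes(int(tok, 16) for tok in field.split())


def direction(row: Dict[str, str]) -> str:
    """'B' when bit 0 of flowStat is set (reverse direction), else 'A' (assumption)."""
    return "B" if int(row["flowStat"], 16) & 0x1 else "A"


def ftp_dialogue(rows: List[Dict[str, str]], flow_ind: int) -> List[Tuple[int, str, str]]:
    """Rebuild the control-channel exchange of one flow as (pktNo, side, line)."""
    out = []
    for r in rows:
        if r["flowInd"] != str(flow_ind) or not r["l7HexContent"]:
            continue
        text = decode_l7hex(r["l7HexContent"]).decode("ascii", "replace").rstrip("\r\n")
        out.append((int(r["pktNo"]), direction(r), text))
    return out


def seq_gaps(rows: List[Dict[str, str]], flow_ind: int) -> List[Tuple[int, str, int]]:
    """Per direction, predict the next relative seq as seq + l7Len (+1 per SYN/FIN)
    and report packets that do not start there. A positive delta is payload the
    capture never saw; a negative one is an overlap or retransmission."""
    expected: Dict[str, int] = {}
    gaps: List[Tuple[int, str, int]] = []
    for r in rows:
        if r["flowInd"] != str(flow_ind):
            continue
        side = direction(r)
        seq, l7_len, flags = int(r["seq"]), int(r["l7Len"]), int(r["tcpFlags"], 16)
        if side in expected and seq != expected[side]:
            gaps.append((int(r["pktNo"]), side, seq - expected[side]))
        # FIN (0x01) and SYN (0x02) each occupy one sequence number.
        expected[side] = seq + l7_len + (flags & 0x01) + ((flags >> 1) & 0x01)
    return gaps


if __name__ == "__main__":
    pkts = parse_packet_file(SAMPLE_PACKETS)
    for pkt_no, side, line in ftp_dialogue(pkts, 35):
        print(f"{pkt_no} {side}> {line}")
    for pkt_no, side, delta in seq_gaps(pkts, 35):
        print(f"pkt {pkt_no} ({side}): seq jumps {delta} bytes past the last payload seen")
```

Because the parser is driven by the header line, the same functions work unchanged on the full faf-exercise_packets.txt, where the extra columns are simply carried along in each row's dict. On the constructed sample the sequence check reports a 950-byte jump at packet 1274 in the B direction, exactly the size of the omitted banner.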

Changing L7 output format to hex

The packet mode is currently configured at compile time in the header file main.h. This will change in the future and bring more flexibility to the packet mode. At present you can switch the packet number on or off and choose the output type of the Layer 7 content: human-readable characters or hexadecimal values. Both can be switched on simultaneously, in which case the human-readable output is appended after the hexadecimal output.

Modify the header file to look like this:

$ vi main.h

You only need to recompile the core now and rerun t2:

$ t2build tranalyzer2
...
$ t2 -r ~/data/faf-exercise.pcap -w ~/results -s
...
$

If we select our FTP flow again, the L7 output now appears in hex. This format lets you read the binary L7 content directly with tawk, without having to re-encode it from text.

$ tawk 'flow(35)' faf-exercise_packets.txt | tcol
%pktNo  flowInd  flowStat            time               pktIAT      flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPWho         srcPort  dstIP          dstIPCC  dstIPWho         dstPort  l4Proto  srcManuf  dstManuf  pktLen  l7Len  ipTOS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq   ack   seqDiff  ackDiff  seqPktLen  ackPktLen  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpTmS  tcpTmER  tcpOptLen  tcpOpts                                  icmpType  icmpCode  icmpPFindex  l7HexContent
1266    35       0x0000000000004000  1258594162.928342  0.000000    0.000000      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     66      0      0x00   16230  0         0x4000  128    0x5ea0       0x5ea0       0x7ccd       0x7ccd       0x0040   0                       0                     0                 0     0     0        0        0          0          0x0041    0x02      0x0000      8192    0       0        8          0x02;0x04;0x05;0xb4;0x01;0x01;0x04;0x02
1267    35       0x0000000000004001  1258594163.008594  0.000000    0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      62      0      0x00   55468  0         0x4000  239    0x5659       0x5659       0x1d37       0x1d37       0x0040   0                       0                     0                 0     1     0        0        0          0          0x0061    0x12      0x0002      4140    0       0        8          0x02;0x04;0x05;0x64;0x04;0x02;0x00;0x00
1268    35       0x0000000000004000  1258594163.009292  0.080950    0.080950      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     64      0      0x00   16231  1         0x4000  128    0x5ea7       0x5ea7       0x5b79       0x5b79       0x0040   0                       0                     0                 1     1     0        0        0          0          0x00c0    0x10      0x0000      64860   0       0        0
1269    35       0x0000000000004001  1258594163.087792  0.079198    0.079198      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      81      27     0x00   58625  3157      0x4000  239    0x49f1       0x49f1       0xad9d       0xad9d       0x0040   0                       0                     0                 1     1     0        0        0          0          0x0040    0x18      0x0000      4140    0       0        0                                                                                    0x32 0x32 0x30 0x20 0x4d 0x69 0x63 0x72 0x6f 0x73 0x6f 0x66 0x74 0x20 0x46 0x54 0x50 0x20 0x53 0x65 0x72 0x76 0x69 0x63 0x65 0x0d 0x0a
1270    35       0x0000000000004000  1258594163.088491  0.079199    0.160149      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     74      16     0x00   16243  12        0x4000  128    0x5e8b       0x5e8b       0xd384       0xd384       0x0040   0                       0                     0                 1     28    0        27       0          27         0x0040    0x18      0x0000      64833   0       0        0                                                                                    0x55 0x53 0x45 0x52 0x20 0x61 0x6e 0x6f 0x6e 0x79 0x6d 0x6f 0x75 0x73 0x0d 0x0a
1271    35       0x0000000000004001  1258594163.166256  0.078464    0.157662      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      126     72     0x00   61580  2955      0x4000  239    0x3e39       0x3e39       0xf987       0xf987       0x0040   0                       0                     0                 28    17    27       16       27         16         0x00c0    0x18      0x0000      4156    0       0        0                                                                                    0x33 0x33 0x31 0x20 0x41 0x6e 0x6f 0x6e 0x79 0x6d 0x6f 0x75 0x73 0x20 0x61 0x63 0x63 0x65 0x73 0x73 0x20 0x61 0x6c 0x6c 0x6f 0x77 0x65 0x64 0x2c 0x20 0x73 0x65 0x6e 0x64 0x20 0x69 0x64 0x65 0x6e 0x74 0x69 0x74 0x79 0x20 0x28 0x65 0x2d 0x6d 0x61 0x69 0x6c 0x20 0x6e 0x61 0x6d 0x65 0x29 0x20 0x61 0x73 0x20 0x70 0x61 0x73 0x73 0x77 0x6f 0x72 0x64 0x2e 0x0d 0x0a
1272    35       0x0000000000004000  1258594163.168693  0.080202    0.240351      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     72      14     0x00   16244  1         0x4000  128    0x5e8c       0x5e8c       0x5f70       0x5f70       0x0040   0                       0                     0                 17    100   16       72       16         99         0x0040    0x18      0x0000      64761   0       0        0                                                                                    0x50 0x41 0x53 0x53 0x20 0x49 0x45 0x55 0x73 0x65 0x72 0x40 0x0d 0x0a
1273    35       0x0000000000004001  1258594163.247178  0.080922    0.238584      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      1004    950    0x00   64425  2845      0x4000  239    0x2fae       0x2fae       0x41de       0x41de       0x0040   0                       0                     0                 100   31    72       14       99         30         0x00c0    0x18      0x0000      4170    0       0        0                                                                                    0x32 0x33 0x30 0x2d 0x57 0x65 0x6c 0x63 0x6f 0x6d 0x65 0x20 0x74 0x6f 0x20 0x74 0x68 0x65 0x20 0x44 0x65 0x6c 0x6c 0x20 0x46 0x54 0x50 0x20 0x73 0x69 0x74 0x65 0x2e 0x20 0x41 0x20 0x73 0x65 0x72 0x76 0x69 0x63 0x65 0x20 0x6f 0x66 0x20 0x44 0x65 0x6c 0x6c 0x20 0x49 0x6e 0x63 0x2e 0x2c 0x20 0x52 0x6f 0x75 0x6e 0x64 0x20 0x52 0x6f 0x63 0x6b 0x2c 0x20 0x54 0x65 0x78 0x61 0x73 0x2e 0x0d 0x0a 0x20 0x20 0x20 0x20 0x46 0x6f 0x72 0x20 0x69 0x6e 0x66 0x6f 0x72 0x6d 0x61 0x74 0x69 0x6f 0x6e 0x20 0x61 0x62 0x6f 0x75 0x74 0x20 0x44 0x45 0x4c 0x4c 0x2c 0x20 0x63 0x61 0x6c 0x6c 0x20 0x2b 0x31 0x20 0x38 0x30 0x30 0x20 0x39 0x39 0x39 0x20 0x33 0x33 0x35 0x35 0x20 0x41 0x6c 0x6c 0x20 0x74 0x72 0x61 0x6e 0x73 0x66 0x65 0x72 0x73 0x20 0x61 0x72 0x65 0x20 0x6c 0x6f 0x67 0x67 0x65 0x64 0x20 0x77 0x69 0x74 0x68 0x0d 0x0a 0x20 0x20 0x20 0x20 0x79 0x6f 0x75 0x72 0x20 0x68 0x6f 0x73 0x74 0x20 0x6e 0x61 0x6d 0x65 0x20 0x61 0x6e 0x64 0x20 0x65 0x6d 0x61 0x69 0x6c 0x20 0x61 0x64 0x64 0x72 0x65 0x73 0x73 0x2e 0x20 0x49 0x66 0x20 0x79 0x6f 0x75 0x20 0x64 0x6f 0x6e 0x27 0x74 0x20 0x6c 0x69 0x6b 0x65 0x20 0x74 0x68 0x69 0x73 0x20 0x70 0x6f 0x6c 0x69 0x63 0x79 0x20 0x70 0x6c 0x65 0x61 0x73 0x65 0x20 0x64 0x69 0x73 0x63 0x6f 0x6e 0x6e 0x65 0x63 0x74 0x20 0x6e 0x6f 0x77 0x2e 0x0d 0x0a 0x20 0x20 0x20 0x20 0x50 0x6c 0x65 0x61 0x73 0x65 0x20 0x62 0x65 
0x20 0x61 0x64 0x76 0x69 0x73 0x65 0x64 0x20 0x74 0x68 0x61 0x74 0x20 0x75 0x73 0x65 0x20 0x63 0x6f 0x6e 0x73 0x74 0x69 0x74 0x75 0x74 0x65 0x73 0x20 0x63 0x6f 0x6e 0x73 0x65 0x6e 0x74 0x20 0x74 0x6f 0x20 0x6d 0x6f 0x6e 0x69 0x74 0x6f 0x72 0x69 0x6e 0x67 0x20 0x28 0x45 0x6c 0x65 0x63 0x20 0x43 0x6f 0x6d 0x6d 0x20 0x50 0x72 0x69 0x76 0x20 0x41 0x63 0x74 0x2c 0x0d 0x0a 0x20 0x20 0x20 0x20 0x31 0x38 0x20 0x55 0x53 0x43 0x20 0x32 0x37 0x30 0x31 0x2d 0x32 0x37 0x31 0x31 0x29 0x2e 0x20 0x50 0x6c 0x65 0x61 0x73 0x65 0x20 0x73 0x65 0x65 0x20 0x74 0x68 0x65 0x20 0x66 0x69 0x6c 0x65 0x20 0x72 0x65 0x61 0x64 0x6d 0x65 0x2e 0x74 0x78 0x74 0x20 0x66 0x6f 0x72 0x20 0x64 0x69 0x73 0x63 0x6c 0x61 0x69 0x6d 0x65 0x72 0x73 0x20 0x70 0x65 0x72 0x74 0x61 0x69 0x6e 0x69 0x6e 0x67 0x20 0x74 0x6f 0x20 0x74 0x68 0x69 0x73 0x0d 0x0a 0x20 0x20 0x20 0x20 0x73 0x65 0x72 0x76 0x69 0x63 0x65 0x2e 0x20 0x49 0x66 0x20 0x79 0x6f 0x75 0x72 0x20 0x46 0x54 0x50 0x20 0x63 0x6c 0x69 0x65 0x6e 0x74 0x20 0x63 0x72 0x61 0x73 0x68 0x65 0x73 0x20 0x6f 0x72 0x20 0x68 0x61 0x6e 0x67 0x73 0x20 0x73 0x68 0x6f 0x72 0x74 0x6c 0x79 0x20 0x61 0x66 0x74 0x65 0x72 0x20 0x6c 0x6f 0x67 0x69 0x6e 0x2c 0x20 0x74 0x72 0x79 0x20 0x75 0x73 0x69 0x6e 0x67 0x20 0x61 0x20 0x64 0x61 0x73 0x68 0x0d 0x0a 0x20 0x20 0x20 0x20 0x28 0x2d 0x29 0x20 0x61 0x73 0x20 0x74 0x68 0x65 0x20 0x66 0x69 0x72 0x73 0x74 0x20 0x63 0x68 0x61 0x72 0x61 0x63 0x74 0x65 0x72 0x20 0x6f 0x66 0x20 0x79 0x6f 0x75 0x72 0x20 0x70 0x61 0x73 0x73 0x77 0x6f 0x72 0x64 0x2e 0x20 0x54 0x68 0x69 0x73 0x20 0x77 0x69 0x6c 0x6c 0x20 0x74 0x75 0x72 0x6e 0x20 0x6f 0x66 0x66 0x20 0x74 0x68 0x65 0x20 0x69 0x6e 0x66 0x6f 0x72 0x6d 0x61 0x74 0x69 0x6f 0x6e 0x61 0x6c 0x0d 0x0a 0x20 0x20 0x20 0x20 0x6d 0x65 0x73 0x73 0x61 0x67 0x65 0x73 0x20 0x77 0x68 0x69 0x63 0x68 0x20 0x6d 0x61 0x79 0x20 0x62 0x65 0x20 0x63 0x6f 0x6e 0x66 0x75 0x73 0x69 0x6e 0x67 0x20 0x79 0x6f 0x75 0x72 0x20 0x66 0x74 0x70 0x20 0x63 0x6c 0x69 0x65 0x6e 0x74 0x2e 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x2a 
0x2a 0x2a 0x2a 0x2a 0x2a 0x49 0x4e 0x20 0x43 0x41 0x53 0x45 0x20 0x4f 0x46 0x20 0x50 0x52 0x4f 0x42 0x4c 0x45 0x4d 0x53 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x20 0x46 0x69 0x6c 0x65 0x20 0x43 0x6f 0x6e 0x74 0x65 0x6e 0x74 0x3a 0x20 0x73 0x65 0x6e 0x64 0x20 0x45 0x4d 0x41 0x49 0x4c 0x20 0x74 0x6f 0x20 0x64 0x65 0x6c 0x6c 0x62 0x62 0x73 0x40 0x64 0x65 0x6c 0x6c 0x2e 0x63 0x6f 0x6d 0x20 0x20 0x20 0x2a 0x2a 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x20 0x46 0x54 0x50 0x20 0x53 0x65 0x72 0x76 0x65 0x72 0x3a 0x20 0x73 0x65 0x6e 0x64 0x20 0x45 0x4d 0x41 0x49 0x4c 0x20 0x74 0x6f 0x20 0x68 0x6f 0x73 0x74 0x6d 0x61 0x73 0x74 0x65 0x72 0x40 0x64 0x65 0x6c 0x6c 0x2e 0x63 0x6f 0x6d 0x20 0x20 0x2a 0x2a 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x20 0x57 0x57 0x57 0x20 0x53 0x65 0x72 0x76 0x65 0x72 0x3a 0x20 0x73 0x65 0x6e 0x64 0x20 0x45 0x4d 0x41 0x49 0x4c 0x20 0x74 0x6f 0x20 0x77 0x65 0x62 0x6d 0x61 0x73 0x74 0x65 0x72 0x40 0x64 0x65 0x6c 0x6c 0x2e 0x63 0x6f 0x6d 0x20 0x20 0x20 0x2a 0x2a 0x0d 0x0a 0x20 0x20 0x20 0x20 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x2a 0x0d 0x0a
1274    35       0x0000000000004001  1258594163.247187  0.000009    0.238593      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      75      21     0x00   64426  1         0x4000  239    0x334e       0x334e       0x2a2a       0x2a2a       0x0040   0                       0                     0                 1050  31    950      0        1049       30         0x00c0    0x18      0x0000      4170    0       0        0                                                                                    0x32 0x33 0x30 0x20 0x55 0x73 0x65 0x72 0x20 0x6c 0x6f 0x67 0x67 0x65 0x64 0x20 0x69 0x6e 0x2e 0x0d 0x0a
1275    35       0x0000000000004000  1258594163.247637  0.078944    0.319295      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     64      0      0x00   16253  9         0x4000  128    0x5e91       0x5e91       0x5b5b       0x5b5b       0x0040   0                       0                     0                 31    1071  14       971      30         1070       0x0040    0x10      0x0000      63790   0       0        0
1276    35       0x0000000000004000  1258594163.249385  0.001748    0.321043      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     66      8      0x00   16254  1         0x4000  128    0x5e88       0x5e88       0x8959       0x8959       0x0040   0                       0                     0                 31    1071  0        0        30         1070       0x0040    0x18      0x0000      63790   0       0        0                                                                                    0x54 0x59 0x50 0x45 0x20 0x49 0x0d 0x0a
1277    35       0x0000000000004001  1258594163.327121  0.079934    0.318527      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      74      20     0x00   1622   2732      0x4000  239    0x28a4       0x28a4       0xb130       0xb130       0x0044   0                       0                     0                 1071  39    21       8        1070       38         0x00c0    0x18      0x0000      4178    0       0        0                                                                                    0x32 0x30 0x30 0x20 0x54 0x79 0x70 0x65 0x20 0x73 0x65 0x74 0x20 0x74 0x6f 0x20 0x49 0x2e 0x0d 0x0a
1278    35       0x0000000000004000  1258594163.327845  0.078460    0.399503      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     64      6      0x00   16255  1         0x4000  128    0x5e89       0x5e89       0xaaa3       0xaaa3       0x0040   0                       0                     0                 39    1091  8        20       38         1090       0x0040    0x18      0x0000      63770   0       0        0                                                                                    0x50 0x41 0x53 0x56 0x0d 0x0a
1279    35       0x0000000000004001  1258594163.407582  0.080461    0.398988      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      104     50     0x00   5259   3637      0x4000  239    0x1a51       0x1a51       0xbf53       0xbf53       0x0040   0                       0                     0                 1091  45    20       6        1090       44         0x00c0    0x18      0x0000      4184    0       0        0                                                                                    0x32 0x32 0x37 0x20 0x45 0x6e 0x74 0x65 0x72 0x69 0x6e 0x67 0x20 0x50 0x61 0x73 0x73 0x69 0x76 0x65 0x20 0x4d 0x6f 0x64 0x65 0x20 0x28 0x31 0x34 0x33 0x2c 0x31 0x36 0x36 0x2c 0x31 0x31 0x2c 0x31 0x30 0x2c 0x32 0x35 0x31 0x2c 0x37 0x38 0x29 0x0d 0x0a
1283    35       0x0000000000004000  1258594163.487490  0.159645    0.559148      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     82      24     0x00   16267  12        0x4000  128    0x5e6b       0x5e6b       0xf13a       0xf13a       0x0040   0                       0                     0                 45    1141  6        50       44         1140       0x0040    0x18      0x0000      63720   0       0        0                                                                                    0x53 0x49 0x5a 0x45 0x20 0x2f 0x76 0x69 0x64 0x65 0x6f 0x2f 0x52 0x37 0x39 0x37 0x33 0x33 0x2e 0x45 0x58 0x45 0x0d 0x0a
1284    35       0x0000000000004001  1258594163.565990  0.158408    0.557396      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      67      13     0x00   11024  5765      0x4000  239    0x03f1       0x03f1       0x049e       0x049e       0x0040   0                       0                     0                 1141  69    50       24       1140       68         0x00c0    0x18      0x0000      4208    0       0        0                                                                                    0x32 0x31 0x33 0x20 0x34 0x32 0x35 0x35 0x30 0x35 0x36 0x0d 0x0a
1285    35       0x0000000000004000  1258594163.566694  0.079204    0.638352      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     82      24     0x00   16268  1         0x4000  128    0x5e6a       0x5e6a       0xf819       0xf819       0x0040   0                       0                     0                 69    1154  24       13       68         1153       0x0040    0x18      0x0000      63707   0       0        0                                                                                    0x52 0x45 0x54 0x52 0x20 0x2f 0x76 0x69 0x64 0x65 0x6f 0x2f 0x52 0x37 0x39 0x37 0x33 0x33 0x2e 0x45 0x58 0x45 0x0d 0x0a
1286    35       0x0000000000004001  1258594163.644188  0.078198    0.635594      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      108     54     0x00   14255  3231      0x4000  239    0xf728       0xf728       0xb8e3       0xb8e3       0x0040   0                       0                     0                 1154  93    13       24       1153       92         0x00c0    0x18      0x0000      4232    0       0        0                                                                                    0x31 0x32 0x35 0x20 0x44 0x61 0x74 0x61 0x20 0x63 0x6f 0x6e 0x6e 0x65 0x63 0x74 0x69 0x6f 0x6e 0x20 0x61 0x6c 0x72 0x65 0x61 0x64 0x79 0x20 0x6f 0x70 0x65 0x6e 0x3b 0x20 0x54 0x72 0x61 0x6e 0x73 0x66 0x65 0x72 0x20 0x73 0x74 0x61 0x72 0x74 0x69 0x6e 0x67 0x2e 0x0d 0x0a
1303    35       0x0000000000004000  1258594163.838277  0.271583    0.909935      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     64      0      0x00   16289  21        0x4000  128    0x5e6d       0x5e6d       0x5b1d       0x5b1d       0x0040   0                       0                     0                 93    1208  24       54       92         1207       0x0040    0x10      0x0000      63653   0       0        0
5898    35       0x0000000000004001  1258594185.427515  21.783327   22.418921     3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      78      24     0x00   40815  26560     0x4000  239    0x8f86       0x8f86       0x7425       0x7425       0x0040   0                       0                     0                 1208  93    54       0        1207       92         0x00c0    0x18      0x0000      4232    0       0        0                                                                                    0x32 0x32 0x36 0x20 0x54 0x72 0x61 0x6e 0x73 0x66 0x65 0x72 0x20 0x63 0x6f 0x6d 0x70 0x6c 0x65 0x74 0x65 0x2e 0x0d 0x0a
5900    35       0x0000000000004000  1258594185.618346  21.780069   22.690004     3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  09       Private network  49329    143.166.11.10  us       Dell             21       6        Dell      Apple     64      0      0x00   18617  2328      0x4000  128    0x5555       0x5555       0x5b1d       0x5b1d       0x0040   0                       0                     0                 93    1232  0        24       92         1231       0x0040    0x10      0x0000      63629   0       0        0
5902    35       0x0000000000004001  1258594491.683288  306.255768  328.674683    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             21       192.168.1.105  09       Private network  49329    6        Apple     Dell      54      0      0x00   49361  8546      0x4000  239    0x6e3c       0x6e3c       0x431f       0x431f       0x0040   0                       0                     0                 1232  93    24       0        1231       92         0x00c0    0x14      0x0004      4232    0       0        0
$

Don’t forget to reset to character output again for the next chapter.

Selecting flows and packets

Maybe you want to look for a certain anomaly or you are interested in all ICMP messages. As our present PCAP does not contain ICMP, download annoloc2.pcap and run t2 on it:

$ t2 -r ~/data/annoloc2.pcap -w ~/results/ -s
================================================================================
Tranalyzer 0.8.7 (Anteater), Tarantula. PID: 20011
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.7
    02: macRecorder, 0.8.7
    03: portClassifier, 0.8.7
    04: basicStats, 0.8.7
    05: tcpFlags, 0.8.7
    06: tcpStates, 0.8.7
    07: icmpDecode, 0.8.7
    08: ftpDecode, 0.8.7
    09: txtSink, 0.8.7
[INF] basicFlow: IPv4 Ver: 4, Rev: 01102019, Range Mode: 0, subnet ranges loaded: 312985 (312.99 K)
[INF] basicFlow: IPv6 Ver: 4, Rev: 01102019, Range Mode: 0, subnet ranges loaded: 21495 (21.50 K)
Processing file: /home/wurst/data/annoloc2.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1022171701.691172 sec (Thu 23 May 2002 16:35:01 GMT)
[WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500
Dump stop : 1022171726.640398 sec (Thu 23 May 2002 16:35:26 GMT)
Total dump duration: 24.949226 sec
Finished processing. Elapsed time: 0.878967 sec
Finished unloading flow memory. Time: 1.305904 sec
Percentage completed: 100.00%
Number of processed packets: 1219015 (1.22 M)
Number of processed bytes: 64082726 (64.08 M)
Number of raw bytes: 844642686 (844.64 M)
Number of pcap bytes: 83586990 (83.59 M)
Number of IPv4 packets: 1218588 (1.22 M) [99.96%]
Number of IPv6 packets: 180 [0.01%]
Number of A packets: 561591 (561.59 K) [46.07%]
Number of B packets: 657424 (657.42 K) [53.93%]
Number of A bytes: 29274086 (29.27 M) [45.68%]
Number of B bytes: 34808640 (34.81 M) [54.32%]
Average A packet load: 52.13
Average B packet load: 52.95
--------------------------------------------------------------------------------
basicStats: Biggest L2 Talker: 00:d0:02:6d:78:00: 57 [0.00%] packets
basicStats: Biggest L2 Talker: 00:d0:02:6d:78:00: 3420 (3.42 K) [0.01%] bytes
basicStats: Biggest L3 Talker: 138.212.189.38 (JP): 23601 (23.60 K) [1.94%] packets
basicStats: Biggest L3 Talker: 138.212.189.38 (JP): 35005508 (35.01 M) [54.63%] bytes
tcpFlags: Aggregated ipFlags: 0x3dff
tcpFlags: Aggregated tcpAnomaly: 0xff47
tcpFlags: Number of TCP scans, succ scans, syn retries, seq retries: 685, 2569 (2.57 K), 114, 933
tcpFlags: Number WinSz below 1: 2415 (2.42 K) [0.25%]
tcpStates: Aggregated anomaly flags: 0xdf
icmpDecode: Number of ICMP echo request packets: 224 [7.32%]
icmpDecode: Number of ICMP echo reply packets: 191 [6.24%]
icmpDecode: ICMP echo reply / request ratio: 0.85
ftpDecode: Anomaly flags: 0x01
ftpDecode: Number of FTP packets: 2082 (2.08 K) [0.17%]
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, average: 3.01
Number of GRE packets: 20 [0.00%]
Number of IGMP packets: 12 [0.00%]
Number of ICMP packets: 3059 (3.06 K) [0.25%]
Number of ICMPv6 packets: 11 [0.00%]
Number of TCP packets: 948743 (948.74 K) [77.83%]
Number of TCP bytes: 52643546 (52.64 M) [82.15%]
Number of UDP packets: 266900 (266.90 K) [21.89%]
Number of UDP bytes: 11234272 (11.23 M) [17.53%]
Number of IPv4 fragmented packets: 2284 (2.28 K) [0.19%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 17589 (17.59 K)
Number of processed A flows: 9980 (9.98 K) [56.74%]
Number of processed B flows: 7609 (7.61 K) [43.26%]
Number of request     flows: 9452 (9.45 K) [53.74%]
Number of reply       flows: 8137 (8.14 K) [46.26%]
Total   A/B    flow asymmetry: 0.13
Total req/rply flow asymmetry: 0.07
Number of processed   packets/flows: 69.31
Number of processed A packets/flows: 56.27
Number of processed B packets/flows: 86.40
Number of processed total packets/s: 48859.83 (48.86 K)
Number of processed A+B packets/s: 48859.83 (48.86 K)
Number of processed A   packets/s: 22509.36 (22.51 K)
Number of processed   B packets/s: 26350.48 (26.35 K)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 704.99
Average full raw bandwidth: 270835712 b/s (270.84 Mb/s)
Average snapped bandwidth : 20548206 b/s (20.55 Mb/s)
Average full bandwidth : 270269600 b/s (270.27 Mb/s)
Max number of flows in memory: 15206 (15.21 K) [5.80%]
Memory usage: 0.18 GB [0.27%]
Aggregate flow status: 0x000018fa0202d044
[WRN] L3 SnapLength < Length in IP header
[WRN] L4 header snapped
[WRN] Consecutive duplicate IP ID
[WRN] IPv4/6 fragmentation header packet missing
[WRN] IPv4/6 packet fragmentation sequence not finished
[INF] IPv4
[INF] IPv6
[INF] IPv4/6 fragmentation
[INF] IPv4/6 in IPv4/6
[INF] GRE encapsulation
[INF] SSDP/UPnP flows
[INF] Ethernet flows
[INF] ARP flows
$

Oops, a snap length warning: the packets were truncated right after the IP header. That’s bad, as we will not see much content, as you can see in the packet file.

$ tawk 'icmp()' annoloc2_flows.txt | head | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc        srcMac             dstMac             ethType  ethVlanID  srcIP           srcIPCC  srcIPWho                   srcPort  dstIP            dstIPCC  dstIPWho                       dstPort  l4Proto  macPairs  srcMac_dstMac_numP                     srcManuf_dstManuf  dstPortClassN  dstPortClass  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT  aveIAT  stdIAT  pktps  bytps  pktAsm  bytAsm  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipTOS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN  tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpTmS  tcpTmER  tcpEcI  tcpUtm    tcpBtm    tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStates  icmpStat  icmpTCcnt  icmpType_Code  icmpTmGtw   icmpEchoSuccRatio  icmpPFindex  ftpStat  ftpCDFindex  ftpCC  ftpRC  ftpUsrNum  ftpPwNum  ftpCNum  ftpUsr  ftpPw  ftpC
A     59       0x0000000200004001  1022171701.692762  1022171701.692762  0.000000  1           3        eth:ipv4:icmp  00:80:48:b3:22:ef  00:d0:02:6d:78:00  0x0800              138.212.187.10  jp       "ASAHI KASEI CORPORATION"  0        201.116.148.149  mx       "Uninet S.A. de C.V."          0        1        1         00:80:48:b3:22:ef_00:d0:02:6d:78:00_1  CompexUs_Ditech    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0000    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          3_3            0x00000000  0                  0            0x00                                0          0         0
A     893      0x0000000200004001  1022171701.812425  1022171701.812425  0.000000  1           3        eth:ipv4:icmp  00:80:48:d7:ed:7a  00:d0:02:6d:78:00  0x0800              138.212.189.88  jp       "ASAHI KASEI CORPORATION"  0        201.116.161.83   mx       "Uninet S.A. de C.V."          0        1        1         00:80:48:d7:ed:7a_00:d0:02:6d:78:00_1  CompexUs_Ditech    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0000    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          3_3            0x00000000  0                  890          0x00                                0          0         0
A     1069     0x0000000200004001  1022171701.889357  1022171701.889357  0.000000  1           3        eth:ipv4:icmp  00:48:54:7a:04:0f  00:d0:02:6d:78:00  0x0800              138.212.184.71  jp       "ASAHI KASEI CORPORATION"  0        146.208.9.41     us       "Keysight Technologies"        0        1        1         00:48:54:7a:04:0f_00:d0:02:6d:78:00_1  DigitalS_Ditech    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0000    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          3_3            0x00000000  0                  1052         0x00                                0          0         0
A     1177     0x0000000200004001  1022171701.956543  1022171701.956543  0.000000  1           3        eth:ipv4:icmp  00:d0:02:6d:78:00  00:80:48:b3:22:c4  0x0800              201.118.86.105  mx       "Uninet S.A. de C.V."      0        138.212.189.66   jp       "ASAHI KASEI CORPORATION"      0        1        1         00:d0:02:6d:78:00_00:80:48:b3:22:c4_1  Ditech_CompexUs    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0000    65535       0           246       246       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          3_1            0x00000000  0                  1166         0x00                                0          0         0
A     1204     0x0000000200004001  1022171701.980834  1022171701.980834  0.000000  1           3        eth:ipv4:icmp  00:d0:02:6d:78:00  00:80:48:b3:22:c4  0x0800              138.213.40.91   --       "--"                       0        138.212.189.66   jp       "ASAHI KASEI CORPORATION"      0        1        1         00:d0:02:6d:78:00_00:80:48:b3:22:c4_1  Ditech_CompexUs    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0000    65535       0           113       113       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          3_3            0x00000000  0                  1180         0x00                                0          0         0
A     1232     0x0000000200004001  1022171702.009674  1022171702.009674  0.000000  1           3        eth:ipv4:icmp  00:48:54:7a:04:0f  00:d0:02:6d:78:00  0x0800              138.212.184.71  jp       "ASAHI KASEI CORPORATION"  0        36.237.77.156    tw       "Data Communication Business"  0        1        1         00:48:54:7a:04:0f_00:d0:02:6d:78:00_1  DigitalS_Ditech    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0000    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          3_3            0x00000000  0                  1222         0x00                                0          0         0
A     1557     0x0000000200004001  1022171702.247453  1022171702.247453  0.000000  1           3        eth:ipv4:icmp  00:04:76:22:07:90  00:d0:02:6d:78:00  0x0800              138.212.186.88  jp       "ASAHI KASEI CORPORATION"  0        201.19.77.72     br       "Telemar Norte Leste S.A."     0        1        1         00:04:76:22:07:90_00:d0:02:6d:78:00_1  3Com_Ditech        0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0000    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          3_3            0x00000000  0                  1555         0x00                                0          0         0
A     1572     0x0000000200004001  1022171702.265015  1022171702.265015  0.000000  1           3        eth:ipv4:icmp  00:08:a1:1d:3f:f1  00:d0:02:6d:78:00  0x0800              138.212.191.25  jp       "ASAHI KASEI CORPORATION"  0        19.50.144.156    us       "Ford Motor Company"           0        1        1         00:08:a1:1d:3f:f1_00:d0:02:6d:78:00_1  CnetTech_Ditech    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0000    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          3_3            0x00000000  0                  1570         0x00                                0          0         0
A     1718     0x0000000200004001  1022171702.396273  1022171702.396273  0.000000  1           3        eth:ipv4:icmp  00:80:48:b3:24:eb  00:d0:02:6d:78:00  0x0800              138.212.190.25  jp       "ASAHI KASEI CORPORATION"  0        19.6.20.159      us       "Ford Motor Company"           0        1        1         00:80:48:b3:24:eb_00:d0:02:6d:78:00_1  CompexUs_Ditech    0              unknown       1           0            28           0             28        28        28          0           0       0       0       0       0      0      1       1       0x0000    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0         0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x01      1          3_3            0x00000000  0                  1711         0x00                                0          0         0
$

icmpDecode links an ICMP message to the flow that caused it, so with a one-liner we can select all the linked flows from the flow file:

$ tawk -H 'icmp() && $icmpPFindex { printf "%d;", $icmpPFindex } END { printf "\n" }' annoloc2_flows.txt
890;1052;1166;1180;1222;1555;1570;1711;1740;1748;1815;7887;1876;1872;1975;1995;2011;2090;2122;2224;2237;2387;2458;2476;2431;2531;2538;2566;2549;2643;2691;2642;2743;1148;2829;2894;2918;2926;2941;2970;2967;2999;3023;3019;3117;3115;3151;3119;3227;3203;3243;3347;2382;1656;1545;1744;2361;1788;3588;1893;1793;3611;1892;490;2093;1976;2193;1481;2174;2179;3813;2765;2478;2537;3249;2842;2717;2939;2773;2976;2687;4323;3105;3062;3146;3171;3204;2648;4409;1124;632;1034;1215;1209;3266;4515;4447;3493;1592;4598;1627;4610;1697;4272;1901;2329;4631;1713;1923;1838;2557;2006;2564;3655;2083;4868;4879;2484;2460;3899;2877;2590;2762;2574;2997;5078;2752;2715;2904;1461;3007;5229;3162;3231;4522;3187;3260;3602;5475;3324;5523;5520;3463;3700;2120;3410;3462;3505;2912;5641;3547;4682;4734;3719;5800;3693;5898;4947;3871;3571;3997;4114;3317;3642;5234;4217;4198;6242;4290;5333;4160;4310;4376;4979;4298;3721;5431;4386;6420;4485;6294;4508;5810;4663;6467;4693;4679;4750;6626;4794;6593;4636;4824;4851;4690;4996;6747;4973;5706;6813;6829;4940;4966;5134;4964;5402;5097;4550;5314;5239;5241;5240;5271;4662;6396;7187;5359;5415;5493;5386;5362;5580;5650;5631;5627;5584;6588;5009;5500;5658;7432;5653;5727;5634;3433;5742;7498;1318;7484;6692;5884;6857;6770;5874;7601;7605;5967;6876;5818;5905;5969;5344;5418;6040;5429;6015;7769;6050;5230;6258;6064;6122;7044;6225;6196;6175;6293;7841;6338;6378;6361;6348;5839;6409;6369;6532;6505;6824;6573;8349;6646;6622;8455;6697;6694;6752;6691;6780;6798;6833;8055;8480;6873;1678;6891;6931;6895;6883;6996;7035;8916;7968;7221;7101;7415;7194;8903;8155;7297;8076;1530;9116;8229;7462;7510;9167;8135;7337;1337;1307;9200;976;9212;7453;9234;1934;7437;1156;1936;9262;1971;1994;8312;9239;8231;8336;8704;985;1357;6985;9304;2085;1488;2254;9302;9339;7885;8425;9352;4011;1932;8419;9359;8449;1621;2216;7526;7664;9375;9383;7513;9399;8540;7604;1821;8506;7614;9409;2346;8452;9435;7644;9462;2204;9483;9494;9499;8295;7666;8555;9534;1762;2334;2357;9549;7677;8613;7700;2102;7721;2603;7749;8318;9506;8107;2231;7678;9613;9624;8767;2262;
9640;8005;7697;7036;2374;9661;9665;3314;9672;8717;9678;2632;7835;9696;9684;8456;3515;9075;9725;8842;7847;7783;2733;9175;8049;8808;2760;7882;7890;8428;8815;2355;2812;7919;2854;6213;2839;7912;1408;8577;8874;2668;2520;1869;9829;8905;9839;3141;2979;5193;8042;9868;3027;9864;702;8922;9886;9890;8087;2964;9920;3143;956;3199;94;3206;487;8963;3036;825;9974;918;533;1008;8154;9414;974;
$
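The two steps on this page, collecting icmpPFindex from the ICMP flows and then selecting the linked flows with flow(), plus the drill-down to the packets of those flows, as an added Python example that is not part of the tutorial or of Tranalyzer. It assumes tab-separated txtSink output with a `%`-prefixed header line and runs on constructed sample rows that carry only a few of the real columns.

```python
"""Resolve ICMP flows to the flows that triggered them and drill down to their
packets, mirroring the tawk one-liners on this page.

Added example, not code from the Tranalyzer project.  Assumptions (labelled):
T2 txtSink output is tab-separated with a header line starting with '%'; the
flow file has the columns flowInd, l4Proto and icmpPFindex; the packet file has
flowInd and a hex content column of '0x..' byte tokens.  The sample lines below
are constructed and carry only a handful of the real columns.
"""

def parse_t2(text):
    """Parse a T2 text file into dict rows keyed by header name.

    A row shorter than the header (e.g. a packet line without content) just
    lacks the trailing keys, so callers read those with .get().
    """
    columns, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("%"):          # header line, e.g. "%dir\tflowInd\t..."
            columns = line[1:].split("\t")
            continue
        if columns is None:
            raise ValueError("data line before header line")
        rows.append(dict(zip(columns, line.split("\t"))))
    return rows

def is_icmp(flow):
    """tawk's icmp(): the flow's L4 protocol is ICMP (1) or ICMPv6 (58)."""
    return flow.get("l4Proto") in ("1", "58")

def linked_flow_indices(flows):
    """Equivalent of `icmp() && $icmpPFindex`: the flowInd every ICMP message
    points back to, in file order and without duplicates."""
    seen, out = set(), []
    for flow in flows:
        idx = int(flow.get("icmpPFindex") or 0)   # 0 / empty: no linked flow
        if is_icmp(flow) and idx and idx not in seen:
            seen.add(idx)
            out.append(idx)
    return out

def flow_selector(indices):
    """Format indices the way tawk's flow("...") wants them: ';'-separated."""
    return ";".join(str(i) for i in indices)

def select_flows(flows, indices):
    """Equivalent of flow("890;1052;..."): keep the flows with those indices."""
    wanted = {str(i) for i in indices}
    return [f for f in flows if f.get("flowInd") in wanted]

def packets_for_flows(packets, indices):
    """Drill down: packet-mode lines carry the same flowInd as the flow file."""
    wanted = {str(i) for i in indices}
    return [p for p in packets if p.get("flowInd") in wanted]

def decode_hex_content(tokens):
    """Turn T2's hex content column ('0x32 0x33 ...') back into bytes."""
    return bytes(int(t, 16) for t in tokens.split())

# Constructed flow file: ICMP port-unreachable (type_code 3_3) messages that
# icmpDecode linked to the UDP flows that provoked them, plus one TCP flow.
FLOW_COLUMNS = ["dir", "flowInd", "flowStat", "l4Proto", "srcIP", "dstIP",
                "icmpType_Code", "icmpPFindex"]
FLOWS_TXT = "\n".join(["%" + "\t".join(FLOW_COLUMNS)] + ["\t".join(r) for r in [
    ["A", "59",   "0x0000000200004001", "1",  "10.0.0.9", "10.0.1.5", "3_3", "0"],
    ["A", "893",  "0x0000000200004001", "1",  "10.0.0.9", "10.0.1.5", "3_3", "890"],
    ["A", "901",  "0x0000000200004001", "1",  "10.0.0.9", "10.0.1.5", "3_3", "890"],
    ["A", "1069", "0x0000000200004001", "1",  "10.0.0.7", "10.0.2.2", "3_3", "1052"],
    ["A", "890",  "0x0000000200004000", "17", "10.0.1.5", "10.0.0.9", "",    "0"],
    ["A", "1052", "0x0000000200004000", "17", "10.0.2.2", "10.0.0.7", "",    "0"],
    ["A", "35",   "0x0000000000004001", "6",  "10.0.3.3", "10.0.0.1", "",    "0"],
]])

# Constructed packet file for the same capture (content column is hex mode).
PKT_COLUMNS = ["pktNo", "flowInd", "flowStat", "l4Proto", "srcIP", "dstIP", "l7Content"]
PACKETS_TXT = "\n".join(["%" + "\t".join(PKT_COLUMNS)] + ["\t".join(r) for r in [
    ["1274", "35",   "0x0000000000004001", "6",  "10.0.3.3", "10.0.0.1",
     "0x32 0x33 0x30 0x20 0x55 0x73 0x65 0x72 0x20 0x6c 0x6f 0x67 0x67 0x65 0x64 "
     "0x20 0x69 0x6e 0x2e 0x0d 0x0a"],
    ["1275", "35",   "0x0000000000004000", "6",  "10.0.0.1", "10.0.3.3"],  # pure ACK
    ["1901", "890",  "0x0000000200004000", "17", "10.0.1.5", "10.0.0.9", "0x4b 0x61 0x7a 0x61 0x61"],
    ["2044", "1052", "0x0000000200004000", "17", "10.0.2.2", "10.0.0.7", "0x27 0x00 0x00"],
]])

if __name__ == "__main__":
    flows, packets = parse_t2(FLOWS_TXT), parse_t2(PACKETS_TXT)
    linked = linked_flow_indices(flows)
    print("tawk selector:", flow_selector(linked))            # 890;1052
    for f in select_flows(flows, linked):
        print("flow", f["flowInd"], f["srcIP"], "->", f["dstIP"], "l4Proto", f["l4Proto"])
    for p in packets_for_flows(packets, linked):
        print("  pkt", p["pktNo"], "flow", p["flowInd"], decode_hex_content(p.get("l7Content", "")))
```

On a real annoloc2_flows.txt and its packet file, replace the constructed strings with the file contents; the column lookup is by header name, so the full column set works unchanged.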

Now select some of them:

$ tawk -t 'flow("890;1052;1166;1180;1222;1555")' annoloc2_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP           srcIPCC  srcIPWho                       srcPort  dstIP           dstIPCC  dstIPWho                   dstPort  l4Proto  macPairs  srcMac_dstMac_numP                     srcManuf_dstManuf  dstPortClassN  dstPortClass  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT   aveIAT    stdIAT    pktps      bytps     pktAsm  bytAsm  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipTOS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpTmS  tcpTmER  tcpEcI  tcpUtm    tcpBtm    tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStates  icmpStat  icmpTCcnt  icmpType_Code  icmpTmGtw   icmpEchoSuccRatio  icmpPFindex  ftpStat  ftpCDFindex  ftpCC  ftpRC  ftpUsrNum  ftpPwNum  ftpCNum  ftpUsr  ftpPw  ftpC
A     890      0x0000000200004000  1022171701.812410  1022171701.812410  0.000000   1           3        eth:ipv4:udp  00:d0:02:6d:78:00  00:80:48:d7:ed:7a  0x0800              201.116.161.83  mx       "Uninet S.A. de C.V."          1214     138.212.189.88  jp       "ASAHI KASEI CORPORATION"  1214     17       1         00:d0:02:6d:78:00_00:80:48:d7:ed:7a_1  Ditech_CompexUs    1214           kazaa         1           0            43           0             43        43        43          0           0       0        0         0         0          0         1       1       0x0000    65535       0           120       120       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x00      0                         0x00000000  0                  0            0x00                                0          0         0
A     1052     0x0000000200004000  1022171701.881348  1022171701.881348  0.000000   1           3        eth:ipv4:udp  00:d0:02:6d:78:00  00:48:54:7a:04:0f  0x0800              146.208.9.41    us       "Keysight Technologies"        1214     138.212.184.71  jp       "ASAHI KASEI CORPORATION"  1214     17       1         00:d0:02:6d:78:00_00:48:54:7a:04:0f_1  Ditech_DigitalS    1214           kazaa         1           0            47           0             47        47        47          0           0       0        0         0         0          0         1       1       0x0000    65535       0           114       114       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x00      0                         0x00000000  0                  0            0x00                                0          0         0
A     1180     0x0000000200004000  1022171701.960091  1022171701.960091  0.000000   1           3        eth:ipv4:udp  00:80:48:b3:22:c4  00:d0:02:6d:78:00  0x0800              138.212.189.66  jp       "ASAHI KASEI CORPORATION"      1214     138.213.40.91   --       "--"                       1214     17       1         00:80:48:b3:22:c4_00:d0:02:6d:78:00_1  CompexUs_Ditech    1214           kazaa         1           0            45           0             45        45        45          0           0       0        0         0         0          0         1       1       0x0000    65535       0           128       128       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x00      0                         0x00000000  0                  0            0x00                                0          0         0
A     1222     0x0000000200004000  1022171702.003111  1022171702.003111  0.000000   1           3        eth:ipv4:udp  00:d0:02:6d:78:00  00:48:54:7a:04:0f  0x0800              36.237.77.156   tw       "Data Communication Business"  1214     138.212.184.71  jp       "ASAHI KASEI CORPORATION"  1214     17       1         00:d0:02:6d:78:00_00:48:54:7a:04:0f_1  Ditech_DigitalS    1214           kazaa         1           0            35           0             35        35        35          0           0       0        0         0         0          0         1       1       0x0000    65535       0           115       115       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x00      0                         0x00000000  0                  0            0x00                                0          0         0
A     1555     0x0000000200004000  1022171702.246779  1022171702.246779  0.000000   1           3        eth:ipv4:udp  00:d0:02:6d:78:00  00:04:76:22:07:90  0x0800              201.19.77.72    br       "Telemar Norte Leste S.A."     1214     138.212.186.88  jp       "ASAHI KASEI CORPORATION"  1214     17       1         00:d0:02:6d:78:00_00:04:76:22:07:90_1  Ditech_3Com        1214           kazaa         1           0            46           0             46        46        46          0           0       0        0         0         0          0         1       1       0x0000    65535       0           111       111       0         0x00   0x1800   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0           0               0               0           0                      0               0             0            0            0            0               0              0                  0             0x00      0x0000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x00       0x00      0                         0x00000000  0                  0            0x00                                0          0         0
A     1166     0x0000000200004000  1022171701.947721  1022171726.546595  24.598874  1           3        eth:ipv4:tcp  00:80:48:b3:22:c4  00:d0:02:6d:78:00  0x0800              138.212.189.66  jp       "ASAHI KASEI CORPORATION"      1214     201.118.86.105  mx       "Uninet S.A. de C.V."      1053     6        1         00:80:48:b3:22:c4_00:d0:02:6d:78:00_3  CompexUs_Ditech    1053           remote-as     3           0            45           0             15        15        15          0           0       16.4667  8.199624  5.319073  0.1219568  1.829352  1       1       0x0040    1549        3090        128       128       0         0x00   0x1840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1440205039  3           0               0               0           0                      0               64159         64159        64159        64159        0               0              0                  0             0x98      0x8000      0             0          0x00000000  0       1      0       0        0       0.000000  0.000000  0              65535             0                 0                 0                    0             -1               0x03       0x00      0                         0x00000000  0                  0            0x00                                0          0         0
$

Unfortunately there is no content; otherwise you could see the payload of the packet when listing the ICMP packets going back to the sender. Look at the flowStat:

$ tawk -V flowStat=0x0000000a00004000

The flowStat column with value 0x0000000a00004000 is to be interpreted as follows:

   bit | flowStat              | Description
   =============================================================================
    14 | 0x0000 0000 0000 4000 | IPv4
    33 | 0x0000 0002 0000 0000 | Acquired packet length < packet length in L3 header

$

So we do not see any L7 content in the packet file. Look at the snaplength warning in the end report:

[WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500

Only 40 bytes from the L3 header onwards were captured, so there is no payload to show. Extract a packet number and look at the packet in Wireshark.
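The flowStat interpretation and the snaplength warning above are both things worth checking programmatically before trusting the l7Content column. The following script is an added example, not part of the Tranalyzer tutorial or tawk: it decodes a flowStat value using only the two bits the tutorial documents (bit 14 and bit 33), lists the flows of a txtSink-style file whose packets were truncated, and parses the snaplength warning; the tab-separated sample rows are constructed, not taken from annoloc2.

```python
"""Decode T2 flowStat bit fields and flag flows whose packets were truncated.

Added example, not part of the Tranalyzer tutorial. It only knows the two
flowStat bits the tutorial documents (bit 14: IPv4, bit 33: acquired packet
length < packet length in L3 header). The tab-separated sample below is
constructed to mimic a txtSink flow file and is not a real capture.
"""
import re

# Bit meanings taken from the tutorial; every other bit is reported as unknown.
FLOWSTAT_BITS = {
    14: "IPv4",
    33: "Acquired packet length < packet length in L3 header",
}


def decode_flowstat(value):
    """Return [(bit, description), ...] for every set bit, lowest bit first."""
    status = int(value, 16)
    return [(bit, FLOWSTAT_BITS.get(bit, "undocumented bit"))
            for bit in range(64) if status >> bit & 1]


def parse_t2_table(text):
    """Parse txtSink-style output: a '%'-prefixed tab-separated header, then rows."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].lstrip("%").split("\t")
    return [dict(zip(header, row.split("\t"))) for row in lines[1:]]


def truncated_flows(text):
    """flowInd values whose flowStat has bit 33 set: their L7 content is missing."""
    return [row["flowInd"] for row in parse_t2_table(text)
            if int(row["flowStat"], 16) >> 33 & 1]


def missing_bytes(warning):
    """Bytes lost per full-size packet according to the snaplength warning."""
    m = re.search(r"snapL3Length: (\d+) - IP length in header: (\d+)", warning)
    if not m:
        raise ValueError("not a snaplength warning")
    return int(m.group(2)) - int(m.group(1))


# Constructed sample: three columns of a flow file; flow 4242 has bit 33 clear.
SAMPLE_FLOWS = (
    "%dir\tflowInd\tflowStat\n"
    "A\t890\t0x0000000200004000\n"
    "A\t1166\t0x0000000200004000\n"
    "A\t4242\t0x0000000000004000\n"
)
SAMPLE_WARNING = "[WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500"

if __name__ == "__main__":
    for bit, desc in decode_flowstat("0x0000000200004000"):
        print(f"bit {bit:2d}: {desc}")
    print("truncated flows:", truncated_flows(SAMPLE_FLOWS))
    print("bytes missing per MTU-sized packet:", missing_bytes(SAMPLE_WARNING))
```

Run it against a real flow file by reading the file's text into `truncated_flows`; a non-empty result means the capture's snaplength, not T2, is why l7Content is empty.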

The packets which caused the ICMP messages can also be selected with the same one-liner:

$ tawk -t 'flow("890;1052;1166;1180;1222;1555")' annoloc2_packets.txt | tcol
%pktNo   flowInd  flowStat            time               pktIAT     flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP           srcIPCC  srcIPWho                     srcPort  dstIP           dstIPCC  dstIPWho                 dstPort  l4Proto  srcManuf  dstManuf  pktLen  l7Len  ipTOS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq         ack      seqDiff  ackDiff  seqPktLen  ackPktLen  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpTmS  tcpTmER  tcpOptLen  tcpOpts  icmpType  icmpCode  icmpPFindex  l7Content
5532     890      0x0000000200004000  1022171701.812410  0.000000   0.000000      3        eth:ipv4:udp             00:d0:02:6d:78:00  00:80:48:d7:ed:7a  0x0800   201.116.161.83  mx       Uninet S.A. de C.V.          1214     138.212.189.88  jp       ASAHI KASEI CORPORATION  1214     17       Ditech    CompexUs  85      43     0x00   46654  0         0x0000  120    0xd972       0xd972       0x3fd4       0x4cc6       0x1800   0                       0                     0
8844     1052     0x0000000200004000  1022171701.881348  0.000000   0.000000      3        eth:ipv4:udp             00:d0:02:6d:78:00  00:48:54:7a:04:0f  0x0800   146.208.9.41    us       Keysight Technologies        1214     138.212.184.71  jp       ASAHI KASEI CORPORATION  1214     17       Ditech    DigitalS  89      47     0x00   13149  0         0x0000  114    0x3630       0x3630       0xd5ee       0x20a2       0x1800   0                       0                     0
12057    1166     0x0000000200004000  1022171701.947721  0.000000   0.000000      3        eth:ipv4:tcp             00:80:48:b3:22:c4  00:d0:02:6d:78:00  0x0800   138.212.189.66  jp       ASAHI KASEI CORPORATION      1214     201.118.86.105  mx       Uninet S.A. de C.V.      1053     6        CompexUs  Ditech    69      15     0x00   36935  0         0x4000  128    0x0283       0x0283       0xa722       0x97df       0x1840   0                       0                     0                 1440205039  1722942  0        0        0          0          0x0041    0x98      0x0000      64159   0       0        0
12689    1180     0x0000000200004000  1022171701.960091  0.000000   0.000000      3        eth:ipv4:udp             00:80:48:b3:22:c4  00:d0:02:6d:78:00  0x0800   138.212.189.66  jp       ASAHI KASEI CORPORATION      1214     138.213.40.91   --       --                       1214     17       CompexUs  Ditech    87      45     0x00   36936  0         0x0000  128    0xaf14       0xaf14       0x7510       0x0472       0x1800   0                       0                     0
14665    1222     0x0000000200004000  1022171702.003111  0.000000   0.000000      3        eth:ipv4:udp             00:d0:02:6d:78:00  00:48:54:7a:04:0f  0x0800   36.237.77.156   tw       Data Communication Business  1214     138.212.184.71  jp       ASAHI KASEI CORPORATION  1214     17       Ditech    DigitalS  77      35     0x00   9616   0         0x0000  115    0x6c79       0x6c79       0xb91a       0x4a1e       0x1800   0                       0                     0
26630    1555     0x0000000200004000  1022171702.246779  0.000000   0.000000      3        eth:ipv4:udp             00:d0:02:6d:78:00  00:04:76:22:07:90  0x0800   201.19.77.72    br       Telemar Norte Leste S.A.     1214     138.212.186.88  jp       ASAHI KASEI CORPORATION  1214     17       Ditech    3Com      88      46     0x00   29131  0         0x0000  111    0x7e4f       0x7e4f       0x7f50       0xa42f       0x1800   0                       0                     0
407160   1166     0x0000000200004000  1022171710.079893  8.132172   8.132172      3        eth:ipv4:tcp             00:80:48:b3:22:c4  00:d0:02:6d:78:00  0x0800   138.212.189.66  jp       ASAHI KASEI CORPORATION      1214     201.118.86.105  mx       Uninet S.A. de C.V.      1053     6        CompexUs  Ditech    69      15     0x00   38484  1549      0x4000  128    0xfc75       0xfc75       0xa722       0x2fbf       0x1840   0                       0                     0                 1440205039  1722942  0        0        0          0          0x0040    0x98      0x8000      64159   0       0        0
1214274  1166     0x0000000200004000  1022171726.546595  16.466702  24.598873     3        eth:ipv4:tcp             00:80:48:b3:22:c4  00:d0:02:6d:78:00  0x0800   138.212.189.66  jp       ASAHI KASEI CORPORATION      1214     201.118.86.105  mx       Uninet S.A. de C.V.      1053     6        CompexUs  Ditech    69      15     0x00   41574  3090      0x4000  128    0xf063       0xf063       0xa722       0xc79e       0x1840   0                       0                     0                 1440205039  1722942  0        0        0          0          0x0040    0x98      0x8000      64159   0       0        0
$

That is just a very brief demo of what you can do with the T2 packet mode. A more extensive introduction to mining and drill-down methods can be found in the drill-down tutorial (coming soon).