Tutorial: Flexible Flow and Packet Length Statistics
Contents
Introduction
In traffic mining or interface operations packet length and packets/flow are still parameters with a high information gain. Thus, T2 provides the user with a user controlled packet length statistics and certain packets/flow indicators.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the following plugins:
t2build tranalyzer2 basicFlow basicStats tcpStates nFrstPkts pktSIATHisto descriptiveStats txtSink
...
BUILD SUCCESSFUL
If you did not create a separate data and results directory yet, please do it now in another bash window, that facilitates your workflow:
mkdir ~/data ~/results
The anonymized sample PCAP and the fragmentation PCAP used in this tutorial can be downloaded here:
Please save them in your ~/data folder.
Now you are all set for a T2 packet length statistic tutorial!
Basic packet statistics and packet/flow measure
The end report contains information about packet, bytes and protocol statistics, including measures which gives a practitioner an indication about the stress on a flow engine like T2 when operated on an interface.
t2 -r ~/data/annoloc2.pcap -w ~/results================================================================================ Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 61911 ================================================================================ [INF] Creating flows for L2, IPv4, IPv6 Active plugins: 01: basicFlow, 0.8.14 02: basicStats, 0.8.14 03: tcpStates, 0.8.14 04: nFrstPkts, 0.8.14 05: pktSIATHisto, 0.8.14 06: descriptiveStats, 0.8.14 07: txtSink, 0.8.14 [INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K) [INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K) Processing file: /home/wurst/data/annoloc2.pcap Link layer type: Ethernet [EN10MB/1] Dump start: 1022171701.691172 sec (Thu 23 May 2002 16:35:01 GMT) [WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500 Dump stop : 1022171726.640398 sec (Thu 23 May 2002 16:35:26 GMT) Total dump duration: 24.949226 sec Finished processing. Elapsed time: 1.313986 sec Finished unloading flow memory. Time: 1.925223 sec Percentage completed: 100.00% Number of processed packets: 1219015 (1.22 M) Number of processed bytes: 64082726 (64.08 M) Number of raw bytes: 844642686 (844.64 M) Number of pad bytes: 8591685635 (8.59 G) Number of pcap bytes: 83586990 (83.59 M) Number of IPv4 packets: 1218588 (1.22 M) [99.96%] Number of IPv6 packets: 180 [0.01%] Number of A packets: 564233 (564.23 K) [46.29%] Number of B packets: 654782 (654.78 K) [53.71%] Number of A bytes: 29448166 (29.45 M) [45.95%] Number of B bytes: 34634560 (34.63 M) [54.05%] Average A packet load: 52.19 Average B packet load: 52.89 -------------------------------------------------------------------------------- basicStats: Biggest L2 talker: 00:d0:02:6d:78:00: 57 [0.00%] packets basicStats: Biggest L2 talker: 00:d0:02:6d:78:00: 3420 (3.42 K) [0.01%] bytes basicStats: Biggest L3 talker: 138.212.189.38 (JP): 23601 (23.60 K) [1.94%] packets basicStats: Biggest L3 talker: 138.212.189.38 (JP): 35005508 (35.01 M) [54.63%] bytes tcpStates: Aggregated tcpStatesAFlags=0xdf -------------------------------------------------------------------------------- Headers count: min: 2, max: 5, average: 3.01 Number of GRE packets: 20 [0.00%] Number of IGMP packets: 12 [0.00%] Number of ICMP packets: 3059 (3.06 K) [0.25%] Number of ICMPv6 packets: 11 [0.00%] Number of TCP packets: 948743 (948.74 K) [77.83%] Number of TCP bytes: 52643546 (52.64 M) [82.15%] Number of UDP packets: 266900 (266.90 K) [21.89%] Number of UDP bytes: 11234272 (11.23 M) [17.53%] Number of IPv4 fragmented packets: 2284 (2.28 K) [0.19%] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of processed flows: 17603 (17.60 K) Number of processed A flows: 9995 (9.99 K) [56.78%] Number of processed B flows: 7608 (7.61 K) [43.22%] Number of request flows: 9948 (9.95 K) [56.51%] Number of reply flows: 7655 (7.66 K) [43.49%] Total A/B flow asymmetry: 0.14 Total req/rply flow asymmetry: 0.13 Number of processed packets/flows: 69.25 Number of processed A packets/flows: 56.45 Number of processed B packets/flows: 86.06 Number of processed total packets/s: 48859.83 (48.86 K) Number of processed A+B packets/s: 48859.83 (48.86 K) Number of processed A packets/s: 22615.25 (22.61 K) Number of processed B packets/s: 26244.58 (26.24 K) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of average processed flows/s: 705.55 Average full raw bandwidth: 270835712 b/s (270.84 Mb/s) Average snapped bandwidth : 20548206 b/s (20.55 Mb/s) Average full bandwidth : 270268480 b/s (270.27 Mb/s) Max number of flows in memory: 15220 (15.22 K) [5.81%] Memory usage: 0.26 GB [0.39%] Aggregated flowStat=0x0c0098fa0222d044 [WRN] L3 SnapLength < Length in IP header [WRN] L4 header snapped [WRN] Consecutive duplicate IP ID [WRN] IPv4/6 payload length > framing length [WRN] IPv4/6 fragmentation header packet missing [WRN] IPv4/6 packet fragmentation sequence not finished [INF] Stop dissecting: Clipped packet, unhandled protocol or subsequent fragment [INF] Layer 2 flows [INF] IPv4 flows [INF] IPv6 flows [INF] ARP [INF] IPv4/6 fragmentation [INF] IPv4/6 in IPv4/6 [INF] GRE encapsulation [INF] GTP tunnel [INF] SSDP/UPnP
Fist of all, keep in mind that the L7 is snapped and sometimes the L4 header as well.
Prominent measures are the packets/flows mean and the bandwidth estimation useful to assess the limits of an interface or to asses whether your newly bought wonder machine can do its highly advertised job. As the bandwidth is very low, we picked a bad example. But if it were in the range of 10 GBit then we should look at higher statistical moments which are computed by the script t2flowstat from the flow file, which was originally developed exactly to predict the capabilities of sniffing SW and different kernel configurations on certain traffic types.
Hence, to calculate both flow directions, using 200 samples with 1 packet/bin being interested only in the final summary the following command can be invoked:
t2flowstat ~/results/annoloc2_flows.txt -c numPktsSnt -s 1 -m 200 -n
----------------------------------
#Flows : 17603
Col Sum: 1219015
Max Col: 23601
Median : 1.886137
Mean : 69.250412
Std Dev: 55.267790
KP Skew: 1.218870For the A direction only
t2flowstat ~/results/annoloc2_flows.txt -c numPktsSnt -s 1 -m 200 -n -d A
----------------------------------
#Flows : 9948
Col Sum: 564233
Max Col: 12342
Median : 1.936793
Mean : 56.718235
Std Dev: 40.677681
KP Skew: 1.346720For the B direction only
t2flowstat ~/results/annoloc2_flows.txt -c numPktsSnt -s 1 -m 200 -n -d B
----------------------------------
#Flows : 7655
Col Sum: 654782
Max Col: 23601
Median : 1.801446
Mean : 85.536512
Std Dev: 38.589966
KP Skew: 2.169866The overall median is around 1.9 pkts/flow, hence 50% of the flows contain two packets or less. So the flow engine has to create a flow every second to third packet in average, which brings every tool down when run at 10 GBit++, if not optimized.
If I need to do a job at the interface, I first run t2flowstat in order to get an impression about the load on T2’s core. Really valuable also for other flow tools.
For more information about this topic, refer to the Performance on interface et al tutorial. The mean and NP skew indicated a highly asymmetric but rapid declining distribution with increasing packets/flow.
We might integrate this statistics into the end report in a future version so that the generation of a flow file is not necessary for the calculation of theses important parameters.
Controlling the packet length
All the statistics available from the loaded plugin in the flow file depend on the packet length which is computed in the core, using different L3/4 header information. Hence, if the L7 content is snapped it does not alter the statistics. However, the content plugins must use the snapped length information, as the parsing of the information might be truncated.
The layer of the packet length to be considered can be configured by the PACKETLENGTH variable residing in the core definition file packetCapture.h as shown below:
tranalyzer2
vi src/packetCapture.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
// Interpretation of packet length
// Following plugins are influenced by PACKETLENGTH:
// nFrstPkts, pktSIATHisto, basicStats, descriptiveStats
#define PACKETLENGTH 3 // 0: including L2, L3 and L4 header,
// 1: including L3 and L4 header,
// 2: including L4 header,
// 3: only higher layer payload (Layer 7)
// If PACKETLENGTH == 1:
#define FRGIPPKTLENVIEW 1 // 0: IP header stays with 2nd++ fragmented packets,
// 1: IP header stripped from 2nd++ fragmented packets
...The constant FRGIPPKTLENVIEW defines for fragmented packets whether the length of the IP header for all following packets should be added or not. In Traffic Mining, you like only to look at the content length, so all fragments following the first packet should be stripped of the IP header. For a troubleshooter or admin different story.
Let’s look at the default output of all loaded plugins first using the smaller frag.pcap as we will need it in the next chapter anyway.
t2 -r ~/data/frag.pcap -w ~/results -s================================================================================ Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 27066 ================================================================================ [INF] Creating flows for L2, IPv4, IPv6 Active plugins: 01: basicFlow, 0.8.14 02: basicStats, 0.8.14 03: tcpStates, 0.8.14 04: nFrstPkts, 0.8.14 05: pktSIATHisto, 0.8.14 06: descriptiveStats, 0.8.14 07: txtSink, 0.8.14 [INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K) [INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K) Processing file: /home/wurst/data/frag.pcap Link layer type: Ethernet [EN10MB/1] Dump start: 1294260264.274530 sec (Wed 05 Jan 2011 20:44:24 GMT) Dump stop : 1294260291.961272 sec (Wed 05 Jan 2011 20:44:51 GMT) Total dump duration: 27.686742 sec Finished processing. Elapsed time: 0.000424 sec Finished unloading flow memory. Time: 0.000831 sec Percentage completed: 100.00% Number of processed packets: 82 Number of processed bytes: 14857 (14.86 K) Number of raw bytes: 14857 (14.86 K) Number of pad bytes: 124 Number of pcap bytes: 16193 (16.19 K) Number of IPv4 packets: 38 [46.34%] Number of A packets: 80 [97.56%] Number of B packets: 2 [2.44%] Number of A bytes: 14737 (14.74 K) [99.19%] Number of B bytes: 120 [0.81%] Average A packet load: 184.21 Average B packet load: 60.00 -------------------------------------------------------------------------------- basicStats: Biggest L2 talker: 00:0d:65:4f:38:94: 14 [17.07%] packets basicStats: Biggest L2 talker: 00:1e:13:0c:02:07: 780 [5.25%] bytes basicStats: Biggest L3 talker: 192.168.203.131: 26 [31.71%] packets basicStats: Biggest L3 talker: 192.168.203.131: 10904 (10.90 K) [73.39%] bytes tcpStates: Aggregated tcpStatesAFlags=0xc3 -------------------------------------------------------------------------------- Headers count: min: 2, max: 4, average: 2.67 Number of LLC packets: 16 [19.51%] Number of ICMP packets: 3 [3.66%] Number of TCP packets: 27 [32.93%] Number of TCP bytes: 10964 (10.96 K) [73.80%] Number of UDP packets: 5 [6.10%] Number of UDP bytes: 763 [5.14%] Number of IPv4 fragmented packets: 26 [68.42%] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of processed flows: 20 Number of processed A flows: 18 [90.00%] Number of processed B flows: 2 [10.00%] Number of request flows: 18 [90.00%] Number of reply flows: 2 [10.00%] Total A/B flow asymmetry: 0.80 Total req/rply flow asymmetry: 0.80 Number of processed packets/flows: 4.10 Number of processed A packets/flows: 4.44 Number of processed B packets/flows: 1.00 Number of processed total packets/s: 2.96 Number of processed A+B packets/s: 2.96 Number of processed A packets/s: 2.89 Number of processed B packets/s: 0.07 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of average processed flows/s: 0.72 Average full raw bandwidth: 4293 b/s (4.29 Kb/s) Average full bandwidth : 3515 b/s (3.52 Kb/s) Max number of flows in memory: 18 [0.01%] Memory usage: 0.19 GB [0.28%] Aggregated flowStat=0x0400081000004044 [INF] Stop dissecting: Clipped packet, unhandled protocol or subsequent fragment [INF] Layer 2 flows [INF] IPv4 flows [INF] ARP [INF] IPv4/6 fragmentation
Interesting! The Stop dissecting info is also present. So let’s extract flows with fragmentation:
tawk 'bitsanyset($flowStat, 0x0000001000000000)' ~/results/frag_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpStatesAFlags nFpCnt L2L3L4Pl_Iat tCnt Ps_Iat_Cnt_PsCnt_IatCnt dsMinPl dsMaxPl dsMeanPl dsLowQuartilePl dsMedianPl dsUppQuartilePl dsIqdPl dsModePl dsRangePl dsStdPl dsRobStdPl dsSkewPl dsExcPl dsMinIat dsMaxIat dsMeanIat dsLowQuartileIat dsMedianIat dsUppQuartileIat dsIqdIat dsModeIat dsRangeIat dsStdIat dsRobStdIat dsSkewIat dsExcIat
A 4 0x0400081000004000 1294260266.528280 1294260266.528923 0.000643 1 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 "Private network" 1509 192.168.203.134 07 "Private network" 0 6 26 1 10000 0 20 400 384.6154 71.57208 0 0.00015 2.473077e-05 2.590013e-05 40435.46 1.55521e+07 0.9259259 1 0x83 20 380_0.000000;400_0.000038;400_0.000017;400_0.000013;400_0.000015;400_0.000020;400_0.000021;400_0.000020;400_0.000019;400_0.000019;400_0.000018;400_0.000017;400_0.000015;400_0.000014;400_0.000018;400_0.000017;400_0.000014;400_0.000013;400_0.000013;400_0.000012 3 20_0_1_1_26;380_0_1_1_26;400_0_24_24_26 20 400 384.6154 400 400 400 0 400 380 73.02427 0 -4.77911 20.90731 0.5 0.5 0.5 0.5 0.5 0.5 0 0.5 0 0 0 0 0Only one. In the default configuration, the layer 7 length is used in all statistic plugins and the L3/L4 header is stripped off the length for the second and all following packets. The column numBytesSnt states 10000 bytes, being the total payload being transmitted by all fragments. If you look at the output of nFrstPkts: L2L3L4Pl_Iat and pktSIATHisto: Ps_Iat_Cnt_PsCnt_IatCnt, you notice that the first packet length is 380 and all subsequent packets are 400. So the L4 header is only present in the first packet.
Let’s look at the packets. You see the first packet and all subsequent fragmented packets have the Stop dissecting info set. Why? Because the dissector tries to understand the packet and does not know about fragmentation. A mishap, which will be corrected in future. So don’t worry. Note, that you see the pktLen and the l7Len, so you can compare it for every packet. This will not change with PACKETLENGTH config.
tawk 'bitsanyset($flowStat, 0x0000001000000000)' ~/results/frag_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktLen l7Len tcpStatesAFlags l7Content
4 4 0x0400009000004000 1294260266.528280 0.000000 0.000000 0.000000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 1509 192.168.203.134 07 Private network 0 6 434 380 0x81 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5 4 0x0400089000004000 1294260266.528318 0.000038 0.000000 0.000038 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6 4 0x0400089000004000 1294260266.528335 0.000017 0.000000 0.000055 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7 4 0x0400089000004000 1294260266.528348 0.000013 0.000000 0.000068 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8 4 0x0400089000004000 1294260266.528363 0.000015 0.000000 0.000083 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9 4 0x0400089000004000 1294260266.528383 0.000020 0.000000 0.000103 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
10 4 0x0400089000004000 1294260266.528404 0.000021 0.000000 0.000124 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
11 4 0x0400089000004000 1294260266.528424 0.000020 0.000000 0.000144 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
12 4 0x0400089000004000 1294260266.528443 0.000019 0.000000 0.000163 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
13 4 0x0400089000004000 1294260266.528462 0.000019 0.000000 0.000182 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
14 4 0x0400089000004000 1294260266.528480 0.000018 0.000000 0.000200 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
15 4 0x0400089000004000 1294260266.528497 0.000017 0.000000 0.000217 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
16 4 0x0400089000004000 1294260266.528512 0.000015 0.000000 0.000232 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
17 4 0x0400089000004000 1294260266.528526 0.000014 0.000000 0.000246 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
18 4 0x0400089000004000 1294260266.528544 0.000018 0.000000 0.000264 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
19 4 0x0400089000004000 1294260266.528561 0.000017 0.000000 0.000281 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
20 4 0x0400089000004000 1294260266.528575 0.000014 0.000000 0.000295 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
21 4 0x0400089000004000 1294260266.528588 0.000013 0.000000 0.000308 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
22 4 0x0400089000004000 1294260266.528601 0.000013 0.000000 0.000321 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
23 4 0x0400089000004000 1294260266.528613 0.000012 0.000000 0.000333 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
24 4 0x0400089000004000 1294260266.528626 0.000013 0.000000 0.000346 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
25 4 0x0400089000004000 1294260266.528776 0.000150 0.000000 0.000496 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
26 4 0x0400089000004000 1294260266.528818 0.000042 0.000000 0.000538 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
27 4 0x0400089000004000 1294260266.528854 0.000036 0.000000 0.000574 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
28 4 0x0400089000004000 1294260266.528889 0.000035 0.000000 0.000609 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
29 4 0x0400081000004000 1294260266.528923 0.000034 0.000000 0.000643 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 54 20 XXXXXXXXXXXXXXXXXXXXIf you want to see more info about more fragmentation info in the packet mode, load tcpFlags and rerun T2. Homework!
In any case, as a network person we might be interested in the full length of the packets, so set PACKETLENGTH=0, so that the full packet length including layer 2 is added to the length statistics.
t2conf tranalyzer2 -D PACKETLENGTH=0 && t2build -R
t2 -r ~/data/frag.pcap -w ~/results
As the end report and packet/flow statistics does not change, therefore it is not printed. Now look into the flow file again.
tawk 'bitsanyset($flowStat, 0x0000001000000000)' ~/results/frag_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpStatesAFlags nFpCnt L2L3L4Pl_Iat tCnt Ps_Iat_Cnt_PsCnt_IatCnt dsMinPl dsMaxPl dsMeanPl dsLowQuartilePl dsMedianPl dsUppQuartilePl dsIqdPl dsModePl dsRangePl dsStdPl dsRobStdPl dsSkewPl dsExcPl dsMinIat dsMaxIat dsMeanIat dsLowQuartileIat dsMedianIat dsUppQuartileIat dsIqdIat dsModeIat dsRangeIat dsStdIat dsRobStdIat dsSkewIat dsExcIat
A 4 0x0400081000004000 1294260266.528280 1294260266.528923 0.000643 1 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 "Private network" 1509 192.168.203.134 07 "Private network" 0 6 26 1 10404 54 34 434 400.1538 71.87354 0 0.00015 2.473077e-05 2.590013e-05 40435.46 1.61804e+07 0.9259259 0.989673 0x83 20 434_0.000000;414_0.000038;414_0.000017;414_0.000013;414_0.000015;414_0.000020;414_0.000021;414_0.000020;414_0.000019;414_0.000019;414_0.000018;414_0.000017;414_0.000015;414_0.000014;414_0.000018;414_0.000017;414_0.000014;414_0.000013;414_0.000013;414_0.000012 3 34_0_1_1_26;414_0_24_24_26;434_0_1_1_26 34 434 400.1538 414 414 414 0 414 400 73.33154 0 -4.777904 20.90952 0.5 0.5 0.5 0.5 0.5 0.5 0 0.5 0 0 0 0 0Now L2/3/4 header lengths are added and 10404 bytes are present. You can easily spot the change in the numPktsSnt, numPktsRcvd, L2L3L4Pl_Iat and Ps_Iat_Cnt_PsCnt_IatCnt columns. Note the difference between the first and the subsequent packets.
Try PACKETLENGTH=2 yourself.
Fragmentation header option
If fragmentation is present the packet length can be seen as one big packet, so the 2nd fragmented packet does not include the IP header. Or you want to see the true packet statistics on the wire and all packets count the length of each subsequent header.
In order to see the effect of FRGIPPKTLENVIEW, we add L3 and L4 headers to the length. Recompile all loaded plugins, as the packet length statistics plugins also depend on PACKETLENGTH.
t2conf tranalyzer2 -G PACKETLENGTH -G FRGIPPKTLENVIEW
PACKETLENGTH = 0
FRGIPPKTLENVIEW = 1t2conf tranalyzer2 -D PACKETLENGTH=1 && t2build -R
t2 -r ~/data/frag.pcap -w ~/results
Now extract again the fragmentation flows again.
tawk 'bitsanyset($flowStat, 0x0000001000000000)' ~/results/frag_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpStatesAFlags nFpCnt L2L3L4Pl_Iat tCnt Ps_Iat_Cnt_PsCnt_IatCnt dsMinPl dsMaxPl dsMeanPl dsLowQuartilePl dsMedianPl dsUppQuartilePl dsIqdPl dsModePl dsRangePl dsStdPl dsRobStdPl dsSkewPl dsExcPl dsMinIat dsMaxIat dsMeanIat dsLowQuartileIat dsMedianIat dsUppQuartileIat dsIqdIat dsModeIat dsRangeIat dsStdIat dsRobStdIat dsSkewIat dsExcIat
A 4 0x0400081000004000 1294260266.528280 1294260266.528923 0.000643 1 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 "Private network" 1509 192.168.203.134 07 "Private network" 0 6 26 1 10040 40 20 420 386.1538 71.87354 0 0.00015 2.473077e-05 2.590013e-05 40435.46 1.561431e+07 0.9259259 0.9920635 0x83 20 420_0.000000;400_0.000038;400_0.000017;400_0.000013;400_0.000015;400_0.000020;400_0.000021;400_0.000020;400_0.000019;400_0.000019;400_0.000018;400_0.000017;400_0.000015;400_0.000014;400_0.000018;400_0.000017;400_0.000014;400_0.000013;400_0.000013;400_0.000012 3 20_0_1_1_26;400_0_24_24_26;420_0_1_1_26 20 420 386.1538 400 400 400 0 400 400 73.33154 0 -4.777904 20.90952 0.5 0.5 0.5 0.5 0.5 0.5 0 0.5 0 0 0 0 0And you see the bytes being sent: 10040 and the first packet length 420 and all subsequent 400 until the last with 20, as we could see in the packet file.
When we switch off the IP header length suppression in subsidiary fragments what do we expect? Think, don’t look down!
So set FRGIPPKTLENVIEW=0, recompile and run t2 on the pcap.
t2conf tranalyzer2 -D FRGIPPKTLENVIEW=0 && t2build -R
t2 -r ~/data/annoloc2.pcap -w ~/results
As expected now the L4 header is added to all subsequent fragments, so the total bytes being seen: numBytesSnt=10540. Makes sense? Think!
tawk 'bitsanyset($flowStat, 0x0000001000000000)' ~/results/annoloc2_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpStatesAFlags nFpCnt L2L3L4Pl_Iat tCnt Ps_Iat_Cnt_PsCnt_IatCnt dsMinPl dsMaxPl dsMeanPl dsLowQuartilePl dsMedianPl dsUppQuartilePl dsIqdPl dsModePl dsRangePl dsStdPl dsRobStdPl dsSkewPl dsExcPl dsMinIat dsMaxIat dsMeanIat dsLowQuartileIat dsMedianIat dsUppQuartileIat dsIqdIat dsModeIat dsRangeIat dsStdIat dsRobStdIat dsSkewIat dsExcIat
A 4 0x0400081000004000 1294260266.528280 1294260266.528923 0.000643 1 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 "Private network" 1509 192.168.203.134 07 "Private network" 0 6 26 1 10540 40 40 420 405.3846 71.65782 0 0.00015 2.473077e-05 2.590013e-05 40435.46 1.639191e+07 0.9259259 0.9924386 0x83 20 420_0.000000;420_0.000038;420_0.000017;420_0.000013;420_0.000015;420_0.000020;420_0.000021;420_0.000020;420_0.000019;420_0.000019;420_0.000018;420_0.000017;420_0.000015;420_0.000014;420_0.000018;420_0.000017;420_0.000014;420_0.000013;420_0.000013;420_0.000012 2 40_0_1_1_26;420_0_25_25_26 40 420 405.3846 420 420 420 0 420 380 73.07693 0 -4.799999 21.04 0.5 0.5 0.5 0.5 0.5 0.5 0 0.5 0 0 0 0 0Conclusion
You probably wonder why did I do all these stunts with pktlen/iat numbers, right? You will need them for Traffic Mining in encrypted payloads! Interested? Have a look at (Encrypted) Traffic Mining tutorial.
But don’t forget to reset constants and recompile for the next tutorials:
t2conf tranalyzer2 --reset && t2build -R
Have fun!