Flexible flow and packet length statistics
Introduction
In traffic mining or interface operations, packet length and packets/flow are still parameters with a high information gain. Thus, T2 provides user-controlled packet length statistics and certain packets/flow indicators.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the following plugins:
t2build tranalyzer2 basicFlow basicStats tcpStates nFrstPkts pktSIATHisto descriptiveStats txtSink
...
BUILD SUCCESSFUL
If you have not yet created separate data and results directories, do it now in another bash window; it facilitates your workflow:
mkdir ~/data ~/results
The anonymized sample PCAP and the fragmentation PCAP used in this tutorial can be downloaded here:
Please save them in your ~/data folder.
Now you are all set for a T2 packet length statistic tutorial!
Basic packet statistics and packet/flow measure
The end report contains information about packet, byte and protocol statistics, including measures which give a practitioner an indication of the stress on a flow engine like T2 when operated on an interface.
t2 -r ~/data/annoloc2.pcap -w ~/results
First of all, keep in mind that L7 is snapped and sometimes the L4 header as well.
Prominent measures are the packets/flow mean and the bandwidth estimation, useful to assess the limits of an interface or to assess whether your newly bought wonder machine can do its highly advertised job. As the bandwidth is very low, we picked a bad example. But if it were in the range of 10 GBit, then we should look at the higher statistical moments, which are computed by the script t2flowstat from the flow file. t2flowstat was originally developed exactly to predict the capabilities of sniffing software and different kernel configurations on certain traffic types.
Hence, to calculate both flow directions using 200 samples with 1 packet/bin, being interested only in the final summary, invoke the following command:
t2flowstat ~/results/annoloc2_flows.txt -c pktsSnt -s 1 -m 200 -n
----------------------------------
#Flows : 17601
Col Sum: 1219015
Max Col: 23601
Median : 1.886458
Mean : 69.258281
Std Dev: 55.265929
KP Skew: 1.219048
For the A direction only:
t2flowstat ~/results/annoloc2_flows.txt -c pktsSnt -s 1 -m 200 -n -d A
#Flows : 9947
Col Sum: 564233
Max Col: 12342
Median : 1.937084
Mean : 56.723937
Std Dev: 40.676018
KP Skew: 1.346908
For the B direction only:
t2flowstat ~/results/annoloc2_flows.txt -c pktsSnt -s 1 -m 200 -n -d B
#Flows : 7654
Col Sum: 654782
Max Col: 23601
Median : 1.801782
Mean : 85.547687
Std Dev: 38.590034
KP Skew: 2.170143
The overall median is around 1.9 pkts/flow, hence 50% of the flows contain two packets or less. So the flow engine has to create a flow every second to third packet on average, which brings every tool down when run at 10 GBit++, if not optimized.
If I need to do a job at the interface, I first run t2flowstat in order to get an impression of the load on T2's core. Really valuable for other flow tools as well, but we like that you use the anteater.
For more information about this topic, refer to the Performance on interface et al tutorial. The mean and KP skew indicate a highly asymmetric but rapidly declining distribution with increasing packets/flow.
We might integrate these statistics into the end report in a future version, so that generating a flow file is not necessary for the calculation of these important parameters.
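The load estimate above comes from the pktsSnt column of the flow file. As an added example, not part of Tranalyzer or the t2flowstat script, the following Python reads a T2 flow file, selects a column by header name (as tawk does), and reports per-direction packets/flow summaries plus the share of flows with two packets or less. The flow file is constructed, and the skew is assumed to be Karl Pearson's second coefficient, 3*(mean - median)/stddev; t2flowstat's binned values will differ.

```python
# Added example (not Tranalyzer or t2flowstat code): per-direction packets/flow
# summary from a T2 flow file. Skew is assumed to be Karl Pearson's second
# coefficient; the flow file below is constructed for this example.
import statistics

# Constructed excerpt of a tab-separated T2 flow file (header line starts with '%').
FLOW_FILE = """\
%dir\tflowInd\tpktsSnt\tpktsRcvd
A\t1\t1\t1
B\t1\t1\t1
A\t2\t2\t2
B\t2\t2\t2
A\t3\t2\t0
A\t4\t5\t40
B\t4\t40\t5
A\t5\t10\t1
B\t5\t1\t10
A\t6\t100\t2
"""


def parse_flow_file(text):
    """Return one dict per flow row, keyed by the column names of the header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:] if not ln.startswith("%")]


def column(rows, name, direction=None):
    """Numeric values of one column, optionally for flow direction 'A' or 'B' only."""
    return [float(r[name]) for r in rows if direction is None or r["dir"] == direction]


def summarize(values):
    """Summary in the spirit of t2flowstat's final report (plain, unbinned values)."""
    mean = statistics.fmean(values)
    median = statistics.median(values)
    std = statistics.pstdev(values)
    return {
        "flows": len(values),
        "col_sum": sum(values),
        "max_col": max(values),
        "median": median,
        "mean": mean,
        "std": std,
        "kp_skew": 3 * (mean - median) / std if std else 0.0,  # assumed definition
    }


def small_flow_fraction(values, max_pkts=2):
    """Share of flows with at most max_pkts packets: the flow-creation load indicator."""
    return sum(1 for v in values if v <= max_pkts) / len(values)


def report(text, direction=None, col="pktsSnt"):
    """Summary of one column of a flow file for one direction (None = both)."""
    return summarize(column(parse_flow_file(text), col, direction))


if __name__ == "__main__":
    rows = parse_flow_file(FLOW_FILE)
    for d in (None, "A", "B"):
        vals = column(rows, "pktsSnt", d)
        print(d or "both", summarize(vals), f"<=2 pkts: {small_flow_fraction(vals):.0%}")
```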
Controlling the packet length
All the statistics available from the loaded plugins in the flow file depend on the packet length, which is computed in the core using different L3/4 header information. Hence, if the L7 content is snapped, it does not alter the statistics. However, the content plugins must use the snapped length information, as the parsing of the information might be truncated.
The layer of the packet length to be considered can be configured by the PACKETLENGTH variable residing in the core definition file packetCapture.h, as shown below:
tranalyzer2
vi src/packetCapture.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
// Interpretation of packet length
// Following plugins are influenced by PACKETLENGTH:
// nFrstPkts, pktSIATHisto, basicStats, descriptiveStats
#define PACKETLENGTH 3 // 0: including L2, L3 and L4 header,
// 1: including L3 and L4 header,
// 2: including L4 header,
// 3: only higher layer payload (Layer 7)
// If PACKETLENGTH == 1:
#define FRGIPPKTLENVIEW 1 // 0: IP header stays with 2nd++ fragmented packets,
// 1: IP header stripped from 2nd++ fragmented packets
...
The constant FRGIPPKTLENVIEW defines, for fragmented packets, whether the length of the IP header of all following fragments should be added or not. In Traffic Mining, you only want to look at the content length, so all fragments following the first packet should be stripped of the IP header. For a troubleshooter or admin, it is a different story.
Let's look at the default output of all loaded plugins first, using the smaller frag.pcap, as we will need it in the next chapter anyway.
t2 -r ~/data/frag.pcap -w ~/results -s
Interesting! The Stop dissecting info is also present. So let’s extract flows with fragmentation:
tawk 'bitsanyset($flowStat, 0x0000001000000000)' ~/results/frag_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktsSnt pktsRcvd padBytesSnt l7BytesSnt l7BytesRcvd minL7PktSz maxL7PktSz avgL7PktSz stdL7PktSz minIAT maxIAT avgIAT stdIAT pktps bytps pktAsm bytAsm tcpStatesAFlags nFpCnt L2L3L4Pl_Iat tCnt Ps_Iat_Cnt_PsCnt_IatCnt dsMinPl dsMaxPl dsMeanPl dsLowQuartilePl dsMedianPl dsUppQuartilePl dsIqdPl dsModePl dsRangePl dsStdPl dsRobStdPl dsSkewPl dsExcPl dsMinIat dsMaxIat dsMeanIat dsLowQuartileIat dsMedianIat dsUppQuartileIat dsIqdIat dsModeIat dsRangeIat dsStdIat dsRobStdIat dsSkewIat dsExcIat
A 4 0x0400081000004000 1294260266.528280000 1294260266.528923000 0.000643000 1 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 "!Private network" 1509 192.168.203.134 07 "!Private network" 0 6 26 1 0 10000 0 20 400 384.6154 74.53298 0 0.00015 2.473077e-05 2.787862e-05 40435.46 1.55521e+07 0.9259259 1 0x83 20 380_0.000000000;400_0.000038000;400_0.000017000;400_0.000013000;400_0.000015000;400_0.000020000;400_0.000021000;400_0.000020000;400_0.000019000;400_0.000019000;400_0.000018000;400_0.000017000;400_0.000015000;400_0.000014000;400_0.000018000;400_0.000017000;400_0.000014000;400_0.000013000;400_0.000013000;400_0.000012000 3 20_0_1_1_26;380_0_1_1_26;400_0_24_24_26 20 400 384.6154 400 400 400 0 400 380 73.02427 0 -4.77911 20.90731 0.5 0 0.5 0.5 0.5 0.5 0 0.5 -0.5 0 0 0 0
Only one. In the default configuration, the layer 7 length is used in all statistics plugins and the L3/L4 header is stripped off the length for the second and all following packets. The column numBytesSnt states 10000 bytes, being the total payload transmitted by all fragments. If you look at the output of nFrstPkts: L2L3L4Pl_Iat and pktSIATHisto: Ps_Iat_Cnt_PsCnt_IatCnt, you notice that the first packet length is 380 and all subsequent packets are 400. So the L4 header is only present in the first packet.
Let's look at the packets. You see the first packet and all subsequent fragmented packets have the Stop dissecting info set. Why?
Because the dissector tries to understand the packet and does not know about fragmentation. A mishap, which will be corrected in the future.
So don't worry. Note that you see the pktLen and the l7Len, so you can compare them for every packet. This will not change with the PACKETLENGTH config.
tawk 'bitsanyset($flowStat, 0x0000001000000000)' ~/results/frag_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPo>
4 4 0x0400009000004000 1294260266.528280000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 1509 192.168.203.134 07 !Private network 0 >
5 4 0x0400089000004000 1294260266.528318000 0.000038000 0.000000000 0.000038000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
6 4 0x0400089000004000 1294260266.528335000 0.000017000 0.000000000 0.000055000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
7 4 0x0400089000004000 1294260266.528348000 0.000013000 0.000000000 0.000068000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
8 4 0x0400089000004000 1294260266.528363000 0.000015000 0.000000000 0.000083000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
9 4 0x0400089000004000 1294260266.528383000 0.000020000 0.000000000 0.000103000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
10 4 0x0400089000004000 1294260266.528404000 0.000021000 0.000000000 0.000124000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
11 4 0x0400089000004000 1294260266.528424000 0.000020000 0.000000000 0.000144000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
12 4 0x0400089000004000 1294260266.528443000 0.000019000 0.000000000 0.000163000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
13 4 0x0400089000004000 1294260266.528462000 0.000019000 0.000000000 0.000182000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
14 4 0x0400089000004000 1294260266.528480000 0.000018000 0.000000000 0.000200000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
15 4 0x0400089000004000 1294260266.528497000 0.000017000 0.000000000 0.000217000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
16 4 0x0400089000004000 1294260266.528512000 0.000015000 0.000000000 0.000232000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
17 4 0x0400089000004000 1294260266.528526000 0.000014000 0.000000000 0.000246000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
18 4 0x0400089000004000 1294260266.528544000 0.000018000 0.000000000 0.000264000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
19 4 0x0400089000004000 1294260266.528561000 0.000017000 0.000000000 0.000281000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
20 4 0x0400089000004000 1294260266.528575000 0.000014000 0.000000000 0.000295000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
21 4 0x0400089000004000 1294260266.528588000 0.000013000 0.000000000 0.000308000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
22 4 0x0400089000004000 1294260266.528601000 0.000013000 0.000000000 0.000321000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
23 4 0x0400089000004000 1294260266.528613000 0.000012000 0.000000000 0.000333000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
24 4 0x0400089000004000 1294260266.528626000 0.000013000 0.000000000 0.000346000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
25 4 0x0400089000004000 1294260266.528776000 0.000150000 0.000000000 0.000496000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
26 4 0x0400089000004000 1294260266.528818000 0.000042000 0.000000000 0.000538000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
27 4 0x0400089000004000 1294260266.528854000 0.000036000 0.000000000 0.000574000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
28 4 0x0400089000004000 1294260266.528889000 0.000035000 0.000000000 0.000609000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
29 4 0x0400081000004000 1294260266.528923000 0.000034000 0.000000000 0.000643000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 !Private network 0 192.168.203.134 07 !Private network 0 >
If you want to see more fragmentation info in packet mode, load tcpFlags and rerun T2. Homework!
In any case, as network people we might be interested in the full length of the packets, so set PACKETLENGTH=0, so that the full packet length including layer 2 is added to the length statistics.
t2conf tranalyzer2 -D PACKETLENGTH=0 && t2build -R
t2 -r ~/data/frag.pcap -w ~/results
As the end report and the packet/flow statistics do not change, they are not printed. Now look into the flow file again.
tawk 'bitsanyset($flowStat, 0x0000001000000000)' ~/results/frag_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktsSnt pktsRcvd padBytesSnt l2BytesSnt l2BytesRcvd minL2PktSz maxL2PktSz avgL2PktSz stdL2PktSz minIAT maxIAT avgIAT stdIAT pktps bytps pktAsm bytAsm tcpStatesAFlags nFpCnt L2L3L4Pl_Iat tCnt Ps_Iat_Cnt_PsCnt_IatCnt dsMinPl dsMaxPl dsMeanPl dsLowQuartilePl dsMedianPl dsUppQuartilePl dsIqdPl dsModePl dsRangePl dsStdPl dsRobStdPl dsSkewPl dsExcPl dsMinIat dsMaxIat dsMeanIat dsLowQuartileIat dsMedianIat dsUppQuartileIat dsIqdIat dsModeIat dsRangeIat dsStdIat dsRobStdIat dsSkewIat dsExcIat
A 4 0x0400081000004000 1294260266.528280000 1294260266.528923000 0.000643000 1 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 "!Private network" 1509 192.168.203.134 07 "!Private network" 0 6 26 1 0 10404 54 34 434 400.1538 74.84607 0 0.00015 2.473077e-05 2.787862e-05 40435.46 1.61804e+07 0.9259259 0.989673 0x83 20 434_0.000000000;414_0.000038000;414_0.000017000;414_0.000013000;414_0.000015000;414_0.000020000;414_0.000021000;414_0.000020000;414_0.000019000;414_0.000019000;414_0.000018000;414_0.000017000;414_0.000015000;414_0.000014000;414_0.000018000;414_0.000017000;414_0.000014000;414_0.000013000;414_0.000013000;414_0.000012000 3 34_0_1_1_26;414_0_24_24_26;434_0_1_1_26 34 434 400.1538 414 414 414 0 414 400 73.33154 0 -4.777904 20.90952 0.5 0 0.5 0.5 0.5 0.5 0 0.5 -0.5 0 0 0 0
Now the L2/3/4 header lengths are added and 10404 bytes are present.
You can easily spot the change in the header of basicStats: instead of l7 the columns are now denoted l2BytesSnt, l2BytesRcvd.
Note the difference between the first and the subsequent packets in the L2L3L4Pl_Iat column.
Try PACKETLENGTH=2 yourself.
Fragmentation header option
If fragmentation is present, the packet length can be seen as that of one big packet, so the 2nd fragmented packet does not include the IP header. Or you want to see the true packet statistics on the wire, and all packets count the length of each subsequent header.
In order to see the effect of FRGIPPKTLENVIEW, we add the L3 and L4 headers to the length.
Recompile all loaded plugins, as the packet length statistics plugins also depend on PACKETLENGTH.
t2conf tranalyzer2 -G PACKETLENGTH -G FRGIPPKTLENVIEW
PACKETLENGTH = 0
FRGIPPKTLENVIEW = 1
t2conf tranalyzer2 -D PACKETLENGTH=1 && t2build -R
t2 -r ~/data/frag.pcap -w ~/results
Now extract the fragmentation flows again.
tawk 'bitsanyset($flowStat, 0x0000001000000000)' ~/results/frag_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktsSnt pktsRcvd padBytesSnt l3BytesSnt l3BytesRcvd minL3PktSz maxL3PktSz avgL3PktSz stdL3PktSz minIAT maxIAT avgIAT stdIAT pktps bytps pktAsm bytAsm tcpStatesAFlags nFpCnt L2L3L4Pl_Iat tCnt Ps_Iat_Cnt_PsCnt_IatCnt dsMinPl dsMaxPl dsMeanPl dsLowQuartilePl dsMedianPl dsUppQuartilePl dsIqdPl dsModePl dsRangePl dsStdPl dsRobStdPl dsSkewPl dsExcPl dsMinIat dsMaxIat dsMeanIat dsLowQuartileIat dsMedianIat dsUppQuartileIat dsIqdIat dsModeIat dsRangeIat dsStdIat dsRobStdIat dsSkewIat dsExcIat
A 4 0x0400081000004000 1294260266.528280000 1294260266.528923000 0.000643000 1 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 "!Private network" 1509 192.168.203.134 07 "!Private network" 0 6 26 1 0 10040 40 20 420 386.1538 74.84607 0 0.00015 2.473077e-05 2.787862e-05 40435.46 1.561431e+07 0.9259259 0.9920635 0x83 20 420_0.000000000;400_0.000038000;400_0.000017000;400_0.000013000;400_0.000015000;400_0.000020000;400_0.000021000;400_0.000020000;400_0.000019000;400_0.000019000;400_0.000018000;400_0.000017000;400_0.000015000;400_0.000014000;400_0.000018000;400_0.000017000;400_0.000014000;400_0.000013000;400_0.000013000;400_0.000012000 3 20_0_1_1_26;400_0_24_24_26;420_0_1_1_26 20 420 386.1538 400 400 400 0 400 400 73.33154 0 -4.777904 20.90952 0.5 0 0.5 0.5 0.5 0.5 0 0.5 -0.5 0 0 0 0
Note that the length columns are now prefixed with l3, as all lengths are now measured from the L3 header on.
And you see the bytes being sent: 10040, the first packet length 420 and all subsequent 400 until the last with 20, as we could see in the packet file.
When we switch off the IP header length suppression in subsidiary fragments, what do we expect? Think, don't look down!
So set FRGIPPKTLENVIEW=0, recompile and run t2 on the pcap.
t2conf tranalyzer2 -D FRGIPPKTLENVIEW=0 && t2build -R
t2 -r ~/data/annoloc2.pcap -w ~/results
As expected, the L4 header is now added to all subsequent fragments, so the total bytes being seen: numBytesSnt=10540. Makes sense? Think!
tawk 'bitsanyset($flowStat, 0x0000001000000000)' ~/results/annoloc2_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktsSnt pktsRcvd padBytesSnt l3BytesSnt l3BytesRcvd minL3PktSz maxL3PktSz avgL3PktSz stdL3PktSz minIAT maxIAT avgIAT stdIAT pktps bytps pktAsm bytAsm tcpStatesAFlags nFpCnt L2L3L4Pl_Iat tCnt Ps_Iat_Cnt_PsCnt_IatCnt dsMinPl dsMaxPl dsMeanPl dsLowQuartilePl dsMedianPl dsUppQuartilePl dsIqdPl dsModePl dsRangePl dsStdPl dsRobStdPl dsSkewPl dsExcPl dsMinIat dsMaxIat dsMeanIat dsLowQuartileIat dsMedianIat dsUppQuartileIat dsIqdIat dsModeIat dsRangeIat dsStdIat dsRobStdIat dsSkewIat dsExcIat
A 4 0x0400081000004000 1294260266.528280000 1294260266.528923000 0.000643000 1 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 "!Private network" 1509 192.168.203.134 07 "!Private network" 0 6 26 1 0 10540 40 40 420 405.3846 74.52413 0 0.00015 2.473077e-05 2.787862e-05 40435.46 1.639191e+07 0.9259259 0.9924386 0x83 20 420_0.000000000;420_0.000038000;420_0.000017000;420_0.000013000;420_0.000015000;420_0.000020000;420_0.000021000;420_0.000020000;420_0.000019000;420_0.000019000;420_0.000018000;420_0.000017000;420_0.000015000;420_0.000014000;420_0.000018000;420_0.000017000;420_0.000014000;420_0.000013000;420_0.000013000;420_0.000012000 2 40_0_1_1_26;420_0_25_25_26 40 420 405.3846 420 420 420 0 420 380 73.07693 0 -4.799999 21.04 0.5 0 0.5 0.5 0.5 0.5 0 0.5 -0.5 0 0 0 0
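The four runs above (PACKETLENGTH 3, 0 and 1, the latter with FRGIPPKTLENVIEW 1 and 0) count the same 26 fragments differently. As an added example that is not Tranalyzer code, the following Python models the per-packet length under those settings and reproduces the byte totals, the min/max/avg columns of basicStats and the size histogram of pktSIATHisto for flow 4 of frag.pcap. The header sizes (untagged Ethernet, IPv4 and TCP without options) are assumed, and the fragment layout is reconstructed from the outputs shown here.

```python
# Added example (not Tranalyzer code): a model of the per-packet length that the
# statistics plugins see under the PACKETLENGTH and FRGIPPKTLENVIEW settings.
# Header sizes are assumed; the fragment layout is reconstructed from the
# flow outputs in this tutorial.
from collections import Counter
from dataclasses import dataclass

ETH_HDR = 14  # assumed: untagged Ethernet header
IP_HDR = 20   # assumed: IPv4 header without options
TCP_HDR = 20  # assumed: TCP header without options


@dataclass(frozen=True)
class Pkt:
    l4_hdr: int     # L4 header bytes carried by this packet (0 for 2nd++ fragments)
    payload: int    # bytes following the last header present in the packet
    fragment: bool  # True for the second and all following fragments


def pkt_len(p, packetlength, frgipview=1):
    """Length of one packet as counted by the statistics plugins.

    packetlength follows packetCapture.h: 0 = L2+L3+L4, 1 = L3+L4, 2 = L4, 3 = L7.
    frgipview follows FRGIPPKTLENVIEW: 1 strips the IP header from 2nd++ fragments.
    """
    if packetlength not in (0, 1, 2, 3):
        raise ValueError("PACKETLENGTH must be 0, 1, 2 or 3")
    if frgipview not in (0, 1):
        raise ValueError("FRGIPPKTLENVIEW must be 0 or 1")
    # L7 view: only the bytes after the last header; the other views add the L4 header
    length = p.payload if packetlength == 3 else p.payload + p.l4_hdr
    # L3 and L2 views add the IP header, unless a later fragment has it stripped
    if packetlength <= 1 and not (p.fragment and frgipview == 1):
        length += IP_HDR
    if packetlength == 0:
        length += ETH_HDR
    return length


def frag_flow():
    """Flow 4 of frag.pcap as reconstructed from the tutorial outputs (constructed):
    a first fragment with the TCP header and 380 payload bytes, 24 middle
    fragments of 400 bytes and a 20-byte tail fragment, 26 packets in total."""
    return [Pkt(TCP_HDR, 380, False)] + [Pkt(0, 400, True)] * 24 + [Pkt(0, 20, True)]


def bytes_sent(pkts, packetlength, frgipview=1):
    """Counterpart of the l{2,3,7}BytesSnt column: sum of the per-packet lengths."""
    return sum(pkt_len(p, packetlength, frgipview) for p in pkts)


def basic_stats(pkts, packetlength, frgipview=1):
    """Counterpart of the min/max/avg PktSz columns of basicStats."""
    lens = [pkt_len(p, packetlength, frgipview) for p in pkts]
    return {"min": min(lens), "max": max(lens), "avg": sum(lens) / len(lens)}


def size_histogram(pkts, packetlength, frgipview=1):
    """Counterpart of the packet-size part of pktSIATHisto: size -> packet count."""
    return dict(Counter(pkt_len(p, packetlength, frgipview) for p in pkts))


if __name__ == "__main__":
    for pl, view in ((3, 1), (0, 1), (1, 1), (1, 0)):
        print(f"PACKETLENGTH={pl} FRGIPPKTLENVIEW={view}:",
              bytes_sent(frag_flow(), pl, view), basic_stats(frag_flow(), pl, view),
              size_histogram(frag_flow(), pl, view))
```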
Conclusion
You probably wonder why I did all these stunts with pktlen/iat numbers, right? You will need them for Traffic Mining in encrypted payloads! Interested? Have a look at the (Encrypted) traffic mining tutorial.
But don’t forget to reset constants and recompile for the next tutorials:
t2conf tranalyzer2 --reset && t2build -R
Have fun!