Tutorial: Remote Authentication Dial-In User Service (RADIUS)
Contents
RADIUS allows users to authenticate to a network on a centralized entity, the RADIUS server. Moreover the protocol can be used for accounting as well. It was wide spread in companies to grant access to WLANs but is now replaced by DIAMETER. Nevertheless, we will discuss the plugin radiusDecode in the following.
Preparation
Before we start we need to prepare T2. If you did not complete the tutorials before just follow the procedure described below.
First I recommend to set T2 into a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins. Just as a precaution if you have some old plugins or files there. If you like to keep them, please copy them away.
$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$Then compile the following plugins
$ t2build tranalyzer2 basicFlow radiusDecode txtSink
...
BUILD SUCCESSFUL
$If you did not create a separate data and results directory yet, please do it now in another cmd window, it facilitates your workflow:
$ mkdir ~/data ~/results
$Download the sample pcap here: radius2.pcap. Now you’re all set.
radiusDecode
Let’s look at the plugin configuration first:
$ radiusDecode
$ vi src/radiusDecode.hYou can switch on/off Network Access Server, Framed, Tunnel and accounting info. MOreover the counts of message and AVP types can be controlled via RADIUS_CNTS and RADIUS_AVPTYPE repectively. RADIUS_NMS influences numeric or text based based output of all codes or types. We leave everything as default.
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define RADIUS_CNTS 1 // 1: Counts; 0: none ; Must be enabled for FORCE Mode
#define RADIUS_NAS 1 // Output NAS info
#define RADIUS_FRAMED 1 // Output framed info
#define RADIUS_TUNNEL 1 // Output tunnel info
#define RADIUS_ACCT 1 // Output accounting info
#define RADIUS_NMS 1 // 2: names; 1: values; 0: None
#define RADIUS_AVPTYPE 1 // Output AVP types
#define RAD_CNTMX 20
#define RADIUS_STRMAX 128 // Max length for strings
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...Now run t2 on the supplied pcap.
$ t2 -r ~/test_data/data/radius/radius2.pcap -w ~/results -s
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 84306
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
01: basicFlow, 0.8.14
02: radiusDecode, 0.8.14
03: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/download/data/radius2.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1159224178.228064 sec (Mon 25 Sep 2006 22:42:58 GMT)
Dump stop : 1159224184.240228 sec (Mon 25 Sep 2006 22:43:04 GMT)
Total dump duration: 6.012164 sec
Finished processing. Elapsed time: 0.000822 sec
Finished unloading flow memory. Time: 0.000925 sec
Percentage completed: 100.00%
Number of processed packets: 34
Number of processed bytes: 11873 (11.87 K)
Number of raw bytes: 11873 (11.87 K)
Number of pcap bytes: 12441 (12.44 K)
Number of IPv4 packets: 34 [100.00%]
Number of A packets: 17 [50.00%]
Number of B packets: 17 [50.00%]
Number of A bytes: 6017 (6.02 K) [50.68%]
Number of B bytes: 5856 (5.86 K) [49.32%]
Average A packet load: 353.94
Average B packet load: 344.47
--------------------------------------------------------------------------------
radiusDecode: Aggregated radiusStat=0x17
radiusDecode: Number of RADIUS packets: 34 [100.00%]
radiusDecode: Number of RADIUS Access packets: 28 [82.35%]
radiusDecode: Number of RADIUS Access-Accept packets: 2 [5.88%]
radiusDecode: Number of RADIUS Accounting packets: 6 [17.65%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of UDP packets: 34 [100.00%]
Number of UDP bytes: 11873 (11.87 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 4
Number of processed A flows: 2 [50.00%]
Number of processed B flows: 2 [50.00%]
Number of request flows: 2 [50.00%]
Number of reply flows: 2 [50.00%]
Total A/B flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed packets/flows: 8.50
Number of processed A packets/flows: 8.50
Number of processed B packets/flows: 8.50
Number of processed total packets/s: 5.66
Number of processed A+B packets/s: 5.66
Number of processed A packets/s: 2.83
Number of processed B packets/s: 2.83
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.67
Average full raw bandwidth: 15799 b/s (15.80 Kb/s)
Average full bandwidth : 15799 b/s (15.80 Kb/s)
Max number of flows in memory: 4 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
$So the aggregated radiusStat states that there is RADIUS traffic, actually 100%. Precisely Athentication, configuration and accounting traffic. And users connected successfully to the network.
$ tawk -V radiusStat=0x17
The radiusStat column with value 0x17 is to be interpreted as follows:
bit | radiusStat | Description
=============================================================================
0 | 0x01 | Flow is radius
1 | 0x02 | Authentication and configuration traffic
2 | 0x04 | Accounting traffic
4 | 0x10 | Connection successful
$All vital parametes are printed in the flow file. Note the aggregated list of codes an AVP types.
$ cd ~/results
$ tcol radius2_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto radiusStat radiusAxsReq_Acc_Rej_Chal radiusAccReq_Resp radiusAccStart_Stop radiusCodes radiusAVPTypes radiusUser radiusPW radiusServiceType radiusLoginService radiusVendor radiusNasId radiusNasIp radiusNasPort radiusNasPortType radiusNasPortId radiusFramedIp radiusFramedMask radiusFramedProto radiusFramedComp radiusFramedMtu radiusTunnel_Medium radiusTunnelCli radiusTunnelSrv radiusTunnelCliAId radiusTunnelSrvAId radiusTunnelPref radiusAcctSessId radiusAcctSessTime radiusAcctStatType radiusAcctTerm radiusAcctInOct_OutOct radiusAcctInPkt_OutPkt radiusAcctInGw_OutGw radiusConnInfo radiusFilterId radiusCalledId radiusCallingId radiusReplyMsg
A 1 0x0400000000004000 1159224178.228064 1159224184.014749 5.786685 1 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 "Private network" 1034 192.107.171.165 nz "The University of Waikato" 1812 17 0x13 14_0_0_0 0_0 0_0 1 1;4;5;30;31;12;61;77;79;80;24 "test" "" 0 0 0 "" 10.1.12.20 0 19 "" 0.0.0.0 0.0.0.0 0 0 1400 0_0 "" "" "" "" 0 "" 0 0 0 0_0 0_0 0_0 "CONNECT 0Mbps 802.11" "" "00-02-6F-21-EC-52:CRCnet-test" "00-02-6F-21-EC-5F" ""
B 1 0x0400000000004001 1159224178.308331 1159224184.113480 5.805149 1 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz "The University of Waikato" 1812 10.1.12.20 04 "Private network" 1034 17 0x13 0_2_0_12 0_0 0_0 11;2 85;8;9;79;80;24;26;1 "test" "" 0 0 311 "" 0.0.0.0 0 0 "" 10.1.40.34 255.255.255.0 0 0 0 0_0 "" "" "" "" 0 "" 0 0 0 0_0 0_0 0_0 "" "" "" "" ""
A 2 0x0400000000004000 1159224179.366554 1159224184.174770 4.808216 1 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 "Private network" 1035 192.107.171.165 nz "The University of Waikato" 1813 17 0x05 0_0_0_0 3_0 2_1 4 44;40;45;1;4;5;30;31;61;77;46;55;49 "test" "" 0 0 0 "" 10.1.12.20 0 19 "" 0.0.0.0 0.0.0.0 0 0 0 0_0 "" "" "" "" 0 "451859ED-00000006" 2 1 1 0_0 0_0 0_0 "CONNECT 0Mbps 802.11" "" "00-02-6F-21-EC-52:CRCnet-test" "00-02-6F-21-EC-5F" ""
B 2 0x0400000000004001 1159224179.437656 1159224184.240228 4.802572 1 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz "The University of Waikato" 1813 10.1.12.20 04 "Private network" 1035 17 0x05 0_0_0_0 0_3 0_0 5 "" "" 0 0 0 "" 0.0.0.0 0 0 "" 0.0.0.0 0.0.0.0 0 0 0 0_0 "" "" "" "" 0 "" 0 0 0 0_0 0_0 0_0 "" "" "" "" ""Currently only status, code and avp types per packets are available. THe text based output can be detected in the l7Content.
$ tcol radius2_packets.txt
%pktNo flowInd flowStat time pktIAT flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto radiusStat radiusCode radiusAVPTypes l7Content
1 1 0x0400000000004000 1159224178.228064 0.000000 0.000000 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 Private network 1034 192.107.171.165 nz The University of Waikato 1812 17 0x03 1 1;4;5;30;31;12;61;77;79;80; ....6._...\ta...9...4..test..\n...........00-02-6F-21-EC-52:CRCnet-test..00-02-6F-21-EC-5F.....x=.....M.CONNECT 0Mbps 802.11O....\t.testP....eE.*.B.._..).
2 1 0x0400000000004001 1159224178.308331 0.000000 0.000000 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz The University of Waikato 1812 10.1.12.20 04 Private network 1034 17 0x03 11 85;8;9;79;80;24; ...b..,..@2..T..w.q.U.......\n.("\t.....O.......hJ,H..2A^.......P..rMn..t..&....X.....\tcW.`|IP.aE@,E
3 1 0x0400000000004000 1159224178.314156 0.086092 0.086092 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 Private network 1034 192.107.171.165 nz The University of Waikato 1812 17 0x03 1 1;4;5;30;31;12;61;77;79;24;80; ./...2...\tD?...T<.T...test..\n...........00-02-6F-21-EC-52:CRCnet-test..00-02-6F-21-EC-5F.....x=.....M.CONNECT 0Mbps 802.11O...........\tcW.`|IP.aE@,EP...+.z.]..sW.K...
4 1 0x0400000000004001 1159224178.383704 0.075373 0.075373 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz The University of Waikato 1812 10.1.12.20 04 Private network 1034 17 0x03 11 85;8;9;79;80;24; ./.R._BNJ..z.......2U.......\n.("\t.....O...... P.%...m76...y.K#<....Q...4..........
5 1 0x0400000000004000 1159224178.416858 0.102702 0.188794 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 Private network 1034 192.107.171.165 nz The University of Waikato 1812 17 0x03 1 1;4;5;30;31;12;61;77;79;24;80; .0.\nma7h.EG.rb~..fh...test..\n...........00-02-6F-21-EC-52:CRCnet-test..00-02-6F-21-EC-5F.....x=.....M.CONNECT 0Mbps 802.11Ol...j......_...[..E.R.iS:&..j.VG..{F...d.-h.........4.9.8.5.....\n.3.2./.f.....c.b.a.....\t.e.d.`...............Q...4..........P.a.T...6*I.|".Q1.
6 1 0x0400000000004001 1159224178.529794 0.146090 0.221463 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz The University of Waikato 1812 10.1.12.20 04 Private network 1034 17 0x03 11 85;8;9;79;79;79;79;79;80;24; .0.^_.....u.K....h..U.......\n.("\t.....O....\n.....x....J...F..E.R.n<....O...Y.N...t^.....w.... .y....:?1...\t>4X.{..3.?.....CU.j.5...............]0..Y0....\t...fG....0\r.\t*.H..\r.....0o1.0\t..U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\t..U....CA1 0..\t*.H..\r.\t...admins@crc.net.nz0.O..\r060921042840Z.\r160918042840Z0s1.0\t..U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\r..U....radius1 0..\t*.H..\r.\t...admins@crc.net.nz0..0\r.\t*.H..\r.........0.......(iD...83...x.y0jb.%...).......[c.>*....y$....r...e3..!..M\n..a...V...!.."....O.o....VX.(.P...:...%.S.NN......K[H..t.%.........N........0\r.\t*.H..\r.............]o2..;P...j&Lv1..E...?cS.k.l]},..R........p..$.Y..o.....%.{.x.. ...S.H.QP.W\r..........;r;..3g]! W...!S.D....?Z"m^...h.........50..10.........\t..>..}g..0\r.\t*.H..\r.....0o1.0\t..O.U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\t..U....CA1 0..\t*.H..\r.\t...admins@crc.net.nz0..\r060921042542Z.\r160918042542Z0o1.0\t..U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\t..U....CA1 0..\t*.H..\r.\t...admins@crc.net.nz0..O.0\r.\t*.H..\r.........0..P.C..QTr%l.jB.u...............].96..
...Now switch on the human readable text based output of the codes.
$ t2conf radiusDecode -D RADIUS_NMS=2 && t2build radiusDecode
...
$ t2 -r ~/test_data/data/radius/radius2.pcap -w ~/results -s
...
$The columns are now filled with code and type names.
$ tcol radius2_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto radiusStat radiusAxsReq_Acc_Rej_Chal radiusAccReq_Resp radiusAccStart_Stop radiusCodesNms radiusAVPTypeNms radiusUser radiusPW radiusServiceType radiusLoginService radiusVendor radiusNasId radiusNasIp radiusNasPort radiusNasPortTypeNm radiusNasPortId radiusFramedIp radiusFramedMask radiusFramedProto radiusFramedComp radiusFramedMtu radiusTunnel_Medium radiusTunnelCli radiusTunnelSrv radiusTunnelCliAId radiusTunnelSrvAId radiusTunnelPref radiusAcctSessId radiusAcctSessTime radiusAcctStatType radiusAcctTerm radiusAcctInOct_OutOct radiusAcctInPkt_OutPkt radiusAcctInGw_OutGw radiusConnInfo radiusFilterId radiusCalledId radiusCallingId radiusReplyMsg
A 1 0x0400000000004000 1159224178.228064 1159224184.014749 5.786685 1 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 "Private network" 1034 192.107.171.165 nz "The University of Waikato" 1812 17 0x13 14_0_0_0 0_0 0_0 "Access-Rq" "User-Passwd";"NAS-Port";"Service-Type";"Calling-Station-Id";"NAS-Identifier";"Framed-Compress";"Port-Limit";"Config-Token";"Msg-Auth";"Tunnel-Priv-Group-ID";"Class" "test" "" 0 0 0 "" 10.1.12.20 0 "IEEE 802.11" "" 0.0.0.0 0.0.0.0 0 0 1400 0_0 "" "" "" "" 0 "" 0 0 0 0_0 0_0 0_0 "CONNECT 0Mbps 802.11" "" "00-02-6F-21-EC-52:CRCnet-test" "00-02-6F-21-EC-5F" ""
B 1 0x0400000000004001 1159224178.308331 1159224184.113480 5.805149 1 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz "The University of Waikato" 1812 10.1.12.20 04 "Private network" 1034 17 0x13 0_2_0_12 0_0 0_0 "Access-Chall";"Access-Acpt" "Acct-Tunnel-Pkts-Lst";"Framed-IP-Netmsk";"Framed-Routing";"Msg-Auth";"Tunnel-Priv-Group-ID";"Class";"Session-Timeout";"User-Passwd" "test" "" 0 0 311 "" 0.0.0.0 0 "Async" "" 10.1.40.34 255.255.255.0 0 0 0 0_0 "" "" "" "" 0 "" 0 0 0 0_0 0_0 0_0 "" "" "" "" ""
A 2 0x0400000000004000 1159224179.366554 1159224184.174770 4.808216 1 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 "Private network" 1035 192.107.171.165 nz "The University of Waikato" 1813 17 0x05 0_0_0_0 3_0 2_1 "Accounting-Rq" "Acct-Authentic";"Acct-Delay-Time";"Acct-Session-Time";"User-Passwd";"NAS-Port";"Service-Type";"Calling-Station-Id";"NAS-Identifier";"Port-Limit";"Config-Token";"Acct-Input-Pkts";"Egress-VLANID";"Acct-Multi-Sess-Id" "test" "" 0 0 0 "" 10.1.12.20 0 "IEEE 802.11" "" 0.0.0.0 0.0.0.0 0 0 0 0_0 "" "" "" "" 0 "451859ED-00000006" 2 1 1 0_0 0_0 0_0 "CONNECT 0Mbps 802.11" "" "00-02-6F-21-EC-52:CRCnet-test" "00-02-6F-21-EC-5F" ""
B 2 0x0400000000004001 1159224179.437656 1159224184.240228 4.802572 1 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz "The University of Waikato" 1813 10.1.12.20 04 "Private network" 1035 17 0x05 0_0_0_0 0_3 0_0 "Accounting-Res" "" "" 0 0 0 "" 0.0.0.0 0 "Async" "" 0.0.0.0 0.0.0.0 0 0 0 0_0 "" "" "" "" 0 "" 0 0 0 0_0 0_0 0_0 "" "" "" "" ""Same for the packets
$ tcol radius2_packets.txt
%pktNo flowInd flowStat time pktIAT flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto radiusStat radiusCodeNm radiusAVPTypesNm l7Content
1 1 0x0400000000004000 1159224178.228064 0.000000 0.000000 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 Private network 1034 192.107.171.165 nz The University of Waikato 1812 17 0x03 Access-Rq User-Passwd;NAS-Port;Service-Type;Calling-Station-Id;NAS-Identifier;Framed-Compress;Port-Limit;Config-Token;Msg-Auth;Tunnel-Priv-Group-ID; ....6._...\ta...9...4..test..\n...........00-02-6F-21-EC-52:CRCnet-test..00-02-6F-21-EC-5F.....x=.....M.CONNECT 0Mbps 802.11O....\t.testP....eE.*.B.._..).
2 1 0x0400000000004001 1159224178.308331 0.000000 0.000000 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz The University of Waikato 1812 10.1.12.20 04 Private network 1034 17 0x03 Access-Chall Acct-Tunnel-Pkts-Lst;Framed-IP-Netmsk;Framed-Routing;Msg-Auth;Tunnel-Priv-Group-ID;Class; ...b..,..@2..T..w.q.U.......\n.("\t.....O.......hJ,H..2A^.......P..rMn..t..&....X.....\tcW.`|IP.aE@,E
3 1 0x0400000000004000 1159224178.314156 0.086092 0.086092 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 Private network 1034 192.107.171.165 nz The University of Waikato 1812 17 0x03 Access-Rq User-Passwd;NAS-Port;Service-Type;Calling-Station-Id;NAS-Identifier;Framed-Compress;Port-Limit;Config-Token;Msg-Auth;Class;Tunnel-Priv-Group-ID; ./...2...\tD?...T<.T...test..\n...........00-02-6F-21-EC-52:CRCnet-test..00-02-6F-21-EC-5F.....x=.....M.CONNECT 0Mbps 802.11O...........\tcW.`|IP.aE@,EP...+.z.]..sW.K...
4 1 0x0400000000004001 1159224178.383704 0.075373 0.075373 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz The University of Waikato 1812 10.1.12.20 04 Private network 1034 17 0x03 Access-Chall Acct-Tunnel-Pkts-Lst;Framed-IP-Netmsk;Framed-Routing;Msg-Auth;Tunnel-Priv-Group-ID;Class; ./.R._BNJ..z.......2U.......\n.("\t.....O...... P.%...m76...y.K#<....Q...4..........
5 1 0x0400000000004000 1159224178.416858 0.102702 0.188794 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 Private network 1034 192.107.171.165 nz The University of Waikato 1812 17 0x03 Access-Rq User-Passwd;NAS-Port;Service-Type;Calling-Station-Id;NAS-Identifier;Framed-Compress;Port-Limit;Config-Token;Msg-Auth;Class;Tunnel-Priv-Group-ID; .0.\nma7h.EG.rb~..fh...test..\n...........00-02-6F-21-EC-52:CRCnet-test..00-02-6F-21-EC-5F.....x=.....M.CONNECT 0Mbps 802.11Ol...j......_...[..E.R.iS:&..j.VG..{F...d.-h.........4.9.8.5.....\n.3.2./.f.....c.b.a.....\t.e.d.`...............Q...4..........P.a.T...6*I.|".Q1.
6 1 0x0400000000004001 1159224178.529794 0.146090 0.221463 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz The University of Waikato 1812 10.1.12.20 04 Private network 1034 17 0x03 Access-Chall Acct-Tunnel-Pkts-Lst;Framed-IP-Netmsk;Framed-Routing;Msg-Auth;Msg-Auth;Msg-Auth;Msg-Auth;Msg-Auth;Tunnel-Priv-Group-ID;Class; .0.^_.....u.K....h..U.......\n.("\t.....O....\n.....x....J...F..E.R.n<....O...Y.N...t^.....w.... .y....:?1...\t>4X.{..3.?.....CU.j.5...............]0..Y0....\t...fG....0\r.\t*.H..\r.....0o1.0\t..U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\t..U....CA1 0..\t*.H..\r.\t...admins@crc.net.nz0.O..\r060921042840Z.\r160918042840Z0s1.0\t..U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\r..U....radius1 0..\t*.H..\r.\t...admins@crc.net.nz0..0\r.\t*.H..\r.........0.......(iD...83...x.y0jb.%...).......[c.>*....y$....r...e3..!..M\n..a...V...!.."....O.o....VX.(.P...:...%.S.NN......K[H..t.%.........N........0\r.\t*.H..\r.............]o2..;P...j&Lv1..E...?cS.k.l]},..R........p..$.Y..o.....%.{.x.. ...S.H.QP.W\r..........;r;..3g]! W...!S.D....?Z"m^...h.........50..10.........\t..>..}g..0\r.\t*.H..\r.....0o1.0\t..O.U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\t..U....CA1 0..\t*.H..\r.\t...admins@crc.net.nz0..\r060921042542Z.\r160918042542Z0o1.0\t..U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\t..U....CA1 0..\t*.H..\r.\t...admins@crc.net.nz0..O.0\r.\t*.H..\r.........0..P.C..QTr%l.jB.u...............].96..
...Don’t forget to reset the plugin configuration for the next tutorial.
$ t2conf radiusDecode --reset && t2build radiusDecode
...
$Have fun analyzing.