IP/TCP troubleshooting (tcpFlags)


IP/TCP header features

In this tutorial we will show you the hidden power of layers 3/4 for troubleshooting, security and admin applications. Everything is integrated in one plugin: tcpFlags. Its name is a bit misleading, as it evolved during practical application from a simple TCP flags decoder into a full-blown troubleshooting plugin for L3/4. Hence, it provides the following features:

  • TCP warning bits for troubleshooting, similar to Wireshark/TShark
  • OS and application fingerprinting (TTL, initial window size, flags)
  • Host load estimation (IPv4 IPID)
  • L3/4 options
  • Sequence/Acknowledge Number Tricks
  • NAT flow bundling: boot time estimation, host clock estimation (OS fingerprinting)
  • Multipath TCP (MPTCP)
  • Trip and Round Trip Time (RTT), jitter estimation
  • L3/4 checksum evaluation
  • Protocol anomalies
  • Fragmentation anomalies
  • Flow health: window size statistics, bytes in flight
  • Scan detection support

If you have read the The Basics tutorial, you already had a glimpse of some basic features of tcpFlags. Here we will explain how to apply those features. Note that you need tcpFlags plugin version 0.8.14 or higher so that the output on your command line matches the website.

Preparation

First, restore T2 to a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow tcpFlags tcpStates txtSink

...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, please do it now in another bash window; it facilitates your workflow:

mkdir ~/data ~/results

The sample PCAPs used in this tutorial can be downloaded here:

Please save them in your ~/data folder.

Now you are all set!

tcpFlags default

Let’s start with tcpFlags in minimal mode.

Since version 0.8.14, the tcpFlags anomaly bits have moved a bit closer to Wireshark's and the flag bits for the TCP header have changed. IP ToS can now also be represented in different forms.

A lot is different now, but it is a bit easier to interpret for the troubleshooter.

Nevertheless, the settings stayed the same. Open tcpFlags.h in the tcpFlags plugin folder:

tcpFlags

vi src/tcpFlags.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define IPTOS            0 // IPv4 ToS / IPv6 Class:
                           //   0: IP ToS hex
                           //   1: DSCP_ECN dec
                           //   2: Precedence(1-7)_ECN

#define RTT_ESTIMATE     1 // 1: Round trip time estimation
#define IPCHECKSUM       2 // Checksum calculation
                           //   0: No checksum calculation
                           //   1: Calculation of L3 (IP) header checksum
                           //   2: Calculation of L3 (IP) and L4 (TCP, UDP, ...) checksum

#define WINDOWSIZE       1 // 1: Calculation of TCP window size parameters
#define WINMIN           1 // Minimal window size threshold defining a healthy communication
                           // (only packets below the threshold are counted)
#define SEQ_ACK_NUM      1 // 1: SEQ/ACK number feature analysis
#define FRAG_ANALYZE     1 // 1: Fragmentation analysis
#define NAT_BT_EST       1 // 1: NAT boot time estimation
#define SCAN_DETECTOR    1 // 1: Scan flow detector
#define MPTCP            1 // 1: Dissect MPTCP
#define TCPJA4T          1 // Output JA4T/JA4TS fingerprints
#define JA4TOPTMX       20 // Maximal options stored in flow, requires TCPJA4T = 1
#define TCPFLGCNT        0 // TCP Flags Count

// The following options require SEQ_ACK_NUM = 1

#define SPKTMD_SEQACKREL 0 // SEQ/ACK numbers representation (-s option):
                           //   0: absolute,
                           //   1: relative

#define SPKTMD_SEQACKHEX 0 // SEQ/ACK numbers representation (-s option):
                           //   0: uint32_t
                           //   1: hex32

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

/*         No env / runtime configuration flags available for tcpFlags        */

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

The constants SPKTMD_SEQACKREL and SPKTMD_SEQACKHEX control the packet mode (-s) output of SEQ/ACK numbers: absolute or relative, and decimal or hex representation, respectively; see the packet mode tutorial. All the other switches will be discussed in the following chapters. First, let’s look at the end report.

Now invoke t2 with the -s option.

t2 -s -r ~/data/faf-exercise.pcap -w ~/results

================================================================================
Tranalyzer 0.9.4 (Anteater), Cobra. PID: 59081, Prio: 0, SID: 666
================================================================================
Date: 1751728437.000441950 sec (Sat 05 Jul 2025 17:13:57 CEST)
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.4
    02: tcpFlags, 0.9.4
    03: tcpStates, 0.9.4
    04: txtSink, 0.9.4
[INF] IPv4 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 7237865 (7.24 M)
[INF] IPv6 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 1419083 (1.42 M)
Processing file: /home/user/data/faf-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1258544215.037210000 sec (Wed 18 Nov 2009 11:36:55 GMT)
Dump stop : 1258594491.683288000 sec (Thu 19 Nov 2009 01:34:51 GMT)
Total dump duration: 50276.646078000 sec (13h 57m 56s)
Finished processing. Elapsed time: 0.004168519 sec
Finished unloading flow memory. Time: 0.004208935 sec
Percentage completed: 100.00%
Number of processed packets: 5902 (5.90 K)
Number of processed bytes: 4993414 (4.99 M)
Number of raw bytes: 4993414 (4.99 M)
Number of pad bytes: 11668 (11.67 K)
Number of pcap bytes: 5087870 (5.09 M)
Number of IPv4 packets: 5902 (5.90 K) [100.00%]
Number of A packets: 1986 (1.99 K) [33.65%]
Number of B packets: 3916 (3.92 K) [66.35%]
Number of A bytes: 209315 (209.31 K) [4.19%]
Number of B bytes: 4784099 (4.78 M) [95.81%]
<A packet load>: 105.40
<B packet load>: 1221.68 (1.22 K)
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x0044
tcpFlags: Aggregated tcpFStat=0x4ff1
tcpFlags: Aggregated tcpFlags=0x071f
tcpFlags: Aggregated tcpAnomaly=0x02cc
tcpFlags: Number of TCP SYN retries, seq retries: 0, 27
tcpFlags: Number WinSz below 1: 3 [0.05%]
tcpStates: Aggregated tcpStatesAFlags=0x4a
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of TCP packets: 5902 (5.90 K) [100.00%]
Number of TCP bytes: 4993414 (4.99 M) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 72
Number of processed IPv4 flows: 72 [100.00%]
Number of processed A    flows: 36 [50.00%]
Number of processed B    flows: 36 [50.00%]
Number of request        flows: 36 [50.00%]
Number of reply          flows: 36 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed A+B packets/A+B flows: 81.97
Number of processed A   packets/A   flows: 55.17
Number of processed   B packets/  B flows: 108.78
Number of processed total packets/s: 0.12
Number of processed A+B   packets/s: 0.12
Number of processed A     packets/s: 0.04
Number of processed   B   packets/s: 0.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.00
<Bandwidth>: 792 b/s
<Raw bandwidth>: 795 b/s
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.02 GB [0.03%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows

Between the dashed lines tcpFlags reports a summary of the flow variables tcpFStat, tcpFlags, ipFlags and tcpAnomaly, together with the SYN retry and WinSize threshold counts.

Note that the bits are now grouped strictly by topic: window, flags, IP header and TCP anomalies. The scan bits have moved to tcpFlags, which is now a 16-bit field, so flag combinations such as FIN ACK are in the upper byte of the tcpFlags status bit field.

Let’s have a look at them:

tawk -V tcpFStat=0x4ff1 -V ipFlags=0x0044 -V tcpFlags=0x071f -V tcpAnomaly=0x02cc

The tcpFStat column with value 0x4ff1 is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     4 | 0x0010   | Window state-machine initialized
     5 | 0x0020   | Window update
     6 | 0x0040   | Win 0 probe
     7 | 0x0080   | Win 0 probe ACK
     8 | 0x0100   | Min Window detected
     9 | 0x0200   | WS used
    10 | 0x0400   | Window full
    11 | 0x0800   | Window state-machine count up(1)/down(0)
    14 | 0x4000   | TCP Selective ACK Option


The ipFlags column with value 0x0044 is to be interpreted as follows:

   bit | ipFlags | Description
   =============================================================================
     2 | 0x0004  | IPv4 ID roll over
     6 | 0x0040  | IPv4: Don't Fragment bit, IPv6: reserve bit


The tcpFlags column with value 0x071f is to be interpreted as follows:

   bit | tcpFlags | Description
   =============================================================================
     0 | 0x0001   | FIN: No more data, finish connection
     1 | 0x0002   | SYN: Synchronize sequence numbers
     2 | 0x0004   | RST: Reset connection
     3 | 0x0008   | PSH: Push data
     4 | 0x0010   | ACK: Acknowledgement field value valid
     8 | 0x0100   | FIN_ACK: Acknowledgement of FIN
     9 | 0x0200   | SYN_ACK: Acknowledgement of SYN
    10 | 0x0400   | RST_ACK: Acknowledgement of RST


The tcpAnomaly column with value 0x02cc is to be interpreted as follows:

   bit | tcpAnomaly | Description
   =============================================================================
     2 | 0x0004     | SEQ Fast retransmission
     3 | 0x0008     | Duplicate ACK
     6 | 0x0040     | Sequence number out-of-order
     7 | 0x0080     | Sequence mess, rather spurious Retransmission
     9 | 0x0200     | Previous packet not captured

There are duplicate ACKs together with SEQ fast retransmissions, so packets were lost and retransmitted. As WINMIN=1, the warning Min Window detected denotes that the window size dropped below 1, i.e. hit 0, indicating that the receiver-side buffer overflowed. Win 0 probe indicates that the zero window persisted long enough for the sender to probe the receiver. Window full denotes that the transmission window of the TCP flow, as advertised by the receiver, is full.

OS fingerprinting

The L3/4 headers still provide some information for estimating the operating system of the sending host. All these parameters are included in the flow and packet file output, such as:

  • TTL (ipMinTTL, ipMaxTTL, ipTTLChg): minimal/maximal TTL, number of TTL changes during the flow lifetime
  • Initial window size (tcpInitWinSz): only valid if the 3-way handshake is captured
  • tcpOptions: aggregated, or in packet mode as hex or as a human-readable interpretation

If you load the OS fingerprinting plugin tp0f, several other parameters will be used, and the rounding of the TTL up to the next higher 2^n value is already done for you. If you are hardcore, just use the parameters from tcpFlags and do the calculations in your head.

If you set TCPJA4T=1, the JA4T/JA4TS fingerprints, consisting of the TCP window size, options, MSS and WS, are printed. JA3 and JA4 hashes are also calculated in sslDecode for SSL/TLS fingerprinting.

Host load estimation

I hate IPv6! Why? Because these bastards omitted the IP ID in the L3 header. And I hate OSes which do not increment the IP ID by 1 for each packet being sent. Why? Because it is an excellent parameter to estimate the load of a server. If the IP ID increments by a large value, several other connections (flows) must exist besides the one I’m looking at, so the host has a lot of work to do.

  • IPv4 (ipMindIPID, ipMaxdIPID): minimal/maximal IP ID delta during the flow lifetime.

There are still OSes which increment the IP ID by 1 per packet, so if ipMindIPID==2, ipMaxdIPID is an indicator of the host load.

Another indicator is the number of flows per host. Have a look at the connStat plugin tutorial.

tcpFlags troubleshooting TCP connections

Basically, the status bit fields tcpFStat and tcpAnomaly flag flows in trouble. Let’s have a look at all flows with duplicate ACKs and fast retransmissions (tcpAnomaly bits 3 and 2, i.e. mask 0x000c). In the flow file you might notice a new column, tcpBFlgtMx: it denotes the maximum TCP bytes in flight of a flow. Why mostly B flows? Because the packets got lost in the A flow, right?

tawk 'bitsanyset($tcpAnomaly, 0x000c)' ~/results/faf-exercise_flows.txt | tcol

%dir  flowInd  flowStat            timeFirst             timeLast              duration      numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  vlanID  srcIP          srcIPCC  srcIPOrg            srcPort  dstIP           dstIPCC  dstIPOrg            dstPort  l4Proto  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipToS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpBFlgtMx  tcpInitWinSz  tcpAvgWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpJA4T                 tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpMPTBF  tcpMPF  tcpMPAID  tcpMPDSSF  tcpTmS  tcpTmER  tcpEcI  tcpUtm    tcpBtm       tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAvg  tcpRTTAckTripJitAvg  tcpRTTSseqAA  tcpRTTAckJitAvg  tcpStatesAFlags
B     12       0x0400000000004001  1258563573.941709000  1258563576.594045000  2.652336000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.103   07       "!Private network"  1397     6        0x0011    14578       41494       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1702698086  29          1440            0               30          2943                   1               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_00        1             2          0x00000014  1460    0      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000452032    0.000294976       2.176203          0.1305968         0.5305589            0.1459511     0.5378596        0x08
B     13       0x0400000000004001  1258565030.304696000  1258565030.420877000  0.116181000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.103   07       "!Private network"  1749     6        0x0011    16590       55298       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  645942508   29          1405            0               30          5679                   2               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_00        1             2          0x00000014  1460    0      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000204992    0.000204992       0.002953984       0.0009045759      0.0008665445         0.004287214   0.01671437       0x08
B     14       0x0400000000004001  1258565174.919179000  1258565175.037828000  0.118649000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.103   07       "!Private network"  1755     6        0x0011    33510       47342       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  328872932   27          1405            0               28          2357                   1               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_00        1             2          0x00000014  1460    0      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000454016    0.000212          0.005176          0.001105356       0.00130898           0.004723747   0.0173547        0x08
B     15       0x0400000000004001  1258565820.302128000  1258565821.898612000  1.596484000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.105   07       "!Private network"  49218    6        0x0a11    811         52183       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  652739796   29          1519            0               29          4899                   2               852         65535         524219.4     65535        524280       1               2              2                  0             0x031b    0x0008      65535_2-1-3-41460_3     1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.0002         0.0002            1.393001          0.08960117        0.3407968            0.09602135    0.3424536        0x00
B     16       0x0400000000004001  1258565880.189338000  1258565880.212279000  0.022941000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.105   07       "!Private network"  49219    6        0x0a11    11001       47310       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1405763652  30          799             0               30          4429                   2               166         65535         524225.7     65535        524280       1               2              2                  0             0x031b    0x0008      65535_2-1-3-41460_3     1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000152       0.000152          0.002171008       0.0006970613      0.000583964          0.001095558   0.00164214       0x00
B     17       0x0400000000004001  1258566050.124650000  1258566050.238828000  0.114178000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.105   07       "!Private network"  49220    6        0x0a11    19206       47121       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  916601873   27          1466            0               27          2750                   2               852         65535         524220.3     65535        524280       1               2              2                  0             0x031b    0x0008      65535_2-1-3-41460_3     1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000189       0.000189          0.003914992       0.000969187       0.001131419          0.004689855   0.01614901       0x00
B     18       0x0400000000004001  1258566123.706462000  1258566123.739692000  0.033230000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.103   07       "!Private network"  1806     6        0x0011    63527       61713       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  925488549   28          1370            0               28          4371                   2               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_0         1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000206016    0.000174016       0.00302304        0.0009781156      0.0008168654         0.001666861   0.002317145      0x00
B     19       0x0400000000004001  1258567109.383558000  1258567113.574642000  4.191084000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.102   07       "!Private network"  1400     6        0x0011    25388       44643       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1816175150  25          1370            0               26          1522                   1               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_0         1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000201984    0.000101952       3.94484           0.2614954         1.016245             0.2686045     1.016971         0x08
B     20       0x0400000000004001  1258567248.261635000  1258567248.374809000  0.113174000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.102   07       "!Private network"  1404     6        0x0011    28675       64081       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  113675184   28          1370            0               28          5247                   2               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_0         1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000200992    0.000200992       0.002393984       0.0008873368      0.0006575508         0.004495227   0.01739412       0x00
B     21       0x0400000000004001  1258567289.262156000  1258567289.283642000  0.021486000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.102   07       "!Private network"  1405     6        0x0011    58923       49123       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  6599705     28          632             0               28          5796                   1               166         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_0         1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000206       0.000206          0.001728          0.0006774779      0.0003972771         0.0010908     0.001682575      0x00
B     22       0x0400000000004001  1258567757.457805000  1258567757.572984000  0.115179000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.105   07       "!Private network"  49336    6        0x0a11    52210       51969       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  226877106   27          1466            0               27          2430                   2               852         65535         524228.2     65535        524280       1               2              2                  0             0x031b    0x0008      65535_2-1-3-41460_3     1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000196       0.000196          0.004917952       0.000966626       0.001316972          0.004713143   0.01617481       0x00
B     23       0x0400000000004001  1258568036.508400000  1258568036.620325000  0.111925000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.105   07       "!Private network"  49353    6        0x0a11    60435       51877       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1304812153  26          1466            0               27          2462                   2               852         65535         524227.5     65535        524280       1               2              2                  0             0x031b    0x0008      65535_2-1-3-41460_3     1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000209984    0.000140992       0.003169024       0.0008697344      0.0009256471         0.004721354   0.01613474       0x08
B     24       0x0400000000004001  1258568059.128711000  1258568059.160696000  0.031985000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.103   07       "!Private network"  1836     6        0x0011    25036       31267       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1667500374  26          1370            0               26          3372                   1               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_0         1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000443       0.000247008       0.003048          0.0009271289      0.0007896523         0.001641512   0.00236274       0x00
B     25       0x0400000000004001  1258568667.549083000  1258568667.662999000  0.113916000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.102   07       "!Private network"  1709     6        0x0011    13070       63071       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1075440067  25          1370            0               26          2374                   1               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_0         1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000446976    0.000219008       0.002756992       0.001155537       0.0008531204         0.005134015   0.01773331       0x08
B     26       0x0400000000004001  1258568738.108301000  1258568738.141266000  0.032965000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.105   07       "!Private network"  49561    6        0x0a11    20209       59196       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1983906088  28          1466            0               28          4334                   2               852         65535         524166.4     65535        524280       2               2              3                  0             0x031b    0x0008      65535_2-1-3-41460_3     1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000203       0.000196          0.002545          0.000893353       0.0008881817         0.001596995   0.002412417      0x00
B     27       0x0400000000004001  1258574141.027497000  1258574141.466226000  0.438729000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.104   07       "!Private network"  1572     6        0x0011    1033        49706       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1684028818  17          308             0               17          1021                   1               166         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_0         1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000464       0.000308          0.210095          0.0226374         0.0659134            0.03517511    0.08721392       0x00
B     28       0x0400000000004001  1258577484.692644000  1258577484.971707000  0.279063000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.104   07       "!Private network"  1604     6        0x0011    12132       53911       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1644748927  17          308             0               17          761                    1               166         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_0         1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000445056    0.00026304        0.164624          0.0189601         0.05140582           0.0242697     0.05600978       0x00
B     29       0x0400000000004001  1258577840.949804000  1258577841.204644000  0.254840000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.104   07       "!Private network"  1665     6        0x0011    35109       30475       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1401071890  17          308             0               17          574                    1               166         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_0         1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000449984    0.000265          0.135147          0.0165157         0.04199369           0.02183446    0.0475346        0x00
B     30       0x0400000000004001  1258581757.587891000  1258581758.358901000  0.771010000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.103   07       "!Private network"  1934     6        0x0011    5853        51672       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  18417741    26          1370            0               27          5732                   1               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_0         1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000198976    0.000171008       0.01887301        0.002281166       0.004975774          0.02947947    0.156808         0x08
B     31       0x0400000000004001  1258582107.588266000  1258582108.822724000  1.234458000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.103   07       "!Private network"  2008     6        0x0011    61421       45039       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2088358893  25          1370            0               26          3460                   1               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_0         1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000198016    0.000192          0.333958          0.05834953        0.09598713           0.07774249    0.1417972        0x08
B     32       0x0400000000004001  1258583614.298161000  1258583615.323218000  1.025057000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.102   07       "!Private network"  1911     6        0x0011    60719       59161       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  398501520   28          1370            0               29          7079                   2               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      65535_2-41460_0         1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000395008    0.000195008       0.139913          0.03019411        0.04570331           0.05901732    0.179593         0x08
A     33       0x0400000000004000  1258587444.865917000  1258587445.631435000  0.765518000   1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800           192.168.1.104  07       "!Private network"  1908     198.189.255.75  us       "CENIC"             80       6        0x0011    1           2           128       128       0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3626872219  23          319             0               23          95699                  1               319         65535         65535        65535        65535        0               0              0                  0             0x011b    0x0008      65535_2-1-1-41460_0     1             4          0x00000016  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.007304       0.007046976       0.573488          0.01674977        0.07036759           0.007744      0                0x02
A     36       0x0400000000004000  1258594163.408285000  1258594191.015208000  27.606923000  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800           192.168.1.105  07       "!Private network"  49330    143.166.11.10   us       "DELL-BLK"          64334    6        0x49b1    1           223         128       128       0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3392384642  1511        0               0               1511        4255056                437             0           8192          45402        0            64860        253             194            254                0.001981506   0x0416    0x0008      8192_2-1-3-1-1-41460_2  511           1536       0x0000003e  1460    4      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.07874201     1.024e-06         0.67088           0.03865783        0.04070456           0.079203      0                0x42
B     36       0x0400000000004001  1258594163.487027000  1258594185.427506000  21.940479000  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800           143.166.11.10  us       "DELL-BLK"          64334    192.168.1.105   07       "!Private network"  49330    6        0x0c51    1           6365        111       111       0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3177226489  2866        5233476         27              3099        0                      0               28980       8192          64860        8192         64860        0               1              1                  0             0x031b    0x02c4      8192_2-1-1-41380_0      1             4          0x00000016  1380    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000460992    1.984e-06         5.587702          0.004777641       0.1448904            0.04343547    0.1504994        0x02

Have a look at the A and B flows of flow 36, which are lit up like a Christmas tree. There are a lot of reasons why there is a major mess here:

tawk -V tcpFStat=0x49b1 -V tcpFStat=0x0c51 -V tcpAnomaly=0x02c4 -V tcpAnomaly=0x0008

The tcpFStat column with value 0x49b1 is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     4 | 0x0010   | Window state-machine initialized
     5 | 0x0020   | Window update
     7 | 0x0080   | Win 0 probe ACK
     8 | 0x0100   | Min Window detected
    11 | 0x0800   | Window state-machine count up(1)/down(0)
    14 | 0x4000   | TCP Selective ACK Option


The tcpFStat column with value 0x0c51 is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     4 | 0x0010   | Window state-machine initialized
     6 | 0x0040   | Win 0 probe
    10 | 0x0400   | Window full
    11 | 0x0800   | Window state-machine count up(1)/down(0)


The tcpAnomaly column with value 0x02c4 is to be interpreted as follows:

   bit | tcpAnomaly | Description
   =============================================================================
     2 | 0x0004     | SEQ Fast retransmission
     6 | 0x0040     | Sequence number out-of-order
     7 | 0x0080     | Sequence mess, rather spurious Retransmission
     9 | 0x0200     | Previous packet not captured

The tcpAnomaly column with value 0x0008 is to be interpreted as follows:

   bit | tcpAnomaly | Description
   =============================================================================
     3 | 0x0008     | Duplicate ACK

So flow A had a full buffer and reduced its window size to 0; B hit a Window full alarm and since then probes whether the window is non-zero in order to send more data. Therefore you have retransmissions, fast and spurious, and we have a case of a missing packet in the pcap. And therefore flow B sends duplicate ACKs.

You can follow that in the corresponding packet file:

tawk 'flow(36)' ~/results/faf-exercise_packets.txt | tcol

%pktNo  flowInd  flowStat            time                  pktIAT       pktTrip      flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPOrg          srcPort  dstIP          dstIPCC  dstIPOrg          dstPort  l4Proto  ipToS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq         ack         seqMax      seqDiff  ackDiff  seqLen  ackLen  seqFlowLen  ackFlowLen  tcpMLen  tcpBFlgt  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpWS  tcpMSS  tcpTmS  tcpTmER  tcpMPTyp  tcpMPF  tcpMPAID  tcpMPDSSF  tcpOptLen  tcpOpts                                                      tcpStatesAFlags  l7Content
1280    36       0x0400000000004000  1258594163.408285000  0.000000000  0.000000000  0.000000000   3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   16259  0         0x4000  128    0x5e7f       0x5e7f       0xbd9c       0xbd9c       0x0040   0                       0                     0                 3392384642  0           3392384642  0        0        0       0       0           0           0        0         0x0010    0x0002    0x0000      8192    0      1460    0       0        0         0x00    0         0x00       12         0x02;0x04;0x05;0xb4;0x01;0x03;0x03;0x02;0x01;0x01;0x04;0x02  0x00             
1281    36       0x0400000000004001  1258594163.487027000  0.000000000  0.078742016  0.000000000   3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       DELL-BLK          64334    192.168.1.105  07       !Private network  49330    6        0x00   17228  0         0x4000  111    0x6bba       0x6bba       0x738a       0x738a       0x0040   0                       0                     0                 3177226489  3392384643  3177226489  0        0        0       0       0           0           0        0         0x0010    0x0212    0x0000      8192    0      1380    0       0        0         0x00    0         0x00       8          0x02;0x04;0x05;0x64;0x01;0x01;0x04;0x02                      0x00             
1282    36       0x0400000000004000  1258594163.487488000  0.079203000  0.000460992  0.079203000   3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   16266  7         0x4000  128    0x5e84       0x5e84       0xc2a1       0xc2a1       0x0040   0                       0                     0                 3392384643  3177226490  3392384643  1        0        0       0       0           0           0        0         0x0811    0x0010    0x0000      64860   0      1460    0       0        0         0x00    0         0x00       0                                                                       0x00             
1287    36       0x0400000000004001  1258594163.644682000  0.157655000  0.157193984  0.157655000   3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       DELL-BLK          64334    192.168.1.105  07       !Private network  49330    6        0x00   18966  1738      0x4000  111    0x5f94       0x5f94       0x153a       0x153a       0x0040   0                       0                     0                 3177226490  3392384643  3177226490  1        0        0       0       0           0           1380     1380      0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                       0x00             MZ... [PE executable payload truncated]
1288    36       0x0400000000004001  1258594163.644692000  0.000010000  0.157203968  0.157665000   3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       DELL-BLK          64334    192.168.1.105  07       !Private network  49330    6        0x00   18967  1         0x4000  111    0x5f93       0x5f93       0x77eb       0x77eb       0x0040   0                       0                     0                 3177227870  3392384643  3177227870  1380     0        1380    0       1380        0           2760     2760      0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                       0x00             [binary payload truncated]
1289    36       0x0400000000004000  1258594163.644891000  0.157403000  0.000199040  0.236606000   3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   16277  11        0x4000  128    0x5e79       0x5e79       0xbd3d       0xbd3d       0x0040   0                       0                     0                 3392384643  3177229250  3392384643  0        2760     0       2760    0           2760        0        0         0x0011    0x0010    0x0000      63480   0      1460    0       0        0         0x00    0         0x00       0                                                                       0x00             
1290    36       0x0400000000004000  1258594163.647385000  0.002494000  0.002693056  0.239100000   3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   16278  1         0x4000  128    0x5e78       0x5e78       0xb7d9       0xb7d9       0x0040   0                       0                     0                 3392384643  3177229250  3392384643  0        0        0       0       0           2760        0        0         0x0831    0x0010    0x0000      64860   0      1460    0       0        0         0x00    0         0x00       0                                                                       0x00             
1291    36       0x0400000000004001  1258594163.722388000  0.077696000  0.075002944  0.235361000   3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       DELL-BLK          64334    192.168.1.105  07       !Private network  49330    6        0x00   19785  818       0x4000  111    0x5c61       0x5c61       0xf480       0xf480       0x0040   0                       0                     0                 3177229250  3392384643  3177229250  1380     0        1380    0       2760        0           4140     1380      0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                       0x00             [binary payload truncated]
1292    36       0x0400000000004001  1258594163.722400000  0.000012000  0.075014976  0.235373000   3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       DELL-BLK          64334    192.168.1.105  07       !Private network  49330    6        0x00   19786  1         0x4000  111    0x5c60       0x5c60       0xe46d       0xe46d       0x0040   0                       0                     0                 3177230630  3392384643  3177230630  1380     0        1380    0       4140        0           5520     2760      0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                       0x00             [binary payload truncated]
...

In the following chapters we will discuss window size, sequence number and other features useful in troubleshooting and security analysis.

Window size features

The TCP window size advertises the free receive buffer of the TCP flow control and thus gives an indication of how fast the destination host can digest data. As indicated in the previous chapter, all window anomaly bits are now located in tcpFStat:

tawk -V tcpFStat

The tcpFStat column is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     1 | 0x0002   | TCP option init
     2 | 0x0004   | Timestamp option decreasing
     3 | 0x0008   | L4 option field corrupt or not acquired

     4 | 0x0010   | Window state-machine initialized
     5 | 0x0020   | Window update
     6 | 0x0040   | Win 0 probe
     7 | 0x0080   | Win 0 probe ACK

     8 | 0x0100   | Min Window detected
     9 | 0x0200   | WS used
    10 | 0x0400   | Window full
    11 | 0x0800   | Window state-machine count up(1)/down(0)

    12 | 0x1000   | L4 Checksum calculation if present
    13 | 0x2000   | UDPLITE Checksum coverage error
    14 | 0x4000   | TCP Selective ACK Option
    15 | 0x8000   | MPTCP detected

So window scaling (WS) was used at the beginning. Then, after a Min Window was detected, a sender Window full followed, and then a Win 0 probe was issued in order to test whether more bytes are accepted. Makes sense, and it can be investigated in the packet file in the previous chapter.

In the flow file, the initial window size tcpInitWinSz in combination with the TTL is still a reasonable feature to estimate the type of OS. If tcpMinWinSz hits 0, the buffer of the receiving host is full and the sender has to wait. As in the end report, the variable tcpWinSzThRt counts the occurrences where the window size drops below the configurable threshold WINMIN in tcpFlags.h (default 1), i.e. how often the receiver applies back-pressure to the sender. The parameters tcpWinSzDwnCnt, tcpWinSzUpCnt and tcpWinSzChgDirCnt are experimental: they try to aggregate the evolution of the window size, which is governed by several algorithms. They denote the per-packet up or down count of the window size and how often these counts reverse direction, giving an indication of irregularities in flow control. As you can see, the counts are increased in flow 36, which has a lot of flow and error control problems.

tawk 'bitsanyset($tcpFStat, 0x0700) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly, $tcpInitWinSz, $tcpAvgWinSz, $tcpMinWinSz, $tcpMaxWinSz, $tcpWinSzDwnCnt, $tcpWinSzUpCnt, $tcpWinSzChgDirCnt, $tcpWinSzThRt }' ~/results/faf-exercise_flows.txt | tcol

%dir  flowInd  flowStat            srcIP          srcIPCC  srcIPOrg            srcPort  dstIP          dstIPCC  dstIPOrg            dstPort  l4Proto  tcpFStat  ipFlags  tcpFlags  tcpAnomaly  tcpInitWinSz  tcpAvgWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt
A     15       0x0400000000004000  192.168.1.105  07       "!Private network"  49218    192.168.1.1    07       "!Private network"  25       6        0x0a11    0x0040   0x011b    0x0000      8192          64982.55     8192         65536        3               2              4                  0
B     15       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.105  07       "!Private network"  49218    6        0x0a11    0x0044   0x031b    0x0008      65535         524219.4     65535        524280       1               2              2                  0
A     16       0x0400000000004000  192.168.1.105  07       "!Private network"  49219    192.168.1.1    07       "!Private network"  25       6        0x0a11    0x0040   0x011b    0x0000      8192          64673.17     8192         65536        3               1              4                  0
B     16       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.105  07       "!Private network"  49219    6        0x0a11    0x0044   0x031b    0x0008      65535         524225.7     65535        524280       1               2              2                  0
A     17       0x0400000000004000  192.168.1.105  07       "!Private network"  49220    192.168.1.1    07       "!Private network"  25       6        0x0a11    0x0040   0x011b    0x0000      8192          64668.98     8192         65536        3               2              4                  0
B     17       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.105  07       "!Private network"  49220    6        0x0a11    0x0044   0x031b    0x0008      65535         524220.3     65535        524280       1               2              2                  0
A     22       0x0400000000004000  192.168.1.105  07       "!Private network"  49336    192.168.1.1    07       "!Private network"  25       6        0x0a11    0x0040   0x011b    0x0000      8192          64668.98     8192         65536        3               2              4                  0
B     22       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.105  07       "!Private network"  49336    6        0x0a11    0x0044   0x031b    0x0008      65535         B     22       0x0400000000004001  1258567757.457805000  1258567757.572984000  0.115179000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.105  07       "!Private network"  49336    6        0x0a11    52210       51969       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  226877106   27          1466            0               27          2430                   2               852         65535         524228.2     65535        524280       1               2              2                  0             0x031b    0x0008      65535_2-1-3-41460_3     1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000196       0.000196          0.004917952       0.000966626       0.001316972          0.004713143   0.01617481       0x00             65535        524280       1               2              2                  0
A     23       0x0400000000004000  192.168.1.105  07       "!Private network"  49353    192.168.1.1    07       "!Private network"  25       6        0x0a11    0x0040   0x011b    0x0000      8192          A     23       0x0400000000004000  1258568036.508358000  1258568036.620287000  0.111929000   1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800           192.168.1.105  07       "!Private network"  49353    192.168.1.1    07       "!Private network"  25       6        0x0a11    1           1           128       128       0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2096859172  15          2462            0               15          1466                   0               1701        8192          64668.98     8192         65536        3               2              4                  0             0x011b    0x0000      8192_2-1-3-1-1-41460_8  1             6          0x0000001e  1460    256    0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  4.1984e-05     1.3056e-05        0.07023001        0.00385162        0.01610817           0.000251968   0                0x00             8192         65536        3               2              4                  0
B     23       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.105  07       "!Private network"  49353    6        0x0a11    0x0044   0x031b    0x0008      65535         B     23       0x0400000000004001  1258568036.508400000  1258568036.620325000  0.111925000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.105  07       "!Private network"  49353    6        0x0a11    60435       51877       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1304812153  26          1466            0               27          2462                   2               852         65535         524227.5     65535        524280       1               2              2                  0             0x031b    0x0008      65535_2-1-3-41460_3     1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000209984    0.000140992       0.003169024       0.0008697344      0.0009256471         0.004721354   0.01613474       0x08             65535        524280       1               2              2                  0
A     26       0x0400000000004000  192.168.1.105  07       "!Private network"  49561    192.168.1.1    07       "!Private network"  25       6        0x0a11    0x0040   0x011b    0x0000      8192          A     26       0x0400000000004000  1258568738.108255000  1258568738.141234000  0.032979000   1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800           192.168.1.105  07       "!Private network"  49561    192.168.1.1    07       "!Private network"  25       6        0x0a11    1           1           128       128       0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  731213116   16          4334            0               16          1467                   0               3573        8192          64740.93     8192         65536        3               2              4                  0             0x011b    0x0000      8192_2-1-3-1-1-41460_8  1             6          0x0000001e  1460    256    0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  4.6e-05        1.7e-05           0.009698          0.0007036423      0.002242964          0.000249      0                0x00             8192         65536        3               2              4                  0
B     26       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.105  07       "!Private network"  49561    6        0x0a11    0x0044   0x031b    0x0008      65535         B     26       0x0400000000004001  1258568738.108301000  1258568738.141266000  0.032965000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800           192.168.1.1    07       "!Private network"  25       192.168.1.105  07       "!Private network"  49561    6        0x0a11    20209       59196       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1983906088  28          1466            0               28          4334                   2               852         65535         524166.4     65535        524280       2               2              3                  0             0x031b    0x0008      65535_2-1-3-41460_3     1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000203       0.000196          0.002545          0.000893353       0.0008881817         0.001596995   0.002412417      0x00             65535        524280       2               2              3                  0
A     36       0x0400000000004000  192.168.1.105  07       "!Private network"  49330    143.166.11.10  us       "DELL-BLK"          64334    6        0x49b1    0x0040   0x0416    0x0008      8192          A     36       0x0400000000004000  1258594163.408285000  1258594191.015208000  27.606923000  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800           192.168.1.105  07       "!Private network"  49330    143.166.11.10  us       "DELL-BLK"          64334    6        0x49b1    1           223         128       128       0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3392384642  1511        0               0               1511        4255056                437             0           8192          45402        0            64860        253             194            254                0.001981506   0x0416    0x0008      8192_2-1-3-1-1-41460_2  511           1536       0x0000003e  1460    4      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.07874201     1.024e-06         0.67088           0.03865783        0.04070456           0.079203      0                0x42             0            64860        253             194            254                0.001981506
B     36       0x0400000000004001  143.166.11.10  us       "DELL-BLK"          64334    192.168.1.105  07       "!Private network"  49330    6        0x0c51    0x0044   0x031b    0x02c4      8192          B     36       0x0400000000004001  1258594163.487027000  1258594185.427506000  21.940479000  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800           143.166.11.10  us       "DELL-BLK"          64334    192.168.1.105  07       "!Private network"  49330    6        0x0c51    1           6365        111       111       0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3177226489  2866        5233476         27              3099        0                      0               28980       8192          64860        8192         64860        0               1              1                  0             0x031b    0x02c4      8192_2-1-1-41380_0      1             4          0x00000016  1380    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000000  0.000460992    1.984e-06         5.587702          0.004777641       0.1448904            0.04343547    0.1504994        0x02             8192         64860        0               1              1                  0

Have a look at the packet file and identify the flow control problems in flow 36. Is this flow benign or part of malicious activity?

Sequence and acknowledge numbers

I added some more columns to the packet mode to track faults and to make the counts more consistent. seqDiff and ackDiff are now the real (signed) difference between the sequence or acknowledgement number of a packet and that of the previous packet of the same flow, so they can also be negative. seqLen and ackLen denote the positive part of that difference and are hence an indication of the payload length. seqFlowLen and ackFlowLen aggregate seqLen and ackLen over the flow. tcpMLen is the real L7 length, just like in basicStats. tcpBFlgt denotes the bytes in flight, i.e. data sent but not yet acknowledged. Similar columns exist in the flow file.

TCP error control relies on sequence and acknowledgement numbers, which are a formidable troubleshooting tool and carry information about network or host problems. The differences between them denote the bytes transferred between the two peers. The packet ACK count (tcpPAckCnt) is only exact if every packet sent is acknowledged individually, i.e. in an idle repeat request (stop-and-wait) mode, which would defeat the purpose of efficient TCP communication; with cumulative and delayed ACKs it is in general only a lower bound.

The fault counts of both directions (tcpSeqFaultCnt, tcpAckFaultCnt) are an indicator of the health of a connection. Divided by the number of packets sent, as reported by basicStats, they give a good per-packet performance measure.

The initial sequence number tcpISeqN is used for covert channels, and it can help to identify packet crafting tools if more than one flow from the same IP is available. Make sure the flow is complete by checking tcpFlags for a SYN; otherwise tcpISeqN is just the sequence number of the first packet seen.
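A check of the kind this paragraph suggests, added here as an example and not code from the tcpFlags plugin: group flows by source host, keep only the flows whose tcpFlags contain a SYN (so that tcpISeqN really is an initial sequence number), order them by first-seen time and classify the differences between consecutive ISNs. The 192.168.1.1 entries are copied from the flow listing above; the hosts 10.0.0.9, 10.0.0.7 and 10.0.0.3 and their values are constructed, and the 2^24 "small steps" cut-off and the assumption that the low byte of tcpFlags holds the standard TCP flag byte (0x02 = SYN) are this example's own.

```python
"""ISN pattern check across the flows of one source host (added example, not tcpFlags code).

Each flow is (srcIP, firstSeen, tcpFlags, tcpISeqN). Assumptions of this example: the low
byte of tcpFlags is the standard TCP flag byte (0x02 = SYN) and 2**24 is the cut-off
below which ISN steps count as "small".
"""
from collections import defaultdict

SYN = 0x02
MOD32 = 1 << 32
SMALL_STEP = 1 << 24


def isn_verdicts(flows, min_flows=3):
    """Group flows by source, keep those whose tcpISeqN is a real ISN (SYN seen),
    order them by first-seen time and classify the differences between consecutive ISNs."""
    by_src = defaultdict(list)
    for src, first_seen, tcp_flags, isn in flows:
        if tcp_flags & SYN:                     # else tcpISeqN is only the first seq seen
            by_src[src].append((first_seen, isn))
    verdicts = {}
    for src, items in by_src.items():
        isns = [isn for _, isn in sorted(items)]
        if len(isns) < min_flows:
            verdicts[src] = "insufficient"
            continue
        deltas = [(b - a) % MOD32 for a, b in zip(isns, isns[1:])]
        if len(set(isns)) == 1:
            verdicts[src] = "constant"          # same ISN on every connection: crafted packets
        elif len(set(deltas)) == 1:
            verdicts[src] = "linear"            # fixed increment: predictable generator
        elif max(deltas) < SMALL_STEP:
            verdicts[src] = "small steps"       # slowly advancing counter
        else:
            verdicts[src] = "no pattern"        # what a randomised ISN generator looks like
    return verdicts


FLOWS = [
    # 192.168.1.1: first-seen time, tcpFlags and tcpISeqN copied from flows 16, 17, 22, 23, 26 above
    ("192.168.1.1", 1258565880.189338, 0x031b, 1405763652),
    ("192.168.1.1", 1258566050.124650, 0x031b, 916601873),
    ("192.168.1.1", 1258567757.457805, 0x031b, 226877106),
    ("192.168.1.1", 1258568036.508400, 0x031b, 1304812153),
    ("192.168.1.1", 1258568738.108301, 0x031b, 1983906088),
    # constructed: a host that reuses one ISN for every connection (SYN-only flows)
    ("10.0.0.9", 10.0, 0x0002, 0x12345678),
    ("10.0.0.9", 11.0, 0x0002, 0x12345678),
    ("10.0.0.9", 12.0, 0x0002, 0x12345678),
    ("10.0.0.9", 13.0, 0x0002, 0x12345678),
    # constructed: a host whose ISN advances by exactly 64000 per connection
    ("10.0.0.7", 20.0, 0x001b, 100000),
    ("10.0.0.7", 21.0, 0x001b, 164000),
    ("10.0.0.7", 22.0, 0x001b, 228000),
    ("10.0.0.7", 23.0, 0x001b, 292000),
    # constructed: flows captured mid-connection (no SYN), so tcpISeqN is not an ISN
    ("10.0.0.3", 30.0, 0x0018, 42),
    ("10.0.0.3", 31.0, 0x0018, 42),
    ("10.0.0.3", 32.0, 0x0018, 42),
]

if __name__ == "__main__":
    for src, verdict in isn_verdicts(FLOWS).items():
        print(f"{src:<14} {verdict}")
```

Feeding the real flow file in is a matter of printing srcIP, timeFirst, tcpFlags and tcpISeqN with tawk and building the tuples from those four columns; hosts with fewer than three SYN flows are reported as "insufficient" rather than guessed at.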

As in earlier versions, the column tcpFlwLssAckRcvdBytes denotes the amount of content transmitted by the opposite flow, derived from the acknowledgement numbers of this flow. So if you only have one direction, you still have a number to estimate the traffic that the pcap did not capture. Some magic to impress customers.
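The bookkeeping behind these columns, as an added example in Python rather than code from the tcpFlags plugin: it replays a constructed trace (a lost segment, three duplicate ACKs and a fast retransmit, the same pattern the packet listing for flow 36 further down shows) and derives seqDiff/ackDiff, seqLen/ackLen, the flow aggregates, the bytes in flight and, from the ACK numbers of one direction alone, the payload the other direction sent. The trace is constructed, and the retransmission and duplicate-ACK counters are this example's own definitions, not the plugin's tcpSeqFaultCnt/tcpAckFaultCnt.

```python
"""Seq/Ack bookkeeping over a constructed TCP trace (added example, not tcpFlags code).
Per-packet fields follow the tutorial's packet-mode columns; the retransmission and
duplicate-ACK counters are this example's own definitions (assumption)."""
from dataclasses import dataclass
from typing import Optional

FIN, SYN, ACK = 0x01, 0x02, 0x10
MOD32 = 1 << 32

def sdiff(a: int, b: int) -> int:
    """Signed a - b in 32-bit sequence space, so a wrapped counter still compares right."""
    d = (a - b) % MOD32
    return d - MOD32 if d >= MOD32 // 2 else d

@dataclass
class Pkt:
    dir: str          # "A" client -> server, "B" server -> client (the tutorial's dir column)
    seq: int
    ack: int
    l7len: int        # payload bytes in this segment
    flags: int = ACK

@dataclass
class DirState:
    isn: Optional[int] = None            # tcpISeqN: seq of the first packet seen
    prev_seq: Optional[int] = None
    prev_ack: Optional[int] = None
    seq_max: int = 0                     # next sequence number this side should send
    ctrl: int = 0                        # SYN/FIN seen; each consumes one sequence number
    seq_flow_len: int = 0                # seqFlowLen: sum of positive seqDiff
    ack_flow_len: int = 0                # ackFlowLen: sum of positive ackDiff
    acked_by_peer: Optional[int] = None  # highest ack number received from the other side
    retrans: int = 0                     # data segments that start below seq_max
    dup_acks: int = 0                    # empty ACKs repeating the previous ack number
    bif_max: int = 0                     # tcpBFlgtMx: largest bytes-in-flight value

def bytes_in_flight(s: DirState) -> int:
    """Sent but not yet acknowledged; before the first ACK from the peer, all since the ISN."""
    return sdiff(s.seq_max, s.isn if s.acked_by_peer is None else s.acked_by_peer)

def payload_sent(s: DirState) -> int:
    """Payload bytes this direction sent, from the sequence space it consumed."""
    return sdiff(s.seq_max, s.isn) - s.ctrl

def estimate_peer_payload(st, d: str) -> int:
    """Payload the opposite direction sent, inferred from direction d's ACK numbers only."""
    return st[d].ack_flow_len

def track(packets):
    """Replay a trace; return per-direction state plus one row of derived columns per packet."""
    st, rows = {"A": DirState(), "B": DirState()}, []
    for no, p in enumerate(packets, 1):
        s = st[p.dir]
        end = (p.seq + p.l7len + bool(p.flags & (SYN | FIN))) % MOD32
        if s.isn is None:
            s.isn, s.seq_max, seq_diff = p.seq, end, 0
        else:
            seq_diff = sdiff(p.seq, s.prev_seq)          # seqDiff: signed, may be negative
            if p.l7len and sdiff(p.seq, s.seq_max) < 0:  # payload already sent once
                s.retrans += 1
            if sdiff(end, s.seq_max) > 0:
                s.seq_max = end
        s.ctrl += bool(p.flags & (SYN | FIN))
        ack_diff = 0
        if p.flags & ACK:
            if s.prev_ack is not None:
                ack_diff = sdiff(p.ack, s.prev_ack)      # ackDiff: bytes newly acknowledged
                if ack_diff == 0 and p.l7len == 0 and not p.flags & (SYN | FIN):
                    s.dup_acks += 1                      # pure duplicate ACK
            s.prev_ack = p.ack
            o = st["B" if p.dir == "A" else "A"]
            if o.acked_by_peer is None or sdiff(p.ack, o.acked_by_peer) > 0:
                o.acked_by_peer = p.ack
        seq_len, ack_len = max(seq_diff, 0), max(ack_diff, 0)   # seqLen / ackLen
        s.seq_flow_len, s.ack_flow_len = s.seq_flow_len + seq_len, s.ack_flow_len + ack_len
        s.prev_seq = p.seq
        bif = bytes_in_flight(s)
        s.bif_max = max(s.bif_max, bif)
        rows.append(dict(pktNo=no, dir=p.dir, seqDiff=seq_diff, ackDiff=ack_diff, seqLen=seq_len,
                         ackLen=ack_len, seqFlowLen=s.seq_flow_len, ackFlowLen=s.ack_flow_len,
                         tcpBFlgt=bif))
    return st, rows

# Constructed trace, not from the tutorial's pcap: B sends five 1380-byte segments, the third
# is lost after the capture point, A answers with three duplicate ACKs, B fast-retransmits.
TRACE = [
    Pkt("A", 1000, 0, 0, SYN),
    Pkt("B", 5000, 1001, 0, SYN | ACK),
    Pkt("A", 1001, 5001, 0),
    Pkt("B", 5001, 1001, 1380),
    Pkt("B", 6381, 1001, 1380),
    Pkt("B", 7761, 1001, 1380),   # lost on the way to A
    Pkt("B", 9141, 1001, 1380),
    Pkt("B", 10521, 1001, 1380),
    Pkt("A", 1001, 7761, 0),      # acknowledges the first two segments
    Pkt("A", 1001, 7761, 0),      # dup ACK 1
    Pkt("A", 1001, 7761, 0),      # dup ACK 2
    Pkt("A", 1001, 7761, 0),      # dup ACK 3 -> fast retransmit
    Pkt("B", 7761, 1001, 1380),   # retransmission: seqDiff < 0, seqLen 0
    Pkt("A", 1001, 11901, 0),     # everything acknowledged
]

if __name__ == "__main__":
    st, rows = track(TRACE)
    print(*rows, sep="\n")
    print("B sent", payload_sent(st["B"]), "bytes; A's ACKs alone say", estimate_peer_payload(st, "A"),
          "| retrans", st["B"].retrans, "| dup ACKs", st["A"].dup_acks, "| max in flight", st["B"].bif_max)
```

The retransmitted segment gets a negative seqDiff and a seqLen of 0, exactly the signature the packet listing for flow 36 shows, and the sum of A's positive ackDiff values equals the payload B actually sent, which is why one direction of a capture is enough to size the other. The sdiff helper is what keeps all of this correct when a sequence number wraps around 2^32.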

tawk 'bitsanyset($tcpAnomaly, 0x0008) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $ipFlags, $tcpFStat, $tcpFlags, $tcpAnomaly, $tcpISeqN, $tcpSeqSntBytes, $tcpSeqFaultCnt, $tcpPAckCnt, $tcpFlwLssAckRcvdBytes, $tcpAckFaultCnt, $tcpBFlgtMx }' ~/results/faf-exercise_flows.txt | tcol

%dir  flowInd  flowStat            srcIP          srcIPCC  srcIPOrg            srcPort  dstIP           dstIPCC  dstIPOrg            dstPort  l4Proto  ipFlags  tcpFStat  tcpFlags  tcpAnomaly  tcpISeqN    tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpBFlgtMx
B     12       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.103   07       "!Private network"  1397     6        0x0044   0x0011    0x031b    0x0008      1702698086  1440            0               30          2943                   1               852
B     13       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.103   07       "!Private network"  1749     6        0x0044   0x0011    0x031b    0x0008      645942508   1405            0               30          5679                   2               852
B     14       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.103   07       "!Private network"  1755     6        0x0044   0x0011    0x031b    0x0008      328872932   1405            0               28          2357                   1               852
B     15       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.105   07       "!Private network"  49218    6        0x0044   0x0a11    0x031b    0x0008      652739796   1519            0               29          4899                   2               852
B     16       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.105   07       "!Private network"  49219    6        0x0044   0x0a11    0x031b    0x0008      1405763652  799             0               30          4429                   2               166
B     17       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.105   07       "!Private network"  49220    6        0x0044   0x0a11    0x031b    0x0008      916601873   1466            0               27          2750                   2               852
B     18       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.103   07       "!Private network"  1806     6        0x0044   0x0011    0x031b    0x0008      925488549   1370            0               28          4371                   2               852
B     19       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.102   07       "!Private network"  1400     6        0x0044   0x0011    0x031b    0x0008      1816175150  1370            0               26          1522                   1               852
B     20       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.102   07       "!Private network"  1404     6        0x0044   0x0011    0x031b    0x0008      113675184   1370            0               28          5247                   2               852
B     21       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.102   07       "!Private network"  1405     6        0x0044   0x0011    0x031b    0x0008      6599705     632             0               28          5796                   1               166
B     22       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.105   07       "!Private network"  49336    6        0x0044   0x0a11    0x031b    0x0008      226877106   1466            0               27          2430                   2               852
B     23       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.105   07       "!Private network"  49353    6        0x0044   0x0a11    0x031b    0x0008      1304812153  1466            0               27          2462                   2               852
B     24       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.103   07       "!Private network"  1836     6        0x0044   0x0011    0x031b    0x0008      1667500374  1370            0               26          3372                   1               852
B     25       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.102   07       "!Private network"  1709     6        0x0044   0x0011    0x031b    0x0008      1075440067  1370            0               26          2374                   1               852
B     26       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.105   07       "!Private network"  49561    6        0x0044   0x0a11    0x031b    0x0008      1983906088  1466            0               28          4334                   2               852
B     27       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.104   07       "!Private network"  1572     6        0x0044   0x0011    0x031b    0x0008      1684028818  308             0               17          1021                   1               166
B     28       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.104   07       "!Private network"  1604     6        0x0044   0x0011    0x031b    0x0008      1644748927  308             0               17          761                    1               166
B     29       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.104   07       "!Private network"  1665     6        0x0044   0x0011    0x031b    0x0008      1401071890  308             0               17          574                    1               166
B     30       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.103   07       "!Private network"  1934     6        0x0044   0x0011    0x031b    0x0008      18417741    1370            0               27          5732                   1               852
B     31       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.103   07       "!Private network"  2008     6        0x0044   0x0011    0x031b    0x0008      2088358893  1370            0               26          3460                   1               852
B     32       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.102   07       "!Private network"  1911     6        0x0044   0x0011    0x031b    0x0008      398501520   1370            0               29          7079                   2               852
A     33       0x0400000000004000  192.168.1.104  07       "!Private network"  1908     198.189.255.75  us       "CENIC"             80       6        0x0040   0x0011    0x011b    0x0008      3626872219  319             0               23          95699                  1               319
A     36       0x0400000000004000  192.168.1.105  07       "!Private network"  49330    143.166.11.10   us       "DELL-BLK"          64334    6        0x0040   0x49b1    0x0416    0x0008      3392384642  0               0               1511        4255056                437             0

If you look at the packet mode from packet 4188 on, you will notice that during the fast retransmit the seqDiff of packet 4209 is negative and its seqLen is 0, denoting that no new L7 content is sent. You can now follow the process of sending and acknowledging data. If you only have one flow, you can estimate the payload of the other flow via ackLen and ackFlowLen for each packet. This comes in really handy if you cannot see the other flow and still want to assess the amount of traffic flowing in the other direction.

tawk 'packet("4188-4211")' ~/results/faf-exercise_packets.txt | tcol

%pktNo  flowInd  flowStat            time                  pktIAT       pktTrip      flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPOrg          srcPort  dstIP          dstIPCC  dstIPOrg          dstPort  l4Proto  ipToS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq         ack         seqMax      seqDiff  ackDiff  seqLen  ackLen  seqFlowLen  ackFlowLen  tcpMLen  tcpBFlgt  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpWS  tcpMSS  tcpTmS  tcpTmER  tcpMPTyp  tcpMPF  tcpMPAID  tcpMPDSSF  tcpOptLen  tcpOpts                                                      tcpStatesAFlags  l7Content
4188    36       0x0400000000004001  1258594178.123989000  0.000008000  0.005184000  14.636962000  3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       DELL-BLK          64334    192.168.1.105  07       !Private network  49330    6        0x00   28901  1         0x4000  111    0x38c5       0x38c5       0x8f75       0x8f75       0x0040   0                       0                     0                 3179900510  3392384643  3179900510  1380     0        1380    0       3304680     0           2687822  24840     0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                       0x00             .X,........\\R\b.7o*.\f...[6...UiT...p.[X@(.OW..;\b.Qn#..-.-\\[..Z..`...E.T..]\v.a!k..is..@.....K.>jb\vK...i ...o..p.Pp..G....a.n\v..t=..e^...D....!9..l.....SPX....a]....E....\f.*y.T.\n.A.n.^....\b..<.z[...CBlJ......O.N...r.Z.....A....f..P..).X.h..........p^.c.....J..M.j..E....el....B.....B?...aS...T:4...\v.n..Dqe...3..l.HQ3&f,KZ....R)..B.....]..........I>....e...w..\v..bp6p.......C..T.[..\v.81......I....w.|....!.8....5....A..\f....T?.m..p\v<...a...[.../.....P.plD..y 
.....j............p...^..\\..\\...j..(.....^...r.....lw.kQ.......<..u....;..........~..;......Is{.Y...<?..;............;.m..k...N?..;...W.(...[-..~.iw.?.....o.*.^..x\b...^...p.t..~...|...c..s.8.G........?Nw.~......\\...eS..~.w.!.F?..w.sy...v..g.....7....U.?................w.../....K....s..........7(..6.....r...oV......'!..j^..0........3.R.yj....p.....k...]~........z.....g\n..?.t.nA.u%J..iJ.@:}..)-.?..wH....W...........~...T\t#....F.k..]A......jJ.E.g..Lz\r.^.>..;...xj|p...a..Y.......k/S.......;.....M.p.\nWX.R....Q2!0.J....0m.....T.6...n!!_h..2I^..e..2.t..%...`.>o,....G......l....\r....kK).\v.1.i@7.,.\\......@.J..A.....F5e....K...P..Ni.HWn..D.F....zU..h3A..\\...l3W.....5KA....C..Z.}O.FiT...o..H.U|VP...R.u%..\boh...,L.\\\n.,I.:.u....n...mrc...9A[..P....!..\v:.....O...\v\vK....:.*=....[2WZ\n`J....(.....@...6A...u...H...uk7f.......4..S\n!...SYTJ..B.&....89.TPP\n."E../9.E.-7<_S.|-..U..Y...?.b.....z$.w~I.6'QXs.\n...\v...2.|.v\nx.B.l...]W..w.
4189    36       0x0400000000004000  1258594178.124053000  0.005248000  0.000064000  14.715768000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17789  1         0x4000  128    0x5885       0x5885       0xa53a       0xa53a       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x18;0x1e  0x00             
4190    36       0x0400000000004000  1258594178.124055000  0.000002000  0.000066000  14.715770000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17790  1         0x4000  128    0x5884       0x5884       0x9fd6       0x9fd6       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x1d;0x82  0x00             
4191    36       0x0400000000004000  1258594178.124056000  0.000001000  0.000067000  14.715771000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17791  1         0x4000  128    0x5883       0x5883       0x9a72       0x9a72       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x22;0xe6  0x00             
4192    36       0x0400000000004000  1258594178.124058000  0.000002000  0.000069000  14.715773000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17792  1         0x4000  128    0x5882       0x5882       0x950e       0x950e       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x28;0x4a  0x00             
4193    36       0x0400000000004000  1258594178.124295000  0.000237000  0.000306000  14.716010000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17793  1         0x4000  128    0x5881       0x5881       0x8faa       0x8faa       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x2d;0xae  0x00             
4194    36       0x0400000000004000  1258594178.124297000  0.000002000  0.000308000  14.716012000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17794  1         0x4000  128    0x5880       0x5880       0x8a46       0x8a46       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x33;0x12  0x00             
4195    36       0x0400000000004000  1258594178.124298000  0.000001000  0.000309000  14.716013000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17795  1         0x4000  128    0x587f       0x587f       0x84e2       0x84e2       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x38;0x76  0x00             
4196    36       0x0400000000004000  1258594178.124300000  0.000002000  0.000311000  14.716015000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17796  1         0x4000  128    0x587e       0x587e       0x7f7e       0x7f7e       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x3d;0xda  0x00             
4197    36       0x0400000000004000  1258594178.124302000  0.000002000  0.000313000  14.716017000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17797  1         0x4000  128    0x587d       0x587d       0x7a1a       0x7a1a       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x43;0x3e  0x00             
4198    36       0x0400000000004000  1258594178.124303000  0.000001000  0.000314000  14.716018000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17798  1         0x4000  128    0x587c       0x587c       0x74b6       0x74b6       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x48;0xa2  0x00             
4199    36       0x0400000000004000  1258594178.124305000  0.000002000  0.000316000  14.716020000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17799  1         0x4000  128    0x587b       0x587b       0x6f52       0x6f52       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x4e;0x06  0x00             
4200    36       0x0400000000004000  1258594178.124306000  0.000001000  0.000317000  14.716021000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17800  1         0x4000  128    0x587a       0x587a       0x69ee       0x69ee       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x53;0x6a  0x00             
4201    36       0x0400000000004000  1258594178.124308000  0.000002000  0.000319000  14.716023000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17801  1         0x4000  128    0x5879       0x5879       0x648a       0x648a       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x58;0xce  0x00             
4202    36       0x0400000000004000  1258594178.124309000  0.000001000  0.000320000  14.716024000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17802  1         0x4000  128    0x5878       0x5878       0x5f26       0x5f26       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x5e;0x32  0x00             
4203    36       0x0400000000004000  1258594178.124545000  0.000236000  0.000556000  14.716260000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17803  1         0x4000  128    0x5877       0x5877       0x59c2       0x59c2       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x63;0x96  0x00             
4204    36       0x0400000000004000  1258594178.124547000  0.000002000  0.000558000  14.716262000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17804  1         0x4000  128    0x5876       0x5876       0x545e       0x545e       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x68;0xfa  0x00             
4205    36       0x0400000000004000  1258594178.124548000  0.000001000  0.000559000  14.716263000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17805  1         0x4000  128    0x5875       0x5875       0x4efa       0x4efa       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x6e;0x5e  0x00             
4206    36       0x0400000000004000  1258594178.124550000  0.000002000  0.000561000  14.716265000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17806  1         0x4000  128    0x5874       0x5874       0x4996       0x4996       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x73;0xc2  0x00             
4207    36       0x0400000000004001  1258594178.196555000  0.072566000  0.072005008  14.709528000  3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       DELL-BLK          64334    192.168.1.105  07       !Private network  49330    6        0x00   30005  1104      0x4000  111    0x3475       0x3475       0x74c0       0x74c0       0x0040   0                       0                     0                 3179901890  3392384643  3179901890  1380     0        1380    0       3306060     0           2689202  1380      0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                       0x00             ...k.J-E..4.hV...P..I....\fbTCy...R:.zY........$*+.....E)....!..L..Bq..]I\n.1..~\b.....e..... T).a#Q....u......|..E"....>.\\a.....6.d).7..FR.=...$..f].%.r*y...e...>..O-..O.\b5....gE.Z./...6.O.Q.4.Y... ..................B........}m.X...RkR.Jo......\r....,]JQv........c.w.....kW...6m...~E..xS?'.J.~M.W.*o...k7..M}..6...kKY..i.D.~.IQ..u..V......T'.\n.^T._+.z.!.f.*.#>k.$.}m...vK.~A...P.;Z.2.G\n...M.....,\\[...YhcK.w4K..!\t2.\r.P......=r..b.K..\n\f=$T....m..?.>./.\nNh...M..\n.TF5.bn...{.......9..V(5Q..)0..;..+...R.jI.....B\v...$..g.=ys.!\r..`..0.P.>.....2..6...r.C...L@.A...m..c...t|..8~9.....++F,\v.."`.[\b?w......u..{...^w......u..{......-.2pY...{i..E..2?j.._b....;x...B-<a.<.[..........>?....[..p.LIT\t..96...\v......vF."..e.W.>.yK!.I.\\..P}...H-D8\ng.(j....q.s.......}..?{.B1.-........y..gt.....e........?\r....aa+(+..Z\fyXI..r\bL:..* .y$.T.C......+..V.'/_..x.....,?%ie...f]..|Ez..d....l.T...ONZ......x.u.n....4)3....b..../9Y.KJ.r...,pK....,..h.....Y....M...t0...`....w.....n..#*kS..m.......\t....G............F....h..-u.~...\t..7 ..\n"..[&...7<\r..(.x#.....oW 
4208    36       0x0400000000004000  1258594178.197003000  0.072453000  0.000448000  14.788718000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       !Private network  49330    143.166.11.10  us       DELL-BLK          64334    6        0x00   17813  7         0x4000  128    0x586d       0x586d       0x4432       0x4432       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x79;0x26  0x00             
4209    36       0x0400000000004001  1258594178.202048000  0.005493000  0.005044992  14.715021000  3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       DELL-BLK          64334    192.168.1.105  07       !Private network  49330    6        0x00   30105  100       0x4000  111    0x3411       0x3411       0xbb17       0xbb17       0x0040   0                       0                     0                 3179870150  3392384643  3179903270  -31740   0        0       0       3306060     0           2690582  1380      0x0811    0x0010    0x0044      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                       0x00             ....5.$*...{5.......\r.I'.,...S.p.Q...XG...T...k.M...hC.8..].q....>!......B.......\v8...x.r|..5(m....'.....,....|B.[.*.@.S..(X.Z...\vV..,..,.W..9.`|..>.R....W._.%&3e.Rh".-..E/vL.....t"g4_..*.....{v..%....J..R....-\v...YL.}L..&...\vj.{R>.|. .....a9#>.....,.g.S..+.Z.@9...rc.5.p.4.U.E4h..V...G.dW...\v....`.O...hw.\\g..........Z./2.....8.K.....wJ....w.. @...g.[.h5r.3.l...x.......L.............{.O...e.*!....[@.(...)].\b..$s...-^s....@...u`UN..8].i#`...BQ...Y...g ....b....\bA..;..h.c..\f....@L0.......#MP&...Z.r.b&(......Kh....D..%\\#... 
4210    36       0x0400000000004001  1258594178.202058000  0.000010000  0.005054992  14.715031000  3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       DELL-BLK          64334    192.168.1.105  07       !Private network  49330    6        0x00   30106  1         0x4000  111    0x3410       0x3410       0xb02e       0xb02e       0x0040   0                       0                     0                 3179903270  3392384643  3179903270  33120    0        33120   0       3339180     0           2691962  2760      0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                       0x00             k..Epx.PT}..g\f<...O....._}~...i..]~.?.{.......... px..~K..i...1.z-.^.....\\..w.{..b'.\r..pO..P...}..{..PQp..;..<\v.Qp_...p..w<....6.u.\r...6.?...p...1...\vo#..\b.^Y.\r.H'\v.U..PUA.1=..\t.......r.h...H.taY.An....^w....hi.....k....x...O.......Wm.....E....a.G{L....>.nQ........~......=....._..-..r7y...)....LT.G....A...n....E..Tbb;..4y..N.c..m.?...~\n..}\n.=xn.....{.....6\\..w.....a?4Tu.?^....'.....M..B..T.......F..QJ.[J(...........J.s.z.B\r...j..~.\bO.|^}.M).yQM.7.......j..jxT.B\v.....{n\t.....=[....m...sL.P.......>..>8Ry..92..Y....c.G.:..b.x..%S......`9.{c.?G=.|...<.....<$.}....\\{......>]....w....{..q....lnj...:.....Kz............o...'.~y.S....._l....{....'e.q..z^1~.....x~s.j..........X......\v#?...V8B.U...r$-={....8.<.....L..?s..=.,>......:v..W..9w.....b..\\......I......%.c...G~.3S.v....8,.?..C.r.......pO\t..,x....r..6\r.....tl....G.~........F/z....f.....6.1.os..Y.?.......g......n.8..:|..._\\p..U....|.'_.Y....f........\v>Y..3..?...{.,......o.g..._.6+...O..C.._..7......&.z....{...N.j....T........'>.zp....M\\....X5...=0..u..g..<o.p2..E?;@...|.6...'.....37U[....97.......>5...o..z8..'..;>...K............J.y..;i..isf-.|..#...._...P.u.i.._.>....wl...e..~........\b.8.._.?.B..Rk\b5.B92NC......=."g.Pk.N.\f.\\..KC.PD......}..
4211    36       0x0400000000004001  1258594178.202310000  0.000252000  0.005306992  14.715283000  3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       DELL-BLK          64334    192.168.1.105  07       !Private network  49330    6        0x00   30115  9         0x4000  111    0x3407       0x3407       0x0894       0x0894       0x0040   0                       0                     0                 3179904650  3392384643  3179904650  1380     0        1380    0       3340560     0           2693342  4140      0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                       0x00             8X..W2Wj/,U.o........w.......o...?.x..)(..|Yo.o_.`.....\n\nK\n...er..J4r....!~..;)}yJ.R.$.`\vd)...G...\v.&.I.....<.K5cZ....iV..9.....d.,B'$.B..0ocM.L].U.?XUHpL..|. .C^...;..8f.(....W..v.........Q.B \f.....G....(....mu_..}..?\r|?.S...=\r3..{..3...[a.]..>k\b../>....w.Qd...sC.9.v...'M....P......tA.Hd.(.=./\f."Mij....'h.4 ..S.....(..5.=n../...b)o..Q1)ih..p.....4n.W.S..j.k~aJ.......\rW.YM........\t5p._F.4f.4...T......Z3T.S.......V.^...xS.6.F,.k....z......{..\\...q~~k.....;..y....{s.'..'......[..{.......R....G.@.I..TF..._C.......?.[/-...=YH_l...n.R..L....*....&J..J}G...{W..!5.K...e.....y[.85.*c\v6o,.......<.B}o..^.T..u.a....|..~...E..._-5.........3....u.>........\vx...W.....?...t......N.....7.!..*\r.i..f).4Z....Ko....tlE....F.].....O..|../.ZgY.(5...r..`\fJ\r\vMx...P.(P...v.\\..0.x...N]....)..../\b...Z..AH.[....I..@j.d"zl..\v..o,.6..o....\\...-..`........#."..}..h.z..|!....v.k=....P.?.......67..9.D.P. Q.......%P.....G<k....b.....l.e\v\v...e...P......OS./...n...z..w.(A.G.=......F.y.C.3l.V...........^..L!........p...:L....nf7.m...R...^..\r..\r.....M.H.~.d..~.t.9.p`.......Ay...Q.....4R/...T..6.......@Co.0j......s ...'..D.T9...7.J...m.]................Z.C.].<=5 O......;...+.. 

SPKTMD_SEQACKREL in tcpFlags.h controls the output of the seq/ack numbers in packet mode. Switching to relative numbers facilitates the analysis of irregularities in throughput. Look into the packet mode tutorial for an example of absolute and relative seq/ack numbers.

RTT estimate

The Round Trip Time (RTT) estimate is a vital tool for troubleshooting. The mode is controlled by RTT_ESTIMATE in tcpFlags.h. The RTT features are estimated for all L4 protocols and give additional information about TCP connection anomalies such as ACK retries and SYN connection timeout retries.

  • tcpSSASAATrip denotes the RTT during the TCP connection phase, which is not influenced by the src and dst hosts.
  • tcpSSASAATrip denotes the time from the measurement point to the dst host and back.
  • tcpRTTAckTripMin, tcpRTTAckTripMax, tcpRTTAckTripAvg denote the minimal, maximal and average trip time.
  • tcpRTTSseqAA denotes the total RTT, which also includes the delays at the hosts.
  • tcpRTTAckJitAvg denotes the average jitter, useful for voice communication; see also the voipDetector plugin.

RTT can also be estimated from the TCP timestamp option. Using the MSS, which is supplied in the TCP options, together with the RTT, a bandwidth per flow can be calculated.

Let's look for flows whose <RTT> or initial sequence RTT is greater than 0.5 seconds.

tawk '$tcpRTTAckTripJitAvg > 0.5 || $tcpRTTSseqAA > 0.5 { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly, $tcpSSASAATrip, $tcpRTTAckTripMin, $tcpRTTAckTripMax, $tcpRTTAckTripAvg, $tcpRTTAckTripJitAvg, $tcpRTTSseqAA, $tcpRTTAckJitAvg}' ~/results/faf-exercise_flows.txt | tcol

%dir  flowInd  flowStat            srcIP          srcIPCC  srcIPOrg            srcPort  dstIP          dstIPCC  dstIPOrg            dstPort  l4Proto  tcpFStat  ipFlags  tcpFlags  tcpAnomaly  tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAvg  tcpRTTAckTripJitAvg  tcpRTTSseqAA  tcpRTTAckJitAvg
A     11       0x0400000000004000  192.168.1.104  07       "!Private network"  1384     63.245.221.11  us       "!Mozilla Anycast"  80       6        0x0011    0x0040   0x011b    0x0000      0.061556       0.02061101        23.03958          2.930275          8.20785              0.06196701    0
B     11       0x0400000000004001  63.245.221.11  us       "!Mozilla Anycast"  80       192.168.1.104  07       "!Private network"  1384     6        0x0811    0x0044   0x031b    0x0000      0.000411008    0.000405984       8.196325          1.171332          3.09773              4.101607      8.772954
A     10       0x0400000000004000  192.168.1.104  07       "!Private network"  1379     63.245.221.11  us       "!Mozilla Anycast"  80       6        0x0811    0x0040   0x011b    0x0000      0.005547008    7.1008e-05        22.97788          1.313045          5.416256             0.005753984   0
B     10       0x0400000000004001  63.245.221.11  us       "!Mozilla Anycast"  80       192.168.1.104  07       "!Private network"  1379     6        0x0811    0x0044   0x031b    0x0000      0.000206976    0.000186016       9.952202          1.338241          3.450881             2.651285      6.422182
B     12       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.103  07       "!Private network"  1397     6        0x0011    0x0044   0x031b    0x0008      0.000452032    0.000294976       2.176203          0.1305968         0.5305589            0.1459511     0.5378596
B     19       0x0400000000004001  192.168.1.1    07       "!Private network"  25       192.168.1.102  07       "!Private network"  1400     6        0x0011    0x0044   0x031b    0x0008      0.000201984    0.000101952       3.94484           0.2614954         1.016245             0.2686045     1.016971
A     35       0x0400000000004000  192.168.1.105  07       "!Private network"  49329    143.166.11.10  us       "DELL-BLK"          21       6        0x0811    0x0040   0x001a    0x0000      0.08025197     0.07749402        306.0649          29.85101          91.8391              0.08094997    0
B     35       0x0400000000004001  143.166.11.10  us       "DELL-BLK"          21       192.168.1.105  07       "!Private network"  49329    6        0x0811    0x0044   0x061e    0x0000      0.000698       0.000449984       0.194089          0.04303963        0.07786669           29.89405      91.83913

L3/4 checksums

Looking at checksums reveals whether the L4 header or the content has been manipulated. Moreover, you can determine whether a pcap was captured on the computer itself or at a network intercept, such as a SPAN port. This only works if checksum offloading is supported and enabled on the hardware: think about what the checksum looks like if the pcap is captured on the computer itself.

Another cause of checksum errors can be payload snapped (truncated) during traffic capture.

annoloc2.pcap was captured in 2002 and is very murky.
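As an added example that is not part of the tutorial or of Tranalyzer, the following Python recomputes the IPv4 header and TCP checksums of a constructed packet from the bytes a capture actually contains, mirroring the ipHdrChkSum/ipCalChkSum and l4HdrChkSum/l4CalChkSum columns. It shows that snapping a packet down to its headers (40 L3 bytes, as in annoloc2.pcap below) leaves the L3 checksum valid, since it only covers the IP header, while the L4 checksum, which also covers the payload, no longer adds up. The function names, the RFC 5737 documentation addresses and the payload are my own constructions.

```python
# Added example (not part of the tcpFlags tutorial or of Tranalyzer): IPv4 header
# and TCP checksums computed from the bytes a capture actually contains, to show
# why a snapped packet keeps a valid L3 checksum but gets a wrong L4 checksum.
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ipv4_header(src: str, dst: str, total_len: int, ip_id: int = 0x1234, ttl: int = 128) -> bytes:
    """20-byte IPv4 header (IHL=5, DF set, proto=TCP) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0x4000, ttl, 6, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                flags: int, window: int, payload: bytes) -> bytes:
    """20-byte TCP header plus payload; the checksum also covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = ip_to_bytes(src) + ip_to_bytes(dst) + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def verify_checksums(ip_packet: bytes) -> dict:
    """Recompute the L3 and L4 checksums of one (possibly snapped) IPv4/TCP packet.

    The result mirrors the tcpFlags columns ipHdrChkSum/ipCalChkSum and
    l4HdrChkSum/l4CalChkSum. Like any capture tool it can only sum the bytes
    present in the capture, while the pseudo-header must carry the length the
    IP header claims, so a snapped payload makes the L4 checksum disagree.
    """
    ihl = (ip_packet[0] & 0x0F) * 4
    ip_hdr = ip_packet[:ihl]
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    l4_len_claimed = total_len - ihl          # from the IP header
    l4_bytes = ip_packet[ihl:]                # what was actually captured
    if len(l4_bytes) < 20:
        raise ValueError("L4 header snapped")  # cf. the [WRN] L4 header snapped message
    ip_hdr_sum = struct.unpack("!H", ip_hdr[10:12])[0]
    ip_cal_sum = checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])   # header only
    l4_hdr_sum = struct.unpack("!H", l4_bytes[16:18])[0]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, ip_hdr[9], l4_len_claimed)
    l4_cal_sum = checksum(pseudo + l4_bytes[:16] + b"\x00\x00" + l4_bytes[18:])
    return {
        "ipHdrChkSum": ip_hdr_sum, "ipCalChkSum": ip_cal_sum, "ipOK": ip_hdr_sum == ip_cal_sum,
        "l4HdrChkSum": l4_hdr_sum, "l4CalChkSum": l4_cal_sum, "l4OK": l4_hdr_sum == l4_cal_sum,
        "snapped": len(l4_bytes) < l4_len_claimed,
    }


def snap_demo(snaplen: int = 40) -> tuple:
    """Constructed packet, checked whole and then snapped to `snaplen` L3 bytes
    (20 IP + 20 TCP, i.e. headers only, as in annoloc2.pcap)."""
    src, dst = "192.0.2.10", "198.51.100.20"   # constructed RFC 5737 addresses
    payload = b"GET / HTTP/1.0\r\n\r\n"        # constructed payload
    seg = tcp_segment(src, dst, 49330, 80, 0xCA1E5ADD, 0, 0x18, 64860, payload)
    pkt = ipv4_header(src, dst, 20 + len(seg)) + seg
    return verify_checksums(pkt), verify_checksums(pkt[:snaplen])


if __name__ == "__main__":
    for label, result in zip(("full packet", "snapped to 40 bytes"), snap_demo()):
        print(label, result)
```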

t2 -r ~/data/annoloc2.pcap -w ~/results -s

================================================================================
Tranalyzer 0.9.4 (Anteater), Cobra. PID: 61373, Prio: 0, SID: 666
================================================================================
Date: 1751730418.000205279 sec (Sat 05 Jul 2025 17:46:58 CEST)
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.4
    02: tcpFlags, 0.9.4
    03: tcpStates, 0.9.4
    04: txtSink, 0.9.4
[INF] IPv4 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 7237865 (7.24 M)
[INF] IPv6 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 1419083 (1.42 M)
Processing file: /home/user/data/annoloc2.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 66
Dump start: 1022171701.691172000 sec (Thu 23 May 2002 16:35:01 GMT)
[WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500
Dump stop : 1022171726.640398000 sec (Thu 23 May 2002 16:35:26 GMT)
Total dump duration: 24.949226000 sec
Finished processing. Elapsed time: 4.461510050 sec
Finished unloading flow memory. Time: 4.593032726 sec
Percentage completed: 100.00%
Number of processed packets: 1219015 (1.22 M)
Number of processed bytes: 64082726 (64.08 M)
Number of raw bytes: 844642686 (844.64 M)
Number of pad bytes: 1758405 (1.76 M)
Number of pcap bytes: 83586990 (83.59 M)
Number of L2 packets: 247 [0.02%]
Number of IPv4 packets: 1218588 (1.22 M) [99.96%]
Number of IPv6 packets: 180 [0.01%]
Number of A packets: 564233 (564.23 K) [46.29%]
Number of B packets: 654782 (654.78 K) [53.71%]
Number of A bytes: 29448166 (29.45 M) [45.95%]
Number of B bytes: 34634560 (34.63 M) [54.05%]
<A packet load>: 52.19
<B packet load>: 52.89
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x7964
tcpFlags: Aggregated tcpFStat=0x5fff
tcpFlags: Aggregated tcpFlags=0x07ff
tcpFlags: Aggregated tcpAnomaly=0x23ff
tcpFlags: Aggregated ipToS=0xff
tcpFlags: Number of TCP scans attempted, successful: 970, 875 [90.21%]
tcpFlags: Number of TCP SYN retries, seq retries: 147, 5286 (5.29 K)
tcpFlags: Number WinSz below 1: 1280 (1.28 K) [0.13%]
tcpStates: Aggregated tcpStatesAFlags=0xdf
--------------------------------------------------------------------------------
Headers count: min: 2, max: 5, avg: 3.01
Number of ARP packets: 247 [0.02%]
Number of GRE packets: 20 [0.00%]
Number of IGMP packets: 12 [0.00%]
Number of ICMP packets: 3059 (3.06 K) [0.25%]
Number of ICMPv6 packets: 11 [0.00%]
Number of TCP packets: 948743 (948.74 K) [77.83%]
Number of TCP bytes: 52643546 (52.64 M) [82.15%]
Number of UDP packets: 266900 (266.90 K) [21.89%]
Number of UDP bytes: 11234272 (11.23 M) [17.53%]
Number of IPv4 fragmented packets: 2284 (2.28 K) [0.19%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 17601 (17.60 K)
Number of processed L2   flows: 99 [0.56%]
Number of processed IPv4 flows: 17440 (17.44 K) [99.09%]
Number of processed IPv6 flows: 62 [0.35%]
Number of processed A    flows: 9994 (9.99 K) [56.78%]
Number of processed B    flows: 7607 (7.61 K) [43.22%]
Number of request        flows: 9947 (9.95 K) [56.51%]
Number of reply          flows: 7654 (7.65 K) [43.49%]
Total   A/B    flow asymmetry: 0.14
Total req/rply flow asymmetry: 0.13
Number of processed A+B packets/A+B flows: 69.26
Number of processed A   packets/A   flows: 56.46
Number of processed   B packets/  B flows: 86.08
Number of processed total packets/s: 48859.83 (48.86 K)
Number of processed A+B   packets/s: 48859.83 (48.86 K)
Number of processed A     packets/s: 22615.25 (22.61 K)
Number of processed   B   packets/s: 26244.58 (26.24 K)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 705.47
<Bandwidth>: 270268555 b/s (270.27 Mb/s)
<Snapped bandwidth>: 20548205 b/s (20.55 Mb/s)
<Raw bandwidth>: 270835716 b/s (270.84 Mb/s)
Max number of flows in memory: 15218 (15.22 K) [5.81%]
Memory usage: 0.12 GB [0.18%]
Aggregated flowStat=0x0c0018fa0222d044
[WRN] L3 SnapLength < Length in IP header
[WRN] L4 header snapped
[WRN] Consecutive duplicate IP ID
[WRN] IPv4/6 fragmentation header packet missing
[WRN] IPv4/6 packet fragmentation sequence not finished
[INF] Stop dissecting: Clipped packet, unhandled protocol or subsequent fragment
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] IPv6 flows
[INF] ARP
[INF] IPv4/6 fragmentation
[INF] IPv4/6 in IPv4/6
[INF] GRE encapsulation
[INF] GTP tunnel
[INF] SSDP/UPnP

tawk -V ipFlags=0x7964

The ipFlags column with value 0x7964 is to be interpreted as follows:

   bit | ipFlags | Description
   =============================================================================
     2 | 0x0004  | IPv4 ID roll over
     5 | 0x0020  | More Fragment bit
     6 | 0x0040  | IPv4: Don't Fragment bit, IPv6: reserve bit
     8 | 0x0100  | Fragmentation position error
    11 | 0x0800  | L4 checksum error
    12 | 0x1000  | Length in L3/4 header < actual L3/4 length
    13 | 0x2000  | Length in UDP/UDP-Lite header != actual UDP/UDP-Lite length
    14 | 0x4000  | Packet inter-distance = 0

tawk -V tcpFStat=0x5fff

The tcpFStat column with value 0x5fff is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     1 | 0x0002   | TCP option init
     2 | 0x0004   | Timestamp option decreasing
     3 | 0x0008   | L4 option field corrupt or not acquired
     4 | 0x0010   | Window state-machine initialized
     5 | 0x0020   | Window update
     6 | 0x0040   | Win 0 probe
     7 | 0x0080   | Win 0 probe ACK
     8 | 0x0100   | Min Window detected
     9 | 0x0200   | WS used
    10 | 0x0400   | Window full
    11 | 0x0800   | Window state-machine count up(1)/down(0)
    12 | 0x1000   | L4 checksum calculation if present
    14 | 0x4000   | TCP Selective ACK option

tawk -V tcpFlags=0x0fdf

The tcpFlags column with value 0x0fdf is to be interpreted as follows:

   bit | tcpFlags | Description
   =============================================================================
     0 | 0x0001     | FIN: No more data, finish connection
     1 | 0x0002     | SYN: Synchronize sequence numbers
     2 | 0x0004     | RST: Reset connection
     3 | 0x0008     | PSH: Push data
     4 | 0x0010     | ACK: Acknowledgement field value valid
     6 | 0x0040     | ECE: ECN-Echo
     7 | 0x0080     | CWR: Congestion Window Reduced flag is set
     8 | 0x0100     | FIN_ACK: Acknowledgement of FIN
     9 | 0x0200     | SYN_ACK: Acknowledgement of SYN
    10 | 0x0400     | RST_ACK: Acknowledgement of RST
    11 | 0x0800     | Potential NULL scan packet or malicious channel

tawk -V tcpAnomaly=0x33ff

The tcpAnomaly column with value 0x33ff is to be interpreted as follows:

   bit | tcpAnomaly | Description
   =============================================================================
     0 | 0x0001     | SYN retransmission
     1 | 0x0002     | SEQ Timeout retransmission
     2 | 0x0004     | SEQ Fast retransmission
     3 | 0x0008     | Duplicate ACK
     4 | 0x0010     | TCP Keep-Alive
     5 | 0x0020     | TCP Keep-Alive ACK
     6 | 0x0040     | Sequence number out-of-order
     7 | 0x0080     | Sequence mess, rather spurious Retransmission
     8 | 0x0100     | ACK for unseen packet
     9 | 0x0200     | Previous packet not captured
    12 | 0x1000     | Scan detected in flow
    13 | 0x2000     | Successful scan detected in flow

As the aggregated ipFlags=0x7964 and tcpAnomaly=0x33ff in the end report indicate, there are lots of broken packets, caused by the anonymization, and scans were detected.

The flowStat in the end report and in all flows carries an L3 packet length field warning, which results in wrong L4 checksums. Select all flows with L3/4 checksum errors and display the first 20, as all flows have the problem.

tawk 'bitsanyset($ipFlags, 0x0c00) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly }' ~/results/annoloc2_flows.txt | head -n 20 | tcol

%dir  flowInd  flowStat            srcIP            srcIPCC  srcIPOrg                            srcPort  dstIP            dstIPCC  dstIPOrg                            dstPort  l4Proto  tcpFStat  ipFlags  tcpFlags  tcpAnomaly
A     265      0x0400000000004000  209.171.12.143   ca       "TELUS Communications"              4987     138.212.185.230  jp       "!ASAHI KASEI CORPORATION"          41250    6        0x0011    0x0840   0x00c4    0x0000
A     447      0x0400000000004000  217.41.129.13    gb       "BT-MIDBAND"                        58872    138.212.187.186  jp       "!ASAHI KASEI CORPORATION"          80       6        0x0011    0x0840   0x0044    0x0000
A     392      0x0400000000004000  36.242.181.230   jp       "SOFTBANK Corp"                     4685     138.212.188.67   jp       "!ASAHI KASEI CORPORATION"          1214     6        0x0011    0x0840   0x00c2    0x3000
B     392      0x0400000000004001  138.212.188.67   jp       "!ASAHI KASEI CORPORATION"          1214     36.242.181.230   jp       "SOFTBANK Corp"                     4685     6        0x0011    0x0800   0x04d4    0x2000
A     906      0x0400000000004000  161.135.53.11    us       "FedEx"                             5001     138.212.191.94   jp       "!ASAHI KASEI CORPORATION"          80       6        0x0011    0x0840   0x00c2    0x3000
B     906      0x0400000000004001  138.212.191.94   jp       "!ASAHI KASEI CORPORATION"          80       161.135.53.11    us       "FedEx"                             5001     6        0x0011    0x0800   0x04d4    0x2000
A     1027     0x0400000000004000  146.162.158.230  gb       "!Norwich Union Insurance Limited"  2849     138.212.184.193  jp       "!ASAHI KASEI CORPORATION"          6346     6        0x0011    0x0840   0x0042    0x3000
B     1027     0x0400000000004001  138.212.184.193  jp       "!ASAHI KASEI CORPORATION"          6346     146.162.158.230  gb       "!Norwich Union Insurance Limited"  2849     6        0x0011    0x0840   0x0454    0x2000
A     1154     0x0400000000004000  193.133.224.57   gb       "Verizon UK Limited"                3286     138.212.188.67   jp       "!ASAHI KASEI CORPORATION"          1214     6        0x0011    0x0840   0x0002    0x3000
B     1154     0x0400000000004001  138.212.188.67   jp       "!ASAHI KASEI CORPORATION"          1214     193.133.224.57   gb       "Verizon UK Limited"                3286     6        0x0011    0x0800   0x0414    0x2000
A     867      0x0400000200004000  138.212.184.48   jp       "!ASAHI KASEI CORPORATION"          6666     36.74.248.27     id       "PT TELKOM INDONESIA"               1108     6        0x0011    0x1840   0x0058    0x0000
B     867      0x0400000000004001  36.74.248.27     id       "PT TELKOM INDONESIA"               1108     138.212.184.48   jp       "!ASAHI KASEI CORPORATION"          6666     6        0x0011    0x0840   0x0044    0x0000
A     864      0x0400000200004000  19.54.241.65     us       "!Ford Motor Company"               6667     138.212.191.209  jp       "!ASAHI KASEI CORPORATION"          45891    6        0x0011    0x1840   0x00d8    0x0000
B     864      0x0400000000004001  138.212.191.209  jp       "!ASAHI KASEI CORPORATION"          45891    19.54.241.65     us       "!Ford Motor Company"               6667     6        0x0011    0x0844   0x01d5    0x3000
A     1336     0x0400000000004000  216.21.10.20     us       "!High Mountain Broadband"          1305     138.212.191.94   jp       "!ASAHI KASEI CORPORATION"          80       6        0x0011    0x0840   0x0002    0x3000
B     1336     0x0400000000004001  138.212.191.94   jp       "!ASAHI KASEI CORPORATION"          80       216.21.10.20     us       "!High Mountain Broadband"          1305     6        0x0011    0x0800   0x0414    0x2000
A     1512     0x0400000000004000  19.150.217.57    us       "!Ford Motor Company"               1678     138.212.189.66   jp       "!ASAHI KASEI CORPORATION"          1214     6        0x0011    0x0800   0x0004    0x0000
A     1534     0x0400000000004000  216.233.229.167  us       "MCI Communications Services, LLC"  3782     138.212.185.86   jp       "!ASAHI KASEI CORPORATION"          1058     6        0x0011    0x0840   0x0042    0x3000
B     1534     0x0400000000004001  138.212.185.86   jp       "!ASAHI KASEI CORPORATION"          1058     216.233.229.167  us       "MCI Communications Services, LLC"  3782     6        0x0011    0x0800   0x0454    0x2000

Below, the flow with flowInd 1336 is extracted to show that every packet carries a wrong L4 checksum; compare l4HdrChkSum with l4CalChkSum. The L3 checksums add up, why?

tawk 'flow(1336)' ~/results/annoloc2_packets.txt | tcol

%pktNo  flowInd  flowStat            time                  pktIAT       pktTrip      flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP           srcIPCC  srcIPOrg                  srcPort  dstIP           dstIPCC  dstIPOrg                  dstPort  l4Proto  ipToS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq      ack      seqMax   seqDiff  ackDiff  seqLen  ackLen  seqFlowLen  ackFlowLen  tcpMLen  tcpBFlgt  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpWS  tcpMSS  tcpTmS  tcpTmER  tcpMPTyp  tcpMPF  tcpMPAID  tcpMPDSSF  tcpOptLen  tcpOpts                                  tcpStatesAFlags  l7Content
19221   1336     0x0400000000004000  1022171702.098369000  0.000000000  0.000000000  0.000000000   3        eth:ipv4:tcp          00:d0:02:6d:78:00  00:60:08:69:80:dd  0x0800   216.21.10.20    us       !High Mountain Broadband  1305     138.212.191.94  jp       !ASAHI KASEI CORPORATION  80       6        0x00   11025  0         0x4000  119    0xac5a       0xac5a       0xa8c3       0x0150       0x0840   0                       0                     0                 1389457  0        1389457  0        0        0       0       0           0           0        0         0x0010    0x0002    0x0000      8192    0      536     0       0        0         0x00    0         0x00       8          0x02;0x04;0x02;0x18;0x01;0x01;0x04;0x02  0x00             
19247   1336     0x0400000000004001  1022171702.098389000  0.000000000  0.000020000  0.000000000   3        eth:ipv4:tcp          00:60:08:69:80:dd  00:d0:02:6d:78:00  0x0800   138.212.191.94  jp       !ASAHI KASEI CORPORATION  80       216.21.10.20    us       !High Mountain Broadband  1305     6        0x00   22725  0         0x0000  128    0xb5ae       0xb5ae       0xf1d7       0x4a64       0x0800   0                       0                     0                 0        1389458  0        0        0        0       0       0           0           0        0         0x0010    0x0414    0x0000      0       0      0       0       0        0         0x00    0         0x00       0

TCP options

TCP options contain vital information about connection characteristics and even let us guess something about the type of application involved. Let us select the MSS and WSC options to see whether the decoding works, i.e., bit positions 2 and 3 in tcpOptions (mask 0x0000000c).

tawk 'bitsanyset($tcpOptions, 0x0000000c) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $tcpFlags, $ipFlags, $tcpAnomaly, $tcpOptCnt, $tcpOptions, $tcpMSS, $tcpWS }' ~/results/annoloc2_flows.txt | head -n 20 | tcol

%dir  flowInd  flowStat            srcIP            srcIPCC  srcIPOrg                            srcPort  dstIP            dstIPCC  dstIPOrg                    dstPort  l4Proto  tcpFStat  tcpFlags  ipFlags  tcpAnomaly  tcpOptCnt  tcpOptions  tcpMSS  tcpWS
A     392      0x0400000000004000  36.242.181.230   jp       "SOFTBANK Corp"                     4685     138.212.188.67   jp       "!ASAHI KASEI CORPORATION"  1214     6        0x0011    0x00c2    0x0840   0x3000      4          0x00000016  1436    0
A     906      0x0400000000004000  161.135.53.11    us       "FedEx"                             5001     138.212.191.94   jp       "!ASAHI KASEI CORPORATION"  80       6        0x0011    0x00c2    0x0840   0x3000      3          0x0000000e  1460    0
A     1027     0x0400000000004000  146.162.158.230  gb       "!Norwich Union Insurance Limited"  2849     138.212.184.193  jp       "!ASAHI KASEI CORPORATION"  6346     6        0x0011    0x0042    0x0840   0x3000      4          0x00000016  1460    0
A     1154     0x0400000000004000  193.133.224.57   gb       "Verizon UK Limited"                3286     138.212.188.67   jp       "!ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  1460    0
A     1336     0x0400000000004000  216.21.10.20     us       "!High Mountain Broadband"          1305     138.212.191.94   jp       "!ASAHI KASEI CORPORATION"  80       6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  536     0
A     1534     0x0400000000004000  216.233.229.167  us       "MCI Communications Services, LLC"  3782     138.212.185.86   jp       "!ASAHI KASEI CORPORATION"  1058     6        0x0011    0x0042    0x0840   0x3000      4          0x00000016  1460    0
A     1586     0x0400000200004000  130.92.198.110   ch       "Universitaet Bern"                 1249     138.212.191.248  jp       "!ASAHI KASEI CORPORATION"  1214     6        0x4811    0x01db    0x1840   0x0088      16         0x00000036  1460    0
B     1586     0x0400000200004001  138.212.191.248  jp       "!ASAHI KASEI CORPORATION"          1214     130.92.198.110   ch       "Universitaet Bern"         1249     6        0x0011    0x03df    0x5840   0x0044      4          0x00000016  1460    0
A     1836     0x0400000000004000  209.114.247.93   us       "AMAZON-02"                         1335     138.212.187.11   jp       "!ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0042    0x0840   0x3000      4          0x00000016  536     0
A     1909     0x0400000000004000  19.27.88.236     us       "!Ford Motor Company"               4045     138.212.186.88   jp       "!ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0082    0x0840   0x3000      4          0x00000016  1452    0
A     1959     0x0400000000004000  216.21.10.20     us       "!High Mountain Broadband"          1305     138.212.191.94   jp       "!ASAHI KASEI CORPORATION"  80       6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  536     0
A     1904     0x0400000000004000  138.212.186.27   jp       "!ASAHI KASEI CORPORATION"          1396     83.220.134.126   de       "PLUSSERVER-ASN1"           4661     6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  1452    0
A     1969     0x0400000000004000  83.0.129.97      pl       "TPNET"                             1395     138.212.187.11   jp       "!ASAHI KASEI CORPORATION"  1214     6        0x0011    0x00c2    0x0840   0x3000      4          0x00000016  1460    0
A     2060     0x0400000000004000  18.97.211.233    us       "AMAZON-02"                         3448     138.212.187.247  jp       "!ASAHI KASEI CORPORATION"  1214     6        0x0011    0x00c2    0x0840   0x3000      4          0x00000016  1460    0
A     2113     0x0400000000004000  36.92.31.200     id       "TELKOMNET-AS-AP PT Telekomunikas"  48337    138.212.185.86   jp       "!ASAHI KASEI CORPORATION"  1052     6        0x0011    0x0042    0x0800   0x3000      4          0x00000016  1460    0
A     2183     0x0400000000004000  201.133.193.218  mx       "UNINET"                            3134     138.212.187.11   jp       "!ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  1440    0
A     2236     0x0400000000004000  83.45.182.68     es       "RIMA"                              1322     138.212.187.10   jp       "!ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0082    0x0840   0x3000      4          0x00000016  1460    0
A     2274     0x0400000000004000  201.53.22.207    br       "LACNIC-CIDR-BLOCK"                 4810     138.212.187.11   jp       "!ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  1460    0
A     2333     0x0400000000004000  193.99.26.18     de       "DE-EUNET-19941130"                 1925     138.212.188.67   jp       "!ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0082    0x0840   0x3000      6          0x0000001e  1452    0

Timestamp options are a formidable tool for RTT estimation, even when the RTT measurements are influenced by L7 protocol reaction times, and for revealing the boot time of the source host.

Boot time estimation

The TCP timestamp option, originally created for Round Trip Time (RTT) measurements, can be abused for boot time estimation, because operating systems used the uptime as the basis for the TCP timestamp.

As different machines boot at different times, this measure separates them even behind a NAT, where you normally see only one IP address. The only problem is that different OSes use different clock increments; the increment can be calculated if several packets per flow are available, otherwise it comes down to guessing the OS. The column tcpEcI below denotes this increment.

Unfortunately, newer versions of different OSes use a random value per connection, i.e., per flow. Hence, comparing different flows from the same machine yields different uptimes or boot times, and the measure becomes useless. Nevertheless, the estimation of tcpEcI is still useful for newer OSes.

annoloc2.pcap was acquired in 2002, so if you look at the boot times below you will see the correlation; it works.

tawk '{ print $srcIP, $tcpTmS, $tcpTmER, $tcpEcI, $tcpUtm, $tcpBtm }' ~/results/annoloc2_flows.txt | sort -V | uniq | awkf '$2' | head -n 40 | tcol

18.2.89.211     7748617     849533919  0.01  77486.168268     1022094226.113856951
18.2.89.211     7748924     849534263  0.01  77489.238268     1022094226.117550020
18.2.89.211     7749342     849534680  0.01  77493.418268     1022094226.112001113
18.2.89.211     7749343     849534252  0.01  77493.428268     1022094226.110961114
18.2.89.211     7749424     204508834  0.01  77494.238268     1022094226.109820132
18.2.89.211     7749524     849534270  0.01  77495.238268     1022094226.114325154
18.2.89.211     7749624     849534698  0.01  77496.238268     1022094226.112042176
18.2.89.211     7749726     849535064  0.01  77497.258268     1022094226.108769199
18.2.89.211     7749831     849534861  0.01  77498.308268     1022094226.110498223
18.2.89.211     7749831     849535169  0.01  77498.308268     1022094226.106989223
18.2.89.211     7749838     849535176  0.01  77498.378268     1022094226.108499224
18.2.89.211     7749938     849535064  0.01  77499.378268     1022094226.111826247
18.2.89.211     7749967     849535305  0.01  77499.668268     1022094226.108142253
18.85.17.135    22846249    826368     0.01  228462.484893    1021943255.4210824831
18.85.17.135    22846930    826851     0.01  228469.294893    1021943255.4216715983
18.107.26.21    103819943   373699105  0.01  1038199.406794   1021133503.026879566
18.155.23.221   33847443    43376223   0.01  338474.422435    1021833231.196509494
18.155.23.221   33848762    248428209  0.01  338487.612434    1021833231.192675788
18.155.23.221   33848960    182165005  0.01  338489.592434    1021833231.189960833
18.155.23.221   33849237    6322419    0.01  338492.362434    1021833231.189717895
19.24.4.45      1693583440  72029656   0.01  16935834.021455  1005235877.235268398
19.24.4.45      1693583872  793132504  0.01  16935838.341455  1005235877.273547495
19.29.161.16    19986317    34285718   0.01  199863.165533    1021971858.270385290
19.55.36.202    1098236     390486740  0.01  10982.359755     1022160744.225945475
19.55.36.202    1098240     8297346    0.01  10982.399755     1022160744.232881476
19.59.134.250   199361062   113909808  0.01  1993610.575439   1020178116.063282670
19.67.192.174   35424473    785167233  0.01  354244.722082    1021817463.220257987
19.67.210.218   4323074     689732     0.1   432307.406442    1021739419.180874118
19.114.68.45    78574708    17008889   0.01  785747.062437    1021385960.390761816
19.114.68.45    78574918    34284567   0.01  785749.162437    1021385960.391067863
19.114.68.45    78575088    72029658   0.01  785750.862437    1021385960.3687749197
19.139.46.124   29251       785168750  0.1   2925.100044      1022168799.345161413
19.169.122.89   1806691     853448585  0.01  18066.909596     1022153659.006620827
19.173.18.204   17719695    785166685  0.1   1771969.526404   1020399734.3863648893
19.173.18.204   17719720    785168065  0.01  177197.196039    1021994520.359782667
19.173.18.204   17719731    785168629  0.01  177197.306039    1021994526.080391669
19.182.177.87   49516646    34285659   0.01  495166.448932    1021676554.013430833
19.182.177.87   144345608   34285961   0.01  1443456.047736   1020728267.433656758
19.182.178.138  23254415    34285407   0.01  232544.144802    1021939173.792872767
19.182.178.197  139712      853446502  0.1   13971.200208     1022157733.4261111109
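An added example, not code from the tcpFlags plugin, that reproduces the tcpEcI, tcpUtm and tcpBtm columns from the TSval of a few packets and then uses the boot time to tell two hosts apart behind one NAT address, as described above. All packets below are constructed (capture time in seconds since the epoch, TSval from the timestamp option); the set of candidate clock increments is my assumption.

```python
"""Added example, not code from the tcpFlags plugin: reproduce the tutorial's
tcpEcI / tcpUtm / tcpBtm columns from the TSval of a few packets, and use the
boot time to tell hosts apart behind one NAT address.  All packets below are
constructed (capture time in seconds since the epoch, TSval from the option)."""
import math
from datetime import datetime, timezone

# Common TCP timestamp clock increments in seconds (1 kHz, 100 Hz, 10 Hz, 1 Hz);
# the candidate set is an assumption of this example.
KNOWN_INCREMENTS = (0.001, 0.01, 0.1, 1.0)


def estimate_increment(packets):
    """packets: [(capture_time_s, tsval), ...] from one flow, in capture order.
    Returns the seconds per TSval tick (tcpEcI) snapped to the nearest common
    clock, or None when the clock cannot be measured (one packet, frozen or
    non-advancing TSval), which is where the tutorial falls back to OS guessing."""
    if len(packets) < 2:
        return None
    (t0, ts0), (t1, ts1) = packets[0], packets[-1]
    ticks = (ts1 - ts0) & 0xFFFFFFFF      # TSval is a 32-bit wrapping counter
    if ticks == 0 or t1 <= t0:
        return None
    raw = (t1 - t0) / ticks
    # Compare on a log scale so that 0.0097 snaps to 0.01 rather than 0.001.
    return min(KNOWN_INCREMENTS, key=lambda inc: abs(math.log(raw / inc)))


def uptime_and_boot(capture_time_s, tsval, increment):
    """tcpUtm = TSval * tcpEcI, tcpBtm = capture time - tcpUtm."""
    uptime = tsval * increment
    return uptime, capture_time_s - uptime


def boot_time_iso(boot_time_s):
    """Human readable boot time (UTC) for a quick plausibility check."""
    return datetime.fromtimestamp(boot_time_s, tz=timezone.utc).isoformat()


def hosts_behind_nat(flows, tolerance_s=5.0):
    """flows: [(capture_time_s, tsval, increment), ...] all seen from the same
    (NAT) source address.  Returns one estimated boot time per distinct host;
    boot times closer than tolerance_s are attributed to the same machine."""
    boots = sorted(uptime_and_boot(t, ts, inc)[1] for t, ts, inc in flows)
    groups = []
    for b in boots:
        if groups and b - groups[-1][-1] <= tolerance_s:
            groups[-1].append(b)
        else:
            groups.append([b])
    return [sum(g) / len(g) for g in groups]


# Constructed: two hosts behind one NAT address, one with a 100 Hz clock that
# booted on 2002-05-22 and one with a 1 kHz clock that booted some hours later.
HOST_A = [(1022171712.17, 7748617), (1022171715.24, 7748924)]
HOST_B = [(1022171712.50, 21712500), (1022171714.50, 21714500)]


def demo_nat_separation():
    """Estimate each flow's clock, then cluster the resulting boot times."""
    flows = []
    for packets in (HOST_A, HOST_B):
        inc = estimate_increment(packets)
        flows.extend((t, ts, inc) for t, ts in packets)
    return hosts_behind_nat(flows)


if __name__ == "__main__":
    for boot in demo_nat_separation():
        print("host booted at", boot_time_iso(boot))
```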

The plugin will evolve; as soon as we find something else for this feature, it will be implemented in tcpFlags. So if you have an idea, please contact us; we are happy to cooperate with you on researching such things.

Multipath TCP (MPTCP)

Multipath TCP was developed to allow a TCP connection to use multiple paths, both to optimize resource usage and to increase redundancy. There are several other multipath-capable protocols, such as

  • SCTP
  • Multipath QUIC from Google

The constant MPTCP in tcpFlags.h controls the MPTCP dissection. It is enabled by default and decodes the subtype and the different flags. More will be added in the future.

Download the sample pcap iperf-mptcp-0-0.pcap and store it in your ~/data folder. More pcaps are available at https://wiki.wireshark.org/SampleCaptures#MPTCP

t2 -r ~/data/iperf-mptcp-0-0.pcap -w ~/results/ -s

================================================================================
Tranalyzer 0.9.4 (Anteater), Cobra. PID: 62324, Prio: 0, SID: 666
================================================================================
Date: 1751731437.000567895 sec (Sat 05 Jul 2025 18:03:57 CEST)
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.4
    02: tcpFlags, 0.9.4
    03: tcpStates, 0.9.4
    04: txtSink, 0.9.4
[INF] IPv4 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 7237865 (7.24 M)
[INF] IPv6 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 1419083 (1.42 M)
Processing file: /home/user/data/iperf-mptcp-0-0.pcap
Link layer type: PPP [PPP/9]
Snapshot length: 65535 (65.53 K)
Dump start: 0.000000000 sec (Thu 01 Jan 1970 00:00:00 GMT)
Dump stop : 12.319482000 sec (Thu 01 Jan 1970 00:00:12 GMT)
Total dump duration: 12.319482000 sec
Finished processing. Elapsed time: 0.002074261 sec
Finished unloading flow memory. Time: 0.002194236 sec
Percentage completed: 100.00%
Number of processed packets: 2560 (2.56 K)
Number of processed bytes: 2538100 (2.54 M)
Number of raw bytes: 2538100 (2.54 M)
Number of pcap bytes: 2579084 (2.58 M)
Number of IPv4 packets: 2554 (2.55 K) [99.77%]
Number of IPv6 packets: 6 [0.23%]
Number of A packets: 1680 (1.68 K) [65.62%]
Number of B packets: 880 [34.38%]
Number of A bytes: 2483492 (2.48 M) [97.85%]
Number of B bytes: 54608 (54.61 K) [2.15%]
<A packet load>: 1478.27 (1.48 K)
<B packet load>: 62.05
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x0040
tcpFlags: Aggregated tcpFStat=0x8a33
tcpFlags: Aggregated tcpFlags=0x031b
tcpFlags: Aggregated tcpAnomaly=0x0009
tcpFlags: Number of TCP SYN retries, seq retries: 4, 0
tcpFlags: Aggregated MPTCP subtypes: tcpMPTBF=0x000f
tcpFlags: Aggregated MPTCP flags: tcpMPF=0x81
tcpFlags: Number of MPTCP packets: 2557 (2.56 K) [99.88%]
tcpStates: Aggregated tcpStatesAFlags=0x03
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of ICMPv6 packets: 6 [0.23%]
Number of TCP packets: 2554 (2.55 K) [99.77%]
Number of TCP bytes: 2537752 (2.54 M) [99.99%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 8
Number of processed IPv4 flows: 6 [75.00%]
Number of processed IPv6 flows: 2 [25.00%]
Number of processed A    flows: 6 [75.00%]
Number of processed B    flows: 2 [25.00%]
Number of request        flows: 6 [75.00%]
Number of reply          flows: 2 [25.00%]
Total   A/B    flow asymmetry: 0.50
Total req/rply flow asymmetry: 0.50
Number of processed A+B packets/A+B flows: 320.00
Number of processed A   packets/A   flows: 280.00
Number of processed   B packets/  B flows: 440.00
Number of processed total packets/s: 207.80
Number of processed A+B   packets/s: 207.80
Number of processed A     packets/s: 136.37
Number of processed   B   packets/s: 71.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.65
<Bandwidth>: 1648186 b/s (1.65 Mb/s)
<Raw bandwidth>: 1648186 b/s (1.65 Mb/s)
Max number of flows in memory: 8 [0.00%]
Memory usage: 0.02 GB [0.03%]
Aggregated flowStat=0x0c0000000000e002
[INF] IPv4 flows
[INF] IPv6 flows
[INF] No Ethernet header
[INF] PPP/HDLC encapsulation

tcpFStat flags MPTCP for 2557 of the 2560 packets.

tawk -V tcpFStat=0x8a33

The tcpFStat column with value 0x8a33 is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     1 | 0x0002   | TCP option init
     4 | 0x0010   | Window state-machine initialized
     5 | 0x0020   | Window update
     9 | 0x0200   | WS used
    11 | 0x0800   | Window state-machine count up(1)/down(0)
    15 | 0x8000   | MPTCP detected

The subtypes are coded in a T2 bit field:

tawk -V tcpMPTBF=0x000f

The tcpMPTBF column with value 0x000f is to be interpreted as follows:

   bit | tcpMPTBF | Description
   =============================================================================
     0 | 0x0001   | Multipath Capable
     1 | 0x0002   | Join Connection
     2 | 0x0004   | Data Sequence Signal (Data ACK and data sequence mapping)
     3 | 0x0008   | Add Address

So in the flow file you will see the subtype bit field, the flags, the address ID and, e.g. for subtype 2, the DSS flags.

tawk '{ print $srcIP, $srcPort, $dstIP, $dstPort, $l4Proto, $tcpFStat, $tcpMPTBF, $tcpMPF, $tcpMPAID, $tcpMPDSSF }' ~/results/iperf-mptcp-0-0_flows.txt | tcol

srcIP                srcPort  dstIP     dstPort  l4Proto  tcpFStat  tcpMPTBF  tcpMPF  tcpMPAID  tcpMPDSSF
fe80::200:ff:fe00:1  0        ff02::2   0        58       0x0001    0x0000    0x00    0         0x00
fe80::200:ff:fe00:2  0        ff02::2   0        58       0x0001    0x0000    0x00    0         0x00
10.1.1.1             43376    10.2.0.1  5001     6        0x8013    0x0002    0x00    3         0x00
10.1.1.1             57841    10.2.1.1  5001     6        0x8013    0x0002    0x00    3         0x00
10.1.0.1             49078    10.2.1.1  5001     6        0x8213    0x0006    0x00    2         0x15
10.2.1.1             5001     10.1.0.1  49078    6        0x8a33    0x0006    0x00    3         0x15
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    0x000d    0x81    3         0x05
10.2.0.1             5001     10.1.0.1  5001     6        0x8a13    0x000d    0x81    3         0x01

The same for the packet file, except that tcpMPTyp carries the actual subtype value instead of a T2 bit field:

tawk '{ print $srcIP, $srcPort, $dstIP, $dstPort, $l4Proto, $tcpFStat, $tcpMPTyp, $tcpMPF, $tcpMPAID, $tcpMPDSSF }' ~/results/iperf-mptcp-0-0_packets.txt | tcol

srcIP                srcPort  dstIP     dstPort  l4Proto  tcpFStat  tcpMPTyp  tcpMPF  tcpMPAID  tcpMPDSSF
fe80::200:ff:fe00:1           ff02::2            58
fe80::200:ff:fe00:2           ff02::2            58
fe80::200:ff:fe00:1           ff02::2            58
fe80::200:ff:fe00:2           ff02::2            58
10.1.0.1             5001     10.2.0.1  5001     6        0x8012    0         0x81    0         0x00
10.2.0.1             5001     10.1.0.1  5001     6        0x8012    0         0x81    0         0x00
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x81    0         0x01
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    3         0x01
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.2.0.1             5001     10.1.0.1  5001     6        0x8213    2         0x00    3         0x01
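An added example, not code from the tcpFlags plugin, that decodes a raw TCP options field into the columns used in the TCP options section above (tcpOptCnt, tcpOptions with bit k set for option kind k, tcpMSS, tcpWS, tcpTmS/tcpTmER) and the MPTCP columns of this section (tcpMPTBF, tcpMPTyp, tcpMPF, tcpMPDSSF). The option bytes are constructed, not taken from the pcap; that tcpOptions is a 32-bit field and that T2 ORs the flag bytes over all MPTCP options of a flow are my assumptions.

```python
"""Added example, not code from the tcpFlags plugin: decode a raw TCP options
field into T2-style columns, including the MPTCP subtype bit field."""
import struct

KIND_EOL, KIND_NOP, KIND_MSS, KIND_WS, KIND_TS, KIND_MPTCP = 0, 1, 2, 3, 8, 30
# Subtype -> name, in the order of the bits of tcpMPTBF (bit 0 = MP_CAPABLE, ...).
MPTCP_SUBTYPES = {0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR"}


def parse_tcp_options(opts: bytes) -> dict:
    """Walk the option list honouring each length byte and fill the columns.
    Malformed lengths raise ValueError instead of reading past the buffer."""
    cols = {"tcpOptCnt": 0, "tcpOptions": 0, "tcpMSS": 0, "tcpWS": 0,
            "tcpTmS": 0, "tcpTmER": 0, "tcpMPTBF": 0, "tcpMPTyp": [],
            "tcpMPF": 0, "tcpMPDSSF": 0}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == KIND_EOL:
            break
        cols["tcpOptCnt"] += 1
        if kind < 32:                      # assumed 32-bit field, bit k = kind k
            cols["tcpOptions"] |= 1 << kind
        if kind == KIND_NOP:               # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option kind %d at offset %d" % (kind, i))
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == KIND_MSS and length == 4:
            cols["tcpMSS"] = struct.unpack("!H", body)[0]
        elif kind == KIND_WS and length == 3:
            cols["tcpWS"] = body[0]
        elif kind == KIND_TS and length == 10:
            cols["tcpTmS"], cols["tcpTmER"] = struct.unpack("!II", body)
        elif kind == KIND_MPTCP and length >= 4:
            _parse_mptcp(body, cols)
        i += length
    return cols


def _parse_mptcp(body: bytes, cols: dict) -> None:
    subtype = body[0] >> 4                 # high nibble of the first body byte
    cols["tcpMPTyp"].append(subtype)
    cols["tcpMPTBF"] |= 1 << subtype       # same encoding as the tawk -V table
    if subtype == 0:                       # MP_CAPABLE: version nibble, then flags
        cols["tcpMPF"] |= body[1]          # e.g. 0x81 = A (checksum req.) | H (HMAC-SHA)
    elif subtype == 2:                     # DSS: flags byte F|m|M|a|A = 0x10..0x01
        cols["tcpMPDSSF"] |= body[1]       # 0x05 = data ACK present | DSN present


def mptcp_subtype_names(bitfield: int) -> list:
    """Expand a tcpMPTBF value the way 'tawk -V tcpMPTBF=...' lists it."""
    return [name for bit, name in MPTCP_SUBTYPES.items() if bitfield & (1 << bit)]


# Constructed SYN options: MSS 1460, NOP, WS 7, NOP, NOP, SACK permitted and an
# MP_CAPABLE (v0, flags A|H = 0x81) carrying an 8-byte sender key.
SYN_OPTS = (b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x07" + b"\x01\x01"
            + b"\x04\x02" + b"\x1e\x0c\x00\x81" + bytes(range(1, 9)))
# Constructed DSS option, flags A|M (0x05): data ACK, DSN, SSN, data length, checksum.
DSS_OPTS = b"\x1e\x14\x20\x05" + struct.pack("!IIIHH", 0xA0000000, 1, 1, 1400, 0)

if __name__ == "__main__":
    for label, raw in (("SYN", SYN_OPTS), ("DSS", DSS_OPTS)):
        c = parse_tcp_options(raw)
        print(label, c, mptcp_subtype_names(c["tcpMPTBF"]))
```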

In the future more features will be added.

Fragmentation

Fragmentation is a diverse subject. In IPv4 it should not occur anymore, because today's MTU is generally large enough throughout whole networks. If you see it in your corporate network, it should be investigated. IPv6 is a different story; there fragmentation is an established tool.

The constant FRAG_ANALYZE in tcpFlags.h controls the fragmentation analysis. Moreover, the constant FRAGMENTATION has to be enabled in tranalyzer.h under the tranalyzer2/src directory, which is the default.

I prepared a pcap which illustrates a pitfall of the flow-based representation when fragmentation is present. So download frag.pcap and add basicStats, so that we can look at the packet and payload statistics.

t2build basicStats

Then rerun t2 with the -s option, as we also want to look at the packets.

t2 -r ~/data/frag.pcap -w ~/results/ -s

================================================================================
Tranalyzer 0.9.4 (Anteater), Cobra. PID: 62440, Prio: 0, SID: 666
================================================================================
Date: 1751731598.000436206 sec (Sat 05 Jul 2025 18:06:38 CEST)
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.4
    02: tcpFlags, 0.9.4
    03: tcpStates, 0.9.4
    04: txtSink, 0.9.4
[INF] IPv4 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 7237865 (7.24 M)
[INF] IPv6 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 1419083 (1.42 M)
Processing file: /home/user/data/frag.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1294260264.274530000 sec (Wed 05 Jan 2011 20:44:24 GMT)
Dump stop : 1294260291.961272000 sec (Wed 05 Jan 2011 20:44:51 GMT)
Total dump duration: 27.686742000 sec
Finished processing. Elapsed time: 0.000927781 sec
Finished unloading flow memory. Time: 0.001087731 sec
Percentage completed: 100.00%
Number of processed packets: 82
Number of processed bytes: 14857 (14.86 K)
Number of raw bytes: 14857 (14.86 K)
Number of pad bytes: 727
Number of pcap bytes: 16193 (16.19 K)
Number of L2 packets: 44 [53.66%]
Number of IPv4 packets: 38 [46.34%]
Number of A packets: 80 [97.56%]
Number of B packets: 2 [2.44%]
Number of A bytes: 14737 (14.74 K) [99.19%]
Number of B bytes: 120 [0.81%]
<A packet load>: 184.21
<B packet load>: 60.00
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x0860
tcpFlags: Aggregated tcpFStat=0x1011
tcpFlags: Aggregated tcpFlags=0x0c14
tcpFlags: Aggregated tcpAnomaly=0x3180
tcpFlags: Aggregated ipToS=0xc0
tcpFlags: Number of TCP scans attempted, successful: 0, 1 [inf%]
tcpStates: Aggregated tcpStatesAFlags=0xc3
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, avg: 2.67
Number of LLC packets: 16 [19.51%]
Number of ARP packets: 25 [30.49%]
Number of ICMP packets: 3 [3.66%]
Number of TCP packets: 27 [32.93%]
Number of TCP bytes: 10964 (10.96 K) [73.80%]
Number of UDP packets: 5 [6.10%]
Number of UDP bytes: 763 [5.14%]
Number of IPv4 fragmented packets: 26 [68.42%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 20
Number of processed L2   flows: 11 [55.00%]
Number of processed IPv4 flows: 9 [45.00%]
Number of processed A    flows: 18 [90.00%]
Number of processed B    flows: 2 [10.00%]
Number of request        flows: 18 [90.00%]
Number of reply          flows: 2 [10.00%]
Total   A/B    flow asymmetry: 0.80
Total req/rply flow asymmetry: 0.80
Number of processed A+B packets/A+B flows: 4.10
Number of processed A   packets/A   flows: 4.44
Number of processed   B packets/  B flows: 1.00
Number of processed total packets/s: 2.96
Number of processed A+B   packets/s: 2.96
Number of processed A     packets/s: 2.89
Number of processed   B   packets/s: 0.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.72
<Bandwidth>: 3515 b/s (3.52 Kb/s)
<Raw bandwidth>: 4293 b/s (4.29 Kb/s)
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.02 GB [0.03%]
Aggregated flowStat=0x0400081000004044
[INF] Stop dissecting: Clipped packet, unhandled protocol or subsequent fragment
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] ARP
[INF] IPv4/6 fragmentation

We see that 26 [68.42%] of the IPv4 packets are fragmented. The two fragmentation warnings at the end of the report indicate abnormalities in the IPv4 fragmented traffic. Below, the fragmented traffic including the abnormalities is selected from the flow file.

tawk 'bitsanyset($ipFlags, 0x03b8) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly}' ~/results/frag_flows.txt | tcol

%dir  flowInd  flowStat            srcIP            srcIPCC  srcIPOrg            srcPort  dstIP            dstIPCC  dstIPOrg            dstPort  tcpFStat  ipFlags  tcpFlags  tcpAnomaly
A     4        0x0400081000004000  192.168.203.131  07       "!Private network"  1509     192.168.203.134  07       "!Private network"  0        0x1011    0x0820   0x0800    0x3000

Looking at the packet file, the first packet contains the layer 4 header with the checksum. At the last fragment T2 adds the IP pseudo header and calculates the final checksum, which matches 0x7366 from the TCP header of the initial packet.
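An added example, not T2 code, that reproduces both checks on a constructed packet: the per-fragment IPv4 header checksum (ipHdrChkSum vs ipCalChkSum) and the TCP checksum over the pseudo header plus the reassembled segment (l4HdrChkSum vs l4CalChkSum), which is also the comparison made for flow 1336 in the checksum section above. Addresses, ports, IP ID, MTU and payload are constructed; the corrupted variant shows why the L3 checksums still add up when the L4 one does not.

```python
"""Added example, not T2 code: build an IPv4/TCP packet, fragment it and redo
the L3 (per fragment) and L4 (after reassembly, with pseudo header) checksum
checks that the packet file shows.  All addresses and data are constructed."""
import struct
from socket import inet_aton

IP_MF = 0x2000        # "more fragments" flag in the IPv4 flags/offset field
TCP_PROTO = 6


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    return (~_ones_complement_sum(data)) & 0xFFFF


def ipv4_header(src, dst, payload_len, ident, flags_frag) -> bytes:
    """20-byte header; the IPv4 checksum covers the header only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, TCP_PROTO, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_checksum(src, dst, segment: bytes) -> int:
    """The TCP checksum covers the IPv4 pseudo header plus the whole segment."""
    pseudo = inet_aton(src) + inet_aton(dst) + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return checksum(pseudo + segment)


def tcp_segment(src, dst, sport, dport, seq, ack, flags, payload: bytes) -> bytes:
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 512, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]


def fragment(src, dst, ident, segment: bytes, mtu: int) -> list:
    """Split one TCP segment into IPv4 fragments (offsets in 8-byte units)."""
    chunk_len = (mtu - 20) & ~7
    frags, off = [], 0
    while off < len(segment):
        chunk = segment[off:off + chunk_len]
        more = IP_MF if off + len(chunk) < len(segment) else 0
        frags.append(ipv4_header(src, dst, len(chunk), ident, more | (off // 8)) + chunk)
        off += len(chunk)
    return frags


def reassemble(frags: list) -> bytes:
    """Order fragments by offset and refuse gaps or a missing last fragment."""
    parts = {}
    for pkt in frags:
        ihl = (pkt[0] & 0x0F) * 4
        flags_frag = struct.unpack("!H", pkt[6:8])[0]
        parts[(flags_frag & 0x1FFF) * 8] = (pkt[ihl:], bool(flags_frag & IP_MF))
    data, expected, more = b"", 0, True
    for off in sorted(parts):
        if off != expected:
            raise ValueError("fragment gap at offset %d" % off)
        chunk, more = parts[off]
        data += chunk
        expected += len(chunk)
    if more:
        raise ValueError("last fragment missing")
    return data


def analyze(src, dst, frags: list) -> dict:
    """Per-fragment L3 check, one L4 check after the last fragment, like T2."""
    ip_ok = []
    for pkt in frags:
        hdr = pkt[:20]
        stored = struct.unpack("!H", hdr[10:12])[0]
        ip_ok.append(stored == checksum(hdr[:10] + b"\x00\x00" + hdr[12:]))
    segment = reassemble(frags)
    l4_hdr = struct.unpack("!H", segment[16:18])[0]          # from the first fragment
    l4_cal = tcp_checksum(src, dst, segment[:16] + b"\x00\x00" + segment[18:])
    return {"ipOk": ip_ok, "l4HdrChkSum": l4_hdr, "l4CalChkSum": l4_cal,
            "ipFrag": [struct.unpack("!H", p[6:8])[0] for p in frags]}


def demo(corrupt: bool = False) -> dict:
    src, dst = "192.168.203.131", "192.168.203.134"          # constructed hosts
    seg = tcp_segment(src, dst, 1509, 80, 280548844, 777151161, 0x18, b"X" * 1000)
    frags = fragment(src, dst, 249, seg, mtu=420)            # 400-byte fragments
    if corrupt:
        # Flip one payload byte in the second fragment: the IPv4 checksum covers
        # only its header, so ipCalChkSum still matches while l4CalChkSum does not.
        frags[1] = frags[1][:100] + bytes([frags[1][100] ^ 0xFF]) + frags[1][101:]
    return analyze(src, dst, frags)


if __name__ == "__main__":
    print(demo())
    print(demo(corrupt=True))
```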

tawk 'flow(4)' ~/results/frag_packets.txt | tcol

%pktNo  flowInd  flowStat            time                  pktIAT       pktTrip      flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP            srcIPCC  srcIPOrg          srcPort  dstIP            dstIPCC  dstIPOrg          dstPort  l4Proto  ipToS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq        ack        seqMax     seqDiff  ackDiff  seqLen  ackLen  seqFlowLen  ackFlowLen  tcpMLen  tcpBFlgt  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpWS  tcpMSS  tcpTmS  tcpTmER  tcpMPTyp  tcpMPF  tcpMPAID  tcpMPDSSF  tcpOptLen  tcpOpts  tcpStatesAFlags  l7Content
4       4        0x0400009000004000  1294260266.528280000  0.000000000  0.000000000  0.000000000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  1509     192.168.203.134  07       !Private network  0        6        0x00   249    0         0x2000  64     0x4000       0x4000       0x7366       0x0000       0x0020   0                       0                     0                 280548844  777151161  280548844  0        0        0       0       0           0           380      0         0x1010    0x0800    0x1000      512     0      0       0       0        0         0x00    0         0x00       0                   0x81             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5       4        0x0400089000004000  1294260266.528318000  0.000038000  0.000000000  0.000038000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x2032  64     0x3fce       0x3fce       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6       4        0x0400089000004000  1294260266.528335000  0.000017000  0.000000000  0.000055000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x2064  64     0x3f9c       0x3f9c       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7       4        0x0400089000004000  1294260266.528348000  0.000013000  0.000000000  0.000068000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x2096  64     0x3f6a       0x3f6a       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8       4        0x0400089000004000  1294260266.528363000  0.000015000  0.000000000  0.000083000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x20c8  64     0x3f38       0x3f38       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9       4        0x0400089000004000  1294260266.528383000  0.000020000  0.000000000  0.000103000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x20fa  64     0x3f06       0x3f06       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
10      4        0x0400089000004000  1294260266.528404000  0.000021000  0.000000000  0.000124000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x212c  64     0x3ed4       0x3ed4       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
11      4        0x0400089000004000  1294260266.528424000  0.000020000  0.000000000  0.000144000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x215e  64     0x3ea2       0x3ea2       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
12      4        0x0400089000004000  1294260266.528443000  0.000019000  0.000000000  0.000163000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x2190  64     0x3e70       0x3e70       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
13      4        0x0400089000004000  1294260266.528462000  0.000019000  0.000000000  0.000182000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x21c2  64     0x3e3e       0x3e3e       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
14      4        0x0400089000004000  1294260266.528480000  0.000018000  0.000000000  0.000200000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x21f4  64     0x3e0c       0x3e0c       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
15      4        0x0400089000004000  1294260266.528497000  0.000017000  0.000000000  0.000217000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x2226  64     0x3dda       0x3dda       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
16      4        0x0400089000004000  1294260266.528512000  0.000015000  0.000000000  0.000232000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x2258  64     0x3da8       0x3da8       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
17      4        0x0400089000004000  1294260266.528526000  0.000014000  0.000000000  0.000246000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x228a  64     0x3d76       0x3d76       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
18      4        0x0400089000004000  1294260266.528544000  0.000018000  0.000000000  0.000264000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x22bc  64     0x3d44       0x3d44       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
19      4        0x0400089000004000  1294260266.528561000  0.000017000  0.000000000  0.000281000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x22ee  64     0x3d12       0x3d12       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
20      4        0x0400089000004000  1294260266.528575000  0.000014000  0.000000000  0.000295000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x2320  64     0x3ce0       0x3ce0       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
21      4        0x0400089000004000  1294260266.528588000  0.000013000  0.000000000  0.000308000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x2352  64     0x3cae       0x3cae       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
22      4        0x0400089000004000  1294260266.528601000  0.000013000  0.000000000  0.000321000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x2384  64     0x3c7c       0x3c7c       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
23      4        0x0400089000004000  1294260266.528613000  0.000012000  0.000000000  0.000333000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x23b6  64     0x3c4a       0x3c4a       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
24      4        0x0400089000004000  1294260266.528626000  0.000013000  0.000000000  0.000346000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x23e8  64     0x3c18       0x3c18       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
25      4        0x0400089000004000  1294260266.528776000  0.000150000  0.000000000  0.000496000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x241a  64     0x3be6       0x3be6       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
26      4        0x0400089000004000  1294260266.528818000  0.000042000  0.000000000  0.000538000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x244c  64     0x3bb4       0x3bb4       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
27      4        0x0400089000004000  1294260266.528854000  0.000036000  0.000000000  0.000574000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x247e  64     0x3b82       0x3b82       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
28      4        0x0400089000004000  1294260266.528889000  0.000035000  0.000000000  0.000609000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x24b0  64     0x3b50       0x3b50       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
29      4        0x0400081000004000  1294260266.528923000  0.000034000  0.000000000  0.000643000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       !Private network  0        192.168.203.134  07       !Private network  0        6        0x00   249    0         0x04e2  64     0x5c9a       0x5c9a       0x7366       0x5f52       0x0800   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXX
30      4        0x0400000000004001  1294260266.529423000  0.000000000  0.000500000  0.000000000   3        eth:ipv4:tcp          00:0f:ea:e8:f5:51  00:24:e8:ed:3f:10  0x0800   192.168.203.134  07       !Private network  0        192.168.203.131  07       !Private network  1509     6        0x00   14196  0         0x4000  64     0xeb00       0xeb00       0x83db       0x83db       0x0040   0                       0                     0                 0          280558844  0          0        0        0       0       0           0           0        0         0x0010    0x0414    0x0180      0       0      0       0       0        0         0x00    0         0x00       0                   0x40

Detecting scans

Scans are normally the prelude to more serious attacks. Nevertheless, a lot of normal TCP traffic looks like scanning. Anybody who has used SNORT, the de facto standard IDS, will have suffered from interpreting all the scan alarms. So the detection needs filtering.

At one point I needed an indication in the end report and the flow/packet files whether a malicious TCP scan is around. It is not perfect, but it often served its purpose.

To see its effect clearly, download nmap_v_sT.pcap, copy it to your data folder and rerun t2. The pcap was generated by the nmap scanning tool.

t2 -r ~/data/nmap_v_sT.pcap -w ~/results/

tawk -V tcpFlags=0x803b -V tcpAnomaly=0x1008 -V ipToS=0x04

The tcpFlags column with value 0x803b is to be interpreted as follows:

   bit | tcpFlags | Description
   =============================================================================
     0 | 0x0001     | FIN: No more data, finish connection
     1 | 0x0002     | SYN: Synchronize sequence numbers
     3 | 0x0008     | PSH: Push data
     4 | 0x0010     | ACK: Acknowledgement field value valid
     5 | 0x0020     | URG: Urgent pointer valid
    15 | 0x8000     | Potential Xmas scan packet or malicious channel


The tcpAnomaly column with value 0x1008 is to be interpreted as follows:

   bit | tcpAnomaly | Description
   =============================================================================
     3 | 0x0008     | Duplicate ACK
    12 | 0x1000     | Scan detected in flow


The ipToS column with value 0x04 is to be interpreted as follows:

   bit | ipToS    | Description
   =============================================================================
     2 | 0x04     | Precedence 0

Below, the first 10 rows of the flow file containing scans are printed.

tawk 'bitsanyset($tcpAnomaly, 0x1000)' ~/results/nmap_v_sT_flows.txt | head -n 10 | tcol

%dir  flowInd  flowStat            timeFirst             timeLast              duration     numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  vlanID  srcIP        srcIPCC  srcIPOrg            srcPort  dstIP        dstIPCC  dstIPOrg            dstPort  l4Proto  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipToS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpBFlgtMx  tcpInitWinSz  tcpAvgWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpJA4T                 tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpMPTBF  tcpMPF  tcpMPAID  tcpMPDSSF  tcpTmS   tcpTmER  tcpEcI  tcpUtm        tcpBtm                 tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAvg  tcpRTTAckTripJitAvg  tcpRTTSseqAA  tcpRTTAckJitAvg  tcpStatesAFlags
A     1        0x0400000000004000  1416313200.358106000  1416313200.358106000  0.000000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.125  04       "!Private network"  54118    10.20.0.125  04       "!Private network"  587      6        0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2868435842  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      29200_2-4-8-1-31460_00  1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3992845  0        0.004   15971.380759  1416297228.4273314697  0              65535             0                 0                 0                    0             0                0x03
A     2        0x0400000000004000  1416313200.457149000  1416313200.457149000  0.000000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.125  04       "!Private network"  33056    10.20.0.125  04       "!Private network"  1720     6        0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2506148143  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      29200_2-4-8-1-31460_00  1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3992875  0        0.004   15971.500759  1416297228.4252357691  0              65535             0                 0                 0                    0             0                0x03
A     3        0x0400000000004000  1416313201.458313000  1416313201.458313000  0.000000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.125  04       "!Private network"  45750    10.20.0.125  04       "!Private network"  1720     6        0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1770850395  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      29200_2-4-8-1-31460_00  1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993175  0        0.004   15972.700759  1416297228.4053521634  0              65535             0                 0                 0                    0             0                0x03
A     4        0x0400000000004000  1416313201.458361000  1416313201.458361000  0.000000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.125  04       "!Private network"  38704    10.20.0.125  04       "!Private network"  587      6        0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3336324932  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      29200_2-4-8-1-31460_00  1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993175  0        0.004   15972.700759  1416297228.4053569634  0              65535             0                 0                 0                    0             0                0x03
A     5        0x0400000000004000  1416313201.557900000  1416313201.557900000  0.000000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.125  04       "!Private network"  50322    10.20.0.125  04       "!Private network"  995      6        0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3712758514  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      29200_2-4-8-1-31460_00  1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993205  0        0.004   15972.820759  1416297228.4033108628  0              65535             0                 0                 0                    0             0                0x03
A     6        0x0400000000004000  1416313201.558981000  1416313201.558981000  0.000000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.125  04       "!Private network"  45384    10.20.0.125  04       "!Private network"  135      6        0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2792320487  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      29200_2-4-8-1-31460_00  1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993206  0        0.004   15972.824759  1416297228.4030189628  0              65535             0                 0                 0                    0             0                0x03
A     7        0x0400000000004000  1416313201.559756000  1416313201.559756000  0.000000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.125  04       "!Private network"  55726    10.20.0.125  04       "!Private network"  443      6        0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  742007355   0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      29200_2-4-8-1-31460_00  1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993206  0        0.004   15972.824759  1416297228.4030964628  0              65535             0                 0                 0                    0             0                0x03
A     8        0x0400000000004000  1416313201.759706000  1416313201.759706000  0.000000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.125  04       "!Private network"  55879    10.20.0.125  04       "!Private network"  443      6        0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3280881276  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      29200_2-4-8-1-31460_00  1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993266  0        0.004   15973.064759  1416297228.694947321   0              65535             0                 0                 0                    0             0                0x03
A     9        0x0400000000004000  1416313201.759861000  1416313201.759861000  0.000000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.125  04       "!Private network"  45598    10.20.0.125  04       "!Private network"  135      6        0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3916203706  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      29200_2-4-8-1-31460_00  1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993266  0        0.004   15973.064759  1416297228.695102321   0              65535             0                 0                 0                    0             0                0x03
...

If you look at the tcpFlags=0x0002 bit, it is also a convenient criterion for selecting unsuccessful SYN scan flows: the aggregated TCP flags show that only a SYN was ever seen, i.e. these flows are unanswered SYN scans.

What is odd is the high window scale factor, while the random initial window size and the TTL indicate a Linux platform. Is it malicious?

Flags count as AI features

t2conf tcpFlags -D TCPFLGCNT=1 && t2build tcpFlags

t2 -r ~/data/nmap_v_sT.pcap -w ~/results/

tawk '{ split($tcpCntF_S_R_P_A_U_E_C_FA_SA_RA_N_SF_SFR_RF_X, A, "_"); if (A[16] > 0) print; }' nmap_v_sT_flows.txt | tcol

%dir  flowInd  flowStat            timeFirst             timeLast              duration     numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  vlanID  srcIP        srcIPCC  srcIPOrg            srcPort  dstIP        dstIPCC  dstIPOrg            dstPort  l4Proto  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipToS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpBFlgtMx  tcpInitWinSz  tcpAvgWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpCntF_S_R_P_A_U_E_C_FA_SA_RA_N_SF_SFR_RF_X  tcpJA4T          tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpMPTBF  tcpMPF  tcpMPAID  tcpMPDSSF  tcpTmS      tcpTmER  tcpEcI  tcpUtm           tcpBtm                 tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAvg  tcpRTTAckTripJitAvg  tcpRTTSseqAA  tcpRTTAckJitAvg  tcpStatesAFlags
A     1038     0x0400000000004000  1416313207.768806000  1416313209.490977000  1.722171000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.125  04       "!Private network"  56864    10.20.0.125  04       "!Private network"  41089    6        0x0013    5943        47665       43        56        3         0x00   0x0004   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2449289213  0           0               0               0           0                      0               0           65535         65535        65535        65535        0               0              0                  0             0x8029    0x1000      4_0_0_4_0_4_0_0_0_0_0_0_0_0_0_4               65535_00_265_00  4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363537.3796944294  0              65535             0                 0                 0                    0             0                0x83
A     1042     0x0400000000004000  1416313212.619118000  1416313214.101341000  1.482223000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.125  04       "!Private network"  56864    10.20.0.125  04       "!Private network"  36508    6        0x0013    3455        6768        47        56        3         0x00   0x0004   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3748830669  0           0               0               0           0                      0               0           65535         65535        65535        65535        0               0              0                  0             0x8029    0x1000      4_0_0_4_0_4_0_0_0_0_0_0_0_0_0_4               65535_00_265_00  4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363542.3407308294  0              65535             0                 0                 0                    0             0                0x83

So you see right away the counts of X-mas scan flags in both flows, which is all you need if you want to build an X-mas detector; no AI required. Note that the FIN, PUSH and URG counters are also incremented, as some people are not interested in the X-mas count and prefer to mask bits 8-15. So if you are interested in the true single-flag counts, you have to subtract the counts of the combined flags, such as FA, SA, ..., X, from the single-flag counters. In a later version I will add a mode where this is done automatically.
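As an added example (not code from the tutorial or the Tranalyzer project), the following Python post-processor reads a txtSink-style flow file, selects unanswered SYN scan flows via tcpFlags=0x0002, flags X-mas flows from the tcpCntF_..._X column and derives the true single-flag counts by subtracting the combined counters. The sample rows are constructed (the X-mas counts match the flows shown above), and the rule of which single-flag counters a combined counter also feeds is assumed from the column name.

```python
# Added example: post-process tcpFlags output (TCPFLGCNT=1) from T2's
# txtSink. Not part of the tutorial; combined-counter semantics assumed.

CNT_COL = "tcpCntF_S_R_P_A_U_E_C_FA_SA_RA_N_SF_SFR_RF_X"
CNT_NAMES = CNT_COL[len("tcpCnt"):].split("_")   # F, S, R, ..., X
# Assumption: each combined counter also increments the single-flag
# counters named in it; an X-mas packet (FIN+PSH+URG) feeds F, P and U.
COMBINED = {"FA": "FA", "SA": "SA", "RA": "RA", "SF": "SF",
            "SFR": "SFR", "RF": "RF", "X": "FPU"}
SYN_ONLY = 0x0002   # aggregated tcpFlags: only SYN ever seen in the flow

# Constructed sample, reduced to the columns used here. Flow 1038 carries
# the X-mas counts from the tutorial; flows 4 and 2000 are made up.
SAMPLE = """\
%dir flowInd srcIP dstIP dstPort tcpFlags tcpCntF_S_R_P_A_U_E_C_FA_SA_RA_N_SF_SFR_RF_X
A 4 10.20.6.125 10.20.0.125 587 0x0002 0_1_0_0_0_0_0_0_0_0_0_0_0_0_0_0
A 1038 10.20.6.125 10.20.0.125 41089 0x8029 4_0_0_4_0_4_0_0_0_0_0_0_0_0_0_4
A 2000 10.20.6.125 10.20.0.125 80 0x001b 1_1_0_3_7_0_0_0_1_0_0_0_0_0_0_0
"""


def parse_flows(text):
    """Parse a whitespace-separated flow file into dicts keyed by column."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].lstrip("%").split()        # "%dir" -> "dir"
    return [dict(zip(header, l.split())) for l in lines[1:]]


def flag_counts(flow):
    """Raw per-flag counters as {name: int}, in column order."""
    vals = [int(v) for v in flow[CNT_COL].split("_")]
    return dict(zip(CNT_NAMES, vals))


def true_flag_counts(flow):
    """Single-flag counts with every combined counter subtracted out."""
    cnt = flag_counts(flow)
    for combo, singles in COMBINED.items():
        for s in singles:
            cnt[s] -= cnt[combo]
    return cnt


def unanswered_syn_scans(flows):
    """Flows whose aggregated tcpFlags contain nothing but SYN."""
    return [f for f in flows if int(f["tcpFlags"], 16) == SYN_ONLY]


def xmas_flows(flows):
    """Flows with at least one X-mas packet (the tawk A[16] > 0 filter)."""
    return [f for f in flows if flag_counts(f)["X"] > 0]
```

Run against a real file with `parse_flows(open("nmap_v_sT_flows.txt").read())`; the column order is taken from the header line, so extra txtSink columns do not matter.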

Conclusion

You may now reset the whole configuration of T2 to ensure that in the next tutorial all flags are properly set to default.

t2conf --reset -a

Look at the other pcaps and check out the scan alarms.

Have fun!