IP/TCP troubleshooting (tcpFlags)
Contents
- IP/TCP header features
- Preparation
- tcpFlags default
- OS fingerprinting
- Host load estimation
- tcpFlags troubleshooting TCP connections
- Window size features
- Sequence and acknowledge numbers
- RTT estimate
- L3/4 checksums
- TCP options
- Boot time estimation
- Multipath TCP (MPTCP)
- Fragmentation
- Detecting scans
- Flags count as AI features
- Conclusion
IP/TCP header features
In this tutorial we show you the hidden power of layers 3/4 for troubleshooting, security and admin applications. Everything is integrated in one plugin: tcpFlags. Its name is a bit misleading, as it evolved during practical application from a simple TCP flags decoder to a full-blown troubleshooting plugin for L3/4. Hence, it provides the following features:
- TCP warning bits for troubleshooting, similar to Wireshark/TShark
- OS and application fingerprinting (TTL, initial window size, flags)
- Host load estimation (IPv4 IPID)
- L3/4 options
- Sequence/Acknowledge Number Tricks
- NAT flow bundling: boot time estimation, host clock estimation (OS fingerprinting)
- Multipath TCP (MPTCP)
- Trip and Round Trip Time (RTT), jitter estimation
- L3/4 checksum evaluation
- Protocol anomalies
- Fragmentation anomalies
- Flow health: window size statistics, bytes in flight
- Scan detection support
If you read the The Basics tutorial, you already had a glimpse of some basic tcpFlags features. Here we will explain how to apply them. Note that you need version 0.8.14 or higher of the tcpFlags plugin, so that the output on your command line matches the website.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow tcpFlags tcpStates txtSink
...
BUILD SUCCESSFUL
If you did not yet create separate data and results directories, do it now in another bash window; it facilitates your workflow:
mkdir ~/data ~/results
The sample PCAPs used in this tutorial can be downloaded here:
Please save them in your ~/data folder.
Now you are all set!
tcpFlags default
Let's start with tcpFlags in minimal mode.
Since version 0.8.14, the tcpFlags anomaly bits moved a bit closer to Wireshark's, and the flag bits for the TCP header changed. The IP ToS can now also be represented in different forms.
A lot is different now, but a bit easier to interpret for the troubleshooter.
Nevertheless, the configuration stayed the same. Open tcpFlags.h in the tcpFlags plugin folder:
tcpFlags
vi src/tcpFlags.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define IPTOS 0 // IPv4 ToS / IPv6 Class:
// 0: IP ToS hex
// 1: DSCP_ECN dec
// 2: Precedence(1-7)_ECN
#define RTT_ESTIMATE 1 // 1: Round trip time estimation
#define IPCHECKSUM 2 // Checksum calculation
// 0: No checksum calculation
// 1: Calculation of L3 (IP) header checksum
// 2: Calculation of L3 (IP) and L4 (TCP, UDP, ...) checksum
#define WINDOWSIZE 1 // 1: Calculation of TCP window size parameters
#define WINMIN 1 // Minimal window size threshold defining a healthy communication
// (only packets below the threshold are counted)
#define SEQ_ACK_NUM 1 // 1: SEQ/ACK number feature analysis
#define FRAG_ANALYZE 1 // 1: Fragmentation analysis
#define NAT_BT_EST 1 // 1: NAT boot time estimation
#define SCAN_DETECTOR 1 // 1: Scan flow detector
#define MPTCP 1 // 1: Dissect MPTCP
#define TCPJA4T 0 // 1: JA4 Output Syn/Syn-Ack, 0: T2 output for these values
#define JA4TOPTMX 20 // Maximal options stored in flow, requires JA4T = 1
#define TCPFLGCNT 0 // TCP Flags Count
// The following options require SEQ_ACK_NUM = 1
#define SPKTMD_SEQACKREL 0 // SEQ/ACK numbers representation (-s option):
// 0: absolute,
// 1: relative
#define SPKTMD_SEQACKHEX 0 // SEQ/ACK numbers representation (-s option):
// 0: uint32_t
// 1: hex32
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
/* No env / runtime configuration flags available for tcpFlags */
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
The constants SPKTMD_SEQACKREL and SPKTMD_SEQACKHEX refer to the packet mode for absolute and relative SEQ/ACK number output and decimal/hex representation respectively, see the packet mode tutorial. All the other switches we will discuss in the following chapters. First, let's look at the end report. Now invoke t2 with the -s option.
================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 21416, Prio: 0, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: tcpFlags, 0.9.1
    03: tcpStates, 0.9.1
    04: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/faf-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1258544215.037210000 sec (Wed 18 Nov 2009 11:36:55 GMT)
Dump stop : 1258594491.683288000 sec (Thu 19 Nov 2009 01:34:51 GMT)
Total dump duration: 50276.646078000 sec (13h 57m 56s)
Finished processing. Elapsed time: 0.136815419 sec
Finished unloading flow memory. Time: 0.136854832 sec
Percentage completed: 100.00%
Number of processed packets: 5902 (5.90 K)
Number of processed bytes: 4993414 (4.99 M)
Number of raw bytes: 4993414 (4.99 M)
Number of pcap bytes: 5087870 (5.09 M)
Number of IPv4 packets: 5902 (5.90 K) [100.00%]
Number of A packets: 1986 (1.99 K) [33.65%]
Number of B packets: 3916 (3.92 K) [66.35%]
Number of A bytes: 209315 (209.31 K) [4.19%]
Number of B bytes: 4784099 (4.78 M) [95.81%]
<A packet load>: 105.40
<B packet load>: 1221.68 (1.22 K)
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x0044
tcpFlags: Aggregated tcpFStat=0x4ff1
tcpFlags: Aggregated tcpFlags=0x071f
tcpFlags: Aggregated tcpAnomaly=0x02cc
tcpFlags: Number of TCP SYN retries, seq retries: 0, 27
tcpFlags: Number WinSz below 1: 3 [0.05%]
tcpStates: Aggregated tcpStatesAFlags=0x4a
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of TCP packets: 5902 (5.90 K) [100.00%]
Number of TCP bytes: 4993414 (4.99 M) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 72
Number of processed IPv4 flows: 72 [100.00%]
Number of processed A flows: 36 [50.00%]
Number of processed B flows: 36 [50.00%]
Number of request flows: 36 [50.00%]
Number of reply flows: 36 [50.00%]
Total A/B flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed A+B packets/A+B flows: 81.97
Number of processed A packets/A flows: 55.17
Number of processed B packets/ B flows: 108.78
Number of processed total packets/s: 0.12
Number of processed A+B packets/s: 0.12
Number of processed A packets/s: 0.04
Number of processed B packets/s: 0.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.00
<Bandwidth>: 792 b/s
<Raw bandwidth>: 795 b/s
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.04 GB [0.05%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
Between the dashed lines tcpFlags reports a summary of the flow variables tcpFStat, tcpFlags, ipFlags and tcpAnomaly, as well as the SYN retry and window size threshold counts. Note that the bits are now grouped strictly according to their topic: window, flags, IP header and TCP anomalies. The scan bits moved to tcpFlags, which became a 16 bit field, so bit combinations such as FIN ACK are now in the upper byte of the tcpFlags status bit field. Let's have a look at them:
tawk -V tcpFStat=0x4ff1 -V ipFlags=0x0044 -V tcpFlags=0x071f -V tcpAnomaly=0x02cc

The tcpFStat column with value 0x4ff1 is to be interpreted as follows:
    bit | tcpFStat | Description
    =============================================================================
      0 | 0x0001   | Packet good for inter-distance assessment
      4 | 0x0010   | Window state-machine initialized
      5 | 0x0020   | Window update
      6 | 0x0040   | Win 0 probe
      7 | 0x0080   | Win 0 probe ACK
      8 | 0x0100   | Min Window detected
      9 | 0x0200   | WS used
     10 | 0x0400   | Window full
     11 | 0x0800   | Window state-machine count up(1)/down(0)
     14 | 0x4000   | TCP Selective ACK Option

The ipFlags column with value 0x0044 is to be interpreted as follows:
    bit | ipFlags | Description
    =============================================================================
      2 | 0x0004  | IPv4 ID roll over
      6 | 0x0040  | IPv4: Don't Fragment bit, IPv6: reserve bit

The tcpFlags column with value 0x071f is to be interpreted as follows:
    bit | tcpFlags | Description
    =============================================================================
      0 | 0x0001   | FIN: No more data, finish connection
      1 | 0x0002   | SYN: Synchronize sequence numbers
      2 | 0x0004   | RST: Reset connection
      3 | 0x0008   | PSH: Push data
      4 | 0x0010   | ACK: Acknowledgement field value valid
      8 | 0x0100   | FIN_ACK: Acknowledgement of FIN
      9 | 0x0200   | SYN_ACK: Acknowledgement of SYN
     10 | 0x0400   | RST_ACK: Acknowledgement of RST

The tcpAnomaly column with value 0x02cc is to be interpreted as follows:
    bit | tcpAnomaly | Description
    =============================================================================
      2 | 0x0004     | SEQ Fast retransmission
      3 | 0x0008     | Duplicate ACK
      6 | 0x0040     | Sequence number out-of-order
      7 | 0x0080     | Sequence mess, rather spurious Retransmission
      9 | 0x0200     | Previous packet not captured
Some duplicate ACKs with SEQ fast retransmissions, so packets were lost and retransmitted.
As WINMIN=1, the warning Min Window detected denotes that the window size hit 0, indicating an overflow of the receiver side buffer. Win 0 probe indicates that this condition persisted, so the sender probes the receiver to find out whether it may send again. Window full denotes that the transmission window of the TCP flow, as advertised by the receiver, is full.
OS fingerprinting
The L3/4 headers still provide some information to estimate the operating system of the sending host. All these parameters are included in the flow and packet file output, such as:
- TTL (ipMinTTL, ipMaxTTL, ipTTLChg): minimal/maximal TTL and the number of TTL changes during the flow lifetime
- Initial window size (tcpInitWinSz): only valid if the 3-way handshake is captured
- TCP options (tcpOptions): aggregated, or in packet mode as hex or human-readable interpretation
If you load the OS fingerprinting plugin tp0f, several other parameters are used as well, and the rounding of the TTL to the next higher 2^n value is already done for you. If you are hard core, just use the parameters from tcpFlags and do the calculations in your head.
If you switch on TCPJA4T=1, then TCP window size, options, MSS and WS are printed in JA4T notation to facilitate the creation of fingerprinting DBs:
JA4T=tcpWinSize_SSAtcpOpts_MSS_WS
JA3/4 hashes are also calculated in sslDecode for SSL/TLS fingerprinting.
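The two calculations just described can be done by hand on the values tcpFlags reports. The following Python snippet is an added example, not part of this tutorial nor of the T2 code: it rounds an observed TTL up to the next common initial TTL (assumed candidates 32, 64, 128 and 255) to obtain a hop estimate, parses the tcpOpts byte list of the packet file into option kinds, and assembles a JA4T-style string from window size, option kinds, MSS and WS. The option bytes and window sizes are copied from the SYN and SYN-ACK of flow 36 (packets 1280 and 1281) shown later in this tutorial; rendering a missing MSS or WS as 00 is this example's convention, not necessarily the official JA4T rule.

```python
# Added example, not tutorial or T2 code: manual OS-fingerprinting helpers
# working on the TTL, tcpWin and tcpOpts columns of the tcpFlags packet mode.
from typing import List, Optional, Tuple

INITIAL_TTLS = (32, 64, 128, 255)  # assumption: the usual OS default initial TTLs


def guess_initial_ttl(ttl: int) -> Tuple[int, int]:
    """Return (assumed initial TTL, hop count) for an observed TTL.

    The initial TTL is the smallest common default that is >= the observed
    value (the "next higher 2^n", with 255 instead of 256); the hop count is
    the difference.
    """
    for cand in INITIAL_TTLS:
        if ttl <= cand:
            return cand, cand - ttl
    raise ValueError(f"TTL {ttl} outside 0..255")


def parse_tcp_opts(opts_hex: str) -> List[Tuple[int, bytes]]:
    """Parse the tcpOpts packet-mode column (';'-separated hex bytes) into
    (kind, data) pairs. Kinds 0 (EOL) and 1 (NOP) carry no length byte."""
    raw = bytes(int(b, 16) for b in opts_hex.split(";") if b)
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            out.append((0, b""))
            break
        if kind == 1:                      # NOP padding
            out.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad option length {length} for kind {kind}")
        out.append((kind, raw[i + 2:i + length]))
        i += length
    return out


def ja4t(win: int, opts_hex: str) -> str:
    """Build a JA4T-style string: window_kinds_MSS_WS.

    Kinds are listed in wire order, hyphen-separated; a missing MSS or WS is
    rendered as 00 (this example's convention)."""
    opts = parse_tcp_opts(opts_hex)
    kinds = "-".join(str(k) for k, _ in opts)
    mss: Optional[int] = None
    ws: Optional[int] = None
    for kind, data in opts:
        if kind == 2 and len(data) == 2:   # Maximum Segment Size
            mss = int.from_bytes(data, "big")
        elif kind == 3 and len(data) == 1: # Window Scale shift count
            ws = data[0]
    mss_s = "00" if mss is None else str(mss)
    ws_s = "00" if ws is None else str(ws)
    return f"{win}_{kinds}_{mss_s}_{ws_s}"


# Values copied from packets 1280 (client SYN) and 1281 (server SYN-ACK)
# of flow 36 in the packet file shown later in this tutorial.
SYN_OPTS = "0x02;0x04;0x05;0xb4;0x01;0x03;0x03;0x02;0x01;0x01;0x04;0x02"
SYNACK_OPTS = "0x02;0x04;0x05;0x64;0x01;0x01;0x04;0x02"

if __name__ == "__main__":
    print(guess_initial_ttl(128))   # (128, 0): observed TTL 128 of the local host
    print(guess_initial_ttl(111))   # (128, 17): the server is 17 hops away
    print(ja4t(8192, SYN_OPTS))     # 8192_2-1-3-1-1-4_1460_2
    print(ja4t(8192, SYNACK_OPTS))  # 8192_2-1-1-4_1380_00
```

The kinds string is where the fingerprint value lies: the order of MSS, NOP, WS and SACK-permitted options is a stack choice, and it is what separates the client SYN (kinds 2-1-3-1-1-4) from the server's SYN-ACK (2-1-1-4, no window scale) in this flow.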
Host load estimation
I hate IPv6! Why? Because these bastards omitted the IP ID in the L3 header. And I hate OSes which do not increment the IP ID by 1 for each packet being sent. Why? Because it is an excellent parameter to estimate the load of a server. If the IP ID increments by a large value, several other connections (flows) must exist beside the one I'm looking at, so the host has a lot of work to do.
- IPv4 (ipMindIPID, ipMaxdIPID): minimal/maximal IP ID difference (delta) between packets during the flow lifetime.
There are still OSes which increment the IP ID by 1, so if ipMindIPID==2, ipMaxdIPID is an indicator of the host load.
Another indication is the number of flows per host. Have a look at the connStat plugin tutorial.
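To see what ipMindIPID and ipMaxdIPID contain, here is an added Python example (not part of the tutorial nor of T2) that computes the IP ID deltas of consecutive packets of one flow direction, takes them modulo 2^16 so that a counter wrap (the ipFlags bit IPv4 ID roll over) does not produce a bogus value, and derives a rough per-packet load indicator from them. The ipID sequences are copied from the flow 36 packets shown later in this tutorial; the wrapping sequence is constructed.

```python
# Added example, not tutorial or T2 code: IP ID delta statistics per flow.
from typing import Dict, List

IPID_MOD = 1 << 16   # the IPv4 identification field is 16 bits wide


def ipid_stats(ipids: List[int]) -> Dict[str, object]:
    """Min/max IP ID delta, roll-over flag and a rough load indicator for a
    list of IPv4 ID values of one sender in capture order.

    The load indicator is the average number of packets the host sent to
    other peers between two packets of this flow (delta - 1 per step)."""
    if len(ipids) < 2:
        return {"mindIPID": 0, "maxdIPID": 0, "rollover": False, "load": 0.0}
    deltas: List[int] = []
    rollover = False
    for prev, cur in zip(ipids, ipids[1:]):
        if cur < prev:                         # counter wrapped past 0xffff
            rollover = True
        deltas.append((cur - prev) % IPID_MOD)  # wrap-safe delta
    load = (sum(deltas) - len(deltas)) / len(deltas)
    return {"mindIPID": min(deltas), "maxdIPID": max(deltas),
            "rollover": rollover, "load": load}


# ipID values copied from the flow 36 packets shown later in this tutorial
A_IPIDS = [16259, 16266, 16277, 16278]          # 192.168.1.105 -> 143.166.11.10
B_IPIDS = [17228, 18966, 18967, 19785, 19786]   # 143.166.11.10 -> 192.168.1.105
# constructed sequence that wraps around 0xffff
WRAP_IPIDS = [65533, 65535, 1, 2]

if __name__ == "__main__":
    print("A", ipid_stats(A_IPIDS))      # deltas 7, 11, 1: a quiet client
    print("B", ipid_stats(B_IPIDS))      # deltas 1738, 1, 818, 1: a busy server
    print("wrap", ipid_stats(WRAP_IPIDS))  # deltas 2, 2, 1 despite the wrap
```

The B direction shows the effect the text describes: between two captured packets of this single flow the server's IP ID jumped by 1738 and 818, so it was serving a lot of other traffic at the time, whereas the client's ID advanced by at most 11.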
tcpFlags troubleshooting TCP connections
Basically, the status bit fields tcpFStat and tcpAnomaly flag flows in trouble. Let's have a look at all flows with duplicate ACKs and retransmissions. In the flow file you might notice a new column tcpBFlgtMx. It denotes the maximum TCP bytes in flight of a flow. Why mostly B flows? Because the packet got lost in the A flow, right?
tawk 'bitsanyset($tcpAnomaly, 0x000c)' ~/results/faf-exercise_flows.txt | tcol
Have a look at A&B flow 36, which is lit up like a Xmas tree. Here we have a lot of reasons why there is a major mess:
tawk -V tcpFStat=0x49b1 -V tcpFStat=0x0c51 -V tcpAnomaly=0x02c4 -V tcpAnomaly=0008

The tcpFStat column with value 0x49b1 is to be interpreted as follows:
    bit | tcpFStat | Description
    =============================================================================
      0 | 0x0001   | Packet good for inter-distance assessment
      4 | 0x0010   | Window state-machine initialized
      5 | 0x0020   | Window update
      7 | 0x0080   | Win 0 probe ACK
      8 | 0x0100   | Min Window detected
     11 | 0x0800   | Window state-machine count up(1)/down(0)
     14 | 0x4000   | TCP Selective ACK Option

The tcpFStat column with value 0x0c51 is to be interpreted as follows:
    bit | tcpFStat | Description
    =============================================================================
      0 | 0x0001   | Packet good for inter-distance assessment
      4 | 0x0010   | Window state-machine initialized
      6 | 0x0040   | Win 0 probe
     10 | 0x0400   | Window full
     11 | 0x0800   | Window state-machine count up(1)/down(0)

The tcpAnomaly column with value 0x02c4 is to be interpreted as follows:
    bit | tcpAnomaly | Description
    =============================================================================
      2 | 0x0004     | SEQ Fast retransmission
      6 | 0x0040     | Sequence number out-of-order
      7 | 0x0080     | Sequence mess, rather spurious Retransmission
      9 | 0x0200     | Previous packet not captured

The tcpAnomaly column with value 0x0008 is to be interpreted as follows:
    bit | tcpAnomaly | Description
    =============================================================================
      3 | 0x0008     | Duplicate ACK
So flow A had a full buffer and reduced its window size to 0; B hit a window full alarm, and since then B probes whether the window is non-zero again so that it can send more data. Hence the retransmissions, fast and spurious, and we have a case of a missing packet in the pcap. And therefore flow B sends duplicate ACKs.
You can follow that in the corresponding packet file:
tawk 'flow(36)' ~/results/faf-exercise_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto ipToS ipID ipIDDiff ipFrag ipTTL ipHdrChkSum ipCalChkSum l4HdrChkSum l4CalChkSum ipFlags ip6HHOptLen ip6HHOpts ip6DOptLen ip6DOpts ipOptLen ipOpts seq ack seqMax seqDiff ackDiff seqLen ackLen seqFlowLen ackFlowLen tcpMLen tcpBFlgt tcpFStat tcpFlags tcpAnomaly tcpWin tcpWS tcpMSS tcpTmS tcpTmER tcpMPTyp tcpMPF tcpMPAID tcpMPDSSF tcpOptLen tcpOpts tcpStatesAFlags l7Content
1280 36 0x0400000000004000 1258594163.408285000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 16259 0 0x4000 128 0x5e7f 0x5e7f 0xbd9c 0xbd9c 0x0040 0 0 0 3392384642 0 3392384642 0 0 0 0 0 0 0 0 0x0010 0x0002 0x0000 8192 0 1460 0 0 0 0x00 0 0x00 12 0x02;0x04;0x05;0xb4;0x01;0x03;0x03;0x02;0x01;0x01;0x04;0x02 0x00
1281 36 0x0400000000004001 1258594163.487027000 0.000000000 0.078742016 0.000000000 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell Technologies 64334 192.168.1.105 07 Private network 49330 6 0x00 17228 0 0x4000 111 0x6bba 0x6bba 0x738a 0x738a 0x0040 0 0 0 3177226489 3392384643 3177226489 0 0 0 0 0 0 0 0 0x0010 0x0212 0x0000 8192 0 1380 0 0 0 0x00 0 0x00 8 0x02;0x04;0x05;0x64;0x01;0x01;0x04;0x02 0x00
1282 36 0x0400000000004000 1258594163.487488000 0.079203000 0.000460992 0.079203000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 16266 7 0x4000 128 0x5e84 0x5e84 0xc2a1 0xc2a1 0x0040 0 0 0 3392384643 3177226490 3392384643 1 0 0 0 0 0 0 0 0x0811 0x0010 0x0000 64860 0 1460 0 0 0 0x00 0 0x00 0 0x00
1287 36 0x0400000000004001 1258594163.644682000 0.157655000 0.157193984 0.157655000 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell Technologies 64334 192.168.1.105 07 Private network 49330 6 0x00 18966 1738 0x4000 111 0x5f94 0x5f94 0x153a 0x153a 0x0040 0 0 0 3177226490 3392384643 3177226490 1 0 0 0 0 0 1380 1380 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 0 0x00 0 0x00 MZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\r\n$.......PE..L....IV:.................&...*...............@....@.................................Z.A...................................... .......@...$............@......p..t\e...................................................#...............................text....$.......&.................. ..`.rdata..\t....@.......*..............@..@.data...|....P.......,..............@....idata....... .......H..............@....rsrc....$...@...&...\..............@..@.reloc...!...p..."..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................U....X...SVWh....3.W...%C.P...%C.W.u\bW.E.h....V...%C..u\f......Q.l.....\b......hhPA.Q.`.....\bWj.V...%C.P...%C.............PQ..h$C......ubj.V...%C.P...%C.f=..w7.u\f.T).......u4.u\f......Q.......\b......hhPA.Q.......\b...E\f.@................V...%C..E....C...\g..k.....................P..!.....H......PQ.......\b.......uA.......u/.......u&.u\f...........r`hdPA.......
1288 36 0x0400000000004001 1258594163.644692000 0.000010000 0.157203968 0.157665000 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell Technologies 64334 192.168.1.105 07 Private network 49330 6 0x00 18967 1 0x4000 111 0x5f93 0x5f93 0x77eb 0x77eb 0x0040 0 0 0 3177227870 3392384643 3177227870 1380 0 1380 0 1380 0 2760 2760 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 0 0x00 0 0x00 P.F.....\b.\t.......tA.E.......PQ..............PQ.u....#C.;].}..].......Pj.h....V...%C.......PW..l$C.....2...j.Sh....V...%C.W..\f%C.j.j.h....V...%C..u....%C._^[..].U3.....(V.E\b.M..M..E..M..u\f.M..E..u.P.M..E...@..E.6....\r\PA..M....%C.f.......tD3....C..M..M..E..M..M..u...`PA..M..M..U..E...@..E.\b...Q...%C.f=..\e.@^..].V......t$\b.5\PA....%C...u.3..t$\b.5`PA....%C...u.3...^.U........SVW.xPA..}...E\f...tS.....3........1........D.....+........,......=...........u..u..u\f.u\b..|%C._^[..]....u.j.3..v..v..v..v..u\b...%C.S....C..5..C.S...Dg...u\bk.....P.F....Pj.j.h.. P.v$hlPA.S...%C.P.E.S.u\b...%C.S.5XZA.j0.u....%C..u..}..].......:...... .E.........Ha.A.......E..E.P..d$C..E....t#...t4..............w....E......|......C....g.....g...f......C.hhPA..........g.....g..Q......\.X.....\b..X.........PQ..h$C.hdPA.......Q.E..%.....\b......Q..#...........PQ.......\b.u...\f%C.......E.......P..............E.....QR.@...........j\......P.......\b...@P. #...........Pjs...C..2...PQ.Z%...........Q..".................PjcQR.2%.................QR.R.....\b.\r..C....... ...g.....g...!=.\b..t\t.E..........C....g.....g...}..t2......Pj.hC....u....%C............QPhQ....u....%C..E..}...........C.......:u\n......$.........@...................Pj.hM....u....%C.3......3......j..u\b...%C....P...%C.3............P.u\b..h&C..M.Q.u\b..p&C.j..u..u..u..u........pE...........Q.u\b...&C.3.......u..~\b.u.V.\nD................F\f..t"V.AB..
1289 36 0x0400000000004000 1258594163.644891000 0.157403000 0.000199040 0.236606000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 16277 11 0x4000 128 0x5e79 0x5e79 0xbd3d 0xbd3d 0x0040 0 0 0 3392384643 3177229250 3392384643 0 2760 0 2760 0 2760 0 0 0x0011 0x0010 0x0000 63480 0 1460 0 0 0 0x00 0 0x00 0 0x00
1290 36 0x0400000000004000 1258594163.647385000 0.002494000 0.002693056 0.239100000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 16278 1 0x4000 128 0x5e78 0x5e78 0xb7d9 0xb7d9 0x0040 0 0 0 3392384643 3177229250 3392384643 0 0 0 0 0 2760 0 0 0x0831 0x0010 0x0000 64860 0 1460 0 0 0 0x00 0 0x00 0 0x00
1291 36 0x0400000000004001 1258594163.722388000 0.077696000 0.075002944 0.235361000 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell Technologies 64334 192.168.1.105 07 Private network 49330 6 0x00 19785 818 0x4000 111 0x5c61 0x5c61 0xf480 0xf480 0x0040 0 0 0 3177229250 3392384643 3177229250 1380 0 1380 0 2760 0 4140 1380 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 0 0x00 0 0x00 ....F..t\tV..C...........V.....t.V.\eB...........?.......%...V..C...........$....M..A\fd......C....Dg........Q.......E....f=..uDj..u\b...%C....j.......QP...%C...M\bf..........QPh.....u\b...%C.P...%C.3......U........SVW.u\f...w-..|......tl.....H....u..u.V.u\b..|%C._^[..]........f.....+........,...........%...........5..............................].j..K @....{.3..s..7.s..s..u\b...%C.V.C..5..C..s\b.u\b...P.....Pj.j.hS..P.s$h.PA.V...%C.....u.V..PA.PP.u\b...%C.3..XZA.VPj0S...%C.V.............Ph....S...%C.h.....p........SV.u\b...%C.Wj..u\b..l%C.Vj..u\b...%C.Vh....j..u\b..p%C.3......j..u\b..x%C.P........j..u\b..t%C.3......j..u\b...%C....P...%C..x....E.P.u\b..h&C..M.Q.u\b..p&C.j..u..u..u..u..u...B......M.Q.u\b...&C.3..A....}...\b.u.W.a?...........%....G\f..t"W.x=......G..t\tW.8?.................t.W.R=.......................W..?..................C..U....Dg........J.......u..u.V.u\b...%C.P...%C.......E................3.W.u\b...%C....j..u\b..x%C...WWh....V...%C......L...QPh....V...%C...L... u.S.a..........L...PS.......\bh|PA.S.......\bSV.>.....\bSS.d......Ph.....u\b...%C.P...%C.3......j..u\b...%C.f@Pj..u\b...%C.3......j..u\b..x%C..u.P.........\bV.........|..\t.h|PA.V.x.....\bj..u\b...%C....VP.......\bVV........Ph.....u\b...%C.P...%C.3..F...U....L....}\f....SVWv..E\b.......M....E.....jD..|...j.P.......\f.E\b.M\f........|...Iu..E\f9.|...u.3..U..E .\n.\b...........E..8.u....A.U.;.v..E .M...9\bs.........E..8.u....N..|..
1292 36 0x0400000000004001 1258594163.722400000 0.000012000 0.075014976 0.235373000 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell Technologies 64334 192.168.1.105 07 Private network 49330 6 0x00 19786 1 0x4000 111 0x5c60 0x5c60 0xe46d 0xe46d 0x0040 0 0 0 3177230630 3392384643 3177230630 1380 0 1380 0 4140 0 5520 2760 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 0 0x00 0 0x00 .;.u..E .u.90v..0........E.;.v....|....8)}.x(...A.}...;..}.w....|.....)E.y.......g.........]....E.3.N...E.............t\r.8....9...Nu..u\b3........t..........@...<..tA.G;}\fr.3.3..}.........8..........}..}..E..tA..E.....9U........E....|....M....E..E..M.....p....u......5<.....;E...3....E.@.E...5<.......U..E +..E...;.v....E.+..E.......M...;E.v$.M..E.A+..M.;U.v......;.v\n+..E.;U.w..E...;E.v\r9].v\b.E.+..E.......M....M..E....\b.....5<...R.P...............M..U.A....\r\b.C..E..H....\n.M.........5....tP.E..M.....5......58....E....U..E..E..U..U........J*.58...#U.......M...5.......J...5<.....;E........M..E\f*.....tA..M.;U.w..E.c.^.E...;U.s.f.U........E...U...E..E..6.}$.t..E.......E.+u...p.E..}$.t\bf.E.....+U..E.f..Pf.E..E........U......E...9U.v..E..\f..E.....M..E..u..U..E..M....E..N..E.9U.w.......M......E.t\n1E....E.u..U......1E........H#E.;............+..8...............H.M.#E.;......u.......E..E.9E...a.....<....E .}...\bt(.}..t"........}..t......................3._^[..]..D$.V..t..p...\bP.\f..........u.3.^.U...C....\r..C.....E..E..M.SVW.5..C...\fE.UA..U..M....U.UA..E..E.9E.sQ..{A..\r.{A...~ .\r..A.x..\r$.A......$.A..\f......................M....M.\tE..E.\b9M.r..M..E\b#M..<...............c.......O.....m....)E.9].sN..{A..\r.{A...~ .\r..A.x..\r$.A......$.A..\f.y...............t....M....E.\b\tE.9].r....].UA.#E.....G...........v....O..m....)E....ug.G.F.........|A........=.YA..t1.@.A...;.,{A.w2V.@.A.h.|
...
In the following chapters we will discuss window size, sequence number and other features useful in troubleshooting and security analysis.
Window size features
The TCP window size is the receive buffer advertised by TCP flow control and gives an indication of how fast the destination host can digest data.
As indicated in the previous chapter, all window anomaly bits are now situated in tcpFStat:
The tcpFStat column is to be interpreted as follows:
    bit | tcpFStat | Description
    =============================================================================
      0 | 0x0001   | Packet good for inter-distance assessment
      1 | 0x0002   | TCP option init
      2 | 0x0004   | Timestamp option decreasing
      3 | 0x0008   | L4 option field corrupt or not acquired
      4 | 0x0010   | Window state-machine initialized
      5 | 0x0020   | Window update
      6 | 0x0040   | Win 0 probe
      7 | 0x0080   | Win 0 probe ACK
      8 | 0x0100   | Min Window detected
      9 | 0x0200   | WS used
     10 | 0x0400   | Window full
     11 | 0x0800   | Window state-machine count up(1)/down(0)
     12 | 0x1000   | L4 Checksum calculation if present
     13 | 0x2000   | UDPLITE Checksum coverage error
     14 | 0x4000   | TCP Selective ACK Option
     15 | 0x8000   | MPTCP detected
So Window Scaling was used at the beginning. Then, after a Min Window detected, a sender Window full followed, and then a Win 0 probe was issued in order to test whether more bytes are accepted. Makes sense, and it can be investigated in the packet file of the previous chapter.
In the flow file the initial window size tcpInitWinSz in combination with the TTL is still a reasonable feature to estimate the type of OS. If tcpMinWinSz hits 0, the buffer of the receiving host is full and the sender has to wait.
As in the end report, the variable tcpWinSzThRt counts the occurrences where the window size drops below the configurable threshold WINMIN in tcpFlags.h (default 1). So it counts how often the receiver applies back-pressure to the sender.
The parameters tcpWinSzDwnCnt, tcpWinSzUpCnt and tcpWinSzChgDirCnt are experimental; they try to aggregate the evolution of the window size, which is governed by several algorithms. They denote the per-packet up or down count of the window size and how often these counts reverse direction, giving an indication of irregularities in flow control.
As you can see, the counts are high in flow 36, which has a lot of flow and error control problems.
tawk 'bitsanyset($tcpFStat, 0x0700) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly, $tcpInitWinSz, $tcpAveWinSz, $tcpMinWinSz, $tcpMaxWinSz, $tcpWinSzDwnCnt, $tcpWinSzUpCnt, $tcpWinSzChgDirCnt, $tcpWinSzThRt }' ~/results/faf-exercise_flows.txt | tcol
%dir flowInd flowStat srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpFStat ipFlags tcpFlags tcpAnomaly tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt
A 15 0x0400000000004000 192.168.1.105 07 "Private network" 49218 192.168.1.1 07 "Private network" 25 6 0x0a11 0x0040 0x011b 0x0000 8192 64982.55 8192 65536 3 2 4 0
B 15 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49218 6 0x0a11 0x0044 0x031b 0x0008 65535 524219.4 65535 524280 1 2 2 0
A 16 0x0400000000004000 192.168.1.105 07 "Private network" 49219 192.168.1.1 07 "Private network" 25 6 0x0a11 0x0040 0x011b 0x0000 8192 64673.17 8192 65536 3 1 4 0
B 16 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49219 6 0x0a11 0x0044 0x031b 0x0008 65535 524225.7 65535 524280 1 2 2 0
A 17 0x0400000000004000 192.168.1.105 07 "Private network" 49220 192.168.1.1 07 "Private network" 25 6 0x0a11 0x0040 0x011b 0x0000 8192 64668.98 8192 65536 3 2 4 0
B 17 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49220 6 0x0a11 0x0044 0x031b 0x0008 65535 524220.3 65535 524280 1 2 2 0
A 22 0x0400000000004000 192.168.1.105 07 "Private network" 49336 192.168.1.1 07 "Private network" 25 6 0x0a11 0x0040 0x011b 0x0000 8192 64668.98 8192 65536 3 2 4 0
B 22 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49336 6 0x0a11 0x0044 0x031b 0x0008 65535 524228.2 65535 524280 1 2 2 0
A 23 0x0400000000004000 192.168.1.105 07 "Private network" 49353 192.168.1.1 07 "Private network" 25 6 0x0a11 0x0040 0x011b 0x0000 8192 64668.98 8192 65536 3 2 4 0
B 23 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49353 6 0x0a11 0x0044 0x031b 0x0008 65535 524227.5 65535 524280 1 2 2 0
A 26 0x0400000000004000 192.168.1.105 07 "Private network" 49561 192.168.1.1 07 "Private network" 25 6 0x0a11 0x0040 0x011b 0x0000 8192 64740.93 8192 65536 3 2 4 0
B 26 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49561 6 0x0a11 0x0044 0x031b 0x0008 65535 524166.4 65535 524280 2 2 3 0
A 36 0x0400000000004000 192.168.1.105 07 "Private network" 49330 143.166.11.10 us "Dell Technologies" 64334 6 0x49b1 0x0040 0x0416 0x0008 8192 45402 0 64860 253 194 254 0.001981506
B 36 0x0400000000004001 143.166.11.10 us "Dell Technologies" 64334 192.168.1.105 07 "Private network" 49330 6 0x0c51 0x0044 0x031b 0x02c4 8192 64860 8192 64860 0 1 1 0
Have a look at the packet file and identify the flow control problems in flow 36. Is this flow benign or part of malicious activity?
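As an added example (not part of the tutorial nor of tawk itself), the following Python script does what the two bitsanyset() filters of this and the previous chapter do: it reads a T2 flow file, selects flows with duplicate ACK or fast retransmission anomalies (tcpAnomaly mask 0x000c) or with window 0 / window full trouble (tcpFStat mask 0x05c0, i.e. the Win 0 probe, Win 0 probe ACK, Min Window detected and Window full bits; the 0x0700 used above also matches WS used, which is why the healthy SMTP flows showed up there), and decodes the set bits with the tables printed by tawk -V. The embedded flow file excerpt is constructed from the flow 15 and flow 36 rows above, reduced to the columns used here; a real txtSink flow file is tab-separated with the same % header line.

```python
# Added example, not tutorial or T2 code: a Python stand-in for
# tawk 'bitsanyset($tcpAnomaly, 0x000c)' plus decoding of the status bits.
from typing import Dict, Iterable, List

# bit -> meaning, copied from the tawk -V tables in this tutorial
TCP_FSTAT = {
    0x0010: "Window state-machine initialized", 0x0020: "Window update",
    0x0040: "Win 0 probe", 0x0080: "Win 0 probe ACK",
    0x0100: "Min Window detected", 0x0200: "WS used", 0x0400: "Window full",
    0x0800: "Window state-machine count up(1)/down(0)",
    0x4000: "TCP Selective ACK Option",
}
TCP_ANOMALY = {
    0x0004: "SEQ Fast retransmission", 0x0008: "Duplicate ACK",
    0x0040: "Sequence number out-of-order",
    0x0080: "Sequence mess, rather spurious Retransmission",
    0x0200: "Previous packet not captured",
}
WIN_TROUBLE = 0x0040 | 0x0080 | 0x0100 | 0x0400   # 0x05c0
DUPACK_FASTRETX = 0x0004 | 0x0008                 # 0x000c

# Constructed excerpt of faf-exercise_flows.txt (flows 15 and 36, subset of columns)
FLOWS_TXT = """\
%dir\tflowInd\tsrcIP\tsrcPort\tdstIP\tdstPort\ttcpFStat\ttcpAnomaly\ttcpMinWinSz\ttcpWinSzThRt
A\t15\t192.168.1.105\t49218\t192.168.1.1\t25\t0x0a11\t0x0000\t8192\t0
B\t15\t192.168.1.1\t25\t192.168.1.105\t49218\t0x0a11\t0x0008\t65535\t0
A\t36\t192.168.1.105\t49330\t143.166.11.10\t64334\t0x49b1\t0x0008\t0\t0.001981506
B\t36\t143.166.11.10\t64334\t192.168.1.105\t49330\t0x0c51\t0x02c4\t8192\t0
"""


def read_flows(text: str) -> List[Dict[str, str]]:
    """Parse a T2 txtSink flow file (tab-separated, '%' header) into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def bitsanyset(value: str, mask: int) -> bool:
    """Same semantics as tawk's bitsanyset(): any bit of mask set in value."""
    return int(value, 16) & mask != 0


def decode(value: str, table: Dict[int, str]) -> List[str]:
    """Expand a hex status word into the names of the bits that are set."""
    v = int(value, 16)
    return [name for bit, name in sorted(table.items()) if v & bit]


def troubled_flows(rows: Iterable[Dict[str, str]],
                   anomaly_mask: int = DUPACK_FASTRETX,
                   window_mask: int = WIN_TROUBLE) -> List[Dict[str, object]]:
    """Flows with dup-ACK/fast-retransmit anomalies or window 0/full trouble."""
    out: List[Dict[str, object]] = []
    for r in rows:
        if bitsanyset(r["tcpAnomaly"], anomaly_mask) or bitsanyset(r["tcpFStat"], window_mask):
            out.append({
                "flow": f'{r["dir"]}{r["flowInd"]}',
                "peer": f'{r["srcIP"]}:{r["srcPort"]} -> {r["dstIP"]}:{r["dstPort"]}',
                "anomalies": decode(r["tcpAnomaly"], TCP_ANOMALY),
                "window": decode(r["tcpFStat"], TCP_FSTAT),
                "minWin": int(r["tcpMinWinSz"]),
            })
    return out


if __name__ == "__main__":
    for f in troubled_flows(read_flows(FLOWS_TXT)):
        print(f)
```

Flow A15 drops out with the narrower window mask (it only has WS used set), while both directions of flow 36 remain: A36 with Min Window detected and a minimum window of 0, B36 with Win 0 probe, Window full and the whole retransmission family in tcpAnomaly.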
Sequence and acknowledge numbers
I added some more columns for the packet mode to track faults and to make counts more consistent. seqDiff and ackDiff are now the real difference of the seq or ack numbers, so they can also be negative. seqLen and ackLen denote the positive difference, hence an indication of the payload length. seqFlowLen and ackFlowLen are the aggregated seqLen and ackLen. tcpMLen is the real l7Len, just like in basicStats. tcpBFlgt denotes the bytes in flight. Similar columns exist in the flow file.
TCP error control is achieved by Seq and Ack numbers, which are a formidable tool for troubleshooting and contain information about network or host problems. The differences between these parameters denote the bytes being transferred between both peers. The packet ACK count is only exact if every packet sent is acknowledged individually (idle repeat request mode), which would defeat the purpose of an efficient TCP communication; so in general it is only a lower bound.
The fault counts from both directions are an indicator of the health of the connection. Divided by the number of packets sent (from basicStats), they give a good performance measure.
The initial sequence number tcpISeqN is used for covert channels, and it can help to identify crafting tools if more than one flow from the same IP is available. Make sure that the flow is complete by checking tcpFlags for a SYN, otherwise tcpISeqN is just the sequence number of the first packet seen.
As in earlier versions, the column tcpFlwLssAckRcvdBytes denotes the amount of content transmitted by the opposite flow. So if you have only one flow, you have a number to estimate the amount of traffic not seen in that pcap. Some magic to impress customers.
tawk 'bitsanyset($tcpAnomaly, 0x0008) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $ipFlags, $tcpFStat, $tcpFlags, $tcpAnomaly, $tcpISeqN, $tcpSeqSntBytes, $tcpSeqFaultCnt, $tcpPAckCnt, $tcpFlwLssAckRcvdBytes, $tcpAckFaultCnt, $tcpBFlgtMx }' ~/results/faf-exercise_flows.txt | tcol
%dir flowInd flowStat srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto ipFlags tcpFStat tcpFlags tcpAnomaly tcpISeqN tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpBFlgtMx
B 12 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1397 6 0x0044 0x0011 0x031b 0x0008 1702698086 1440 0 30 2943 1 852
B 13 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1749 6 0x0044 0x0011 0x031b 0x0008 645942508 1405 0 30 5679 2 852
B 14 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1755 6 0x0044 0x0011 0x031b 0x0008 328872932 1405 0 28 2357 1 852
B 15 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49218 6 0x0044 0x0a11 0x031b 0x0008 652739796 1519 0 29 4899 2 852
B 16 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49219 6 0x0044 0x0a11 0x031b 0x0008 1405763652 799 0 30 4429 2 166
B 17 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49220 6 0x0044 0x0a11 0x031b 0x0008 916601873 1466 0 27 2750 2 852
B 18 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1806 6 0x0044 0x0011 0x031b 0x0008 925488549 1370 0 28 4371 2 852
B 19 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1400 6 0x0044 0x0011 0x031b 0x0008 1816175150 1370 0 26 1522 1 852
B 20 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1404 6 0x0044 0x0011 0x031b 0x0008 113675184 1370 0 28 5247 2 852
B 21 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1405 6 0x0044 0x0011 0x031b 0x0008 6599705 632 0 28 5796 1 166
B 22 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49336 6 0x0044 0x0a11 0x031b 0x0008 226877106 1466 0 27 2430 2 852
B 23 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49353 6 0x0044 0x0a11 0x031b 0x0008 1304812153 1466 0 27 2462 2 852
B 24 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1836 6 0x0044 0x0011 0x031b 0x0008 1667500374 1370 0 26 3372 1 852
B 25 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1709 6 0x0044 0x0011 0x031b 0x0008 1075440067 1370 0 26 2374 1 852
B 26 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49561 6 0x0044 0x0a11 0x031b 0x0008 1983906088 1466 0 28 4334 2 852
B 27 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.104 07 "Private network" 1572 6 0x0044 0x0011 0x031b 0x0008 1684028818 308 0 17 1021 1 166
B 28 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.104 07 "Private network" 1604 6 0x0044 0x0011 0x031b 0x0008 1644748927 308 0 17 761 1 166
B 29 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.104 07 "Private network" 1665 6 0x0044 0x0011 0x031b 0x0008 1401071890 308 0 17 574 1 166
B 30 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1934 6 0x0044 0x0011 0x031b 0x0008 18417741 1370 0 27 5732 1 852
B 31 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 2008 6 0x0044 0x0011 0x031b 0x0008 2088358893 1370 0 26 3460 1 852
B 32 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1911 6 0x0044 0x0011 0x031b 0x0008 398501520 1370 0 29 7079 2 852
A 33 0x0400000000004000 192.168.1.104 07 "Private network" 1908 198.189.255.75 us "California State University" 80 6 0x0040 0x0011 0x011b 0x0008 3626872219 319 0 23 95699 1 319
A 36 0x0400000000004000 192.168.1.105 07 "Private network" 49330 143.166.11.10 us "Dell Technologies" 64334 6 0x0040 0x49b1 0x0416 0x0008 3392384642 0 0 1511 4255056 437 0
If you look at the packet mode from packet 4188 on, you will notice that during the fast retransmit the seqDiff is negative in packet 4209 and seqLen is 0, denoting that no new L7 content is sent. Packet 4210 then jumps back to the highest sequence number (seqMax), so its seqDiff is larger than its payload; tcpMLen keeps counting the real L7 bytes. You can now follow the process of sending and acknowledging data.
If you only have one flow, you are still able to estimate the payload of the other flow via ackLen and ackFlowLen for each packet. This comes in really handy if you cannot see the other flow and still want to assess the amount of traffic flowing in the other direction.
tawk 'packet("4188-4211")' ~/results/faf-exercise_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto ipToS ipID ipIDDiff ipFrag ipTTL ipHdrChkSum ipCalChkSum l4HdrChkSum l4CalChkSum ipFlags ip6HHOptLen ip6HHOpts ip6DOptLen ip6DOpts ipOptLen ipOpts seq ack seqMax seqDiff ackDiff seqLen ackLen seqFlowLen ackFlowLen tcpMLen tcpBFlgt tcpFStat tcpFlags tcpAnomaly tcpWin tcpWS tcpMSS tcpTmS tcpTmER tcpMPTyp tcpMPF tcpMPAID tcpMPDSSF tcpOptLen tcpOpts tcpStatesAFlags l7Content
4188 36 0x0400000000004001 1258594178.123989000 0.000008000 0.005184000 14.636962000 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell Technologies 64334 192.168.1.105 07 Private network 49330 6 0x00 28901 1 0x4000 111 0x38c5 0x38c5 0x8f75 0x8f75 0x0040 0 0 0 3179900510 3392384643 3179900510 1380 0 1380 0 3304680 0 2687822 24840 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 0 0x00 0 0x00 .X,........\R\b.7o*.\f...[6...UiT...p.[X@(.OW..;\b.Qn#..-.-\[..Z..`...E.T..]..a!k..is..@.....K.>jb.K...i ...o..p.Pp..G....a.n...t=..e^...D....!9..l.....SPX....a]....E....\f.*y.T.\n.A.n.^....\b..<.z[...CBlJ......O.N...r.Z.....A....f..P..).X.h..........p^.c.....J..M.j..E....el....B.....B?...aS...T:4.....n..Dqe...3..l.HQ3&f,KZ....R)..B.....]..........I>....e...w.....bp6p.......C..T.[....81......I....w.|....!.8....5....A..\f....T?.m..p.<...a...[.../.....P.plD..y .....j............p...^..\..\...j..(.....^...r.....lw.kQ.......<..u....;..........~..;......Is{.Y...<?..;............;.m..k...N?..;...W.(...[-..~.iw.?.....o.*.^..x\b...^...p.t..~...|...c..s.8.G.\e......?Nw.~......\...eS..~.w.!.F?..w.sy...v..g.....7....U.?................w.../....K....s..........7(..6.....r...oV......'!..j^..0........3.R.yj....p.....k...]~........z.....g\n..?.t.nA.u%J..iJ.@:}..)-.?..wH....W...........~...T\t#....F.k..]A......jJ.E.g..Lz\r.^.>..;...xj|p...a..Y.......k/S.......;.....M.p.\nWX.R....Q2!0.J....0m.....T.6...n!!_h..2I^..e..2.t..%\e..`.>o,....G......l....\r....kK)...1.i@7.,.\......@.J..A.....F5e....K...P..Ni.HWn..D.F....zU..h3A..\...l3W.....5KA....C..Z.}O.FiT...o..H.U|VP...R.u%..\boh...,L.\\n.,I.:.u....n...mrc...9A[..P....!...:.....O..\e..K....:.*=....[2WZ\n`J....(.....@..\e6A...u...H...uk7f.......4..S\n!...SYTJ..B.&....89.TPP\n."E../9.E.-7<_S.|-..U..Y...?.b.....z$.w~I.6'QXs.\n.......2.|.v\nx.B.l...]W..w.
4189 36 0x0400000000004000 1258594178.124053000 0.005248000 0.000064000 14.715768000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17789 1 0x4000 128 0x5885 0x5885 0xa53a 0xa53a 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x18;0x1e 0x00
4190 36 0x0400000000004000 1258594178.124055000 0.000002000 0.000066000 14.715770000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17790 1 0x4000 128 0x5884 0x5884 0x9fd6 0x9fd6 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x1d;0x82 0x00
4191 36 0x0400000000004000 1258594178.124056000 0.000001000 0.000067000 14.715771000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17791 1 0x4000 128 0x5883 0x5883 0x9a72 0x9a72 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x22;0xe6 0x00
4192 36 0x0400000000004000 1258594178.124058000 0.000002000 0.000069000 14.715773000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17792 1 0x4000 128 0x5882 0x5882 0x950e 0x950e 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x28;0x4a 0x00
4193 36 0x0400000000004000 1258594178.124295000 0.000237000 0.000306000 14.716010000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17793 1 0x4000 128 0x5881 0x5881 0x8faa 0x8faa 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x2d;0xae 0x00
4194 36 0x0400000000004000 1258594178.124297000 0.000002000 0.000308000 14.716012000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17794 1 0x4000 128 0x5880 0x5880 0x8a46 0x8a46 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x33;0x12 0x00
4195 36 0x0400000000004000 1258594178.124298000 0.000001000 0.000309000 14.716013000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17795 1 0x4000 128 0x587f 0x587f 0x84e2 0x84e2 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x38;0x76 0x00
4196 36 0x0400000000004000 1258594178.124300000 0.000002000 0.000311000 14.716015000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17796 1 0x4000 128 0x587e 0x587e 0x7f7e 0x7f7e 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x3d;0xda 0x00
4197 36 0x0400000000004000 1258594178.124302000 0.000002000 0.000313000 14.716017000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17797 1 0x4000 128 0x587d 0x587d 0x7a1a 0x7a1a 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x43;0x3e 0x00
4198 36 0x0400000000004000 1258594178.124303000 0.000001000 0.000314000 14.716018000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17798 1 0x4000 128 0x587c 0x587c 0x74b6 0x74b6 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x48;0xa2 0x00
4199 36 0x0400000000004000 1258594178.124305000 0.000002000 0.000316000 14.716020000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17799 1 0x4000 128 0x587b 0x587b 0x6f52 0x6f52 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x4e;0x06 0x00
4200 36 0x0400000000004000 1258594178.124306000 0.000001000 0.000317000 14.716021000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17800 1 0x4000 128 0x587a 0x587a 0x69ee 0x69ee 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x53;0x6a 0x00
4201 36 0x0400000000004000 1258594178.124308000 0.000002000 0.000319000 14.716023000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17801 1 0x4000 128 0x5879 0x5879 0x648a 0x648a 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x58;0xce 0x00
4202 36 0x0400000000004000 1258594178.124309000 0.000001000 0.000320000 14.716024000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17802 1 0x4000 128 0x5878 0x5878 0x5f26 0x5f26 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x5e;0x32 0x00
4203 36 0x0400000000004000 1258594178.124545000 0.000236000 0.000556000 14.716260000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17803 1 0x4000 128 0x5877 0x5877 0x59c2 0x59c2 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x63;0x96 0x00
4204 36 0x0400000000004000 1258594178.124547000 0.000002000 0.000558000 14.716262000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17804 1 0x4000 128 0x5876 0x5876 0x545e 0x545e 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x68;0xfa 0x00
4205 36 0x0400000000004000 1258594178.124548000 0.000001000 0.000559000 14.716263000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17805 1 0x4000 128 0x5875 0x5875 0x4efa 0x4efa 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x6e;0x5e 0x00
4206 36 0x0400000000004000 1258594178.124550000 0.000002000 0.000561000 14.716265000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17806 1 0x4000 128 0x5874 0x5874 0x4996 0x4996 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x73;0xc2 0x00
4207 36 0x0400000000004001 1258594178.196555000 0.072566000 0.072005008 14.709528000 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell Technologies 64334 192.168.1.105 07 Private network 49330 6 0x00 30005 1104 0x4000 111 0x3475 0x3475 0x74c0 0x74c0 0x0040 0 0 0 3179901890 3392384643 3179901890 1380 0 1380 0 3306060 0 2689202 1380 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 0 0x00 0 0x00 ...k.J-E..4.hV...P..I....\fbTCy...R:.zY........$*+.....E)....!..L..Bq..]I\n.1..~\b.....e..... T).a#Q....u......|..E"....>.\a.....6.d).7..FR.=...$..f].%.r*y...e...>..O-..O.\b5....gE.Z./...6.O.Q.4.Y... ..................B........}m.X...RkR.Jo......\r\e...,]JQv........c.w.....kW.\e.6m...~E..xS?'.J.~M.W.*o...k7..M}..6...kKY..i.D.~.IQ..u..V......T'.\n.^T._+.z.!.f.*.#>k.$.}m...vK.~A...P.;Z.2.G\n...M.....,\[...YhcK.w4K..!\t2.\r.P......=r..b.K..\n\f=$T....m..?.>./.\nNh...M..\n.TF5.bn...{.......9..V(5Q..)0..;..+...R.jI.....B....$..g.=ys.!\r..`..0.P.>...\e.2..6...r.C...L@.A...m..c...t|..8~9.....++F,..."`.[\b?w......u..{...^w......u..{......-.2pY...{i..E..2?j.._b....;x...B-<a.<.[..........>?....[..p.LIT\t..96..........vF."..e.W.>.yK!.I.\..P}...H-D8\ng.(j....q.s.......}..?{.B1.-........y..gt.....e........?\r....aa+(+..Z\fyXI..r\bL:..* .y$.T.C......+..V.'/_..x.....,?%ie...f]..|Ez..d....l.T...ONZ......x.u.n....4)3....b..../9Y.KJ.r...,pK....,..h.....Y....M...t0...`....w.....n..#*kS..m.......\t..\e.G............F....h..-u.~...\t..7 ..\n"..[&...7<\r..(.x#.....oW .1x...Up........p....U.{...pO...W.nR.i.i....h......XSq.i.i.6bk....3.8S....|#..n..O_.d...Z,..7n^.a]>1&.......x\e.7.g.....o....E..k7./.Ux.......'..R..4.........aS.f@._.....2p.k-T......y.F.7...B.Q....Gw@u.z.r.m.Z.^w......u..{...^w......u..{...^w......u..{...^w......u..{._v.m@.........c......a7..Q.;.U..o D....?........?...5.;.....6)...)xZX...]......
4208 36 0x0400000000004000 1258594178.197003000 0.072453000 0.000448000 14.788718000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell Technologies 64334 6 0x00 17813 7 0x4000 128 0x586d 0x586d 0x4432 0x4432 0x0040 0 0 0 3392384643 3179870150 3392384643 0 0 0 0 0 2643660 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 0 0x00 0 0x00 12 0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x79;0x26 0x00
4209 36 0x0400000000004001 1258594178.202048000 0.005493000 0.005044992 14.715021000 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell Technologies 64334 192.168.1.105 07 Private network 49330 6 0x00 30105 100 0x4000 111 0x3411 0x3411 0xbb17 0xbb17 0x0040 0 0 0 3179870150 3392384643 3179903270 -31740 0 0 0 3306060 0 2690582 1380 0x0811 0x0010 0x0044 64860 0 1380 0 0 0 0x00 0 0x00 0 0x00 ....5.$*.\e.{5.......\r.I'.,...S.p.Q...XG...T...k.M...hC.8..].q....>!......B........8...x.r|..5(m....'.....,....|B.[.*.@.S..(X.Z....V..,..,.W..9.`|..>.R....W._.%&3e.Rh".-..E/vL.....t"g4_..*.....{v..%....J..R....-....YL.}L..&....j.{R>.|. .....a9#>.....,.g.S..+.Z.@9...rc.5.p.4\eU.E4h..V...G.dW........`.O...hw.\g..........Z./2.....8.K.....wJ....w.. @...g.[.h5r.3.l...x.......L.............{.O...e.*!....[@.(...)].\b..$s...-^s....@...u`UN..8].i#`...BQ...Y...g ....b....\bA..;..h.c..\f....@L0.......#MP&...Z.r.b&(......Kh....D..%\#... J.L...+.....H\n...g..l...T..!..X.v.r..<...o..C.......@"n.AF..T/..i....U.\t....P>.d.Q..........=F9pT.ft}.)<2W%0W.E,....E.J..l.6.%.9p.24.[...c".6.\e..bk..-3....F.4tz.-C.._.2.r.U..`..j\bp1a.@...y."...-.RV<.\F..2.eMuI............}-+j.d x..\b3.=V..LX\t.#\r=....+....{>'.#.T=.3n+mn..r...{.0t.$V..`.;.5.....'Z*.W.G....)..%..2(.Yz..q...7..P.)...x...0..\;.\n._.R'...).[}\nW0F...~..X........1Co6...e..>.H:..Oi(M.Z.V8.k\rM\tJ.+............5N....P..M.z...L.B../&...hC\r...%t;...z37p.x...h4.....t.%......AH.E....1\.`.....g..w........f..+>D'n..,..\f..OL.h.dtB.....lD.\b1-B.E\b.#<.@........F.....bH...\bm\./..a.X.8t7..NFz.PG.E.../l..!.]..l%tI..6H|O..x.%,a0g...&?q[..&TC._s\tm....'V..U.0...~{....."(n..-.\e....\b2...)...}&q{.."...<.t.a..\b.j.J..T.-.ph..,.d%h..&..\b........jq.......>.B2..a......i..........^. B%..=..~....!}N>tY.=..S....I..V.f..[ y.s.......g.Mz|...\...X..Q..D\.....f...P.c\b..
4210 36 0x0400000000004001 1258594178.202058000 0.000010000 0.005054992 14.715031000 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell Technologies 64334 192.168.1.105 07 Private network 49330 6 0x00 30106 1 0x4000 111 0x3410 0x3410 0xb02e 0xb02e 0x0040 0 0 0 3179903270 3392384643 3179903270 33120 0 33120 0 3339180 0 2691962 2760 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 0 0x00 0 0x00 k..Epx.PT}..g\f<...O....._}~...i..]~.?.{.......... px..~K..i...1.z-.^.....\..w.{..b'.\r..pO..P...}..{..PQp..;..<..Qp_...p..w<....6.u.\r...6.?...p...1....o#..\b.^Y.\r.H'..U..PUA.1=..\t.......r.h...H.taY.An....^w....hi.....k....x...O.......Wm.....E....a.G{L....>.nQ........~......=....._..-..r7y...)....LT.G....A...n....E..Tbb;..4y..N.c..m.?...~\n..}\n.=xn.....{.....6\..w.....a?4Tu.?^....'.....M..B..T.......F..QJ.[J(...........J.s.z.B\r...j..~.\bO.|^}.M).yQM.7.......j..jxT.B......{n\t.....=[....m...sL.P.......>..>8Ry..92..Y....c.G.:..b.x..%S......`9.{c.?G=.|...<.....<$.}....\{......>]..\e.w....{..q....lnj...:.....Kz............o...'.~y.S....._l....{....'e.q..z^1~.....x~s.j..........X.......#?...V8B.U...r$-={....8.<.....L..?s..=.,>......:v..W..9w..\e..b..\......I......%.c...G~.3S.v....8,.?..C.r.......pO\t..,x....r..6\r.....tl....G.~........F/z....f....\e6.1.os..Y.?.......g......n.8..:|..._\p..U....|.'_.Y....f.........>Y..3..?...{.,......o.g..._.6+...O..C.._..7......&.z....{...N.j....T........'>.zp....M\....X5...=0..u..g..<o.p2..E?;@...|.6...'.....37U[....97.......>5...o..z8..'..;>...K............J.y..;i..isf-.|..#...._...P.u.i.._.>....wl...e..~........\b.8.._.?.B..Rk\b5.B92NC......=."g.Pk.N.\f.\..KC.PD......}......6.........n......\eo.o..5U.j....*........4Dv.^.>..^...3....Ap..~.J-......m..B...b.K5......n....n.>.4.Tf...e"....B.!Zp0.)..}...9qI3.S...OI.6+..4-q...i.s.g..57avBBR....m.wJ.
4211 36 0x0400000000004001 1258594178.202310000 0.000252000 0.005306992 14.715283000 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell Technologies 64334 192.168.1.105 07 Private network 49330 6 0x00 30115 9 0x4000 111 0x3407 0x3407 0x0894 0x0894 0x0040 0 0 0 3179904650 3392384643 3179904650 1380 0 1380 0 3340560 0 2693342 4140 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 0 0x00 0 0x00 8X..W2Wj/,U.o........w.......o...?.x..)(..|Yo.o_.`.....\n\nK\n...er..J4r....!~..;)}yJ.R.$.`.d)...G.....&.I.....<.K5cZ....iV..9.....d.,B'$.B..0ocM.L].U.?XUHpL..|. .C^...;..8f.(....W..v.........Q.B \f.....G....(....mu_..}..?\r|?.S...=\r3..{..3...[a.]..>k\b../>....w.Qd...sC.9.v...'M....P......tA.Hd.(.=./\f."Mij....'h.4 ..S.....(..5.=n../...b)o..Q1)ih..p.....4n.W.S..j.k~aJ.......\rW.YM........\t5p._F.4f.4...T......Z3T.S.......V.^...xS.6.F,.k....z......{..\...q~~k.....;..y....{s.'..'......[..{.......R..\e.G.@.I..TF..._C.......?.[/-...=YH_l\e..n.R..L....*....&J..J}G...{W..!5.K...e.....y[.85.*c.6o,..\e....<.B}o..^.T..u.a....|..~...E..._-5.........3....u.>.........x...W.....?...t......N.....7.!..*\r.i..f).4Z....Ko....tlE....F.].....O..|../.ZgY.(5...r..`\fJ\r.Mx...P.(P...v.\..0.x.\e.N]....)..../\b...Z..AH.[....I..@j.d"zl.....o,.6..o....\...-..`........#."..}..h.z..|!.\e..v.k=....P.?.......67..9.D.P. Q.......%P.....G<k....b.....l.e.....e...P......OS./...n...z..w.(A.G.=......F.y.C.3l.V...........^..L!........p...:L....nf7.m...R...^..\r..\r...\e.M.H.~.d..~.t.9.p`.......Ay...Q.....4R/...T..6.......@Co.0j......s ...'..D.T9...7.J...m.]................Z.C.].<=5 O......;...+.. .x..?^)Q.....S..#.9@r@...Q....P.N!,..];.=.......7..E..\r.c.\.f.......\e6...BE/T......>.'.e..y..Q...lN`#h.S_9..+\n.H-b.....M3....Q{...p.S7i7...?EM......\n..G......[tD#.a.;\b.g.UR......n......x........?+.0o<..D........j(#n..6...\fn
SPKTMD_SEQACKREL in tcpFlags.h controls the output of the seq/ack numbers in the packet mode. Switching to relative numbers facilitates the analysis of irregularities in throughput. Look into the packet mode tutorial for an example of "Absolute Relative Seq Ack Numbers".
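As an added example (not code from the tcpFlags plugin), the following Python script models the per-packet seq/ack features described in this section: signed seqDiff/ackDiff, their positive parts seqLen/ackLen, the aggregated seqFlowLen/ackFlowLen, the real payload count (tcpMLen) and a simplified bytes-in-flight figure. It runs over a constructed packet list that mimics flow 36 above (a segment lost before the capture point, three duplicate ACKs, a fast retransmit), and shows how the acknowledgement numbers of one direction alone reveal the payload of the other, unseen direction. The retransmission and duplicate-ACK rules and the bytes-in-flight bookkeeping are assumptions made for this example; tcpFlags' own implementation differs in details (for instance how tcpBFlgt is reset after a retransmission).

```python
# Added example, not Tranalyzer code: simplified per-packet seq/ack features.
from dataclasses import dataclass
from typing import Dict, List, Optional

MOD = 1 << 32


def wrap_diff(a: int, b: int) -> int:
    """Signed a - b in 32-bit sequence space, so a wrap-around keeps the right sign."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


@dataclass
class Pkt:
    direction: str  # "A" (initiator) or "B" (responder)
    seq: int
    ack: int
    plen: int       # real L7 payload length (what tcpMLen counts)


@dataclass
class DirState:
    prev_seq: Optional[int] = None
    prev_ack: Optional[int] = None
    seq_max: Optional[int] = None   # highest segment start seen (seqMax)
    snd_nxt: Optional[int] = None   # highest byte sent + 1
    seq_flow_len: int = 0           # aggregated seqLen (seqFlowLen)
    ack_flow_len: int = 0           # aggregated ackLen (ackFlowLen)
    l7_flow_len: int = 0            # aggregated real payload (tcpMLen)


def seq_ack_features(pkts: List[Pkt]) -> List[Dict]:
    """One feature row per packet, in capture order."""
    state = {"A": DirState(), "B": DirState()}
    rows = []
    for p in pkts:
        st, opp = state[p.direction], state["B" if p.direction == "A" else "A"]
        seq_diff = 0 if st.prev_seq is None else wrap_diff(p.seq, st.prev_seq)
        ack_diff = 0 if st.prev_ack is None else wrap_diff(p.ack, st.prev_ack)
        seq_len, ack_len = max(seq_diff, 0), max(ack_diff, 0)
        # data starting below the highest start seen so far is a retransmission
        retrans = p.plen > 0 and st.seq_max is not None and wrap_diff(p.seq, st.seq_max) < 0
        # an empty segment repeating the previous ack number is a duplicate ACK
        dup_ack = p.plen == 0 and st.prev_ack is not None and ack_diff == 0
        st.seq_flow_len += seq_len
        st.ack_flow_len += ack_len
        st.l7_flow_len += p.plen
        if st.seq_max is None or wrap_diff(p.seq, st.seq_max) > 0:
            st.seq_max = p.seq
        end = (p.seq + p.plen) % MOD
        if st.snd_nxt is None or wrap_diff(end, st.snd_nxt) > 0:
            st.snd_nxt = end
        # bytes in flight: sent by this direction, not yet acked by the opposite one
        bflgt = 0 if opp.prev_ack is None else max(wrap_diff(st.snd_nxt, opp.prev_ack), 0)
        st.prev_seq, st.prev_ack = p.seq, p.ack
        rows.append(dict(dir=p.direction, seq_diff=seq_diff, ack_diff=ack_diff,
                         seq_len=seq_len, ack_len=ack_len, seq_flow_len=st.seq_flow_len,
                         ack_flow_len=st.ack_flow_len, l7_flow_len=st.l7_flow_len,
                         bflgt=bflgt, retrans=retrans, dup_ack=dup_ack))
    return rows


def estimate_unseen_bytes(pkts: List[Pkt], direction: str) -> int:
    """Payload of the *other* direction, inferred from this direction's acks alone
    (the idea behind tcpFlwLssAckRcvdBytes): works even if the other flow is absent."""
    rows = seq_ack_features([p for p in pkts if p.direction == direction])
    return rows[-1]["ack_flow_len"] if rows else 0


SEG = 1380
# Constructed sample: B streams 1380-byte segments to A; the segment starting at
# 7760 is lost before the capture point, A answers with three duplicate ACKs, B
# fast-retransmits it, A then acknowledges everything and B continues.
SAMPLE = [
    Pkt("A", 1000, 5000, 0),
    Pkt("B", 5000, 1000, SEG),
    Pkt("B", 6380, 1000, SEG),
    Pkt("A", 1000, 7760, 0),     # acks both segments
    Pkt("B", 9140, 1000, SEG),   # 7760..9139 missing: seqDiff jumps by 2760
    Pkt("A", 1000, 7760, 0),     # dup ACK 1
    Pkt("B", 10520, 1000, SEG),
    Pkt("A", 1000, 7760, 0),     # dup ACK 2
    Pkt("B", 11900, 1000, SEG),
    Pkt("A", 1000, 7760, 0),     # dup ACK 3
    Pkt("B", 7760, 1000, SEG),   # fast retransmit: seqDiff < 0, seqLen 0
    Pkt("A", 1000, 13280, 0),    # hole filled, everything acknowledged
    Pkt("B", 13280, 1000, SEG),  # seqDiff 5520 although only 1380 bytes are new
]

if __name__ == "__main__":
    for i, r in enumerate(seq_ack_features(SAMPLE)):
        print(i, r)
    print("bytes B sent, seen from A's acks only:", estimate_unseen_bytes(SAMPLE, "A"))
```

The retransmitted segment gets a negative seq_diff and a seq_len of 0, exactly as packet 4209 above, while the following segment's seq_len overshoots its payload because the sequence number jumps back to seq_max; only l7_flow_len (tcpMLen) stays honest. Feeding only the A packets to estimate_unseen_bytes still yields the 8280 bytes that B actually transferred.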
RTT estimate
The Round Trip Time (RTT) estimate is a vital tool for troubleshooting. The mode is controlled by RTT_ESTIMATE in tcpFlags.h. The RTT features are estimated for all L4 protocols and give additional information about TCP connection anomalies such as ACK retries and SYN connection timeout retries.
- tcpSSASAATrip denotes the trip time during the TCP connection phase, i.e. the time from the measurement point to the dst host and back; it is not affected by application delays on the src and dst host.
- tcpRTTAckTripMin, tcpRTTAckTripMax, tcpRTTAckTripAve denote the minimal, maximal and average trip time
- tcpRTTSseqAA denotes the total RTT, which also includes delays at the hosts
- tcpRTTAckJitAve denotes the average jitter, useful for voice communication, see also the voipDetector plugin
RTT can also be estimated from the TCP timestamp option. Using the MSS, which is supplied in the TCP options, together with the RTT, a bandwidth per flow can be calculated.
Let's look for flows with an average ACK trip jitter (tcpRTTAckTripJitAve) or an initial sequence RTT (tcpRTTSseqAA) above 0.5 seconds.
tawk '$tcpRTTAckTripJitAve > 0.5 || $tcpRTTSseqAA > 0.5 { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly, $tcpSSASAATrip, $tcpRTTAckTripMin, $tcpRTTAckTripMax, $tcpRTTAckTripAve, $tcpRTTAckTripJitAve, $tcpRTTSseqAA, $tcpRTTAckJitAve }' ~/results/faf-exercise_flows.txt | tcol
%dir flowInd flowStat srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpFStat ipFlags tcpFlags tcpAnomaly tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAve tcpRTTAckTripJitAve tcpRTTSseqAA tcpRTTAckJitAve
A 11 0x0400000000004000 192.168.1.104 07 "Private network" 1384 63.245.221.11 us "Mozilla" 80 6 0x0011 0x0040 0x011b 0x0000 0.061556 0.02061101 23.03958 2.930275 8.20785 0.06196701 0
B 11 0x0400000000004001 63.245.221.11 us "Mozilla" 80 192.168.1.104 07 "Private network" 1384 6 0x0811 0x0044 0x031b 0x0000 0.000411008 0.000405984 8.196325 1.171332 3.09773 4.101607 8.772954
A 10 0x0400000000004000 192.168.1.104 07 "Private network" 1379 63.245.221.11 us "Mozilla" 80 6 0x0811 0x0040 0x011b 0x0000 0.005547008 7.1008e-05 22.97788 1.313045 5.416256 0.005753984 0
B 10 0x0400000000004001 63.245.221.11 us "Mozilla" 80 192.168.1.104 07 "Private network" 1379 6 0x0811 0x0044 0x031b 0x0000 0.000206976 0.000186016 9.952202 1.338241 3.450881 2.651285 6.422182
B 12 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1397 6 0x0011 0x0044 0x031b 0x0008 0.000452032 0.000294976 2.176203 0.1305968 0.5305589 0.1459511 0.5378596
B 19 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1400 6 0x0011 0x0044 0x031b 0x0008 0.000201984 0.000101952 3.94484 0.2614954 1.016245 0.2686045 1.016971
A 35 0x0400000000004000 192.168.1.105 07 "Private network" 49329 143.166.11.10 us "Dell Technologies" 21 6 0x0811 0x0040 0x001a 0x0000 0.08025197 0.07749402 306.0649 29.85101 91.8391 0.08094997 0
B 35 0x0400000000004001 143.166.11.10 us "Dell Technologies" 21 192.168.1.105 07 "Private network" 49329 6 0x0811 0x0044 0x061e 0x0000 0.000698 0.000449984 0.194089 0.04303963 0.07786669 29.89405 91.83913
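As an added example (not code from the tcpFlags plugin), here is how trip and round-trip times of the kind reported in tcpSSASAATrip, tcpRTTAckTripMin/Max/Ave, tcpRTTAckTripJitAve and tcpRTTSseqAA can be derived from timestamps seen at a single observation point, plus the one-MSS-per-RTT throughput bound mentioned above. The constructed capture is taken close to host A, so the SYN/ACK to ACK leg is tiny while the SYN to SYN/ACK leg carries the path to B. The jitter definition (mean absolute change between consecutive trips), the rule that a segment's trip ends at the first ACK covering it, and the sample packets are assumptions made for this example.

```python
# Added example, not Tranalyzer code: trip/RTT estimation from one observation point.
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Pkt:
    direction: str   # "A" initiator, "B" responder
    t: float         # capture timestamp in seconds
    seq: int
    ack: int
    plen: int        # payload bytes
    syn: bool = False
    ackf: bool = True


def handshake_trips(pkts: List[Pkt]) -> Optional[Dict[str, float]]:
    """SYN -> SYN/ACK is the path from the observation point to the B host and back,
    SYN/ACK -> ACK the path to the A host and back; the sum is the total RTT including
    the delays of both stacks (the tcpRTTSseqAA idea)."""
    syn = next((p for p in pkts if p.direction == "A" and p.syn and not p.ackf), None)
    if syn is None:
        return None
    synack = next((p for p in pkts if p.direction == "B" and p.syn and p.ackf and p.t > syn.t), None)
    if synack is None:
        return None
    ack = next((p for p in pkts if p.direction == "A" and not p.syn and p.ackf and p.t > synack.t), None)
    if ack is None:
        return None
    return {"syn_synack": synack.t - syn.t, "synack_ack": ack.t - synack.t, "total": ack.t - syn.t}


def ack_trips(pkts: List[Pkt], direction: str) -> List[float]:
    """Trip time of every data segment sent in `direction`: the delay until the first
    packet of the other direction whose ack number covers the whole segment.
    Segments never covered (e.g. the capture ended) contribute nothing."""
    acks = [p for p in pkts if p.direction != direction and p.ackf]
    trips = []
    for p in pkts:
        if p.direction != direction or p.plen == 0:
            continue
        end = p.seq + p.plen
        cover = next((q for q in acks if q.t > p.t and q.ack >= end), None)
        if cover is not None:
            trips.append(cover.t - p.t)
    return trips


def trip_stats(trips: List[float]) -> Optional[Dict[str, float]]:
    """min/max/average trip time and average jitter (mean |trip_i - trip_(i-1)|)."""
    if not trips:
        return None
    jitter = mean(abs(a - b) for a, b in zip(trips[1:], trips)) if len(trips) > 1 else 0.0
    return {"min": min(trips), "max": max(trips), "avg": mean(trips), "jitter": jitter}


def mss_per_rtt_bps(mss: int, rtt: float) -> float:
    """Throughput of a sender that gets one MSS acknowledged per RTT: the floor a
    flow drops to when its window collapses to a single segment."""
    return mss * 8 / rtt


# Constructed capture taken close to host A (hence the tiny SYN/ACK -> ACK trip).
SAMPLE = [
    Pkt("A", 0.0000, 1000, 0, 0, syn=True, ackf=False),
    Pkt("B", 0.0200, 5000, 1001, 0, syn=True),
    Pkt("A", 0.0201, 1001, 5001, 0),
    Pkt("A", 0.0202, 1001, 5001, 100),      # request
    Pkt("B", 0.0400, 5001, 1101, 0),        # acks the request: A-direction trip 19.8 ms
    Pkt("B", 0.1000, 5001, 1101, 1380),
    Pkt("A", 0.1004, 1101, 6381, 0),        # B-direction trip 0.4 ms
    Pkt("B", 0.1500, 6381, 1101, 1380),
    Pkt("B", 0.1501, 7761, 1101, 1380),
    Pkt("A", 0.1510, 1101, 9141, 0),        # one ACK covers two segments: 1.0 ms and 0.9 ms
    Pkt("B", 0.2000, 9141, 1101, 1380),     # never acknowledged within the capture
]

if __name__ == "__main__":
    hs = handshake_trips(SAMPLE)
    print("handshake:", hs)
    print("B data trips:", trip_stats(ack_trips(SAMPLE, "B")))
    print("A data trips:", trip_stats(ack_trips(SAMPLE, "A")))
    print("one MSS per RTT: %.0f b/s" % mss_per_rtt_bps(1380, hs["syn_synack"]))
```

Trip times depend on where the probe sits: the direction whose host is near the observation point shows sub-millisecond trips, the other one the real network path. That is why flow 35 above shows 0.08 s in the A direction and 0.0007 s in the B direction for the same connection.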
L3/4 checksums
Looking at checksums reveals whether the L4 header or the content has been manipulated. Moreover, you can determine whether a pcap was acquired on the computer itself or at a network intercept such as a SPAN port. This only works if checksum offloading is present and activated on the NIC: think about what a checksum looks like when the pcap is acquired on the sending host itself, before the hardware has filled it in.
Another reason for checksum errors can be snapped payload during traffic capture, because the checksum can then not be computed over the whole segment.
annoloc2.pcap was acquired in 2002 and it is very murky.
t2 -r ~/data/annoloc2.pcap -w ~/results -s================================================================================ Tranalyzer 0.9.1 (Anteater), Cobra. PID: 23618, Prio: 0, SID: 666 ================================================================================ [INF] Creating flows for L2, IPv4, IPv6 Active plugins: 01: basicFlow, 0.9.1 02: tcpFlags, 0.9.1 03: tcpStates, 0.9.1 04: txtSink, 0.9.1 [INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K) [INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K) Processing file: /home/user/data/annoloc2.pcap Link layer type: Ethernet [EN10MB/1] Snapshot length: 66 Dump start: 1022171701.691172000 sec (Thu 23 May 2002 16:35:01 GMT) [WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500 Dump stop : 1022171726.640398000 sec (Thu 23 May 2002 16:35:26 GMT) Total dump duration: 24.949226000 sec Finished processing. Elapsed time: 8.505853382 sec Finished unloading flow memory. 
Time: 8.744516690 sec Percentage completed: 100.00% Number of processed packets: 1219015 (1.22 M) Number of processed bytes: 64082726 (64.08 M) Number of raw bytes: 844642686 (844.64 M) Number of pad bytes: 8591685635 (8.59 G) Number of pcap bytes: 83586990 (83.59 M) Number of IPv4 packets: 1218588 (1.22 M) [99.96%] Number of IPv6 packets: 180 [0.01%] Number of A packets: 564233 (564.23 K) [46.29%] Number of B packets: 654782 (654.78 K) [53.71%] Number of A bytes: 29448166 (29.45 M) [45.95%] Number of B bytes: 34634560 (34.63 M) [54.05%] <A packet load>: 52.19 <B packet load>: 52.89 -------------------------------------------------------------------------------- tcpFlags: Aggregated ipFlags=0x7964 tcpFlags: Aggregated tcpFStat=0x5fff tcpFlags: Aggregated tcpFlags=0x0fdf tcpFlags: Aggregated tcpAnomaly=0x33ff tcpFlags: Aggregated ipToS=0xff tcpFlags: Number of TCP scans attempted, successful: 959, 886 [92.39%] tcpFlags: Number of TCP SYN retries, seq retries: 147, 5252 (5.25 K) tcpFlags: Number WinSz below 1: 1443 (1.44 K) [0.15%] tcpStates: Aggregated tcpStatesAFlags=0xdf -------------------------------------------------------------------------------- Headers count: min: 2, max: 5, avg: 3.01 Number of ARP packets: 247 [0.02%] Number of GRE packets: 20 [0.00%] Number of IGMP packets: 12 [0.00%] Number of ICMP packets: 3059 (3.06 K) [0.25%] Number of ICMPv6 packets: 11 [0.00%] Number of TCP packets: 948743 (948.74 K) [77.83%] Number of TCP bytes: 52643546 (52.64 M) [82.15%] Number of UDP packets: 266900 (266.90 K) [21.89%] Number of UDP bytes: 11234272 (11.23 M) [17.53%] Number of IPv4 fragmented packets: 2284 (2.28 K) [0.19%] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of processed flows: 17603 (17.60 K) Number of processed L2 flows: 99 [0.56%] Number of processed IPv4 flows: 17440 (17.44 K) [99.07%] Number of processed IPv6 flows: 64 [0.36%] Number of processed A flows: 9995 (9.99 K) [56.78%] Number of processed B flows: 
7608 (7.61 K) [43.22%] Number of request flows: 9948 (9.95 K) [56.51%] Number of reply flows: 7655 (7.66 K) [43.49%] Total A/B flow asymmetry: 0.14 Total req/rply flow asymmetry: 0.13 Number of processed A+B packets/A+B flows: 69.25 Number of processed A packets/A flows: 56.45 Number of processed B packets/ B flows: 86.06 Number of processed total packets/s: 48859.83 (48.86 K) Number of processed A+B packets/s: 48859.83 (48.86 K) Number of processed A packets/s: 22615.25 (22.61 K) Number of processed B packets/s: 26244.58 (26.24 K) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <Number of processed flows/s>: 705.55 <Bandwidth>: 270268480 b/s (270.27 Mb/s) <Snapped bandwidth>: 20548205 b/s (20.55 Mb/s) <Raw bandwidth>: 270835716 b/s (270.84 Mb/s) Max number of flows in memory: 15220 (15.22 K) [5.81%] Memory usage: 0.07 GB [0.11%] Aggregated flowStat=0x2c0098fa0222d044 [WRN] L3 SnapLength < Length in IP header [WRN] L4 header snapped [WRN] Consecutive duplicate IP ID [WRN] IPv4/6 payload length > framing length [WRN] IPv4/6 fragmentation header packet missing [WRN] IPv4/6 packet fragmentation sequence not finished [INF] Stop dissecting: Clipped packet, unhandled protocol or subsequent fragment [INF] Layer 2 flows [INF] IPv4 flows [INF] IPv6 flows [INF] ARP [INF] IPv4/6 fragmentation [INF] IPv4/6 in IPv4/6 [INF] GRE encapsulation [INF] GTP tunnel [INF] SSDP/UPnP [INF] DTLStawk -V ipFlags=0x7964
The ipFlags column with value 0x7964 is to be interpreted as follows: bit | ipFlags | Description ============================================================================= 2 | 0x0004 | IPv4 ID roll over 5 | 0x0020 | More Fragment bit 6 | 0x0040 | IPv4: Don't Fragment bit, IPv6: reserve bit 8 | 0x0100 | Fragmentation position error 11 | 0x0800 | L4 checksum error 12 | 0x1000 | Length in L3/4 header < actual L3/4 length 13 | 0x2000 | Length in UDP/UDP-Lite header != actual UDP/UDP-Lite length 14 | 0x4000 | Packet inter-distance = 0tawk -V tcpFStat=0x5fff
The tcpFStat column with value 0x5fff is to be interpreted as follows:
bit | tcpFStat | Description
=============================================================================
0 | 0x0001 | Packet good for inter-distance assessment
1 | 0x0002 | TCP option init
2 | 0x0004 | Timestamp option decreasing
3 | 0x0008 | L4 option field corrupt or not acquired
4 | 0x0010 | Window state-machine initialized
5 | 0x0020 | Window update
6 | 0x0040 | Win 0 probe
7 | 0x0080 | Win 0 probe ACK
8 | 0x0100 | Min Window detected
9 | 0x0200 | WS used
10 | 0x0400 | Window full
11 | 0x0800 | Window state-machine count up(1)/down(0)
12 | 0x1000 | L4 checksum calculation if present
14 | 0x4000 | TCP Selective ACK option
tawk -V tcpFlags=0x0fdf
The tcpFlags column with value 0x0fdf is to be interpreted as follows:
bit | tcpFlags | Description
=============================================================================
0 | 0x0001 | FIN: No more data, finish connection
1 | 0x0002 | SYN: Synchronize sequence numbers
2 | 0x0004 | RST: Reset connection
3 | 0x0008 | PSH: Push data
4 | 0x0010 | ACK: Acknowledgement field value valid
6 | 0x0040 | ECE: ECN-Echo
7 | 0x0080 | CWR: Congestion Window Reduced flag is set
8 | 0x0100 | FIN_ACK: Acknowledgement of FIN
9 | 0x0200 | SYN_ACK: Acknowledgement of SYN
10 | 0x0400 | RST_ACK: Acknowledgement of RST
11 | 0x0800 | Potential NULL scan packet or malicious channel
tawk -V tcpAnomaly=0x33ff
The tcpAnomaly column with value 0x33ff is to be interpreted as follows:
bit | tcpAnomaly | Description
=============================================================================
0 | 0x0001 | SYN retransmission
1 | 0x0002 | SEQ Timeout retransmission
2 | 0x0004 | SEQ Fast retransmission
3 | 0x0008 | Duplicate ACK
4 | 0x0010 | TCP Keep-Alive
5 | 0x0020 | TCP Keep-Alive ACK
6 | 0x0040 | Sequence number out-of-order
7 | 0x0080 | Sequence mess, rather spurious Retransmission
8 | 0x0100 | ACK for unseen packet
9 | 0x0200 | Previous packet not captured
12 | 0x1000 | Scan detected in flow
13 | 0x2000 | Successful scan detected in flow
As the end report values ipFlags=0x7964 and tcpAnomaly=0x33ff indicate, the trace contains lots of broken packets, a side effect of the anonymization and snapping, and scans were detected. The flowStat in the end report and in every single flow carries an L3 packet length warning, so the L4 checksum cannot be computed over the complete segment and is wrong everywhere. Select all flows with L3/4 checksum errors (ipFlags bits 10 and 11, mask 0x0c00) and display the first 20, as every flow has the problem.
tawk 'bitsanyset($ipFlags, 0x0c00) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly }' ~/results/annoloc2_flows.txt | head -n 20 | tcol
%dir flowInd flowStat srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpFStat ipFlags tcpFlags tcpAnomaly
A 265 0x0400000000004000 209.171.12.143 ca "TELUS Communications Inc" 4987 138.212.185.230 jp "ASAHI KASEI CORPORATION" 41250 6 0x0011 0x0840 0x00c4 0x0000
A 447 0x0400000000004000 217.41.129.13 gb "BT Infrastructure Layer" 58872 138.212.187.186 jp "ASAHI KASEI CORPORATION" 80 6 0x0011 0x0840 0x0044 0x0000
A 392 0x0400000000004000 36.242.181.230 jp "SoftBank Corp" 4685 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0840 0x00c2 0x3000
B 392 0x0400000000004001 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 36.242.181.230 jp "SoftBank Corp" 4685 6 0x0011 0x0800 0x04d4 0x2000
A 906 0x0400000000004000 161.135.53.11 us "Federal Express Corp" 5001 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 6 0x0011 0x0840 0x00c2 0x3000
B 906 0x0400000000004001 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 161.135.53.11 us "Federal Express Corp" 5001 6 0x0011 0x0800 0x04d4 0x2000
A 1027 0x0400000000004000 146.162.158.230 gb "Norwich Union Insurance Limite" 2849 138.212.184.193 jp "ASAHI KASEI CORPORATION" 6346 6 0x0011 0x0840 0x0042 0x3000
B 1027 0x0400000000004001 138.212.184.193 jp "ASAHI KASEI CORPORATION" 6346 146.162.158.230 gb "Norwich Union Insurance Limite" 2849 6 0x0011 0x0840 0x0454 0x2000
A 1154 0x0400000000004000 193.133.224.57 gb "UK PA route" 3286 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0840 0x0002 0x3000
B 1154 0x0400000000004001 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 193.133.224.57 gb "UK PA route" 3286 6 0x0011 0x0800 0x0414 0x2000
A 867 0x0400000200004000 138.212.184.48 jp "ASAHI KASEI CORPORATION" 6666 36.74.248.27 id "PT Telekomunikasi Indonesia" 1108 6 0x0011 0x1840 0x0058 0x0000
B 867 0x0400000000004001 36.74.248.27 id "PT Telekomunikasi Indonesia" 1108 138.212.184.48 jp "ASAHI KASEI CORPORATION" 6666 6 0x0011 0x0840 0x0044 0x0000
A 864 0x0400000200004000 19.54.241.65 us "MAINT-APNIC-AP" 6667 138.212.191.209 jp "ASAHI KASEI CORPORATION" 45891 6 0x0011 0x1840 0x00d8 0x0000
B 864 0x0400000000004001 138.212.191.209 jp "ASAHI KASEI CORPORATION" 45891 19.54.241.65 us "MAINT-APNIC-AP" 6667 6 0x0011 0x0844 0x01d5 0x3000
A 1336 0x0400000000004000 216.21.10.20 ca "XNS Technology Group Inc" 1305 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 6 0x0011 0x0840 0x0002 0x3000
B 1336 0x0400000000004001 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 216.21.10.20 ca "XNS Technology Group Inc" 1305 6 0x0011 0x0800 0x0414 0x2000
A 1512 0x0400000000004000 19.150.217.57 us "MAINT-APNIC-AP" 1678 138.212.189.66 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0800 0x0004 0x0000
A 1534 0x0400000000004000 216.233.229.167 us "MCI Communications Services" 3782 138.212.185.86 jp "ASAHI KASEI CORPORATION" 1058 6 0x0011 0x0840 0x0042 0x3000
B 1534 0x0400000000004001 138.212.185.86 jp "ASAHI KASEI CORPORATION" 1058 216.233.229.167 us "MCI Communications Services" 3782 6 0x0011 0x0800 0x0454 0x2000
Below, the flow with flowInd 1336 is extracted to show that every packet has a wrong L4 checksum: compare l4HdrChkSum with l4CalChkSum. The L3 checksums (ipHdrChkSum vs ipCalChkSum) do add up. Why? The IP header checksum covers only the IP header, which the anonymization tool rewrote and recomputed when it replaced the addresses. The TCP checksum covers the pseudo header, i.e. the original addresses, and the payload, so after address rewriting (and snapping) it can no longer match.
tawk 'flow(1336)' ~/results/annoloc2_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto ipToS ipID ipIDDiff ipFrag ipTTL ipHdrChkSum ipCalChkSum l4HdrChkSum l4CalChkSum ipFlags ip6HHOptLen ip6HHOpts ip6DOptLen ip6DOpts ipOptLen ipOpts seq ack seqMax seqDiff ackDiff seqLen ackLen seqFlowLen ackFlowLen tcpMLen tcpBFlgt tcpFStat tcpFlags tcpAnomaly tcpWin tcpWS tcpMSS tcpTmS tcpTmER tcpMPTyp tcpMPF tcpMPAID tcpMPDSSF tcpOptLen tcpOpts tcpStatesAFlags l7Content
19221 1336 0x0400000000004000 1022171702.098369000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:60:08:69:80:dd 0x0800 216.21.10.20 ca XNS Technology Group Inc 1305 138.212.191.94 jp ASAHI KASEI CORPORATION 80 6 0x00 11025 0 0x4000 119 0xac5a 0xac5a 0xa8c3 0x0150 0x0840 0 0 0 1389457 0 1389457 0 0 0 0 0 0 0 0 0x0010 0x0002 0x0000 8192 0 536 0 0 0 0x00 0 0x00 8 0x02;0x04;0x02;0x18;0x01;0x01;0x04;0x02 0x00
19247 1336 0x0400000000004001 1022171702.098389000 0.000000000 0.000020000 0.000000000 3 eth:ipv4:tcp 00:60:08:69:80:dd 00:d0:02:6d:78:00 0x0800 138.212.191.94 jp ASAHI KASEI CORPORATION 80 216.21.10.20 ca XNS Technology Group Inc 1305 6 0x00 22725 0 0x0000 128 0xb5ae 0xb5ae 0xf1d7 0x4a64 0x0800 0 0 0 0 1389458 0 0 0 0 0 0 0 0 0 0x0010 0x0414 0x0000 0 0 0 0 0 0 0x00 0 0x00 0 0x40
TCP options
TCP options carry vital information about connection characteristics and even let us guess the type of application involved. tcpOptions is a bit field indexed by option kind, so to select flows carrying the MSS (kind 2) and window scale (kind 3) options and check that the decoding works, test bit positions 2 and 3 in tcpOptions, i.e. mask 0x0000000c.
tawk 'bitsanyset($tcpOptions, 0x0000000c) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $tcpFlags, $ipFlags, $tcpAnomaly, $tcpOptCnt, $tcpOptions, $tcpMSS, $tcpWS }' ~/results/annoloc2_flows.txt | head -n 20 | tcol
%dir flowInd flowStat srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpFStat tcpFlags ipFlags tcpAnomaly tcpOptCnt tcpOptions tcpMSS tcpWS
A 392 0x0400000000004000 36.242.181.230 jp "SoftBank Corp" 4685 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x00c2 0x0840 0x3000 4 0x00000016 1436 0
A 906 0x0400000000004000 161.135.53.11 us "Federal Express Corp" 5001 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 6 0x0011 0x00c2 0x0840 0x3000 3 0x0000000e 1460 0
A 1027 0x0400000000004000 146.162.158.230 gb "Norwich Union Insurance Limite" 2849 138.212.184.193 jp "ASAHI KASEI CORPORATION" 6346 6 0x0011 0x0042 0x0840 0x3000 4 0x00000016 1460 0
A 1154 0x0400000000004000 193.133.224.57 gb "UK PA route" 3286 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0002 0x0840 0x3000 4 0x00000016 1460 0
A 1336 0x0400000000004000 216.21.10.20 ca "XNS Technology Group Inc" 1305 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 6 0x0011 0x0002 0x0840 0x3000 4 0x00000016 536 0
A 1534 0x0400000000004000 216.233.229.167 us "MCI Communications Services" 3782 138.212.185.86 jp "ASAHI KASEI CORPORATION" 1058 6 0x0011 0x0042 0x0840 0x3000 4 0x00000016 1460 0
A 1586 0x0400000200004000 130.92.198.110 ch "Universitaet Bern" 1249 138.212.191.248 jp "ASAHI KASEI CORPORATION" 1214 6 0x4811 0x01db 0x1840 0x0088 16 0x00000036 1460 0
B 1586 0x0400000200004001 138.212.191.248 jp "ASAHI KASEI CORPORATION" 1214 130.92.198.110 ch "Universitaet Bern" 1249 6 0x0011 0x03df 0x5840 0x0044 4 0x00000016 1460 0
A 1836 0x0400000000004000 209.114.247.93 us "Ideal Technology Solutions US " 1335 138.212.187.11 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0042 0x0840 0x3000 4 0x00000016 536 0
A 1909 0x0400000000004000 19.27.88.236 us "MAINT-APNIC-AP" 4045 138.212.186.88 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0082 0x0840 0x3000 4 0x00000016 1452 0
A 1959 0x0400000000004000 216.21.10.20 ca "XNS Technology Group Inc" 1305 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 6 0x0011 0x0002 0x0840 0x3000 4 0x00000016 536 0
A 1904 0x0400000000004000 138.212.186.27 jp "ASAHI KASEI CORPORATION" 1396 83.220.134.126 de "MNT-PlusServer" 4661 6 0x0011 0x0002 0x0840 0x3000 4 0x00000016 1452 0
A 1969 0x0400000000004000 83.0.129.97 pl "TPNET" 1395 138.212.187.11 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x00c2 0x0840 0x3000 4 0x00000016 1460 0
A 2060 0x0400000000004000 18.97.211.233 us "Amazon Technologies Inc" 3448 138.212.187.247 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x00c2 0x0840 0x3000 4 0x00000016 1460 0
A 2113 0x0400000000004000 36.92.31.200 id "PT Telekomunikasi Indonesia" 48337 138.212.185.86 jp "ASAHI KASEI CORPORATION" 1052 6 0x0011 0x0042 0x0800 0x3000 4 0x00000016 1460 0
A 2183 0x0400000000004000 201.133.193.218 mx "Uninet SA de CV" 3134 138.212.187.11 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0002 0x0840 0x3000 4 0x00000016 1440 0
A 2236 0x0400000000004000 83.45.182.68 es "Telefonica de Espana SAU" 1322 138.212.187.10 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0082 0x0840 0x3000 4 0x00000016 1460 0
A 2274 0x0400000000004000 201.53.22.207 br "CLARO SA" 4810 138.212.187.11 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0002 0x0840 0x3000 4 0x00000016 1460 0
A 2333 0x0400000000004000 193.99.26.18 nl "Not allocated by APNIC" 1925 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0082 0x0840 0x3000 6 0x0000001e 1452 0
Timestamp options are a formidable tool for RTT estimation and for revealing the boot time of the source host, even if the RTT measurements are influenced by L7 protocol reaction times.
Boot time estimation
The TCP timestamp option, originally created for Round Trip Time (RTT) measurement, can be abused for boot time estimation, because operating systems used to derive the TCP timestamp from the uptime.
As different machines boot at different times, this measure separates them even behind a NAT, where you normally see only one IP address. The only problem is that different OS use different clock increments; the increment can be calculated if several packets per flow are available, otherwise it comes down to OS guessing. The column tcpEcI below denotes this increment.
Unfortunately, newer versions of the various OS add a random timestamp offset per connection, aka flow (Linux does so since 4.10). Hence a comparison of different flows from the same machine yields different up or boot times, and the method becomes useless for them. Nevertheless, the estimation of tcpEcI is still useful for fingerprinting newer OS.
annoloc2.pcap was acquired in 2002, so if you look at the boot times below you will see that they lie shortly before the capture time; it works.
tawk '{ print $srcIP, $tcpTmS, $tcpTmER, $tcpEcI, $tcpUtm, $tcpBtm }' ~/results/annoloc2_flows.txt | sort -V | uniq | awkf '$2' | head -n 40 | tcol
18.2.89.211 7748617 849533919 0.01 77486.168268 1022094226.113856951
18.2.89.211 7748924 849534263 0.01 77489.238268 1022094226.117550020
18.2.89.211 7749342 849534680 0.01 77493.418268 1022094226.112001113
18.2.89.211 7749343 849534252 0.01 77493.428268 1022094226.110961114
18.2.89.211 7749424 204508834 0.01 77494.238268 1022094226.109820132
18.2.89.211 7749524 849534270 0.01 77495.238268 1022094226.114325154
18.2.89.211 7749624 849534698 0.01 77496.238268 1022094226.112042176
18.2.89.211 7749726 849535064 0.01 77497.258268 1022094226.108769199
18.2.89.211 7749831 849534861 0.01 77498.308268 1022094226.110498223
18.2.89.211 7749831 849535169 0.01 77498.308268 1022094226.106989223
18.2.89.211 7749838 849535176 0.01 77498.378268 1022094226.108499224
18.2.89.211 7749938 849535064 0.01 77499.378268 1022094226.111826247
18.2.89.211 7749967 849535305 0.01 77499.668268 1022094226.108142253
18.85.17.135 22846249 826368 0.01 228462.484893 1021943255.4210824831
18.85.17.135 22846930 826851 0.01 228469.294893 1021943255.4216715983
18.107.26.21 103819943 373699105 0.01 1038199.406794 1021133503.026879566
18.155.23.221 33847443 43376223 0.01 338474.422435 1021833231.196509494
18.155.23.221 33848762 248428209 0.01 338487.612434 1021833231.192675788
18.155.23.221 33848960 182165005 0.01 338489.592434 1021833231.189960833
18.155.23.221 33849237 6322419 0.01 338492.362434 1021833231.189717895
19.24.4.45 1693583440 72029656 0.01 16935834.021455 1005235877.235268398
19.24.4.45 1693583872 793132504 0.01 16935838.341455 1005235877.273547495
19.29.161.16 19986317 34285718 0.01 199863.165533 1021971858.270385290
19.55.36.202 1098236 390486740 0.01 10982.359755 1022160744.225945475
19.55.36.202 1098240 8297346 0.01 10982.399755 1022160744.232881476
19.59.134.250 199361062 113909808 0.01 1993610.575439 1020178116.063282670
19.67.192.174 35424473 785167233 0.01 354244.722082 1021817463.220257987
19.67.210.218 4323074 689732 0.1 432307.406442 1021739419.180874118
19.114.68.45 78574708 17008889 0.01 785747.062437 1021385960.390761816
19.114.68.45 78574918 34284567 0.01 785749.162437 1021385960.391067863
19.114.68.45 78575088 72029658 0.01 785750.862437 1021385960.3687749197
19.139.46.124 29251 785168750 0.1 2925.100044 1022168799.345161413
19.169.122.89 1806691 853448585 0.01 18066.909596 1022153659.006620827
19.173.18.204 17719695 785166685 0.1 1771969.526404 1020399734.3863648893
19.173.18.204 17719720 785168065 0.01 177197.196039 1021994520.359782667
19.173.18.204 17719731 785168629 0.01 177197.306039 1021994526.080391669
19.182.177.87 49516646 34285659 0.01 495166.448932 1021676554.013430833
19.182.177.87 144345608 34285961 0.01 1443456.047736 1020728267.433656758
19.182.178.138 23254415 34285407 0.01 232544.144802 1021939173.792872767
19.182.178.197 139712 853446502 0.1 13971.200208 1022157733.4261111109
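The following is an added worked example of the estimation described above; it is not part of the tcpFlags plugin or the T2 code base. It measures the clock increment from two packets of a flow and snaps it to an OS-typical value (what tcpEcI reports), derives uptime and boot time from TSval (tcpUtm/tcpBtm), and clusters the flows of one NAT address by boot time to count the machines behind it, including a host with random per-connection offsets to show why the method breaks down there. The NAT address, the hosts, the tick table and the offsets are constructed; the TSval pair 7748617/7749342 is taken from the 18.2.89.211 rows above.

```python
from collections import defaultdict

# Plausible TCP timestamp clock increments in seconds (1000, 250, 100 and 10 Hz).
# Assumption: used only to snap a measured increment to an OS-typical value, the way tcpEcI does.
KNOWN_TICKS = (0.001, 0.004, 0.01, 0.1)


def tick_from_packets(t0, ts0, t1, ts1):
    """Measured clock increment (seconds per tick) from two packets of the same flow.
    Needs TSval to advance; with a single packet the increment can only be guessed."""
    if ts1 <= ts0 or t1 <= t0:
        raise ValueError("TSval and capture time must both advance")
    return (t1 - t0) / (ts1 - ts0)


def snap_tick(tick):
    """Snap a noisy measurement (queueing, capture jitter) to the closest known increment."""
    return min(KNOWN_TICKS, key=lambda k: abs(k - tick) / k)


def uptime_and_boot(t, tsval, tick):
    """tcpUtm / tcpBtm: uptime = TSval * increment, boot time = capture time - uptime."""
    uptime = tsval * tick
    return uptime, t - uptime


def cluster_by_boot_time(flows, tol=2.0):
    """flows: iterable of (srcIP, captureTime, TSval, tick).
    Groups the flows of each source IP by estimated boot time; flows whose boot times agree
    within `tol` seconds run on the same clock, i.e. the same machine behind the NAT.
    Returns {srcIP: [[bootTime, ...], ...]} with one inner list per distinct host."""
    per_ip = defaultdict(list)
    for ip, t, tsval, tick in flows:
        per_ip[ip].append(uptime_and_boot(t, tsval, tick)[1])
    clusters = {}
    for ip, boots in per_ip.items():
        boots.sort()
        groups = [[boots[0]]]
        for b in boots[1:]:
            if b - groups[-1][-1] > tol:   # gap larger than the tolerance: a different clock
                groups.append([])
            groups[-1].append(b)
        clusters[ip] = groups
    return clusters


def count_hosts(flows, tol=2.0):
    """Number of distinct machines seen behind each source IP."""
    return {ip: len(groups) for ip, groups in cluster_by_boot_time(flows, tol).items()}


def synth_flows(ip, boot, tick, uptimes, offsets=None):
    """Constructed flows for one host: TSval = uptime / tick (+ a per-connection offset).
    offsets models the random per-connection TSval offset newer stacks use (Linux >= 4.10)."""
    offsets = offsets or [0] * len(uptimes)
    return [(ip, boot + up, int(round(up / tick)) + off, tick) for up, off in zip(uptimes, offsets)]


# Constructed scenario: one public address (TEST-NET-3) shared by several machines.
NAT_IP = "203.0.113.7"
HOST_A = synth_flows(NAT_IP, 1022094226.0, 0.01, [77486.17, 77493.42, 77499.67])   # 100 Hz clock
HOST_B = synth_flows(NAT_IP, 1021943255.0, 0.01, [228462.48, 228469.29])
HOST_C = synth_flows(NAT_IP, 1022168799.0, 0.1, [2925.1, 2940.0])                  # 10 Hz clock
# A modern stack: 1 kHz clock but a random offset per connection, so each flow looks like a new host.
HOST_D = synth_flows(NAT_IP, 1022100000.0, 0.001, [1000.0, 2000.0, 3000.0],
                     offsets=[123456789, 987654321, 55555555])

if __name__ == "__main__":
    print("increment:", snap_tick(tick_from_packets(0.0, 7748617, 7.25, 7749342)))
    print("hosts (old stacks):", count_hosts(HOST_A + HOST_B + HOST_C))
    print("hosts (with randomized stack):", count_hosts(HOST_A + HOST_B + HOST_C + HOST_D))
```

The tolerance of 2 seconds absorbs RTT and scheduling jitter; it has to stay well below the uptime differences you want to separate, which is easy when hosts boot hours apart but fails for machines booted by the same DHCP/PXE cycle within seconds of each other.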
The plugin will evolve; as soon as we find something else for this feature, it will be implemented in tcpFlags. So if you have an idea, please contact us, we are happy to cooperate with you on research of such things.
Multipath TCP (MPTCP)
Multipath TCP was developed to let one TCP connection use multiple paths, in order to optimize resource usage and to increase redundancy. There are other multipath-capable protocols, such as
- SCTP
- Multipath QUIC, an extension of Google's QUIC
The constant MPTCP in tcpFlags.h controls the MPTCP dissection.
It is enabled by default and decodes the subtype and the different flags.
More will be added in the future.
Download the sample pcap iperf-mptcp-0-0.pcap and store it under your ~/data folder. More pcaps are available under https://wiki.wireshark.org/SampleCaptures#MPTCP
t2 -r ~/data/iperf-mptcp-0-0.pcap -w ~/results/ -s
================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 25069, Prio: 0, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: tcpFlags, 0.9.1
    03: tcpStates, 0.9.1
    04: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/iperf-mptcp-0-0.pcap
Link layer type: PPP [PPP/9]
Snapshot length: 65535 (65.53 K)
Dump start: 0.000000000 sec (Thu 01 Jan 1970 00:00:00 GMT)
Dump stop : 12.319482000 sec (Thu 01 Jan 1970 00:00:12 GMT)
Total dump duration: 12.319482000 sec
Finished processing. Elapsed time: 0.067807865 sec
Finished unloading flow memory. Time: 0.067960258 sec
Percentage completed: 100.00%
Number of processed packets: 2560 (2.56 K)
Number of processed bytes: 2538100 (2.54 M)
Number of raw bytes: 2538100 (2.54 M)
Number of pad bytes: 240
Number of pcap bytes: 2579084 (2.58 M)
Number of IPv4 packets: 2554 (2.55 K) [99.77%]
Number of IPv6 packets: 6 [0.23%]
Number of A packets: 1680 (1.68 K) [65.62%]
Number of B packets: 880 [34.38%]
Number of A bytes: 2483492 (2.48 M) [97.85%]
Number of B bytes: 54608 (54.61 K) [2.15%]
<A packet load>: 1478.27 (1.48 K)
<B packet load>: 62.05
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x0040
tcpFlags: Aggregated tcpFStat=0x8a33
tcpFlags: Aggregated tcpFlags=0x031b
tcpFlags: Aggregated tcpAnomaly=0x0009
tcpFlags: Number of TCP SYN retries, seq retries: 4, 0
tcpFlags: Aggregated MPTCP subtypes: tcpMPTBF=0x000f
tcpFlags: Aggregated MPTCP flags: tcpMPF=0x81
tcpFlags: Number of MPTCP packets: 2557 (2.56 K) [99.88%]
tcpStates: Aggregated tcpStatesAFlags=0x03
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of ICMPv6 packets: 6 [0.23%]
Number of TCP packets: 2554 (2.55 K) [99.77%]
Number of TCP bytes: 2537752 (2.54 M) [99.99%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 8
Number of processed IPv4 flows: 6 [75.00%]
Number of processed IPv6 flows: 2 [25.00%]
Number of processed A flows: 6 [75.00%]
Number of processed B flows: 2 [25.00%]
Number of request flows: 6 [75.00%]
Number of reply flows: 2 [25.00%]
Total A/B flow asymmetry: 0.50
Total req/rply flow asymmetry: 0.50
Number of processed A+B packets/A+B flows: 320.00
Number of processed A packets/A flows: 280.00
Number of processed B packets/ B flows: 440.00
Number of processed total packets/s: 207.80
Number of processed A+B packets/s: 207.80
Number of processed A packets/s: 136.37
Number of processed B packets/s: 71.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.65
<Bandwidth>: 1648186 b/s (1.65 Mb/s)
<Raw bandwidth>: 1648186 b/s (1.65 Mb/s)
Max number of flows in memory: 8 [0.00%]
Memory usage: 0.03 GB [0.05%]
Aggregated flowStat=0x0c0000000000e002
[INF] IPv4 flows
[INF] IPv6 flows
[INF] No Ethernet header
[INF] PPP/HDLC encapsulation
tcpFStat bit 15 flags MPTCP; 2557 of the 2560 packets carry an MPTCP option.
The tcpFStat column with value 0x8a33 is to be interpreted as follows:
bit | tcpFStat | Description
=============================================================================
0 | 0x0001 | Packet good for inter-distance assessment
1 | 0x0002 | TCP option init
4 | 0x0010 | Window state-machine initialized
5 | 0x0020 | Window update
9 | 0x0200 | WS used
11 | 0x0800 | Window state-machine count up(1)/down(0)
15 | 0x8000 | MPTCP detected
The subtypes are coded in a T2 bit field:
tawk -V tcpMPTBF=0x000f
The tcpMPTBF column with value 0x000f is to be interpreted as follows:
bit | tcpMPTBF | Description
=============================================================================
0 | 0x0001 | Multipath Capable
1 | 0x0002 | Join Connection
2 | 0x0004 | Data Sequence Signal (Data ACK and data sequence mapping)
3 | 0x0008 | Add Address
So in the flow file you will see the subtype bit field, the flags, the address ID and the DSS flags (the latter only for subtype 2):
tawk '{ print $srcIP, $srcPort, $dstIP, $dstPort, $l4Proto, $tcpFStat, $tcpMPTBF, $tcpMPF, $tcpMPAID, $tcpMPDSSF }' ~/results/iperf-mptcp-0-0_flows.txt | tcol
srcIP srcPort dstIP dstPort l4Proto tcpFStat tcpMPTBF tcpMPF tcpMPAID tcpMPDSSF
fe80::200:ff:fe00:1 0 ff02::2 0 58 0x0001 0x0000 0x00 0 0x00
fe80::200:ff:fe00:2 0 ff02::2 0 58 0x0001 0x0000 0x00 0 0x00
10.1.1.1 43376 10.2.0.1 5001 6 0x8013 0x0002 0x00 3 0x00
10.1.1.1 57841 10.2.1.1 5001 6 0x8013 0x0002 0x00 3 0x00
10.1.0.1 49078 10.2.1.1 5001 6 0x8213 0x0006 0x00 2 0x15
10.2.1.1 5001 10.1.0.1 49078 6 0x8a33 0x0006 0x00 3 0x15
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 0x000d 0x81 3 0x05
10.2.0.1 5001 10.1.0.1 5001 6 0x8a13 0x000d 0x81 3 0x01
Same for the packet file, except the subType is the actual value instead of a T2 bit field:
tawk '{ print $srcIP, $srcPort, $dstIP, $dstPort, $l4Proto, $tcpFStat, $tcpMPTyp, $tcpMPF, $tcpMPAID, $tcpMPDSSF }' ~/results/iperf-mptcp-0-0_packets.txt | tcol
srcIP srcPort dstIP dstPort l4Proto tcpFStat tcpMPTyp tcpMPF tcpMPAID tcpMPDSSF
fe80::200:ff:fe00:1 ff02::2 58
fe80::200:ff:fe00:2 ff02::2 58
fe80::200:ff:fe00:1 ff02::2 58
fe80::200:ff:fe00:2 ff02::2 58
10.1.0.1 5001 10.2.0.1 5001 6 0x8012 0 0x81 0 0x00
10.2.0.1 5001 10.1.0.1 5001 6 0x8012 0 0x81 0 0x00
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x81 0 0x01
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 3 0x01
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.2.0.1 5001 10.1.0.1 5001 6 0x8213 2 0x00 3 0x01
In future more features will be added.
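As an added example serving both the TCP options section and the MPTCP section above (it is not the plugin's own parser), the following Python walks one packet's TCP option bytes and produces the columns tcpFlags shows: tcpOptions as a bit field indexed by option kind, tcpOptCnt, tcpMSS, tcpWS, the timestamps, and for kind 30 the MPTCP subtype (tcpMPTyp / tcpMPTBF), flags (tcpMPF), address ID (tcpMPAID) and DSS flags (tcpMPDSSF). A malformed list (length 0 or 1, or an option running past the end) is reported rather than looped over, which is the condition tcpFStat bit 3 covers. The SYN option bytes are copied from the tcpOpts column of flow 1336 above; the MPTCP option bytes are constructed from the RFC 6824 layouts with dummy keys, tokens and nonces; flow_columns() is an assumption about how the flow-file fields aggregate the packets.

```python
import struct

# TCP option kinds (IANA registry); tcpOptions is a bit field with bit number = kind, as in the flow file.
KIND_EOL, KIND_NOP, KIND_MSS, KIND_WS, KIND_SACK_PERM, KIND_TS, KIND_MPTCP = 0, 1, 2, 3, 4, 8, 30
MPTCP_SUBTYPE = {0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR", 4: "REMOVE_ADDR",
                 5: "MP_PRIO", 6: "MP_FAIL", 7: "MP_FASTCLOSE", 8: "MP_TCPRST"}
DSS_FLAGS = {0x10: "F", 0x08: "m", 0x04: "M", 0x02: "a", 0x01: "A"}   # DATA_FIN, 8-byte DSN, DSN, 8-byte DACK, DACK


def parse_tcp_options(opts):
    """Walk one packet's TCP option bytes and fill tcpFlags-style columns.
    Malformed lists set 'corrupt' instead of looping or raising."""
    r = dict(tcpOptions=0, tcpOptCnt=0, tcpMSS=0, tcpWS=0, tcpTmS=0, tcpTmER=0,
             tcpMPTyp=None, tcpMPTBF=0, tcpMPF=0, tcpMPAID=0, tcpMPDSSF=0, corrupt=False)
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        r["tcpOptCnt"] += 1
        r["tcpOptions"] |= 1 << kind
        if kind == KIND_EOL:
            break
        if kind == KIND_NOP:
            i += 1
            continue
        if i + 1 >= n:                       # kind byte without a length byte
            r["corrupt"] = True
            break
        length = opts[i + 1]
        if length < 2 or i + length > n:     # length 0/1 never advances; overrun reads past the header
            r["corrupt"] = True
            break
        body = opts[i + 2:i + length]
        if kind == KIND_MSS and length == 4:
            r["tcpMSS"] = struct.unpack("!H", body)[0]
        elif kind == KIND_WS and length == 3:
            r["tcpWS"] = body[0]
        elif kind == KIND_TS and length == 10:
            r["tcpTmS"], r["tcpTmER"] = struct.unpack("!II", body)
        elif kind == KIND_MPTCP and length >= 4:
            _parse_mptcp(body, r)
        i += length
    return r


def _parse_mptcp(body, r):
    """MPTCP option (kind 30, RFC 6824/8684): body[0] = subtype (high nibble) | subtype-specific nibble."""
    sub = body[0] >> 4
    r["tcpMPTyp"] = sub
    r["tcpMPTBF"] |= 1 << sub
    if sub == 0:        # MP_CAPABLE: low nibble = version, body[1] = flags A..H (0x80 checksum req., 0x01 HMAC-SHA1)
        r["tcpMPF"] = body[1]
    elif sub == 1:      # MP_JOIN: low nibble carries the backup bit B, body[1] = address ID
        r["tcpMPF"] = body[0] & 0x0f
        r["tcpMPAID"] = body[1]
    elif sub == 2:      # DSS: low 5 bits of body[1] = F m M a A
        r["tcpMPDSSF"] = body[1] & 0x1f
    elif sub == 3:      # ADD_ADDR: low nibble = IP version, body[1] = address ID
        r["tcpMPAID"] = body[1]


def dss_flag_names(flags):
    """Human-readable DSS flags, e.g. 0x15 -> ['F', 'M', 'A']."""
    return [name for bit, name in sorted(DSS_FLAGS.items(), reverse=True) if flags & bit]


def flow_columns(packets):
    """Assumed flow-file view: OR the bit fields over all packets, sum the option count,
    keep the last non-zero address ID."""
    agg = dict(tcpOptions=0, tcpOptCnt=0, tcpMPTBF=0, tcpMPF=0, tcpMPDSSF=0, tcpMPAID=0)
    for p in map(parse_tcp_options, packets):
        for k in ("tcpOptions", "tcpMPTBF", "tcpMPF", "tcpMPDSSF"):
            agg[k] |= p[k]
        agg["tcpOptCnt"] += p["tcpOptCnt"]
        agg["tcpMPAID"] = p["tcpMPAID"] or agg["tcpMPAID"]
    return agg


# Option bytes of the SYN of flow 1336 above (tcpOpts column): MSS 536, NOP, NOP, SACK permitted.
SYN_1336 = bytes.fromhex("0204021801010402")
# Constructed MPTCP options (RFC 6824 layouts); keys, tokens, nonces and addresses are dummies.
MP_CAPABLE = bytes.fromhex("1e0c0081") + bytes.fromhex("0102030405060708")              # v0, flags A|H = 0x81
MP_JOIN = bytes.fromhex("1e0c1003") + bytes.fromhex("deadbeef") + bytes.fromhex("cafebabe")  # B=0, address ID 3
DSS = bytes.fromhex("1e142005") + bytes(16)                                              # flags M|A = 0x05
ADD_ADDR = bytes.fromhex("1e083402") + bytes([10, 2, 1, 1])                              # IPv4, address ID 2
BROKEN = bytes.fromhex("02040218") + bytes.fromhex("1e00")                               # kind 30 with length 0

if __name__ == "__main__":
    for name, opt in [("SYN_1336", SYN_1336), ("MP_CAPABLE", MP_CAPABLE), ("MP_JOIN", MP_JOIN),
                      ("DSS", DSS), ("ADD_ADDR", ADD_ADDR), ("BROKEN", BROKEN)]:
        print(name, parse_tcp_options(opt))
    print("flow:", flow_columns([MP_CAPABLE, DSS, ADD_ADDR]))
```

The length check is the part worth copying into any option walker you write: a zero length byte in a crafted SYN turns a naive `i += length` loop into an infinite one, and an oversized length reads whatever follows the header.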
Fragmentation
Fragmentation is a diverse subject. In IPv4 it should rarely occur any more, because MTUs today are generally large enough throughout the network and path MTU discovery avoids it; if you see it in your corporate network, it should be investigated. IPv6 is a different story: routers never fragment, only the sending host does, via the Fragment extension header, so fragments are an established tool there.
The constant FRAG_ANALYZE in tcpFlags.h controls the fragmentation analysis. Moreover the constant FRAGMENTATION has to be enabled in tranalyzer.h under the tranalyzer2/src directory, which is the default.
I prepared a pcap which illustrates a pitfall of the flow based representation when fragmentation is present. Download frag.pcap, store it under ~/data and add basicStats so that we can look at the packet and payload statistics.
t2build basicStats
Then rerun t2 on frag.pcap with the -s option, as we also want to look at the packets.
================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 25747, Prio: 0, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: basicStats, 0.9.1
    03: tcpFlags, 0.9.1
    04: tcpStates, 0.9.1
    05: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/frag.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1294260264.274530000 sec (Wed 05 Jan 2011 20:44:24 GMT)
Dump stop : 1294260291.961272000 sec (Wed 05 Jan 2011 20:44:51 GMT)
Total dump duration: 27.686742000 sec
Finished processing. Elapsed time: 0.000896996 sec
Finished unloading flow memory. Time: 0.001257418 sec
Percentage completed: 100.00%
Number of processed packets: 82
Number of processed bytes: 14857 (14.86 K)
Number of raw bytes: 14857 (14.86 K)
Number of pad bytes: 124
Number of pcap bytes: 16193 (16.19 K)
Number of IPv4 packets: 38 [46.34%]
Number of A packets: 80 [97.56%]
Number of B packets: 2 [2.44%]
Number of A bytes: 14737 (14.74 K) [99.19%]
Number of B bytes: 120 [0.81%]
<A packet load>: 184.21
<B packet load>: 60.00
--------------------------------------------------------------------------------
basicStats: Flow max(pktload): 384
basicStats: Flow max(b/s), pkts: 124416792 (124.42 Mb/s), 26
basicStats: Biggest L2 flow talker: 00:0d:65:4f:38:94: 14 [17.07%] packets
basicStats: Biggest L2 flow talker: 00:0d:65:4f:38:94: 602 [4.05%] bytes
basicStats: Biggest L3 flow talker: 192.168.203.131: 26 [31.71%] packets
basicStats: Biggest L3 flow talker: 192.168.203.131: 10000 (10.00 K) [67.31%] bytes
tcpFlags: Aggregated ipFlags=0x0860
tcpFlags: Aggregated tcpFStat=0x1011
tcpFlags: Aggregated tcpFlags=0x0c14
tcpFlags: Aggregated tcpAnomaly=0x3180
tcpFlags: Aggregated ipToS=0xc0
tcpFlags: Number of TCP scans attempted, successful: 0, 1 [inf%]
tcpStates: Aggregated tcpStatesAFlags=0xc3
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, avg: 2.67
Number of LLC packets: 16 [19.51%]
Number of ARP packets: 25 [30.49%]
Number of ICMP packets: 3 [3.66%]
Number of TCP packets: 27 [32.93%]
Number of TCP bytes: 10964 (10.96 K) [73.80%]
Number of UDP packets: 5 [6.10%]
Number of UDP bytes: 763 [5.14%]
Number of IPv4 fragmented packets: 26 [68.42%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 20
Number of processed L2 flows: 11 [55.00%]
Number of processed IPv4 flows: 9 [45.00%]
Number of processed A flows: 18 [90.00%]
Number of processed B flows: 2 [10.00%]
Number of request flows: 18 [90.00%]
Number of reply flows: 2 [10.00%]
Total A/B flow asymmetry: 0.80
Total req/rply flow asymmetry: 0.80
Number of processed A+B packets/A+B flows: 4.10
Number of processed A packets/A flows: 4.44
Number of processed B packets/ B flows: 1.00
Number of processed total packets/s: 2.96
Number of processed A+B packets/s: 2.96
Number of processed A packets/s: 2.89
Number of processed B packets/s: 0.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.72
<Bandwidth>: 3515 b/s (3.52 Kb/s)
<Raw bandwidth>: 4293 b/s (4.29 Kb/s)
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.04 GB [0.05%]
Aggregated flowStat=0x0400081000004044
[INF] Stop dissecting: Clipped packet, unhandled protocol or subsequent fragment
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] ARP
[INF] IPv4/6 fragmentation
We see that 26 [68.42%] of the IPv4 packets are fragmented.
Fragmentation warnings in an end report, such as the two [WRN] fragmentation lines in the annoloc2 report above, indicate abnormalities in the fragmented traffic.
Below, flows with fragmentation bits set in ipFlags (mask 0x03b8, which covers the abnormality bits as well) are selected from the flow file.
Only flow 4 matches, and it is a perfectly fragmented packet: the payload of all 26 fragments adds up to the 10000 bytes in numBytesSnt, while the single reply packet (numPktsRcvd) carried no payload (numBytesRcvd).
tawk 'bitsanyset($ipFlags, 0x03b8) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly, $numPktsSnt, $numPktsRcvd, $numBytesSnt, $numBytesRcvd }' ~/results/frag_flows.txt | tcol
%dir flowInd flowStat srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort tcpFStat ipFlags tcpFlags tcpAnomaly numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd
A 4 0x0400081000004000 192.168.203.131 07 "Private network" 1509 192.168.203.134 07 "Private network" 0 0x1011 0x0820 0x0800 0x3000 26 1 10000 0
Looking at the packet file, only the first fragment contains the TCP header and therefore the checksum field (l4HdrChkSum 0x7366); the subsequent fragments carry payload only, so l4HdrChkSum and l4CalChkSum stay 0x0000 there.
At the last fragment T2 adds the IP pseudo header, calculates the checksum over the reassembled segment and compares it with the 0x7366 from the TCP header of the initial packet (only the first 8 of the 26 fragments are shown below).
Note also tcpFlags=0x0800 and tcpAnomaly=0x3000 on this flow: a TCP segment with no flag set, sent to port 0, is reported as a potential NULL scan packet. A 10 kB fragmented one at that is not what a normal TCP stack produces and deserves a closer look.
tawk 'flow(4)' ~/results/frag_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktLen udpLen snapL4Len snapL7Len l7Len ipToS ipID ipIDDiff ipFrag ipTTL ipHdrChkSum ipCalChkSum l4HdrChkSum l4CalChkSum ipFlags ip6HHOptLen ip6HHOpts ip6DOptLen ip6DOpts ipOptLen ipOpts seq ack seqMax seqDiff ackDiff seqLen ackLen seqFlowLen ackFlowLen tcpMLen tcpBFlgt tcpFStat tcpFlags tcpAnomaly tcpWin tcpWS tcpMSS tcpTmS tcpTmER tcpMPTyp tcpMPF tcpMPAID tcpMPDSSF tcpOptLen tcpOpts tcpStatesAFlags l7Content
4 4 0x0400009000004000 1294260266.528280000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 1509 192.168.203.134 07 Private network 0 6 434 0 400 380 380 0x00 249 0 0x2000 64 0x4000 0x4000 0x7366 0x0000 0x0020 0 0 0 280548844 777151161 280548844 0 0 0 0 0 0 380 0 0x1010 0x0800 0x1000 512 0 0 0 0 0 0x00 0 0x00 0 0x81 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5 4 0x0400089000004000 1294260266.528318000 0.000038000 0.000000000 0.000038000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x2032 64 0x3fce 0x3fce 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6 4 0x0400089000004000 1294260266.528335000 0.000017000 0.000000000 0.000055000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x2064 64 0x3f9c 0x3f9c 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7 4 0x0400089000004000 1294260266.528348000 0.000013000 0.000000000 0.000068000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x2096 64 0x3f6a 0x3f6a 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8 4 0x0400089000004000 1294260266.528363000 0.000015000 0.000000000 0.000083000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x20c8 64 0x3f38 0x3f38 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9 4 0x0400089000004000 1294260266.528383000 0.000020000 0.000000000 0.000103000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x20fa 64 0x3f06 0x3f06 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
10 4 0x0400089000004000 1294260266.528404000 0.000021000 0.000000000 0.000124000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x212c 64 0x3ed4 0x3ed4 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
11 4 0x0400089000004000 1294260266.528424000 0.000020000 0.000000000 0.000144000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x215e 64 0x3ea2 0x3ea2 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
12 4 0x0400089000004000 1294260266.528443000 0.000019000 0.000000000 0.000163000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x2190 64 0x3e70 0x3e70 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
13 4 0x0400089000004000 1294260266.528462000 0.000019000 0.000000000 0.000182000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x21c2 64 0x3e3e 0x3e3e 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
14 4 0x0400089000004000 1294260266.528480000 0.000018000 0.000000000 0.000200000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x21f4 64 0x3e0c 0x3e0c 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
15 4 0x0400089000004000 1294260266.528497000 0.000017000 0.000000000 0.000217000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x2226 64 0x3dda 0x3dda 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
16 4 0x0400089000004000 1294260266.528512000 0.000015000 0.000000000 0.000232000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x2258 64 0x3da8 0x3da8 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
17 4 0x0400089000004000 1294260266.528526000 0.000014000 0.000000000 0.000246000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x228a 64 0x3d76 0x3d76 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
18 4 0x0400089000004000 1294260266.528544000 0.000018000 0.000000000 0.000264000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x22bc 64 0x3d44 0x3d44 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
19 4 0x0400089000004000 1294260266.528561000 0.000017000 0.000000000 0.000281000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x22ee 64 0x3d12 0x3d12 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
20 4 0x0400089000004000 1294260266.528575000 0.000014000 0.000000000 0.000295000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x2320 64 0x3ce0 0x3ce0 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
21 4 0x0400089000004000 1294260266.528588000 0.000013000 0.000000000 0.000308000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x2352 64 0x3cae 0x3cae 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
22 4 0x0400089000004000 1294260266.528601000 0.000013000 0.000000000 0.000321000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x2384 64 0x3c7c 0x3c7c 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
23 4 0x0400089000004000 1294260266.528613000 0.000012000 0.000000000 0.000333000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x23b6 64 0x3c4a 0x3c4a 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
24 4 0x0400089000004000 1294260266.528626000 0.000013000 0.000000000 0.000346000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x23e8 64 0x3c18 0x3c18 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
25 4 0x0400089000004000 1294260266.528776000 0.000150000 0.000000000 0.000496000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x241a 64 0x3be6 0x3be6 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
26 4 0x0400089000004000 1294260266.528818000 0.000042000 0.000000000 0.000538000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x244c 64 0x3bb4 0x3bb4 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
27 4 0x0400089000004000 1294260266.528854000 0.000036000 0.000000000 0.000574000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x247e 64 0x3b82 0x3b82 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
28 4 0x0400089000004000 1294260266.528889000 0.000035000 0.000000000 0.000609000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 0 400 400 400 0x00 249 0 0x24b0 64 0x3b50 0x3b50 0x0000 0x0000 0x0020 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
29 4 0x0400081000004000 1294260266.528923000 0.000034000 0.000000000 0.000643000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 54 0 20 20 20 0x00 249 0 0x04e2 64 0x5c9a 0x5c9a 0x7366 0x5f52 0x0800 0 0 0 0x0000 0 0x00 XXXXXXXXXXXXXXXXXXXX
30 4 0x0400000000004001 1294260266.529423000 0.000000000 0.000500000 0.000000000 3 eth:ipv4:tcp 00:0f:ea:e8:f5:51 00:24:e8:ed:3f:10 0x0800 192.168.203.134 07 Private network 0 192.168.203.131 07 Private network 1509 6 60 0 20 0 0 0x00 14196 0 0x4000 64 0xeb00 0xeb00 0x83db 0x83db 0x0040 0 0 0 0 280558844 0 0 0 0 0 0 0 0 0 0x0010 0x0414 0x0180 0 0 0 0 0 0 0x00 0 0x00 0 0x40
Detecting scans
Scans are normally the initiation of more serious attacks. Nevertheless, a lot of normal TCP traffic looks like scanning. Anybody who has used SNORT, the de facto standard IDS, may have suffered from interpreting all the scan alarms. So the alarms need filtering.
I once needed an indication in the end report and in the flow/packet file of whether a malicious TCP scan is around. It is not perfect, but it has often served its purpose.
To see its effect clearly, please download nmap_v_sT.pcap, copy it into your data folder and rerun t2. The pcap was generated by the nmap scanning tool.
t2 -r ~/data/nmap_v_sT.pcap -w ~/results/
tawk -V tcpFlags=0x803b -V tcpAnomaly=0x1008 -V ipToS=0x04
The tcpFlags column with value 0x803b is to be interpreted as follows:
    bit | tcpFlags | Description
    =============================================================================
      0 | 0x0001   | FIN: No more data, finish connection
      1 | 0x0002   | SYN: Synchronize sequence numbers
      3 | 0x0008   | PSH: Push data
      4 | 0x0010   | ACK: Acknowledgement field value valid
      5 | 0x0020   | URG: Urgent pointer valid
     15 | 0x8000   | Potential Xmas scan packet or malicious channel

The tcpAnomaly column with value 0x1008 is to be interpreted as follows:
    bit | tcpAnomaly | Description
    =============================================================================
      3 | 0x0008     | Duplicate ACK
     12 | 0x1000     | Scan detected in flow

The ipToS column with value 0x04 is to be interpreted as follows:
    bit | ipToS | Description
    =============================================================================
      2 | 0x04  | Precedence 0
Below, the first 20 rows of the flow file that contain scans are printed.
tawk 'bitsanyset($tcpAnomaly, 0x1000)' ~/results/nmap_v_sT_flows.txt | head -n 10 | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpFStat ipMindIPID ipMaxdIPID ipMinTTL ipMaxTTL ipTTLChg ipToS ipFlags ipOptCnt ipOptCpCl_Num ip6OptCntHH_D ip6OptHH_D tcpISeqN tcpPSeqCnt tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpBFlgtMx tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt tcpFlags tcpAnomaly tcpOptPktCnt tcpOptCnt tcpOptions tcpMSS tcpWS tcpMPTBF tcpMPF tcpMPAID tcpMPdssF tcpTmS tcpTmER tcpEcI tcpUtm tcpBtm tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAve tcpRTTAckTripJitAve tcpRTTSseqAA tcpRTTAckJitAve tcpStatesAFlags
A 1 0x0400000000004000 1416313200.358106 1416313200.358106 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 54118 10.20.0.125 04 "Private network" 587 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2868435842 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3992845 0 0.004 15971.380759 1416297228.977348 0 65535 0 0 0 0 0 0x03
A 2 0x0400000000004000 1416313200.457149 1416313200.457149 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 33056 10.20.0.125 04 "Private network" 1720 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2506148143 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3992875 0 0.004 15971.500759 1416297228.956391 0 65535 0 0 0 0 0 0x03
A 3 0x0400000000004000 1416313201.458313 1416313201.458313 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 45750 10.20.0.125 04 "Private network" 1720 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1770850395 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3993175 0 0.004 15972.700759 1416297228.757555 0 65535 0 0 0 0 0 0x03
A 4 0x0400000000004000 1416313201.458361 1416313201.458361 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 38704 10.20.0.125 04 "Private network" 587 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3336324932 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3993175 0 0.004 15972.700759 1416297228.757603 0 65535 0 0 0 0 0 0x03
A 5 0x0400000000004000 1416313201.557900 1416313201.557900 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 50322 10.20.0.125 04 "Private network" 995 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3712758514 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3993205 0 0.004 15972.820759 1416297228.737142 0 65535 0 0 0 0 0 0x03
A 6 0x0400000000004000 1416313201.558981 1416313201.558981 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 45384 10.20.0.125 04 "Private network" 135 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2792320487 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3993206 0 0.004 15972.824759 1416297228.734223 0 65535 0 0 0 0 0 0x03
A 7 0x0400000000004000 1416313201.559756 1416313201.559756 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 55726 10.20.0.125 04 "Private network" 443 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 742007355 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3993206 0 0.004 15972.824759 1416297228.734998 0 65535 0 0 0 0 0 0x03
A 8 0x0400000000004000 1416313201.759706 1416313201.759706 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 55879 10.20.0.125 04 "Private network" 443 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3280881276 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3993266 0 0.004 15973.064759 1416297228.694948 0 65535 0 0 0 0 0 0x03
A 9 0x0400000000004000 1416313201.759861 1416313201.759861 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 45598 10.20.0.125 04 "Private network" 135 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3916203706 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3993266 0 0.004 15973.064759 1416297228.695103 0 65535 0 0 0 0 0 0x03
...
tawk '$numPktsSnt > 1' ~/results/nmap_v_sT_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpFStat ipMindIPID ipMaxdIPID ipMinTTL ipMaxTTL ipTTLChg ipToS ipFlags ipOptCnt ipOptCpCl_Num ip6OptCntHH_D ip6OptHH_D tcpISeqN tcpPSeqCnt tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpBFlgtMx tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt tcpFlags tcpAnomaly tcpOptPktCnt tcpOptCnt tcpOptions tcpMSS tcpWS tcpMPTBF tcpMPF tcpMPAID tcpMPdssF tcpTmS tcpTmER tcpEcI tcpUtm tcpBtm tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAve tcpRTTAckTripJitAve tcpRTTSseqAA tcpRTTAckJitAve tcpStatesAFlags
A 1035 0x0400100000004000 1416313207.526140 1416313209.202341 1.676201 1 3 eth:ipv4:udp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56907 10.20.0.125 04 "Private network" 41661 17 4 0 1200 0 300 300 300 0 0 0.571979 0.4190502 0.1840924 2.386349 715.9046 1 1 0x0001 0 0 51 51 0 0x00 0x0000 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x0000 0x0000 0 0 0x00000000 0 0 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0 65535 0 0 0 0 0 0x00
A 1036 0x0400000000004000 1416313207.600509 1416313209.299168 1.698659 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56862 10.20.0.125 04 "Private network" 41089 6 4 0 0 0 0 0 0 0 0 0.58213 0.4246647 0.1861713 2.354799 0 1 0 0x0013 14560 41214 40 53 3 0x00 0x0004 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2449289213 0 0 0 0 0 0 0 31337 31337 31337 31337 0 0 0 0 0x0002 0x1000 4 20 0x0000011e 265 0 0x0000 0x00 0 0x00 4294967295 0 0.01 42949671.990000 1373363537.309168 0 65535 0 0 0 0 0 0x03
A 1037 0x0400000000004000 1416313207.670968 1416313209.394928 1.723960 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56863 10.20.0.125 04 "Private network" 41089 6 4 0 0 0 0 0 0 0 0 0.582315 0.43099 0.187417 2.320239 0 1 0 0x0013 723 11955 50 54 2 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2449289213 4 0 0 4 0 3 0 32768 32768 32768 32768 0 0 0 0 0x0010 0x0008 4 20 0x0000011e 265 0 0x0000 0x00 0 0x00 4294967295 0 0.01 42949671.990000 1373363537.404928 0 65535 0 0 0 0 0 0x03
A 1038 0x0400000000004000 1416313207.768806 1416313209.490977 1.722171 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56864 10.20.0.125 04 "Private network" 41089 6 4 0 0 0 0 0 0 0 0 0.579505 0.4305428 0.1871625 2.32265 0 1 0 0x0013 5943 47665 43 56 3 0x00 0x0004 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2449289213 0 0 0 0 0 0 0 65535 65535 65535 65535 0 0 0 0 0x8029 0x1000 4 20 0x0000011e 265 0 0x0000 0x00 0 0x00 4294967295 0 0.01 42949671.990000 1373363537.500977 0 65535 0 0 0 0 0 0x83
A 1034 0x0400000000004000 1416313207.399029 1416313213.771996 6.372967 1 3 eth:ipv4:icmp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 0 10.20.0.125 04 "Private network" 0 1 16 0 2160 0 120 150 135 13.60319 0 3.084397 0.3983104 0.6733372 2.510605 338.9316 1 1 0x0001 24122 39230 37 59 14 0x04 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x0000 0x0000 0 0 0x00000000 0 0 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0 65535 0 0 0 0 0 0x00
A 1039 0x0400100000004000 1416313212.383429 1416313213.855100 1.471671 1 3 eth:ipv4:udp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56907 10.20.0.125 04 "Private network" 44093 17 4 0 1200 0 300 300 300 0 0 0.497902 0.3679178 0.1605711 2.717999 815.3997 1 1 0x0001 0 0 56 56 0 0x00 0x0000 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x0000 0x0000 0 0 0x00000000 0 0 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0 65535 0 0 0 0 0 0x00
A 1040 0x0400000000004000 1416313212.449125 1416313213.938839 1.489714 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56862 10.20.0.125 04 "Private network" 36508 6 4 0 0 0 0 0 0 0 0 0.50196 0.3724285 0.1617426 2.685079 0 1 0 0x0013 3237 53852 43 57 3 0x00 0x0004 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3748830669 0 0 0 0 0 0 0 31337 31337 31337 31337 0 0 0 0 0x0002 0x1000 4 20 0x0000011e 265 0 0x0000 0x00 0 0x00 4294967295 0 0.01 42949671.990000 1373363541.948839 0 65535 0 0 0 0 0 0x03
A 1041 0x0400000000004000 1416313212.530015 1416313214.021189 1.491174 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56863 10.20.0.125 04 "Private network" 36508 6 4 0 0 0 0 0 0 0 0 0.498118 0.3727935 0.1617746 2.68245 0 1 0 0x0013 10342 29962 41 52 3 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3748830669 4 0 0 4 0 3 0 32768 32768 32768 32768 0 0 0 0 0x0010 0x0008 4 20 0x0000011e 265 0 0x0000 0x00 0 0x00 4294967295 0 0.01 42949671.990000 1373363542.031189 0 65535 0 0 0 0 0 0x03
A 1042 0x0400000000004000 1416313212.619118 1416313214.101341 1.482223 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56864 10.20.0.125 04 "Private network" 36508 6 4 0 0 0 0 0 0 0 0 0.494521 0.3705558 0.1608062 2.698649 0 1 0 0x0013 3455 6768 47 56 3 0x00 0x0004 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3748830669 0 0 0 0 0 0 0 65535 65535 65535 65535 0 0 0 0 0x8029 0x1000 4 20 0x0000011e 265 0 0x0000 0x00 0 0x00 4294967295 0 0.01 42949671.990000 1373363542.111341 0 65535 0 0 0 0 0 0x83
The bit tcpFlags=0x0002 is also a measure to select unsuccessful SYN scan flows: the aggregated TCP flags indicate that these flows are unanswered SYN scans. Odd are the high window scale factor and the random initial window size, while the TTL indicates a Linux platform. Is it malicious?
Flags count as AI features
t2conf tcpFlags -D TCPFLGCNT=1 && t2build tcpFlags
t2 -r ~/data/nmap_v_sT.pcap -w ~/results/
tawk '{ split($tcpCntF_S_R_P_A_U_E_C_FA_SA_RA_N_SF_SFR_RF_X, A, "_"); if (A[16] > 0) print; }' ~/results/nmap_v_sT_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktsSnt pktsRcvd padBytesSnt l7BytesSnt l7BytesRcvd minL7PktSz maxL7PktSz avgL7PktSz stdL7PktSz minIAT maxIAT avgIAT stdIAT pktps bytps pktAsm bytAsm tcpFStat ipMindIPID ipMaxdIPID ipMinTTL ipMaxTTL ipTTLChg ipToS ipFlags ipOptCnt ipOptCpCl_Num ip6OptCntHH_D ip6OptHH_D tcpISeqN tcpPSeqCnt tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpBFlgtMx tcpInitWinSz tcpAvgWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt tcpFlags tcpAnomaly tcpCntF_S_R_P_A_U_E_C_FA_SA_RA_N_SF_SFR_RF_X tcpOptPktCnt tcpOptCnt tcpOptions tcpMSS tcpWS tcpMPTBF tcpMPF tcpMPAID tcpMPDSSF tcpTmS tcpTmER tcpEcI tcpUtm tcpBtm tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAvg tcpRTTAckTripJitAvg tcpRTTSseqAA tcpRTTAckJitAvg tcpStatesAFlags
A 1038 0x0400000000004000 1416313207.768806000 1416313209.490977000 1.722171000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56864 10.20.0.125 04 "Private network" 41089 6 4 0 0 0 0 0 0 0 0 0 0.579505 0.4305428 0.3343525 2.32265 0 1 0 0x0013 5943 47665 43 56 3 0x00 0x0004 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2449289213 0 0 0 0 0 0 0 65535 65535 65535 65535 0 0 0 0 0x8029 0x1000 4_0_0_4_0_4_0_0_0_0_0_0_0_0_0_4 4 20 0x0000011e 265 0 0x0000 0x00 0 0x00 4294967295 0 0.01 42949671.990000 1373363537.3796944294 0 65535 0 0 0 0 0 0x83
A 1042 0x0400000000004000 1416313212.619118000 1416313214.101341000 1.482223000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56864 10.20.0.125 04 "Private network" 36508 6 4 0 0 0 0 0 0 0 0 0 0.494521 0.3705558 0.2881742 2.698649 0 1 0 0x0013 3455 6768 47 56 3 0x00 0x0004 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3748830669 0 0 0 0 0 0 0 65535 65535 65535 65535 0 0 0 0 0x8029 0x1000 4_0_0_4_0_4_0_0_0_0_0_0_0_0_0_4 4 20 0x0000011e 265 0 0x0000 0x00 0 0x00 4294967295 0 0.01 42949671.990000 1373363542.3407308294 0 65535 0 0
So you see right away the counts of Xmas scan flags in both flows, should you want to build an Xmas detector; for that you do not need AI. Note that the FIN, PSH and URG counters are also incremented, because some people are not interested in the Xmas count and mask bits 8-15. So if you are interested in the true count of the individual flags, you have to subtract the counts of the combined flags, such as FA, SA, ..., X. In a later version I will add a mode where this is done automatically.
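To make the two decoding steps of this tutorial concrete, the bit interpretation that tawk -V prints for tcpFlags/tcpAnomaly and the subtraction of the combined flag counters from the single-flag counters, here is an added Python example; it is not part of the tcpFlags plugin or the T2 tool chain. It reads a small constructed flow file (the Xmas flow 1038 is copied from the output above, the count column of SYN scan flow 1036 and the whole ordinary flow 2001 are constructed), looks columns up by name the way tawk does, decodes the bits documented above and computes the corrected counts. Two assumptions are made: the RST/ECE/CWR bit positions are taken to mirror the TCP header flag byte like the five documented bits, and the set of single flags each combined counter (FA, SA, ..., X) also increments is the natural reading of the column name, not something the page confirms.

```python
"""Decode tcpFlags/tcpAnomaly bits and correct the tcpCnt... column of a T2 flow file.

Added example, not code from the tcpFlags plugin or T2.
"""
import shlex

# Bit meanings as printed by `tawk -V` above. RST/ECE/CWR positions are an
# assumption (mirroring the TCP header flag byte, like the five documented bits).
TCP_FLAGS_BITS = {
    0x0001: "FIN", 0x0002: "SYN", 0x0004: "RST", 0x0008: "PSH",
    0x0010: "ACK", 0x0020: "URG", 0x0040: "ECE", 0x0080: "CWR",
    0x8000: "Potential Xmas scan packet or malicious channel",
}
TCP_ANOMALY_BITS = {0x0008: "Duplicate ACK", 0x1000: "Scan detected in flow"}

CNT_COL = "tcpCntF_S_R_P_A_U_E_C_FA_SA_RA_N_SF_SFR_RF_X"
CNT_NAMES = CNT_COL[len("tcpCnt"):].split("_")   # ['F', 'S', ..., 'X']

# Assumption: which single-flag counters a combined counter also increments.
# X is FIN+PSH+URG, as the 0x8029 flow above shows; N counts flagless packets.
COMBINED = {
    "FA": ("F", "A"), "SA": ("S", "A"), "RA": ("R", "A"), "N": (),
    "SF": ("S", "F"), "SFR": ("S", "F", "R"), "RF": ("R", "F"),
    "X": ("F", "P", "U"),
}

# Constructed flow file with a reduced set of columns. Row 1038 is taken from
# the output above; the count column of 1036 and all of 2001 are made up.
SAMPLE_FLOWS = """\
%flowInd srcIP srcIPOrg dstIP dstPort tcpFlags tcpAnomaly tcpCntF_S_R_P_A_U_E_C_FA_SA_RA_N_SF_SFR_RF_X
1038 10.20.6.125 "Private network" 10.20.0.125 41089 0x8029 0x1000 4_0_0_4_0_4_0_0_0_0_0_0_0_0_0_4
1036 10.20.6.125 "Private network" 10.20.0.125 41089 0x0002 0x1000 0_1_0_0_0_0_0_0_0_0_0_0_0_0_0_0
2001 10.20.6.125 "Private network" 10.20.0.125 443 0x001b 0x0000 1_1_0_1_3_0_0_0_1_0_0_0_0_0_0_0
"""


def decode_bits(value, table):
    """Descriptions of every set bit of `value`, in ascending bit order."""
    return [desc for bit, desc in sorted(table.items()) if value & bit]


def parse_flow_file(text):
    """Map each row onto the %-prefixed header, honouring quoted fields."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split()
    return [dict(zip(header, shlex.split(ln))) for ln in lines[1:]]


def true_flag_counts(cnt_field):
    """Split the tcpCnt... field and subtract each combined counter from the
    single-flag counters it also incremented. Returns (raw, corrected)."""
    raw = dict(zip(CNT_NAMES, map(int, cnt_field.split("_"))))
    true = dict(raw)
    for combo, members in COMBINED.items():
        for single in members:
            true[single] -= raw[combo]
    return raw, true


def analyse(text):
    """One summary dict per flow: decoded bits plus raw and corrected counts."""
    entries = []
    for row in parse_flow_file(text):
        flags, anomaly = int(row["tcpFlags"], 16), int(row["tcpAnomaly"], 16)
        raw, true = true_flag_counts(row[CNT_COL])
        entries.append({
            "flowInd": int(row["flowInd"]), "dstPort": int(row["dstPort"]),
            "tcpFlags": flags, "tcpAnomaly": anomaly,
            "flags": decode_bits(flags, TCP_FLAGS_BITS),
            "anomaly": decode_bits(anomaly, TCP_ANOMALY_BITS),
            "raw": raw, "true": true,
        })
    return entries


def scan_suspects(entries):
    """flowInd of every flow where T2 set the scan anomaly bit or the Xmas bit."""
    return [e["flowInd"] for e in entries
            if e["tcpAnomaly"] & 0x1000 or e["tcpFlags"] & 0x8000]


if __name__ == "__main__":
    for e in analyse(SAMPLE_FLOWS):
        print(e["flowInd"], e["flags"], e["anomaly"])
        print("   raw :", e["raw"])
        print("   true:", e["true"])
    print("scan suspects:", scan_suspects(analyse(SAMPLE_FLOWS)))
```

For flow 1038 the corrected counts drop FIN, PSH and URG to 0 while X stays 4: every packet in that flow was an Xmas packet, none was a plain FIN. For the ordinary flow 2001 the single FIN+ACK packet is removed from both the F and the A counter, which is the subtraction the paragraph above describes.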
Conclusion
You may now reset the whole configuration of T2 to ensure that in the next tutorial all flags are properly set to default.
t2conf --reset -a
Look at the other pcaps and check out the scan alarms.
Have fun!