Tutorial: IP/TCP Troubleshooting
Contents
- IP/TCP header features
- Preparation
- tcpFlags default
- OS Fingerprinting
- Host load estimation
- tcpFlags troubleshooting TCP connections
- Window size features
- Sequence and Acknowledge numbers
- RTT estimate
- L3/4 Checksums
- TCP Options
- Boot time estimation
- Multipath TCP (MPTCP)
- Fragmentation
- Detecting Scans
- Conclusion
IP/TCP header features
In this tutorial we will show you the hidden power of layers 3/4 for troubleshooting, security and admin applications. All of it is integrated in one plugin: tcpFlags. Its name is a bit misleading, as it evolved during practical application from a simple TCP flags decoder to a full-blown troubleshooting plugin for L3/4. Hence, it provides the following features:
- TCP warning bits for troubleshooting, similar to Wireshark/TShark
- OS and application fingerprinting (TTL, initial window size, flags)
- Host load estimation (IPv4 IPID)
- L3/4 options
- Sequence/Acknowledge Number Tricks
- NAT flow bundling: boot time estimation, host clock estimation (OS fingerprinting)
- Multipath TCP (MPTCP)
- Trip and Round Trip Time (RTT), jitter estimation
- L3/4 checksum evaluation
- Protocol anomalies
- Fragmentation anomalies
- Flow health: window size statistics, bytes in flight
- Scan detection support
If you have read The Basics tutorial, you already had a glimpse of some basic features of tcpFlags. Here we will explain how to apply those features. Note that you need version 0.8.14 or higher of the tcpFlags plugin, so that the output in your command line matches this website.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow tcpFlags tcpStates txtSink
...
BUILD SUCCESSFUL
If you have not created separate data and results directories yet, please do it now in another bash window; it simplifies your workflow:
mkdir ~/data ~/results
The sample PCAPs used in this tutorial can be downloaded here:
Please save them in your ~/data folder.
Now you are all set!
tcpFlags default
Let’s start with tcpFlags in minimal mode.
With version 0.8.14, the tcpFlags anomaly bits moved a bit closer to Wireshark’s and the flag bits for the TCP header changed. The IP ToS can now also be represented in different forms.
A lot is different now, but it is easier to interpret for the troubleshooter.
Nevertheless, the configuration stayed the same. Open tcpFlags.h in the tcpFlags plugin folder:
tcpFlags
vi src/tcpFlags.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define IPTOS            0 // IPv4 ToS / IPv6 Class:
                           //   0: IP ToS hex
                           //   1: DSCP_ECN dec
                           //   2: Precedence(1-7)_ECN
#define RTT_ESTIMATE     1 // 1: Round trip time estimation
#define IPCHECKSUM       2 // Checksum calculation
                           //   0: No checksum calculation
                           //   1: Calculation of L3 (IP) header checksum
                           //   2: Calculation of L3 (IP) and L4 (TCP, UDP, ...) checksum
#define WINDOWSIZE       1 // 1: Calculation of TCP window size parameters
#define WINMIN           1 // Minimal window size threshold defining a healthy communication
                           //   (only packets below the threshold are counted)
#define SEQ_ACK_NUM      1 // 1: SEQ/ACK number feature analysis
#define FRAG_ANALYZE     1 // 1: Fragmentation analysis
#define NAT_BT_EST       1 // 1: NAT boot time estimation
#define SCAN_DETECTOR    1 // 1: Scan flow detector
#define MPTCP            1 // 1: Dissect MPTCP

// The following options require SEQ_ACK_NUM = 1
#define SPKTMD_SEQACKREL 0 // SEQ/ACK numbers representation (-s option):
                           //   0: absolute,
                           //   1: relative
#define SPKTMD_SEQACKHEX 0 // SEQ/ACK numbers representation (-s option):
                           //   0: uint32_t
                           //   1: hex32
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
The constants SPKTMD_SEQACKREL and SPKTMD_SEQACKHEX refer to the packet mode for absolute/relative SEQ/ACK number output and decimal/hex representation respectively; see the packet mode tutorial. All the other switches will be discussed in the following chapters. First, let’s look at the end report.
Now invoke t2 with the -s option.
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 23548
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: tcpFlags, 0.8.14
    03: tcpStates, 0.8.14
    04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/faf-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1258544215.037210 sec (Wed 18 Nov 2009 11:36:55 GMT)
Dump stop : 1258594491.683288 sec (Thu 19 Nov 2009 01:34:51 GMT)
Total dump duration: 50276.646078 sec (13h 57m 56s)
Finished processing. Elapsed time: 0.035239 sec
Finished unloading flow memory. Time: 0.035283 sec
Percentage completed: 100.00%
Number of processed packets: 5902 (5.90 K)
Number of processed bytes: 4993414 (4.99 M)
Number of raw bytes: 4993414 (4.99 M)
Number of pcap bytes: 5087870 (5.09 M)
Number of IPv4 packets: 5902 (5.90 K) [100.00%]
Number of A packets: 1986 (1.99 K) [33.65%]
Number of B packets: 3916 (3.92 K) [66.35%]
Number of A bytes: 209315 (209.31 K) [4.19%]
Number of B bytes: 4784099 (4.78 M) [95.81%]
Average A packet load: 105.40
Average B packet load: 1221.68 (1.22 K)
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x0044
tcpFlags: Aggregated tcpFStat=0x4ff1
tcpFlags: Aggregated tcpFlags=0x071f
tcpFlags: Aggregated tcpAnomaly=0x02cc
tcpFlags: Number of TCP SYN retries, seq retries: 0, 27
tcpFlags: Number WinSz below 1: 3 [0.05%]
tcpStates: Aggregated tcpStatesAFlags=0x4a
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 5902 (5.90 K) [100.00%]
Number of TCP bytes: 4993414 (4.99 M) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 72
Number of processed A flows: 36 [50.00%]
Number of processed B flows: 36 [50.00%]
Number of request flows: 36 [50.00%]
Number of reply flows: 36 [50.00%]
Total A/B flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed packets/flows: 81.97
Number of processed A packets/flows: 55.17
Number of processed B packets/flows: 108.78
Number of processed total packets/s: 0.12
Number of processed A+B packets/s: 0.12
Number of processed A packets/s: 0.04
Number of processed B packets/s: 0.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.00
Average full raw bandwidth: 795 b/s
Average full bandwidth : 792 b/s
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
Between the dashed lines tcpFlags reports a summary of the flow variables tcpFStat, tcpFlags, ipFlags and tcpAnomaly, plus the SYN retry and WinSize threshold counts.
Note that the bits are now grouped strictly by topic: window, flags, IP header and TCP anomalies. The scans moved to tcpFlags, which became a 16 bit field, so bit combinations such as FIN_ACK are now in the upper byte of the tcpFlags status bit field.
Let’s have a look at them:
tawk -V tcpFStat=0x4ff1 -V ipFlags=0x0044 -V tcpFlags=0x071f -V tcpAnomaly=0x02cc
The tcpFStat column with value 0x4ff1 is to be interpreted as follows:
bit | tcpFStat | Description
=============================================================================
 0  | 0x0001   | Packet good for inter-distance assessment
 4  | 0x0010   | Window state-machine initialized
 5  | 0x0020   | Window update
 6  | 0x0040   | Win 0 probe
 7  | 0x0080   | Win 0 probe ACK
 8  | 0x0100   | Min Window detected
 9  | 0x0200   | WS used
10  | 0x0400   | Window full
11  | 0x0800   | Window state-machine count up(1)/down(0)
14  | 0x4000   | TCP Selective ACK Option

The ipFlags column with value 0x0044 is to be interpreted as follows:
bit | ipFlags | Description
=============================================================================
 2  | 0x0004  | IPv4 ID roll over
 6  | 0x0040  | IPv4: Don't Fragment bit, IPv6: reserve bit

The tcpFlags column with value 0x071f is to be interpreted as follows:
bit | tcpFlags | Description
=============================================================================
 0  | 0x0001   | FIN: No more data, finish connection
 1  | 0x0002   | SYN: Synchronize sequence numbers
 2  | 0x0004   | RST: Reset connection
 3  | 0x0008   | PSH: Push data
 4  | 0x0010   | ACK: Acknowledgement field value valid
 8  | 0x0100   | FIN_ACK: Acknowledgement of FIN
 9  | 0x0200   | SYN_ACK: Acknowledgement of SYN
10  | 0x0400   | RST_ACK: Acknowledgement of RST

The tcpAnomaly column with value 0x02cc is to be interpreted as follows:
bit | tcpAnomaly | Description
=============================================================================
 2  | 0x0004     | SEQ Fast retransmission
 3  | 0x0008     | Duplicate ACK
 6  | 0x0040     | Sequence number out-of-order
 7  | 0x0080     | Sequence mess, rather spurious Retransmission
 9  | 0x0200     | Previous packet not captured
Some duplicate ACKs with SEQ fast retransmissions, so packets were lost and retransmitted. As WINMIN=1, the warning Min Window detected denotes that the window size hit 0, indicating that the receiver side buffer overflowed. Win 0 probe indicates that this condition lasted longer, so that the sender started probing the receiver side. Window full denotes that the transmission window of the TCP flow, as advertised by the receiver, is full.
OS Fingerprinting
The L3/4 headers still provide some information for estimating the operating system of the sending host. All these parameters are included in the flow and packet file output, such as:
- TTL (ipMinTTL, ipMaxTTL, ipTTLChg): minimal/maximal TTL and the number of TTL changes during the flow life time
- Initial window size (tcpInitWinSz): only valid if the 3-way handshake is captured
- TCP options (tcpOptions): aggregated in the flow file, or in packet mode as hex or human-readable interpretation
If you load the OS fingerprinting plugin tp0f, several other parameters are used as well, and the calculation of the TTL to the next higher 2^n value is already done for you. If you are hard core, just use the parameters from tcpFlags and do the calculations in your head.
Host load estimation
I hate IPv6! Why? Because these bastards omitted the IP ID in the L3 header. And I hate OSes which do not increment the IP ID by 1 for each packet being sent. Why? Because it is an excellent parameter to estimate the load of a server. If the IP ID increments by a large value, several other connections (flows) must exist besides the one I’m looking at, so the host has a lot of work to do.
- IPv4 (ipMindIPID, ipMaxdIPID): minimal/maximal IP ID increment between consecutive packets during the flow life time.
There are still OSes which increment the IP ID by 1, so if ipMindIPID==2, ipMaxdIPID is an indicator of the host load.
Another indication is the number of flows per host. Have a look at the connStat plugin tutorial.
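As an added example (not Tranalyzer's own code), the following Python computes the TTL and IP ID columns named in the two sections above from a constructed packet list of one flow direction, and derives the initial-TTL/hop estimate and the host-load hint from them. The set of common initial TTL values and the "packets sent elsewhere" rule are assumptions of this example.

```python
# Added example, not Tranalyzer code: L3 fingerprinting and host-load hints
# computed from a constructed list of (ttl, ipid) tuples of one flow direction.
IP_FLAG_IPID_ROLLOVER = 0x0004     # "IPv4 ID roll over" from the ipFlags table above
INITIAL_TTLS = (32, 64, 128, 255)  # assumption: common initial TTLs (2^n values and 255)


def initial_ttl(ttl):
    """Round an observed TTL up to the next common initial value; this is the
    'next higher 2^n' step mentioned in the text (255 is treated as the top)."""
    for cand in INITIAL_TTLS:
        if ttl <= cand:
            return cand
    raise ValueError(f"TTL {ttl} is not a valid 8-bit TTL")


def hop_count(ttl):
    """Estimated router hops between the sender and the capture point."""
    return initial_ttl(ttl) - ttl


def flow_l3_stats(packets):
    """packets: [(ttl, ipid), ...] of one flow direction in capture order.
    Returns the tcpFlags-style columns plus the derived fingerprint/load hints."""
    ttls = [ttl for ttl, _ in packets]
    ipids = [ipid for _, ipid in packets]
    stats = {
        "ipMinTTL": min(ttls), "ipMaxTTL": max(ttls),
        "ipTTLChg": sum(1 for a, b in zip(ttls, ttls[1:]) if a != b),
        "ipFlags": 0,
    }
    # The IP ID is a 16 bit counter: take differences modulo 65536 and flag the wrap.
    diffs = []
    for prev, cur in zip(ipids, ipids[1:]):
        if cur < prev:
            stats["ipFlags"] |= IP_FLAG_IPID_ROLLOVER
        diffs.append((cur - prev) & 0xFFFF)
    stats["ipMindIPID"] = min(diffs) if diffs else 0
    stats["ipMaxdIPID"] = max(diffs) if diffs else 0
    # OS hint: initial TTL class and distance (ipMaxTTL is closest to the origin).
    stats["initTTL"] = initial_ttl(stats["ipMaxTTL"])
    stats["hops"] = stats["initTTL"] - stats["ipMaxTTL"]
    # Load hint, only meaningful for an OS that increments the ID by one per packet:
    # packets the host sent on other flows between two consecutive packets of this one.
    stats["otherPktsMax"] = max(stats["ipMaxdIPID"] - 1, 0)
    return stats


# Constructed inputs (not taken from the pcap). SERVER mimics the B side of flow 36
# above: TTL 111 is 17 hops from an initial TTL of 128, and the ID jumps by 1738
# between two packets, so the host was busy elsewhere. WRAP shows a 16 bit ID
# rollover and a TTL change within the flow.
SERVER = [(111, 17228), (111, 18966), (111, 18967)]
WRAP = [(64, 65530), (64, 65533), (63, 2)]
```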
tcpFlags troubleshooting TCP connections
Basically, the status bit fields tcpFStat and tcpAnomaly flag flows in trouble. Let’s have a look at all flows with duplicate ACKs and retransmissions. In the flow file you might notice a new column, tcpBFlgtMx. It denotes the maximum TCP bytes in flight of a flow. Why mostly B flows? Because the packet got lost in the A flow, right?
tawk 'bitsanyset($tcpAnomaly, 0x000c)' ~/results/faf-exercise_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpFStat ipMindIPID ipMaxdIPID ipMinTTL ipMaxTTL ipTTLChg ipToS ipFlags ipOptCnt ipOptCpCl_Num ip6OptCntHH_D ip6OptHH_D tcpISeqN tcpPSeqCnt tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpBFlgtMx tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt tcpFlags tcpAnomaly tcpOptPktCnt tcpOptCnt tcpOptions tcpMSS tcpWS tcpMPTBF tcpMPF tcpMPAID tcpMPdssF tcpTmS tcpTmER tcpEcI tcpUtm tcpBtm tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAve tcpRTTAckTripJitAve tcpRTTSseqAA tcpRTTAckJitAve tcpStatesAFlags
B 12 0x0400000000004001 1258563573.941709 1258563576.594045 2.652336 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:5b:d4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1397 6 0x0011 14578 41494 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1702698086 29 1440 0 30 2943 1 852 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 0 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000452 0.000295 2.176203 0.1305968 0.4659222 0.1459511 0.4690861 0x08
B 13 0x0400000000004001 1258565030.304696 1258565030.420877 0.116181 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:5b:d4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1749 6 0x0011 16590 55298 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 645942508 29 1405 0 30 5679 2 852 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 0 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000205 0.000205 0.002954 0.000904579 0.0007303541 0.004287212 0.01039787 0x08
B 14 0x0400000000004001 1258565174.919179 1258565175.037828 0.118649 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:5b:d4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1755 6 0x0011 33510 47342 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 328872932 27 1405 0 28 2357 1 852 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 0 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000454 0.000212 0.005176 0.001105353 0.001147219 0.004723745 0.01078533 0x08
B 15 0x0400000000004001 1258565820.302128 1258565821.898612 1.596484 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49218 6 0x0a11 811 52183 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 652739796 29 1519 0 29 4899 2 852 65535 524219.4 65535 524280 1 2 2 0 0x031b 0x0008 1 4 0x0000001e 1460 8 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.0002 0.0002 1.393001 0.08960117 0.2993275 0.09602135 0.3002903 0x00
B 16 0x0400000000004001 1258565880.189338 1258565880.212279 0.022941 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49219 6 0x0a11 11001 47310 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1405763652 30 799 0 30 4429 2 166 65535 524225.7 65535 524280 1 2 2 0 0x031b 0x0008 1 4 0x0000001e 1460 8 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000152 0.000152 0.002171 0.0006970555 0.0005016186 0.001095556 0.001520281 0x00
B 17 0x0400000000004001 1258566050.124650 1258566050.238828 0.114178 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49220 6 0x0a11 19206 47121 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 916601873 27 1466 0 27 2750 2 852 65535 524220.3 65535 524280 1 2 2 0 0x031b 0x0008 1 4 0x0000001e 1460 8 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000189 0.000189 0.003915 0.0009691875 0.0009807491 0.004689854 0.01158726 0x00
B 18 0x0400000000004001 1258566123.706462 1258566123.739692 0.033230 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:5b:d4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1806 6 0x0011 63527 61713 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 925488549 28 1370 0 28 4371 2 852 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 1 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000206 0.000174 0.003023 0.0009781176 0.0006968529 0.001666868 0.00209575 0x00
B 19 0x0400000000004001 1258567109.383558 1258567113.574642 4.191084 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:58:a6 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1400 6 0x0011 25388 44643 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1816175150 25 1370 0 26 1522 1 852 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 1 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000202 0.000102 3.94484 0.2614954 0.8918523 0.2686044 0.8921642 0x08
B 20 0x0400000000004001 1258567248.261635 1258567248.374809 0.113174 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:58:a6 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1404 6 0x0011 28675 64081 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 113675184 28 1370 0 28 5247 2 852 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 1 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000201 0.000201 0.002394 0.0008873334 0.0005642879 0.004495226 0.010784 0x00
B 21 0x0400000000004001 1258567289.262156 1258567289.283642 0.021486 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:58:a6 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1405 6 0x0011 58923 49123 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 6599705 28 632 0 28 5796 1 166 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 1 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000206 0.000206 0.001728 0.0006774737 0.0003368751 0.001090795 0.001555589 0x00
B 22 0x0400000000004001 1258567757.457805 1258567757.572984 0.115179 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49336 6 0x0a11 52210 51969 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 226877106 27 1466 0 27 2430 2 852 65535 524228.2 65535 524280 1 2 2 0 0x031b 0x0008 1 4 0x0000001e 1460 8 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000196 0.000196 0.004918 0.0009666248 0.001149992 0.004713143 0.01161447 0x00
B 23 0x0400000000004001 1258568036.508400 1258568036.620325 0.111925 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49353 6 0x0a11 60435 51877 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1304812153 26 1466 0 27 2462 2 852 65535 524227.5 65535 524280 1 2 2 0 0x031b 0x0008 1 4 0x0000001e 1460 8 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.00021 0.000141 0.003169 0.0008697333 0.0008035267 0.00472135 0.01157178 0x08
B 24 0x0400000000004001 1258568059.128711 1258568059.160696 0.031985 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:5b:d4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1836 6 0x0011 25036 31267 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1667500374 26 1370 0 26 3372 1 852 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 1 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000443 0.000247 0.003048 0.000927125 0.0006814631 0.00164151 0.002140057 0x00
B 25 0x0400000000004001 1258568667.549083 1258568667.662999 0.113916 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:58:a6 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1709 6 0x0011 13070 63071 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1075440067 25 1370 0 26 2374 1 852 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 1 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000447 0.000219 0.002757 0.001155533 0.0007415987 0.005134013 0.01097302 0x08
B 26 0x0400000000004001 1258568738.108301 1258568738.141266 0.032965 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49561 6 0x0a11 20209 59196 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1983906088 28 1466 0 28 4334 2 852 65535 524166.4 65535 524280 2 2 3 0 0x031b 0x0008 1 4 0x0000001e 1460 8 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000203 0.000196 0.002545 0.0008933531 0.0007415114 0.001596996 0.002200871 0x00
B 27 0x0400000000004001 1258574141.027497 1258574141.466226 0.438729 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.104 07 "Private network" 1572 6 0x0011 1033 49706 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1684028818 17 308 0 17 1021 1 166 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 1 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000464 0.000308 0.210095 0.0226374 0.05931785 0.03517511 0.0687353 0x00
B 28 0x0400000000004001 1258577484.692644 1258577484.971707 0.279063 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.104 07 "Private network" 1604 6 0x0011 12132 53911 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1644748927 17 308 0 17 761 1 166 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 1 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000445 0.000263 0.164624 0.0189601 0.04624642 0.02426969 0.04818752 0x00
B 29 0x0400000000004001 1258577840.949804 1258577841.204644 0.254840 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.104 07 "Private network" 1665 6 0x0011 35109 30475 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1401071890 17 308 0 17 574 1 166 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 1 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.00045 0.000265 0.135147 0.0165157 0.03776046 0.02183446 0.0401205 0x00
B 30 0x0400000000004001 1258581757.587891 1258581758.358901 0.771010 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:5b:d4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1934 6 0x0011 5853 51672 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 18417741 26 1370 0 27 5732 1 852 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 1 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000199 0.000171 0.018873 0.002281166 0.004088756 0.02947946 0.09640119 0x08
B 31 0x0400000000004001 1258582107.588266 1258582108.822724 1.234458 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:5b:d4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 2008 6 0x0011 61421 45039 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2088358893 25 1370 0 26 3460 1 852 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 1 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000198 0.000192 0.333958 0.05834953 0.08417293 0.07774249 0.1057726 0x08
B 32 0x0400000000004001 1258583614.298161 1258583615.323218 1.025057 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:58:a6 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1911 6 0x0011 60719 59161 64 64 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 398501520 28 1370 0 29 7079 2 852 65535 65535 65535 65535 0 0 0 0 0x031b 0x0008 1 2 0x00000014 1460 1 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000395 0.000195 0.139913 0.03019411 0.04022271 0.05901732 0.1140707 0x08
A 33 0x0400000000004000 1258587444.865917 1258587445.631435 0.765518 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1908 198.189.255.75 us "California State University" 80 6 0x0011 1 2 128 128 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3626872219 23 319 0 23 95699 1 319 65535 65535 65535 65535 0 0 0 0 0x011b 0x0008 1 4 0x00000016 1460 1 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.007304 0.007047 0.573488 0.01674978 0.06118462 0.007744 0 0x02
A 36 0x0400000000004000 1258594163.408285 1258594191.015208 27.606923 1 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 "Private network" 49330 143.166.11.10 us "Dell" 64334 6 0x49b1 1 223 128 128 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3392384642 1511 0 0 1511 4255056 437 0 8192 45402 0 64860 253 194 254 0.001981506 0x0416 0x0008 511 1536 0x0000003e 1460 4 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.078742 1e-06 0.67088 0.03865783 0.04056465 0.07920299 0 0x42
B 36 0x0400000000004001 1258594163.487027 1258594185.427506 21.940479 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us "Dell" 64334 192.168.1.105 07 "Private network" 49330 6 0x0c51 1 6365 111 111 0 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3177226489 2866 5233476 27 3099 0 0 28980 8192 64860 8192 64860 0 1 1 0 0x031b 0x02c4 1 4 0x00000016 1380 1 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000461 2e-06 5.587702 0.004777641 0.1447472 0.04343547 0.1503238 0x02
Have a look at flow 36, which is lit up like a Xmas tree. Here we have a lot of reasons why there is a major mess:
tawk -V tcpFStat=0x49b1 -V tcpFStat=0x0c51 -V tcpAnomaly=0x02c4
The tcpFStat column with value 0x49b1 is to be interpreted as follows:
bit | tcpFStat | Description
=============================================================================
 0  | 0x0001   | Packet good for inter-distance assessment
 4  | 0x0010   | Window state-machine initialized
 5  | 0x0020   | Window update
 7  | 0x0080   | Win 0 probe ACK
 8  | 0x0100   | Min Window detected
11  | 0x0800   | Window state-machine count up(1)/down(0)
14  | 0x4000   | TCP Selective ACK Option

The tcpFStat column with value 0x0c51 is to be interpreted as follows:
bit | tcpFStat | Description
=============================================================================
 0  | 0x0001   | Packet good for inter-distance assessment
 4  | 0x0010   | Window state-machine initialized
 6  | 0x0040   | Win 0 probe
10  | 0x0400   | Window full
11  | 0x0800   | Window state-machine count up(1)/down(0)

The tcpAnomaly column with value 0x02c4 is to be interpreted as follows:
bit | tcpAnomaly | Description
=============================================================================
 2  | 0x0004     | SEQ Fast retransmission
 6  | 0x0040     | Sequence number out-of-order
 7  | 0x0080     | Sequence mess, rather spurious Retransmission
 9  | 0x0200     | Previous packet not captured
So the A side had a full receive buffer and reduced its window size to 0; B hit the window full alarm and has since been probing whether the window is non-zero again so it can send more data. Hence the fast and spurious retransmissions, and on top of that a packet is missing from the pcap.
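To make the bit semantics discussed above concrete, here is an added Python example (not Tranalyzer's code) with a small per-side state machine that raises the Min Window, Win 0 probe, Win 0 probe ACK, Window update and Window full bits of tcpFStat, the Duplicate ACK, Fast retransmission, spurious Retransmission and Previous packet not captured bits of tcpAnomaly, and tracks tcpBFlgtMx, over a constructed segment list modelled on flow 36. The bit values come from the tawk -V tables above; the detection rules (for instance, a fast retransmission is a retransmission answering three duplicate ACKs) are simplified assumptions of this example.

```python
from collections import namedtuple
from dataclasses import dataclass

# Bit values as listed in the tawk -V tables above.
ANOMALY_FAST_RETRANS = 0x0004       # SEQ Fast retransmission
ANOMALY_DUP_ACK = 0x0008            # Duplicate ACK
ANOMALY_SPURIOUS_RETRANS = 0x0080   # Sequence mess, rather spurious Retransmission
ANOMALY_PREV_NOT_CAPTURED = 0x0200  # Previous packet not captured
FSTAT_WINDOW_UPDATE = 0x0020        # Window update
FSTAT_WIN0_PROBE = 0x0040           # Win 0 probe
FSTAT_WIN0_PROBE_ACK = 0x0080       # Win 0 probe ACK
FSTAT_MIN_WINDOW = 0x0100           # Min Window detected
FSTAT_WINDOW_FULL = 0x0400          # Window full
WINMIN = 1                          # as in tcpFlags.h: windows below 1 are counted

# side: "A"/"B" as in the flow file; length: payload bytes; win: scaled window
Segment = namedtuple("Segment", "side seq ack length win")

@dataclass
class SideState:
    next_seq: int = -1      # next sequence number this side should send
    last_ack: int = -1      # last ACK number this side sent
    last_win: int = -1      # last window this side advertised
    dup_acks: int = 0       # consecutive duplicate ACKs sent by this side
    probing: bool = False   # this side is zero-window probing
    fstat: int = 0          # tcpFStat bits
    anomaly: int = 0        # tcpAnomaly bits
    bflight_max: int = 0    # tcpBFlgtMx: max bytes in flight

def feed(states, p):
    """Update the per-side state of one flow with the next Segment p."""
    me, peer = states[p.side], states["B" if p.side == "A" else "A"]
    if me.next_seq < 0:
        me.next_seq = p.seq   # first segment seen from this side
    # Zero-window probe: one byte at the peer's next expected seq while its window
    # is 0; the byte is not accepted, so next_seq does not move.
    if peer.last_win == 0 and p.length == 1 and p.seq == peer.last_ack:
        me.fstat |= FSTAT_WIN0_PROBE
        me.probing = True
        return
    if peer.probing and p.length == 0 and p.win == 0:
        me.fstat |= FSTAT_WIN0_PROBE_ACK   # probe answered, window still 0
        return
    # Receiver view: what this side advertises and acknowledges.
    if p.win < WINMIN:
        me.fstat |= FSTAT_MIN_WINDOW
    if p.length == 0 and p.ack == me.last_ack:
        if p.win != me.last_win:
            me.fstat |= FSTAT_WINDOW_UPDATE   # same ACK, new window
            peer.probing = False
        else:
            me.dup_acks += 1                  # same ACK, same window, no data
            me.anomaly |= ANOMALY_DUP_ACK
    elif p.ack != me.last_ack:
        me.dup_acks = 0
    me.last_ack, me.last_win = p.ack, p.win
    # Sender view: sequence numbers of the data this side sends.
    if p.length > 0:
        if p.seq == me.next_seq:
            me.next_seq += p.length                  # in-order data
        elif p.seq > me.next_seq:
            me.anomaly |= ANOMALY_PREV_NOT_CAPTURED  # gap in the pcap
            me.next_seq = p.seq + p.length
        elif p.seq + p.length <= peer.last_ack:
            me.anomaly |= ANOMALY_SPURIOUS_RETRANS   # peer already ACKed it
        elif p.seq == peer.last_ack and peer.dup_acks >= 3:
            me.anomaly |= ANOMALY_FAST_RETRANS       # answer to 3 dup ACKs
        # any other seq < next_seq: plain retransmission, bit not quoted on this page
    # Bytes in flight: data sent beyond what the peer has acknowledged.
    if peer.last_ack >= 0:
        bif = me.next_seq - peer.last_ack
        me.bflight_max = max(me.bflight_max, bif)
        if peer.last_win > 0 and bif >= peer.last_win:
            me.fstat |= FSTAT_WINDOW_FULL   # sender filled the peer's window

def analyze(segments):
    """Return {side: (tcpFStat, tcpAnomaly, tcpBFlgtMx)} for a list of Segments."""
    states = {"A": SideState(), "B": SideState()}
    for seg in segments:
        feed(states, seg)
    return {k: (v.fstat, v.anomaly, v.bflight_max) for k, v in states.items()}

# Constructed flow (not pcap data) modelled on flow 36: B streams data until A's
# window is full, A advertises window 0, B probes, A reopens the window, one segment
# is missing from the capture, three dup ACKs trigger a fast retransmission and a
# late retransmission of already-ACKed data follows.
SAMPLE_FLOW = [
    Segment("A", 5000, 1000, 0, 300),
    Segment("B", 1000, 5000, 100, 8192), Segment("B", 1100, 5000, 100, 8192),
    Segment("B", 1200, 5000, 100, 8192),  # bytes in flight == A's window: full
    Segment("A", 5000, 1300, 0, 0),       # window 0: Min Window detected
    Segment("B", 1300, 5000, 1, 8192),    # Win 0 probe
    Segment("A", 5000, 1300, 0, 0),       # Win 0 probe ACK
    Segment("A", 5000, 1300, 0, 500),     # Window update
    Segment("B", 1300, 5000, 100, 8192),
    Segment("B", 1500, 5000, 100, 8192),  # 1400..1499 not captured
    Segment("A", 5000, 1400, 0, 500), Segment("A", 5000, 1400, 0, 500),
    Segment("A", 5000, 1400, 0, 500), Segment("A", 5000, 1400, 0, 500),  # 3 dup ACKs
    Segment("B", 1400, 5000, 100, 8192),  # fast retransmission
    Segment("A", 5000, 1600, 0, 500),
    Segment("B", 1500, 5000, 100, 8192),  # spurious retransmission
]
```

Feeding SAMPLE_FLOW to analyze() yields tcpFStat=0x01a0/tcpAnomaly=0x0008 for A and tcpFStat=0x0440/tcpAnomaly=0x0284 with 300 bytes in flight for B, the same kind of picture flow 36 shows above.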
You can follow that in the corresponding packet file:
tawk 'flow(36)' ~/results/faf-exercise_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto ipToS ipID ipIDDiff ipFrag ipTTL ipHdrChkSum ipCalChkSum l4HdrChkSum l4CalChkSum ipFlags ip6HHOptLen ip6HHOpts ip6DOptLen ip6DOpts ipOptLen ipOpts seq ack seqMax seqDiff ackDiff seqLen ackLen seqFlowLen ackFlowLen tcpMLen tcpBFlgt tcpFStat tcpFlags tcpAnomaly tcpWin tcpWS tcpMSS tcpTmS tcpTmER tcpOptLen tcpOpts tcpStatesAFlags l7Content
1280 36 0x0400000000004000 1258594163.408285 0.000000 0.000000 0.000000 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell 64334 6 0x00 16259 0 0x4000 128 0x5e7f 0x5e7f 0xbd9c 0xbd9c 0x0040 0 0 0 3392384642 0 3392384642 0 0 0 0 0 0 0 0 0x0010 0x0002 0x0000 8192 0 1460 0 0 12 0x02;0x04;0x05;0xb4;0x01;0x03;0x03;0x02;0x01;0x01;0x04;0x02 0x00
1281 36 0x0400000000004001 1258594163.487027 0.000000 0.078742 0.000000 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 17228 0 0x4000 111 0x6bba 0x6bba 0x738a 0x738a 0x0040 0 0 0 3177226489 3392384643 3177226489 0 0 0 0 0 0 0 0 0x0010 0x0212 0x0000 8192 0 1380 0 0 8 0x02;0x04;0x05;0x64;0x01;0x01;0x04;0x02 0x00
1282 36 0x0400000000004000 1258594163.487488 0.079203 0.000461 0.079203 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell 64334 6 0x00 16266 7 0x4000 128 0x5e84 0x5e84 0xc2a1 0xc2a1 0x0040 0 0 0 3392384643 3177226490 3392384643 1 0 0 0 0 0 0 0 0x0811 0x0010 0x0000 64860 0 1460 0 0 0 0x00
1287 36 0x0400000000004001 1258594163.644682 0.157655 0.157194 0.157655 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 18966 1738 0x4000 111 0x5f94 0x5f94 0x153a 0x153a 0x0040 0 0 0 3177226490 3392384643 3177226490 1 0 0 0 0 0 1380 1380 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 MZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\r\n$.......PE..L....IV:.................&...*...............@....@.................................Z.A...................................... .......@...$............@......p..t....................................................#...............................text....$.......&.................. ..`.rdata..\t....@.......*..............@..@.data...|....P.......,..............@....idata....... .......H..............@....rsrc....$...@...&...\..............@..@.reloc...!...p..."..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................U....X...SVWh....3.W...%C.P...%C.W.u.W.E.h....V...%C..u.......Q.l............hhPA.Q.`......Wj.V...%C.P...%C.............PQ..h$C......ubj.V...%C.P...%C.f=..w7.u..T).......u4.u.......Q..............hhPA.Q...........E..@................V...%C..E....C...\g..k.....................P..!.....H......PQ...............uA.......u/.......u&.u............r`hdPA.......
1288 36 0x0400000000004001 1258594163.644692 0.000010 0.157204 0.157665 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 18967 1 0x4000 111 0x5f93 0x5f93 0x77eb 0x77eb 0x0040 0 0 0 3177227870 3392384643 3177227870 1380 0 1380 0 1380 0 2760 2760 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 P.F.......\t.......tA.E.......PQ..............PQ.u....#C.;].}..].......Pj.h....V...%C.......PW..l$C.....2...j.Sh....V...%C.W...%C.j.j.h....V...%C..u....%C._^[..].U3.....(V.E..M..M..E..M..u..M..E..u.P.M..E...@..E.6....\r\PA..M....%C.f.......tD3....C..M..M..E..M..M..u...`PA..M..M..U..E...@..E.....Q...%C.f=....@^..].V......t$..5\PA....%C...u.3..t$..5`PA....%C...u.3...^.U........SVW.xPA..}...E....tS.....3........1........D.....+........,......=...........u..u..u..u...|%C._^[..]....u.j.3..v..v..v..v..u....%C.S....C..5..C.S...Dg...u.k.....P.F....Pj.j.h.. P.v$hlPA.S...%C.P.E.S.u....%C.S.5XZA.j0.u....%C..u..}..].......:...... .E.........Ha.A.......E..E.P..d$C..E....t#...t4..............w....E......|......C....g.....g...f......C.hhPA..........g.....g..Q......\.X........X.........PQ..h$C.hdPA.......Q.E..%............Q..#...........PQ.........u....%C.......E.......P..............E.....QR.@...........j\......P...........@P. #...........Pjs...C..2...PQ.Z%...........Q..".................PjcQR.2%.................QR.R.......\r..C....... ...g.....g...!=....t\t.E..........C....g.....g...}..t2......Pj.hC....u....%C............QPhQ....u....%C..E..}...........C.......:u\n......$.........@...................Pj.hM....u....%C.3......3......j..u....%C....P...%C.3............P.u...h&C..M.Q.u...p&C.j..u..u..u..u........pE...........Q.u....&C.3.......u..~..u.V.\nD................F...t"V.AB..
...
1417 36 0x0400000000004001 1258594164.283560 0.000010 0.009815 0.796533 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 25964 1 0x4000 111 0x443e 0x443e 0xb0e2 0xb0e2 0x0040 0 0 0 3177343790 3392384643 3177343790 1380 0 1380 0 171120 0 118680 6900 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 mH6..\t..0...4..i.Rk..xy_?..o....f7[~.E.\tC.hu.C.-. ..M=...b.E.a......&...#"......|......'m..=0.AU9RV*~X.a...z.....2.V..w.DI.=...A@:...:.,Y.Rwm..1v.....N`d.`q.p1{.K].1..*M..w......\nLX@.......jV.-?.(w"<.....v..b..2~z3.. U.f.......r..d"...o.......(..cE.....p....L(...0..L..V.......t..di.\t......C.c<;.F.IB^../"..sn.|..K.|.j.4......|~.............4..._..R.xUBs./......\P>..Jz.Fv..?..!@ul.8%Z..c....\.5.._...0...nB..C......X. W...........y.M.......L.`q\n6....C.....a..7Q...%.......%..n~..v._...4r.B..%. ..~.?HG....*.2..u.?.[TG.b...N.\n@2.\t\t.G.b7g.....A.}.B.#.C.......U.e...u.9..9]..0.$......aG.c.C..i.p:?pz...%..v...>......a@.......OScwP..U.OO....>...._..H....w..0.....]../.@.0.X ..j.!R$..b..W..Ig..x~.DgL.@;.;bs:c;.;...9m....d`u. .L.!...0.t..2 v.........]t.....5e(...r}i)..4+g......v...\r.l.R.g3.HU..&..kq....;..D..T..]\,....m.B.}.[.[.D.....sH#.M.....S50..k?.>LH.e...$.......S..-.'.R...[~.7.1.^+...\n;HD.8..>...}..R..K....xPB..W..R..K...t!.;....!7..c1..^..'..i...Z.w:.R...*.5Bw0...[...`y.o.3....w..K/.B..XS...Bp&Rq.XJ...6r\nw....M..nO./KGF).....Q....".Q...b..:.....D..p.D.!S.8.LvP.~.0D..dY...(..h......8..i.......U.jo...*.."...2..t..#.9......r.!z"R.W*FS...[.1.F..\n.U..!6.+.U7'.L........9s.I@..\$....OJ.L-..>.O........]Y....>Cb.U.W'.\. ..H.U..-&.6hy....M7.....N..........r.id..#..W....y...=....5.@C.8.lu.....]..+q1$N.c\n..sIwH.!..`.+.&..\tNkI7.r.Uv&r.P.J.Cg8\.....$"...i..b..e..)36$e.\r......_..
1418 36 0x0400000000004001 1258594164.283567 0.000007 0.009822 0.796540 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 25965 1 0x4000 111 0x443d 0x443d 0xd898 0xd898 0x0040 0 0 0 3177345170 3392384643 3177345170 1380 0 1380 0 172500 0 120060 8280 0x0c11 0x0010 0x0000 64860 0 1380 0 0 0 0x00 ...;......u...!a<.R..\n........nu.._.B..1...............c#.@#.N2.}\...pQZ..e>:p.../.....2rA...H.....F>3.....n.....l.. ...Sz.A+5.......$.l.....S.)...^K5c....Avq?..V=/3...y1.L2.}...8....#....?.&f..9_k..1.!.S|...7......."..F.N.......2........s\n......1.1....p.w.iv.4.H/9)0..Z.:...p_jIk b.w..R.WY.p\r.K....\n98.n:.....W.=.o.9..........F....X3.0tz.k...O.15p...".:.......F.v\t....@...P.............,h.(Z.N1K>.!../~.<n.>u..&.b...i.l..WIS|..W2TONX.N..{..0^.H...)/.S^%....1G\t.:....:..\r.D.@b.G1.1.d....0.f....L+S...[....V.!\. E.7$.6B.....E....c...V?)@?.M....^.EW.p......2.E.M.4=k`.>.p.k....d.....{.....9.Y.:It.D..L&F\nLgtG....tN.m....Sb..s._..J.Z...S=9t+.....D...d....x.b'\n.......eh&...;q.1.W@g(.\...'......_65....)..L..Cf.....c.d#..1@.o.4..........Tg...1......N.......7...t.... T....a.L.....".L.\rt*q1..JU;..t....c\r+].K(.Hl.A.%.u..r.._..c. ,...U....).x.!..9lza.....\l.-_.^_(....[w..N..N.!.v9..:(Z....9.....B.b.0...ue..a....{4Idr.?..n.SP.*.6..b...;erJ......x..3.....i#......Dw8......F......_..J....$.?v...kH. L........v...M.b~.h.s...8c..M/j`.........)4.}i.s. rd..].....86..v....@#\t..v\..A..&n.m..}7P9. 'C."!a$...a...0?.IXg|.u9.K".\t.D..Ero...L.\nCPU.....|i0j....V.\rC8....p\@.Xx.0N5...E..S..{9:#K.."-...A>UMo..qs..z.a.h..b... F....x........x|U.166....~o.j..........)..P..P.v\t.....x..*.k..hc.@@......\r*9=G.....A......9p.W....kw.....B..$...z*u8.:*...Y..]`..........>.....6....P....o...\n..Cf-..\rYwe.ub..
1419 36 0x0400000000004000 1258594164.283986 0.010241 0.000419 0.875701 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell 64334 6 0x00 16348 1 0x4000 128 0x5e32 0x5e32 0xeb00 0xeb00 0x0040 0 0 0 3392384643 3177343790 3392384643 0 5520 0 5520 0 117300 0 0 0x0011 0x0010 0x0000 2760 0 1460 0 0 0 0x00
1420 36 0x0400000000004000 1258594164.283988 0.000002 0.000421 0.875703 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell 64334 6 0x00 16349 1 0x4000 128 0x5e31 0x5e31 0xeb00 0xeb00 0x0040 0 0 0 3392384643 3177346550 3392384643 0 2760 0 2760 0 120060 0 0 0x0111 0x0010 0x0000 0 0 1460 0 0 0 0x00
1421 36 0x0400000000004001 1258594164.647545 0.363978 0.363557 1.160518 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 30033 4068 0x4000 111 0x39bc 0x39bc 0x52a2 0x52a2 0x0040 0 0 0 3177346550 3392384643 3177346550 0 0 0 0 172500 0 120061 1 0x0851 0x0010 0x0000 64860 0 1380 0 0 0 0x00 .
1422 36 0x0400000000004000 1258594164.647755 0.363767 0.000210 1.239470 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell 64334 6 0x00 16364 15 0x4000 128 0x5e22 0x5e22 0xeb00 0xeb00 0x0040 0 0 0 3392384643 3177346550 3392384643 0 0 0 0 0 120060 0 0 0x0991 0x0010 0x0000 0 0 1460 0 0 0 0x00
1423 36 0x0400000000004001 1258594165.318635 0.671090 0.670880 1.831608 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 4104 -25929 0x4000 111 0x9f05 0x9f05 0x52a2 0x52a2 0x0044 0 0 0 3177346550 3392384643 3177346550 0 0 0 0 172500 0 120062 1 0x0851 0x0010 0x0000 64860 0 1380 0 0 0 0x00 .
1424 36 0x0400000000004000 1258594165.319087 0.671332 0.000452 1.910802 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell 64334 6 0x00 16401 37 0x4000 128 0x5dfd 0x5dfd 0xeb00 0xeb00 0x0040 0 0 0 3392384643 3177346550 3392384643 0 0 0 0 0 120060 0 0 0x0991 0x0010 0x0000 0 0 1460 0 0 0 0x00
1425 36 0x0400000000004000 1258594165.848253 0.529166 0.529618 2.439968 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell 64334 6 0x00 16432 31 0x4000 128 0x5dde 0x5dde 0x94c0 0x94c0 0x0040 0 0 0 3392384643 3177346550 3392384643 0 0 0 0 0 120060 0 0 0x0831 0x0010 0x0000 22080 0 1460 0 0 0 0x00
1426 36 0x0400000000004000 1258594165.848753 0.000500 0.530118 2.440468 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell 64334 6 0x00 16433 1 0x4000 128 0x5ddd 0x5ddd 0xeda3 0xeda3 0x0040 0 0 0 3392384643 3177346550 3392384643 0 0 0 0 0 120060 0 0 0x0831 0x0010 0x0000 64860 0 1460 0 0 0 0x00
1427 36 0x0400000000004001 1258594165.926021 0.607386 0.077268 2.438994 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 10469 6365 0x4000 111 0x80c5 0x80c5 0x92e7 0x92e7 0x0040 0 0 0 3177346550 3392384643 3177346550 0 0 0 0 172500 0 121442 1380 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 ..Q...]....=.2..>.p:3.N..........Ma.../|.\r....<.....II.E.....*.u..\t..`@.H..u+Nd1.m...c%f....{....x.2..N....B9.3}8..\n..E...O.c.u.c...,..d../....hjOekZ..\.........3wfGlg.....Qm.-...=..J.U.z....x.I..ZS.f..o.0#7...........xs_j?.7U..a..S.....u.v........i.....:\rK.....m..$v.2.....a.\.....r....=..(yR{..s.y8t.../.$I..;.b.CC........n.N..........M........m..q.B...D9..'..5..;...6..j^..F..(n....@u..,.y(.2..w4A....4....Nbo....h...7.....^&-E]G....O.~.*[B.Pq@CP.P.#;j.H].U.......n..%c.V.x...G.7WQ....VJ.]}....."t..........,.A.............E..@...xD........aN........ZV.....t....c.s...U./..|..$....\r.pe....!..dY...}..)...F.]L.2,...K<...d.9FY..-.Pf.6\..k.z.... ....ji..\nR..c}..d.H.pW.....[)..........h..o.M...,m.Y.q..........c2.......w....R.F.&U...=...."..3..\n...?A...5.....wAH.5...;A......L.A.3.I..q.."....!M..6....C.U.....65.Kb{........h.|.......<..n"rf...{...1Z2.H_... ...A';.....y#..8E..!..x#..Z..i...=..mf.W....C4..}..\r%......a.A..Z...........!...\n.b...A.Pb.Z.....K..M..w..h.*.[._Jl..U(.O<|\.V....s...=....%.{.2W.....E?..\r..D8B..(L.....NF..6..\tw.b..\n%.c.#@..I.........#.L.....L{..&....Q.Q........Lh{.B..}.n.......A.../'6$.'.....#..e...M4w...6e....D....rc<)..4A..y.P..i1..\n. ;T.Om.Q.c....3.....(-..\n.........A.m+`...@. hG.e.......f......r..v.....#...\t.u...UL.....Bj#....P&...)A.>.2...d...p.8.%..BN.......)..*.....k.w.x.D...`.WO.a.ww`f.^...fi.\.o[..E...Q..oeT..O....wI.Z?....t.......>..Q.#..}
1428 36 0x0400000000004001 1258594165.926514 0.000493 0.077761 2.439487 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 10481 12 0x4000 111 0x80b9 0x80b9 0x07ce 0x07ce 0x0040 0 0 0 3177363110 3392384643 3177347930 16560 0 16560 0 189060 0 122822 2760 0x0811 0x0010 0x0200 64860 0 1380 0 0 0 0x00 .A%..]p.<..+.Jm:....4.V.:.z&.V.f.Y\n+..k....=.7...L..k.:.>...y9w..Y.[..^..X.......m8..q.....@.....|....@....)+b.>...z...H..'s.zr...g.#9GX^.l.3U...s..V...1tG-P;..\r.A.h..^..D.(.ELSQ...v......F..p...$W..?!,.E..d...6........hn....P.q?..\n..;..M@.......@!..^D....v....3...8D...8...8. k;W...|.....\n?....x......B....$}.?\t .+/...$#.*9...t.....vA...j7..Z.V.UkO4.w.....s............p...r...=y.....P>.......y...\t<.....].=+x*_.7sW..\fZ.p.\t'.p.\t'.p.\t'.p.\t'.p.\t'.p...3..PK........!Z....M.,...........PCIUtil.dll.Z.wT..?w.&..\t.@"( ....6..W..Pr...'...!\t*.\rS\n....+I.C.L...Z..ou.=..b.U.m.......xP.....FK.....4.$p.o.;...x..rtf..>....>{..\t...ev....i2.gV)a.@...7..q..1..%....-...w8..}.?o....G...u[..p.s....y........6.......,...J..[O..|Vm?...~_{.............8...i...|.......k.........\r...O....s..h....j.#A.{.\n^...R..hZ..L_'.w.X).........K..L.T.-..d~.s.E.bK.Zmu._.d..)....... .]..O....2.S......y.....u...}.8..:.....'.*.....C....Y..f......_d..\r+..J...#.@W[.....A].\n..?.'.J...m..B.d&l@...O.}....2ZF.h.-.e....2ZF.h...........K..9....\r)$.j.(u)F^..L.(....=T[..S...QUt..{BT.zVHZ..........l7..(,.z..|.}.E.T........u.+....:...6.........^.v...O.h...m@.m...7?....s....)...x..Hn._.c.G.0t.......<Rq.a.cTt.g...Dnn...2...*.|./.E=.)6In....>aTp..g.....a..... >'\tb6H._D61......C.>q9.6.E+.#u....5u..S.....0..`....r...%d.KFGF...d.F.8.Tx1z"_`5\tt.a...$.d.B.f..ya.h...ck.i..E.;j,6.X..0.;;.R...'<.8..a........R6#.V,.i..>........
1429 36 0x0400000000004001 1258594165.926523 0.000009 0.077770 2.439496 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 10479 -2 0x4000 111 0x80bb 0x80bb 0x8a59 0x8a59 0x0044 0 0 0 3177360350 3392384643 3177364490 -2760 0 0 0 189060 0 124202 4140 0x0811 0x0010 0x0040 64860 0 1380 0 0 0 0x00 }......R..{(....l.E..`c..=.ov.`O...n..'._..*.....a[\r6v.$.g.}v.e....`'..(.86..........^...6......6>..f.nT....s..7.M}S..7.M}S..7.M}S..7.M}S..7.M}S..7.M}S..7.M}S..7.M}._..l.>\.FQ].z.lp.................;&..2..O..?...w2"..y.<#..Vn....RV4.............\@.}.m..7..u.........\t..../.6...(........f#Ee.QM...VUU.....D0..d.......2....jJ;.....8..v.,h.E._Sxf\t....hj.......'.]..E.....ax.i.n0|...X.g..,.........]../.....7SZ.....Qx.......(..........m:..U..`~..wRZyv..........m=.==>>B.E..#..NQ......s...0o...........y0O.y...`|`..l.....S..\nL...`.....z0.0.`..Y.f....&.L....T.:..e.........w.AQ.k|c...A....*...}MOO....x=/T|*.E.....0.....x.U.=%x.Q.W....(...`......J"..W..T.......W..|[.3.].......I...........}K........w....2........C...Z..p{...|...U.....tY.W.gVv.........C_u..x.....<+R~.............e...oZ>.6yi....k.o.)..p_.......g.....M;...{..N.&.].w3.....3:g..0..6.A....Y..\z..q.......>.Z........k.....L.k.r..........?b....Zpxq.......t....[T...).=...R....+;....7.,.8...MI\n|..V..3'`.<u...s.......a...K......H.......;......s.....+8......d.N....G..../....q......}C...}w..JQ.v....{l<.~W......Ts.:.\`#.KL.Y...~...>=>*..g..JE.>.^...m_r=_$......yd.k..4n.]..].-'...M^I.n....#F\r.....A.\r...Ew;....4..c?.%......5=....qUiVHl.....1_.*h..........x..1.]a.Fk./O..=.wZ.......6.r....7...n]...<J-.............jis.s.._7#m...$lk.....\r........J...<>.{.0..9..L}|#.e./..C.[...l.._...Og..T.>.A....9~.....su."^.eE......,...~....;
1430 36 0x0400000000004001 1258594165.926532 0.000009 0.077779 2.439505 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 10471 -8 0x4000 111 0x80c3 0x80c3 0xf25d 0xf25d 0x0044 0 0 0 3177349310 3392384643 3177364490 -11040 0 0 0 189060 0 125582 5520 0x0811 0x0010 0x0040 64860 0 1380 0 0 0 0x00 .....w.C........"=..H....BN.../.....bR..2j@..........w..+...I._S4E5..D."9j&Qy....m..Y....r.........jh..B+....F]',.t..Q,+k..f..0.-K...F..$}q..\..\n.B.."..b,...1...\z"..n>.4...A. T(.[..6Y..a?...J\r..Z.c..t......+.....&:...j...HJ<.N.z.MB....5.acZ....b.O5..Y....H...m.*...2..F1...)z.P.+.........B.Q.Vfy....]...W.....-...f...2b..0{......6q..\.l.L..n;.M..)!.....l...L.....K..Z.f.r.C...e.s...f)..7u.....V.\.5\r\t..Ac...Q....2.......x.L_...b......,mx[Bla.....bor./...&...t.v....%......M3.....N.._6..u8T..h.W.@&,....IA9..X..x.jm....R..[w...,...R..1t7..V{..O/ck.x.iXn..b.3.......<Gha.n2.#M....*..o7S......e.E.........<.....5.?3..Xy..M..`m..\t<&..._A.`Z...t..\n...=.v.U..n.p....$.A,.1....\t.ma..1D......W.a`lN..$.C....5?...*.TBz..f.k0..*....y[...y~a%......e....sh....c.=B..H^t..o..A..(f...2d.\t.H...A...=~.#^j.4...6...#....jf........<.)b/..s%...kl.\r..i7...H....LF0...........k.{.EV.......S\\n..\r.R......e.v...f.ra0C(0m.........N..J.e.....1......HC.D_m.3\r..-...Xj....ge(#R....Kd.y.ZD...AF...\n-..n;.p..v...H.......4....p... ...X.......C..?...L# ..q...(<.@zPw.J.?`...IM....E{\r_..`.~.\r.llpC...(....[\n%z...!..F.*....[.i..0.&..-.....C.\rq.]BjZ8...[.N...,,.&(j.#.... #.d.=._.ve-L....B.9.c.q\t.z.H.y....0E..!O..%{@.\n.\rf.G...Q......i...\n........R.....n]\nPN9.5\..!...W....<.1.qF.O.....,3.e .D...Wv._.R..+...D.Q..QK.=..z0....v.....3.....j@...xI....%/...G.....uswJ.3....E.....m..@..7..\.=C.:..)m..;...a.....$.....
...
1450 36 0x0400000000004000 1258594165.927471 0.000002 0.000223 2.519186 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell 64334 6 0x00 16449 1 0x4000 128 0x5dc1 0x5dc1 0xda41 0xda41 0x0040 0 0 0 3392384643 3177352070 3392384643 0 0 0 0 0 125580 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 12 0x01;0x01;0x05;0x0a;0xbd;0x62;0x90;0xea;0xbd;0x62;0xbc;0x0a 0x00
1451 36 0x0400000000004000 1258594165.927703 0.000232 0.000455 2.519418 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell 64334 6 0x00 16450 1 0x4000 128 0x5dcc 0x5dcc 0xa78f 0xa78f 0x0040 0 0 0 3392384643 3177364490 3392384643 0 12420 0 12420 0 138000 0 0 0x0811 0x0010 0x0000 64860 0 1460 0 0 0 0x00
1452 36 0x0400000000004001 1258594166.005251 0.078003 0.077548 2.518224 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11247 774 0x4000 111 0x7dbb 0x7dbb 0x2871 0x2871 0x0040 0 0 0 3177364490 3392384643 3177364490 12420 0 12420 0 233220 0 139382 1380 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 ........r.[&.J...s.f.s.....7...N.k..R.._..K.0.....\\t4.....L}.!.z.....^.....SXT..>Of...%.LO..0...O.I..K....".P.=zuBz..|.q...PA._K..A...H]7..u...\re..{.....U(\'....5dC...6..J....\nP....^C1+a.....U...a0.k..#..+.}.9.Q...\n...\n....._3M.e.{....Oh.....i.w.g.\...].:..?../...J<....j...JzNS..\ ^...@...@\t_.z...=\t[..O....1.\.r.....IH.../]B.'kS.p.......N..Q.N.....az..t.S...j..*{..o..........+\.JoS.z}..Z.\n.h....7.7c.U.^.Mc.Km.w}8.....o..|. .1.8...=QU....!.R.LR.L_.I;i..R.\r_*.zO..22...<Q\tI...@...;m...1....`.b...l...p|.]Z.k..z...h.b.*.........7[...~.E.[..1\n.-..@..i..c^t.p../Xz.....D..$...i.....bQ....j.e.n..G..m.....|.f\t......_.........)^.'bKU|.\tl..+u9.....-...z.K.....0......!...\rbY.^^..#.U...t-.......P".Ng..n3....8~<.hkA.hQd............`.\r..W..."....\rx..G_...>"...D.5...B..>....v....<.hw.....\n...Z.h.F#...D: .}.&..d..D...'.h...y....^......~C.....l..(..eqnxLk...|QB.......^.7.7u.;.y..M.....;d.....ce.o._...Sh....."_.......h._.JqH.;8.....\nM..C^......bS.....[..`...I...b+U^F.Ch\n....\r.V+.9..I..K\r.A.....#..(.),$Y....%.X.V.'..)..fk...-....g_;.".r*.;....."...69....\n.!\t...`.I7.hA.^...".a...J.k!#...b..\t..Z......J........K.E..7b.BO.....U-KMh........Y.p.K\r.!)..f.%.WZ...(:'.e.H....'.c2.:.....*nt.P.P9... .._"K..^.f}..A.....B...].v...*.5.5..UO):.)......#m.C.0...x.M.2.....eJs[.$O..N...*%^^..|.a.(B.....R.....d.w....6......M7<..n..%.....E}?..c]Oa.\n..W....}.....V.$E.....\n.n........&.'.I.D.9Bq\t..wi..R
1453 36 0x0400000000004001 1258594166.005261 0.000010 0.077558 2.518234 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11248 1 0x4000 111 0x7dba 0x7dba 0x0539 0x0539 0x0040 0 0 0 3177365870 3392384643 3177365870 1380 0 1380 0 234600 0 140762 2760 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 =..!$.. .$..J.)8.4...+..u..,..5Lp....Y..p..u}>..8#./O......d=H.".m.o./.+.KJ.....B.A..!..D...LH;>.@....a...J.1..qd(....g-..1..g...X....\r...*...,.e...L .ya0.P....N..<.'N4....V....y..,..D.....u.K.cM.....yo..vt8.;...rD]m.T.{.*..m..{...A.......\n.:.~.b_...g....D....d6..U.X..J9......e..+06...-X.......[..H..ZL.].....s..3Uq(..].C.h'.....g....W+p.p)..*:[.N..+.._..z.I..R..:c.'(M....S...%.T=...x.........k.v.N.l..)..o..Z.....m....a....L.#.......!..K...v.p.v.My........H...c....>n..K......l. ?.Ny.3.I.{^`.......^......s....;&...#.n..e..R..=.t..........:jHL$T.}db..+..N.RS.....6....4..p9..>.....B.X.>S?.g^!....^$Ik......,....r..p...b.q.}.5.g!.\t.`.[K.|...y...U...!.v...?.....U.H.y..\t..;#Ig..Id.....AR.....p..aW.`)(.%......r...w2\nV.;....4ds..N...Q.p&,.I"...`.......8...'=.\..Y.......)...}..EBR...|.....^x...F.\nt./ P....GE{...=..y.o.:...%...l.u..6.....h.b.#.........|......bhzA...sa,6=..6....b..H...SV......8U.. ..Zupy.......|....._...y..+".\r.1a.....w..Z..V.....-..VM......"X..j.-Z..(.......5..\r.&B.....!......mB..."......!%..t.oe.u.Y..2..H......|....0...#...o.....9..@p1.@a4....8........j.o..n..1w[.0.=\t.9`....0.|T..K..44...Vpv../Svd...Q...u...u.XWw.\r]...7[.o.h..}....q<...)./.=..z.u..l...i.ym..B.oQ..6.-.......q.#...Z.......<.J.....!....5w...g.(. s'..l..p..j$]....E..Z.]....'pq...m...;e{.L..G.c....T.c6...F:.....U0....a3.4....x@...........*...S...>&...fK.\.%$..$..7.k.V5...\...$.d~..\t..|8<.H.
1454 36 0x0400000000004001 1258594166.005270 0.000009 0.077567 2.518243 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11249 1 0x4000 111 0x7db9 0x7db9 0xdab8 0xdab8 0x0040 0 0 0 3177347930 3392384643 3177367250 -17940 0 0 0 234600 0 142142 4140 0x0811 0x0010 0x00c0 64860 0 1380 0 0 0 0x00 ..ig.J.qk.ro...a.Pc.... .4...#...)<......c..0..M....\....#psP....d....".._Ll...V.....T..R.....SS........$........Z.".m^~`.h.;\4..g+\tB..s..m.....6c.X..)..Nr...0........R....!....../.>VN..{...D.qN.....UV. fY.4..H...@.0..2.*Z.K.P.d..Gw`..M;.C..C........qC..-.fG.+rC.5.O. R..!............0(.NU.`0C.j..6..g.I.L...5...d.2"........................x>1....h.].W.......x.;zPjJ.."...woG..f.....r.....m...AA`.GI...t....q.:.*..X..F|........\...a.ci{...!.....s.C.p.#.E.a-....su8.....n.y..k..: ..>@\n...."mcN(OdSG...\t.1RA?....![.^#..`..E.!..@.........3."7h:*..0ha..G.m?$m3.wr3m...s.....P.B.op-..V.d hC .g...U..K.....7.&.\q..-....LdzjtV..\t\r..(..H.Z.9..+.X..x.**Q..@r.....8.q<....].5|..\nw\n-..F.....y..(.d.+.....L.....O..d.....].....RH.......4.1w.y.{h....63...T....^...xVJ.g....K[.J+.|n@.;...*u........$..~..B....!......;h;...Z..sX.@......Hw..\F...._gS.k..6........u...(..L.[i.caf.b..\.#v.3-3T^.[......T.M.Z......_X.....k.y6.\....8H.F..<V....Z.....>hb..q...I..r.......`.e....r.\r6...S.i....;p.O.f.$....xr......P\n....8..|k.... ^..<..+.. ..~.^#..-..d./.K....B..$.L_b.....h1-.b.......\.A.....\n....a........}...wdkT~G.O...Y..G.H.!84.YA2...............+.B.....2.n...EZ..-1...a..\nJ... ..D......a.J..Ah.v.7... ..\n..0.J`-!Y.m......c.e..qY+.[.^bF.o.Q...oaP...&.(p.I..s..!a.........;.....N(......D..S.me....q9..6F..\t..[.......N...\r....R....u.evUb...5.T[..H.[p@.........C...l<....IX..H{.....C..A.:.h<0..B._....v
1455 36 0x0400000000004001 1258594166.005476 0.000206 0.077773 2.518449 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11250 1 0x4000 111 0x7db8 0x7db8 0xeab0 0xeab0 0x0040 0 0 0 3177350690 3392384643 3177367250 2760 0 2760 0 237360 0 143522 5520 0x0811 0x0010 0x00c0 64860 0 1380 0 0 0 0x00 v......T;.4..4...NO.%.cW\n..N\rX.'N.R..]...L..&.....k..y.r2.n....EN..^{.h...n..Q0...f..wi..B...Pb!.<\n......~..n...k.......k.@.-...@...&..o...OD|...... !..o...\n.l........EB...../.5..F..`..o5.........&.".....5.g}..u.......5..&S...._..O.NB....E{......f........C.JCg...v.4.=&.. .k...G...(..c.{.......\r&. Vb.......y0..<\t.\t0..i.....~.......e.e...}..A.....{......A..<(..6.i...QB.\n..9...%.M.e..w`.&....!P.I..R.`%.6....O........!..u....@ek..o.=.j....QUK...wl../.t...1.;...T... ....b....6....E.........h...4._aq-..\r3.d.q`%.I...."0K.d.).#...tN.;..x......\n6...6.....M.MOn..>...+..0O.Mh....zB;...6..6..\...6+13..8.1u..#.......x.'.O...w.....}<.....zP..g.......s........=.......~\rXK.,...L...0q`...w.GB\t.+\..\t......8....Oy.s<..$...;..w....{...............\r..`^....7.........].Q...@Y.0.`.4.7.GM...>aC....sf.....k.q v\.|..&.Sx....?KMx.'Sl>c[F.S7y"..W.<AI.H~\r...|@.}[.T......%7...b.n~%t.2S.......|...U.'.Z....W....H"]@.w...L.....7..&.l..d.......r.2T.......W.....?...ym.n.zLrA...,.....AT....A.n.92.,f...=.....Pds......."..W...A...C....o.3.]...."...n...Y....f.....`.....2.w..0(.(./........u..#u....;...M.g..f.fl.r...JD..*&.[.y........1... 2#UV2.k..`..P.\.5^..+.^.#XV(.X.#.X.,...+.....r..n...mo....\..-....b....f.'x..5...q..=.1.`)...{X.....zJ..\r...v.........@.G...............G...`..k.Q.....:..N&.Gi.*.%..<..q(tq.x....=\n...v.\r.d.*.....b>p...|W.=.....s......C.....e..fc].{..........r..:\n.....DA....\t... <D
1456 36 0x0400000000004001 1258594166.005486 0.000010 0.077783 2.518459 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11251 1 0x4000 111 0x7db7 0x7db7 0x7ab2 0x7ab2 0x0040 0 0 0 3177352070 3392384643 3177367250 1380 0 1380 0 238740 0 144902 6900 0x0811 0x0010 0x00c0 64860 0 1380 0 0 0 0x00 .u..a~.%...S...<......q.....Q1K..H....qi....x..%.4....R.D....o.../..>..g`..........2.X.....A...%...J.TG\t#..<......F..H]...._AB.[...M/....Tb......A.?...-.1.O./.G.z...`..r.b1.'.....?.9...........I..<...9|.\r.M...JCKC..y...0.#.......E.9.vZ.......y[4...[. ./P...q.|....E..7...4.|...V..H.yKe........}..z................>.i........q*a!.\,..Y....,.3..U........d..x..I...>..u....+..M.<0..-....@......S.0...A.F.z.....T..Q.;t...U.j.......R|..&N.#....f....(.>.Y..#...b...q...q9.n."....|/}._....q...!...q....?3.>n.@\rD.r.H[.z.....d.V.(...|.%...0..r...ax.pk..s.q.%.hy......Q.ST.........z....... ..R..r.J..j7...DY..\r..._.....Kxsi.C .h................l&.....R......E."7.7..,...!.~....<.Js....A..:<.. .9M7.`.I`......3..-q..Lwx...T.\r!>..v.0]....M......,n...L.gF..u..!..>..\r.j....%\n....0M...D..........9e\r.....-....&....Z'!......0k..k$......J~ ..w......\t...$|w..s..b.\tOi?%....J..S.f..n..,S1yR...f...7..|........7........*E..(...6.L]A+..d..o7............9.i.[...d?Y,qC..Y.pP.....#...."P..........n9..zi|..H~.....B...LC.c8.*....T|K.o>vc..=..|.q.-N...>.m....... {..c..^..........d.f..8...%6.B|...QVI/....#...`..?:......~.......a........9..K....o..3...........r.o.....x..\tE.YL...\-.t..\rN......ry@.:..........ymg...%W.b..T.....MUb.m.\n#m.Z1I...d....sZ&4xE.5+.,.T.......!tIa.X^.....a.F...t...d.+\.]t...=+AH\ty..;t.\.X..2.+.......%.{....'&.I>..*.Kb.y..-+X.A;...\r...$..f.]......B.$o.j......"_.....p!.0I..U.4.$.
1457 36 0x0400000000004001 1258594166.005495 0.000009 0.077792 2.518468 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11252 1 0x4000 111 0x7db6 0x7db6 0xcad4 0xcad4 0x0040 0 0 0 3177353450 3392384643 3177367250 1380 0 1380 0 240120 0 146282 8280 0x0811 0x0010 0x00c0 64860 0 1380 0 0 0 0x00 ....2G.\_.....c...G...OmZCF.....V'>....L..i..:........F.0..,.....\..[.a...(G|.o.T\8..gT.|...p.. .....\n.mY..G.I.....b../.w9....[...eag...l..\r$...U.....|+w\r.r.I<.t..t..r0.<........`...o.{....].....G.RM=....`~..HQ....\r\..D.J......wY.w;.M...>~..[...v..@m..7.....2..7".h%.T!.....`.V.....\n`{.=N%'..e8k.)6...=.\r..z... ..Y...;.~#.......-. .-H...7..A&....z...G..A)....$...Y]#'M=.=...p....F|.)0r..t..h..q]DH._./r9.|._n........9....GA...Lg..zh.Ju...yy#GE.=...... ....j.3..%..0..._\L~..\rO.....BH.Q.j.U.........:...~m..j....bcw........6>d....VF..V.!)..D.:].E....l......&v).~...l|.K...@W.g.....OY!.>....,.g....)7....\..H.,..\t..|/S,.Qf..e....C.2....3.L1...]MNZ........Q<...R........,.:.k..Ja........Q| .\r..47Kt........\........2.\n. ..C.....<..L~[_.M.....\....W...8.!.e..i.d{..S.(X.k...R..of..Zm....q...q..8.F.C/kfhn:t...r.s.q...\rz."o......].J..t.x...-........6......d....6?..dS\t...2bj.d^h;..mo7.....J.(mO.g%.K.C.]~.......rhP......0...`0tW...........h.e..20..q+-.m..R.E...s.......PO...s....e0Y.A;@$....E.gs..D.\r....?.../..).......\t.x-.XS.......d@.]%8i..4.-..V...<.g.s.\..r..U%/.8e#...j.B..........\t...T|....M=V..d....../[.,F4.../..O...PP.....^.-....Q0io.^........P.(..=J+....`~/9.e...A.....n...B..~....i../.O..#......~Vh.vZ|..AS...F..F.a..1.i.........:...- ..I..\n..w..&..r....i`6./...z..O.@.x...r2{...X...v.."r..c.....lP...$..|...N(.l.\t)....*.1\....`.b.....w9...`.p{.t..M..~D|n..^px...`d..D.t.0..
1458 36 0x0400000000004001 1258594166.005506 0.000011 0.077803 2.518479 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11263 11 0x4000 111 0x7dab 0x7dab 0x6121 0x6121 0x0040 0 0 0 3177371390 3392384643 3177367250 17940 0 17940 0 258060 0 147662 9660 0x0811 0x0010 0x0200 64860 0 1380 0 0 0 0x00 .......@..A..v.3\y.c(...........$..B.q.5I....3..V.'.....&..B3\na........:.&pr......Z...Ua.....*n#.H..dq3.2....D...\...X........F..e..?C...3.....xs.)hhQ."....:.].0.aM.<.4.5K...a.\n.n......0.~+..."...\n..Q.pg......c..J....R.Q.U6[.\tsd;k.f.....fs.T9.hM5\n...:.nu...*....d<.3`.;..%ab.....[..!M,#ob\r......R,t./...&-...]K8._.........Y.........2j..t..f...aV|...... ....`..a..#....o....Qqf...."....\n.+?A].^h*...A~8\n..9.7G..m"l.)...)V..*.<....X.p.(...~....\tn.e..#.Y6......ly>.U)....)/..6.....i.."..\)......r.Y.+.^.H).Iy..W#.UK.9..|D.$>.T.f[.........Z..r+D8rc..."P.,.E.l.X.y$og .H.,......!...Ul..a...+......op... ...o.3.b.,.n...qB....V.@.-....v..h.6...\.jG.. vD..........,Ls=.........]2.4.0.U..A.}............,...&Z.|!....JFF.X'.;m..p..x..7.}C5W.v\t.|.L+:J`.......;..S.TXa.....q.R....'.....q.\tksDU..Z.D.(..'.s...C...#_...y.....2...W-.x\t.E`?..juv...Tk.....)B.W~lk.QZ..WGq.>Hfq..!W..A .}.&..F..S".5N=.6..Q%..4.N.'.Yo...`.(3...(.1....G......D..j.~... .Xi..2...D.Iw.a....`q8\n........k...z....#,I;.z(..8......u....\nf.k..(>._)W.....;q=.s'...V.+.[..C^.........uY$Y.....6L..X.vl...-. .V...#.o."F.....2.~......C......e..."...1..c.z.~k&..~!..h9%. .3..H.vl..5b.....= ....2..v.tnB.'....z......+\n...(.....Ngg...j.%.D.....\t#|....r..-...QxFI.x8...)[9....pX.....a.r.#./S.;.F.....e1y.pRe$.T.pF;.C.n_..L.......fF.....2";."4.QT..0..L...#K....Wn..%..d...*%......9^....2......#.,e23..It)........1&...j&...}s..1P.v...{
1459 36 0x0400000000004001 1258594166.005525 0.000019 0.077822 2.518498 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11253 -10 0x4000 111 0x7db5 0x7db5 0x4ace 0x4ace 0x0044 0 0 0 3177354830 3392384643 3177372770 -16560 0 0 0 258060 0 149042 11040 0x0811 0x0010 0x00c0 64860 0 1380 0 0 0 0x00 .H.iy..-..[.n.fi.......q;.p0}.Q....\t*B.W8.x.w+...RT...`<^...e........:...j.....tR./....V.......\.N.........~...&...M...t.#...D..(R.[,m.p......C......3.^..{."i.(.E.Uk.l..Yh.\n.......-..ce........y.\....P..B..b...DnX3..kBt.[..[E.....F.......ki'/....'b....h....f......S..u..5[..i.^{?....Ib.....o.&..4....D....#...8..N....Zp.r.....NL$..5.Q..K.....fi{..x..t{.q.....&...U...P.t.....q.......-u<K.Q.%{..9.U...=....3..p.3_n6..`....s&.=>=.4gJ.',......O....+j@..\n..I......~B4..c.v|..RJ....j3.mG..v/..b.2.ZPa.XrP.zD.a...S.......S.s!. B.T..7..UcB0)F>.m?Y&<....+..(.~.8.4`P..S.K`........`....<....<..:(.,0.?.....%..N|.J..O...b.....CE=.3o...\n.30...........,.....r.....e.#lxO.......b.....w]...Lof....<\n#z.L..,:e`..?X.......U...k.p....e...*...z.$%%....h.{Dx.. .[.....$.G.fW...)..W..tC>ad}j..2.z2.9K../V>..tP|.f.....k>.&$S.. .1H..J........a.E..o..+..Q.`?o9.3r.<. ..F..*[./...0A...".......xC...N...R....vf...t4......gF..%.R..............\t.......b.\.p.5#..~.4h.!...YP.]....f...{B.C....A........3..|*O#.F+.3#z.ept./..\t>.e|\r..N....u....=.3W...]\,...Rl~.....{..\..H2tF.j..~.....e....U..c.P...KK...C....>`H.m\n#?.s\......|s...W.........c...Y9v....c}....(.....~..t....&|.i.....7....ct...'.W.@s......e.X\6.....u.jL...dm]_7._.'k..w.....?..m.....P%.........:.Q]l.\n.st.r.ds...#.3..s,.......2(E$.Hz.4JKzA.Q....$...*.UQ.]E(.....J1'J..\n.........~.L.r..].3......?.............,.<.9.,../.-.l.z.... ...@~K.J.....p.b..
1460 36 0x0400000000004001 1258594166.005533 0.000008 0.077830 2.518506 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11254 1 0x4000 111 0x7db4 0x7db4 0x7295 0x7295 0x0040 0 0 0 3177356210 3392384643 3177372770 1380 0 1380 0 259440 0 150422 12420 0x0811 0x0018 0x00c0 64860 0 1380 0 0 0 0x00 .G.+m}.u.\r....Y47-....9...\r.x.(. FB...v3.E..AS.yU%..#.b._..."?.....,/Q..@....A..\.Po....DlP\n.x...0....j......Q......B.?.jg.]8..c........q)Mf.P.d..Ib...Y.z(.5'[......;#....6.\o?K....U...|.Y..}..\r..N..l.......ZF.....o.H.....(..S....?..6........^.g.O..T..).j..e..`h`35....?....b....#>.W.^).D).*G>....4..\n.........(...p...j....3..1=..njF\r......ut3\t....T\n.Bdj......l6...6?{..l.u)O..E..,5....G....!<.${.&... 9.}.......\t.....-1.....*..[;.s:o\...{~A...3..>I4.....O.....fv%......j..%~..#j;..I|P..0.:MO.j/M~.k.2..S; ..1.9+.N..A.Y.W..N.o.r._....n..Y].I.....E...dc.>I@..{..im."...\r.D\Kn6O.Z.K...{o".....tF.s!..9+......[......:\t...7..<...CioX.~..^.Ux..;.9.>.U.o...z....x.....&.0.D.3<..s.;/..;'g.Z.p..P....'.b[7....9.....$.z.#.O.|,./.J....B.[.?}[......\$..#....?.\tyU..'lL....q|.F.Tq.nP.0(V..........Ai......f\nX.....I...\r0.6...9.,.._`...2.oj...g.w..I\r....\r.h....hh...\r.DD4".s.Pvz.#6...m.3..qy.....'...$O....I.DF*4....%^.....t.D..A..L....zo..........'ShD......]..B.Y..t.....)......K`.....\tp.....V....).Ss.C^..$......<.[B.(.".+r.~....P=.*....T.7R...j?..]/.&.......w.#.......r....v.N.Vr..J..(.J@3..*y..^\r....h6....c....P...7<.R.0....])...7..1..bM..f....A.zK........|z .SU.........\S..7.M}S..7.M}S.....;.<E..y.L..QT..i.O?GQ..y...`....&...........f=......B.c`Z....7.;E-y...`.......y.....|.v.?(....`....!_0.`......f#...{..z0-`:..C...n.\..>.+t..9...s+..!.R.=`X0.....'0/.9....Z........R0..C.I8E."...W..k
1461 36 0x0400000000004001 1258594166.005542 0.000009 0.077839 2.518515 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11255 1 0x4000 111 0x7db3 0x7db3 0x84c4 0x84c4 0x0040 0 0 0 3177357590 3392384643 3177372770 1380 0 1380 0 260820 0 151802 13800 0x0811 0x0010 0x00c0 64860 0 1380 0 0 0 0x00 S....z.L....2...`j.<..2C._.z<....5....c0..5.\n.....].......o....l(.?<*..................Y..?J...S.........a..c..\...6}.=0..?....u.r'e...Z....24.......^XAY_\1.7=............f..y}....}.....r...bp.b.S...y\r.o.&wCC.7.].r^...np....U.u......\t.;9%%.........\].k.t.9...Y......te.[?1..y.Z.z.;....y.A...~.z......r.........g......=eaZL.-.\m.}5.D..........~..X.....!...W[.&.k........7..+!...-......u...n..t\rl...[....|...^.+.I..j7!L.......p....Y].{k5..r..D..8........w.....:.W...7M..i..Z....+.e&..a...f3W.V.U^wy.Ph..W..7].D..l9..D..W[.........-.......k'.+%.;..k..u.....8..}'l..~...B.MY...5u.]....u..,I\n!..\n-...M....J6.U..M.....N.......{.!\..9=........*...0u...RKC..-.(.....-.wj........L...7....X......o`3..4..u.\=EA../.....B...,....nk&.5....o........-.,@;. ...lb;Ix.....44P..-H../.......X.C.(G>Ee..voro....r..5...lb...t....L.~....]\\r..]......V. }......q...tZ.U^K....G...q!.....!.L.i1\r.D.TQNp.x..k}..m......n....\.u.$...v9.i1..#..`<.pB.D@<.!4)/..J...rA...PX(3..j....).w..)e...<...7=;....M.W.a.\=.._~;..o..qE........0'..\t}...g........T.C..:.n=..-e=..q\...u.S....x.a...\tr....8..\..............a. .<.n......aBX..=\na....BX.N.[.)Y..<Yn..US...-...qS.QY0..n{#0u.Qf.t.H./.ft...k0....[....>..:.b3k`..Zk....M...Q.........n....\n.F........:.....&.M...%....DYG b.KN5.fYo.}..n...T..kR..\t....6hp.....[...G.0}vu.....'3;p..3...T...........a.B.....?..$.is.j.]_W.O..|*...[..\n..o.8s.:..B..iTw..(9.....5 V8...k!..J}.a
1462 36 0x0400000000004001 1258594166.005560 0.000018 0.077857 2.518533 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11264 9 0x4000 111 0x7daa 0x7daa 0xff9e 0xff9e 0x0040 0 0 0 3177372770 3392384643 3177372770 15180 0 15180 0 276000 0 153182 15180 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 ..>s......^%'(......5...N\r...Lhn.t...q.......F..Q..6...R..%..3.`....m8yW...&M.z.....=.../#M...I..n....(....K..U-..gO...3M..CC(Y&{.H.0....&....bq....(.g.C.4.m.b..j...?...w....X.g..y...z.8.e...<e....2B#.F.....q.vV..e%.5V..h1....^...vg..\t.&.c....w...S..0......b.....y.n+...3JA.&#...{.pK..y^-'3.YC..F.0..7!.8`.kj....f.-MO.h..(#..gJ.0`.......C..!..,.......3...fh.......8.1.X.DPg...Y....Z".!O.....K...0..IN....^.......\........MC.*O...6 ..X.6`..MO..8..m.\3.1-..q9L.y...k..b[{P#;..O...Ku:.C....d"P..r\n.)C...&V\r.....w......m.+.w9. .!.'.....d.......r.\r.....p\nt5..<..^.e:.2SEb.@Z[d!...\..Nk;Q....6nXs.<...#3.`.)..O.%.......b..N.;.+..uC.d;="..........\t!... - .0i8.p.w....P.j......\h.g.&..}%.h...H`*..'O!..z...%...h*+P}.yt1.MWN1.Lt....q..PjP...y.8..ii.\nk.,..4*C.ge.+CY.......~.f.l.....U.....$....../..+.!.G`;...N"g.Jff......5fJq..G.vH.{.0V.R..."..^..(p.d.,.Q.R..\t.(.Z*g...`.hM..f.3jL&.Q.1CN\t#..8..)A....q.41.XJ.g..3..(....&..7n<c..`.B.w...5%..D5.#.\n.K'U..:...D..N.o..E..D.I.q..:..H.!u....F..<.. .Xg...k....\r..%_...L\rH..=..w8...":.......3ZJf.C.4....-...\......A...P../D..M.oe.]T..zr.pT-.}Q}.-...+\nY2.....u\/C....#.........F:4...G6..FRz.j?.....N<P...\t....!K*..d...8.+2.f2..0.K..a&..%....F...k\r<.u;9.....1....vY.....U.Z..@..0..$.w.?$....C....5......y.<\.]-x5....;5..&@...C.......g..m)q.5~xP!............2ar.......G......td...9..\r$..e....PS....%...X.$V\tz.[r......+@\t..T.......r.dO..){Bvq..;.6<.N.
1463 36 0x0400000000004001 1258594166.005704 0.000144 0.078001 2.518677 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11256 -8 0x4000 111 0x7e02 0x7e02 0x7cc1 0x7cc1 0x0044 0 0 0 3177358970 3392384643 3177374150 -13800 0 0 0 276000 0 154482 16480 0x0811 0x0010 0x00c0 64860 0 1380 0 0 0 0x00 ...lw..u.rC...~'....#...0D#.@`Pf.+....i9...J.f/.. .3..:T.5.....C...s...#..\n..ab....#.w=....p....IE.H(V"..R#.f\r2.:.\r=.n[6.. .nu5.a?\t.c..8...x.A..2.P.......<..j..6.......'8....@..N.Ta}.. /....:....?...QS................rn.6Bg..)...........P'..............q.[SX..hEE...W7@.m...R..F.Yu.7C....N.o...C.H.d8Q........7W.@s...K.RZ7.2...c..2...V......4.....$..R:....D..r.|.%\c.G.1cQu......|.aWlc.....{}]..:`X\r}..\t...~.j.D..E...^.U...P#.....c1..4..:..r~I|.{.qc.P..\t)...9.......4.F..4.t............n.Y.J#blam....cM\t...Lm.Xm@g.q.?.!..lEh...q......C.-...^.UI.<..\n@..Z..pE..l.Q\r....#..\nGL....o.....".U..F.'...BY}.S.">..P...K....^\r.t..3.5.(. ....$....D\n@.\.C.......F.$..4.V].AA.0.W....j.[r......A..bu...;........0......,.I...C..\t..w.IA..w..S`.AZ..0_.Y.&...`....y..S`~..50G.....BI.....0..#(...>.M...*...........*...V.7ToZ.~...j....U......'.........5.t>...0....\n....S.(...FX...\re..a.`.@{.@(h..........;...D........5.q:...:/...G<..r8..X.kQ...J.....d..KM}S..7.M}S..7.M}S.......8.J.....)..5`...G.)..'.......k.R.m.....9!....zI-WY.\t7[...YE.o..z.....r.G..w...W..u.wm.h.:.Y.m...LW^_...QTvMMVyma-.u..mA.hej.}..&TPOvQ.{.......J........(....E.&..C...W.m...[f........_.?......5......{d...y:...U.V... .{..k.j[....{..q..z.....&..........t....U.V.edP..../.L../.I.._.W.....3_}...'?....j.n.Em|x..s..g>...{4..7..3]TF............o.ZG5;C
1464 36 0x0400000000004001 1258594166.005713 0.000009 0.078010 2.518686 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11257 1 0x4000 111 0x82c5 0x82c5 0xc671 0xc671 0x0040 0 0 0 3177360270 3392384643 3177374150 1300 0 1300 0 277300 0 154562 16560 0x0811 0x0010 0x00c0 64860 0 1380 0 0 0 0x00 .....g..^....3O.......=.\t............D........h..O~....nk.R....s..>N..-...L(..QE
1465 36 0x0400000000004001 1258594166.005731 0.000018 0.078028 2.518704 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11258 1 0x4000 111 0x7db0 0x7db0 0xa552 0xa552 0x0040 0 0 0 3177367250 3392384643 3177374150 6980 0 6980 0 284280 0 155942 17940 0x0811 0x0010 0x0040 64860 0 1380 0 0 0 0x00 j........u.}6.5...~.......qBz.&$^.F.$.....j%\.....`...jUU$..>0...f.\r..^`..?-..O.fEo..W.Y..$s....9..P....a9.2?-.)jDSUd..*..8nX.C.%<..y...1.-.B..C.._.I.;...KU..x.h>...2m)(.........W^.&..Q...a....dt...='.^......^.!z/..b\r@.^.5 ....J.x.x{....O........Y.?P..HD..A.............|`@..8w*U...j.@.b..g58...8Y7.hi...,h.<.U._Hj.$:.[.."....J|.0....iP..D...bSU..p...{....T...H.l\1v.....e.TSp1..{.}......G.....vmM".+\n...[.............5.ip.GCi..W......?.B.w....H....^z...6...........d.C.kA...Z4.%.y.Y4...}.%.._..gn.=`/It.'@\r!.6..q....C+q.f.xk1.7 ..T,..\K.iS......n+..)..|....#....`-.!.IV..031..:.Mw[".A..8....-~]...).vW\r..IY.{.B}.+.}..?.!]2.9.V.C...3h.qm,s..8.~...../..2...z..h ........3.%(..c.a....R..o.d.4....X.z..!..Z>.#..O^>7.......o....[C!O....$L.d...\n((".........I.l..m......1.....Z./=...B.......>...G/.zS..5.....L..rD.I...\t+\t.qN.....\r.m.}..<.\t...\.u...b..n..d.=..(A.'h.j.x..V..[.,^&.771B..\.9.i.......J.....p .....y.....8...".x:.K#...b.....6S...85\t P......].|........MQ.E..o...rpP.....h.<A..Q....a.]dW.....5....T..8e.7...n2n...\R.)R|...).ng%%K.n*..._......7Eg..eT.x..'.v.7..!c.+rb$... ...M..-GL;.....\r..g.^J....H.>U..6.X.........i...K%t...~...iN.....b...{.=..`.H.%..B\n.X$.XsO....$86....I.....5...c...`...K=..l..1..........x...J.1.$.... 9.....98..\...m.r....5......9UF...E...m1..TNR.D.ah.R7.KN`.J.-03...wF.{.wLJ....5r..5...6`d.............6.,......T[MF.q...7..qX...m.............`O......(..a
1466 36 0x0400000000004001 1258594166.005740 0.000009 0.078037 2.518713 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11259 1 0x4000 111 0x7daf 0x7daf 0xd7ce 0xd7ce 0x0040 0 0 0 3177368630 3392384643 3177374150 1380 0 1380 0 285660 0 157322 19320 0x0811 0x0010 0x0040 64860 0 1380 0 0 0 0x00 ...i......#.1bb.fQ4........".D...HP.t+f..4$4.I...nv7..k...g7.lb.e\r..j..K6!..LL.dL.......S...^.}..}....?.j......S.S.NU...?.Y.0...V.s..]...v..s..tk&t...D...H..PJ.`5........G.=0|0.J....pW'2kX".P"..Lh./..m.$.....9............/P.....{.............4..1v..<...Q.q......?;.........N...g...c."...\):..-........\........y/...q![....KP<...R.".....A.q.......2..a.oa../>.I...\rdc...L...SC._.*!...).;..S.+dX......._....F.._\r.......!s.~...D.4..r...~(....y\..J..( ...Y.....x(..\r.9k..L.y..q......V .w...B..^....e..}....U..8.c.=].*.....wu.\r.Qb..Z.%.3.\y:......|.g..d...s^....y1...y1..s^...v.M%..?&}....*.q[bAs..N%0M..C..........BU>.\n..#4.y2..!..1L...\t.....W...\r..%......6.*..Y3....d....../c\F.h!.X...@...{........;...S.Y.I.4.V......R..I....dT8.1..d},.0?f.x......;....c........;b...A..i.t..\....8RJ.^k;.[..C&.=Pfi.s!#.r...`UN.T.....B.z..3U.kwe(\n...@.(.J....B..ySy.l...[....C...6.3i.=\t.....r.'..KXp..I:.3..A...2~..{Dk....>..;m._.....CB.. $...C..Wc.....w.%.*.j.j...x..9..N.[)l..0..j..A..A'."......B..5.q..3n...M1..d.H..=?.r..............q..P...R..3....]E.Z...\..(ZZ.)_....[.f....Ur...$G4.'..9.W'..,\....v.....i....Z...dZ..v...+A].3..Ut...H2\t..L..$4....=......?#.......\r.\n.Z.....l..fXT..nzb7.&......(D.S.\..L8[}_.S.......g'...k<njx.+<.L..C..7.D"..k.0\n..Y.".i6.$N.l8.G8/....@3.>..jj..*..0.KsO.`Qo....J5..(.m.....+u,..x._D.~....0.B\tZ.Zn.8.(.k'xYr.......EI.$.3.@w..a.....9<J.........g)K.yK..x.......F).j.B.
1467 36 0x0400000000004001 1258594166.005761 0.000021 0.078058 2.518734 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11260 1 0x4000 111 0x7dae 0x7dae 0x4103 0x4103 0x0040 0 0 0 3177370010 3392384643 3177374150 1380 0 1380 0 287040 0 158702 20700 0x0811 0x0010 0x0040 64860 0 1380 0 0 0 0x00 P..B..f*d..VLz.|S.|x.&j.cq.\t.e.(.`.m.J.....|/t~,.(Z..u0..l'....c\n..vC..@...8.DM...#I.4k75.COv.0......,dL.+...P+..d .*.....g..K6..3.e;.....3...(..\DB...Czl....H.^J].[.K......F...^...5.4.h......G..=.:Z..a9.Is...N....!-..Q... .)%..h..o..6.\r......%c4.~.45..m.........dP.U:....4`# .'..l.f..XQ.Q...3e[7..laJ. .H/...j....65".-?...>V....Zck..........@.`O.a...^..hT.v.:... .....qaMY.......8...hQkx..?....65~./.t..=:S..p.b..#..6k..f.A4V.].....`.8....$.........B....m6t.r.......9hc.#......x.....^T2....8..E...?..G.d..>.(..-......J..[f......Xlt.(..?.m.I.2.".&..........\n....S..._#..-c.....t..8..p...nf.....d&...f;.....).$.>....Dt.cD.6.=......9.......-.C.x?."... ...d......h,....'..?...3..>.Y..iz....[.......9..9B....\r...Q.....3..z.\.....+.'*0\.c.R.....L.S.-.'....9..].....{....O>......=;.X...:j.eg.D..QF.-eaM..y..l...o...]:...."z..u...N........I...5J<...Z.!.q...a.fC..;!...k6..0.`VtH...RV<.k;....D.<....Zk=5..Y..%3Sj m.r.ANbU.....`...:.B...\nJ4Y.(._@....O...\tJ.W.\r.V"0L.....!..#"Ug.^..;,.V.o..~...1.../c......t.F.e.........eAz.......TW,.V.{....y15.y.u..........3.+.j...vQ..LL..V.Y....v.,......,I......V.m`Bk....r.d..N......>..I............:a...d.....\t=...g...\n...k....p..TWy..X._.......\tM.A.b>.-...h.....................n..I....B2+..D&.r..A.GR....<.#.."...._GU...:...Ig\n..q...q..SM..%.U2....<........;q.....y.&........1..5.Q..%?.2n.2.H.-D.*.*..(.. ;[!OChlk..a...X.v#.....<A...fm.*X..A...2.>=wo
1468 36 0x0400000000004001 1258594166.005770 0.000009 0.078067 2.518743 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:08:74:38:01:b4 0x0800 143.166.11.10 us Dell 64334 192.168.1.105 07 Private network 49330 6 0x00 11265 5 0x4000 111 0x7da9 0x7da9 0xcd5b 0xcd5b 0x0040 0 0 0 3177374150 3392384643 3177374150 4140 0 4140 0 291180 0 160082 22080 0x0811 0x0010 0x0000 64860 0 1380 0 0 0 0x00 ...G.%T}.*......r.l.J.5.gq..\.K4..2.`.I....,...P...e+....g=..=r..8(.....t+e.H..I....?...{.sD4....8..g.E..... ..... .......jd.A.;...Q(.)...wMh-.6.6B..hQ..yG..._J.(.k.J.eoI.i...f...EZ0.B;.....i....'J........\tJ....=...3...+ -A..E.5.R....}.).7..\t......1P7yD.^Y;......Q..."..v..E#Gr.w.....(\n..D.o.,N_..".[7./......JV.A.;m.\n!..g..k.C...\.d:.B.FG..w.........a...i6...9......j4..J.f5.y...N.D...<...\....H.N...\). ;-...G..iSr......s-1*..1xz..[..7...........=..........g...2..4'..b..HJH......W..\r...#.C~..u.P..G....wi. .......<.[$..`..g.&Cx..!..)j..f...m..}.V^ m.....rp......%..8.i[y.......g..i...L.7X.....r...;.k.......c...`9G..J8vM..^O..c...?`..K..&..bJ't..b\tgc.7.9...30^..NP..'J...w}..f`0.^...Ql...@.<.K,.\nw.....Fy...a@.&3\n...y..R.5..TS..7..?.QA...m.......].$.Q.a...Y\n-.z$C.D....J..o.r...2S.C.s.....8.......F.<..O............a.\r.I..bB....q5..j....e...........V.6R....OjU..\n../@....@....0.9....N...e...VY..U...m..M.m........x.lv.=.+.R..i.....Wc.`.:m.t..$.a\.......8b.Y.e.^..#..b.....7X{rn. a.....[....D\r.(.......0.. ..\tQ..n.e...Q..#.f.K)@^\t...#D@.WG1B0...Qq..|l4..C.um...Z.....~..r.l...3H....j..+...t`5d.......".b.Z?k.W...d....."!...x&&#,E.\t.^IgM5nf.....:..8.......!Z.,d5J._I4..^d.\lC......D......../(Z.|.....v.%.Qf{...]..P...-....&GY...\a...w[..(~.k.&..7)=....b..XF.]...r..8.j.+......B....x. ..P&.N....../3.....8..t$+...6... ........J..s.;9t.T...eG.@...l.........o....iw(?..4gE.pz.b...k.
1469 36 0x0400000000004000 1258594166.005912 0.078209 0.000142 2.597627 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell 64334 6 0x00 16451 1 0x4000 128 0x5dbf 0x5dbf 0xefd1 0xefd1 0x0040 0 0 0 3392384643 3177367250 3392384643 0 2760 0 2760 0 140760 0 0 0x4811 0x0010 0x0000 64860 0 1460 0 0 12 0x01;0x01;0x05;0x0a;0xbd;0x62;0x7b;0x5a;0xbd;0x62;0x80;0xbe 0x00
1470 36 0x0400000000004000 1258594166.005914 0.000002 0.000144 2.597629 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 Private network 49330 143.166.11.10 us Dell 64334 6 0x00 16452 1 0x4000 128 0x5dbe 0x5dbe 0xda41 0xda41 0x0040 0 0 0 3392384643 3177367250 3392384643 0 0 0 0 0 140760 0 0 0x4811 0x0010 0x0008 64860 0 1460 0 0 12 0x01;0x01;0x05;0x0a;0xbd;0x62;0x86;0x22;0xbd;0x62;0x8b;0x86 0x00
...
In the following chapters we will discuss window size, sequence number and other features useful in troubleshooting and security analysis.
Window size features
The TCP window size is part of the TCP flow control receive buffer and gives an indication of how well the destination host digests incoming data. As indicated in the previous chapter, all anomaly window bits are now situated in tcpFStat:

The tcpFStat column is to be interpreted as follows:

bit | tcpFStat | Description
=============================================================================
0   | 0x0001   | Packet good for inter-distance assessment
1   | 0x0002   | TCP option init
2   | 0x0004   | Timestamp option decreasing
3   | 0x0008   | L4 option field corrupt or not acquired
4   | 0x0010   | Window state-machine initialized
5   | 0x0020   | Window update
6   | 0x0040   | Win 0 probe
7   | 0x0080   | Win 0 probe ACK
8   | 0x0100   | Min Window detected
9   | 0x0200   | WS used
10  | 0x0400   | Window full
11  | 0x0800   | Window state-machine count up(1)/down(0)
12  | 0x1000   | L4 Checksum calculation if present
13  | 0x2000   | UDPLITE Checksum coverage error
14  | 0x4000   | TCP Selective ACK Option
15  | 0x8000   | MPTCP detected
So Window Scaling was used at the beginning. Then, after a Min Window detected, a sender Window full followed, and then a Win 0 probe was issued in order to test whether more bytes are accepted. Makes sense, and can be investigated in the packet file in the previous chapter.
In the flow file the initial window size tcpInitWinSz in combination with the TTL is still a reasonable feature to estimate the type of OS. If tcpMinWinSz hits 0, the buffer of the receiving host is full and the sender has to wait. As in the end report, the variable tcpWinSzThRt counts the occurrences where the window size drops below a configurable threshold WINMIN in tcpFlags.h (default 1). So it counts how often the receiver applies back-pressure to the sender. The parameters tcpWinSzDwnCnt, tcpWinSzUpCnt and tcpWinSzChgDirCnt are experimental; they try to aggregate the evolution of the window size, which is governed by several algorithms. They denote the up or down count per packet of the window size and how often these counts reverse direction, giving an indication about irregularities in flow control. As you can see, the counts are increased in flow 36, which has a lot of flow and error control problems.
tawk 'bitsanyset($tcpFStat, 0x0700) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly, $tcpInitWinSz, $tcpAveWinSz, $tcpMinWinSz, $tcpMaxWinSz, $tcpWinSzDwnCnt, $tcpWinSzUpCnt, $tcpWinSzChgDirCnt, $tcpWinSzThRt }' ~/results/faf-exercise_flows.txt | tcol
%dir flowInd flowStat srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpFStat ipFlags tcpFlags tcpAnomaly tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt
A 15 0x0400000000004000 192.168.1.105 07 "Private network" 49218 192.168.1.1 07 "Private network" 25 6 0x0a11 0x0040 0x011b 0x0000 8192 64982.55 8192 65536 3 2 4 0
B 15 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49218 6 0x0a11 0x0044 0x031b 0x0008 65535 524219.4 65535 524280 1 2 2 0
A 16 0x0400000000004000 192.168.1.105 07 "Private network" 49219 192.168.1.1 07 "Private network" 25 6 0x0a11 0x0040 0x011b 0x0000 8192 64673.17 8192 65536 3 1 4 0
B 16 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49219 6 0x0a11 0x0044 0x031b 0x0008 65535 524225.7 65535 524280 1 2 2 0
A 17 0x0400000000004000 192.168.1.105 07 "Private network" 49220 192.168.1.1 07 "Private network" 25 6 0x0a11 0x0040 0x011b 0x0000 8192 64668.98 8192 65536 3 2 4 0
B 17 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49220 6 0x0a11 0x0044 0x031b 0x0008 65535 524220.3 65535 524280 1 2 2 0
A 22 0x0400000000004000 192.168.1.105 07 "Private network" 49336 192.168.1.1 07 "Private network" 25 6 0x0a11 0x0040 0x011b 0x0000 8192 64668.98 8192 65536 3 2 4 0
B 22 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49336 6 0x0a11 0x0044 0x031b 0x0008 65535 524228.2 65535 524280 1 2 2 0
A 23 0x0400000000004000 192.168.1.105 07 "Private network" 49353 192.168.1.1 07 "Private network" 25 6 0x0a11 0x0040 0x011b 0x0000 8192 64668.98 8192 65536 3 2 4 0
B 23 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49353 6 0x0a11 0x0044 0x031b 0x0008 65535 524227.5 65535 524280 1 2 2 0
A 26 0x0400000000004000 192.168.1.105 07 "Private network" 49561 192.168.1.1 07 "Private network" 25 6 0x0a11 0x0040 0x011b 0x0000 8192 64740.93 8192 65536 3 2 4 0
B 26 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49561 6 0x0a11 0x0044 0x031b 0x0008 65535 524166.4 65535 524280 2 2 3 0
A 36 0x0400000000004000 192.168.1.105 07 "Private network" 49330 143.166.11.10 us "Dell" 64334 6 0x49b1 0x0040 0x0416 0x0008 8192 45402 0 64860 253 194 254 0.001981506
B 36 0x0400000000004001 143.166.11.10 us "Dell" 64334 192.168.1.105 07 "Private network" 49330 6 0x0c51 0x0044 0x031b 0x02c4 8192 64860 8192 64860 0 1 1 0
Have a look at the packet file and identify the flow control problems in flow 36. Is this flow benign or part of malicious activity?
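As an added example (not part of this tutorial and not code from the tcpFlags plugin), the following Python script reproduces the bitsanyset($tcpFStat, 0x0700) selection above on tcol-style output: it parses the header and the quoted fields, expands tcpFStat into the bit names from the table, and flags flows whose tcpMinWinSz hit 0, i.e. where the receiver stalled the sender. The rows for flows 15 and 36 are copied from the output above; the row for flow 40, the WINDOW_MASK name and the report keys are my constructions.

```python
import shlex
from typing import Dict, List

# Bit assignments of tcpFStat, copied from the table in this chapter
TCPFSTAT_BITS = {
    0x0001: "Packet good for inter-distance assessment",
    0x0002: "TCP option init",
    0x0004: "Timestamp option decreasing",
    0x0008: "L4 option field corrupt or not acquired",
    0x0010: "Window state-machine initialized",
    0x0020: "Window update",
    0x0040: "Win 0 probe",
    0x0080: "Win 0 probe ACK",
    0x0100: "Min Window detected",
    0x0200: "WS used",
    0x0400: "Window full",
    0x0800: "Window state-machine count up(1)/down(0)",
    0x1000: "L4 Checksum calculation if present",
    0x2000: "UDPLITE Checksum coverage error",
    0x4000: "TCP Selective ACK Option",
    0x8000: "MPTCP detected",
}

# Window related bits: Min Window detected, WS used, Window full (the 0x0700 mask used above)
WINDOW_MASK = 0x0700


def bits_any_set(value: int, mask: int) -> bool:
    """Same semantics as tawk's bitsanyset(): true if at least one masked bit is set."""
    return (value & mask) != 0


def decode_tcpfstat(value: int) -> List[str]:
    """Expand a tcpFStat value into the names of the bits that are set, lowest bit first."""
    return [name for bit, name in sorted(TCPFSTAT_BITS.items()) if value & bit]


def load_flows(text: str) -> List[Dict[str, str]]:
    """Parse tcol-style output: a '%'-prefixed header line followed by whitespace
    separated rows; quoted fields such as "Private network" are kept together."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    columns = lines[0].lstrip("%").split()
    return [dict(zip(columns, shlex.split(row))) for row in lines[1:]]


def window_report(flows: List[Dict[str, str]], mask: int = WINDOW_MASK) -> List[Dict[str, object]]:
    """Select flows with any window-related tcpFStat bit set and summarise what the
    window columns say about them. A tcpMinWinSz of 0 means the receiver advertised
    a zero window: its buffer was full and the sender had to wait."""
    report = []
    for f in flows:
        fstat = int(f["tcpFStat"], 16)
        if not bits_any_set(fstat, mask):
            continue
        report.append({
            "dir": f["dir"],
            "flowInd": int(f["flowInd"]),
            "windowBits": decode_tcpfstat(fstat & mask),
            "receiverStalled": int(f["tcpMinWinSz"]) == 0,
            "dirChanges": int(f["tcpWinSzChgDirCnt"]),
        })
    return report


# Constructed sample in the layout of the tawk command above: the rows for flows 15 and 36
# are taken from the output on this page, the row for flow 40 is made up as a control.
SAMPLE = """\
%dir flowInd flowStat srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpFStat ipFlags tcpFlags tcpAnomaly tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt
A 15 0x0400000000004000 192.168.1.105 07 "Private network" 49218 192.168.1.1 07 "Private network" 25 6 0x0a11 0x0040 0x011b 0x0000 8192 64982.55 8192 65536 3 2 4 0
A 36 0x0400000000004000 192.168.1.105 07 "Private network" 49330 143.166.11.10 us "Dell" 64334 6 0x49b1 0x0040 0x0416 0x0008 8192 45402 0 64860 253 194 254 0.001981506
B 36 0x0400000000004001 143.166.11.10 us "Dell" 64334 192.168.1.105 07 "Private network" 49330 6 0x0c51 0x0044 0x031b 0x02c4 8192 64860 8192 64860 0 1 1 0
A 40 0x0400000000004000 192.168.1.105 07 "Private network" 50000 192.168.1.1 07 "Private network" 25 6 0x0011 0x0040 0x011b 0x0000 8192 8192 8192 8192 0 0 0 0
"""

if __name__ == "__main__":
    for entry in window_report(load_flows(SAMPLE)):
        print(entry)
```

Pipe the real tcol output into load_flows() and the same report works on the whole flow file; the flow 36 A row comes out with receiverStalled set and 254 direction changes, which is exactly the flow the question above points at.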
Sequence and Acknowledge numbers
I added some more columns for the packet mode to track faults and to make counts more consistent. seqDiff and ackDiff are now the real difference of the seq or ack numbers, so they can also be negative. seqLen and ackLen denote the positive difference, hence an indication of the payload length. seqFlowLen and ackFlowLen are the aggregated seqLen and ackLen. tcpMLen is the real l7Len, just like in basicStats. tcpBFlgt denotes the bytes in flight. Similar columns exist in the flow file.
TCP error control is achieved by Seq and Ack numbers, which are a formidable tool for troubleshooting and contain information about network or host problems. The differences between these parameters denote the bytes being transferred between both peers. The packet ACK count is only exact if each packet being sent is acknowledged individually, i.e. Idle Repeat Request mode, which would actually defeat the purpose of an efficient TCP communication. So in general it is only a lower limit.
The fault counts from both directions are an indicator for the health of the connection. Divided by the packets sent from basicStats, they give a good performance measure.
The initial sequence number tcpISeqN is used for covert channels and it can help to identify crafting tools if more than one flow from the same IP is available. Make sure that the flow is complete by checking tcpFlags for a SYN, otherwise tcpISeqN denotes just the sequence number of the first packet being seen.
As in earlier versions, the column tcpFlwLssAckRcvdBytes denotes the amount of content being transmitted by the opposite flow. So if you have only one flow, you have a number to estimate the amount of traffic not being seen in that pcap. Some magic to impress customers.
tawk 'bitsanyset($tcpAnomaly, 0x0008) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $ipFlags, $tcpFStat, $tcpFlags, $tcpAnomaly, $tcpISeqN, $tcpSeqSntBytes, $tcpSeqFaultCnt, $tcpPAckCnt, $tcpFlwLssAckRcvdBytes, $tcpAckFaultCnt, $tcpBFlgtMx }' ~/results/faf-exercise_flows.txt | tcol
%dir flowInd flowStat srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto ipFlags tcpFStat tcpFlags tcpAnomaly tcpISeqN tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpBFlgtMx
B 12 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1397 6 0x0044 0x0011 0x031b 0x0008 1702698086 1440 0 30 2943 1 852
B 13 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1749 6 0x0044 0x0011 0x031b 0x0008 645942508 1405 0 30 5679 2 852
B 14 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1755 6 0x0044 0x0011 0x031b 0x0008 328872932 1405 0 28 2357 1 852
B 15 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49218 6 0x0044 0x0a11 0x031b 0x0008 652739796 1519 0 29 4899 2 852
B 16 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49219 6 0x0044 0x0a11 0x031b 0x0008 1405763652 799 0 30 4429 2 166
B 17 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49220 6 0x0044 0x0a11 0x031b 0x0008 916601873 1466 0 27 2750 2 852
B 18 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1806 6 0x0044 0x0011 0x031b 0x0008 925488549 1370 0 28 4371 2 852
B 19 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1400 6 0x0044 0x0011 0x031b 0x0008 1816175150 1370 0 26 1522 1 852
B 20 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1404 6 0x0044 0x0011 0x031b 0x0008 113675184 1370 0 28 5247 2 852
B 21 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1405 6 0x0044 0x0011 0x031b 0x0008 6599705 632 0 28 5796 1 166
B 22 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49336 6 0x0044 0x0a11 0x031b 0x0008 226877106 1466 0 27 2430 2 852
B 23 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49353 6 0x0044 0x0a11 0x031b 0x0008 1304812153 1466 0 27 2462 2 852
B 24 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1836 6 0x0044 0x0011 0x031b 0x0008 1667500374 1370 0 26 3372 1 852
B 25 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1709 6 0x0044 0x0011 0x031b 0x0008 1075440067 1370 0 26 2374 1 852
B 26 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.105 07 "Private network" 49561 6 0x0044 0x0a11 0x031b 0x0008 1983906088 1466 0 28 4334 2 852
B 27 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.104 07 "Private network" 1572 6 0x0044 0x0011 0x031b 0x0008 1684028818 308 0 17 1021 1 166
B 28 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.104 07 "Private network" 1604 6 0x0044 0x0011 0x031b 0x0008 1644748927 308 0 17 761 1 166
B 29 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.104 07 "Private network" 1665 6 0x0044 0x0011 0x031b 0x0008 1401071890 308 0 17 574 1 166
B 30 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1934 6 0x0044 0x0011 0x031b 0x0008 18417741 1370 0 27 5732 1 852
B 31 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 2008 6 0x0044 0x0011 0x031b 0x0008 2088358893 1370 0 26 3460 1 852
B 32 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1911 6 0x0044 0x0011 0x031b 0x0008 398501520 1370 0 29 7079 2 852
A 33 0x0400000000004000 192.168.1.104 07 "Private network" 1908 198.189.255.75 us "California State University" 80 6 0x0040 0x0011 0x011b 0x0008 3626872219 319 0 23 95699 1 319
A 36 0x0400000000004000 192.168.1.105 07 "Private network" 49330 143.166.11.10 us "Dell" 64334 6 0x0040 0x49b1 0x0416 0x0008 3392384642 0 0 1511 4255056 437 0
If you look at the packet mode from packet 4188 on, you will notice that during the fast retransmit the seqDiff is negative and seqLen is 0, denoting that no new L7 content is sent. You can now follow the process of sending and acknowledging data. If you only have one flow, you are now able to estimate the payload of the other flow via ackLen and ackFlowLen for each packet.
tawk 'packet("4188-4211")' ~/results/faf-exercise_packets.txt | tcol
SPKTMD_SEQACKREL in tcpFlags.h controls the output of the seq/ack numbers in the packet mode. Switching to relative facilitates the analysis of irregularities in throughput. Look into the packet mode tutorial to see an example of absolute and relative Seq/Ack numbers.
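To make the packet-mode accounting of this chapter concrete, here is an added Python example of my own (not T2 code): it derives seqDiff, ackDiff, seqLen, ackLen, seqFlowLen and ackFlowLen from a constructed two-way exchange with a lost segment and a fast retransmit, and shows how the acknowledgements of one direction alone estimate the payload of the other. The bytes-in-flight definition (furthest byte sent minus the peer's latest ack) and the retransmit flag are my assumptions about what tcpBFlgt and the fault counts express; the packet sequence is made up, not taken from faf-exercise.pcap.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (direction, seq, ack, payload length) as one packet of the packet file
Packet = Tuple[str, int, int, int]


@dataclass
class DirState:
    """Running state of one flow direction."""
    isn: Optional[int] = None       # first sequence number seen
    prev_seq: Optional[int] = None
    prev_ack: Optional[int] = None
    seq_flow_len: int = 0           # sum of positive seq advances (seqFlowLen)
    ack_flow_len: int = 0           # sum of positive ack advances (ackFlowLen)
    highest_seq_end: int = 0        # seq + payload of the furthest segment sent
    last_ack: Optional[int] = None  # most recent ack number this side sent to its peer


def account(packets: List[Packet]) -> List[Dict[str, object]]:
    """Per-packet seq/ack accounting: seqDiff/ackDiff are signed differences to the
    previous packet of the same direction, seqLen/ackLen are their positive part and
    seqFlowLen/ackFlowLen accumulate them. bytesInFlight is this side's furthest sent
    byte minus the peer's latest ack (my definition; T2's tcpBFlgt may differ)."""
    state = {"A": DirState(), "B": DirState()}
    rows: List[Dict[str, object]] = []
    for d, seq, ack, plen in packets:
        me, peer = state[d], state["B" if d == "A" else "A"]
        if me.isn is None:
            me.isn, me.highest_seq_end = seq, seq
        seq_diff = 0 if me.prev_seq is None else seq - me.prev_seq
        ack_diff = 0 if me.prev_ack is None else ack - me.prev_ack
        seq_len, ack_len = max(seq_diff, 0), max(ack_diff, 0)
        me.seq_flow_len += seq_len
        me.ack_flow_len += ack_len
        me.prev_seq, me.prev_ack, me.last_ack = seq, ack, ack
        me.highest_seq_end = max(me.highest_seq_end, seq + plen)
        acked = peer.last_ack if peer.last_ack is not None else me.isn
        rows.append({
            "dir": d, "seq": seq, "ack": ack, "l7Len": plen,
            "seqDiff": seq_diff, "ackDiff": ack_diff,
            "seqLen": seq_len, "ackLen": ack_len,
            "seqFlowLen": me.seq_flow_len, "ackFlowLen": me.ack_flow_len,
            # a backwards seq jump carrying payload is a retransmission (fast or timeout)
            "retransmit": seq_diff < 0 and plen > 0,
            "bytesInFlight": me.highest_seq_end - acked,
        })
    return rows


def peer_payload_estimate(rows: List[Dict[str, object]], d: str) -> int:
    """Bytes the *other* side transmitted, estimated from direction d alone through its
    acknowledgements (what ackFlowLen gives you when only one flow was captured).
    Bytes acknowledged before the first captured packet of d are not counted."""
    mine = [r for r in rows if r["dir"] == d]
    return int(mine[-1]["ackFlowLen"]) if mine else 0


# Constructed exchange: A sends three 1380 byte segments, the second one is lost, B
# answers with three duplicate ACKs, A fast-retransmits it, B acknowledges everything
# and A sends one more segment. After the retransmission seqFlowLen overcounts, which
# is why the text calls these columns an indication rather than an exact byte count.
SAMPLE: List[Packet] = [
    ("A", 1000, 5000, 1380),
    ("A", 2380, 5000, 1380),
    ("A", 3760, 5000, 1380),
    ("B", 5000, 2380, 0),
    ("B", 5000, 2380, 0),
    ("B", 5000, 2380, 0),
    ("A", 2380, 5000, 1380),   # fast retransmit: seqDiff negative, seqLen 0
    ("B", 5000, 5140, 0),
    ("A", 5140, 5000, 1380),
]

if __name__ == "__main__":
    rows = account(SAMPLE)
    for r in rows:
        print(r)
    print("payload of A, estimated from B's acks only:", peer_payload_estimate(rows, "B"))
```

The retransmitted packet shows the same signature as packet 4188 onwards in the packet file: seqDiff is negative, seqLen is 0 and seqFlowLen does not move, while bytesInFlight stays at the unacknowledged 2760 bytes until the peer's cumulative ACK arrives.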
RTT estimate
The Round Trip Time (RTT) estimate is a vital tool for troubleshooting. The mode is controlled by RTT_ESTIMATE in tcpFlags.h. The RTT features are estimated for all L4 protocols and give additional information about TCP connection anomalies such as ACK retries and SYN connection timeout retries.
- tcpSSASAATrip denotes the RTT during the TCP connection phase, which is not influenced by the src and dst hosts.
- tcpSSASAATrip denotes the time from the measurement point to the dst host and back.
- tcpRTTAckTripMin, tcpRTTAckTripMax and tcpRTTAckTripAve denote the minimal, maximal and average trip time.
- tcpRTTSseqAA denotes the total RTT, which also includes delays at the hosts.
- tcpRTTAckJitAve denotes the average jitter, useful for voice communication; see also the voipDetector plugin.
RTT can also be estimated from the TCP timestamp option. Using the MSS, which is supplied in the TCP options, together with the RTT, a bandwidth per flow can be calculated.
Let’s look for flows which have a
tawk '$tcpRTTAckTripJitAve > 0.5 || $tcpRTTSseqAA > 0.5 { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly, $tcpSSASAATrip, $tcpRTTAckTripMin, $tcpRTTAckTripMax, $tcpRTTAckTripAve, $tcpRTTAckTripJitAve, $tcpRTTSseqAA, $tcpRTTAckJitAve }' ~/results/faf-exercise_flows.txt | tcol
%dir flowInd flowStat srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpFStat ipFlags tcpFlags tcpAnomaly tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAve tcpRTTAckTripJitAve tcpRTTSseqAA tcpRTTAckJitAve
A 11 0x0400000000004000 192.168.1.104 07 "Private network" 1384 63.245.221.11 us "Mozilla Corporation" 80 6 0x0011 0x0040 0x011b 0x0000 0.061556 0.020611 23.03958 2.930275 7.038339 0.061967 0
B 11 0x0400000000004001 63.245.221.11 us "Mozilla Corporation" 80 192.168.1.104 07 "Private network" 1384 6 0x0811 0x0044 0x031b 0x0000 0.000411 0.000406 8.196325 1.171333 2.655198 4.101608 7.522519
A 10 0x0400000000004000 192.168.1.104 07 "Private network" 1379 63.245.221.11 us "Mozilla Corporation" 80 6 0x0811 0x0040 0x011b 0x0000 0.005547 7.1e-05 22.97788 1.313044 5.097706 0.005754 0
B 10 0x0400000000004001 63.245.221.11 us "Mozilla Corporation" 80 192.168.1.104 07 "Private network" 1379 6 0x0811 0x0044 0x031b 0x0000 0.000207 0.000186 9.952202 1.338241 2.93412 2.651285 5.881808
B 19 0x0400000000004001 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1400 6 0x0011 0x0044 0x031b 0x0008 0.000202 0.000102 3.94484 0.2614954 0.8918523 0.2686044 0.8921642
A 35 0x0400000000004000 192.168.1.105 07 "Private network" 49329 143.166.11.10 us "Dell" 21 6 0x0811 0x0040 0x001a 0x0000 0.080252 0.077494 306.0649 29.85102 83.48595 0.08095 0
B 35 0x0400000000004001 143.166.11.10 us "Dell" 21 192.168.1.105 07 "Private network" 49329 6 0x0811 0x0044 0x061e 0x0000 0.000698 0.00045 0.194089 0.04303964 0.07018124 29.89405 83.48597
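An added Python example (my code, not T2's) of how the trip times of this chapter can be derived from capture timestamps: the handshake gaps give the connection-phase RTT seen from the measurement point, each data segment acknowledged by the peer gives one trip sample (retransmitted segments give none, following Karn's rule), and window/RTT gives the classic per-flow bandwidth bound the last paragraph alludes to. The trace, the jitter definition (mean absolute change between consecutive samples) and all function names are my own assumptions, not T2's internals.

```python
from statistics import mean
from typing import Dict, List, Tuple

# (capture time in seconds, direction, seq, ack, payload length)
Packet = Tuple[float, str, int, int, int]


def handshake_trips(syn_t: float, synack_t: float, ack_t: float) -> Dict[str, float]:
    """Trip times of the three-way handshake as seen from the measurement point.
    SYN -> SYN-ACK is the trip to the destination and back, SYN-ACK -> ACK the trip
    to the source and back; their sum is the connection-phase RTT, which does not
    depend on how busy the applications on either host are."""
    to_dst = synack_t - syn_t
    to_src = ack_t - synack_t
    return {"toDst": to_dst, "toSrc": to_src, "connRtt": to_dst + to_src}


def ack_trips(packets: List[Packet], data_dir: str = "A") -> List[float]:
    """One trip sample per data segment of data_dir: the delay until the first peer
    packet whose ack covers the segment's last byte. A segment that was retransmitted
    gives no sample, because the ack could belong to either copy (Karn's rule)."""
    pending: Dict[int, float] = {}     # seq_end -> send time of the original copy
    sent_once = set()
    trips: List[float] = []
    for t, d, seq, ack, plen in packets:
        if d == data_dir and plen > 0:
            if seq in sent_once:               # retransmission: discard its sample
                pending.pop(seq + plen, None)
                continue
            sent_once.add(seq)
            pending[seq + plen] = t
        elif d != data_dir:
            for end in sorted(pending):        # cumulative ack may cover several segments
                if end <= ack:
                    trips.append(t - pending.pop(end))
    return trips


def rtt_summary(trips: List[float]) -> Dict[str, float]:
    """Min/max/average trip time plus a jitter figure, taken here as the mean absolute
    change between consecutive samples (my definition)."""
    if not trips:
        return {"min": 0.0, "max": 0.0, "ave": 0.0, "jitter": 0.0}
    deltas = [abs(b - a) for a, b in zip(trips, trips[1:])]
    return {"min": min(trips), "max": max(trips), "ave": mean(trips),
            "jitter": mean(deltas) if deltas else 0.0}


def throughput_bound(window_bytes: int, mss: int, rtt: float) -> Dict[str, float]:
    """Classic bandwidth estimate for one flow: at most one receive window per RTT,
    i.e. window/RTT bytes per second, which is window/MSS segments per RTT."""
    return {"bytesPerSec": window_bytes / rtt, "segmentsPerRtt": window_bytes / mss}


# Constructed trace (timestamps in seconds, not taken from the pcap on this page):
# handshake, two data segments, the second one lost and retransmitted after a timeout,
# then a third segment; the peer B only ever sends pure ACKs.
SYN_T, SYNACK_T, ACK_T = 0.000, 0.080, 0.081
SAMPLE: List[Packet] = [
    (0.100, "A", 1001, 5001, 1380),
    (0.110, "A", 2381, 5001, 1380),
    (0.181, "B", 5001, 2381, 0),      # acks the first segment: trip 0.081 s
    (0.400, "A", 2381, 5001, 1380),   # retransmission, no RTT sample (Karn)
    (0.481, "B", 5001, 3761, 0),
    (0.500, "A", 3761, 5001, 1380),
    (0.590, "B", 5001, 5141, 0),      # acks the third segment: trip 0.090 s
]

if __name__ == "__main__":
    print(handshake_trips(SYN_T, SYNACK_T, ACK_T))
    samples = ack_trips(SAMPLE)
    print(samples, rtt_summary(samples))
    print(throughput_bound(65535, 1460, rtt_summary(samples)["ave"]))
```

Note how the asymmetry of the handshake gaps tells you where the measurement point sits: a tiny SYN-ACK to ACK gap and a large SYN to SYN-ACK gap, as in the trace above, means the capture was taken close to the client, which matches the pattern of flow 35 above where the A direction carries the large trip times and the B direction the small ones.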
L3/4 Checksums
Looking at checksums reveals whether there are manipulations of the L4 header or the content. Moreover, you can determine whether a pcap was acquired on a computer itself or at a network intercept, such as a SPAN port. This only works if the checksum offload option is present and activated on the HW. Think how a checksum would look if a pcap is acquired on a computer.
Another reason can be snapped payload during traffic capture.
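To see what a checksum tells you about the capture point, here is an added Python example (my code, not T2's) that builds an IPv4/TCP packet, verifies the L3 and L4 checksums, reports the L4 checksum as not verifiable when the frame is snapped below the IP total length, and applies the host-versus-intercept argument above as a heuristic over the packets of both directions. The packet, its payload, the modelling of checksum offload as zero-filled checksum fields and the function names are constructed assumptions; the addresses are the ones of flow 36 on this page.

```python
import struct
from typing import Dict, List, Optional


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's complement checksum; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo header and the segment with its checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return inet_checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, ack: int,
                 payload: bytes, checksum_offload: bool = False) -> bytes:
    """Constructed IPv4/TCP packet (PSH,ACK, no options, DF, TTL 64). With
    checksum_offload=True both checksum fields are left as the stack hands them to the
    NIC, modelled here as zero: a capture taken on the sending host itself sees the
    packet before the hardware fills them in."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    if not checksum_offload:
        tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
        ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def verify_checksums(packet: bytes, captured_len: Optional[int] = None) -> Dict[str, Optional[bool]]:
    """Check L3 and L4 checksums of a captured IPv4/TCP packet. captured_len models the
    snaplen: the L4 checksum covers the whole segment, so when the IP total length
    exceeds the bytes present in the capture it cannot be verified (None), which is the
    situation of the snapped annoloc2.pcap frames below."""
    data = packet if captured_len is None else packet[:captured_len]
    result: Dict[str, Optional[bool]] = {"snapped": True, "ipOk": None, "tcpOk": None}
    if len(data) < 20:
        return result
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    result["snapped"] = len(data) < total_len
    if len(data) < ihl:
        return result
    ip_hdr = data[:ihl]
    result["ipOk"] = inet_checksum(ip_hdr) == 0       # a valid header sums to all ones
    if result["snapped"]:
        return result
    segment = data[ihl:total_len]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, ip_hdr[9], len(segment))
    result["tcpOk"] = inet_checksum(pseudo + segment) == 0
    return result


def capture_point_hint(outgoing: List[Dict[str, Optional[bool]]],
                       incoming: List[Dict[str, Optional[bool]]]) -> str:
    """Heuristic from the argument above: bad checksums on every packet leaving the
    capturing host and good ones on every packet arriving point to a capture on that
    host with checksum offload; uniformly good checksums point to a network intercept."""
    if not outgoing or not incoming:
        return "inconclusive (need packets of both directions)"
    good = lambda r: bool(r["ipOk"]) and bool(r["tcpOk"])
    if all(not good(r) for r in outgoing) and all(good(r) for r in incoming):
        return "host capture with checksum offload"
    if all(good(r) for r in outgoing) and all(good(r) for r in incoming):
        return "network intercept or offload disabled"
    return "inconclusive (manipulated, snapped or corrupt packets)"


if __name__ == "__main__":
    # addresses of flow 36 on this page, payload constructed
    args = ("192.168.1.105", "143.166.11.10", 49330, 64334, 1000, 2000, b"GET / HTTP/1.0\r\n")
    good = build_packet(*args)
    offloaded = build_packet(*args, checksum_offload=True)
    print(verify_checksums(good))
    print(verify_checksums(offloaded))
    print(verify_checksums(good, captured_len=40))   # snapL3Length 40 as in the annoloc2 warning
    print(capture_point_hint([verify_checksums(offloaded)], [verify_checksums(good)]))
```

The L3 check still succeeds on the snapped frame because the IP header is complete, while the L4 check is reported as not verifiable rather than wrong; keeping the two cases apart is what lets you tell a snapped capture from a manipulated segment, which is the distinction the annoloc2.pcap run below turns on.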
annoloc2.pcap was acquired in 2002 and it is very murky.
t2 -r ~/data/annoloc2.pcap -w ~/results -s
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 11785
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: tcpFlags, 0.8.14
    03: tcpStates, 0.8.14
    04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/annoloc2.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1022171701.691172 sec (Thu 23 May 2002 16:35:01 GMT)
[WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500
Dump stop : 1022171726.640398 sec (Thu 23 May 2002 16:35:26 GMT)
Total dump duration: 24.949226 sec
...
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x3964
tcpFlags: Aggregated tcpFStat=0x5fff
tcpFlags: Aggregated tcpFlags=0xffdf
tcpFlags: Aggregated tcpAnomaly=0x33ff
tcpFlags: Aggregated ipToS=0xff
tcpFlags: Number of TCP scans attempted, successful: 1540 (1.54 K), 1421 (1.42 K) [92.27%]
tcpFlags: Number of TCP SYN retries, seq retries: 147, 5252 (5.25 K)
tcpFlags: Number WinSz below 1: 1443 (1.44 K) [0.15%]
tcpStates: Aggregated tcpStatesAFlags=0xdf
--------------------------------------------------------------------------------
...
Aggregated flowStat=0x0c0098fa0222d044
[WRN] L3 SnapLength < Length in IP header
[WRN] L4 header snapped
[WRN] Consecutive duplicate IP ID
[WRN] IPv4/6 payload length > framing length
[WRN] IPv4/6 fragmentation header packet missing
[WRN] IPv4/6 packet fragmentation sequence not finished
[INF] Stop dissecting: Clipped packet, unhandled protocol or subsequent fragment
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] IPv6 flows
[INF] ARP
[INF] IPv4/6 fragmentation
[INF] IPv4/6 in IPv4/6
[INF] GRE encapsulation
[INF] GTP tunnel
[INF] SSDP/UPnP
As the end report's ipFlags=0x3964 and tcpAnomaly=0x33ff indicate, there are lots of broken packets due to anonymization, and scans were detected. The flowStat in the end report and in all flows carries an L3 packet length warning (L3 SnapLength < Length in IP header), resulting in wrong L4 checksums. Just select all L3/4 checksum errors and display the first 20, as all flows have the problem.
tawk 'bitsanyset($ipFlags, 0x0c00) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly }' ~/results/annoloc2_flows.txt | head -n 20 | tcol
%dir flowInd flowStat srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpFStat ipFlags tcpFlags tcpAnomaly
A 265 0x0400000000004000 209.171.12.143 ca "TELUS Communications Inc" 4987 138.212.185.230 jp "ASAHI KASEI CORPORATION" 41250 6 0x0011 0x0840 0xffc4 0x1000
A 447 0x0400000000004000 217.41.129.13 gb "BT Infrastructure Layer" 58872 138.212.187.186 jp "ASAHI KASEI CORPORATION" 80 6 0x0011 0x0840 0x0044 0x0000
A 392 0x0400000000004000 36.242.181.230 jp "SoftBank Corp" 4685 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0840 0xffc2 0x3000
B 392 0x0400000000004001 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 36.242.181.230 jp "SoftBank Corp" 4685 6 0x0011 0x0800 0xffd4 0x2000
A 906 0x0400000000004000 161.135.53.11 us "Federal Express Corp" 5001 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 6 0x0011 0x0840 0xffc2 0x3000
B 906 0x0400000000004001 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 161.135.53.11 us "Federal Express Corp" 5001 6 0x0011 0x0800 0xffd4 0x2000
A 1027 0x0400000000004000 146.162.158.230 gb "Norwich Union Insurance Limite" 2849 138.212.184.193 jp "ASAHI KASEI CORPORATION" 6346 6 0x0011 0x0840 0x0042 0x3000
B 1027 0x0400000000004001 138.212.184.193 jp "ASAHI KASEI CORPORATION" 6346 146.162.158.230 gb "Norwich Union Insurance Limite" 2849 6 0x0011 0x0840 0x0454 0x2000
A 1154 0x0400000000004000 193.133.224.57 gb "Verizon UK Limited" 3286 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0840 0x0002 0x3000
B 1154 0x0400000000004001 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 193.133.224.57 gb "Verizon UK Limited" 3286 6 0x0011 0x0800 0x0414 0x2000
A 867 0x0400000200004000 138.212.184.48 jp "ASAHI KASEI CORPORATION" 6666 36.74.248.27 id "Telekomunikasi Indonesia" 1108 6 0x0011 0x1840 0x0058 0x0000
B 867 0x0400000000004001 36.74.248.27 id "Telekomunikasi Indonesia" 1108 138.212.184.48 jp "ASAHI KASEI CORPORATION" 6666 6 0x0011 0x0840 0x0044 0x0000
A 864 0x0400000200004000 19.54.241.65 us "Ford Motor Company" 6667 138.212.191.209 jp "ASAHI KASEI CORPORATION" 45891 6 0x0011 0x1840 0xffd8 0x3000
B 864 0x0400000000004001 138.212.191.209 jp "ASAHI KASEI CORPORATION" 45891 19.54.241.65 us "Ford Motor Company" 6667 6 0x0011 0x0844 0xffd5 0x2000
A 1336 0x0400000000004000 216.21.10.20 ca "XNS Technology Group Inc" 1305 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 6 0x0011 0x0840 0x0002 0x3000
B 1336 0x0400000000004001 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 216.21.10.20 ca "XNS Technology Group Inc" 1305 6 0x0011 0x0800 0x0414 0x2000
A 1512 0x0400000000004000 19.150.217.57 us "Ford Motor Company" 1678 138.212.189.66 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0800 0x0004 0x0000
A 1534 0x0400000000004000 216.233.229.167 us "MCI Communications Services" 3782 138.212.185.86 jp "ASAHI KASEI CORPORATION" 1058 6 0x0011 0x0840 0x0042 0x3000
B 1534 0x0400000000004001 138.212.185.86 jp "ASAHI KASEI CORPORATION" 1058 216.233.229.167 us "MCI Communications Services" 3782 6 0x0011 0x0800 0x0454 0x2000
Below, the flow with flowInd 1336 is extracted to show that each packet has a wrong checksum; compare l4HdrChkSum and l4CalChkSum. The L3 checksums add up, why?
tawk 'flow(1336)' ~/results/annoloc2_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto ipToS ipID ipIDDiff ipFrag ipTTL ipHdrChkSum ipCalChkSum l4HdrChkSum l4CalChkSum ipFlags ip6HHOptLen ip6HHOpts ip6DOptLen ip6DOpts ipOptLen ipOpts seq ack seqMax seqDiff ackDiff seqLen ackLen seqFlowLen ackFlowLen tcpMLen tcpBFlgt tcpFStat tcpFlags tcpAnomaly tcpWin tcpWS tcpMSS tcpTmS tcpTmER tcpOptLen tcpOpts tcpStatesAFlags l7Content
19221 1336 0x0400000000004000 1022171702.098369 0.000000 0.000000 0.000000 3 eth:ipv4:tcp 00:d0:02:6d:78:00 00:60:08:69:80:dd 0x0800 216.21.10.20 ca XNS Technology Group Inc 1305 138.212.191.94 jp ASAHI KASEI CORPORATION 80 6 0x00 11025 0 0x4000 119 0xac5a 0xac5a 0xa8c3 0x0150 0x0840 0 0 0 1389457 0 1389457 0 0 0 0 0 0 0 0 0x0010 0x0002 0x0000 8192 0 536 0 0 8 0x02;0x04;0x02;0x18;0x01;0x01;0x04;0x02 0x00
19247 1336 0x0400000000004001 1022171702.098389 0.000000 0.000020 0.000000 3 eth:ipv4:tcp 00:60:08:69:80:dd 00:d0:02:6d:78:00 0x0800 138.212.191.94 jp ASAHI KASEI CORPORATION 80 216.21.10.20 ca XNS Technology Group Inc 1305 6 0x00 22725 0 0x0000 128 0xb5ae 0xb5ae 0xf1d7 0x4a64 0x0800 0 0 0 0 1389458 0 0 0 0 0 0 0 0 0 0x0010 0x0414 0x0000 0 0 0 0 0 0 0x40
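The answer to that question is in what each checksum covers. The following is an added example, not code from this tutorial or from the tcpFlags plugin: it builds an IPv4/TCP packet between the endpoints of flow 1336 with a constructed payload, fills in both checksums the way a sending stack does, and then verifies them once over the complete packet and once over a capture snapped to 40 bytes of L3, as in the end report above. The IPv4 checksum covers only the 20-byte header, which survives snapping; the TCP checksum covers the pseudo header, the TCP header and the payload, so without the payload it cannot verify. Sequence number, IP ID and port values are taken from the flow above, everything else is constructed.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the 16-bit one's complement sum."""
    if len(data) % 2:
        data += b"\x00"                           # pad an odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                            # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, total_len, ip_id, ttl=64, proto=6, checksum=0) -> bytes:
    """Minimal 20-byte IPv4 header (version 4, IHL 5, ToS 0, no fragmentation)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0, ttl, proto,
                       checksum, socket.inet_aton(src), socket.inet_aton(dst))


def ipv4_checksum(hdr: bytes) -> int:
    """Checksum over the IP header only, with the stored checksum field zeroed."""
    return ones_complement_sum(hdr[:10] + b"\x00\x00" + hdr[12:])


def tcp_header(sport, dport, seq, ack, flags, window, checksum=0) -> bytes:
    """20-byte TCP header without options (data offset 5)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                       window, checksum, 0)


def tcp_checksum(src, dst, segment: bytes) -> int:
    """TCP checksum: pseudo header (addresses, protocol, L4 length) + header + payload."""
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, 6, len(segment))
    return ones_complement_sum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def build_packet(src, dst, sport, dport, payload: bytes):
    """Return (ip_header, tcp_segment) with both checksums filled in."""
    seg = tcp_header(sport, dport, 1389457, 0, 0x18, 8192) + payload
    seg = tcp_header(sport, dport, 1389457, 0, 0x18, 8192,
                     checksum=tcp_checksum(src, dst, seg)) + payload
    ip = ipv4_header(src, dst, 20 + len(seg), 11025)
    ip = ipv4_header(src, dst, 20 + len(seg), 11025, checksum=ipv4_checksum(ip))
    return ip, seg


def verify(src, dst, ip_hdr: bytes, captured_segment: bytes):
    """Compare stored vs. computed checksums the way ipHdrChkSum/ipCalChkSum and
    l4HdrChkSum/l4CalChkSum do, over the bytes that are actually in the capture."""
    ip_ok = ipv4_checksum(ip_hdr) == struct.unpack("!H", ip_hdr[10:12])[0]
    l4_stored = struct.unpack("!H", captured_segment[16:18])[0]
    l4_ok = tcp_checksum(src, dst, captured_segment) == l4_stored
    return ip_ok, l4_ok


def demo():
    src, dst = "216.21.10.20", "138.212.191.94"        # endpoints of flow 1336 above
    payload = b"GET / HTTP/1.0\r\n\r\n" + b"X" * 1400   # constructed 1418-byte payload
    ip, seg = build_packet(src, dst, 1305, 80, payload)
    full = verify(src, dst, ip, seg)
    # Snapped capture, like snapL3Length 40 in the end report: the 20-byte IP
    # header and 20-byte TCP header survive, the payload does not. The IP
    # checksum covers only the header, so L3 still verifies; the TCP checksum
    # covers the payload, so L4 cannot.
    snapped = verify(src, dst, ip, seg[:20])
    return full, snapped


if __name__ == "__main__":
    print(demo())
```

demo() returns ((True, True), (True, False)): both checksums hold on the complete packet, and only the L3 one holds on the snapped copy, which is exactly the ipHdrChkSum == ipCalChkSum, l4HdrChkSum != l4CalChkSum pattern in the packet file above. The same verify() logic explains the offload case from the beginning of this section: a packet captured on the sending host before the NIC wrote the field shows a stale l4HdrChkSum against a correct l4CalChkSum.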
TCP Options
TCP options contain vital information about connection characteristics and even let us guess something about the type of application involved. Let us select the MSS and WSC options to see whether the decoding works, i.e., bit positions 2 and 3 in tcpOptions (mask 0x0c).
tawk 'bitsanyset($tcpOptions, 0x0000000c) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $tcpFlags, $ipFlags, $tcpAnomaly, $tcpOptCnt, $tcpOptions, $tcpMSS, $tcpWS }' ~/results/annoloc2_flows.txt | head -n 20 | tcol
%dir flowInd flowStat srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpFStat tcpFlags ipFlags tcpAnomaly tcpOptCnt tcpOptions tcpMSS tcpWS
A 392 0x0400000000004000 36.242.181.230 jp "SoftBank Corp" 4685 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0xffc2 0x0840 0x3000 4 0x00000016 1436 0
A 906 0x0400000000004000 161.135.53.11 us "Federal Express Corp" 5001 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 6 0x0011 0xffc2 0x0840 0x3000 3 0x0000000e 1460 0
A 1027 0x0400000000004000 146.162.158.230 gb "Norwich Union Insurance Limite" 2849 138.212.184.193 jp "ASAHI KASEI CORPORATION" 6346 6 0x0011 0x0042 0x0840 0x3000 4 0x00000016 1460 0
A 1154 0x0400000000004000 193.133.224.57 gb "Verizon UK Limited" 3286 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0002 0x0840 0x3000 4 0x00000016 1460 0
A 1336 0x0400000000004000 216.21.10.20 ca "XNS Technology Group Inc" 1305 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 6 0x0011 0x0002 0x0840 0x3000 4 0x00000016 536 0
A 1534 0x0400000000004000 216.233.229.167 us "MCI Communications Services" 3782 138.212.185.86 jp "ASAHI KASEI CORPORATION" 1058 6 0x0011 0x0042 0x0840 0x3000 4 0x00000016 1460 0
A 1586 0x0400000200004000 130.92.198.110 ch "Universitaet Bern" 1249 138.212.191.248 jp "ASAHI KASEI CORPORATION" 1214 6 0x4811 0xffdb 0x1840 0x0088 16 0x00000036 1460 0
B 1586 0x0400000200004001 138.212.191.248 jp "ASAHI KASEI CORPORATION" 1214 130.92.198.110 ch "Universitaet Bern" 1249 6 0x0011 0xffdf 0x3840 0x0044 4 0x00000016 1460 0
A 1836 0x0400000000004000 209.114.247.93 us "Ideal Technology Solutions US " 1335 138.212.187.11 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0042 0x0840 0x3000 4 0x00000016 536 0
A 1909 0x0400000000004000 19.27.88.236 us "Ford Motor Company" 4045 138.212.186.88 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0xff82 0x0840 0x3000 4 0x00000016 1452 0
A 1959 0x0400000000004000 216.21.10.20 ca "XNS Technology Group Inc" 1305 138.212.191.94 jp "ASAHI KASEI CORPORATION" 80 6 0x0011 0x0002 0x0840 0x3000 4 0x00000016 536 0
A 1904 0x0400000000004000 138.212.186.27 jp "ASAHI KASEI CORPORATION" 1396 83.220.134.126 de "PlusServer GmbH" 4661 6 0x0011 0x0002 0x0840 0x3000 4 0x00000016 1452 0
A 1969 0x0400000000004000 83.0.129.97 pl "Orange Polska Spolka Akcyjna" 1395 138.212.187.11 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0xffc2 0x0840 0x3000 4 0x00000016 1460 0
A 2060 0x0400000000004000 18.97.211.233 us "Amazon Technologies Inc" 3448 138.212.187.247 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0xffc2 0x0840 0x3000 4 0x00000016 1460 0
A 2113 0x0400000000004000 36.92.31.200 id "Telekomunikasi Indonesia" 48337 138.212.185.86 jp "ASAHI KASEI CORPORATION" 1052 6 0x0011 0x0042 0x0800 0x3000 4 0x00000016 1460 0
A 2183 0x0400000000004000 201.133.193.218 mx "Uninet SA de CV" 3134 138.212.187.11 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0002 0x0840 0x3000 4 0x00000016 1440 0
A 2236 0x0400000000004000 83.45.182.68 es "Telefonica de Espana SAU" 1322 138.212.187.10 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0xff82 0x0840 0x3000 4 0x00000016 1460 0
A 2274 0x0400000000004000 201.53.22.207 br "CLARO SA" 4810 138.212.187.11 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0x0002 0x0840 0x3000 4 0x00000016 1460 0
A 2333 0x0400000000004000 193.99.26.18 de "Verizon Deutschland GmbH" 1925 138.212.188.67 jp "ASAHI KASEI CORPORATION" 1214 6 0x0011 0xff82 0x0840 0x3000 6 0x0000001e 1452 0
Timestamp options are a formidable tool for RTT estimation, especially when seq/ack based RTT measurements are distorted by L7 protocol reaction times, and for revealing the boot time of the src host.
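To make the bit field in the table concrete, here is an added example, not code from this tutorial or the tcpFlags plugin: a TCP option list walker that produces the same kind of values as tcpOptCnt, tcpOptions, tcpMSS and tcpWS. It assumes, consistently with the values above, that bit k of tcpOptions is set when option kind k is present. The first sample is the tcpOpts byte string of packet 19221 (flow 1336) from the previous section; the second is a constructed modern SYN with MSS, SACK permitted, timestamps and window scale. Malformed option lengths are reported rather than trusted, since a bad length byte would otherwise walk past the header.

```python
import struct

OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACKOK",
                5: "SACK", 8: "TS", 30: "MPTCP"}


def parse_tcp_options(opts: bytes) -> dict:
    """Walk a TCP option list. Returns count, a bit field (bit = option kind),
    MSS, window scale, TSval/TSecr, the kinds seen and a truncation flag."""
    result = {"count": 0, "bitfield": 0, "mss": 0, "ws": 0,
              "tsval": 0, "tsecr": 0, "kinds": [], "truncated": False}
    i = 0
    while i < len(opts):
        kind = opts[i]
        result["count"] += 1
        result["kinds"].append(kind)
        if kind < 32:
            result["bitfield"] |= 1 << kind
        if kind == 0:                       # EOL: only padding follows
            break
        if kind == 1:                       # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):              # kind byte without its length byte
            result["truncated"] = True
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            result["truncated"] = True      # bad length: protocol anomaly, stop here
            break
        value = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            result["mss"] = struct.unpack("!H", value)[0]
        elif kind == 3 and length == 3:
            result["ws"] = value[0]
        elif kind == 8 and length == 10:
            result["tsval"], result["tsecr"] = struct.unpack("!II", value)
        i += length
    return result


def mss_ws_present(bitfield: int) -> bool:
    """The tawk selection above: bitsanyset(tcpOptions, 0x0c), MSS or WS present."""
    return bool(bitfield & 0x0000000c)


def option_names(bitfield: int) -> list:
    """Human-readable view of a tcpOptions-style bit field."""
    return [OPTION_NAMES.get(k, "kind%d" % k) for k in range(32) if bitfield >> k & 1]


# tcpOpts of packet 19221 (flow 1336): 0x02;0x04;0x02;0x18;0x01;0x01;0x04;0x02
FLOW_1336_SYN_OPTS = bytes([0x02, 0x04, 0x02, 0x18, 0x01, 0x01, 0x04, 0x02])

# Constructed modern SYN: MSS 1460, SACK permitted, TS (TSval 256, TSecr 0), NOP, WS 7
MODERN_SYN_OPTS = bytes([0x02, 0x04, 0x05, 0xb4,
                         0x04, 0x02,
                         0x08, 0x0a, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
                         0x01,
                         0x03, 0x03, 0x07])

if __name__ == "__main__":
    r = parse_tcp_options(FLOW_1336_SYN_OPTS)
    print(r["count"], hex(r["bitfield"]), r["mss"], option_names(r["bitfield"]))
```

For flow 1336 the parser yields 4 options, bit field 0x16 and MSS 536, which matches the tcpOptCnt, tcpOptions and tcpMSS columns of that flow in the table above; the constructed SYN yields 0x11e with WS 7, which the 0x0c selection would also catch.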
Boot time estimation
The TCP timestamp option, originally created for Round Trip Time (RTT) measurements, can be abused for boot time estimation, because operating systems used the uptime to derive the TCP timestamp.
As different machines boot at different times, this measure separates these machines even behind a NAT, where you normally see only one IP address. The only problem is that different OS have different clock increments, which can be calculated if several packets per flow are available; otherwise it comes down to OS guessing. The column tcpEcI below denotes this increment.
Unfortunately, newer versions of different OS use a random value per connection, aka flow. Hence, a comparison of different flows from the same machine will yield different up or boot times, becoming useless. Nevertheless, the estimation of tcpEcI is still useful for newer OS.
annoloc2.pcap was acquired in 2002, so if you look at the boot time below you will see a correlation; it works.
tawk '{ print $srcIP, $tcpTmS, $tcpTmER, $tcpEcI, $tcpUtm, $tcpBtm }' ~/results/annoloc2_flows.txt | sort -V | uniq | awkf '$2' | head -n 40 | tcol
18.2.89.211 7748617 849533919 0.01 77486.168268 1022094226.113857
18.2.89.211 7748924 849534263 0.01 77489.238268 1022094226.117551
18.2.89.211 7749342 849534680 0.01 77493.418268 1022094226.112002
18.2.89.211 7749343 849534252 0.01 77493.428268 1022094226.110962
18.2.89.211 7749424 204508834 0.01 77494.238268 1022094226.109821
18.2.89.211 7749524 849534270 0.01 77495.238268 1022094226.114326
18.2.89.211 7749624 849534698 0.01 77496.238268 1022094226.112043
18.2.89.211 7749726 849535064 0.01 77497.258268 1022094226.108770
18.2.89.211 7749831 849534861 0.01 77498.308268 1022094226.110499
18.2.89.211 7749831 849535169 0.01 77498.308268 1022094226.106990
18.2.89.211 7749838 849535176 0.01 77498.378268 1022094226.108500
18.2.89.211 7749938 849535064 0.01 77499.378268 1022094226.111827
18.2.89.211 7749967 849535305 0.01 77499.668268 1022094226.108143
18.85.17.135 22846249 826368 0.01 228462.484893 1021943255.914858
18.85.17.135 22846930 826851 0.01 228469.294893 1021943255.920749
18.107.26.21 103819943 373699105 0.01 1038199.406794 1021133503.026880
18.155.23.221 33847443 43376223 0.01 338474.422435 1021833231.196510
18.155.23.221 33848762 248428209 0.01 338487.612434 1021833231.192676
18.155.23.221 33848960 182165005 0.01 338489.592434 1021833231.189961
18.155.23.221 33849237 6322419 0.01 338492.362434 1021833231.189718
19.24.4.45 1693583440 72029656 0.01 16935834.021455 1005235877.235269
19.24.4.45 1693583872 793132504 0.01 16935838.341455 1005235877.273548
19.29.161.16 19986317 34285718 0.01 199863.165533 1021971858.270386
19.55.36.202 1098236 390486740 0.01 10982.359755 1022160744.225946
19.55.36.202 1098240 8297346 0.01 10982.399755 1022160744.232882
19.59.134.250 199361062 113909808 0.01 1993610.575439 1020178116.063283
19.67.192.174 35424473 785167233 0.01 354244.722082 1021817463.220258
19.67.210.218 4323074 689732 0.1 432307.406442 1021739419.180875
19.114.68.45 78574708 17008889 0.01 785747.062437 1021385960.390762
19.114.68.45 78574918 34284567 0.01 785749.162437 1021385960.391068
19.114.68.45 78575088 72029658 0.01 785750.862437 1021385960.391782
19.139.46.124 29251 785168750 0.1 2925.100044 1022168799.345162
19.169.122.89 1806691 853448585 0.01 18066.909596 1022153659.006621
19.173.18.204 17719695 785166685 0.1 1771969.526404 1020399734.567682
19.173.18.204 17719720 785168065 0.01 177197.196039 1021994520.359783
19.173.18.204 17719731 785168629 0.01 177197.306039 1021994526.080392
19.182.177.87 49516646 34285659 0.01 495166.448932 1021676554.013431
19.182.177.87 144345608 34285961 0.01 1443456.047736 1020728267.433657
19.182.178.138 23254415 34285407 0.01 232544.144802 1021939173.792873
19.182.178.197 139712 853446502 0.1 13971.200208 1022157733.965144
The plugin will evolve; as soon as we find something else for this feature, it will be implemented in tcpFlags. So if you have an idea, please contact us; we are happy to cooperate with you on research of such things.
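The arithmetic behind the tcpEcI, tcpUtm and tcpBtm columns, as an added example that is not code from this tutorial or the tcpFlags plugin: the increment is the capture time difference between two packets of a flow divided by their TSval difference, snapped to one of the usual timestamp clock periods; the uptime is TSval times that increment; the boot time is the capture time minus the uptime. The sample flow is constructed after the first row for 18.2.89.211 above, and the last function shows the caveat from the text: per-connection random timestamps make the boot times of flows from one host disagree, while the increment estimate remains usable.

```python
import math

# Typical TCP timestamp clock periods in seconds (1 kHz, 250 Hz, 100 Hz, 10 Hz);
# tcpEcI above reports the same quantity (0.01 and 0.1 in the table).
KNOWN_INCREMENTS = (0.001, 0.004, 0.01, 0.1)


def estimate_increment(t1, ts1, t2, ts2):
    """Seconds per TSval tick between two packets, snapped to the nearest known
    period. Returns None when no estimate is possible (no tick, wrap, reordering)."""
    if ts2 <= ts1 or t2 <= t1:
        return None
    raw = (t2 - t1) / (ts2 - ts1)
    # compare on a log scale so 0.001 vs 0.01 vs 0.1 are equally far apart
    return min(KNOWN_INCREMENTS, key=lambda inc: abs(math.log(raw / inc)))


def uptime_and_boot(capture_time, tsval, increment):
    """tcpUtm = TSval * increment; tcpBtm = capture time - tcpUtm."""
    uptime = tsval * increment
    return uptime, capture_time - uptime


def estimate_flow(packets):
    """packets: [(capture_time, tsval), ...] of one flow in capture order.
    Returns (increment, uptime, boot_time) or None if the flow is unusable."""
    if len(packets) < 2:
        return None
    (t1, ts1), (t2, ts2) = packets[0], packets[-1]
    inc = estimate_increment(t1, ts1, t2, ts2)
    if inc is None:
        return None
    uptime, boot = uptime_and_boot(t1, ts1, inc)
    return inc, uptime, boot


def boot_times_consistent(flows, tolerance=1.0):
    """Flows from one host should agree on its boot time within about a second.
    Newer OS randomize the timestamp per connection, so their flows scatter
    widely: then tcpBtm is meaningless even though tcpEcI still holds."""
    boots = [est[2] for est in map(estimate_flow, flows) if est is not None]
    return len(boots) > 1 and max(boots) - min(boots) <= tolerance


# Constructed after the first row for 18.2.89.211 above: two packets one second
# apart with TSval advancing by 100 ticks, i.e. a 100 Hz timestamp clock.
SAMPLE_FLOW = [(1022171712.282125, 7748617), (1022171713.282125, 7748717)]

if __name__ == "__main__":
    inc, uptime, boot = estimate_flow(SAMPLE_FLOW)
    print("tcpEcI=%g tcpUtm=%.6f tcpBtm=%.6f" % (inc, uptime, boot))
```

The sample gives tcpEcI 0.01, an uptime of about 77486.17 s and a boot time of about 1022094226.11, in line with the 18.2.89.211 rows above. Several flows from one host agreeing on the boot time is what lets you separate hosts behind a NAT; several flows from one address disagreeing by hours or days is the signature of per-connection randomization, not of several machines.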
Multipath TCP (MPTCP)
Multipath TCP was developed in order to allow a TCP connection to use multiple paths to optimize resource usage and to increase redundancy. There are several other protocols such as
- SCTP
- Multipath QUIC from Google
MPTCP in tcpFlags.h controls the MPTCP dissection. It is enabled by default and decodes the subtype and the different flags. More will be added in the future.
Download the sample pcap iperf-mptcp-0-0.pcap and store it under your ~/data folder. More pcaps are available under https://wiki.wireshark.org/SampleCaptures#MPTCP
t2 -r ~/data/iperf-mptcp-0-0.pcap -w ~/results/ -s
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 11470
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: tcpFlags, 0.8.14
    03: tcpStates, 0.8.14
    04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/iperf-mptcp-0-0.pcap
Link layer type: PPP [PPP/9]
Dump start: 0.000000 sec (Thu 01 Jan 1970 00:00:00 GMT)
Dump stop : 12.319482 sec (Thu 01 Jan 1970 00:00:12 GMT)
Total dump duration: 12.319482 sec
Finished processing. Elapsed time: 0.117536 sec
Finished unloading flow memory. Time: 0.117741 sec
Percentage completed: 100.00%
Number of processed packets: 2560 (2.56 K)
Number of processed bytes: 2538100 (2.54 M)
Number of raw bytes: 2538100 (2.54 M)
Number of pad bytes: 240
Number of pcap bytes: 2579084 (2.58 M)
Number of IPv4 packets: 2554 (2.55 K) [99.77%]
Number of IPv6 packets: 6 [0.23%]
Number of A packets: 1680 (1.68 K) [65.62%]
Number of B packets: 880 [34.38%]
Number of A bytes: 2483492 (2.48 M) [97.85%]
Number of B bytes: 54608 (54.61 K) [2.15%]
Average A packet load: 1478.27 (1.48 K)
Average B packet load: 62.05
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x0040
tcpFlags: Aggregated tcpFStat=0x8a33
tcpFlags: Aggregated tcpFlags=0x031b
tcpFlags: Aggregated tcpAnomaly=0x0009
tcpFlags: Number of TCP SYN retries, seq retries: 4, 0
tcpFlags: Aggregated MPTCP subtypes: tcpMPTBF=0x000f
tcpFlags: Aggregated MPTCP flags: tcpMPF=0x81
tcpFlags: Number of MPTCP packets: 2557 (2.56 K) [99.88%]
tcpStates: Aggregated tcpStatesAFlags=0x03
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of ICMPv6 packets: 6 [0.23%]
Number of TCP packets: 2554 (2.55 K) [99.77%]
Number of TCP bytes: 2537752 (2.54 M) [99.99%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 8
Number of processed A flows: 6 [75.00%]
Number of processed B flows: 2 [25.00%]
Number of request flows: 6 [75.00%]
Number of reply flows: 2 [25.00%]
Total A/B flow asymmetry: 0.50
Total req/rply flow asymmetry: 0.50
Number of processed packets/flows: 320.00
Number of processed A packets/flows: 280.00
Number of processed B packets/flows: 440.00
Number of processed total packets/s: 207.80
Number of processed A+B packets/s: 207.80
Number of processed A packets/s: 136.37
Number of processed B packets/s: 71.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.65
Average full raw bandwidth: 1648186 b/s (1.65 Mb/s)
Average full bandwidth : 1648186 b/s (1.65 Mb/s)
Max number of flows in memory: 8 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0c0000000000e002
[INF] IPv4 flows
[INF] IPv6 flows
[INF] No Ethernet header
[INF] PPP/HDLC encapsulation
tcpFStat flags MPTCP in 2557 of 2560 packets.
The tcpFStat column with value 0x8a33 is to be interpreted as follows:
bit | tcpFStat | Description
=============================================================================
0 | 0x0001 | Packet good for inter-distance assessment
1 | 0x0002 | TCP option init
4 | 0x0010 | Window state-machine initialized
5 | 0x0020 | Window update
9 | 0x0200 | WS used
11 | 0x0800 | Window state-machine count up(1)/down(0)
15 | 0x8000 | MPTCP detected
The subtypes are coded in a T2 bit field:
tawk -V tcpMPTBF=0x000f
The tcpMPTBF column with value 0x000f is to be interpreted as follows:
bit | tcpMPTBF | Description
=============================================================================
0 | 0x0001 | Multipath Capable
1 | 0x0002 | Join Connection
2 | 0x0004 | Data Sequence Signal (Data ACK and data sequence mapping)
3 | 0x0008 | Add Address
So in the flow file you will see the subtype bit field, the flags, the address ID and the DSS flags, e.g. for subtype 2.
tawk '{ print $srcIP, $srcPort, $dstIP, $dstPort, $l4Proto, $tcpFStat, $tcpMPTBF, $tcpMPF, $tcpMPAID, $tcpMPDSSF }' ~/results/iperf-mptcp-0-0_flows.txt | tcol
srcIP srcPort dstIP dstPort l4Proto tcpFStat tcpMPTBF tcpMPF tcpMPAID tcpMPDSSF
fe80::200:ff:fe00:1 0 ff02::2 0 58 0x0001 0x0000 0x00 0 0x00
fe80::200:ff:fe00:2 0 ff02::2 0 58 0x0001 0x0000 0x00 0 0x00
10.1.1.1 43376 10.2.0.1 5001 6 0x8013 0x0002 0x00 3 0x00
10.1.1.1 57841 10.2.1.1 5001 6 0x8013 0x0002 0x00 3 0x00
10.1.0.1 49078 10.2.1.1 5001 6 0x8213 0x0006 0x00 2 0x15
10.2.1.1 5001 10.1.0.1 49078 6 0x8a33 0x0006 0x00 3 0x15
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 0x000d 0x81 3 0x05
10.2.0.1 5001 10.1.0.1 5001 6 0x8a13 0x000d 0x81 3 0x01
Same for the packet file, except that the subtype is the actual value instead of a T2 bit field:
tawk '{ print $srcIP, $srcPort, $dstIP, $dstPort, $l4Proto, $tcpFStat, $tcpMPTyp, $tcpMPF, $tcpMPAID, $tcpMPDSSF }' ~/results/iperf-mptcp-0-0_packets.txt | tcol
srcIP srcPort dstIP dstPort l4Proto tcpFStat tcpMPTyp tcpMPF tcpMPAID tcpMPDSSF
fe80::200:ff:fe00:1 ff02::2 58
fe80::200:ff:fe00:2 ff02::2 58
fe80::200:ff:fe00:1 ff02::2 58
fe80::200:ff:fe00:2 ff02::2 58
10.1.0.1 5001 10.2.0.1 5001 6 0x8012 0 0x81 0 0x00
10.2.0.1 5001 10.1.0.1 5001 6 0x8012 0 0x81 0 0x00
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x81 0 0x01
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 3 0x01
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.1.0.1 5001 10.2.0.1 5001 6 0x8213 2 0x00 0 0x05
10.2.0.1 5001 10.1.0.1 5001 6 0x8213 2 0x00 3 0x01
In the future more features will be added.
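How the per-packet subtype becomes the flow-level bit field, and where the tcpMPF, tcpMPAID and tcpMPDSSF values come from, as an added example that is not code from this tutorial or the tcpFlags plugin. It decodes a single MPTCP option (TCP option kind 30, layout as in RFC 6824: subtype in the high nibble of the third byte, subtype-specific fields after it) and then folds several decoded options into flow aggregates the way the columns above do: one bit per subtype seen, the MP_CAPABLE flag byte, the last address ID and the union of DSS flags. The four sample options are constructed; keys, tokens, nonces and the address are dummy bytes, only the flag and ID values mirror the table.

```python
MPTCP_KIND = 30
SUBTYPES = {0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR",
            4: "REMOVE_ADDR", 5: "MP_PRIO", 6: "MP_FAIL", 7: "MP_FASTCLOSE"}
# DSS flag byte, RFC 6824: reserved(3) F m M a A, A being the least significant bit
DSS_FLAG_NAMES = {0x01: "A", 0x02: "a", 0x04: "M", 0x08: "m", 0x10: "F"}


def decode_mptcp(opt: bytes) -> dict:
    """opt = kind, length and body of one MPTCP option. Raises ValueError when the
    option is not kind 30 or its length byte disagrees with the bytes given."""
    if len(opt) < 4 or opt[0] != MPTCP_KIND or opt[1] != len(opt):
        raise ValueError("not a well-formed MPTCP option")
    subtype = opt[2] >> 4
    out = {"subtype": subtype, "name": SUBTYPES.get(subtype, "unknown"),
           "flags": 0, "addr_id": 0, "dss_flags": 0}
    if subtype == 0:                     # MP_CAPABLE: version nibble, then flag byte A..H
        out["version"] = opt[2] & 0x0f
        out["flags"] = opt[3]
    elif subtype == 1:                   # MP_JOIN: backup bit, then address ID
        out["backup"] = opt[2] & 0x01
        out["addr_id"] = opt[3]
    elif subtype == 2:                   # DSS: flag byte F m M a A
        out["dss_flags"] = opt[3] & 0x1f
        out["dss_names"] = "".join(n for b, n in sorted(DSS_FLAG_NAMES.items())
                                   if opt[3] & b)
    elif subtype == 3:                   # ADD_ADDR: IP version nibble, then address ID
        out["ipver"] = opt[2] & 0x0f
        out["addr_id"] = opt[3]
    return out


def aggregate(options) -> dict:
    """Fold decoded options of one flow into tcpMPTBF/tcpMPF/tcpMPAID/tcpMPDSSF-style values."""
    agg = {"tcpMPTBF": 0, "tcpMPF": 0, "tcpMPAID": 0, "tcpMPDSSF": 0}
    for opt in options:
        d = decode_mptcp(opt)
        agg["tcpMPTBF"] |= 1 << d["subtype"]          # one bit per subtype seen
        agg["tcpMPF"] |= d["flags"]
        if d["addr_id"]:
            agg["tcpMPAID"] = d["addr_id"]            # last address ID seen
        agg["tcpMPDSSF"] |= d["dss_flags"]
    return agg


# Constructed sample options (key, token, nonce and address bytes are dummies)
MP_CAPABLE_SYN = bytes([30, 12, 0x00, 0x81]) + bytes(8)   # flags 0x81 as in tcpMPF above
MP_JOIN_SYN = bytes([30, 12, 0x10, 0x03]) + bytes(8)      # address ID 3
DSS_DATA = bytes([30, 20, 0x20, 0x05]) + bytes(16)        # A + M: data ACK and DSN present
ADD_ADDR_V4 = bytes([30, 8, 0x34, 0x03, 10, 2, 1, 1])     # IPv4 address, address ID 3

if __name__ == "__main__":
    print(aggregate([MP_CAPABLE_SYN, MP_JOIN_SYN, DSS_DATA, ADD_ADDR_V4]))
```

Aggregating the four constructed options gives tcpMPTBF 0x000f, tcpMPF 0x81, tcpMPAID 3 and tcpMPDSSF 0x05, the combination reported for the iperf capture above; the DSS row with 0x15 adds the F (DATA_FIN) bit.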
Fragmentation
Fragmentation is a diverse subject. In IPv4 it should not occur anymore, because today the MTU is generally large enough throughout networks. If you see it in your corporate network, it should be investigated. IPv6 is a different story: there fragmentation is an established tool.
The constant FRAG_ANALYZE in tcpFlags.h controls the fragmentation analysis. Moreover, the constant FRAGMENTATION has to be enabled in tranalyzer.h under the tranalyzer2/src directory, which is the default.
I prepared a pcap which illustrates a pitfall of flow based representation when fragmentation is present. So download frag.pcap and add basicStats so that we can look at the packet and payload statistics.
t2build basicStats
Then rerun t2 using the -s option, as we also want to look at the packets.
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 13607
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: basicStats, 0.8.14
    03: tcpFlags, 0.8.14
    04: tcpStates, 0.8.14
    05: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/frag.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1294260264.274530 sec (Wed 05 Jan 2011 20:44:24 GMT)
Dump stop : 1294260291.961272 sec (Wed 05 Jan 2011 20:44:51 GMT)
Total dump duration: 27.686742 sec
Finished processing. Elapsed time: 0.001058 sec
Finished unloading flow memory. Time: 0.001428 sec
Percentage completed: 100.00%
Number of processed packets: 82
Number of processed bytes: 14857 (14.86 K)
Number of raw bytes: 14857 (14.86 K)
Number of pad bytes: 124
Number of pcap bytes: 16193 (16.19 K)
Number of IPv4 packets: 38 [46.34%]
Number of A packets: 80 [97.56%]
Number of B packets: 2 [2.44%]
Number of A bytes: 14737 (14.74 K) [99.19%]
Number of B bytes: 120 [0.81%]
Average A packet load: 184.21
Average B packet load: 60.00
--------------------------------------------------------------------------------
basicStats: Biggest L2 talker: 00:0d:65:4f:38:94: 14 [17.07%] packets
basicStats: Biggest L2 talker: 00:1e:13:0c:02:07: 780 [5.25%] bytes
basicStats: Biggest L3 talker: 192.168.203.131: 26 [31.71%] packets
basicStats: Biggest L3 talker: 192.168.203.131: 10904 (10.90 K) [73.39%] bytes
tcpFlags: Aggregated ipFlags=0x0860
tcpFlags: Aggregated tcpFStat=0x1011
tcpFlags: Aggregated tcpFlags=0x0c14
tcpFlags: Aggregated tcpAnomaly=0x3180
tcpFlags: Aggregated ipToS=0xc0
tcpFlags: Number of TCP scans attempted, successful: 0, 1 [inf%]
tcpStates: Aggregated tcpStatesAFlags=0xc3
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, average: 2.67
Number of LLC packets: 16 [19.51%]
Number of ICMP packets: 3 [3.66%]
Number of TCP packets: 27 [32.93%]
Number of TCP bytes: 10964 (10.96 K) [73.80%]
Number of UDP packets: 5 [6.10%]
Number of UDP bytes: 763 [5.14%]
Number of IPv4 fragmented packets: 26 [68.42%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 20
Number of processed A flows: 18 [90.00%]
Number of processed B flows: 2 [10.00%]
Number of request flows: 18 [90.00%]
Number of reply flows: 2 [10.00%]
Total A/B flow asymmetry: 0.80
Total req/rply flow asymmetry: 0.80
Number of processed packets/flows: 4.10
Number of processed A packets/flows: 4.44
Number of processed B packets/flows: 1.00
Number of processed total packets/s: 2.96
Number of processed A+B packets/s: 2.96
Number of processed A packets/s: 2.89
Number of processed B packets/s: 0.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.72
Average full raw bandwidth: 4293 b/s (4.29 Kb/s)
Average full bandwidth : 3515 b/s (3.52 Kb/s)
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400081000004044
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] ARP
[INF] IPv4/6 fragmentation
We see that 26 [68.42%] packets are fragmented. Two warnings about fragmentation in the end report indicate abnormalities in the IPv4 fragmented traffic. Below, fragmented traffic including abnormalities is selected from the flow file. We have a perfectly fragmented packet: all fragments sum up in the numBytesSnt and numBytesRcvd columns.
tawk 'bitsanyset($ipFlags, 0x03b8) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly, $numPktsSnt, $numPktsRcvd, $numBytesSnt, $numBytesRcvd }' ~/results/frag_flows.txt | tcol
%dir flowInd flowStat srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort tcpFStat ipFlags tcpFlags tcpAnomaly numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd
A 4 0x0400081000004000 192.168.203.131 07 "Private network" 1509 192.168.203.134 07 "Private network" 0 0x1011 0x0820 0x0800 0x3000 26 1 10000 0
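The flow-based pitfall in one piece of code, as an added example that is not code from this tutorial or the tcpFlags plugin: a small fragment tracker keyed by IP ID that walks the fragments in offset order and reports the conditions the end report warns about in the annoloc2 run above (fragmentation header packet missing, fragmentation sequence not finished), together with the byte totals that the flow view sums up. The sample is constructed after flow 4: IP ID 249, 25 fragments of 400 bytes each and a last fragment of 20 bytes, so that the IP payload is 10020 bytes and, after the 20-byte TCP header carried in the first fragment, the L7 payload is the 10000 bytes of numBytesSnt above. The assumption of a 20-byte L4 header is a parameter.

```python
from dataclasses import dataclass, field


@dataclass
class Fragment:
    ip_id: int
    offset: int        # fragment offset in bytes (header field * 8)
    more: bool         # MF flag
    payload_len: int   # IP payload bytes carried by this fragment


@dataclass
class Reassembly:
    fragments: list = field(default_factory=list)

    def add(self, frag: Fragment) -> None:
        self.fragments.append(frag)

    def status(self, l4_hdr_len: int = 20) -> dict:
        """Classify the fragment set: complete, first (L4 header) fragment missing,
        unfinished (no last fragment or holes), or overlapping fragments."""
        frags = sorted(self.fragments, key=lambda f: f.offset)
        has_first = any(f.offset == 0 for f in frags)
        has_last = any(not f.more for f in frags)
        expected, holes, overlaps = 0, 0, 0
        for f in frags:
            if f.offset > expected:          # gap before this fragment
                holes += 1
            elif f.offset < expected:        # this fragment overlaps a previous one
                overlaps += 1
            expected = max(expected, f.offset + f.payload_len)
        total = sum(f.payload_len for f in frags)
        complete = has_first and has_last and holes == 0 and overlaps == 0
        return {
            "fragments": len(frags),
            "bytes": total,                                   # IP payload bytes seen
            "l7_bytes": total - l4_hdr_len if has_first else None,
            "first_missing": not has_first,
            "unfinished": not has_last or holes > 0,
            "overlap": overlaps > 0,
            "complete": complete,
        }


def track(fragments, l4_hdr_len: int = 20) -> dict:
    """Group fragments by IP ID (one src/dst/proto assumed) and report each group."""
    groups = {}
    for f in fragments:
        groups.setdefault(f.ip_id, Reassembly()).add(f)
    return {ip_id: r.status(l4_hdr_len) for ip_id, r in groups.items()}


# Constructed after flow 4 above: 25 fragments of 400 bytes with MF set, then a
# final 20-byte fragment at offset 10000 with MF cleared.
FLOW4_FRAGS = [Fragment(249, 400 * i, True, 400) for i in range(25)] + \
              [Fragment(249, 10000, False, 20)]

if __name__ == "__main__":
    print(track(FLOW4_FRAGS)[249])
    print(track(FLOW4_FRAGS[1:])[249]["first_missing"])     # header fragment missing
    print(track(FLOW4_FRAGS[:-1])[249]["unfinished"])       # sequence not finished
```

Only the first fragment carries ports and the TCP header, which is why the other 25 rows in the packet file below show srcPort 0 and a zero l4HdrChkSum: a flow record built from a fragment set whose first fragment was lost cannot be attributed to an L4 service at all, and a set that never sees its last fragment keeps its byte count open.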
Looking at the packet file, the first packet contains the layer 4 header with the checksum. At the last fragment T2 adds the IP pseudo header and calculates the final checksum, which matches the 0x7366 from the TCP header of the initial packet.
tawk 'flow(4)' ~/results/frag_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktLen l7Len ipToS ipID ipIDDiff ipFrag ipTTL ipHdrChkSum ipCalChkSum l4HdrChkSum l4CalChkSum ipFlags ip6HHOptLen ip6HHOpts ip6DOptLen ip6DOpts ipOptLen ipOpts seq ack seqMax seqDiff ackDiff seqLen ackLen seqFlowLen ackFlowLen tcpMLen tcpBFlgt tcpFStat tcpFlags tcpAnomaly tcpWin tcpWS tcpMSS tcpTmS tcpTmER tcpOptLen tcpOpts tcpStatesAFlags l7Content
4 4 0x0400009000004000 1294260266.528280 0.000000 0.000000 0.000000 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 1509 192.168.203.134 07 Private network 0 6 434 380 0x00 249 0 0x2000 64 0x4000 0x4000 0x7366 0x0000 0x0020 0 0 0 280548844 777151161 280548844 0 0 0 0 0 0 380 0 0x1010 0x0800 0x1000 512 0 0 0 0 0 0x81 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5 4 0x0400089000004000 1294260266.528318 0.000038 0.000000 0.000038 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x2032 64 0x3fce 0x3fce 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6 4 0x0400089000004000 1294260266.528335 0.000017 0.000000 0.000055 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x2064 64 0x3f9c 0x3f9c 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7 4 0x0400089000004000 1294260266.528348 0.000013 0.000000 0.000068 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x2096 64 0x3f6a 0x3f6a 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8 4 0x0400089000004000 1294260266.528363 0.000015 0.000000 0.000083 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x20c8 64 0x3f38 0x3f38 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9 4 0x0400089000004000 1294260266.528383 0.000020 0.000000 0.000103 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x20fa 64 0x3f06 0x3f06 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
10 4 0x0400089000004000 1294260266.528404 0.000021 0.000000 0.000124 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x212c 64 0x3ed4 0x3ed4 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
11 4 0x0400089000004000 1294260266.528424 0.000020 0.000000 0.000144 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x215e 64 0x3ea2 0x3ea2 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
12 4 0x0400089000004000 1294260266.528443 0.000019 0.000000 0.000163 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x2190 64 0x3e70 0x3e70 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
13 4 0x0400089000004000 1294260266.528462 0.000019 0.000000 0.000182 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x21c2 64 0x3e3e 0x3e3e 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
14 4 0x0400089000004000 1294260266.528480 0.000018 0.000000 0.000200 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x21f4 64 0x3e0c 0x3e0c 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
15 4 0x0400089000004000 1294260266.528497 0.000017 0.000000 0.000217 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x2226 64 0x3dda 0x3dda 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
16 4 0x0400089000004000 1294260266.528512 0.000015 0.000000 0.000232 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x2258 64 0x3da8 0x3da8 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
17 4 0x0400089000004000 1294260266.528526 0.000014 0.000000 0.000246 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x228a 64 0x3d76 0x3d76 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
18 4 0x0400089000004000 1294260266.528544 0.000018 0.000000 0.000264 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x22bc 64 0x3d44 0x3d44 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
19 4 0x0400089000004000 1294260266.528561 0.000017 0.000000 0.000281 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x22ee 64 0x3d12 0x3d12 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
20 4 0x0400089000004000 1294260266.528575 0.000014 0.000000 0.000295 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x2320 64 0x3ce0 0x3ce0 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
21 4 0x0400089000004000 1294260266.528588 0.000013 0.000000 0.000308 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x2352 64 0x3cae 0x3cae 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
22 4 0x0400089000004000 1294260266.528601 0.000013 0.000000 0.000321 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x2384 64 0x3c7c 0x3c7c 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
23 4 0x0400089000004000 1294260266.528613 0.000012 0.000000 0.000333 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x23b6 64 0x3c4a 0x3c4a 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
24 4 0x0400089000004000 1294260266.528626 0.000013 0.000000 0.000346 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x23e8 64 0x3c18 0x3c18 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
25 4 0x0400089000004000 1294260266.528776 0.000150 0.000000 0.000496 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x241a 64 0x3be6 0x3be6 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
26 4 0x0400089000004000 1294260266.528818 0.000042 0.000000 0.000538 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x244c 64 0x3bb4 0x3bb4 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
27 4 0x0400089000004000 1294260266.528854 0.000036 0.000000 0.000574 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x247e 64 0x3b82 0x3b82 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
28 4 0x0400089000004000 1294260266.528889 0.000035 0.000000 0.000609 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 434 400 0x00 249 0 0x24b0 64 0x3b50 0x3b50 0x0000 0x0000 0x0020 0 0 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
29 4 0x0400081000004000 1294260266.528923 0.000034 0.000000 0.000643 3 eth:ipv4:tcp 00:24:e8:ed:3f:10 00:0f:ea:e8:f5:51 0x0800 192.168.203.131 07 Private network 0 192.168.203.134 07 Private network 0 6 54 20 0x00 249 0 0x04e2 64 0x5c9a 0x5c9a 0x7366 0x5f52 0x0800 0 0 0 XXXXXXXXXXXXXXXXXXXX
30 4 0x0400000000004001 1294260266.529423 0.000000 0.000500 0.000000 3 eth:ipv4:tcp 00:0f:ea:e8:f5:51 00:24:e8:ed:3f:10 0x0800 192.168.203.134 07 Private network 0 192.168.203.131 07 Private network 1509 6 60 0 0x00 14196 0 0x4000 64 0xeb00 0xeb00 0x83db 0x83db 0x0040 0 0 0 0 280558844 0 0 0 0 0 0 0 0 0 0x0010 0x0414 0x0180 0 0 0 0 0 0 0x40
Detecting Scans
Scans are usually the opening move of a more serious attack. Nevertheless, a lot of perfectly normal TCP traffic looks like scanning: anybody who has run Snort, the de facto standard IDS, has probably suffered from wading through all its scan alarms. Scan indications therefore need filtering.
I once needed an indication in the end report and in the flow/packet file of whether a malicious TCP scan is going on. The heuristic is not perfect, but it has often served its purpose.
To see its effect clearly, download nmap_v_sT.pcap, copy it into your data folder and rerun t2 on it. The pcap was generated with the nmap scanning tool.
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 27141
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: basicStats, 0.8.14
    03: tcpFlags, 0.8.14
    04: tcpStates, 0.8.14
    05: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/nmap_v_sT.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1416313200.358106 sec (Tue 18 Nov 2014 12:20:00 GMT)
Dump stop : 1416313214.101341 sec (Tue 18 Nov 2014 12:20:14 GMT)
Total dump duration: 13.743235 sec
Finished processing. Elapsed time: 0.017391 sec
Finished unloading flow memory. Time: 0.041641 sec
Percentage completed: 100.00%
Number of processed packets: 1081 (1.08 K)
Number of processed bytes: 83786 (83.79 K)
Number of raw bytes: 83786 (83.79 K)
Number of pcap bytes: 101106 (101.11 K)
Number of IPv4 packets: 1081 (1.08 K) [100.00%]
Number of A packets: 1081 (1.08 K) [100.00%]
Number of A bytes: 83786 (83.79 K) [100.00%]
Average A packet load: 77.51
Average B packet load: 0.00
--------------------------------------------------------------------------------
basicStats: Biggest L3 talker: 10.20.6.125: 16 [1.48%] packets
basicStats: Biggest L3 talker: 10.20.6.125: 2832 (2.83 K) [3.38%] bytes
tcpFlags: Aggregated ipFlags=0x0044
tcpFlags: Aggregated tcpFStat=0x0013
tcpFlags: Aggregated tcpFlags=0x803b
tcpFlags: Aggregated tcpAnomaly=0x1008
tcpFlags: Aggregated ipToS=0x04
tcpFlags: Number of TCP scans attempted, successful: 1039 (1.04 K), 0 [0.00%]
tcpStates: Aggregated tcpStatesAFlags=0x83
--------------------------------------------------------------------------------
Headers count: min: 3, max: 4, average: 3.00
Number of ICMP packets: 16 [1.48%]
Number of TCP packets: 1057 (1.06 K) [97.78%]
Number of TCP bytes: 78218 (78.22 K) [93.35%]
Number of UDP packets: 8 [0.74%]
Number of UDP bytes: 2736 (2.74 K) [3.27%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 1042 (1.04 K)
Number of processed A flows: 1042 (1.04 K) [100.00%]
Number of request flows: 1042 (1.04 K) [100.00%]
Total A/B flow asymmetry: 1.00
Total req/rply flow asymmetry: 1.00
Number of processed packets/flows: 1.04
Number of processed A packets/flows: 1.04
Number of processed total packets/s: 78.66
Number of processed A+B packets/s: 78.66
Number of processed A packets/s: 78.66
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 75.82
Average full raw bandwidth: 48772 b/s (48.77 Kb/s)
Average full bandwidth : 48772 b/s (48.77 Kb/s)
Max number of flows in memory: 1042 (1.04 K) [0.40%]
Memory usage: 0.02 GB [0.02%]
Aggregated flowStat=0x0400100002004000
[WRN] Consecutive duplicate IP ID
[INF] IPv4 flows
[INF] SSDP/UPnP
The report already tells the story: 1039 TCP scans attempted, none successful, and the aggregated tcpFlags carry bit 0x8000. The aggregated tcpFlags, tcpAnomaly and ipToS values can be decoded with the -V option of tawk:
tawk -V tcpFlags=0x803b -V tcpAnomaly=0x1008 -V ipToS=0x04
The tcpFlags column with value 0x803b is to be interpreted as follows:

bit | tcpFlags | Description
=============================================================================
  0 | 0x0001   | FIN: No more data, finish connection
  1 | 0x0002   | SYN: Synchronize sequence numbers
  3 | 0x0008   | PSH: Push data
  4 | 0x0010   | ACK: Acknowledgement field value valid
  5 | 0x0020   | URG: Urgent pointer valid
 15 | 0x8000   | Potential Xmas scan packet or malicious channel

The tcpAnomaly column with value 0x1008 is to be interpreted as follows:

bit | tcpAnomaly | Description
=============================================================================
  3 | 0x0008     | Duplicate ACK
 12 | 0x1000     | Scan detected in flow

The ipToS column with value 0x04 is to be interpreted as follows:

bit | ipToS | Description
=============================================================================
  2 | 0x04  | Precedence 0
Below, the first rows of the flow file that carry the scan bit (tcpAnomaly bit 0x1000) are printed; head -n 10 limits the output to the header line plus nine flows:
tawk 'bitsanyset($tcpAnomaly, 0x1000)' ~/results/nmap_v_sT_flows.txt | head -n 10 | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpFStat ipMindIPID ipMaxdIPID ipMinTTL ipMaxTTL ipTTLChg ipToS ipFlags ipOptCnt ipOptCpCl_Num ip6OptCntHH_D ip6OptHH_D tcpISeqN tcpPSeqCnt tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpBFlgtMx tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt tcpFlags tcpAnomaly tcpOptPktCnt tcpOptCnt tcpOptions tcpMSS tcpWS tcpMPTBF tcpMPF tcpMPAID tcpMPdssF tcpTmS tcpTmER tcpEcI tcpUtm tcpBtm tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAve tcpRTTAckTripJitAve tcpRTTSseqAA tcpRTTAckJitAve tcpStatesAFlags
A 1 0x0400000000004000 1416313200.358106 1416313200.358106 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 54118 10.20.0.125 04 "Private network" 587 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2868435842 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3992845 0 0.004 15971.380759 1416297228.977348 0 65535 0 0 0 0 0 0x03
A 2 0x0400000000004000 1416313200.457149 1416313200.457149 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 33056 10.20.0.125 04 "Private network" 1720 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2506148143 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3992875 0 0.004 15971.500759 1416297228.956391 0 65535 0 0 0 0 0 0x03
A 3 0x0400000000004000 1416313201.458313 1416313201.458313 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 45750 10.20.0.125 04 "Private network" 1720 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 1770850395 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3993175 0 0.004 15972.700759 1416297228.757555 0 65535 0 0 0 0 0 0x03
A 4 0x0400000000004000 1416313201.458361 1416313201.458361 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 38704 10.20.0.125 04 "Private network" 587 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3336324932 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3993175 0 0.004 15972.700759 1416297228.757603 0 65535 0 0 0 0 0 0x03
A 5 0x0400000000004000 1416313201.557900 1416313201.557900 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 50322 10.20.0.125 04 "Private network" 995 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3712758514 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3993205 0 0.004 15972.820759 1416297228.737142 0 65535 0 0 0 0 0 0x03
A 6 0x0400000000004000 1416313201.558981 1416313201.558981 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 45384 10.20.0.125 04 "Private network" 135 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2792320487 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3993206 0 0.004 15972.824759 1416297228.734223 0 65535 0 0 0 0 0 0x03
A 7 0x0400000000004000 1416313201.559756 1416313201.559756 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 55726 10.20.0.125 04 "Private network" 443 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 742007355 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3993206 0 0.004 15972.824759 1416297228.734998 0 65535 0 0 0 0 0 0x03
A 8 0x0400000000004000 1416313201.759706 1416313201.759706 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 55879 10.20.0.125 04 "Private network" 443 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3280881276 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3993266 0 0.004 15973.064759 1416297228.694948 0 65535 0 0 0 0 0 0x03
A 9 0x0400000000004000 1416313201.759861 1416313201.759861 0.000000 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 45598 10.20.0.125 04 "Private network" 135 6 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0x0013 65535 0 64 64 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3916203706 0 0 0 0 0 0 0 29200 29200 29200 29200 0 0 0 0 0x0002 0x1000 1 5 0x0000011e 1460 0 0x0000 0x00 0 0x00 3993266 0 0.004 15973.064759 1416297228.695103 0 65535 0 0 0 0 0 0x03
...
tawk '$numPktsSnt > 1' ~/results/nmap_v_sT_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpFStat ipMindIPID ipMaxdIPID ipMinTTL ipMaxTTL ipTTLChg ipToS ipFlags ipOptCnt ipOptCpCl_Num ip6OptCntHH_D ip6OptHH_D tcpISeqN tcpPSeqCnt tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpBFlgtMx tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt tcpFlags tcpAnomaly tcpOptPktCnt tcpOptCnt tcpOptions tcpMSS tcpWS tcpMPTBF tcpMPF tcpMPAID tcpMPdssF tcpTmS tcpTmER tcpEcI tcpUtm tcpBtm tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAve tcpRTTAckTripJitAve tcpRTTSseqAA tcpRTTAckJitAve tcpStatesAFlags
A 1035 0x0400100000004000 1416313207.526140 1416313209.202341 1.676201 1 3 eth:ipv4:udp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56907 10.20.0.125 04 "Private network" 41661 17 4 0 1200 0 300 300 300 0 0 0.571979 0.4190502 0.1840924 2.386349 715.9046 1 1 0x0001 0 0 51 51 0 0x00 0x0000 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x0000 0x0000 0 0 0x00000000 0 0 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0 65535 0 0 0 0 0 0x00
A 1036 0x0400000000004000 1416313207.600509 1416313209.299168 1.698659 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56862 10.20.0.125 04 "Private network" 41089 6 4 0 0 0 0 0 0 0 0 0.58213 0.4246647 0.1861713 2.354799 0 1 0 0x0013 14560 41214 40 53 3 0x00 0x0004 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2449289213 0 0 0 0 0 0 0 31337 31337 31337 31337 0 0 0 0 0x0002 0x1000 4 20 0x0000011e 265 0 0x0000 0x00 0 0x00 4294967295 0 0.01 42949671.990000 1373363537.309168 0 65535 0 0 0 0 0 0x03
A 1037 0x0400000000004000 1416313207.670968 1416313209.394928 1.723960 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56863 10.20.0.125 04 "Private network" 41089 6 4 0 0 0 0 0 0 0 0 0.582315 0.43099 0.187417 2.320239 0 1 0 0x0013 723 11955 50 54 2 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2449289213 4 0 0 4 0 3 0 32768 32768 32768 32768 0 0 0 0 0x0010 0x0008 4 20 0x0000011e 265 0 0x0000 0x00 0 0x00 4294967295 0 0.01 42949671.990000 1373363537.404928 0 65535 0 0 0 0 0 0x03
A 1038 0x0400000000004000 1416313207.768806 1416313209.490977 1.722171 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56864 10.20.0.125 04 "Private network" 41089 6 4 0 0 0 0 0 0 0 0 0.579505 0.4305428 0.1871625 2.32265 0 1 0 0x0013 5943 47665 43 56 3 0x00 0x0004 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2449289213 0 0 0 0 0 0 0 65535 65535 65535 65535 0 0 0 0 0x8029 0x1000 4 20 0x0000011e 265 0 0x0000 0x00 0 0x00 4294967295 0 0.01 42949671.990000 1373363537.500977 0 65535 0 0 0 0 0 0x83
A 1034 0x0400000000004000 1416313207.399029 1416313213.771996 6.372967 1 3 eth:ipv4:icmp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 0 10.20.0.125 04 "Private network" 0 1 16 0 2160 0 120 150 135 13.60319 0 3.084397 0.3983104 0.6733372 2.510605 338.9316 1 1 0x0001 24122 39230 37 59 14 0x04 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x0000 0x0000 0 0 0x00000000 0 0 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0 65535 0 0 0 0 0 0x00
A 1039 0x0400100000004000 1416313212.383429 1416313213.855100 1.471671 1 3 eth:ipv4:udp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56907 10.20.0.125 04 "Private network" 44093 17 4 0 1200 0 300 300 300 0 0 0.497902 0.3679178 0.1605711 2.717999 815.3997 1 1 0x0001 0 0 56 56 0 0x00 0x0000 0 0x00_0x00000000 0_0 0x00000000_0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0x0000 0x0000 0 0 0x00000000 0 0 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0 65535 0 0 0 0 0 0x00
A 1040 0x0400000000004000 1416313212.449125 1416313213.938839 1.489714 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56862 10.20.0.125 04 "Private network" 36508 6 4 0 0 0 0 0 0 0 0 0.50196 0.3724285 0.1617426 2.685079 0 1 0 0x0013 3237 53852 43 57 3 0x00 0x0004 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3748830669 0 0 0 0 0 0 0 31337 31337 31337 31337 0 0 0 0 0x0002 0x1000 4 20 0x0000011e 265 0 0x0000 0x00 0 0x00 4294967295 0 0.01 42949671.990000 1373363541.948839 0 65535 0 0 0 0 0 0x03
A 1041 0x0400000000004000 1416313212.530015 1416313214.021189 1.491174 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56863 10.20.0.125 04 "Private network" 36508 6 4 0 0 0 0 0 0 0 0 0.498118 0.3727935 0.1617746 2.68245 0 1 0 0x0013 10342 29962 41 52 3 0x00 0x0044 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3748830669 4 0 0 4 0 3 0 32768 32768 32768 32768 0 0 0 0 0x0010 0x0008 4 20 0x0000011e 265 0 0x0000 0x00 0 0x00 4294967295 0 0.01 42949671.990000 1373363542.031189 0 65535 0 0 0 0 0 0x03
A 1042 0x0400000000004000 1416313212.619118 1416313214.101341 1.482223 1 3 eth:ipv4:tcp e0:3f:49:7e:59:79 00:00:5e:00:01:11 0x0800 10.20.6.125 04 "Private network" 56864 10.20.0.125 04 "Private network" 36508 6 4 0 0 0 0 0 0 0 0 0.494521 0.3705558 0.1608062 2.698649 0 1 0 0x0013 3455 6768 47 56 3 0x00 0x0004 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3748830669 0 0 0 0 0 0 0 65535 65535 65535 65535 0 0 0 0 0x8029 0x1000 4 20 0x0000011e 265 0 0x0000 0x00 0 0x00 4294967295 0 0.01 42949671.990000 1373363542.111341 0 65535 0 0 0 0 0 0x83
The value tcpFlags=0x0002, i.e. only the SYN bit seen during the whole flow, together with numPktsRcvd=0, is another selector for unsuccessful SYN scan flows: the SYN was never answered, so there is no B flow. The aggregated tcpFlags in the end report say the same about the bulk of the traffic. The listing of flows with more than one packet shows what else nmap did: flows 1037 and 1041 carry only ACKs (tcpFlags=0x0010, tcpAnomaly=0x0008, duplicate ACK), and flows 1038 and 1042 have tcpFlags=0x8029, i.e. FIN, PSH and URG plus T2's Xmas bit 0x8000, which is where the 0x8000 in the aggregated value comes from.
Odd are the initial window sizes of 31337, 32768 and 65535, the MSS of 265, and the TTL and IP ID changing inside a single flow (ipTTLChg, ipMindIPID/ipMaxdIPID); a normal host stack does not behave like that, these packets were crafted. The TTL of 64 in the plain SYN flows points to a Linux platform. Is it malicious?
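To turn the bit tables and the tawk selectors above into something an analyst can act on, here is an added Python example (not code from the T2 tutorial or from the tcpFlags plugin) that parses a T2 flow file by column name, decodes tcpFlags and tcpAnomaly, and aggregates unanswered SYN, lone ACK and Xmas-flagged flows per source host, counting TTL changes along the way. The sample rows are constructed: a subset of the columns, with values modeled on the nmap_v_sT output above plus one made-up benign flow pair; the port threshold of five distinct destination ports is an assumed value to tune.

```python
"""Scan triage over a Tranalyzer (T2) flow file.

Added example, not code from the T2 tutorial or the tcpFlags plugin: decodes the
tcpFlags / tcpAnomaly bit fields explained above and aggregates suspicious flows
per source host before anything is called a scan.
"""
from collections import defaultdict

# Bit layout from the tcpFlags table above. Bits 0-5 are the TCP header flags in
# standard order, so RST = 0x0004 is included; bit 15 is T2's Xmas/malicious
# channel bit. tcpAnomaly bit 12 is "Scan detected in flow".
TCP_FLAG_NAMES = {
    0x0001: "FIN", 0x0002: "SYN", 0x0004: "RST", 0x0008: "PSH",
    0x0010: "ACK", 0x0020: "URG", 0x8000: "XMAS",
}
TCP_ANOMALY_SCAN = 0x1000

# Constructed sample: a column subset of a flow file, values modeled on the
# nmap_v_sT rows above plus a made-up benign flow pair (10.20.6.200). The header
# keeps T2's "%dir" convention, so parse_flow_file() works on a real file too.
_COLS = ("dir flowInd srcIP srcPort dstIP dstPort l4Proto numPktsSnt numPktsRcvd "
         "ipMinTTL ipMaxTTL ipTTLChg tcpInitWinSz tcpFlags tcpAnomaly")
_ROWS = [
    "A 1    10.20.6.125 54118 10.20.0.125 587   6  1  0  64 64 0 29200 0x0002 0x1000",
    "A 2    10.20.6.125 33056 10.20.0.125 1720  6  1  0  64 64 0 29200 0x0002 0x1000",
    "A 5    10.20.6.125 50322 10.20.0.125 995   6  1  0  64 64 0 29200 0x0002 0x1000",
    "A 6    10.20.6.125 45384 10.20.0.125 135   6  1  0  64 64 0 29200 0x0002 0x1000",
    "A 1037 10.20.6.125 56863 10.20.0.125 41089 6  4  0  50 54 2 32768 0x0010 0x0008",
    "A 1038 10.20.6.125 56864 10.20.0.125 41089 6  4  0  43 56 3 65535 0x8029 0x1000",
    "A 1035 10.20.6.125 56907 10.20.0.125 41661 17 4  0  51 51 0 0     0x0000 0x0000",
    "A 2000 10.20.6.200 40222 10.20.0.125 443   6  12 10 64 64 0 29200 0x001b 0x0000",
    "B 2000 10.20.0.125 443   10.20.6.200 40222 6  10 12 63 63 0 28960 0x001b 0x0000",
]
SAMPLE_FLOWS = ("%" + "\t".join(_COLS.split()) + "\n"
                + "\n".join("\t".join(r.split()) for r in _ROWS) + "\n")


def parse_flow_file(text):
    """Parse T2's tab-separated flow file into one dict per flow, keyed by the
    column names of the '%dir ...' header line (leading '%' stripped)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]
            if not ln.startswith("#")]


def decode_flags(value):
    """Expand a hex tcpFlags value such as '0x8029' into its set bit names;
    bits without a name in the table are kept as a hex remainder."""
    v = int(value, 16)
    names = [name for bit, name in sorted(TCP_FLAG_NAMES.items()) if v & bit]
    rest = v & ~sum(TCP_FLAG_NAMES)
    return names + ([f"0x{rest:04x}"] if rest else [])


def classify_flow(row):
    """Label one A-direction TCP flow, or return None if it looks benign."""
    if row["dir"] != "A" or row["l4Proto"] != "6":
        return None
    flags = int(row["tcpFlags"], 16)
    anomaly = int(row["tcpAnomaly"], 16)
    unanswered = int(row["numPktsRcvd"]) == 0
    if flags & 0x8000:
        return "xmas"                 # FIN/PSH/URG style probe, T2's bit 15
    if flags == 0x0002 and unanswered:
        return "syn_unanswered"       # lone SYN, no B flow: closed/filtered port
    if flags == 0x0010 and unanswered:
        return "ack_probe"            # lone ACKs into the void: firewall probing
    if anomaly & TCP_ANOMALY_SCAN:
        return "scan_flagged"         # T2's own verdict with another flag pattern
    return None


def summarize(rows, port_threshold=5):
    """Aggregate suspicious flows per source IP. port_threshold (an assumed
    value, tune it) is the number of distinct destination ports touched by
    suspicious flows before a source is called a scanner."""
    per_src = defaultdict(lambda: {"syn_unanswered": 0, "xmas": 0, "ack_probe": 0,
                                   "scan_flagged": 0, "ttl_changed": 0,
                                   "dst_ports": set()})
    for row in rows:
        label = classify_flow(row)
        if label is None:
            continue
        s = per_src[row["srcIP"]]
        s[label] += 1
        s["dst_ports"].add(int(row["dstPort"]))
        if int(row["ipTTLChg"]) > 0:
            s["ttl_changed"] += 1     # TTL varying inside one flow: crafted packets
    return {src: {**s, "dst_ports": sorted(s["dst_ports"]),
                  "is_scanner": len(s["dst_ports"]) >= port_threshold}
            for src, s in per_src.items()}


def summarize_file(path, **kw):
    """Same triage over a real flow file, e.g. ~/results/nmap_v_sT_flows.txt."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize(parse_flow_file(fh.read()), **kw)


if __name__ == "__main__":
    for src, stats in summarize(parse_flow_file(SAMPLE_FLOWS)).items():
        print(src, stats)
    print("flow 1038 tcpFlags 0x8029 =", decode_flags("0x8029"))
```

On the real file, summarize_file("~/results/nmap_v_sT_flows.txt" expanded with os.path.expanduser) gives one entry for 10.20.6.125 with roughly a thousand unanswered SYNs; the benign 10.20.6.200 pair in the sample never appears in the result because completed handshakes with data in both directions are not labeled. Note that a lone unanswered SYN is weak evidence on its own (a dead host produces the same), which is why the verdict is tied to the count of distinct destination ports rather than to single flows.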
Conclusion
You may now reset the whole configuration of T2 to ensure that in the next tutorial all flags are properly set to default.
t2conf --reset -a
Look at the other pcaps and check out the scan alarms.
Have fun!