Tutorial: IP/TCP Troubleshooting

Keywords: IP, IPv4, IPv6, layer 3, layer 4, TCP, troubleshooting

IP/TCP header features

In this tutorial we will show you the hidden power of layers 3/4 for troubleshooting, security and admin applications. Everything is integrated in one plugin: tcpFlags. Its name is a bit misleading, as it evolved during practical application from a simple TCP flags decoder into a full-blown L3/4 troubleshooting plugin. It provides the following features:

  • TCP warning bits for troubleshooting, similar to Wireshark/TShark
  • OS and application fingerprinting (TTL, initial window size, flags)
  • Host load estimation (IPv4 IPID)
  • L3/4 options
  • Sequence/Acknowledge Number Tricks
  • NAT flow bundling: boot time estimation, host clock estimation (OS fingerprinting)
  • Multipath TCP (MPTCP)
  • Trip and Round Trip Time (RTT), jitter estimation
  • L3/4 checksum evaluation
  • Protocol anomalies
  • Fragmentation anomalies
  • Flow health: window size statistics, bytes in flight
  • Scan detection support

If you read The Basics tutorial, you already had a glimpse of some basic features of tcpFlags. Here we will explain how to apply them. Note that you need tcpFlags plugin version 0.8.14 or higher, so that the output on your command line matches the website.

Preparation

First, restore T2 to a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow tcpFlags tcpStates txtSink

...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, do it now in another bash window; it makes the workflow easier:

mkdir ~/data ~/results

The sample PCAPs used in this tutorial can be downloaded here:

Please save them in your ~/data folder.

Now you are all set!

tcpFlags default

Let’s start with tcpFlags in minimal mode.

With version 0.8.14, the tcpFlags anomaly bits moved closer to Wireshark's expert info and the flag bits for the TCP header changed. The IP ToS byte can now be represented in different forms.

A lot is different now, but a bit easier to interpret for the troubleshooter.

Nevertheless, the configuration switches stayed the same. Open tcpFlags.h in the tcpFlags plugin folder (typing the plugin name on the shell changes into that folder if the t2_aliases are loaded):

tcpFlags

vi src/tcpFlags.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define IPTOS            0 // IPv4 ToS / IPv6 Class:
                           //   0: IP ToS hex
                           //   1: DSCP_ECN dec
                           //   2: Precedence(1-7)_ECN

#define RTT_ESTIMATE     1 // 1: Round trip time estimation
#define IPCHECKSUM       2 // Checksum calculation
                           //   0: No checksum calculation
                           //   1: Calculation of L3 (IP) header checksum
                           //   2: Calculation of L3 (IP) and L4 (TCP, UDP, ...) checksum

#define WINDOWSIZE       1 // 1: Calculation of TCP window size parameters
#define WINMIN           1 // Minimal window size threshold defining a healthy communication
                           // (only packets below the threshold are counted)
#define SEQ_ACK_NUM      1 // 1: SEQ/ACK number feature analysis
#define FRAG_ANALYZE     1 // 1: Fragmentation analysis
#define NAT_BT_EST       1 // 1: NAT boot time estimation
#define SCAN_DETECTOR    1 // 1: Scan flow detector
#define MPTCP            1 // 1: Dissect MPTCP

// The following options require SEQ_ACK_NUM = 1

#define SPKTMD_SEQACKREL 0 // SEQ/ACK numbers representation (-s option):
                           //   0: absolute,
                           //   1: relative

#define SPKTMD_SEQACKHEX 0 // SEQ/ACK numbers representation (-s option):
                           //   0: uint32_t
                           //   1: hex32

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

The constants SPKTMD_SEQACKREL and SPKTMD_SEQACKHEX only affect packet mode: they select absolute or relative SEQ/ACK numbers and their decimal or hex representation, see the packet mode tutorial. All the other switches are discussed in the following chapters. First, let's look at the end report.

Now invoke t2 with the -s option (packet mode):

t2 -r ~/data/faf-exercise.pcap -w ~/results/ -s

================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 23548
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: tcpFlags, 0.8.14
    03: tcpStates, 0.8.14
    04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/faf-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1258544215.037210 sec (Wed 18 Nov 2009 11:36:55 GMT)
Dump stop : 1258594491.683288 sec (Thu 19 Nov 2009 01:34:51 GMT)
Total dump duration: 50276.646078 sec (13h 57m 56s)
Finished processing. Elapsed time: 0.035239 sec
Finished unloading flow memory. Time: 0.035283 sec
Percentage completed: 100.00%
Number of processed packets: 5902 (5.90 K)
Number of processed bytes: 4993414 (4.99 M)
Number of raw bytes: 4993414 (4.99 M)
Number of pcap bytes: 5087870 (5.09 M)
Number of IPv4 packets: 5902 (5.90 K) [100.00%]
Number of A packets: 1986 (1.99 K) [33.65%]
Number of B packets: 3916 (3.92 K) [66.35%]
Number of A bytes: 209315 (209.31 K) [4.19%]
Number of B bytes: 4784099 (4.78 M) [95.81%]
Average A packet load: 105.40
Average B packet load: 1221.68 (1.22 K)
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x0044
tcpFlags: Aggregated tcpFStat=0x4ff1
tcpFlags: Aggregated tcpFlags=0x071f
tcpFlags: Aggregated tcpAnomaly=0x02cc
tcpFlags: Number of TCP SYN retries, seq retries: 0, 27
tcpFlags: Number WinSz below 1: 3 [0.05%]
tcpStates: Aggregated tcpStatesAFlags=0x4a
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 5902 (5.90 K) [100.00%]
Number of TCP bytes: 4993414 (4.99 M) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 72
Number of processed A flows: 36 [50.00%]
Number of processed B flows: 36 [50.00%]
Number of request     flows: 36 [50.00%]
Number of reply       flows: 36 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 81.97
Number of processed A packets/flows: 55.17
Number of processed B packets/flows: 108.78
Number of processed total packets/s: 0.12
Number of processed A+B   packets/s: 0.12
Number of processed A     packets/s: 0.04
Number of processed   B   packets/s: 0.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.00
Average full raw bandwidth: 795 b/s
Average full bandwidth : 792 b/s
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows

Between the dashed lines tcpFlags reports the aggregate (the OR over all flows) of the flow bit fields ipFlags, tcpFStat, tcpFlags and tcpAnomaly, the SYN and sequence retry counts, and the number of packets whose window size fell below the WINMIN threshold.

Note that the bits are now grouped strictly by topic: window state (tcpFStat), TCP flags (tcpFlags), IP header (ipFlags) and TCP anomalies (tcpAnomaly). The scan-detection bits moved to tcpFlags, which became a 16-bit field, so flag combinations such as FIN_ACK now live in the upper byte of the tcpFlags status bit field.

Let’s have a look at them:

tawk -V tcpFStat=0x4ff1 -V ipFlags=0x0044 -V tcpFlags=0x071f -V tcpAnomaly=0x02cc

The tcpFStat column with value 0x4ff1 is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     4 | 0x0010   | Window state-machine initialized
     5 | 0x0020   | Window update
     6 | 0x0040   | Win 0 probe
     7 | 0x0080   | Win 0 probe ACK
     8 | 0x0100   | Min Window detected
     9 | 0x0200   | WS used
    10 | 0x0400   | Window full
    11 | 0x0800   | Window state-machine count up(1)/down(0)
    14 | 0x4000   | TCP Selective ACK Option


The ipFlags column with value 0x0044 is to be interpreted as follows:

   bit | ipFlags | Description
   =============================================================================
     2 | 0x0004  | IPv4 ID roll over
     6 | 0x0040  | IPv4: Don't Fragment bit, IPv6: reserve bit


The tcpFlags column with value 0x071f is to be interpreted as follows:

   bit | tcpFlags | Description
   =============================================================================
     0 | 0x0001   | FIN: No more data, finish connection
     1 | 0x0002   | SYN: Synchronize sequence numbers
     2 | 0x0004   | RST: Reset connection
     3 | 0x0008   | PSH: Push data
     4 | 0x0010   | ACK: Acknowledgement field value valid
     8 | 0x0100   | FIN_ACK: Acknowledgement of FIN
     9 | 0x0200   | SYN_ACK: Acknowledgement of SYN
    10 | 0x0400   | RST_ACK: Acknowledgement of RST


The tcpAnomaly column with value 0x02cc is to be interpreted as follows:

   bit | tcpAnomaly | Description
   =============================================================================
     2 | 0x0004     | SEQ Fast retransmission
     3 | 0x0008     | Duplicate ACK
     6 | 0x0040     | Sequence number out-of-order
     7 | 0x0080     | Sequence mess, rather spurious Retransmission
     9 | 0x0200     | Previous packet not captured

Some duplicate ACKs together with SEQ fast retransmissions: packets were lost and retransmitted. Because WINMIN=1, the warning Min Window detected means that an advertised window dropped below 1, i.e. hit 0, so a receiver-side buffer overflowed. Win 0 probe indicates that the zero window lasted long enough for the sender to start probing the receiver; Win 0 probe ACK is the receiver's answer, still advertising window 0. Window full means that the sender has as many bytes in flight as the receiver advertised, so it cannot send more until an ACK arrives; compare tcpBFlgtMx with tcpMaxWinSz in the flow file.
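The window bookkeeping behind those bits, as an added example (not code from the tcpFlags plugin): a minimal tracker of one direction's bytes in flight against the window advertised by the other side. The segment sequence is constructed by hand, window values are assumed to be already scaled, and the flag names are this example's own, chosen to mirror the tcpFStat descriptions above.

```python
# Added example, not part of tcpFlags: track A's bytes in flight against the
# window B advertises and raise the same kinds of warnings tcpFStat carries.
from dataclasses import dataclass, field
from typing import Optional, Set

WINMIN = 1  # same role as WINMIN in tcpFlags.h: windows below this count as unhealthy


@dataclass
class Segment:
    sender: str   # "A" sends data, "B" acknowledges and advertises its window
    seq: int      # sequence number of the first payload byte
    length: int   # payload bytes
    ack: int      # acknowledgement number
    win: int      # advertised receive window, assumed already multiplied by the scale


@dataclass
class WindowTracker:
    snd_una: Optional[int] = None   # oldest byte of A not yet acknowledged by B
    snd_nxt: Optional[int] = None   # next byte A will send
    rcv_win: Optional[int] = None   # last window B advertised
    last_ack: Optional[int] = None  # last ack number seen from B
    probe_seen: bool = False
    max_in_flight: int = 0          # what tcpBFlgtMx reports per flow
    flags: Set[str] = field(default_factory=set)

    def bytes_in_flight(self) -> int:
        if self.snd_una is None or self.snd_nxt is None:
            return 0
        return self.snd_nxt - self.snd_una

    def feed(self, s: Segment) -> None:
        if s.sender == "B":
            self._feed_ack(s)
        else:
            self._feed_data(s)

    def _feed_ack(self, s: Segment) -> None:
        if self.rcv_win is not None and s.length == 0 and s.ack == self.last_ack:
            # Pure ACK that acknowledges nothing new: either the answer to a
            # zero-window probe (window still 0) or a window update (window grew).
            if s.win == 0 and self.probe_seen:
                self.flags.add("win0_probe_ack")
            elif s.win > self.rcv_win:
                self.flags.add("window_update")
        if s.win < WINMIN:
            self.flags.add("min_window")  # window hit 0: receiver buffer is full
        self.rcv_win = s.win
        self.last_ack = s.ack
        if self.snd_una is None or s.ack > self.snd_una:
            self.snd_una = s.ack

    def _feed_data(self, s: Segment) -> None:
        if self.snd_una is None:
            self.snd_una = s.seq
        if self.snd_nxt is None:
            self.snd_nxt = s.seq
        if self.rcv_win == 0 and s.length == 1:
            # one byte pushed into a closed window: a zero-window probe
            self.flags.add("win0_probe")
            self.probe_seen = True
        self.snd_nxt = max(self.snd_nxt, s.seq + s.length)
        bif = self.bytes_in_flight()
        self.max_in_flight = max(self.max_in_flight, bif)
        if self.rcv_win and bif >= self.rcv_win:
            self.flags.add("window_full")  # sender used every byte the receiver allowed


def analyze(segments):
    tracker = WindowTracker()
    for s in segments:
        tracker.feed(s)
    return tracker


# Constructed exchange: B opens a 2000-byte window, A fills it, B's buffer
# overflows (window 0), A probes, B acks the probe, then B re-opens the window.
SAMPLE = [
    Segment("B", 5000, 0, 1000, 2000),
    Segment("A", 1000, 1000, 5000, 8192),
    Segment("A", 2000, 1000, 5000, 8192),
    Segment("B", 5000, 0, 3000, 0),
    Segment("A", 3000, 1, 5000, 8192),
    Segment("B", 5000, 0, 3000, 0),
    Segment("B", 5000, 0, 3000, 4000),
]

if __name__ == "__main__":
    t = analyze(SAMPLE)
    print(sorted(t.flags), "max bytes in flight:", t.max_in_flight)
```

The first three segments alone already trigger window_full: 2000 bytes in flight against a 2000-byte window is exactly the situation in which a lost ACK stalls the sender, which is why tcpBFlgtMx is worth comparing against tcpMaxWinSz.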

OS Fingerprinting

The L3/4 headers still provide some information to estimate the operating system of the sending host. All these parameters are included in the flow and packet file output, such as:

  • TTL (ipMinTTL, ipMaxTTL, ipTTLChg): minimal/maximal TTL, number of TTL changes during the flow lifetime
  • Initial window size (tcpInitWinSz): only valid if the 3-way handshake was captured
  • tcpOptions: aggregated in the flow file, or per packet in packet mode as hex or human-readable interpretation

If you load the OS fingerprinting plugin tp0f, several other parameters are used as well, and the rounding of the observed TTL up to the next higher 2^n value (the likely initial TTL of the sender) is already done for you. If you are hard core, just take the parameters from tcpFlags and do the calculations by heart.
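The "by heart" calculation, as an added example that is not part of tcpFlags or tp0f. It assumes the well-known initial TTLs 64, 128 and 255, and that bit n of tcpOptions is set when TCP option kind n was seen in the flow; the flow values are copied from flows 15 and 33 of the table further below, and the signature format is this example's own.

```python
# Added example (not plugin code): initial TTL / hop distance from the observed
# TTL, tcpOptions bit field decoding and a compact fingerprint signature.
INITIAL_TTLS = (64, 128, 255)  # assumption: the usual OS defaults

# IANA TCP option kinds; assumption: tcpOptions bit n == option kind n seen
TCP_OPTION_KINDS = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACK_PERM",
                    5: "SACK", 8: "TS", 30: "MPTCP"}


def guess_initial_ttl(observed: int):
    """Round the observed TTL up to the next well-known initial TTL and
    return (initial_ttl, hop_distance). Use ipMaxTTL: it is closest to the origin."""
    if not 0 < observed <= 255:
        raise ValueError("TTL out of range")
    for init in INITIAL_TTLS:
        if observed <= init:
            return init, init - observed
    raise AssertionError("unreachable: 255 is the largest initial TTL")


def decode_tcp_options(bitfield: int):
    """Names of the option kinds whose bit is set, unknown kinds as kind<n>."""
    return [TCP_OPTION_KINDS.get(k, f"kind{k}")
            for k in range(32) if (bitfield >> k) & 1]


def signature(flow: dict) -> str:
    """initTTL:initWinSz:MSS:WS:options. Only meaningful when the 3-way
    handshake was captured, otherwise tcpInitWinSz is not the SYN window."""
    init_ttl, _hops = guess_initial_ttl(flow["ipMaxTTL"])
    opts = ",".join(decode_tcp_options(flow["tcpOptions"]))
    return f"{init_ttl}:{flow['tcpInitWinSz']}:{flow['tcpMSS']}:{flow['tcpWS']}:{opts}"


# Values copied from flows 15 (mail server, TTL 64) and 33 (client, TTL 128)
FLOW_15 = dict(ipMaxTTL=64, tcpInitWinSz=65535, tcpMSS=1460, tcpWS=8, tcpOptions=0x1e)
FLOW_33 = dict(ipMaxTTL=128, tcpInitWinSz=65535, tcpMSS=1460, tcpWS=1, tcpOptions=0x16)

if __name__ == "__main__":
    for name, flow in (("flow 15", FLOW_15), ("flow 33", FLOW_33)):
        init, hops = guess_initial_ttl(flow["ipMaxTTL"])
        print(name, signature(flow), "hops:", hops)
```

Two caveats a practitioner should keep in mind: a host whose packets traverse many hops can be mistaken for the next lower initial TTL class (a TTL of 60 reads as 64 minus 4 hops, but could also be 128 minus 68 on a very long path), and the hop count is only relative to the capture point, not to the final destination.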

Host load estimation

I hate IPv6! Why? Because its base header has no IP ID any more (it only survives in the Fragment extension header). And I hate operating systems which do not increment the IP ID by 1 for each packet sent. Why? Because it is an excellent parameter to estimate the load of a server: if the IP ID increments by a large value between two packets of one flow, the host must have sent many packets to other peers in between, so it has a lot of work to do.

  • IPv4 (ipMindIPID, ipMaxdIPID): minimal/maximal IP ID increment between consecutive packets during the flow lifetime.

There are still operating systems which increment the IP ID by 1 per packet, so if ipMindIPID is small (1 or 2), ipMaxdIPID is an indicator of the host load: every extra unit is a packet the host sent elsewhere in the meantime. Randomised IP IDs, as in the B flows of the mail server below with minimal increments in the thousands, carry no load information at all.
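An added example (not plugin code) of how ipMindIPID/ipMaxdIPID come about and how to read them: increments are taken modulo 2^16 so a roll-over (ipFlags bit 2) does not produce a bogus maximum, and a load estimate is only attempted when the host looks like a global per-packet counter. Both ID sequences are constructed.

```python
# Added example, not part of tcpFlags: IPv4 ID increments of one flow and the
# host-load reading that the tutorial derives from them.

def ipid_deltas(ids):
    """Increments between consecutive IPv4 IDs, modulo 2^16, plus whether the
    16-bit counter rolled over (what ipFlags reports as 'IPv4 ID roll over')."""
    deltas, rollover = [], False
    for prev, cur in zip(ids, ids[1:]):
        deltas.append((cur - prev) & 0xFFFF)
        if cur < prev:
            rollover = True
    return deltas, rollover


def host_load(ids):
    """ipMindIPID/ipMaxdIPID style summary plus a load estimate."""
    deltas, rollover = ipid_deltas(ids)
    if not deltas:
        return None
    mn, mx = min(deltas), max(deltas)
    # A global per-packet counter yields a minimal increment of 1 (or 2 with an
    # occasional interleaved packet). Increments of 0 (ID unused, e.g. DF set),
    # random IDs, or a per-destination counter tell nothing about total load.
    sequential = mn in (1, 2)
    return {
        "ipMindIPID": mn,
        "ipMaxdIPID": mx,
        "rollover": rollover,
        "sequential": sequential,
        # every unit above 1 is a packet sent to some other peer in between
        "other_pkts_between": sum(d - 1 for d in deltas) if sequential else None,
    }


# Constructed: a host counting 1 per packet that wraps at 65535 ...
SEQUENTIAL_HOST = [65530, 65531, 65535, 3, 4]
# ... and a host with randomised IDs (shape of the mail server's B flows)
RANDOM_HOST = [811, 52183, 40000, 30475]

if __name__ == "__main__":
    print(host_load(SEQUENTIAL_HOST))
    print(host_load(RANDOM_HOST))
```

A few packets are not enough to tell random from sequential with confidence; on a real flow check that the minimal increment stays at 1 over dozens of packets before trusting the count of packets sent elsewhere.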

Another indication are the number of flows per host. Have a look at the connStat plugin tutorial.

tcpFlags troubleshooting TCP connections

Basically the status bit fields tcpFStat and tcpAnomaly flag flows in trouble. Let's have a look at all flows with duplicate ACKs or fast retransmissions (tcpAnomaly bits 2 and 3, mask 0x000c). In the flow file you will notice a new column, tcpBFlgtMx: the maximum number of TCP bytes in flight of that flow. Why are mostly B flows listed? Because a duplicate ACK is sent by the receiver of the data, so the segment went missing in the A direction, right?

tawk 'bitsanyset($tcpAnomaly, 0x000c)' ~/results/faf-exercise_flows.txt | tcol

%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP          srcIPCC  srcIPOrg           srcPort  dstIP           dstIPCC  dstIPOrg                       dstPort  l4Proto  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipToS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpBFlgtMx  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpMPTBF  tcpMPF  tcpMPAID  tcpMPdssF  tcpTmS  tcpTmER  tcpEcI  tcpUtm    tcpBtm    tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStatesAFlags
B     12       0x0400000000004001  1258563573.941709  1258563576.594045  2.652336   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1397     6        0x0011    14578       41494       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1702698086  29          1440            0               30          2943                   1               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    0      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000452       0.000295          2.176203          0.1305968         0.4659222            0.1459511     0.4690861        0x08
B     13       0x0400000000004001  1258565030.304696  1258565030.420877  0.116181   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1749     6        0x0011    16590       55298       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  645942508   29          1405            0               30          5679                   2               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    0      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000205       0.000205          0.002954          0.000904579       0.0007303541         0.004287212   0.01039787       0x08
B     14       0x0400000000004001  1258565174.919179  1258565175.037828  0.118649   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1755     6        0x0011    33510       47342       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  328872932   27          1405            0               28          2357                   1               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    0      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000454       0.000212          0.005176          0.001105353       0.001147219          0.004723745   0.01078533       0x08
B     15       0x0400000000004001  1258565820.302128  1258565821.898612  1.596484   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49218    6        0x0a11    811         52183       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  652739796   29          1519            0               29          4899                   2               852         65535         524219.4     65535        524280       1               2              2                  0             0x031b    0x0008      1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.0002         0.0002            1.393001          0.08960117        0.2993275            0.09602135    0.3002903        0x00
B     16       0x0400000000004001  1258565880.189338  1258565880.212279  0.022941   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49219    6        0x0a11    11001       47310       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1405763652  30          799             0               30          4429                   2               166         65535         524225.7     65535        524280       1               2              2                  0             0x031b    0x0008      1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000152       0.000152          0.002171          0.0006970555      0.0005016186         0.001095556   0.001520281      0x00
B     17       0x0400000000004001  1258566050.124650  1258566050.238828  0.114178   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49220    6        0x0a11    19206       47121       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  916601873   27          1466            0               27          2750                   2               852         65535         524220.3     65535        524280       1               2              2                  0             0x031b    0x0008      1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000189       0.000189          0.003915          0.0009691875      0.0009807491         0.004689854   0.01158726       0x00
B     18       0x0400000000004001  1258566123.706462  1258566123.739692  0.033230   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1806     6        0x0011    63527       61713       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  925488549   28          1370            0               28          4371                   2               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000206       0.000174          0.003023          0.0009781176      0.0006968529         0.001666868   0.00209575       0x00
B     19       0x0400000000004001  1258567109.383558  1258567113.574642  4.191084   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1400     6        0x0011    25388       44643       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1816175150  25          1370            0               26          1522                   1               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000202       0.000102          3.94484           0.2614954         0.8918523            0.2686044     0.8921642        0x08
B     20       0x0400000000004001  1258567248.261635  1258567248.374809  0.113174   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1404     6        0x0011    28675       64081       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  113675184   28          1370            0               28          5247                   2               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000201       0.000201          0.002394          0.0008873334      0.0005642879         0.004495226   0.010784         0x00
B     21       0x0400000000004001  1258567289.262156  1258567289.283642  0.021486   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1405     6        0x0011    58923       49123       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  6599705     28          632             0               28          5796                   1               166         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000206       0.000206          0.001728          0.0006774737      0.0003368751         0.001090795   0.001555589      0x00
B     22       0x0400000000004001  1258567757.457805  1258567757.572984  0.115179   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49336    6        0x0a11    52210       51969       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  226877106   27          1466            0               27          2430                   2               852         65535         524228.2     65535        524280       1               2              2                  0             0x031b    0x0008      1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000196       0.000196          0.004918          0.0009666248      0.001149992          0.004713143   0.01161447       0x00
B     23       0x0400000000004001  1258568036.508400  1258568036.620325  0.111925   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49353    6        0x0a11    60435       51877       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1304812153  26          1466            0               27          2462                   2               852         65535         524227.5     65535        524280       1               2              2                  0             0x031b    0x0008      1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.00021        0.000141          0.003169          0.0008697333      0.0008035267         0.00472135    0.01157178       0x08
B     24       0x0400000000004001  1258568059.128711  1258568059.160696  0.031985   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1836     6        0x0011    25036       31267       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1667500374  26          1370            0               26          3372                   1               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000443       0.000247          0.003048          0.000927125       0.0006814631         0.00164151    0.002140057      0x00
B     25       0x0400000000004001  1258568667.549083  1258568667.662999  0.113916   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1709     6        0x0011    13070       63071       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1075440067  25          1370            0               26          2374                   1               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000447       0.000219          0.002757          0.001155533       0.0007415987         0.005134013   0.01097302       0x08
B     26       0x0400000000004001  1258568738.108301  1258568738.141266  0.032965   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49561    6        0x0a11    20209       59196       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1983906088  28          1466            0               28          4334                   2               852         65535         524166.4     65535        524280       2               2              3                  0             0x031b    0x0008      1             4          0x0000001e  1460    8      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000203       0.000196          0.002545          0.0008933531      0.0007415114         0.001596996   0.002200871      0x00
B     27       0x0400000000004001  1258574141.027497  1258574141.466226  0.438729   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.104   07       "Private network"              1572     6        0x0011    1033        49706       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1684028818  17          308             0               17          1021                   1               166         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000464       0.000308          0.210095          0.0226374         0.05931785           0.03517511    0.0687353        0x00
B     28       0x0400000000004001  1258577484.692644  1258577484.971707  0.279063   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.104   07       "Private network"              1604     6        0x0011    12132       53911       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1644748927  17          308             0               17          761                    1               166         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000445       0.000263          0.164624          0.0189601         0.04624642           0.02426969    0.04818752       0x00
B     29       0x0400000000004001  1258577840.949804  1258577841.204644  0.254840   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.104   07       "Private network"              1665     6        0x0011    35109       30475       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1401071890  17          308             0               17          574                    1               166         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.00045        0.000265          0.135147          0.0165157         0.03776046           0.02183446    0.0401205        0x00
B     30       0x0400000000004001  1258581757.587891  1258581758.358901  0.771010   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1934     6        0x0011    5853        51672       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  18417741    26          1370            0               27          5732                   1               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000199       0.000171          0.018873          0.002281166       0.004088756          0.02947946    0.09640119       0x08
B     31       0x0400000000004001  1258582107.588266  1258582108.822724  1.234458   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              2008     6        0x0011    61421       45039       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2088358893  25          1370            0               26          3460                   1               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000198       0.000192          0.333958          0.05834953        0.08417293           0.07774249    0.1057726        0x08
B     32       0x0400000000004001  1258583614.298161  1258583615.323218  1.025057   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1911     6        0x0011    60719       59161       64        64        0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  398501520   28          1370            0               29          7079                   2               852         65535         65535        65535        65535        0               0              0                  0             0x031b    0x0008      1             2          0x00000014  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000395       0.000195          0.139913          0.03019411        0.04022271           0.05901732    0.1140707        0x08
A     33       0x0400000000004000  1258587444.865917  1258587445.631435  0.765518   1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104  07       "Private network"  1908     198.189.255.75  us       "California State University"  80       6        0x0011    1           2           128       128       0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3626872219  23          319             0               23          95699                  1               319         65535         65535        65535        65535        0               0              0                  0             0x011b    0x0008      1             4          0x00000016  1460    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.007304       0.007047          0.573488          0.01674978        0.06118462           0.007744      0                0x02
A     36       0x0400000000004000  1258594163.408285  1258594191.015208  27.606923  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  07       "Private network"  49330    143.166.11.10   us       "Dell"                         64334    6        0x49b1    1           223         128       128       0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3392384642  1511        0               0               1511        4255056                437             0           8192          45402        0            64860        253             194            254                0.001981506   0x0416    0x0008      511           1536       0x0000003e  1460    4      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.078742       1e-06             0.67088           0.03865783        0.04056465           0.07920299    0                0x42
B     36       0x0400000000004001  1258594163.487027  1258594185.427506  21.940479  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              143.166.11.10  us       "Dell"             64334    192.168.1.105   07       "Private network"              49330    6        0x0c51    1           6365        111       111       0         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3177226489  2866        5233476         27              3099        0                      0               28980       8192          64860        8192         64860        0               1              1                  0             0x031b    0x02c4      1             4          0x00000016  1380    1      0x0000    0x00    0         0x00       0       0        0       0.000000  0.000000  0.000461       2e-06             5.587702          0.004777641       0.1447472            0.04343547    0.1503238        0x02

Have a look at flow 36, which is lit up like a Christmas tree. There are several reasons why it is such a mess:

tawk -V tcpFStat=0x49b1 -V tcpFStat=0x0c51 -V tcpAnomaly=0x02c4

The tcpFStat column with value 0x49b1 is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     4 | 0x0010   | Window state-machine initialized
     5 | 0x0020   | Window update
     7 | 0x0080   | Win 0 probe ACK
     8 | 0x0100   | Min Window detected
    11 | 0x0800   | Window state-machine count up(1)/down(0)
    14 | 0x4000   | TCP Selective ACK Option


The tcpFStat column with value 0x0c51 is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     4 | 0x0010   | Window state-machine initialized
     6 | 0x0040   | Win 0 probe
    10 | 0x0400   | Window full
    11 | 0x0800   | Window state-machine count up(1)/down(0)


The tcpAnomaly column with value 0x02c4 is to be interpreted as follows:

   bit | tcpAnomaly | Description
   =============================================================================
     2 | 0x0004     | SEQ Fast retransmission
     6 | 0x0040     | Sequence number out-of-order
     7 | 0x0080     | Sequence mess, rather spurious Retransmission
     9 | 0x0200     | Previous packet not captured

So flow A had a full buffer and reduced its window size to 0; B hit a window-full alarm and has since been probing whether the window is non-zero again so that it can send more data. Hence the retransmissions, fast and spurious, and in addition a packet is missing from the pcap.

You can follow that in the corresponding packet file:

tawk 'flow(36)' ~/results/faf-exercise_packets.txt | tcol

%pktNo  flowInd  flowStat            time               pktIAT    pktTrip   flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPOrg         srcPort  dstIP          dstIPCC  dstIPOrg         dstPort  l4Proto  ipToS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq         ack         seqMax      seqDiff  ackDiff  seqLen  ackLen  seqFlowLen  ackFlowLen  tcpMLen  tcpBFlgt  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpWS  tcpMSS  tcpTmS  tcpTmER  tcpOptLen  tcpOpts                                                      tcpStatesAFlags  l7Content
1280    36       0x0400000000004000  1258594163.408285  0.000000  0.000000  0.000000      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network  49330    143.166.11.10  us       Dell             64334    6        0x00   16259  0         0x4000  128    0x5e7f       0x5e7f       0xbd9c       0xbd9c       0x0040   0                       0                     0                 3392384642  0           3392384642  0        0        0       0       0           0           0        0          0x0010    0x0002    0x0000      8192    0      1460    0       0        12         0x02;0x04;0x05;0xb4;0x01;0x03;0x03;0x02;0x01;0x01;0x04;0x02  0x00
1281    36       0x0400000000004001  1258594163.487027  0.000000  0.078742  0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   17228  0         0x4000  111    0x6bba       0x6bba       0x738a       0x738a       0x0040   0                       0                     0                 3177226489  3392384643  3177226489  0        0        0       0       0           0           0        0          0x0010    0x0212    0x0000      8192    0      1380    0       0        8          0x02;0x04;0x05;0x64;0x01;0x01;0x04;0x02                      0x00
1282    36       0x0400000000004000  1258594163.487488  0.079203  0.000461  0.079203      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network  49330    143.166.11.10  us       Dell             64334    6        0x00   16266  7         0x4000  128    0x5e84       0x5e84       0xc2a1       0xc2a1       0x0040   0                       0                     0                 3392384643  3177226490  3392384643  1        0        0       0       0           0           0        0          0x0811    0x0010    0x0000      64860   0      1460    0       0        0                                                                       0x00
1287    36       0x0400000000004001  1258594163.644682  0.157655  0.157194  0.157655      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   18966  1738      0x4000  111    0x5f94       0x5f94       0x153a       0x153a       0x0040   0                       0                     0                 3177226490  3392384643  3177226490  1        0        0       0       0           0           1380     1380       0x0811    0x0010    0x0000      64860   0      1380    0       0        0                                                                       0x00             MZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\r\n$.......PE..L....IV:.................&...*...............@....@.................................Z.A...................................... .......@...$............@......p..t....................................................#...............................text....$.......&.................. ..`.rdata..\t....@.......*..............@..@.data...|....P.......,..............@....idata....... 
1288    36       0x0400000000004001  1258594163.644692  0.000010  0.157204  0.157665      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   18967  1         0x4000  111    0x5f93       0x5f93       0x77eb       0x77eb       0x0040   0                       0                     0                 3177227870  3392384643  3177227870  1380     0        1380    0       1380        0           2760     2760       0x0811    0x0010    0x0000      64860   0      1380    0       0        0                                                                       0x00             P.F.......\t.......tA.E.......PQ..............PQ.u....#C.;].}..].......Pj.h....V...%C.......PW..l$C.....2...j.Sh....V...%C.W...%C.j.j.h....V...%C..u....%C._^[..].U3.....(V.E..M..M..E..M..u..M..E..u.P.M..E...@..E.6....\r\PA..M....%C.f.......tD3....C..M..M..E..M..M..u...`PA..M..M..U..E...@..E.....Q...%C.f=....@^..].V......t$..5\PA....%C...u.3..t$..5`PA....%C...u.3...^.U........SVW.xPA..}...E....tS.....3........1........D.....+........,......=...........u..u..u..u...|%C._^[..]....u.j.3..v..v..v..v..u....%C.S....C..5..C.S...Dg...u.k.....P.F....Pj.j.h.. P.v$hlPA.S...%C.P.E.S.u....%C.S.5XZA.j0.u....%C..u..}..].......:...... .E.........Ha.A.......E..E.P..d$C..E....t#...t4..............w....E......|......C....g.....g...f......C.hhPA..........g.....g..Q......\.X........X.........PQ..h$C.hdPA.......Q.E..%............Q..#...........PQ.........u....%C.......E.......P..............E.....QR.@...........j\......P...........@P. #...........Pjs...C..2...PQ.Z%...........Q..".................PjcQR.2%.................QR.R.......\r..C....... 
...
1417    36       0x0400000000004001  1258594164.283560  0.000010  0.009815  0.796533      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   25964  1         0x4000  111    0x443e       0x443e       0xb0e2       0xb0e2       0x0040   0                       0                     0                 3177343790  3392384643  3177343790  1380     0        1380    0       171120      0           118680   6900       0x0811    0x0010    0x0000      64860   0      1380    0       0        0                   0x00             mH6..\t..0...4..i.Rk..xy_?..o....f7[~.E.\tC.hu.C.-. ..M=...b.E.a......&...#"......|......'m..=0.AU9RV*~X.a...z.....2.V..w.DI.=...A@:...:.,Y.Rwm..1v.....N`d.`q.p1{.K].1..*M..w......\nLX@.......jV.-?.(w"<.....v..b..2~z3.. U.f.......r..d"...o.......(..cE.....p....L(...0..L..V.......t..di.\t......C.c<;.F.IB^../"..sn.|..K.|.j.4......|~.............4..._..R.xUBs./......\P>..Jz.Fv..?..!@ul.8%Z..c....\.5.._...0...nB..C......X. W...........y.M.......L.`q\n6....C.....a..7Q...%.......%..n~..v._...4r.B..%. ..~.?HG....*.2..u.?.[TG.b...N.\n@2.\t\t.G.b7g.....A.}.B.#.C.......U.e...u.9..9]..0.$......aG.c.C..i.p:?pz...%..v...>......a@.......OScwP..U.OO....>...._..H....w..0.....]../.@.0.X ..j.!R$..b..W..Ig..x~.DgL.@;.;bs:c;.;...9m....d`u. .L.!...0.t..2 v.........]t.....5e(...r}i)..4+g......v...\r.l.R.g3.HU..&..kq....;..D..T..]\,....m.B.}.[.[.D.....sH#.M.....S50..k?.>LH.e...$.......S..-.'.R...[~.7.1.^+...\n;HD.8..>...}..R..K....xPB..W..R..K...t!.;....!7..c1..^..'..i...Z.w:.R...*.5Bw0...[...`y.o.3....w..K/.B..XS...Bp&Rq.XJ...6r\nw....M..nO./KGF).....Q....".Q...b..:.....D..p.D.!S.8.LvP.~.0D..dY...(..h......8..i.......U.jo...*.."...2..t..#.9......r.!z"R.W*FS...[.1.F..\n.U..!6.+.U7'.L........9s.I@..\$....OJ.L-..>.O........]Y....>Cb.U.W'.\. 
1418    36       0x0400000000004001  1258594164.283567  0.000007  0.009822  0.796540      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   25965  1         0x4000  111    0x443d       0x443d       0xd898       0xd898       0x0040   0                       0                     0                 3177345170  3392384643  3177345170  1380     0        1380    0       172500      0           120060   8280       0x0c11    0x0010    0x0000      64860   0      1380    0       0        0                   0x00             ...;......u...!a<.R..\n........nu.._.B..1...............c#.@#.N2.}\...pQZ..e>:p.../.....2rA...H.....F>3.....n.....l.. ...Sz.A+5.......$.l.....S.)...^K5c....Avq?..V=/3...y1.L2.}...8....#....?.&f..9_k..1.!.S|...7......."..F.N.......2........s\n......1.1....p.w.iv.4.H/9)0..Z.:...p_jIk b.w..R.WY.p\r.K....\n98.n:.....W.=.o.9..........F....X3.0tz.k...O.15p...".:.......F.v\t....@...P.............,h.(Z.N1K>.!../~.<n.>u..&.b...i.l..WIS|..W2TONX.N..{..0^.H...)/.S^%....1G\t.:....:..\r.D.@b.G1.1.d....0.f....L+S...[....V.!\. E.7$.6B.....E....c...V?)@?.M....^.EW.p......2.E.M.4=k`.>.p.k....d.....{.....9.Y.:It.D..L&F\nLgtG....tN.m....Sb..s._..J.Z...S=9t+.....D...d....x.b'\n.......eh&...;q.1.W@g(.\...'......_65....)..L..Cf.....c.d#..1@.o.4..........Tg...1......N.......7...t.... T....a.L.....".L.\rt*q1..JU;..t....c\r+].K(.Hl.A.%.u..r.._..c. ,...U....).x.!..9lza.....\l.-_.^_(....[w..N..N.!.v9..:(Z....9.....B.b.0...ue..a....{4Idr.?..n.SP.*.6..b...;erJ......x..3.....i#......Dw8......F......_..J....$.?v...kH. L........v...M.b~.h.s...8c..M/j`.........)4.}i.s. rd..].....86..v....@#\t..v\..A..&n.m..}7P9. 'C."!a$...a...0?.IXg|.u9.K".\t.D..Ero...L.\nCPU.....|i0j....V.\rC8....p\@.Xx.0N5...E..S..{9:#K.."-...A>UMo..qs..z.a.h..b... 
1419    36       0x0400000000004000  1258594164.283986  0.010241  0.000419  0.875701      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network  49330    143.166.11.10  us       Dell             64334    6        0x00   16348  1         0x4000  128    0x5e32       0x5e32       0xeb00       0xeb00       0x0040   0                       0                     0                 3392384643  3177343790  3392384643  0        5520     0       5520    0           117300      0        0          0x0011    0x0010    0x0000      2760    0      1460    0       0        0                   0x00
1420    36       0x0400000000004000  1258594164.283988  0.000002  0.000421  0.875703      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network  49330    143.166.11.10  us       Dell             64334    6        0x00   16349  1         0x4000  128    0x5e31       0x5e31       0xeb00       0xeb00       0x0040   0                       0                     0                 3392384643  3177346550  3392384643  0        2760     0       2760    0           120060      0        0          0x0111    0x0010    0x0000      0       0      1460    0       0        0                   0x00
1421    36       0x0400000000004001  1258594164.647545  0.363978  0.363557  1.160518      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   30033  4068      0x4000  111    0x39bc       0x39bc       0x52a2       0x52a2       0x0040   0                       0                     0                 3177346550  3392384643  3177346550  0        0        0       0       172500      0           120061   1          0x0851    0x0010    0x0000      64860   0      1380    0       0        0                   0x00             .
1422    36       0x0400000000004000  1258594164.647755  0.363767  0.000210  1.239470      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network  49330    143.166.11.10  us       Dell             64334    6        0x00   16364  15        0x4000  128    0x5e22       0x5e22       0xeb00       0xeb00       0x0040   0                       0                     0                 3392384643  3177346550  3392384643  0        0        0       0       0           120060      0        0          0x0991    0x0010    0x0000      0       0      1460    0       0        0                   0x00
1423    36       0x0400000000004001  1258594165.318635  0.671090  0.670880  1.831608      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   4104   -25929    0x4000  111    0x9f05       0x9f05       0x52a2       0x52a2       0x0044   0                       0                     0                 3177346550  3392384643  3177346550  0        0        0       0       172500      0           120062   1          0x0851    0x0010    0x0000      64860   0      1380    0       0        0                   0x00             .
1424    36       0x0400000000004000  1258594165.319087  0.671332  0.000452  1.910802      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network  49330    143.166.11.10  us       Dell             64334    6        0x00   16401  37        0x4000  128    0x5dfd       0x5dfd       0xeb00       0xeb00       0x0040   0                       0                     0                 3392384643  3177346550  3392384643  0        0        0       0       0           120060      0        0          0x0991    0x0010    0x0000      0       0      1460    0       0        0                   0x00
1425    36       0x0400000000004000  1258594165.848253  0.529166  0.529618  2.439968      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network  49330    143.166.11.10  us       Dell             64334    6        0x00   16432  31        0x4000  128    0x5dde       0x5dde       0x94c0       0x94c0       0x0040   0                       0                     0                 3392384643  3177346550  3392384643  0        0        0       0       0           120060      0        0          0x0831    0x0010    0x0000      22080   0      1460    0       0        0                   0x00
1426    36       0x0400000000004000  1258594165.848753  0.000500  0.530118  2.440468      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network  49330    143.166.11.10  us       Dell             64334    6        0x00   16433  1         0x4000  128    0x5ddd       0x5ddd       0xeda3       0xeda3       0x0040   0                       0                     0                 3392384643  3177346550  3392384643  0        0        0       0       0           120060      0        0          0x0831    0x0010    0x0000      64860   0      1460    0       0        0                   0x00
1427    36       0x0400000000004001  1258594165.926021  0.607386  0.077268  2.438994      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   10469  6365      0x4000  111    0x80c5       0x80c5       0x92e7       0x92e7       0x0040   0                       0                     0                 3177346550  3392384643  3177346550  0        0        0       0       172500      0           121442   1380       0x0811    0x0010    0x0000      64860   0      1380    0       0        0                   0x00             ..Q...]....=.2..>.p:3.N..........Ma.../|.\r....<.....II.E.....*.u..\t..`@.H..u+Nd1.m...c%f....{....x.2..N....B9.3}8..\n..E...O.c.u.c...,..d../....hjOekZ..\.........3wfGlg.....Qm.-...=..J.U.z....x.I..ZS.f..o.0#7...........xs_j?.7U..a..S.....u.v........i.....:\rK.....m..$v.2.....a.\.....r....=..(yR{..s.y8t.../.$I..;.b.CC........n.N..........M........m..q.B...D9..'..5..;...6..j^..F..(n....@u..,.y(.2..w4A....4....Nbo....h...7.....^&-E]G....O.~.*[B.Pq@CP.P.#;j.H].U.......n..%c.V.x...G.7WQ....VJ.]}....."t..........,.A.............E..@...xD........aN........ZV.....t....c.s...U./..|..$....\r.pe....!..dY...}..)...F.]L.2,...K<...d.9FY..-.Pf.6\..k.z.... ....ji..\nR..c}..d.H.pW.....[)..........h..o.M...,m.Y.q..........c2.......w....R.F.&U...=...."..3..\n...?A...5.....wAH.5...;A......L.A.3.I..q.."....!M..6....C.U.....65.Kb{........h.|.......<..n"rf...{...1Z2.H_... ...A';.....y#..8E..!..x#..Z..i...=..mf.W....C4..}..\r%......a.A..Z...........!...\n.b...A.Pb.Z.....K..M..w..h.*.[._Jl..U(.O<|\.V....s...=....%.{.2W.....E?..\r..D8B..(L.....NF..6..\tw.b..\n%.c.#@..I.........#.L.....L{..&....Q.Q........Lh{.B..}.n.......A.../'6$.'.....#..e...M4w...6e....D....rc<)..4A..y.P..i1..\n. ;T.Om.Q.c....3.....(-..\n.........A.m+`...@. 
1428    36       0x0400000000004001  1258594165.926514  0.000493  0.077761  2.439487      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   10481  12        0x4000  111    0x80b9       0x80b9       0x07ce       0x07ce       0x0040   0                       0                     0                 3177363110  3392384643  3177347930  16560    0        16560   0       189060      0           122822   2760       0x0811    0x0010    0x0200      64860   0      1380    0       0        0                   0x00             .A%..]p.<..+.Jm:....4.V.:.z&.V.f.Y\n+..k....=.7...L..k.:.>...y9w..Y.[..^..X.......m8..q.....@.....|....@....)+b.>...z...H..'s.zr...g.#9GX^.l.3U...s..V...1tG-P;..\r.A.h..^..D.(.ELSQ...v......F..p...$W..?!,.E..d...6........hn....P.q?..\n..;..M@.......@!..^D....v....3...8D...8...8. k;W...|.....\n?....x......B....$}.?\t .+/...$#.*9...t.....vA...j7..Z.V.UkO4.w.....s............p...r...=y.....P>.......y...\t<.....].=+x*_.7sW..\fZ.p.\t'.p.\t'.p.\t'.p.\t'.p.\t'.p...3..PK........!Z....M.,...........PCIUtil.dll.Z.wT..?w.&..\t.@"( ....6..W..Pr...'...!\t*.\rS\n....+I.C.L...Z..ou.=..b.U.m.......xP.....FK.....4.$p.o.;...x..rtf..>....>{..\t...ev....i2.gV)a.@...7..q..1..%....-...w8..}.?o....G...u[..p.s....y........6.......,...J..[O..|Vm?...~_{.............8...i...|.......k.........\r...O....s..h....j.#A.{.\n^...R..hZ..L_'.w.X).........K..L.T.-..d~.s.E.bK.Zmu._.d..)....... .]..O....2.S......y.....u...}.8..:.....'.*.....C....Y..f......_d..\r+..J...#.@W[.....A].\n..?.'.J...m..B.d&l@...O.}....2ZF.h.-.e....2ZF.h...........K..9....\r)$.j.(u)F^..L.(....=T[..S...QUt..{BT.zVHZ..........l7..(,.z..|.}.E.T........u.+....:...6.........^.v...O.h...m@.m...7?....s....)...x..Hn._.c.G.0t.......<Rq.a.cTt.g...Dnn...2...*.|./.E=.)6In....>aTp..g.....a..... 
1429    36       0x0400000000004001  1258594165.926523  0.000009  0.077770  2.439496      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   10479  -2        0x4000  111    0x80bb       0x80bb       0x8a59       0x8a59       0x0044   0                       0                     0                 3177360350  3392384643  3177364490  -2760    0        0       0       189060      0           124202   4140       0x0811    0x0010    0x0040      64860   0      1380    0       0        0                   0x00             }......R..{(....l.E..`c..=.ov.`O...n..'._..*.....a[\r6v.$.g.}v.e....`'..(.86..........^...6......6>..f.nT....s..7.M}S..7.M}S..7.M}S..7.M}S..7.M}S..7.M}S..7.M}S..7.M}._..l.>\.FQ].z.lp.................;&..2..O..?...w2"..y.<#..Vn....RV4.............\@.}.m..7..u.........\t..../.6...(........f#Ee.QM...VUU.....D0..d.......2....jJ;.....8..v.,h.E._Sxf\t....hj.......'.]..E.....ax.i.n0|...X.g..,.........]../.....7SZ.....Qx.......(..........m:..U..`~..wRZyv..........m=.==>>B.E..#..NQ......s...0o...........y0O.y...`|`..l.....S..\nL...`.....z0.0.`..Y.f....&.L....T.:..e.........w.AQ.k|c...A....*...}MOO....x=/T|*.E.....0.....x.U.=%x.Q.W....(...`......J"..W..T.......W..|[.3.].......I...........}K........w....2........C...Z..p{...|...U.....tY.W.gVv.........C_u..x.....<+R~.............e...oZ>.6yi....k.o.)..p_.......g.....M;...{..N.&.].w3.....3:g..0..6.A....Y..\z..q.......>.Z........k.....L.k.r..........?b....Zpxq.......t....[T...).=...R....+;....7.,.8...MI\n|..V..3'`.<u...s.......a...K......H.......;......s.....+8......d.N....G..../....q......}C...}w..JQ.v....{l<.~W......Ts.:.\`#.KL.Y...~...>=>*..g..JE.>.^...m_r=_$......yd.k..4n.]..].-'...M^I.n....#F\r.....A.\r...Ew;....4..c?.%......5=....qUiVHl.....1_.*h..........x..1.]a.Fk./O..=.wZ.......6.r....7...n]...<J-.............jis.s.._7#m...$lk.....\r........J...<>.{.0..9..L}|#.e./..C.
1430    36       0x0400000000004001  1258594165.926532  0.000009  0.077779  2.439505      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   10471  -8        0x4000  111    0x80c3       0x80c3       0xf25d       0xf25d       0x0044   0                       0                     0                 3177349310  3392384643  3177364490  -11040   0        0       0       189060      0           125582   5520       0x0811    0x0010    0x0040      64860   0      1380    0       0        0                   0x00             .....w.C........"=..H....BN.../.....bR..2j@..........w..+...I._S4E5..D."9j&Qy....m..Y....r.........jh..B+....F]',.t..Q,+k..f..0.-K...F..$}q..\..\n.B.."..b,...1...\z"..n>.4...A. T(.[..6Y..a?...J\r..Z.c..t......+.....&:...j...HJ<.N.z.MB....5.acZ....b.O5..Y....H...m.*...2..F1...)z.P.+.........B.Q.Vfy....]...W.....-...f...2b..0{......6q..\.l.L..n;.M..)!.....l...L.....K..Z.f.r.C...e.s...f)..7u.....V.\.5\r\t..Ac...Q....2.......x.L_...b......,mx[Bla.....bor./...&...t.v....%......M3.....N.._6..u8T..h.W.@&,....IA9..X..x.jm....R..[w...,...R..1t7..V{..O/ck.x.iXn..b.3.......<Gha.n2.#M....*..o7S......e.E.........<.....5.?3..Xy..M..`m..\t<&..._A.`Z...t..\n...=.v.U..n.p....$.A,.1....\t.ma..1D......W.a`lN..$.C....5?...*.TBz..f.k0..*....y[...y~a%......e....sh....c.=B..H^t..o..A..(f...2d.\t.H...A...=~.#^j.4...6...#....jf........<.)b/..s%...kl.\r..i7...H....LF0...........k.{.EV.......S\\n..\r.R......e.v...f.ra0C(0m.........N..J.e.....1......HC.D_m.3\r..-...Xj....ge(#R....Kd.y.ZD...AF...\n-..n;.p..v...H.......4....p... ...X.......C..?...L# ..q...(<.@zPw.J.?`...IM....E{\r_..`.~.\r.llpC...(....[\n%z...!..F.*....[.i..0.&..-.....C.\rq.]BjZ8...[.N...,,.&(j.#.... 
...
1450    36       0x0400000000004000  1258594165.927471  0.000002  0.000223  2.519186      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network  49330    143.166.11.10  us       Dell             64334    6        0x00   16449  1         0x4000  128    0x5dc1       0x5dc1       0xda41       0xda41       0x0040   0                       0                     0                 3392384643  3177352070  3392384643  0        0        0       0       0           125580      0        0          0x4811    0x0010    0x0008      64860   0      1460    0       0        12         0x01;0x01;0x05;0x0a;0xbd;0x62;0x90;0xea;0xbd;0x62;0xbc;0x0a  0x00
1451    36       0x0400000000004000  1258594165.927703  0.000232  0.000455  2.519418      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network  49330    143.166.11.10  us       Dell             64334    6        0x00   16450  1         0x4000  128    0x5dcc       0x5dcc       0xa78f       0xa78f       0x0040   0                       0                     0                 3392384643  3177364490  3392384643  0        12420    0       12420   0           138000      0        0          0x0811    0x0010    0x0000      64860   0      1460    0       0        0                                                                       0x00
1452    36       0x0400000000004001  1258594166.005251  0.078003  0.077548  2.518224      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11247  774       0x4000  111    0x7dbb       0x7dbb       0x2871       0x2871       0x0040   0                       0                     0                 3177364490  3392384643  3177364490  12420    0        12420   0       233220      0           139382   1380       0x0811    0x0010    0x0000      64860   0      1380    0       0        0                                                                       0x00             ........r.[&.J...s.f.s.....7...N.k..R.._..K.0.....\\t4.....L}.!.z.....^.....SXT..>Of...%.LO..0...O.I..K....".P.=zuBz..|.q...PA._K..A...H]7..u...\re..{.....U(\'....5dC...6..J....\nP....^C1+a.....U...a0.k..#..+.}.9.Q...\n...\n....._3M.e.{....Oh.....i.w.g.\...].:..?../...J<....j...JzNS..\ ^...@...@\t_.z...=\t[..O....1.\.r.....IH.../]B.'kS.p.......N..Q.N.....az..t.S...j..*{..o..........+\.JoS.z}..Z.\n.h....7.7c.U.^.Mc.Km.w}8.....o..|. .1.8...=QU....!.R.LR.L_.I;i..R.\r_*.zO..22...<Q\tI...@...;m...1....`.b...l...p|.]Z.k..z...h.b.*.........7[...~.E.[..1\n.-..@..i..c^t.p../Xz.....D..$...i.....bQ....j.e.n..G..m.....|.f\t......_.........)^.'bKU|.\tl..+u9.....-...z.K.....0......!...\rbY.^^..#.U...t-.......P".Ng..n3....8~<.hkA.hQd............`.\r..W..."....\rx..G_...>"...D.5...B..>....v....<.hw.....\n...Z.h.F#...D: .}.&..d..D...'.h...y....^......~C.....l..(..eqnxLk...|QB.......^.7.7u.;.y..M.....;d.....ce.o._...Sh....."_.......h._.JqH.;8.....\nM..C^......bS.....[..`...I...b+U^F.Ch\n....\r.V+.9..I..K\r.A.....#..(.),$Y....%.X.V.'..)..fk...-....g_;.".r*.;....."...69....\n.!\t...`.I7.hA.^...".a...J.k!#...b..\t..Z......J........K.E..7b.BO.....U-KMh........Y.p.K\r.!)..f.%.WZ...(:'.e.H....'.c2.:.....*nt.P.P9... 
.._"K..^.f}..A.....B...].v...*.5.5..UO):.)......#m.C.0...x.M.2.....eJs[.$O..N...*%^^..|.a.(B.....R.....d.w....6......M7<..n..%.....E}?..c]Oa.\n..W....}.....V.$E.....\n.n........&.'.I.D.9Bq\t..wi..R
1453    36       0x0400000000004001  1258594166.005261  0.000010  0.077558  2.518234      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11248  1         0x4000  111    0x7dba       0x7dba       0x0539       0x0539       0x0040   0                       0                     0                 3177365870  3392384643  3177365870  1380     0        1380    0       234600      0           140762   2760       0x0811    0x0010    0x0000      64860   0      1380    0       0        0                                                                       0x00             =..!$.. .$..J.)8.4...+..u..,..5Lp....Y..p..u}>..8#./O......d=H.".m.o./.+.KJ.....B.A..!..D...LH;>.@....a...J.1..qd(....g-..1..g...X....\r...*...,.e...L .ya0.P....N..<.'N4....V....y..,..D.....u.K.cM.....yo..vt8.;...rD]m.T.{.*..m..{...A.......\n.:.~.b_...g....D....d6..U.X..J9......e..+06...-X.......[..H..ZL.].....s..3Uq(..].C.h'.....g....W+p.p)..*:[.N..+.._..z.I..R..:c.'(M....S...%.T=...x.........k.v.N.l..)..o..Z.....m....a....L.#.......!..K...v.p.v.My........H...c....>n..K......l. ?.Ny.3.I.{^`.......^......s....;&...#.n..e..R..=.t..........:jHL$T.}db..+..N.RS.....6....4..p9..>.....B.X.>S?.g^!....^$Ik......,....r..p...b.q.}.5.g!.\t.`.[K.|...y...U...!.v...?.....U.H.y..\t..;#Ig..Id.....AR.....p..aW.`)(.%......r...w2\nV.;....4ds..N...Q.p&,.I"...`.......8...'=.\..Y.......)...}..EBR...|.....^x...F.\nt./ P....GE{...=..y.o.:...%...l.u..6.....h.b.#.........|......bhzA...sa,6=..6....b..H...SV......8U.. ..Zupy.......|....._...y..+".\r.1a.....w..Z..V.....-..VM......"X..j.-Z..(.......5..\r.&B.....!......mB..."......!%..t.oe.u.Y..2..H......|....0...#...o.....9..@p1.@a4....8........j.o..n..1w[.0.=\t.9`....0.|T..K..44...Vpv../Svd...Q...u...u.XWw.\r]...7[.o.h..}....q<...)./.=..z.u..l...i.ym..B.oQ..6.-.......q.#...Z.......<.J.....!....5w...g.(. 
s'..l..p..j$]....E..Z.]....'pq...m...;e{.L..G.c....T.c6...F:.....U0....a3.4....x@...........*...S...>&...fK.\.%$..$..7.k.V5...\...$.d~..\t..|8<.H.
1454    36       0x0400000000004001  1258594166.005270  0.000009  0.077567  2.518243      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11249  1         0x4000  111    0x7db9       0x7db9       0xdab8       0xdab8       0x0040   0                       0                     0                 3177347930  3392384643  3177367250  -17940   0        0       0       234600      0           142142   4140       0x0811    0x0010    0x00c0      64860   0      1380    0       0        0                                                                       0x00             ..ig.J.qk.ro...a.Pc.... .4...#...)<......c..0..M....\....#psP....d....".._Ll...V.....T..R.....SS........$........Z.".m^~`.h.;\4..g+\tB..s..m.....6c.X..)..Nr...0........R....!....../.>VN..{...D.qN.....UV. fY.4..H...@.0..2.*Z.K.P.d..Gw`..M;.C..C........qC..-.fG.+rC.5.O. R..!............0(.NU.`0C.j..6..g.I.L...5...d.2"........................x>1....h.].W.......x.;zPjJ.."...woG..f.....r.....m...AA`.GI...t....q.:.*..X..F|........\...a.ci{...!.....s.C.p.#.E.a-....su8.....n.y..k..: ..>@\n...."mcN(OdSG...\t.1RA?....![.^#..`..E.!..@.........3."7h:*..0ha..G.m?$m3.wr3m...s.....P.B.op-..V.d hC .g...U..K.....7.&.\q..-....LdzjtV..\t\r..(..H.Z.9..+.X..x.**Q..@r.....8.q<....].5|..\nw\n-..F.....y..(.d.+.....L.....O..d.....].....RH.......4.1w.y.{h....63...T....^...xVJ.g....K[.J+.|n@.;...*u........$..~..B....!......;h;...Z..sX.@......Hw..\F...._gS.k..6........u...(..L.[i.caf.b..\.#v.3-3T^.[......T.M.Z......_X.....k.y6.\....8H.F..<V....Z.....>hb..q...I..r.......`.e....r.\r6...S.i....;p.O.f.$....xr......P\n....8..|k.... ^..<..+.. ..~.^#..-..d./.K....B..$.L_b.....h1-.b.......\.A.....\n....a........}...wdkT~G.O...Y..G.H.!84.YA2...............+.B.....2.n...EZ..-1...a..\nJ... ..D......a.J..Ah.v.7... 
..\n..0.J`-!Y.m......c.e..qY+.[.^bF.o.Q...oaP...&.(p.I..s..!a.........;.....N(......D..S.me....q9..6F..\t..[.......N...\r....R....u.evUb...5.T[..H.[p@.........C...l<....IX..H{.....C..A.:.h<0..B._....v
1455    36       0x0400000000004001  1258594166.005476  0.000206  0.077773  2.518449      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11250  1         0x4000  111    0x7db8       0x7db8       0xeab0       0xeab0       0x0040   0                       0                     0                 3177350690  3392384643  3177367250  2760     0        2760    0       237360      0           143522   5520       0x0811    0x0010    0x00c0      64860   0      1380    0       0        0                                                                       0x00             v......T;.4..4...NO.%.cW\n..N\rX.'N.R..]...L..&.....k..y.r2.n....EN..^{.h...n..Q0...f..wi..B...Pb!.<\n......~..n...k.......k.@.-...@...&..o...OD|...... !..o...\n.l........EB...../.5..F..`..o5.........&.".....5.g}..u.......5..&S...._..O.NB....E{......f........C.JCg...v.4.=&.. .k...G...(..c.{.......\r&. Vb.......y0..<\t.\t0..i.....~.......e.e...}..A.....{......A..<(..6.i...QB.\n..9...%.M.e..w`.&....!P.I..R.`%.6....O........!..u....@ek..o.=.j....QUK...wl../.t...1.;...T... ....b....6....E.........h...4._aq-..\r3.d.q`%.I...."0K.d.).#...tN.;..x......\n6...6.....M.MOn..>...+..0O.Mh....zB;...6..6..\...6+13..8.1u..#.......x.'.O...w.....}<.....zP..g.......s........=.......~\rXK.,...L...0q`...w.GB\t.+\..\t......8....Oy.s<..$...;..w....{...............\r..`^....7.........].Q...@Y.0.`.4.7.GM...>aC....sf.....k.q v\.|..&.Sx....?KMx.'Sl>c[F.S7y"..W.<AI.H~\r...|@.}[.T......%7...b.n~%t.2S.......|...U.'.Z....W....H"]@.w...L.....7..&.l..d.......r.2T.......W.....?...ym.n.zLrA...,.....AT....A.n.92.,f...=.....Pds......."..W...A...C....o.3.]...."...n...Y....f.....`.....2.w..0(.(./........u..#u....;...M.g..f.fl.r...JD..*&.[.y........1... 
2#UV2.k..`..P.\.5^..+.^.#XV(.X.#.X.,...+.....r..n...mo....\..-....b....f.'x..5...q..=.1.`)...{X.....zJ..\r...v.........@.G...............G...`..k.Q.....:..N&.Gi.*.%..<..q(tq.x....=\n...v.\r.d.*.....b>p...|W.=.....s......C.....e..fc].{..........r..:\n.....DA....\t... <D
1456    36       0x0400000000004001  1258594166.005486  0.000010  0.077783  2.518459      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11251  1         0x4000  111    0x7db7       0x7db7       0x7ab2       0x7ab2       0x0040   0                       0                     0                 3177352070  3392384643  3177367250  1380     0        1380    0       238740      0           144902   6900       0x0811    0x0010    0x00c0      64860   0      1380    0       0        0                                                                       0x00             .u..a~.%...S...<......q.....Q1K..H....qi....x..%.4....R.D....o.../..>..g`..........2.X.....A...%...J.TG\t#..<......F..H]...._AB.[...M/....Tb......A.?...-.1.O./.G.z...`..r.b1.'.....?.9...........I..<...9|.\r.M...JCKC..y...0.#.......E.9.vZ.......y[4...[. ./P...q.|....E..7...4.|...V..H.yKe........}..z................>.i........q*a!.\,..Y....,.3..U........d..x..I...>..u....+..M.<0..-....@......S.0...A.F.z.....T..Q.;t...U.j.......R|..&N.#....f....(.>.Y..#...b...q...q9.n."....|/}._....q...!...q....?3.>n.@\rD.r.H[.z.....d.V.(...|.%...0..r...ax.pk..s.q.%.hy......Q.ST.........z....... ..R..r.J..j7...DY..\r..._.....Kxsi.C .h................l&.....R......E."7.7..,...!.~....<.Js....A..:<.. .9M7.`.I`......3..-q..Lwx...T.\r!>..v.0]....M......,n...L.gF..u..!..>..\r.j....%\n....0M...D..........9e\r.....-....&....Z'!......0k..k$......J~ ..w......\t...$|w..s..b.\tOi?%....J..S.f..n..,S1yR...f...7..|........7........*E..(...6.L]A+..d..o7............9.i.[...d?Y,qC..Y.pP.....#...."P..........n9..zi|..H~.....B...LC.c8.*....T|K.o>vc..=..|.q.-N...>.m....... 
{..c..^..........d.f..8...%6.B|...QVI/....#...`..?:......~.......a........9..K....o..3...........r.o.....x..\tE.YL...\-.t..\rN......ry@.:..........ymg...%W.b..T.....MUb.m.\n#m.Z1I...d....sZ&4xE.5+.,.T.......!tIa.X^.....a.F...t...d.+\.]t...=+AH\ty..;t.\.X..2.+.......%.{....'&.I>..*.Kb.y..-+X.A;...\r...$..f.]......B.$o.j......"_.....p!.0I..U.4.$.
1457    36       0x0400000000004001  1258594166.005495  0.000009  0.077792  2.518468      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11252  1         0x4000  111    0x7db6       0x7db6       0xcad4       0xcad4       0x0040   0                       0                     0                 3177353450  3392384643  3177367250  1380     0        1380    0       240120      0           146282   8280       0x0811    0x0010    0x00c0      64860   0      1380    0       0        0                                                                       0x00             ....2G.\_.....c...G...OmZCF.....V'>....L..i..:........F.0..,.....\..[.a...(G|.o.T\8..gT.|...p.. .....\n.mY..G.I.....b../.w9....[...eag...l..\r$...U.....|+w\r.r.I<.t..t..r0.<........`...o.{....].....G.RM=....`~..HQ....\r\..D.J......wY.w;.M...>~..[...v..@m..7.....2..7".h%.T!.....`.V.....\n`{.=N%'..e8k.)6...=.\r..z... ..Y...;.~#.......-. .-H...7..A&....z...G..A)....$...Y]#'M=.=...p....F|.)0r..t..h..q]DH._./r9.|._n........9....GA...Lg..zh.Ju...yy#GE.=...... ....j.3..%..0..._\L~..\rO.....BH.Q.j.U.........:...~m..j....bcw........6>d....VF..V.!)..D.:].E....l......&v).~...l|.K...@W.g.....OY!.>....,.g....)7....\..H.,..\t..|/S,.Qf..e....C.2....3.L1...]MNZ........Q<...R........,.:.k..Ja........Q| .\r..47Kt........\........2.\n. 
..C.....<..L~[_.M.....\....W...8.!.e..i.d{..S.(X.k...R..of..Zm....q...q..8.F.C/kfhn:t...r.s.q...\rz."o......].J..t.x...-........6......d....6?..dS\t...2bj.d^h;..mo7.....J.(mO.g%.K.C.]~.......rhP......0...`0tW...........h.e..20..q+-.m..R.E...s.......PO...s....e0Y.A;@$....E.gs..D.\r....?.../..).......\t.x-.XS.......d@.]%8i..4.-..V...<.g.s.\..r..U%/.8e#...j.B..........\t...T|....M=V..d....../[.,F4.../..O...PP.....^.-....Q0io.^........P.(..=J+....`~/9.e...A.....n...B..~....i../.O..#......~Vh.vZ|..AS...F..F.a..1.i.........:...- ..I..\n..w..&..r....i`6./...z..O.@.x...r2{...X...v.."r..c.....lP...$..|...N(.l.\t)....*.1\....`.b.....w9...`.p{.t..M..~D|n..^px...`d..D.t.0..
1458    36       0x0400000000004001  1258594166.005506  0.000011  0.077803  2.518479      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11263  11        0x4000  111    0x7dab       0x7dab       0x6121       0x6121       0x0040   0                       0                     0                 3177371390  3392384643  3177367250  17940    0        17940   0       258060      0           147662   9660       0x0811    0x0010    0x0200      64860   0      1380    0       0        0                                                                       0x00             .......@..A..v.3\y.c(...........$..B.q.5I....3..V.'.....&..B3\na........:.&pr......Z...Ua.....*n#.H..dq3.2....D...\...X........F..e..?C...3.....xs.)hhQ."....:.].0.aM.<.4.5K...a.\n.n......0.~+..."...\n..Q.pg......c..J....R.Q.U6[.\tsd;k.f.....fs.T9.hM5\n...:.nu...*....d<.3`.;..%ab.....[..!M,#ob\r......R,t./...&-...]K8._.........Y.........2j..t..f...aV|...... ....`..a..#....o....Qqf...."....\n.+?A].^h*...A~8\n..9.7G..m"l.)...)V..*.<....X.p.(...~....\tn.e..#.Y6......ly>.U)....)/..6.....i.."..\)......r.Y.+.^.H).Iy..W#.UK.9..|D.$>.T.f[.........Z..r+D8rc..."P.,.E.l.X.y$og .H.,......!...Ul..a...+......op... ...o.3.b.,.n...qB....V.@.-....v..h.6...\.jG.. vD..........,Ls=.........]2.4.0.U..A.}............,...&Z.|!....JFF.X'.;m..p..x..7.}C5W.v\t.|.L+:J`.......;..S.TXa.....q.R....'.....q.\tksDU..Z.D.(..'.s...C...#_...y.....2...W-.x\t.E`?..juv...Tk.....)B.W~lk.QZ..WGq.>Hfq..!W..A .}.&..F..S".5N=.6..Q%..4.N.'.Yo...`.(3...(.1....G......D..j.~... .Xi..2...D.Iw.a....`q8\n........k...z....#,I;.z(..8......u....\nf.k..(>._)W.....;q=.s'...V.+.[..C^.........uY$Y.....6L..X.vl...-. .V...#.o."F.....2.~......C......e..."...1..c.z.~k&..~!..h9%. 
.3..H.vl..5b.....= ....2..v.tnB.'....z......+\n...(.....Ngg...j.%.D.....\t#|....r..-...QxFI.x8...)[9....pX.....a.r.#./S.;.F.....e1y.pRe$.T.pF;.C.n_..L.......fF.....2";."4.QT..0..L...#K....Wn..%..d...*%......9^....2......#.,e23..It)........1&...j&...}s..1P.v...{
1459    36       0x0400000000004001  1258594166.005525  0.000019  0.077822  2.518498      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11253  -10       0x4000  111    0x7db5       0x7db5       0x4ace       0x4ace       0x0044   0                       0                     0                 3177354830  3392384643  3177372770  -16560   0        0       0       258060      0           149042   11040      0x0811    0x0010    0x00c0      64860   0      1380    0       0        0                                                                       0x00             .H.iy..-..[.n.fi.......q;.p0}.Q....\t*B.W8.x.w+...RT...`<^...e........:...j.....tR./....V.......\.N.........~...&...M...t.#...D..(R.[,m.p......C......3.^..{."i.(.E.Uk.l..Yh.\n.......-..ce........y.\....P..B..b...DnX3..kBt.[..[E.....F.......ki'/....'b....h....f......S..u..5[..i.^{?....Ib.....o.&..4....D....#...8..N....Zp.r.....NL$..5.Q..K.....fi{..x..t{.q.....&...U...P.t.....q.......-u<K.Q.%{..9.U...=....3..p.3_n6..`....s&.=>=.4gJ.',......O....+j@..\n..I......~B4..c.v|..RJ....j3.mG..v/..b.2.ZPa.XrP.zD.a...S.......S.s!. B.T..7..UcB0)F>.m?Y&<....+..(.~.8.4`P..S.K`........`....<....<..:(.,0.?.....%..N|.J..O...b.....CE=.3o...\n.30...........,.....r.....e.#lxO.......b.....w]...Lof....<\n#z.L..,:e`..?X.......U...k.p....e...*...z.$%%....h.{Dx.. .[.....$.G.fW...)..W..tC>ad}j..2.z2.9K../V>..tP|.f.....k>.&$S.. .1H..J........a.E..o..+..Q.`?o9.3r.<. 
..F..*[./...0A...".......xC...N...R....vf...t4......gF..%.R..............\t.......b.\.p.5#..~.4h.!...YP.]....f...{B.C....A........3..|*O#.F+.3#z.ept./..\t>.e|\r..N....u....=.3W...]\,...Rl~.....{..\..H2tF.j..~.....e....U..c.P...KK...C....>`H.m\n#?.s\......|s...W.........c...Y9v....c}....(.....~..t....&|.i.....7....ct...'.W.@s......e.X\6.....u.jL...dm]_7._.'k..w.....?..m.....P%.........:.Q]l.\n.st.r.ds...#.3..s,.......2(E$.Hz.4JKzA.Q....$...*.UQ.]E(.....J1'J..\n.........~.L.r..].3......?.............,.<.9.,../.-.l.z.... ...@~K.J.....p.b..
1460    36       0x0400000000004001  1258594166.005533  0.000008  0.077830  2.518506      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11254  1         0x4000  111    0x7db4       0x7db4       0x7295       0x7295       0x0040   0                       0                     0                 3177356210  3392384643  3177372770  1380     0        1380    0       259440      0           150422   12420      0x0811    0x0018    0x00c0      64860   0      1380    0       0        0                                                                       0x00             .G.+m}.u.\r....Y47-....9...\r.x.(. FB...v3.E..AS.yU%..#.b._..."?.....,/Q..@....A..\.Po....DlP\n.x...0....j......Q......B.?.jg.]8..c........q)Mf.P.d..Ib...Y.z(.5'[......;#....6.\o?K....U...|.Y..}..\r..N..l.......ZF.....o.H.....(..S....?..6........^.g.O..T..).j..e..`h`35....?....b....#>.W.^).D).*G>....4..\n.........(...p...j....3..1=..njF\r......ut3\t....T\n.Bdj......l6...6?{..l.u)O..E..,5....G....!<.${.&... 
9.}.......\t.....-1.....*..[;.s:o\...{~A...3..>I4.....O.....fv%......j..%~..#j;..I|P..0.:MO.j/M~.k.2..S; ..1.9+.N..A.Y.W..N.o.r._....n..Y].I.....E...dc.>I@..{..im."...\r.D\Kn6O.Z.K...{o".....tF.s!..9+......[......:\t...7..<...CioX.~..^.Ux..;.9.>.U.o...z....x.....&.0.D.3<..s.;/..;'g.Z.p..P....'.b[7....9.....$.z.#.O.|,./.J....B.[.?}[......\$..#....?.\tyU..'lL....q|.F.Tq.nP.0(V..........Ai......f\nX.....I...\r0.6...9.,.._`...2.oj...g.w..I\r....\r.h....hh...\r.DD4".s.Pvz.#6...m.3..qy.....'...$O....I.DF*4....%^.....t.D..A..L....zo..........'ShD......]..B.Y..t.....)......K`.....\tp.....V....).Ss.C^..$......<.[B.(.".+r.~....P=.*....T.7R...j?..]/.&.......w.#.......r....v.N.Vr..J..(.J@3..*y..^\r....h6....c....P...7<.R.0....])...7..1..bM..f....A.zK........|z .SU.........\S..7.M}S..7.M}S.....;.<E..y.L..QT..i.O?GQ..y...`....&...........f=......B.c`Z....7.;E-y...`.......y.....|.v.?(....`....!_0.`......f#...{..z0-`:..C...n.\..>.+t..9...s+..!.R.=`X0.....'0/.9....Z........R0..C.I8E."...W..k
1461    36       0x0400000000004001  1258594166.005542  0.000009  0.077839  2.518515      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11255  1         0x4000  111    0x7db3       0x7db3       0x84c4       0x84c4       0x0040   0                       0                     0                 3177357590  3392384643  3177372770  1380     0        1380    0       260820      0           151802   13800      0x0811    0x0010    0x00c0      64860   0      1380    0       0        0                                                                       0x00             S....z.L....2...`j.<..2C._.z<....5....c0..5.\n.....].......o....l(.?<*..................Y..?J...S.........a..c..\...6}.=0..?....u.r'e...Z....24.......^XAY_\1.7=............f..y}....}.....r...bp.b.S...y\r.o.&wCC.7.].r^...np....U.u......\t.;9%%.........\].k.t.9...Y......te.[?1..y.Z.z.;....y.A...~.z......r.........g......=eaZL.-.\m.}5.D..........~..X.....!...W[.&.k........7..+!...-......u...n..t\rl...[....|...^.+.I..j7!L.......p....Y].{k5..r..D..8........w.....:.W...7M..i..Z....+.e&..a...f3W.V.U^wy.Ph..W..7].D..l9..D..W[.........-.......k'.+%.;..k..u.....8..}'l..~...B.MY...5u.]....u..,I\n!..\n-...M....J6.U..M.....N.......{.!\..9=........*...0u...RKC..-.(.....-.wj........L...7....X......o`3..4..u.\=EA../.....B...,....nk&.5....o........-.,@;. ...lb;Ix.....44P..-H../.......X.C.(G>Ee..voro....r..5...lb...t....L.~....]\\r..]......V. }......q...tZ.U^K....G...q!.....!.L.i1\r.D.TQNp.x..k}..m......n....\.u.$...v9.i1..#..`<.pB.D@<.!4)/..J...rA...PX(3..j....).w..)e...<...7=;....M.W.a.\=.._~;..o..qE........0'..\t}...g........T.C..:.n=..-e=..q\...u.S....x.a...\tr....8..\..............a. 
.<.n......aBX..=\na....BX.N.[.)Y..<Yn..US...-...qS.QY0..n{#0u.Qf.t.H./.ft...k0....[....>..:.b3k`..Zk....M...Q.........n....\n.F........:.....&.M...%....DYG b.KN5.fYo.}..n...T..kR..\t....6hp.....[...G.0}vu.....'3;p..3...T...........a.B.....?..$.is.j.]_W.O..|*...[..\n..o.8s.:..B..iTw..(9.....5 V8...k!..J}.a
1462    36       0x0400000000004001  1258594166.005560  0.000018  0.077857  2.518533      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11264  9         0x4000  111    0x7daa       0x7daa       0xff9e       0xff9e       0x0040   0                       0                     0                 3177372770  3392384643  3177372770  15180    0        15180   0       276000      0           153182   15180      0x0811    0x0010    0x0000      64860   0      1380    0       0        0                                                                       0x00             ..>s......^%'(......5...N\r...Lhn.t...q.......F..Q..6...R..%..3.`....m8yW...&M.z.....=.../#M...I..n....(....K..U-..gO...3M..CC(Y&{.H.0....&....bq....(.g.C.4.m.b..j...?...w....X.g..y...z.8.e...<e....2B#.F.....q.vV..e%.5V..h1....^...vg..\t.&.c....w...S..0......b.....y.n+...3JA.&#...{.pK..y^-'3.YC..F.0..7!.8`.kj....f.-MO.h..(#..gJ.0`.......C..!..,.......3...fh.......8.1.X.DPg...Y....Z".!O.....K...0..IN....^.......\........MC.*O...6 ..X.6`..MO..8..m.\3.1-..q9L.y...k..b[{P#;..O...Ku:.C....d"P..r\n.)C...&V\r.....w......m.+.w9. .!.'.....d.......r.\r.....p\nt5..<..^.e:.2SEb.@Z[d!...\..Nk;Q....6nXs.<...#3.`.)..O.%.......b..N.;.+..uC.d;="..........\t!... - .0i8.p.w....P.j......\h.g.&..}%.h...H`*..'O!..z...%...h*+P}.yt1.MWN1.Lt....q..PjP...y.8..ii.\nk.,..4*C.ge.+CY.......~.f.l.....U.....$....../..+.!.G`;...N"g.Jff......5fJq..G.vH.{.0V.R..."..^..(p.d.,.Q.R..\t.(.Z*g...`.hM..f.3jL&.Q.1CN\t#..8..)A....q.41.XJ.g..3..(....&..7n<c..`.B.w...5%..D5.#.\n.K'U..:...D..N.o..E..D.I.q..:..H.!u....F..<.. 
.Xg...k....\r..%_...L\rH..=..w8...":.......3ZJf.C.4....-...\......A...P../D..M.oe.]T..zr.pT-.}Q}.-...+\nY2.....u\/C....#.........F:4...G6..FRz.j?.....N<P...\t....!K*..d...8.+2.f2..0.K..a&..%....F...k\r<.u;9.....1....vY.....U.Z..@..0..$.w.?$....C....5......y.<\.]-x5....;5..&@...C.......g..m)q.5~xP!............2ar.......G......td...9..\r$..e....PS....%...X.$V\tz.[r......+@\t..T.......r.dO..){Bvq..;.6<.N.
1463    36       0x0400000000004001  1258594166.005704  0.000144  0.078001  2.518677      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11256  -8        0x4000  111    0x7e02       0x7e02       0x7cc1       0x7cc1       0x0044   0                       0                     0                 3177358970  3392384643  3177374150  -13800   0        0       0       276000      0           154482   16480      0x0811    0x0010    0x00c0      64860   0      1380    0       0        0                                                                       0x00             ...lw..u.rC...~'....#...0D#.@`Pf.+....i9...J.f/.. .3..:T.5.....C...s...#..\n..ab....#.w=....p....IE.H(V"..R#.f\r2.:.\r=.n[6.. .nu5.a?\t.c..8...x.A..2.P.......<..j..6.......'8....@..N.Ta}.. /....:....?...QS................rn.6Bg..)...........P'..............q.[SX..hEE...W7@.m...R..F.Yu.7C....N.o...C.H.d8Q........7W.@s...K.RZ7.2...c..2...V......4.....$..R:....D..r.|.%\c.G.1cQu......|.aWlc.....{}]..:`X\r}..\t...~.j.D..E...^.U...P#.....c1..4..:..r~I|.{.qc.P..\t)...9.......4.F..4.t............n.Y.J#blam....cM\t...Lm.Xm@g.q.?.!..lEh...q......C.-...^.UI.<..\n@..Z..pE..l.Q\r....#..\nGL....o.....".U..F.'...BY}.S.">..P...K....^\r.t..3.5.(. ....$....D\n@.\.C.......F.$..4.V].AA.0.W....j.[r......A..bu...;........0......,.I...C..\t..w.IA..w..S`.AZ..0_.Y.&...`....y..S`~..50G.....BI.....0..#(...>.M...*...........*...V.7ToZ.~...j....U......'.........5.t>...0....\n....S.(...FX...\re..a.`.@{.@(h..........;...D........5.q:...:/...G<..r8..X.kQ...J.....d..KM}S..7.M}S..7.M}S.......8.J.....)..5`...G.)..'.......k.R.m.....9!....zI-WY.\t7[...YE.o..z.....r.G..w...W..u.wm.h.:.Y.m...LW^_...QTvMMVyma-.u..mA.hej.}..&TPOvQ.{.......J........(....E.&..C...W.m...[f........_.?......5......{d...y:...U.V... 
.{..k.j[....{..q..z.....&..........t....U.V.edP..../.L../.I.._.W.....3_}...'?....j.n.Em|x..s..g>...{4..7..3]TF............o.ZG5;C
1464    36       0x0400000000004001  1258594166.005713  0.000009  0.078010  2.518686      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11257  1         0x4000  111    0x82c5       0x82c5       0xc671       0xc671       0x0040   0                       0                     0                 3177360270  3392384643  3177374150  1300     0        1300    0       277300      0           154562   16560      0x0811    0x0010    0x00c0      64860   0      1380    0       0        0                                                                       0x00             .....g..^....3O.......=.\t............D........h..O~....nk.R....s..>N..-...L(..QE
1465    36       0x0400000000004001  1258594166.005731  0.000018  0.078028  2.518704      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11258  1         0x4000  111    0x7db0       0x7db0       0xa552       0xa552       0x0040   0                       0                     0                 3177367250  3392384643  3177374150  6980     0        6980    0       284280      0           155942   17940      0x0811    0x0010    0x0040      64860   0      1380    0       0        0                                                                       0x00             j........u.}6.5...~.......qBz.&$^.F.$.....j%\.....`...jUU$..>0...f.\r..^`..?-..O.fEo..W.Y..$s....9..P....a9.2?-.)jDSUd..*..8nX.C.%<..y...1.-.B..C.._.I.;...KU..x.h>...2m)(.........W^.&..Q...a....dt...='.^......^.!z/..b\r@.^.5 ....J.x.x{....O........Y.?P..HD..A.............|`@..8w*U...j.@.b..g58...8Y7.hi...,h.<.U._Hj.$:.[.."....J|.0....iP..D...bSU..p...{....T...H.l\1v.....e.TSp1..{.}......G.....vmM".+\n...[.............5.ip.GCi..W......?.B.w....H....^z...6...........d.C.kA...Z4.%.y.Y4...}.%.._..gn.=`/It.'@\r!.6..q....C+q.f.xk1.7 ..T,..\K.iS......n+..)..|....#....`-.!.IV..031..:.Mw[".A..8....-~]...).vW\r..IY.{.B}.+.}..?.!]2.9.V.C...3h.qm,s..8.~...../..2...z..h ........3.%(..c.a....R..o.d.4....X.z..!..Z>.#..O^>7.......o....[C!O....$L.d...\n((".........I.l..m......1.....Z./=...B.......>...G/.zS..5.....L..rD.I...\t+\t.qN.....\r.m.}..<.\t...\.u...b..n..d.=..(A.'h.j.x..V..[.,^&.771B..\.9.i.......J.....p .....y.....8...".x:.K#...b.....6S...85\t P......].|........MQ.E..o...rpP.....h.<A..Q....a.]dW.....5....T..8e.7...n2n...\R.)R|...).ng%%K.n*..._......7Eg..eT.x..'.v.7..!c.+rb$... ...M..-GL;.....\r..g.^J....H.>U..6.X.........i...K%t...~...iN.....b...{.=..`.H.%..B\n.X$.XsO....$86....I.....5...c...`...K=..l..1..........x...J.1.$.... 
9.....98..\...m.r....5......9UF...E...m1..TNR.D.ah.R7.KN`.J.-03...wF.{.wLJ....5r..5...6`d.............6.,......T[MF.q...7..qX...m.............`O......(..a
1466    36       0x0400000000004001  1258594166.005740  0.000009  0.078037  2.518713      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11259  1         0x4000  111    0x7daf       0x7daf       0xd7ce       0xd7ce       0x0040   0                       0                     0                 3177368630  3392384643  3177374150  1380     0        1380    0       285660      0           157322   19320      0x0811    0x0010    0x0040      64860   0      1380    0       0        0                                                                       0x00             ...i......#.1bb.fQ4........".D...HP.t+f..4$4.I...nv7..k...g7.lb.e\r..j..K6!..LL.dL.......S...^.}..}....?.j......S.S.NU...?.Y.0...V.s..]...v..s..tk&t...D...H..PJ.`5........G.=0|0.J....pW'2kX".P"..Lh./..m.$.....9............/P.....{.............4..1v..<...Q.q......?;.........N...g...c."...\):..-........\........y/...q![....KP<...R.".....A.q.......2..a.oa../>.I...\rdc...L...SC._.*!...).;..S.+dX......._....F.._\r.......!s.~...D.4..r...~(....y\..J..( ...Y.....x(..\r.9k..L.y..q......V .w...B..^....e..}....U..8.c.=].*.....wu.\r.Qb..Z.%.3.\y:......|.g..d...s^....y1...y1..s^...v.M%..?&}....*.q[bAs..N%0M..C..........BU>.\n..#4.y2..!..1L...\t.....W...\r..%......6.*..Y3....d....../c\F.h!.X...@...{........;...S.Y.I.4.V......R..I....dT8.1..d},.0?f.x......;....c........;b...A..i.t..\....8RJ.^k;.[..C&.=Pfi.s!#.r...`UN.T.....B.z..3U.kwe(\n...@.(.J....B..ySy.l...[....C...6.3i.=\t.....r.'..KXp..I:.3..A...2~..{Dk....>..;m._.....CB.. 
$...C..Wc.....w.%.*.j.j...x..9..N.[)l..0..j..A..A'."......B..5.q..3n...M1..d.H..=?.r..............q..P...R..3....]E.Z...\..(ZZ.)_....[.f....Ur...$G4.'..9.W'..,\....v.....i....Z...dZ..v...+A].3..Ut...H2\t..L..$4....=......?#.......\r.\n.Z.....l..fXT..nzb7.&......(D.S.\..L8[}_.S.......g'...k<njx.+<.L..C..7.D"..k.0\n..Y.".i6.$N.l8.G8/....@3.>..jj..*..0.KsO.`Qo....J5..(.m.....+u,..x._D.~....0.B\tZ.Zn.8.(.k'xYr.......EI.$.3.@w..a.....9<J.........g)K.yK..x.......F).j.B.
1467    36       0x0400000000004001  1258594166.005761  0.000021  0.078058  2.518734      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11260  1         0x4000  111    0x7dae       0x7dae       0x4103       0x4103       0x0040   0                       0                     0                 3177370010  3392384643  3177374150  1380     0        1380    0       287040      0           158702   20700      0x0811    0x0010    0x0040      64860   0      1380    0       0        0                                                                       0x00             P..B..f*d..VLz.|S.|x.&j.cq.\t.e.(.`.m.J.....|/t~,.(Z..u0..l'....c\n..vC..@...8.DM...#I.4k75.COv.0......,dL.+...P+..d .*.....g..K6..3.e;.....3...(..\DB...Czl....H.^J].[.K......F...^...5.4.h......G..=.:Z..a9.Is...N....!-..Q... .)%..h..o..6.\r......%c4.~.45..m.........dP.U:....4`# .'..l.f..XQ.Q...3e[7..laJ. .H/...j....65".-?...>V....Zck..........@.`O.a...^..hT.v.:... .....qaMY.......8...hQkx..?....65~./.t..=:S..p.b..#..6k..f.A4V.].....`.8....$.........B....m6t.r.......9hc.#......x.....^T2....8..E...?..G.d..>.(..-......J..[f......Xlt.(..?.m.I.2.".&..........\n....S..._#..-c.....t..8..p...nf.....d&...f;.....).$.>....Dt.cD.6.=......9.......-.C.x?."... 
...d......h,....'..?...3..>.Y..iz....[.......9..9B....\r...Q.....3..z.\.....+.'*0\.c.R.....L.S.-.'....9..].....{....O>......=;.X...:j.eg.D..QF.-eaM..y..l...o...]:...."z..u...N........I...5J<...Z.!.q...a.fC..;!...k6..0.`VtH...RV<.k;....D.<....Zk=5..Y..%3Sj m.r.ANbU.....`...:.B...\nJ4Y.(._@....O...\tJ.W.\r.V"0L.....!..#"Ug.^..;,.V.o..~...1.../c......t.F.e.........eAz.......TW,.V.{....y15.y.u..........3.+.j...vQ..LL..V.Y....v.,......,I......V.m`Bk....r.d..N......>..I............:a...d.....\t=...g...\n...k....p..TWy..X._.......\tM.A.b>.-...h.....................n..I....B2+..D&.r..A.GR....<.#.."...._GU...:...Ig\n..q...q..SM..%.U2....<........;q.....y.&........1..5.Q..%?.2n.2.H.-D.*.*..(.. ;[!OChlk..a...X.v#.....<A...fm.*X..A...2.>=wo
1468    36       0x0400000000004001  1258594166.005770  0.000009  0.078067  2.518743      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell             64334    192.168.1.105  07       Private network  49330    6        0x00   11265  5         0x4000  111    0x7da9       0x7da9       0xcd5b       0xcd5b       0x0040   0                       0                     0                 3177374150  3392384643  3177374150  4140     0        4140    0       291180      0           160082   22080      0x0811    0x0010    0x0000      64860   0      1380    0       0        0                                                                       0x00             ...G.%T}.*......r.l.J.5.gq..\.K4..2.`.I....,...P...e+....g=..=r..8(.....t+e.H..I....?...{.sD4....8..g.E..... ..... .......jd.A.;...Q(.)...wMh-.6.6B..hQ..yG..._J.(.k.J.eoI.i...f...EZ0.B;.....i....'J........\tJ....=...3...+ -A..E.5.R....}.).7..\t......1P7yD.^Y;......Q..."..v..E#Gr.w.....(\n..D.o.,N_..".[7./......JV.A.;m.\n!..g..k.C...\.d:.B.FG..w.........a...i6...9......j4..J.f5.y...N.D...<...\....H.N...\). ;-...G..iSr......s-1*..1xz..[..7...........=..........g...2..4'..b..HJH......W..\r...#.C~..u.P..G....wi. .......<.[$..`..g.&Cx..!..)j..f...m..}.V^ m.....rp......%..8.i[y.......g..i...L.7X.....r...;.k.......c...`9G..J8vM..^O..c...?`..K..&..bJ't..b\tgc.7.9...30^..NP..'J...w}..f`0.^...Ql...@.<.K,.\nw.....Fy...a@.&3\n...y..R.5..TS..7..?.QA...m.......].$.Q.a...Y\n-.z$C.D....J..o.r...2S.C.s.....8.......F.<..O............a.\r.I..bB....q5..j....e...........V.6R....OjU..\n../@....@....0.9....N...e...VY..U...m..M.m........x.lv.=.+.R..i.....Wc.`.:m.t..$.a\.......8b.Y.e.^..#..b.....7X{rn. a.....[....D\r.(.......0.. 
..\tQ..n.e...Q..#.f.K)@^\t...#D@.WG1B0...Qq..|l4..C.um...Z.....~..r.l...3H....j..+...t`5d.......".b.Z?k.W...d....."!...x&&#,E.\t.^IgM5nf.....:..8.......!Z.,d5J._I4..^d.\lC......D......../(Z.|.....v.%.Qf{...]..P...-....&GY...\a...w[..(~.k.&..7)=....b..XF.]...r..8.j.+......B....x. ..P&.N....../3.....8..t$+...6... ........J..s.;9t.T...eG.@...l.........o....iw(?..4gE.pz.b...k.
1469    36       0x0400000000004000  1258594166.005912  0.078209  0.000142  2.597627      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network  49330    143.166.11.10  us       Dell             64334    6        0x00   16451  1         0x4000  128    0x5dbf       0x5dbf       0xefd1       0xefd1       0x0040   0                       0                     0                 3392384643  3177367250  3392384643  0        2760     0       2760    0           140760      0        0          0x4811    0x0010    0x0000      64860   0      1460    0       0        12         0x01;0x01;0x05;0x0a;0xbd;0x62;0x7b;0x5a;0xbd;0x62;0x80;0xbe  0x00
1470    36       0x0400000000004000  1258594166.005914  0.000002  0.000144  2.597629      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network  49330    143.166.11.10  us       Dell             64334    6        0x00   16452  1         0x4000  128    0x5dbe       0x5dbe       0xda41       0xda41       0x0040   0                       0                     0                 3392384643  3177367250  3392384643  0        0        0       0       0           140760      0        0          0x4811    0x0010    0x0008      64860   0      1460    0       0        12         0x01;0x01;0x05;0x0a;0xbd;0x62;0x86;0x22;0xbd;0x62;0x8b;0x86  0x00
...

In the following chapters we will discuss window size, sequence number and other features useful in troubleshooting and security analysis.

Window size features

The TCP window size advertises the receive buffer used by TCP flow control and thus gives an indication of how fast the destination host can digest data. As indicated in the previous chapter, all window anomaly bits are now situated in tcpFStat:

tawk -V tcpFStat

The tcpFStat column is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     1 | 0x0002   | TCP option init
     2 | 0x0004   | Timestamp option decreasing
     3 | 0x0008   | L4 option field corrupt or not acquired

     4 | 0x0010   | Window state-machine initialized
     5 | 0x0020   | Window update
     6 | 0x0040   | Win 0 probe
     7 | 0x0080   | Win 0 probe ACK

     8 | 0x0100   | Min Window detected
     9 | 0x0200   | WS used
    10 | 0x0400   | Window full
    11 | 0x0800   | Window state-machine count up(1)/down(0)

    12 | 0x1000   | L4 Checksum calculation if present
    13 | 0x2000   | UDPLITE Checksum coverage error
    14 | 0x4000   | TCP Selective ACK Option
    15 | 0x8000   | MPTCP detected

So Window Scaling was used at the beginning. Then, after a Min Window detected, a sender Window full followed, and a Win 0 probe was issued in order to test whether the receiver accepts more bytes. This makes sense, and can be investigated in the packet file in the previous chapter.

In the flow file the initial window size tcpInitWinSz in combination with the TTL is still a reasonable feature to estimate the type of OS. If tcpMinWinSz hits 0, the buffer of the receiving host is full and the sender has to wait. As in the end report, the variable tcpWinSzThRt counts the occurrences where the window size drops below a configurable threshold WINMIN in tcpFlags.h (default 1). So it counts how often the receiver applies back-pressure to the sender. The parameters tcpWinSzDwnCnt, tcpWinSzUpCnt and tcpWinSzChgDirCnt are experimental; they try to aggregate the evolution of the window size, which is governed by several algorithms. They denote the up or down count per packet of the window size and how often these counts reverse direction, giving an indication of irregularities in flow control. As you can see, the counts are much higher in flow 36, which has a lot of flow and error control problems.

tawk 'bitsanyset($tcpFStat, 0x0700) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly, $tcpInitWinSz, $tcpAveWinSz, $tcpMinWinSz, $tcpMaxWinSz, $tcpWinSzDwnCnt, $tcpWinSzUpCnt, $tcpWinSzChgDirCnt, $tcpWinSzThRt }' ~/results/faf-exercise_flows.txt | tcol

%dir  flowInd  flowStat            srcIP          srcIPCC  srcIPOrg           srcPort  dstIP          dstIPCC  dstIPOrg           dstPort  l4Proto  tcpFStat  ipFlags  tcpFlags  tcpAnomaly  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt
A     15       0x0400000000004000  192.168.1.105  07       "Private network"  49218    192.168.1.1    07       "Private network"  25       6        0x0a11    0x0040   0x011b    0x0000      8192          64982.55     8192         65536        3               2              4                  0
B     15       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49218    6        0x0a11    0x0044   0x031b    0x0008      65535         524219.4     65535        524280       1               2              2                  0
A     16       0x0400000000004000  192.168.1.105  07       "Private network"  49219    192.168.1.1    07       "Private network"  25       6        0x0a11    0x0040   0x011b    0x0000      8192          64673.17     8192         65536        3               1              4                  0
B     16       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49219    6        0x0a11    0x0044   0x031b    0x0008      65535         524225.7     65535        524280       1               2              2                  0
A     17       0x0400000000004000  192.168.1.105  07       "Private network"  49220    192.168.1.1    07       "Private network"  25       6        0x0a11    0x0040   0x011b    0x0000      8192          64668.98     8192         65536        3               2              4                  0
B     17       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49220    6        0x0a11    0x0044   0x031b    0x0008      65535         524220.3     65535        524280       1               2              2                  0
A     22       0x0400000000004000  192.168.1.105  07       "Private network"  49336    192.168.1.1    07       "Private network"  25       6        0x0a11    0x0040   0x011b    0x0000      8192          64668.98     8192         65536        3               2              4                  0
B     22       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49336    6        0x0a11    0x0044   0x031b    0x0008      65535         524228.2     65535        524280       1               2              2                  0
A     23       0x0400000000004000  192.168.1.105  07       "Private network"  49353    192.168.1.1    07       "Private network"  25       6        0x0a11    0x0040   0x011b    0x0000      8192          64668.98     8192         65536        3               2              4                  0
B     23       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49353    6        0x0a11    0x0044   0x031b    0x0008      65535         524227.5     65535        524280       1               2              2                  0
A     26       0x0400000000004000  192.168.1.105  07       "Private network"  49561    192.168.1.1    07       "Private network"  25       6        0x0a11    0x0040   0x011b    0x0000      8192          64740.93     8192         65536        3               2              4                  0
B     26       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49561    6        0x0a11    0x0044   0x031b    0x0008      65535         524166.4     65535        524280       2               2              3                  0
A     36       0x0400000000004000  192.168.1.105  07       "Private network"  49330    143.166.11.10  us       "Dell"             64334    6        0x49b1    0x0040   0x0416    0x0008      8192          45402        0            64860        253             194            254                0.001981506
B     36       0x0400000000004001  143.166.11.10  us       "Dell"             64334    192.168.1.105  07       "Private network"  49330    6        0x0c51    0x0044   0x031b    0x02c4      8192          64860        8192         64860        0               1              1                  0

Have a look at the packet file and identify the flow control problems in flow 36. Is this flow benign or part of malicious activity?

Sequence and Acknowledge numbers

I added some more columns for the packet mode to track faults and to make counts more consistent. seqDiff and ackDiff are now the real difference of the seq or ack numbers, so they can also be negative. seqLen and ackLen denote the positive difference, hence an indication of the payload length. seqFlowLen and ackFlowLen are the aggregated seqLen and ackLen. tcpMLen is the real l7Len, just like in basicStats. tcpBFlgt denotes the bytes in flight. Similar columns exist in the flow file.

TCP error control is achieved by Seq and Ack numbers, which are a formidable tool for troubleshooting and contain information about network or host problems. The differences between these numbers denote the bytes being transferred between the two peers. The packet ACK count is only exact if every packet sent is acknowledged individually, i.e. Idle Repeat Request (stop-and-wait) mode, which would actually defeat the purpose of an efficient TCP communication. So in general it is only a lower limit.

The fault counts from both directions are an indicator of the health of the connection. Divided by the number of packets sent (from basicStats), they give a good performance measure.

The initial sequence number tcpISeqN is used for covert channels, and it can help to identify crafting tools if more than one flow from the same IP is available. Make sure that the flow is complete by checking tcpFlags for a SYN; otherwise tcpISeqN just denotes the sequence number of the first packet seen.

As in earlier versions, the column tcpFlwLssAckRcvdBytes denotes the amount of content transmitted by the opposite flow, derived from the acknowledged bytes. So if you have only one flow, you have a number to estimate the amount of traffic not seen in that pcap. Some magic to impress customers.

tawk 'bitsanyset($tcpAnomaly, 0x0008) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $ipFlags, $tcpFStat, $tcpFlags, $tcpAnomaly, $tcpISeqN, $tcpSeqSntBytes, $tcpSeqFaultCnt, $tcpPAckCnt, $tcpFlwLssAckRcvdBytes, $tcpAckFaultCnt, $tcpBFlgtMx }' ~/results/faf-exercise_flows.txt | tcol

%dir  flowInd  flowStat            srcIP          srcIPCC  srcIPOrg           srcPort  dstIP           dstIPCC  dstIPOrg                       dstPort  l4Proto  ipFlags  tcpFStat  tcpFlags  tcpAnomaly  tcpISeqN    tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpBFlgtMx
B     12       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1397     6        0x0044   0x0011    0x031b    0x0008      1702698086  1440            0               30          2943                   1               852
B     13       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1749     6        0x0044   0x0011    0x031b    0x0008      645942508   1405            0               30          5679                   2               852
B     14       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1755     6        0x0044   0x0011    0x031b    0x0008      328872932   1405            0               28          2357                   1               852
B     15       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49218    6        0x0044   0x0a11    0x031b    0x0008      652739796   1519            0               29          4899                   2               852
B     16       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49219    6        0x0044   0x0a11    0x031b    0x0008      1405763652  799             0               30          4429                   2               166
B     17       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49220    6        0x0044   0x0a11    0x031b    0x0008      916601873   1466            0               27          2750                   2               852
B     18       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1806     6        0x0044   0x0011    0x031b    0x0008      925488549   1370            0               28          4371                   2               852
B     19       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1400     6        0x0044   0x0011    0x031b    0x0008      1816175150  1370            0               26          1522                   1               852
B     20       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1404     6        0x0044   0x0011    0x031b    0x0008      113675184   1370            0               28          5247                   2               852
B     21       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1405     6        0x0044   0x0011    0x031b    0x0008      6599705     632             0               28          5796                   1               166
B     22       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49336    6        0x0044   0x0a11    0x031b    0x0008      226877106   1466            0               27          2430                   2               852
B     23       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49353    6        0x0044   0x0a11    0x031b    0x0008      1304812153  1466            0               27          2462                   2               852
B     24       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1836     6        0x0044   0x0011    0x031b    0x0008      1667500374  1370            0               26          3372                   1               852
B     25       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1709     6        0x0044   0x0011    0x031b    0x0008      1075440067  1370            0               26          2374                   1               852
B     26       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49561    6        0x0044   0x0a11    0x031b    0x0008      1983906088  1466            0               28          4334                   2               852
B     27       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.104   07       "Private network"              1572     6        0x0044   0x0011    0x031b    0x0008      1684028818  308             0               17          1021                   1               166
B     28       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.104   07       "Private network"              1604     6        0x0044   0x0011    0x031b    0x0008      1644748927  308             0               17          761                    1               166
B     29       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.104   07       "Private network"              1665     6        0x0044   0x0011    0x031b    0x0008      1401071890  308             0               17          574                    1               166
B     30       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1934     6        0x0044   0x0011    0x031b    0x0008      18417741    1370            0               27          5732                   1               852
B     31       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              2008     6        0x0044   0x0011    0x031b    0x0008      2088358893  1370            0               26          3460                   1               852
B     32       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1911     6        0x0044   0x0011    0x031b    0x0008      398501520   1370            0               29          7079                   2               852
A     33       0x0400000000004000  192.168.1.104  07       "Private network"  1908     198.189.255.75  us       "California State University"  80       6        0x0040   0x0011    0x011b    0x0008      3626872219  319             0               23          95699                  1               319
A     36       0x0400000000004000  192.168.1.105  07       "Private network"  49330    143.166.11.10   us       "Dell"                         64334    6        0x0040   0x49b1    0x0416    0x0008      3392384642  0               0               1511        4255056                437             0

If you look at the packet mode from packet 4188 on, you will notice that during the fast retransmit seqDiff is negative and seqLen is 0, denoting that no new L7 content is sent. You can now follow the process of sending and acknowledging data. If you have only one flow, you are now able to estimate the payload of the other flow via ackLen and ackFlowLen for each packet.

tawk 'packet("4188-4211")' ~/results/faf-exercise_packets.txt | tcol

SPKTMD_SEQACKREL in tcpFlags.h controls whether the seq/ack numbers in the packet mode are output as absolute or relative values. Switching to relative numbers facilitates the analysis of irregularities in throughput. Look into the packet mode tutorial to see an example of Absolute Relative Seq Ack Numbers.

RTT estimate

The Round Trip Time (RTT) estimate is a vital tool for troubleshooting. The mode is controlled by RTT_ESTIMATE in tcpFlags.h. The RTT features are estimated for all L4 protocols and give additional information about TCP connection anomalies such as ACK retries and SYN connection timeout retries.

  • tcpSSASAATrip denotes the RTT during the TCP connection phase, which is not influenced by the src and dst host.
  • tcpSSASAATrip denotes the time from the measurement point to the dst host and back.
  • tcpRTTAckTripMin, tcpRTTAckTripMax, tcpRTTAckTripAve denote the minimal, maximal and average trip time.
  • tcpRTTSseqAA denotes the total RTT, which also includes delays at the hosts
  • tcpRTTAckJitAve denotes the average jitter, useful for voice communication, see also the voipDetector plugin

RTT can also be estimated from the TCP timestamp option. Using the MSS, which is supplied in the TCP options, together with the RTT, a bandwidth per flow can be calculated.

Let's look for flows which have an average ACK trip jitter or an initial sequence RTT > 0.5 seconds.

tawk '$tcpRTTAckTripJitAve > 0.5 || $tcpRTTSseqAA > 0.5 { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly, $tcpSSASAATrip, $tcpRTTAckTripMin, $tcpRTTAckTripMax, $tcpRTTAckTripAve, $tcpRTTAckTripJitAve, $tcpRTTSseqAA, $tcpRTTAckJitAve }' ~/results/faf-exercise_flows.txt | tcol

%dir  flowInd  flowStat            srcIP          srcIPCC  srcIPOrg               srcPort  dstIP          dstIPCC  dstIPOrg               dstPort  l4Proto  tcpFStat  ipFlags  tcpFlags  tcpAnomaly  tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve
A     11       0x0400000000004000  192.168.1.104  07       "Private network"      1384     63.245.221.11  us       "Mozilla Corporation"  80       6        0x0011    0x0040   0x011b    0x0000      0.061556       0.020611          23.03958          2.930275          7.038339             0.061967      0
B     11       0x0400000000004001  63.245.221.11  us       "Mozilla Corporation"  80       192.168.1.104  07       "Private network"      1384     6        0x0811    0x0044   0x031b    0x0000      0.000411       0.000406          8.196325          1.171333          2.655198             4.101608      7.522519
A     10       0x0400000000004000  192.168.1.104  07       "Private network"      1379     63.245.221.11  us       "Mozilla Corporation"  80       6        0x0811    0x0040   0x011b    0x0000      0.005547       7.1e-05           22.97788          1.313044          5.097706             0.005754      0
B     10       0x0400000000004001  63.245.221.11  us       "Mozilla Corporation"  80       192.168.1.104  07       "Private network"      1379     6        0x0811    0x0044   0x031b    0x0000      0.000207       0.000186          9.952202          1.338241          2.93412              2.651285      5.881808
B     19       0x0400000000004001  192.168.1.1    07       "Private network"      25       192.168.1.102  07       "Private network"      1400     6        0x0011    0x0044   0x031b    0x0008      0.000202       0.000102          3.94484           0.2614954         0.8918523            0.2686044     0.8921642
A     35       0x0400000000004000  192.168.1.105  07       "Private network"      49329    143.166.11.10  us       "Dell"                 21       6        0x0811    0x0040   0x001a    0x0000      0.080252       0.077494          306.0649          29.85102          83.48595             0.08095       0
B     35       0x0400000000004001  143.166.11.10  us       "Dell"                 21       192.168.1.105  07       "Private network"      49329    6        0x0811    0x0044   0x061e    0x0000      0.000698       0.00045           0.194089          0.04303964        0.07018124           29.89405      83.48597

L3/4 Checksums

Looking at checksums reveals whether the L4 header or the content has been manipulated. Moreover, you can determine whether a pcap was acquired on the computer itself or at a network intercept, such as a SPAN port. This only works if the checksum offload option is present and activated on the hardware. Think about how a checksum would look if the pcap was acquired on the computer itself.

Another cause of checksum mismatches is payload snapped (truncated) during traffic capture.

annoloc2.pcap was acquired in 2002 and it is very murky.

t2 -r ~/data/annoloc2.pcap -w ~/results -s

================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 11785
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: tcpFlags, 0.8.14
    03: tcpStates, 0.8.14
    04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/annoloc2.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1022171701.691172 sec (Thu 23 May 2002 16:35:01 GMT)
[WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500
Dump stop : 1022171726.640398 sec (Thu 23 May 2002 16:35:26 GMT)
Total dump duration: 24.949226 sec
...
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x3964
tcpFlags: Aggregated tcpFStat=0x5fff
tcpFlags: Aggregated tcpFlags=0xffdf
tcpFlags: Aggregated tcpAnomaly=0x33ff
tcpFlags: Aggregated ipToS=0xff
tcpFlags: Number of TCP scans attempted, successful: 1540 (1.54 K), 1421 (1.42 K) [92.27%]
tcpFlags: Number of TCP SYN retries, seq retries: 147, 5252 (5.25 K)
tcpFlags: Number WinSz below 1: 1443 (1.44 K) [0.15%]
tcpStates: Aggregated tcpStatesAFlags=0xdf
--------------------------------------------------------------------------------
...
Aggregated flowStat=0x0c0098fa0222d044
[WRN] L3 SnapLength < Length in IP header
[WRN] L4 header snapped
[WRN] Consecutive duplicate IP ID
[WRN] IPv4/6 payload length > framing length
[WRN] IPv4/6 fragmentation header packet missing
[WRN] IPv4/6 packet fragmentation sequence not finished
[INF] Stop dissecting: Clipped packet, unhandled protocol or subsequent fragment
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] IPv6 flows
[INF] ARP
[INF] IPv4/6 fragmentation
[INF] IPv4/6 in IPv4/6
[INF] GRE encapsulation
[INF] GTP tunnel
[INF] SSDP/UPnP

As ipFlags=0x3964 and tcpAnomaly=0x33ff in the end report indicate, there are lots of broken packets due to anonymization, and scans were detected.

The flowStat in the end report and in all flows carries an L3 packet length field warning, resulting in wrong L4 checksums. Select all L3/4 checksum errors and display the first 20, as all flows have the problem.

tawk 'bitsanyset($ipFlags, 0x0c00) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly }' ~/results/annoloc2_flows.txt | head -n 20 | tcol

%dir  flowInd  flowStat            srcIP            srcIPCC  srcIPOrg                          srcPort  dstIP            dstIPCC  dstIPOrg                          dstPort  l4Proto  tcpFStat  ipFlags  tcpFlags  tcpAnomaly
A     265      0x0400000000004000  209.171.12.143   ca       "TELUS Communications Inc"        4987     138.212.185.230  jp       "ASAHI KASEI CORPORATION"         41250    6        0x0011    0x0840   0xffc4    0x1000
A     447      0x0400000000004000  217.41.129.13    gb       "BT Infrastructure Layer"         58872    138.212.187.186  jp       "ASAHI KASEI CORPORATION"         80       6        0x0011    0x0840   0x0044    0x0000
A     392      0x0400000000004000  36.242.181.230   jp       "SoftBank Corp"                   4685     138.212.188.67   jp       "ASAHI KASEI CORPORATION"         1214     6        0x0011    0x0840   0xffc2    0x3000
B     392      0x0400000000004001  138.212.188.67   jp       "ASAHI KASEI CORPORATION"         1214     36.242.181.230   jp       "SoftBank Corp"                   4685     6        0x0011    0x0800   0xffd4    0x2000
A     906      0x0400000000004000  161.135.53.11    us       "Federal Express Corp"            5001     138.212.191.94   jp       "ASAHI KASEI CORPORATION"         80       6        0x0011    0x0840   0xffc2    0x3000
B     906      0x0400000000004001  138.212.191.94   jp       "ASAHI KASEI CORPORATION"         80       161.135.53.11    us       "Federal Express Corp"            5001     6        0x0011    0x0800   0xffd4    0x2000
A     1027     0x0400000000004000  146.162.158.230  gb       "Norwich Union Insurance Limite"  2849     138.212.184.193  jp       "ASAHI KASEI CORPORATION"         6346     6        0x0011    0x0840   0x0042    0x3000
B     1027     0x0400000000004001  138.212.184.193  jp       "ASAHI KASEI CORPORATION"         6346     146.162.158.230  gb       "Norwich Union Insurance Limite"  2849     6        0x0011    0x0840   0x0454    0x2000
A     1154     0x0400000000004000  193.133.224.57   gb       "Verizon UK Limited"              3286     138.212.188.67   jp       "ASAHI KASEI CORPORATION"         1214     6        0x0011    0x0840   0x0002    0x3000
B     1154     0x0400000000004001  138.212.188.67   jp       "ASAHI KASEI CORPORATION"         1214     193.133.224.57   gb       "Verizon UK Limited"              3286     6        0x0011    0x0800   0x0414    0x2000
A     867      0x0400000200004000  138.212.184.48   jp       "ASAHI KASEI CORPORATION"         6666     36.74.248.27     id       "Telekomunikasi Indonesia"        1108     6        0x0011    0x1840   0x0058    0x0000
B     867      0x0400000000004001  36.74.248.27     id       "Telekomunikasi Indonesia"        1108     138.212.184.48   jp       "ASAHI KASEI CORPORATION"         6666     6        0x0011    0x0840   0x0044    0x0000
A     864      0x0400000200004000  19.54.241.65     us       "Ford Motor Company"              6667     138.212.191.209  jp       "ASAHI KASEI CORPORATION"         45891    6        0x0011    0x1840   0xffd8    0x3000
B     864      0x0400000000004001  138.212.191.209  jp       "ASAHI KASEI CORPORATION"         45891    19.54.241.65     us       "Ford Motor Company"              6667     6        0x0011    0x0844   0xffd5    0x2000
A     1336     0x0400000000004000  216.21.10.20     ca       "XNS Technology Group Inc"        1305     138.212.191.94   jp       "ASAHI KASEI CORPORATION"         80       6        0x0011    0x0840   0x0002    0x3000
B     1336     0x0400000000004001  138.212.191.94   jp       "ASAHI KASEI CORPORATION"         80       216.21.10.20     ca       "XNS Technology Group Inc"        1305     6        0x0011    0x0800   0x0414    0x2000
A     1512     0x0400000000004000  19.150.217.57    us       "Ford Motor Company"              1678     138.212.189.66   jp       "ASAHI KASEI CORPORATION"         1214     6        0x0011    0x0800   0x0004    0x0000
A     1534     0x0400000000004000  216.233.229.167  us       "MCI Communications Services"     3782     138.212.185.86   jp       "ASAHI KASEI CORPORATION"         1058     6        0x0011    0x0840   0x0042    0x3000
B     1534     0x0400000000004001  138.212.185.86   jp       "ASAHI KASEI CORPORATION"         1058     216.233.229.167  us       "MCI Communications Services"     3782     6        0x0011    0x0800   0x0454    0x2000

Below, the flow with flowInd 1336 is extracted to show that each packet has a wrong L4 checksum; compare l4HdrChkSum and l4CalChkSum. The L3 checksums add up, why?

tawk 'flow(1336)' ~/results/annoloc2_packets.txt | tcol

%pktNo  flowInd  flowStat            time               pktIAT    pktTrip   flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP           srcIPCC  srcIPOrg                  srcPort  dstIP           dstIPCC  dstIPOrg                  dstPort  l4Proto  ipToS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq      ack      seqMax   seqDiff  ackDiff  seqLen  ackLen  seqFlowLen  ackFlowLen  tcpMLen  tcpBFlgt  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpWS  tcpMSS  tcpTmS  tcpTmER  tcpOptLen  tcpOpts                                  tcpStatesAFlags  l7Content
19221   1336     0x0400000000004000  1022171702.098369  0.000000  0.000000  0.000000      3        eth:ipv4:tcp             00:d0:02:6d:78:00  00:60:08:69:80:dd  0x0800   216.21.10.20    ca       XNS Technology Group Inc  1305     138.212.191.94  jp       ASAHI KASEI CORPORATION   80       6        0x00   11025  0         0x4000  119    0xac5a       0xac5a       0xa8c3       0x0150       0x0840   0                       0                     0                 1389457  0        1389457  0        0        0       0       0           0           0        0          0x0010    0x0002    0x0000      8192    0      536     0       0        8          0x02;0x04;0x02;0x18;0x01;0x01;0x04;0x02  0x00
19247   1336     0x0400000000004001  1022171702.098389  0.000000  0.000020  0.000000      3        eth:ipv4:tcp             00:60:08:69:80:dd  00:d0:02:6d:78:00  0x0800   138.212.191.94  jp       ASAHI KASEI CORPORATION   80       216.21.10.20    ca       XNS Technology Group Inc  1305     6        0x00   22725  0         0x0000  128    0xb5ae       0xb5ae       0xf1d7       0x4a64       0x0800   0                       0                     0                 0        1389458  0        0        0        0       0       0           0           0        0          0x0010    0x0414    0x0000      0       0      0       0       0        0                                                   0x40
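As an added example (not the tutorial's or Tranalyzer's code), the following script recomputes the IPv4 header and TCP checksums of a constructed packet, the way the ipCalChkSum and l4CalChkSum columns do, for three cases: an intact packet, a packet snapped to 40 bytes like the annoloc2 warning (snapL3Length: 40), and a host-side capture where the NIC was supposed to fill the TCP checksum (offload), so the stored field is only a placeholder. Addresses, ports and payload are made up.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the 16-bit one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header_checksum(ip_hdr: bytes) -> int:
    """The L3 checksum covers only the IPv4 header (checksum field zeroed while computing),
    which is why it stays valid when the payload is snapped."""
    return ones_complement_sum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])


def tcp_checksum(src: bytes, dst: bytes, segment: bytes, tcp_len: int) -> int:
    """The L4 checksum covers pseudo-header + TCP header + payload. tcp_len comes from
    the IP header, so a snapped segment is checked against its declared length."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    return ones_complement_sum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def build_packet(payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet with valid checksums (addresses and ports are made up)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_header_checksum(ip_hdr)) + ip_hdr[12:]
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    seg = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    seg = seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg, tcp_len)) + seg[18:]
    return ip_hdr + seg


def checksum_report(packet: bytes) -> dict:
    """Stored vs. recomputed checksums, analogous to ipHdrChkSum/ipCalChkSum and
    l4HdrChkSum/l4CalChkSum in the tcpFlags packet file."""
    ip_hdr, seg = packet[:20], packet[20:]
    ip_total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    src, dst = ip_hdr[12:16], ip_hdr[16:20]
    l3_stored = struct.unpack("!H", ip_hdr[10:12])[0]
    l4_stored = struct.unpack("!H", seg[16:18])[0]
    l3_calc = ipv4_header_checksum(ip_hdr)
    l4_calc = tcp_checksum(src, dst, seg, ip_total_len - 20)
    return {
        "snapped": len(packet) < ip_total_len,  # cf. [WRN] L3 SnapLength < Length in IP header
        "ipHdrChkSum": l3_stored, "ipCalChkSum": l3_calc, "l3_ok": l3_stored == l3_calc,
        "l4HdrChkSum": l4_stored, "l4CalChkSum": l4_calc, "l4_ok": l4_stored == l4_calc,
    }


def demo() -> dict:
    """Intact packet; packet snapped to IP+TCP headers (40 bytes); host-side capture
    with checksum offload, where the stored TCP checksum is a placeholder (zero here,
    real NICs may leave a partial value). Only the L4 checksum breaks in the last two."""
    full = build_packet(b"GET / HTTP/1.0\r\n\r\n" * 10)
    snapped = full[:40]
    offloaded = full[:36] + b"\x00\x00" + full[38:]   # TCP checksum field sits at offset 36
    return {"full": checksum_report(full), "snapped": checksum_report(snapped),
            "offloaded": checksum_report(offloaded)}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, rep)
```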

TCP Options

TCP options contain vital information about connection characteristics and even let us guess something about the type of application involved. Let us select the MSS and WSC options to see whether the decoding works, i.e. bit positions 2 and 3 in tcpOptions.

tawk 'bitsanyset($tcpOptions, 0x0000000c) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $tcpFlags, $ipFlags, $tcpAnomaly, $tcpOptCnt, $tcpOptions, $tcpMSS, $tcpWS }' ~/results/annoloc2_flows.txt | head -n 20 | tcol

%dir  flowInd  flowStat            srcIP            srcIPCC  srcIPOrg                          srcPort  dstIP            dstIPCC  dstIPOrg                   dstPort  l4Proto  tcpFStat  tcpFlags  ipFlags  tcpAnomaly  tcpOptCnt  tcpOptions  tcpMSS  tcpWS
A     392      0x0400000000004000  36.242.181.230   jp       "SoftBank Corp"                   4685     138.212.188.67   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0xffc2    0x0840   0x3000      4          0x00000016  1436    0
A     906      0x0400000000004000  161.135.53.11    us       "Federal Express Corp"            5001     138.212.191.94   jp       "ASAHI KASEI CORPORATION"  80       6        0x0011    0xffc2    0x0840   0x3000      3          0x0000000e  1460    0
A     1027     0x0400000000004000  146.162.158.230  gb       "Norwich Union Insurance Limite"  2849     138.212.184.193  jp       "ASAHI KASEI CORPORATION"  6346     6        0x0011    0x0042    0x0840   0x3000      4          0x00000016  1460    0
A     1154     0x0400000000004000  193.133.224.57   gb       "Verizon UK Limited"              3286     138.212.188.67   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  1460    0
A     1336     0x0400000000004000  216.21.10.20     ca       "XNS Technology Group Inc"        1305     138.212.191.94   jp       "ASAHI KASEI CORPORATION"  80       6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  536     0
A     1534     0x0400000000004000  216.233.229.167  us       "MCI Communications Services"     3782     138.212.185.86   jp       "ASAHI KASEI CORPORATION"  1058     6        0x0011    0x0042    0x0840   0x3000      4          0x00000016  1460    0
A     1586     0x0400000200004000  130.92.198.110   ch       "Universitaet Bern"               1249     138.212.191.248  jp       "ASAHI KASEI CORPORATION"  1214     6        0x4811    0xffdb    0x1840   0x0088      16         0x00000036  1460    0
B     1586     0x0400000200004001  138.212.191.248  jp       "ASAHI KASEI CORPORATION"         1214     130.92.198.110   ch       "Universitaet Bern"        1249     6        0x0011    0xffdf    0x3840   0x0044      4          0x00000016  1460    0
A     1836     0x0400000000004000  209.114.247.93   us       "Ideal Technology Solutions US "  1335     138.212.187.11   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0042    0x0840   0x3000      4          0x00000016  536     0
A     1909     0x0400000000004000  19.27.88.236     us       "Ford Motor Company"              4045     138.212.186.88   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0xff82    0x0840   0x3000      4          0x00000016  1452    0
A     1959     0x0400000000004000  216.21.10.20     ca       "XNS Technology Group Inc"        1305     138.212.191.94   jp       "ASAHI KASEI CORPORATION"  80       6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  536     0
A     1904     0x0400000000004000  138.212.186.27   jp       "ASAHI KASEI CORPORATION"         1396     83.220.134.126   de       "PlusServer GmbH"          4661     6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  1452    0
A     1969     0x0400000000004000  83.0.129.97      pl       "Orange Polska Spolka Akcyjna"    1395     138.212.187.11   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0xffc2    0x0840   0x3000      4          0x00000016  1460    0
A     2060     0x0400000000004000  18.97.211.233    us       "Amazon Technologies Inc"         3448     138.212.187.247  jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0xffc2    0x0840   0x3000      4          0x00000016  1460    0
A     2113     0x0400000000004000  36.92.31.200     id       "Telekomunikasi Indonesia"        48337    138.212.185.86   jp       "ASAHI KASEI CORPORATION"  1052     6        0x0011    0x0042    0x0800   0x3000      4          0x00000016  1460    0
A     2183     0x0400000000004000  201.133.193.218  mx       "Uninet SA de CV"                 3134     138.212.187.11   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  1440    0
A     2236     0x0400000000004000  83.45.182.68     es       "Telefonica de Espana SAU"        1322     138.212.187.10   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0xff82    0x0840   0x3000      4          0x00000016  1460    0
A     2274     0x0400000000004000  201.53.22.207    br       "CLARO SA"                        4810     138.212.187.11   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  1460    0
A     2333     0x0400000000004000  193.99.26.18     de       "Verizon Deutschland GmbH"        1925     138.212.188.67   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0xff82    0x0840   0x3000      6          0x0000001e  1452    0

Timestamp options are a formidable tool for RTT estimation and for revealing the boot time of the source host, if the RTT measurements are influenced by L7 protocol reaction times.

Boot time estimation

The TCP timestamp option, originally created for Round Trip Time (RTT) measurement, can be abused for boot time estimation, because operating systems derived the TCP timestamp from the uptime.

As different machines boot at different times, this measure separates these machines even behind a NAT, where you normally see only one IP address. The only problem is that different OS have different clock increments, which can be calculated if several packets per flow are available; otherwise it comes down to OS guessing. The column tcpEcI below denotes this increment.

Unfortunately, newer versions of different OS use a random value per connection, aka flow. Hence, comparing different flows from the same machine yields different uptimes or boot times, rendering the measure useless. Nevertheless, the estimation of tcpEcI is still useful for newer OS.

annoloc2.pcap was acquired in 2002, so if you look at the boot time below you will see a correlation; it works.

tawk '{ print $srcIP, $tcpTmS, $tcpTmER, $tcpEcI, $tcpUtm, $tcpBtm }' ~/results/annoloc2_flows.txt | sort -V | uniq | awkf '$2' | head -n 40 | tcol

18.2.89.211     7748617     849533919  0.01  77486.168268     1022094226.113857
18.2.89.211     7748924     849534263  0.01  77489.238268     1022094226.117551
18.2.89.211     7749342     849534680  0.01  77493.418268     1022094226.112002
18.2.89.211     7749343     849534252  0.01  77493.428268     1022094226.110962
18.2.89.211     7749424     204508834  0.01  77494.238268     1022094226.109821
18.2.89.211     7749524     849534270  0.01  77495.238268     1022094226.114326
18.2.89.211     7749624     849534698  0.01  77496.238268     1022094226.112043
18.2.89.211     7749726     849535064  0.01  77497.258268     1022094226.108770
18.2.89.211     7749831     849534861  0.01  77498.308268     1022094226.110499
18.2.89.211     7749831     849535169  0.01  77498.308268     1022094226.106990
18.2.89.211     7749838     849535176  0.01  77498.378268     1022094226.108500
18.2.89.211     7749938     849535064  0.01  77499.378268     1022094226.111827
18.2.89.211     7749967     849535305  0.01  77499.668268     1022094226.108143
18.85.17.135    22846249    826368     0.01  228462.484893    1021943255.914858
18.85.17.135    22846930    826851     0.01  228469.294893    1021943255.920749
18.107.26.21    103819943   373699105  0.01  1038199.406794   1021133503.026880
18.155.23.221   33847443    43376223   0.01  338474.422435    1021833231.196510
18.155.23.221   33848762    248428209  0.01  338487.612434    1021833231.192676
18.155.23.221   33848960    182165005  0.01  338489.592434    1021833231.189961
18.155.23.221   33849237    6322419    0.01  338492.362434    1021833231.189718
19.24.4.45      1693583440  72029656   0.01  16935834.021455  1005235877.235269
19.24.4.45      1693583872  793132504  0.01  16935838.341455  1005235877.273548
19.29.161.16    19986317    34285718   0.01  199863.165533    1021971858.270386
19.55.36.202    1098236     390486740  0.01  10982.359755     1022160744.225946
19.55.36.202    1098240     8297346    0.01  10982.399755     1022160744.232882
19.59.134.250   199361062   113909808  0.01  1993610.575439   1020178116.063283
19.67.192.174   35424473    785167233  0.01  354244.722082    1021817463.220258
19.67.210.218   4323074     689732     0.1   432307.406442    1021739419.180875
19.114.68.45    78574708    17008889   0.01  785747.062437    1021385960.390762
19.114.68.45    78574918    34284567   0.01  785749.162437    1021385960.391068
19.114.68.45    78575088    72029658   0.01  785750.862437    1021385960.391782
19.139.46.124   29251       785168750  0.1   2925.100044      1022168799.345162
19.169.122.89   1806691     853448585  0.01  18066.909596     1022153659.006621
19.173.18.204   17719695    785166685  0.1   1771969.526404   1020399734.567682
19.173.18.204   17719720    785168065  0.01  177197.196039    1021994520.359783
19.173.18.204   17719731    785168629  0.01  177197.306039    1021994526.080392
19.182.177.87   49516646    34285659   0.01  495166.448932    1021676554.013431
19.182.177.87   144345608   34285961   0.01  1443456.047736   1020728267.433657
19.182.178.138  23254415    34285407   0.01  232544.144802    1021939173.792873
19.182.178.197  139712      853446502  0.1   13971.200208     1022157733.965144
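The following is an added example (not the tutorial's or the tcpFlags plugin's code) covering both the TCP Options and the Boot time estimation sections: it walks the option bytes of a TCP header into a tcpOptions-style bit field (bit n set for option kind n, a convention inferred from the values shown above, so MSS and WS are bits 2 and 3), decodes MSS, window scale and timestamps, and then estimates the tick increment, uptime and boot time from two timestamp samples, plus a NAT bundling count. The SYN options, the capture times and the list of candidate tick rates are assumptions; the TSvals are taken from the 18.2.89.211 rows above.

```python
import struct

OPT_EOL, OPT_NOP, OPT_MSS, OPT_WS, OPT_SACKOK, OPT_TS = 0, 1, 2, 3, 4, 8


def parse_tcp_options(raw: bytes) -> list:
    """Walk TCP option bytes into (kind, data) pairs: EOL stops the walk, NOP has no
    length byte, everything else is kind/length/data. A bogus length raises instead
    of looping forever or reading past the buffer."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def option_summary(raw: bytes) -> dict:
    """Per-packet view analogous to tcpOptCnt/tcpOptions/tcpMSS/tcpWS/tcpTmS/tcpTmER."""
    out = {"tcpOptCnt": 0, "tcpOptions": 0, "tcpMSS": 0, "tcpWS": 0, "tcpTmS": 0, "tcpTmER": 0}
    for kind, data in parse_tcp_options(raw):
        out["tcpOptCnt"] += 1
        if kind < 32:
            out["tcpOptions"] |= 1 << kind   # MSS -> 0x4, WS -> 0x8, so mask 0x0c selects both
        if kind == OPT_MSS and len(data) == 2:
            out["tcpMSS"] = struct.unpack("!H", data)[0]
        elif kind == OPT_WS and len(data) == 1:
            out["tcpWS"] = data[0]
        elif kind == OPT_TS and len(data) == 8:
            out["tcpTmS"], out["tcpTmER"] = struct.unpack("!II", data)
    return out


def estimate_boot_time(samples: list) -> dict:
    """samples: (capture time in s, TSval) pairs from one source, oldest first.
    tcpEcI = seconds per TSval tick, tcpUtm = TSval * tcpEcI, tcpBtm = time - tcpUtm.
    The raw increment is snapped to a common OS tick rate when it is within 10 %."""
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    if v1 <= v0 or t1 <= t0:
        raise ValueError("need two samples with increasing time and TSval")
    inc = (t1 - t0) / (v1 - v0)
    for hz in (1000, 250, 100, 10):   # candidate tick rates chosen for this example
        if abs(inc * hz - 1.0) < 0.1:
            inc = 1.0 / hz
            break
    uptime = v1 * inc
    return {"tcpEcI": inc, "tcpUtm": uptime, "tcpBtm": t1 - uptime}


def hosts_behind_nat(boot_times: list, tolerance_s: float = 2.0) -> int:
    """NAT flow bundling: flows whose boot times agree within tolerance count as one
    machine. Randomised per-connection timestamps (newer OS) show up as one 'host'
    per flow, which is the failure mode described above."""
    clusters = []
    for b in sorted(boot_times):
        if clusters and b - clusters[-1][-1] <= tolerance_s:
            clusters[-1].append(b)
        else:
            clusters.append([b])
    return len(clusters)


# Constructed SYN options: MSS 1460, SACK permitted, timestamps, NOP, window scale 7
SYN_OPTS = bytes.fromhex("020405b4" "0402" "080a0076385900000000" "01" "030307")

# Constructed samples for one 100 Hz host booted at BOOT: TSvals from the first and
# last 18.2.89.211 rows above, capture times made up to match a 0.01 s tick.
BOOT = 1022094226.0
SAMPLES = [(BOOT + 7748617 * 0.01, 7748617), (BOOT + 7749967 * 0.01, 7749967)]

if __name__ == "__main__":
    print(option_summary(SYN_OPTS))
    print(estimate_boot_time(SAMPLES))
```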

The plugin will evolve; as soon as we find something else for this feature, it will be implemented in tcpFlags. So if you have an idea, please contact us; we are happy to cooperate with you on research into such things.

Multipath TCP (MPTCP)

Multipath TCP was developed in order to allow a TCP connection to use multiple paths to optimize resource usage and to increase redundancy. There are several other protocols such as

  • SCTP
  • Multipath QUIC from Google

The constant MPTCP in tcpFlags.h controls the MPTCP dissection. It is enabled by default and decodes the subtype and the different flags. More will be added in the future.

Download the sample pcap iperf-mptcp-0-0.pcap and store it under your ~/data folder. More pcaps are available under https://wiki.wireshark.org/SampleCaptures#MPTCP

t2 -r ~/data/iperf-mptcp-0-0.pcap -w ~/results/ -s

================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 11470
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: tcpFlags, 0.8.14
    03: tcpStates, 0.8.14
    04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/iperf-mptcp-0-0.pcap
Link layer type: PPP [PPP/9]
Dump start: 0.000000 sec (Thu 01 Jan 1970 00:00:00 GMT)
Dump stop : 12.319482 sec (Thu 01 Jan 1970 00:00:12 GMT)
Total dump duration: 12.319482 sec
Finished processing. Elapsed time: 0.117536 sec
Finished unloading flow memory. Time: 0.117741 sec
Percentage completed: 100.00%
Number of processed packets: 2560 (2.56 K)
Number of processed bytes: 2538100 (2.54 M)
Number of raw bytes: 2538100 (2.54 M)
Number of pad bytes: 240
Number of pcap bytes: 2579084 (2.58 M)
Number of IPv4 packets: 2554 (2.55 K) [99.77%]
Number of IPv6 packets: 6 [0.23%]
Number of A packets: 1680 (1.68 K) [65.62%]
Number of B packets: 880 [34.38%]
Number of A bytes: 2483492 (2.48 M) [97.85%]
Number of B bytes: 54608 (54.61 K) [2.15%]
Average A packet load: 1478.27 (1.48 K)
Average B packet load: 62.05
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x0040
tcpFlags: Aggregated tcpFStat=0x8a33
tcpFlags: Aggregated tcpFlags=0x031b
tcpFlags: Aggregated tcpAnomaly=0x0009
tcpFlags: Number of TCP SYN retries, seq retries: 4, 0
tcpFlags: Aggregated MPTCP subtypes: tcpMPTBF=0x000f
tcpFlags: Aggregated MPTCP flags: tcpMPF=0x81
tcpFlags: Number of MPTCP packets: 2557 (2.56 K) [99.88%]
tcpStates: Aggregated tcpStatesAFlags=0x03
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of ICMPv6 packets: 6 [0.23%]
Number of TCP packets: 2554 (2.55 K) [99.77%]
Number of TCP bytes: 2537752 (2.54 M) [99.99%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 8
Number of processed A flows: 6 [75.00%]
Number of processed B flows: 2 [25.00%]
Number of request     flows: 6 [75.00%]
Number of reply       flows: 2 [25.00%]
Total   A/B    flow asymmetry: 0.50
Total req/rply flow asymmetry: 0.50
Number of processed   packets/flows: 320.00
Number of processed A packets/flows: 280.00
Number of processed B packets/flows: 440.00
Number of processed total packets/s: 207.80
Number of processed A+B   packets/s: 207.80
Number of processed A     packets/s: 136.37
Number of processed   B   packets/s: 71.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.65
Average full raw bandwidth: 1648186 b/s (1.65 Mb/s)
Average full bandwidth : 1648186 b/s (1.65 Mb/s)
Max number of flows in memory: 8 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0c0000000000e002
[INF] IPv4 flows
[INF] IPv6 flows
[INF] No Ethernet header
[INF] PPP/HDLC encapsulation

tcpFStat flags MPTCP; 2557 of the 2560 packets are MPTCP packets.

tawk -V tcpFStat=0x8a33

The tcpFStat column with value 0x8a33 is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     1 | 0x0002   | TCP option init
     4 | 0x0010   | Window state-machine initialized
     5 | 0x0020   | Window update
     9 | 0x0200   | WS used
    11 | 0x0800   | Window state-machine count up(1)/down(0)
    15 | 0x8000   | MPTCP detected

The subtypes are coded in a T2 bit field:

tawk -V tcpMPTBF=0x000f

The tcpMPTBF column with value 0x000f is to be interpreted as follows:

   bit | tcpMPTBF | Description
   =============================================================================
     0 | 0x0001   | Multipath Capable
     1 | 0x0002   | Join Connection
     2 | 0x0004   | Data Sequence Signal (Data ACK and data sequence mapping)
     3 | 0x0008   | Add Address

So in the flow file you will see the subtype bit field, the flags, the address ID and the DSS flags, e.g. for subtype 2.

tawk '{ print $srcIP, $srcPort, $dstIP, $dstPort, $l4Proto, $tcpFStat, $tcpMPTBF, $tcpMPF, $tcpMPAID, $tcpMPDSSF }' ~/results/iperf-mptcp-0-0_flows.txt | tcol

srcIP                srcPort  dstIP     dstPort  l4Proto  tcpFStat  tcpMPTBF  tcpMPF  tcpMPAID  tcpMPDSSF
fe80::200:ff:fe00:1  0        ff02::2   0        58       0x0001    0x0000    0x00    0         0x00
fe80::200:ff:fe00:2  0        ff02::2   0        58       0x0001    0x0000    0x00    0         0x00
10.1.1.1             43376    10.2.0.1  5001     6        0x8013    0x0002    0x00    3         0x00
10.1.1.1             57841    10.2.1.1  5001     6        0x8013    0x0002    0x00    3         0x00
10.1.0.1             49078    10.2.1.1  5001     6        0x8213    0x0006    0x00    2         0x15
10.2.1.1             5001     10.1.0.1  49078    6        0x8a33    0x0006    0x00    3         0x15
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    0x000d    0x81    3         0x05
10.2.0.1             5001     10.1.0.1  5001     6        0x8a13    0x000d    0x81    3         0x01

Same for the packet file, except the subType is the actual value instead of a T2 bit field:

tawk '{ print $srcIP, $srcPort, $dstIP, $dstPort, $l4Proto, $tcpFStat, $tcpMPTyp, $tcpMPF, $tcpMPAID, $tcpMPDSSF }' ~/results/iperf-mptcp-0-0_packets.txt | tcol

srcIP                srcPort  dstIP     dstPort  l4Proto  tcpFStat  tcpMPTyp  tcpMPF  tcpMPAID  tcpMPDSSF
fe80::200:ff:fe00:1           ff02::2            58
fe80::200:ff:fe00:2           ff02::2            58
fe80::200:ff:fe00:1           ff02::2            58
fe80::200:ff:fe00:2           ff02::2            58
10.1.0.1             5001     10.2.0.1  5001     6        0x8012    0         0x81    0         0x00
10.2.0.1             5001     10.1.0.1  5001     6        0x8012    0         0x81    0         0x00
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x81    0         0x01
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    3         0x01
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.2.0.1             5001     10.1.0.1  5001     6        0x8213    2         0x00    3         0x01

In future more features will be added.

Fragmentation

Fragmentation is a diverse subject. In IPv4 it should not occur anymore, because today's MTU is generally large enough throughout whole networks. If you see it in your corporate network, it should be investigated. IPv6 is a different story: there, fragmentation is an established tool.

The constant FRAG_ANALYZE in tcpFlags.h controls the fragmentation analysis. Moreover, the constant FRAGMENTATION has to be enabled in tranalyzer.h under the tranalyzer2/src directory, which is the default.

I prepared a pcap which illustrates a pitfall of flow-based representation when fragmentation is present. So download frag.pcap and add basicStats, so that we can look at the packet and payload statistics.
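As an added example (not part of the tutorial or of tcpFlags), the following checker groups IPv4 fragments by (src, dst, IP ID, protocol) and reports the kinds of anomaly the annoloc2 end report warned about ([WRN] IPv4/6 fragmentation header packet missing, [WRN] IPv4/6 packet fragmentation sequence not finished), plus overlaps and a too-short first fragment. The fragment series, addresses and the MIN_FIRST_FRAG threshold are constructed for this example.

```python
from collections import defaultdict
from typing import NamedTuple

# Threshold chosen here: a first fragment shorter than this cannot carry a complete
# TCP header, so filters that key on ports and flags never see the whole header.
MIN_FIRST_FRAG = 16


class Frag(NamedTuple):
    src: str
    dst: str
    ip_id: int
    proto: int
    offset: int    # fragment offset in bytes (header field * 8)
    more: bool     # MF flag
    length: int    # L3 payload bytes carried by this fragment


def check_fragments(frags: list) -> dict:
    """Return {(src, dst, id, proto): {"fragments", "total_len", "warnings"}}."""
    groups = defaultdict(list)
    for f in frags:
        groups[(f.src, f.dst, f.ip_id, f.proto)].append(f)
    report = {}
    for key, parts in groups.items():
        parts.sort(key=lambda f: f.offset)
        warnings = set()
        first = parts[0]
        if first.offset != 0:
            # only the first fragment carries the L4 header (ports, TCP flags)
            warnings.add("fragmentation header packet missing")
        elif first.more and first.length < MIN_FIRST_FRAG:
            warnings.add("tiny first fragment")
        if parts[-1].more:
            warnings.add("fragmentation sequence not finished")   # no MF=0 tail seen
        expected = first.offset
        for f in parts:
            if f.more and f.length % 8:
                warnings.add("non-final fragment length not a multiple of 8")
            if f.offset > expected:
                warnings.add("fragmentation sequence not finished")   # gap in the sequence
            elif f.offset < expected:
                warnings.add("overlapping fragments")
            expected = max(expected, f.offset + f.length)
        report[key] = {"fragments": len(parts), "total_len": expected,
                       "warnings": sorted(warnings)}
    return report


# Constructed fragment series (RFC 1918 addresses chosen for the example)
A, B = "10.0.0.1", "10.0.0.2"
SAMPLE = [
    Frag(A, B, 0x1a2b, 17, 0, True, 1480),      # complete 3-fragment datagram
    Frag(A, B, 0x1a2b, 17, 1480, True, 1480),
    Frag(A, B, 0x1a2b, 17, 2960, False, 500),
    Frag(A, B, 0x1a2c, 17, 1480, True, 1480),   # first fragment missing
    Frag(A, B, 0x1a2c, 17, 2960, False, 200),
    Frag(A, B, 0x1a2d, 17, 0, True, 1480),      # gap: middle fragment never arrived
    Frag(A, B, 0x1a2d, 17, 2960, False, 500),
    Frag(A, B, 0x1a2e, 17, 0, True, 1480),      # last fragment missing
    Frag(A, B, 0x1a2e, 17, 1480, True, 1480),
    Frag(A, B, 0x1a2f, 6, 0, True, 1480),       # overlapping fragments
    Frag(A, B, 0x1a2f, 6, 1472, False, 100),
    Frag(A, B, 0x1a30, 6, 0, True, 8),          # first fragment too short for a TCP header
    Frag(A, B, 0x1a30, 6, 8, False, 100),
]

if __name__ == "__main__":
    for key, rep in check_fragments(SAMPLE).items():
        print(key, rep)
```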

t2build basicStats

Then rerun t2 using the -s option, as we also want to look at the packets.

t2 -r ~/data/frag.pcap -w ~/results/ -s

================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 13607
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: basicStats, 0.8.14
    03: tcpFlags, 0.8.14
    04: tcpStates, 0.8.14
    05: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/frag.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1294260264.274530 sec (Wed 05 Jan 2011 20:44:24 GMT)
Dump stop : 1294260291.961272 sec (Wed 05 Jan 2011 20:44:51 GMT)
Total dump duration: 27.686742 sec
Finished processing. Elapsed time: 0.001058 sec
Finished unloading flow memory. Time: 0.001428 sec
Percentage completed: 100.00%
Number of processed packets: 82
Number of processed bytes: 14857 (14.86 K)
Number of raw bytes: 14857 (14.86 K)
Number of pad bytes: 124
Number of pcap bytes: 16193 (16.19 K)
Number of IPv4 packets: 38 [46.34%]
Number of A packets: 80 [97.56%]
Number of B packets: 2 [2.44%]
Number of A bytes: 14737 (14.74 K) [99.19%]
Number of B bytes: 120 [0.81%]
Average A packet load: 184.21
Average B packet load: 60.00
--------------------------------------------------------------------------------
basicStats: Biggest L2 talker: 00:0d:65:4f:38:94: 14 [17.07%] packets
basicStats: Biggest L2 talker: 00:1e:13:0c:02:07: 780 [5.25%] bytes
basicStats: Biggest L3 talker: 192.168.203.131: 26 [31.71%] packets
basicStats: Biggest L3 talker: 192.168.203.131: 10904 (10.90 K) [73.39%] bytes
tcpFlags: Aggregated ipFlags=0x0860
tcpFlags: Aggregated tcpFStat=0x1011
tcpFlags: Aggregated tcpFlags=0x0c14
tcpFlags: Aggregated tcpAnomaly=0x3180
tcpFlags: Aggregated ipToS=0xc0
tcpFlags: Number of TCP scans attempted, successful: 0, 1 [inf%]
tcpStates: Aggregated tcpStatesAFlags=0xc3
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, average: 2.67
Number of LLC packets: 16 [19.51%]
Number of ICMP packets: 3 [3.66%]
Number of TCP packets: 27 [32.93%]
Number of TCP bytes: 10964 (10.96 K) [73.80%]
Number of UDP packets: 5 [6.10%]
Number of UDP bytes: 763 [5.14%]
Number of IPv4 fragmented packets: 26 [68.42%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 20
Number of processed A flows: 18 [90.00%]
Number of processed B flows: 2 [10.00%]
Number of request     flows: 18 [90.00%]
Number of reply       flows: 2 [10.00%]
Total   A/B    flow asymmetry: 0.80
Total req/rply flow asymmetry: 0.80
Number of processed   packets/flows: 4.10
Number of processed A packets/flows: 4.44
Number of processed B packets/flows: 1.00
Number of processed total packets/s: 2.96
Number of processed A+B   packets/s: 2.96
Number of processed A     packets/s: 2.89
Number of processed   B   packets/s: 0.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.72
Average full raw bandwidth: 4293 b/s (4.29 Kb/s)
Average full bandwidth : 3515 b/s (3.52 Kb/s)
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400081000004044
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] ARP
[INF] IPv4/6 fragmentation

We see that 26 [68.42%] packets are fragmented. Two warnings about fragmentation in the end report indicate abnormalities in the IPv4 fragmented traffic. Below, the fragmented traffic, including the abnormalities, is selected from the flow file. It is one perfectly fragmented packet: all fragments sum up in the numBytesSnt and numBytesRcvd columns.

tawk 'bitsanyset($ipFlags, 0x03b8) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly, $numPktsSnt, $numPktsRcvd, $numBytesSnt, $numBytesRcvd }' ~/results/frag_flows.txt | tcol

%dir  flowInd  flowStat            srcIP            srcIPCC  srcIPOrg           srcPort  dstIP            dstIPCC  dstIPOrg           dstPort  tcpFStat  ipFlags  tcpFlags  tcpAnomaly  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd
A     4        0x0400081000004000  192.168.203.131  07       "Private network"  1509     192.168.203.134  07       "Private network"  0        0x1011    0x0820   0x0800    0x3000      26          1            10000        0

Looking at the packet file, the first packet contains the layer 4 header with the checksum. At the last fragment T2 adds the IP pseudo header and calculates the final checksum, which matches 0x7366 from the TCP header of the initial packet.

tawk 'flow(4)' ~/results/frag_packets.txt | tcol

%pktNo  flowInd  flowStat            time               pktIAT    pktTrip   flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP            srcIPCC  srcIPOrg         srcPort  dstIP            dstIPCC  dstIPOrg         dstPort  l4Proto  pktLen  l7Len  ipToS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq        ack        seqMax     seqDiff  ackDiff  seqLen  ackLen  seqFlowLen  ackFlowLen  tcpMLen  tcpBFlgt  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpWS  tcpMSS  tcpTmS  tcpTmER  tcpOptLen  tcpOpts  tcpStatesAFlags  l7Content
4       4        0x0400009000004000  1294260266.528280  0.000000  0.000000  0.000000      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  1509     192.168.203.134  07       Private network  0        6        434     380    0x00   249    0         0x2000  64     0x4000       0x4000       0x7366       0x0000       0x0020   0                       0                     0                 280548844  777151161  280548844  0        0        0       0       0           0           380      0          0x1010    0x0800    0x1000      512     0      0       0       0        0                   0x81             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5       4        0x0400089000004000  1294260266.528318  0.000038  0.000000  0.000038      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x2032  64     0x3fce       0x3fce       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6       4        0x0400089000004000  1294260266.528335  0.000017  0.000000  0.000055      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x2064  64     0x3f9c       0x3f9c       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7       4        0x0400089000004000  1294260266.528348  0.000013  0.000000  0.000068      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x2096  64     0x3f6a       0x3f6a       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8       4        0x0400089000004000  1294260266.528363  0.000015  0.000000  0.000083      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x20c8  64     0x3f38       0x3f38       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9       4        0x0400089000004000  1294260266.528383  0.000020  0.000000  0.000103      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x20fa  64     0x3f06       0x3f06       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
10      4        0x0400089000004000  1294260266.528404  0.000021  0.000000  0.000124      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x212c  64     0x3ed4       0x3ed4       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
11      4        0x0400089000004000  1294260266.528424  0.000020  0.000000  0.000144      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x215e  64     0x3ea2       0x3ea2       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
12      4        0x0400089000004000  1294260266.528443  0.000019  0.000000  0.000163      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x2190  64     0x3e70       0x3e70       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
13      4        0x0400089000004000  1294260266.528462  0.000019  0.000000  0.000182      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x21c2  64     0x3e3e       0x3e3e       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
14      4        0x0400089000004000  1294260266.528480  0.000018  0.000000  0.000200      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x21f4  64     0x3e0c       0x3e0c       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
15      4        0x0400089000004000  1294260266.528497  0.000017  0.000000  0.000217      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x2226  64     0x3dda       0x3dda       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
16      4        0x0400089000004000  1294260266.528512  0.000015  0.000000  0.000232      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x2258  64     0x3da8       0x3da8       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
17      4        0x0400089000004000  1294260266.528526  0.000014  0.000000  0.000246      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x228a  64     0x3d76       0x3d76       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
18      4        0x0400089000004000  1294260266.528544  0.000018  0.000000  0.000264      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x22bc  64     0x3d44       0x3d44       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
19      4        0x0400089000004000  1294260266.528561  0.000017  0.000000  0.000281      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x22ee  64     0x3d12       0x3d12       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
20      4        0x0400089000004000  1294260266.528575  0.000014  0.000000  0.000295      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x2320  64     0x3ce0       0x3ce0       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
21      4        0x0400089000004000  1294260266.528588  0.000013  0.000000  0.000308      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x2352  64     0x3cae       0x3cae       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
22      4        0x0400089000004000  1294260266.528601  0.000013  0.000000  0.000321      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x2384  64     0x3c7c       0x3c7c       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
23      4        0x0400089000004000  1294260266.528613  0.000012  0.000000  0.000333      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x23b6  64     0x3c4a       0x3c4a       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
24      4        0x0400089000004000  1294260266.528626  0.000013  0.000000  0.000346      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x23e8  64     0x3c18       0x3c18       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
25      4        0x0400089000004000  1294260266.528776  0.000150  0.000000  0.000496      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x241a  64     0x3be6       0x3be6       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
26      4        0x0400089000004000  1294260266.528818  0.000042  0.000000  0.000538      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x244c  64     0x3bb4       0x3bb4       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
27      4        0x0400089000004000  1294260266.528854  0.000036  0.000000  0.000574      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x247e  64     0x3b82       0x3b82       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
28      4        0x0400089000004000  1294260266.528889  0.000035  0.000000  0.000609      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     400    0x00   249    0         0x24b0  64     0x3b50       0x3b50       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
29      4        0x0400081000004000  1294260266.528923  0.000034  0.000000  0.000643      3        eth:ipv4:tcp             00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        54      20     0x00   249    0         0x04e2  64     0x5c9a       0x5c9a       0x7366       0x5f52       0x0800   0                       0                     0                                                                                                                                                                                                                                             XXXXXXXXXXXXXXXXXXXX
30      4        0x0400000000004001  1294260266.529423  0.000000  0.000500  0.000000      3        eth:ipv4:tcp             00:0f:ea:e8:f5:51  00:24:e8:ed:3f:10  0x0800   192.168.203.134  07       Private network  0        192.168.203.131  07       Private network  1509     6        60      0      0x00   14196  0         0x4000  64     0xeb00       0xeb00       0x83db       0x83db       0x0040   0                       0                     0                 0          280558844  0          0        0        0       0       0           0           0        0          0x0010    0x0414    0x0180      0       0      0       0       0        0                   0x40
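The reassembly and checksum step described above, written out as an added example; this is not Tranalyzer code and uses no T2 internals. It decodes the ipFrag column (MF bit plus 13-bit offset in 8-byte units, so 0x2032 is offset 400 with more fragments to come and 0x04e2 is the last fragment at offset 10000), reassembles fragments from a constructed TCP segment regardless of arrival order, and only then computes the TCP checksum over the IPv4 pseudo header plus the whole segment and compares it with the value carried in the first fragment's TCP header. The addresses and ports are taken from flow 4; the payload and the 400-byte fragment size are constructed. It also shows the two cases a fragment-aware checker has to handle: a fragment that never arrives (no verdict is possible) and a corrupted fragment (reassembly works, the checksum fails).

```python
import struct

MF = 0x2000           # "More Fragments" bit of the IPv4 flags/fragment-offset field
OFFSET_MASK = 0x1fff  # 13-bit fragment offset, counted in 8-byte units
IPPROTO_TCP = 6


def decode_frag_field(ipfrag):
    """Split the ipFrag column value into (more_fragments, byte_offset)."""
    return bool(ipfrag & MF), (ipfrag & OFFSET_MASK) * 8


def ones_complement_sum(data):
    """Internet checksum accumulator over 16-bit big-endian words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum over the IPv4 pseudo header and the complete segment
    (header with a zeroed checksum field, followed by the payload)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xffff


def build_segment(src_port, dst_port, seq, ack, payload, src_ip, dst_ip):
    """Constructed TCP segment (PSH|ACK, window 512, no options) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, 0x18, 512, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def fragment(ip_payload, frag_size):
    """Split an IP payload into (ipFrag field, bytes) tuples like a sending host:
    every fragment but the last is a multiple of 8 bytes long and carries MF."""
    assert frag_size % 8 == 0
    frags = []
    for off in range(0, len(ip_payload), frag_size):
        chunk = ip_payload[off:off + frag_size]
        last = off + frag_size >= len(ip_payload)
        frags.append(((0 if last else MF) | (off // 8), chunk))
    return frags


def reassemble(fragments):
    """Return the reassembled IP payload, or None when a fragment is missing,
    fragments overlap, or data follows the fragment without MF."""
    pieces = sorted(
        (decode_frag_field(field)[1], decode_frag_field(field)[0], data)
        for field, data in fragments
    )
    out, expect, saw_last = b"", 0, False
    for offset, more, data in pieces:
        if saw_last or offset != expect:
            return None
        out += data
        expect = offset + len(data)
        saw_last = not more
    return out if saw_last else None


def verify_fragmented_segment(fragments, src_ip, dst_ip):
    """Buffer fragments; once the segment is complete, add the pseudo header and
    compare the computed checksum with the one carried in the TCP header.
    Returns True/False for a verdict, None if the segment never completed."""
    segment = reassemble(fragments)
    if segment is None:
        return None
    carried = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return carried == tcp_checksum(src_ip, dst_ip, zeroed)


def demo():
    src_ip = bytes([192, 168, 203, 131])   # addresses and ports as in flow 4
    dst_ip = bytes([192, 168, 203, 134])
    payload = bytes(range(256)) * 4        # 1024 constructed data bytes
    segment = build_segment(1509, 0, 280548844, 777151161, payload, src_ip, dst_ip)
    frags = fragment(segment, 400)         # 400-byte fragments as in frag.pcap
    frags.reverse()                        # arrival order must not matter
    ok = verify_fragmented_segment(frags, src_ip, dst_ip)
    missing = verify_fragmented_segment(frags[1:], src_ip, dst_ip)   # hole: no verdict
    field, data = frags[0]                                           # flip one payload byte
    corrupted = [(field, data[:-1] + bytes([data[-1] ^ 0xff]))] + frags[1:]
    bad = verify_fragmented_segment(corrupted, src_ip, dst_ip)
    return ok, missing, bad


if __name__ == "__main__":
    print(demo())
```

The l7Len column of flow 4 illustrates the same accounting: 380 bytes of data in the first fragment (400 bytes minus the 20-byte TCP header), 24 fragments of 400 bytes and a 20-byte tail add up to the 10000 bytes reported in numBytesSnt.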

Detecting Scans

Scans are normally the initiation of a more serious attack. Nevertheless, a lot of normal TCP traffic looks like scanning. Anybody who has used SNORT, the de facto standard IDS, may have suffered from interpreting all its scan alarms. So the alarms need filtering.

I once needed an indication in the end report and in the flow/packet file whether a malicious TCP scan is going on. It is not perfect, but it often served its purpose.

To see its effect clearly, please download nmap_v_sT.pcap, copy it into your data folder and rerun t2. The pcap was generated by the nmap scanning tool.

t2 -r ~/data/nmap_v_sT.pcap -w ~/results/

================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 27141
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: basicStats, 0.8.14
    03: tcpFlags, 0.8.14
    04: tcpStates, 0.8.14
    05: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/nmap_v_sT.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1416313200.358106 sec (Tue 18 Nov 2014 12:20:00 GMT)
Dump stop : 1416313214.101341 sec (Tue 18 Nov 2014 12:20:14 GMT)
Total dump duration: 13.743235 sec
Finished processing. Elapsed time: 0.017391 sec
Finished unloading flow memory. Time: 0.041641 sec
Percentage completed: 100.00%
Number of processed packets: 1081 (1.08 K)
Number of processed bytes: 83786 (83.79 K)
Number of raw bytes: 83786 (83.79 K)
Number of pcap bytes: 101106 (101.11 K)
Number of IPv4 packets: 1081 (1.08 K) [100.00%]
Number of A packets: 1081 (1.08 K) [100.00%]
Number of A bytes: 83786 (83.79 K) [100.00%]
Average A packet load: 77.51
Average B packet load: 0.00
--------------------------------------------------------------------------------
basicStats: Biggest L3 talker: 10.20.6.125: 16 [1.48%] packets
basicStats: Biggest L3 talker: 10.20.6.125: 2832 (2.83 K) [3.38%] bytes
tcpFlags: Aggregated ipFlags=0x0044
tcpFlags: Aggregated tcpFStat=0x0013
tcpFlags: Aggregated tcpFlags=0x803b
tcpFlags: Aggregated tcpAnomaly=0x1008
tcpFlags: Aggregated ipToS=0x04
tcpFlags: Number of TCP scans attempted, successful: 1039 (1.04 K), 0 [0.00%]
tcpStates: Aggregated tcpStatesAFlags=0x83
--------------------------------------------------------------------------------
Headers count: min: 3, max: 4, average: 3.00
Number of ICMP packets: 16 [1.48%]
Number of TCP packets: 1057 (1.06 K) [97.78%]
Number of TCP bytes: 78218 (78.22 K) [93.35%]
Number of UDP packets: 8 [0.74%]
Number of UDP bytes: 2736 (2.74 K) [3.27%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 1042 (1.04 K)
Number of processed A flows: 1042 (1.04 K) [100.00%]
Number of request     flows: 1042 (1.04 K) [100.00%]
Total   A/B    flow asymmetry: 1.00
Total req/rply flow asymmetry: 1.00
Number of processed   packets/flows: 1.04
Number of processed A packets/flows: 1.04
Number of processed total packets/s: 78.66
Number of processed A+B   packets/s: 78.66
Number of processed A     packets/s: 78.66
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 75.82
Average full raw bandwidth: 48772 b/s (48.77 Kb/s)
Average full bandwidth : 48772 b/s (48.77 Kb/s)
Max number of flows in memory: 1042 (1.04 K) [0.40%]
Memory usage: 0.02 GB [0.02%]
Aggregated flowStat=0x0400100002004000
[WRN] Consecutive duplicate IP ID
[INF] IPv4 flows
[INF] SSDP/UPnP

tawk -V tcpFlags=0x803b -V tcpAnomaly=0x1008 -V ipToS=0x04

The tcpFlags column with value 0x803b is to be interpreted as follows:

   bit | tcpFlags | Description
   =============================================================================
     0 | 0x0001     | FIN: No more data, finish connection
     1 | 0x0002     | SYN: Synchronize sequence numbers
     3 | 0x0008     | PSH: Push data
     4 | 0x0010     | ACK: Acknowledgement field value valid
     5 | 0x0020     | URG: Urgent pointer valid
    15 | 0x8000     | Potential Xmas scan packet or malicious channel


The tcpAnomaly column with value 0x1008 is to be interpreted as follows:

   bit | tcpAnomaly | Description
   =============================================================================
     3 | 0x0008     | Duplicate ACK
    12 | 0x1000     | Scan detected in flow


The ipToS column with value 0x04 is to be interpreted as follows:

   bit | ipToS    | Description
   =============================================================================
     2 | 0x04     | Precedence 0

Below, the first 20 rows of the flow file that contain scans are printed:

tawk 'bitsanyset($tcpAnomaly, 0x1000)' ~/results/nmap_v_sT_flows.txt | head -n 10 | tcol

%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP        dstIPCC  dstIPOrg           dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT  aveIAT  stdIAT  pktps  bytps  pktAsm  bytAsm  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipToS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpBFlgtMx  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpMPTBF  tcpMPF  tcpMPAID  tcpMPdssF  tcpTmS   tcpTmER  tcpEcI  tcpUtm        tcpBtm             tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStatesAFlags
A     1        0x0400000000004000  1416313200.358106  1416313200.358106  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  54118    10.20.0.125  04       "Private network"  587      6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2868435842  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3992845  0        0.004   15971.380759  1416297228.977348  0              65535             0                 0                 0                    0             0                0x03
A     2        0x0400000000004000  1416313200.457149  1416313200.457149  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  33056    10.20.0.125  04       "Private network"  1720     6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2506148143  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3992875  0        0.004   15971.500759  1416297228.956391  0              65535             0                 0                 0                    0             0                0x03
A     3        0x0400000000004000  1416313201.458313  1416313201.458313  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  45750    10.20.0.125  04       "Private network"  1720     6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1770850395  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993175  0        0.004   15972.700759  1416297228.757555  0              65535             0                 0                 0                    0             0                0x03
A     4        0x0400000000004000  1416313201.458361  1416313201.458361  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  38704    10.20.0.125  04       "Private network"  587      6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3336324932  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993175  0        0.004   15972.700759  1416297228.757603  0              65535             0                 0                 0                    0             0                0x03
A     5        0x0400000000004000  1416313201.557900  1416313201.557900  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  50322    10.20.0.125  04       "Private network"  995      6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3712758514  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993205  0        0.004   15972.820759  1416297228.737142  0              65535             0                 0                 0                    0             0                0x03
A     6        0x0400000000004000  1416313201.558981  1416313201.558981  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  45384    10.20.0.125  04       "Private network"  135      6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2792320487  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993206  0        0.004   15972.824759  1416297228.734223  0              65535             0                 0                 0                    0             0                0x03
A     7        0x0400000000004000  1416313201.559756  1416313201.559756  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  55726    10.20.0.125  04       "Private network"  443      6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  742007355   0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993206  0        0.004   15972.824759  1416297228.734998  0              65535             0                 0                 0                    0             0                0x03
A     8        0x0400000000004000  1416313201.759706  1416313201.759706  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  55879    10.20.0.125  04       "Private network"  443      6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3280881276  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993266  0        0.004   15973.064759  1416297228.694948  0              65535             0                 0                 0                    0             0                0x03
A     9        0x0400000000004000  1416313201.759861  1416313201.759861  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  45598    10.20.0.125  04       "Private network"  135      6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3916203706  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993266  0        0.004   15973.064759  1416297228.695103  0              65535             0                 0                 0                    0             0                0x03
...

tawk '$numPktsSnt > 1' ~/results/nmap_v_sT_flows.txt | tcol

%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc        srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP        dstIPCC  dstIPOrg           dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT     stdIAT     pktps     bytps     pktAsm  bytAsm  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipToS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpBFlgtMx  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpMPTBF  tcpMPF  tcpMPAID  tcpMPdssF  tcpTmS      tcpTmER  tcpEcI  tcpUtm           tcpBtm             tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStatesAFlags
A     1035     0x0400100000004000  1416313207.526140  1416313209.202341  1.676201  1           3        eth:ipv4:udp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56907    10.20.0.125  04       "Private network"  41661    17       4           0            1200         0             300       300       300         0           0       0.571979  0.4190502  0.1840924  2.386349  715.9046  1       1       0x0001    0           0           51        51        0         0x00   0x0000   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0           0               0               0           0                      0               0           0             0            0            0            0               0              0                  0             0x0000    0x0000      0             0          0x00000000  0       0      0x0000    0x00    0         0x00       0           0        0       0.000000         0.000000           0              65535             0                 0                 0                    0             0                0x00
A     1036     0x0400000000004000  1416313207.600509  1416313209.299168  1.698659  1           3        eth:ipv4:tcp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56862    10.20.0.125  04       "Private network"  41089    6        4           0            0            0             0         0         0           0           0       0.58213   0.4246647  0.1861713  2.354799  0         1       0       0x0013    14560       41214       40        53        3         0x00   0x0004   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2449289213  0           0               0               0           0                      0               0           31337         31337        31337        31337        0               0              0                  0             0x0002    0x1000      4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363537.309168  0              65535             0                 0                 0                    0             0                0x03
A     1037     0x0400000000004000  1416313207.670968  1416313209.394928  1.723960  1           3        eth:ipv4:tcp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56863    10.20.0.125  04       "Private network"  41089    6        4           0            0            0             0         0         0           0           0       0.582315  0.43099    0.187417   2.320239  0         1       0       0x0013    723         11955       50        54        2         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2449289213  4           0               0               4           0                      3               0           32768         32768        32768        32768        0               0              0                  0             0x0010    0x0008      4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363537.404928  0              65535             0                 0                 0                    0             0                0x03
A     1038     0x0400000000004000  1416313207.768806  1416313209.490977  1.722171  1           3        eth:ipv4:tcp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56864    10.20.0.125  04       "Private network"  41089    6        4           0            0            0             0         0         0           0           0       0.579505  0.4305428  0.1871625  2.32265   0         1       0       0x0013    5943        47665       43        56        3         0x00   0x0004   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2449289213  0           0               0               0           0                      0               0           65535         65535        65535        65535        0               0              0                  0             0x8029    0x1000      4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363537.500977  0              65535             0                 0                 0                    0             0                0x83
A     1034     0x0400000000004000  1416313207.399029  1416313213.771996  6.372967  1           3        eth:ipv4:icmp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  0        10.20.0.125  04       "Private network"  0        1        16          0            2160         0             120       150       135         13.60319    0       3.084397  0.3983104  0.6733372  2.510605  338.9316  1       1       0x0001    24122       39230       37        59        14        0x04   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0           0               0               0           0                      0               0           0             0            0            0            0               0              0                  0             0x0000    0x0000      0             0          0x00000000  0       0      0x0000    0x00    0         0x00       0           0        0       0.000000         0.000000           0              65535             0                 0                 0                    0             0                0x00
A     1039     0x0400100000004000  1416313212.383429  1416313213.855100  1.471671  1           3        eth:ipv4:udp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56907    10.20.0.125  04       "Private network"  44093    17       4           0            1200         0             300       300       300         0           0       0.497902  0.3679178  0.1605711  2.717999  815.3997  1       1       0x0001    0           0           56        56        0         0x00   0x0000   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0           0               0               0           0                      0               0           0             0            0            0            0               0              0                  0             0x0000    0x0000      0             0          0x00000000  0       0      0x0000    0x00    0         0x00       0           0        0       0.000000         0.000000           0              65535             0                 0                 0                    0             0                0x00
A     1040     0x0400000000004000  1416313212.449125  1416313213.938839  1.489714  1           3        eth:ipv4:tcp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56862    10.20.0.125  04       "Private network"  36508    6        4           0            0            0             0         0         0           0           0       0.50196   0.3724285  0.1617426  2.685079  0         1       0       0x0013    3237        53852       43        57        3         0x00   0x0004   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3748830669  0           0               0               0           0                      0               0           31337         31337        31337        31337        0               0              0                  0             0x0002    0x1000      4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363541.948839  0              65535             0                 0                 0                    0             0                0x03
A     1041     0x0400000000004000  1416313212.530015  1416313214.021189  1.491174  1           3        eth:ipv4:tcp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56863    10.20.0.125  04       "Private network"  36508    6        4           0            0            0             0         0         0           0           0       0.498118  0.3727935  0.1617746  2.68245   0         1       0       0x0013    10342       29962       41        52        3         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3748830669  4           0               0               4           0                      3               0           32768         32768        32768        32768        0               0              0                  0             0x0010    0x0008      4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363542.031189  0              65535             0                 0                 0                    0             0                0x03
A     1042     0x0400000000004000  1416313212.619118  1416313214.101341  1.482223  1           3        eth:ipv4:tcp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56864    10.20.0.125  04       "Private network"  36508    6        4           0            0            0             0         0         0           0           0       0.494521  0.3705558  0.1608062  2.698649  0         1       0       0x0013    3455        6768        47        56        3         0x00   0x0004   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3748830669  0           0               0               0           0                      0               0           65535         65535        65535        65535        0               0              0                  0             0x8029    0x1000      4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363542.111341  0              65535             0                 0                 0                    0             0                0x83

The value tcpFlags=0x0002 (only the SYN bit set over the whole flow) is another criterion for selecting unsuccessful SYN scan flows. The aggregated TCP flags indicate that these flows are unanswered SYN scans.

What is odd is the high window scale factor; the random initial window size and the TTL indicate a Linux platform. Is it malicious?
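As an added example (not part of this tutorial and not Tranalyzer's own code), the following Python script applies the same bit tests as the tawk filters above to a txtSink flow file: it decodes tcpFlags/tcpAnomaly values with the tables shown on this page, selects the flows carrying the scan bit 0x1000, counts per source host the unanswered SYN-only flows and the Xmas-flagged flows, and collects the distinct target ports those scan flows hit. It assumes the default tab-separated txtSink layout with a header line starting with '%'; the sample file embedded below is constructed with a reduced column set (rows 1, 2, 1034, 1037 and 1038 carry the values printed above, row 2000 is an invented completed connection used as a benign control), the RST bit 0x0004 is taken from the standard TCP flag layout rather than from the page's table, and the min_ports threshold is an assumption to tune per network.

```python
"""Scan triage over a Tranalyzer flow file (added example, not project code)."""
from collections import defaultdict

# Bit meanings as decoded by `tawk -V` on this page; 0x0004 (RST) follows the
# standard TCP flag layout and is not part of the page's table for 0x803b.
TCP_FLAGS_BITS = {
    0x0001: "FIN: No more data, finish connection",
    0x0002: "SYN: Synchronize sequence numbers",
    0x0004: "RST: Reset connection",
    0x0008: "PSH: Push data",
    0x0010: "ACK: Acknowledgement field value valid",
    0x0020: "URG: Urgent pointer valid",
    0x8000: "Potential Xmas scan packet or malicious channel",
}
TCP_ANOMALY_BITS = {0x0008: "Duplicate ACK", 0x1000: "Scan detected in flow"}
ANOMALY_SCAN = 0x1000
FLAGS_XMAS = 0x8000
FLAGS_SYN_ONLY = 0x0002

# Constructed sample in the txtSink layout (tab separated, '%' header) with a
# reduced column set. Row 2000 is an invented benign, completed connection.
SAMPLE_FLOW_FILE = "\n".join([
    "%dir\tflowInd\tsrcIP\tsrcPort\tdstIP\tdstPort\tl4Proto\tnumPktsSnt"
    "\tnumPktsRcvd\ttcpFlags\ttcpAnomaly\ttcpInitWinSz\tipMinTTL",
    "A\t1\t10.20.6.125\t54118\t10.20.0.125\t587\t6\t1\t0\t0x0002\t0x1000\t29200\t64",
    "A\t2\t10.20.6.125\t33056\t10.20.0.125\t1720\t6\t1\t0\t0x0002\t0x1000\t29200\t64",
    "A\t1034\t10.20.6.125\t0\t10.20.0.125\t0\t1\t16\t0\t0x0000\t0x0000\t0\t37",
    "A\t1037\t10.20.6.125\t56863\t10.20.0.125\t41089\t6\t4\t0\t0x0010\t0x0008\t32768\t50",
    "A\t1038\t10.20.6.125\t56864\t10.20.0.125\t41089\t6\t4\t0\t0x8029\t0x1000\t65535\t43",
    "A\t2000\t10.20.6.200\t50000\t10.20.0.5\t443\t6\t12\t11\t0x001b\t0x0000\t29200\t64",
])

INT_COLUMNS = ("flowInd", "srcPort", "dstPort", "l4Proto", "numPktsSnt",
               "numPktsRcvd", "tcpFlags", "tcpAnomaly", "tcpInitWinSz", "ipMinTTL")


def _to_int(value):
    """Parse a flow-file number; bit-field columns are written with a 0x prefix."""
    return int(value, 16) if value.startswith("0x") else int(value)


def parse_flow_file(text):
    """Return one dict per flow, keyed by header names (leading '%' dropped)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split("\t")
    flows = []
    for line in lines[1:]:
        if line.startswith("%"):          # repeated header line, skip it
            continue
        row = dict(zip(header, line.split("\t")))
        for key in INT_COLUMNS:
            row[key] = _to_int(row[key])
        flows.append(row)
    return flows


def decode_bits(value, table):
    """Expand a bit field into the descriptions of its set bits, like tawk -V."""
    return [desc for bit, desc in sorted(table.items()) if value & bit]


def is_unanswered_syn(flow):
    """Only SYN seen over the whole flow and nothing received: a failed SYN scan."""
    return (flow["l4Proto"] == 6 and flow["tcpFlags"] == FLAGS_SYN_ONLY
            and flow["numPktsRcvd"] == 0)


def select_scan_flows(flows):
    """Same selection as tawk 'bitsanyset($tcpAnomaly, 0x1000)'."""
    return [f for f in flows if f["tcpAnomaly"] & ANOMALY_SCAN]


def scan_summary(flows):
    """Per source host: scan-flagged, unanswered-SYN and Xmas flow counts, the
    distinct ports hit by scan-flagged flows, and the TTL/window values seen."""
    summary = defaultdict(lambda: {"scan_flows": 0, "unanswered_syn": 0,
                                   "xmas_flows": 0, "scan_ports": set(),
                                   "init_win": set(), "min_ttl": set()})
    for f in flows:
        if f["l4Proto"] != 6:             # TCP only; ICMP/UDP rows carry no flags
            continue
        s = summary[f["srcIP"]]
        s["init_win"].add(f["tcpInitWinSz"])
        s["min_ttl"].add(f["ipMinTTL"])
        if f["tcpAnomaly"] & ANOMALY_SCAN:
            s["scan_flows"] += 1
            s["scan_ports"].add(f["dstPort"])
        if is_unanswered_syn(f):
            s["unanswered_syn"] += 1
        if f["tcpFlags"] & FLAGS_XMAS:
            s["xmas_flows"] += 1
    return dict(summary)


def suspect_scanners(summary, min_ports=3):
    """Hosts whose scan-flagged flows touched at least min_ports distinct
    ports; the threshold is an assumption, tune it for your network."""
    return sorted(ip for ip, s in summary.items() if len(s["scan_ports"]) >= min_ports)


if __name__ == "__main__":
    flows = parse_flow_file(SAMPLE_FLOW_FILE)
    print("tcpFlags 0x803b:", decode_bits(0x803b, TCP_FLAGS_BITS))
    summary = scan_summary(flows)
    for ip, s in summary.items():
        print(ip, {k: (sorted(v) if isinstance(v, set) else v) for k, v in s.items()})
    print("suspect scanners:", suspect_scanners(summary))
```

Pointing parse_flow_file at the real ~/results/nmap_v_sT_flows.txt works as long as the columns named in INT_COLUMNS are present, which they are with basicFlow, basicStats and tcpFlags loaded; the per-host view is what makes the difference between one stray SYN and a host walking through a port list.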

Conclusion

You may now reset the whole configuration of T2 to ensure that in the next tutorial all flags are properly set to default.

t2conf --reset -a

Look at the other pcaps and check out the scan alarms.

Have fun!