IP/TCP troubleshooting (tcpFlags)


IP/TCP header features

In this tutorial we will show you the hidden power of layers 3/4 for troubleshooting, security and admin applications. Everything is integrated in one plugin: tcpFlags. Its name is a bit misleading, as it evolved during practical application from a simple TCP flags decoder to a full-blown troubleshooting plugin for L3/4. Hence, it provides the following features:

  • TCP warning bits for troubleshooting, similar to Wireshark/TShark
  • OS and application fingerprinting (TTL, initial window size, flags)
  • Host load estimation (IPv4 IPID)
  • L3/4 options
  • Sequence/Acknowledge Number Tricks
  • NAT flow bundling: boot time estimation, host clock estimation (OS fingerprinting)
  • Multipath TCP (MPTCP)
  • Trip and Round Trip Time (RTT), jitter estimation
  • L3/4 checksum evaluation
  • Protocol anomalies
  • Fragmentation anomalies
  • Flow health: window size statistics, bytes in flight
  • Scan detection support

If you read The Basics tutorial, you already had a glimpse of some basic features of tcpFlags. Here we will explain the application of these features. Note that you need tcpFlags plugin version 0.8.14 or higher, so that the output on your command line matches the website.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow tcpFlags tcpStates txtSink

...
BUILD SUCCESSFUL

If you did not create a separate data and results directory yet, please do it now in another bash window; it facilitates your workflow:

mkdir ~/data ~/results

The sample PCAPs used in this tutorial can be downloaded here:

Please save them in your ~/data folder.

Now you are all set!

tcpFlags default

Let’s start with tcpFlags in minimal mode.

Since version 0.8.14, the tcpFlags anomaly bits moved a bit closer to Wireshark and the flag bits for the TCP header changed. The IP ToS can now be represented in different forms.

A lot is different now, but it is a bit easier to interpret for the troubleshooter.

Nevertheless, the settings stayed the same. Open tcpFlags.h in the tcpFlags plugin folder:

tcpFlags

vi src/tcpFlags.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define IPTOS            0 // IPv4 ToS / IPv6 Class:
                           //   0: IP ToS hex
                           //   1: DSCP_ECN dec
                           //   2: Precedence(1-7)_ECN

#define RTT_ESTIMATE     1 // 1: Round trip time estimation
#define IPCHECKSUM       2 // Checksum calculation
                           //   0: No checksum calculation
                           //   1: Calculation of L3 (IP) header checksum
                           //   2: Calculation of L3 (IP) and L4 (TCP, UDP, ...) checksum

#define WINDOWSIZE       1 // 1: Calculation of TCP window size parameters
#define WINMIN           1 // Minimal window size threshold defining a healthy communication
                           // (only packets below the threshold are counted)
#define SEQ_ACK_NUM      1 // 1: SEQ/ACK number feature analysis
#define FRAG_ANALYZE     1 // 1: Fragmentation analysis
#define NAT_BT_EST       1 // 1: NAT boot time estimation
#define SCAN_DETECTOR    1 // 1: Scan flow detector
#define MPTCP            1 // 1: Dissect MPTCP
#define TCPJA4T          0 // 1: JA4 Output Syn/Syn-Ack, 0: T2 output for these values
#define JA4TOPTMX        20 // Maximal options stored in flow, requires JA4T = 1
#define TCPFLGCNT        0 // TCP Flags Count

// The following options require SEQ_ACK_NUM = 1

#define SPKTMD_SEQACKREL 0 // SEQ/ACK numbers representation (-s option):
                           //   0: absolute,
                           //   1: relative

#define SPKTMD_SEQACKHEX 0 // SEQ/ACK numbers representation (-s option):
                           //   0: uint32_t
                           //   1: hex32

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

/*         No env / runtime configuration flags available for tcpFlags        */

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

The constants SPKTMD_SEQACKREL and SPKTMD_SEQACKHEX refer to the packet mode and select absolute or relative SEQ/ACK number output and decimal or hex representation respectively; see the packet mode tutorial. All the other switches we will discuss in the following chapters. First, let’s look at the end report.

Now invoke t2 with the -s option.

t2 -s -r ~/data/faf-exercise.pcap -w ~/results

================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 21416, Prio: 0, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: tcpFlags, 0.9.1
    03: tcpStates, 0.9.1
    04: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/faf-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1258544215.037210000 sec (Wed 18 Nov 2009 11:36:55 GMT)
Dump stop : 1258594491.683288000 sec (Thu 19 Nov 2009 01:34:51 GMT)
Total dump duration: 50276.646078000 sec (13h 57m 56s)
Finished processing. Elapsed time: 0.136815419 sec
Finished unloading flow memory. Time: 0.136854832 sec
Percentage completed: 100.00%
Number of processed packets: 5902 (5.90 K)
Number of processed bytes: 4993414 (4.99 M)
Number of raw bytes: 4993414 (4.99 M)
Number of pcap bytes: 5087870 (5.09 M)
Number of IPv4 packets: 5902 (5.90 K) [100.00%]
Number of A packets: 1986 (1.99 K) [33.65%]
Number of B packets: 3916 (3.92 K) [66.35%]
Number of A bytes: 209315 (209.31 K) [4.19%]
Number of B bytes: 4784099 (4.78 M) [95.81%]
<A packet load>: 105.40
<B packet load>: 1221.68 (1.22 K)
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x0044
tcpFlags: Aggregated tcpFStat=0x4ff1
tcpFlags: Aggregated tcpFlags=0x071f
tcpFlags: Aggregated tcpAnomaly=0x02cc
tcpFlags: Number of TCP SYN retries, seq retries: 0, 27
tcpFlags: Number WinSz below 1: 3 [0.05%]
tcpStates: Aggregated tcpStatesAFlags=0x4a
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of TCP packets: 5902 (5.90 K) [100.00%]
Number of TCP bytes: 4993414 (4.99 M) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 72
Number of processed IPv4 flows: 72 [100.00%]
Number of processed A    flows: 36 [50.00%]
Number of processed B    flows: 36 [50.00%]
Number of request        flows: 36 [50.00%]
Number of reply          flows: 36 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed A+B packets/A+B flows: 81.97
Number of processed A   packets/A   flows: 55.17
Number of processed   B packets/  B flows: 108.78
Number of processed total packets/s: 0.12
Number of processed A+B   packets/s: 0.12
Number of processed A     packets/s: 0.04
Number of processed   B   packets/s: 0.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.00
<Bandwidth>: 792 b/s
<Raw bandwidth>: 795 b/s
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.04 GB [0.05%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows

Between the dashed lines tcpFlags reports a summary of the flow variables tcpFStat, tcpFlags, ipFlags and tcpAnomaly, as well as the SYN retry and window size threshold counts.

Note that the bits are now grouped strictly by topic: window, flags, IP header and TCP anomalies. The scan bits moved to tcpFlags, which became a 16 bit field, so bit combinations such as FIN ACK are now in the upper byte of the tcpFlags status bit field.

Let’s have a look at them:

tawk -V tcpFStat=0x4ff1 -V ipFlags=0x0044 -V tcpFlags=0x071f -V tcpAnomaly=0x02cc

The tcpFStat column with value 0x4ff1 is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     4 | 0x0010   | Window state-machine initialized
     5 | 0x0020   | Window update
     6 | 0x0040   | Win 0 probe
     7 | 0x0080   | Win 0 probe ACK
     8 | 0x0100   | Min Window detected
     9 | 0x0200   | WS used
    10 | 0x0400   | Window full
    11 | 0x0800   | Window state-machine count up(1)/down(0)
    14 | 0x4000   | TCP Selective ACK Option


The ipFlags column with value 0x0044 is to be interpreted as follows:

   bit | ipFlags | Description
   =============================================================================
     2 | 0x0004  | IPv4 ID roll over
     6 | 0x0040  | IPv4: Don't Fragment bit, IPv6: reserve bit


The tcpFlags column with value 0x071f is to be interpreted as follows:

   bit | tcpFlags | Description
   =============================================================================
     0 | 0x0001     | FIN: No more data, finish connection
     1 | 0x0002     | SYN: Synchronize sequence numbers
     2 | 0x0004     | RST: Reset connection
     3 | 0x0008     | PSH: Push data
     4 | 0x0010     | ACK: Acknowledgement field value valid
     8 | 0x0100     | FIN_ACK: Acknowledgement of FIN
     9 | 0x0200     | SYN_ACK: Acknowledgement of SYN
    10 | 0x0400     | RST_ACK: Acknowledgement of RST


The tcpAnomaly column with value 0x02cc is to be interpreted as follows:

   bit | tcpAnomaly | Description
   =============================================================================
     2 | 0x0004     | SEQ Fast retransmission
     3 | 0x0008     | Duplicate ACK
     6 | 0x0040     | Sequence number out-of-order
     7 | 0x0080     | Sequence mess, rather spurious Retransmission
     9 | 0x0200     | Previous packet not captured

Some duplicate ACKs with SEQ fast retransmissions, so packets were lost and retransmitted. As WINMIN=1, the warning Min Window detected denotes that the window size hit 0, indicating that the receiver side buffer overflowed. Win 0 probe indicates that the condition persisted for a while, so the sender probes the receiver side. Window full denotes that the transmission window of the TCP flow, as advertised by the receiver, is full.

OS fingerprinting

The L3/4 headers still provide some information to estimate the operating system of the sending host. All these parameters are included in the flow and packet file output, such as:

  • TTL (ipMinTTL, ipMaxTTL, ipTTLChg): Minimal/Maximal TTL, # TTL changes during flow life time
  • Initial Window Size (tcpInitWinSz): Init Winsize only valid if 3 way handshake is captured.
  • tcpOptions: aggregated or in the packet mode as hex or human readable interpreted

If you load the OS fingerprinting plugin tp0f, several other parameters will be used, and the rounding of the TTL to the next higher 2^n value is already done for you. If you are hard core, just use the parameters from tcpFlags and do the calculations by hand.

If you switch on TCPJA4T=1, then TCP window size, options, MSS and WS are printed in JA4T notation to facilitate the creation of fingerprinting DBs:

JA4T=tcpWinSize_SSAtcpOpts_MSS_WS
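As an added example (not the plugin's own code, and not the JA4 reference implementation), the following Python renders the JA4T string from the tcpWin and tcpOpts columns of a tcpFlags packet record, parsing the raw option bytes the way the plugin prints them in packet mode. It assumes that the option kinds are listed in wire order joined by '-' with NOPs included, and that a missing MSS or window scale is rendered as "00"; both are my assumptions about the notation, not statements from this tutorial. The sample SYN/SYN-ACK values are taken from the flow 36 packet listing further down this page.

```python
# Added example, not the tcpFlags plugin's own code: build the JA4T string
# tcpWinSize_tcpOpts_MSS_WS from the tcpWin and tcpOpts packet-file columns.
# Assumptions: option kinds joined by '-' in wire order, NOP included,
# missing MSS or WS rendered as "00".

MSS, WS = 2, 3  # TCP option kinds (MSS and window scale)


def parse_tcp_options(opt_field):
    """Turn '0x02;0x04;0x05;0xb4;...' into [(kind, payload_bytes)].
    EOL (0) and NOP (1) carry no length byte; every other option is
    kind, length, payload. A bad length raises, because a truncated or
    overlapping option is what the 'L4 option field corrupt' bit in
    tcpFStat warns about."""
    raw = bytes(int(tok, 16) for tok in opt_field.split(";") if tok)
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP padding
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option kind {kind} lacks a length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option kind {kind} has bad length {length}")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def ja4t(window, opt_field):
    """JA4T notation: window_kinds_mss_ws, e.g. 8192_2-1-3-1-1-4_1460_2."""
    opts = parse_tcp_options(opt_field)
    kinds = "-".join(str(kind) for kind, _ in opts)
    mss = ws = "00"
    for kind, payload in opts:
        if kind == MSS and len(payload) == 2:
            mss = str(int.from_bytes(payload, "big"))
        elif kind == WS and len(payload) == 1:
            ws = str(payload[0])
    return f"{window}_{kinds}_{mss}_{ws}"


# Constructed input: tcpWin and tcpOpts of the SYN (client) and SYN-ACK
# (server) of flow 36 as printed in this tutorial's packet listing.
SYN_WIN, SYN_OPTS = 8192, "0x02;0x04;0x05;0xb4;0x01;0x03;0x03;0x02;0x01;0x01;0x04;0x02"
SYNACK_WIN, SYNACK_OPTS = 8192, "0x02;0x04;0x05;0x64;0x01;0x01;0x04;0x02"

if __name__ == "__main__":
    print("client JA4T:", ja4t(SYN_WIN, SYN_OPTS))        # MSS 1460, WS 2
    print("server JA4T:", ja4t(SYNACK_WIN, SYNACK_OPTS))  # MSS 1380, no WS
```

The window value fed in is the raw 16 bit field from the SYN, not the scaled one; JA4T keys on the unscaled handshake value, which is why the scale factor is carried separately in the last field.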

JA3/4 hashes are also calculated in sslDecode for SSL/TLS fingerprinting.

Host load estimation

I hate IPv6! Why? Because these bastards omitted the IP ID in the L3 header. And I hate OSes which do not increment the IP ID by 1 for each packet being sent. Why? Because it is an excellent parameter to estimate the load of a server. If the IP ID increments by a large value, several other connections (flows) must exist beside the one I’m looking at, so the host has a lot of work to do.

  • IPv4 (ipMindIPID, ipMaxdIPID): Minimal/Maximal IP ID increment during flow life time.

There are still OSes which increment the IP ID by 1, so if ipMindIPID==2, ipMaxdIPID is an indicator of the host load.

Another indication is the number of flows per host. Have a look at the connStat plugin tutorial.
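As an added example (not Tranalyzer code), the following Python derives ipMindIPID/ipMaxdIPID style statistics from the IPv4 IDs of one flow's packets and turns them into the host load hint described above. The plugin's exact delta convention is not spelled out in this tutorial, so the example assumes a plain difference modulo 2^16 between consecutive packets of the flow; the sample IP IDs are read from the flow 36 packet listing further down this page.

```python
# Added example, not the tcpFlags plugin's own code: IP ID increment
# statistics for one flow and the host-load hint they support.
# Assumption: delta = (cur - prev) mod 2^16 between consecutive packets.

IPID_MOD = 1 << 16  # the IPv4 Identification field is 16 bits wide


def ipid_deltas(ipids):
    """Increments between consecutive IP IDs of one flow, modulo 2^16, and a
    roll-over indicator (the plugin reports a roll-over as ipFlags 0x0004).
    A wrap from 65530 to 3 is a step of 9, not -65527."""
    deltas, rollover = [], False
    for prev, cur in zip(ipids, ipids[1:]):
        if cur < prev:
            rollover = True
        deltas.append((cur - prev) % IPID_MOD)
    return deltas, rollover


def ipid_stats(ipids):
    """(ipMindIPID, ipMaxdIPID, rollover); (None, None, False) for a flow
    with fewer than two packets, where no increment exists."""
    deltas, rollover = ipid_deltas(ipids)
    if not deltas:
        return None, None, rollover
    return min(deltas), max(deltas), rollover


def other_packets_estimate(ipids):
    """Host-load hint from the tutorial: on an OS that increments the IP ID by
    one per packet sent, an increment of d between two packets of this flow
    means the host sent d-1 packets to other flows in between. Returns
    (total, largest gap), or None when a roll-over makes the count unsafe or
    the flow is too short. Only meaningful when the smallest increment shows
    the counter really is a per-packet counter."""
    deltas, rollover = ipid_deltas(ipids)
    if not deltas or rollover:
        return None
    return sum(d - 1 for d in deltas), max(deltas) - 1


# IP IDs read from the flow 36 packet listing in this tutorial
# (ipID column of the client A flow and the server B flow).
CLIENT_IPIDS = [16259, 16266, 16277, 16278]         # 192.168.1.105
SERVER_IPIDS = [17228, 18966, 18967, 19785, 19786]  # 143.166.11.10

if __name__ == "__main__":
    for name, ids in (("client", CLIENT_IPIDS), ("server", SERVER_IPIDS)):
        mn, mx, roll = ipid_stats(ids)
        print(f"{name}: ipMindIPID={mn} ipMaxdIPID={mx} rollover={roll}",
              "other packets ~", other_packets_estimate(ids))
```

For the Dell server in flow 36 the smallest increment is 1 and the largest is 1738, i.e. the host pushed well over a thousand packets to other flows between two packets of this one, which is exactly the "busy server" reading the paragraph above describes.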

tcpFlags troubleshooting TCP connections

Basically, the status bit fields tcpFStat and tcpAnomaly flag flows in trouble. Let’s have a look at all flows with duplicate ACKs and fast retransmissions. In the flow file you might notice a new column, tcpBFlgtMx. It denotes the maximum TCP bytes in flight of a flow. Why mostly B flows? Because the packets got lost in the A flow, right?

tawk 'bitsanyset($tcpAnomaly, 0x000c)' ~/results/faf-exercise_flows.txt | tcol
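As an added example (not the plugin's or tawk's own code), the following Python reproduces offline what the tawk one-liner above and the `tawk -V` listings in the end report chapter do: it parses a flow file, applies the bitsanyset filter on tcpAnomaly and decodes the tcpFStat, ipFlags, tcpFlags and tcpAnomaly status bits with the descriptions given in this tutorial's tables. The sample flow file is constructed from the flow 36 and flow 15 rows shown on this page, reduced to the columns needed here; the tcpFlags value of flow 36 is made up.

```python
# Added example, not the tcpFlags plugin's or tawk's own code: decode the
# status bit fields like `tawk -V col=value` and apply
# `bitsanyset($tcpAnomaly, 0x000c)` to a flow file offline.

# Bit descriptions as listed in the tables of this tutorial.
TCP_FSTAT = {
    0x0001: "Packet good for inter-distance assessment",
    0x0002: "TCP option init",
    0x0004: "Timestamp option decreasing",
    0x0008: "L4 option field corrupt or not acquired",
    0x0010: "Window state-machine initialized",
    0x0020: "Window update",
    0x0040: "Win 0 probe",
    0x0080: "Win 0 probe ACK",
    0x0100: "Min Window detected",
    0x0200: "WS used",
    0x0400: "Window full",
    0x0800: "Window state-machine count up(1)/down(0)",
    0x1000: "L4 Checksum calculation if present",
    0x2000: "UDPLITE Checksum coverage error",
    0x4000: "TCP Selective ACK Option",
    0x8000: "MPTCP detected",
}
TCP_FLAGS = {0x0001: "FIN", 0x0002: "SYN", 0x0004: "RST", 0x0008: "PSH",
             0x0010: "ACK", 0x0100: "FIN_ACK", 0x0200: "SYN_ACK",
             0x0400: "RST_ACK"}
TCP_ANOMALY = {0x0004: "SEQ Fast retransmission", 0x0008: "Duplicate ACK",
               0x0040: "Sequence number out-of-order",
               0x0080: "Sequence mess, rather spurious Retransmission",
               0x0200: "Previous packet not captured"}
IP_FLAGS = {0x0004: "IPv4 ID roll over",
            0x0040: "IPv4: Don't Fragment bit, IPv6: reserve bit"}


def decode(value, table):
    """[(bit, mask, description)] for every set bit of a 16 bit field,
    lowest bit first, like the `tawk -V` listing."""
    rows = []
    for bit in range(16):
        mask = 1 << bit
        if value & mask:
            rows.append((bit, mask, table.get(mask, "bit not described in this tutorial")))
    return rows


def bitsanyset(value, mask):
    """tawk's bitsanyset(): true if at least one bit of mask is set in value."""
    return (value & mask) != 0


def parse_flow_file(text):
    """Tranalyzer flow-file text: tab separated columns, header line starting
    with '%'. Returns one dict per flow row."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("%"):
            header = line[1:].split("\t")
            continue
        if header is None:
            raise ValueError("flow data before the % header line")
        rows.append(dict(zip(header, line.split("\t"))))
    return rows


def troubled_flows(text, mask=0x000c):
    """Flows whose tcpAnomaly has a duplicate ACK (0x0008) or a SEQ fast
    retransmission (0x0004) bit set."""
    return [row for row in parse_flow_file(text)
            if bitsanyset(int(row["tcpAnomaly"], 16), mask)]


# Constructed sample flow file: values of flow 36 and flow 15 as shown in
# this tutorial, reduced to a few columns; tcpFlags of flow 36 is made up.
SAMPLE_FLOWS = "\n".join([
    "%dir\tflowInd\tsrcIP\tsrcPort\tdstIP\tdstPort\ttcpFStat\tipFlags\ttcpFlags\ttcpAnomaly",
    "A\t36\t192.168.1.105\t49330\t143.166.11.10\t64334\t0x49b1\t0x0040\t0x071b\t0x02c4",
    "B\t36\t143.166.11.10\t64334\t192.168.1.105\t49330\t0x0c51\t0x0044\t0x071b\t0x0008",
    "A\t15\t192.168.1.105\t49218\t192.168.1.1\t25\t0x0a11\t0x0040\t0x011b\t0x0000",
])

if __name__ == "__main__":
    for row in troubled_flows(SAMPLE_FLOWS):
        print(row["dir"], row["flowInd"], row["srcIP"], "->", row["dstIP"])
        for col, table in (("tcpFStat", TCP_FSTAT), ("tcpAnomaly", TCP_ANOMALY)):
            for bit, mask, desc in decode(int(row[col], 16), table):
                print(f"  {col:10s} bit {bit:2d} | 0x{mask:04x} | {desc}")
```

Pointing `troubled_flows` at a real `~/results/*_flows.txt` works unchanged, since the parser only relies on the `%` header and the tab separation of the flow file.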

Have a look at A&B flow 36, which is lit up like a Xmas tree. There are a lot of reasons for this major mess:

tawk -V tcpFStat=0x49b1 -V tcpFStat=0x0c51 -V tcpAnomaly=0x02c4 -V tcpAnomaly=0x0008

The tcpFStat column with value 0x49b1 is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     4 | 0x0010   | Window state-machine initialized
     5 | 0x0020   | Window update
     7 | 0x0080   | Win 0 probe ACK
     8 | 0x0100   | Min Window detected
    11 | 0x0800   | Window state-machine count up(1)/down(0)
    14 | 0x4000   | TCP Selective ACK Option


The tcpFStat column with value 0x0c51 is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     4 | 0x0010   | Window state-machine initialized
     6 | 0x0040   | Win 0 probe
    10 | 0x0400   | Window full
    11 | 0x0800   | Window state-machine count up(1)/down(0)


The tcpAnomaly column with value 0x02c4 is to be interpreted as follows:

   bit | tcpAnomaly | Description
   =============================================================================
     2 | 0x0004     | SEQ Fast retransmission
     6 | 0x0040     | Sequence number out-of-order
     7 | 0x0080     | Sequence mess, rather spurious Retransmission
     9 | 0x0200     | Previous packet not captured

The tcpAnomaly column with value 0x0008 is to be interpreted as follows:

   bit | tcpAnomaly | Description
   =============================================================================
     3 | 0x0008     | Duplicate ACK

So flow A had a full buffer and reduced its window size to 0; B hit a Window full alarm, and since then B probes whether the window is non-zero again in order to send more data. Hence the retransmissions, fast and spurious, and we also have a case of a missing packet in the pcap. And therefore flow B sends duplicate ACKs.

You can follow that in the corresponding packet file:

tawk 'flow(36)' ~/results/faf-exercise_packets.txt | tcol

%pktNo  flowInd  flowStat            time                  pktIAT       pktTrip      flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPOrg           srcPort  dstIP          dstIPCC  dstIPOrg           dstPort  l4Proto  ipToS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq         ack         seqMax      seqDiff  ackDiff  seqLen  ackLen  seqFlowLen  ackFlowLen  tcpMLen  tcpBFlgt  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpWS  tcpMSS  tcpTmS  tcpTmER  tcpMPTyp  tcpMPF  tcpMPAID  tcpMPDSSF  tcpOptLen  tcpOpts                                                                                                                                      tcpStatesAFlags  l7Content
1280    36       0x0400000000004000  1258594163.408285000  0.000000000  0.000000000  0.000000000   3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   16259  0         0x4000  128    0x5e7f       0x5e7f       0xbd9c       0xbd9c       0x0040   0                       0                     0                 3392384642  0           3392384642  0        0        0       0       0           0           0        0         0x0010    0x0002    0x0000      8192    0      1460    0       0        0         0x00    0         0x00       12         0x02;0x04;0x05;0xb4;0x01;0x03;0x03;0x02;0x01;0x01;0x04;0x02                                                                                  0x00
1281    36       0x0400000000004001  1258594163.487027000  0.000000000  0.078742016  0.000000000   3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  64334    192.168.1.105  07       Private network    49330    6        0x00   17228  0         0x4000  111    0x6bba       0x6bba       0x738a       0x738a       0x0040   0                       0                     0                 3177226489  3392384643  3177226489  0        0        0       0       0           0           0        0         0x0010    0x0212    0x0000      8192    0      1380    0       0        0         0x00    0         0x00       8          0x02;0x04;0x05;0x64;0x01;0x01;0x04;0x02                                                                                                      0x00
1282    36       0x0400000000004000  1258594163.487488000  0.079203000  0.000460992  0.079203000   3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   16266  7         0x4000  128    0x5e84       0x5e84       0xc2a1       0xc2a1       0x0040   0                       0                     0                 3392384643  3177226490  3392384643  1        0        0       0       0           0           0        0         0x0811    0x0010    0x0000      64860   0      1460    0       0        0         0x00    0         0x00       0                                                                                                                                                       0x00
1287    36       0x0400000000004001  1258594163.644682000  0.157655000  0.157193984  0.157655000   3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  64334    192.168.1.105  07       Private network    49330    6        0x00   18966  1738      0x4000  111    0x5f94       0x5f94       0x153a       0x153a       0x0040   0                       0                     0                 3177226490  3392384643  3177226490  1        0        0       0       0           0           1380     1380      0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                                                                                                       0x00             MZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\r\n$.......PE..L....IV:.................&...*...............@....@.................................Z.A...................................... .......@...$............@......p..t\e...................................................#...............................text....$.......&.................. ..`.rdata..\t....@.......*..............@..@.data...|....P.......,..............@....idata....... 
.......H..............@....rsrc....$...@...&...\..............@..@.reloc...!...p..."..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................U....X...SVWh....3.W...%C.P...%C.W.u\bW.E.h....V...%C..u\f......Q.l.....\b......hhPA.Q.`.....\bWj.V...%C.P...%C.............PQ..h$C......ubj.V...%C.P...%C.f=..w7.u\f.T).......u4.u\f......Q.......\b......hhPA.Q.......\b...E\f.@................V...%C..E....C...\g..k.....................P..!.....H......PQ.......\b.......uA.......u/.......u&.u\f...........r`hdPA.......
1288    36       0x0400000000004001  1258594163.644692000  0.000010000  0.157203968  0.157665000   3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  64334    192.168.1.105  07       Private network    49330    6        0x00   18967  1         0x4000  111    0x5f93       0x5f93       0x77eb       0x77eb       0x0040   0                       0                     0                 3177227870  3392384643  3177227870  1380     0        1380    0       1380        0           2760     2760      0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                                                                                                       0x00             P.F.....\b.\t.......tA.E.......PQ..............PQ.u....#C.;].}..].......Pj.h....V...%C.......PW..l$C.....2...j.Sh....V...%C.W..\f%C.j.j.h....V...%C..u....%C._^[..].U3.....(V.E\b.M..M..E..M..u\f.M..E..u.P.M..E...@..E.6....\r\PA..M....%C.f.......tD3....C..M..M..E..M..M..u...`PA..M..M..U..E...@..E.\b...Q...%C.f=..\e.@^..].V......t$\b.5\PA....%C...u.3..t$\b.5`PA....%C...u.3...^.U........SVW.xPA..}...E\f...tS.....3........1........D.....+........,......=...........u..u..u\f.u\b..|%C._^[..]....u.j.3..v..v..v..v..u\b...%C.S....C..5..C.S...Dg...u\bk.....P.F....Pj.j.h.. P.v$hlPA.S...%C.P.E.S.u\b...%C.S.5XZA.j0.u....%C..u..}..].......:...... .E.........Ha.A.......E..E.P..d$C..E....t#...t4..............w....E......|......C....g.....g...f......C.hhPA..........g.....g..Q......\.X.....\b..X.........PQ..h$C.hdPA.......Q.E..%.....\b......Q..#...........PQ.......\b.u...\f%C.......E.......P..............E.....QR.@...........j\......P.......\b...@P. #...........Pjs...C..2...PQ.Z%...........Q..".................PjcQR.2%.................QR.R.....\b.\r..C....... 
...g.....g...!=.\b..t\t.E..........C....g.....g...}..t2......Pj.hC....u....%C............QPhQ....u....%C..E..}...........C.......:u\n......$.........@...................Pj.hM....u....%C.3......3......j..u\b...%C....P...%C.3............P.u\b..h&C..M.Q.u\b..p&C.j..u..u..u..u........pE...........Q.u\b...&C.3.......u..~\b.u.V.\nD................F\f..t"V.AB..
1289    36       0x0400000000004000  1258594163.644891000  0.157403000  0.000199040  0.236606000   3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   16277  11        0x4000  128    0x5e79       0x5e79       0xbd3d       0xbd3d       0x0040   0                       0                     0                 3392384643  3177229250  3392384643  0        2760     0       2760    0           2760        0        0         0x0011    0x0010    0x0000      63480   0      1460    0       0        0         0x00    0         0x00       0                                                                                                                                                       0x00
1290    36       0x0400000000004000  1258594163.647385000  0.002494000  0.002693056  0.239100000   3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   16278  1         0x4000  128    0x5e78       0x5e78       0xb7d9       0xb7d9       0x0040   0                       0                     0                 3392384643  3177229250  3392384643  0        0        0       0       0           2760        0        0         0x0831    0x0010    0x0000      64860   0      1460    0       0        0         0x00    0         0x00       0                                                                                                                                                       0x00
1291    36       0x0400000000004001  1258594163.722388000  0.077696000  0.075002944  0.235361000   3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  64334    192.168.1.105  07       Private network    49330    6        0x00   19785  818       0x4000  111    0x5c61       0x5c61       0xf480       0xf480       0x0040   0                       0                     0                 3177229250  3392384643  3177229250  1380     0        1380    0       2760        0           4140     1380      0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                                                                                                       0x00             ....F..t\tV..C...........V.....t.V.\eB...........?.......%...V..C...........$....M..A\fd......C....Dg........Q.......E....f=..uDj..u\b...%C....j.......QP...%C...M\bf..........QPh.....u\b...%C.P...%C.3......U........SVW.u\f...w-..|......tl.....H....u..u.V.u\b..|%C._^[..]........f.....+........,...........%...........5..............................].j..K @....{.3..s..7.s..s..u\b...%C.V.C..5..C..s\b.u\b...P.....Pj.j.hS..P.s$h.PA.V...%C.....u.V..PA.PP.u\b...%C.3..XZA.VPj0S...%C.V.............Ph....S...%C.h.....p........SV.u\b...%C.Wj..u\b..l%C.Vj..u\b...%C.Vh....j..u\b..p%C.3......j..u\b..x%C.P........j..u\b..t%C.3......j..u\b...%C....P...%C..x....E.P.u\b..h&C..M.Q.u\b..p&C.j..u..u..u..u..u...B......M.Q.u\b...&C.3..A....}...\b.u.W.a?...........%....G\f..t"W.x=......G..t\tW.8?.................t.W.R=.......................W..?..................C..U....Dg........J.......u..u.V.u\b...%C.P...%C.......E................3.W.u\b...%C....j..u\b..x%C...WWh....V...%C......L...QPh....V...%C...L... 
u.S.a..........L...PS.......\bh|PA.S.......\bSV.>.....\bSS.d......Ph.....u\b...%C.P...%C.3......j..u\b...%C.f@Pj..u\b...%C.3......j..u\b..x%C..u.P.........\bV.........|..\t.h|PA.V.x.....\bj..u\b...%C....VP.......\bVV........Ph.....u\b...%C.P...%C.3..F...U....L....}\f....SVWv..E\b.......M....E.....jD..|...j.P.......\f.E\b.M\f........|...Iu..E\f9.|...u.3..U..E .\n.\b...........E..8.u....A.U.;.v..E .M...9\bs.........E..8.u....N..|..
1292    36       0x0400000000004001  1258594163.722400000  0.000012000  0.075014976  0.235373000   3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  64334    192.168.1.105  07       Private network    49330    6        0x00   19786  1         0x4000  111    0x5c60       0x5c60       0xe46d       0xe46d       0x0040   0                       0                     0                 3177230630  3392384643  3177230630  1380     0        1380    0       4140        0           5520     2760      0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                                                                                                       0x00             .;.u..E .u.90v..0........E.;.v....|....8)}.x(...A.}...;..}.w....|.....)E.y.......g.........]....E.3.N...E.............t\r.8....9...Nu..u\b3........t..........@...<..tA.G;}\fr.3.3..}.........8..........}..}..E..tA..E.....9U........E....|....M....E..E..M.....p....u......5<.....;E...3....E.@.E...5<.......U..E +..E...;.v....E.+..E.......M...;E.v$.M..E.A+..M.;U.v......;.v\n+..E.;U.w..E...;E.v\r9].v\b.E.+..E.......M....M..E....\b.....5<...R.P...............M..U.A....\r\b.C..E..H....\n.M.........5....tP.E..M.....5......58....E....U..E..E..U..U........J*.58...#U.......M...5.......J...5<.....;E........M..E\f*.....tA..M.;U.w..E.c.^.E...;U.s.f.U........E...U...E..E..6.}$.t..E.......E.+u...p.E..}$.t\bf.E.....+U..E.f..Pf.E..E........U......E...9U.v..E..\f..E.....M..E..u..U..E..M....E..N..E.9U.w.......M......E.t\n1E....E.u..U......1E........H#E.;............+..8...............H.M.#E.;......u.......E..E.9E...a.....<....E .}...\bt(.}..t"........}..t......................3._^[..]..D$.V..t..p...\bP.\f..........u.3.^.U...C....\r..C.....E..E..M.SVW.5..C...\fE.UA..U..M....U.UA..E..E.9E.sQ..{A..\r.{A...~ 
.\r..A.x..\r$.A......$.A..\f......................M....M.\tE..E.\b9M.r..M..E\b#M..<...............c.......O.....m....)E.9].sN..{A..\r.{A...~ .\r..A.x..\r$.A......$.A..\f.y...............t....M....E.\b\tE.9].r....].UA.#E.....G...........v....O..m....)E....ug.G.F.........|A........=.YA..t1.@.A...;.,{A.w2V.@.A.h.|
...

In the following chapters we will discuss window size, sequence number and other features useful in troubleshooting and security analysis.

Window size features

The TCP window size is part of TCP flow control: it advertises the free receive buffer and thus gives an indication of how fast the destination host can digest data. As indicated in the previous chapter, all window anomaly bits are now situated in tcpFStat:

tawk -V tcpFStat

The tcpFStat column is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     1 | 0x0002   | TCP option init
     2 | 0x0004   | Timestamp option decreasing
     3 | 0x0008   | L4 option field corrupt or not acquired

     4 | 0x0010   | Window state-machine initialized
     5 | 0x0020   | Window update
     6 | 0x0040   | Win 0 probe
     7 | 0x0080   | Win 0 probe ACK

     8 | 0x0100   | Min Window detected
     9 | 0x0200   | WS used
    10 | 0x0400   | Window full
    11 | 0x0800   | Window state-machine count up(1)/down(0)

    12 | 0x1000   | L4 Checksum calculation if present
    13 | 0x2000   | UDPLITE Checksum coverage error
    14 | 0x4000   | TCP Selective ACK Option
    15 | 0x8000   | MPTCP detected

So Window Scaling was used at the beginning. Then, after a Min Window detected, a sender Window full followed, and then a Win 0 probe was issued in order to test whether more bytes are accepted. Makes sense, and it can be investigated in the packet file of the previous chapter.

In the flow file the initial window size tcpInitWinSz, in combination with the TTL, is still a reasonable feature to estimate the type of OS. If tcpMinWinSz hits 0, the buffer of the receiving host is full and the sender has to wait. As in the end report, the variable tcpWinSzThRt counts the occurrences where the window size drops below the configurable threshold WINMIN in tcpFlags.h (default 1), so it counts how often the receiver applies back-pressure to the sender. The parameters tcpWinSzDwnCnt, tcpWinSzUpCnt and tcpWinSzChgDirCnt are experimental; they try to aggregate the evolution of the window size, which is governed by several algorithms. They denote the per-packet up or down counts of the window size and how often these counts reverse direction, giving an indication of irregularities in flow control. As you can see, the counts are increased in flow 36, which has a lot of flow and error control problems.
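As an added example (not Tranalyzer code), the following Python recomputes window size flow statistics in the spirit of tcpMinWinSz, tcpMaxWinSz, tcpAveWinSz, tcpWinSzDwnCnt, tcpWinSzUpCnt, tcpWinSzChgDirCnt and tcpWinSzThRt from the advertised window of every packet of one flow direction. The counting rules are my reading of the description above, not the plugin's state machine, and the window trace is constructed (it mimics the client side of flow 36: a healthy start, then the buffer fills and the window closes to 0).

```python
# Added example, not the tcpFlags plugin's own code: per-flow window size
# statistics from the advertised window of each packet. The up/down and
# direction-change rules are assumptions based on the tutorial's text.

def window_metrics(windows, winmin=1):
    """windows: advertised (already scaled) window of each packet, in order.
    winmin: threshold like WINMIN in tcpFlags.h; packets strictly below it
    count as back-pressure events (tcpWinSzThRt). Returns None for an
    empty trace."""
    if not windows:
        return None
    down = up = chg_dir = 0
    direction = 0                      # +1 growing, -1 shrinking, 0 unknown
    for prev, cur in zip(windows, windows[1:]):
        if cur == prev:
            continue                   # unchanged window carries no trend
        step = 1 if cur > prev else -1
        if step > 0:
            up += 1
        else:
            down += 1
        if direction and step != direction:
            chg_dir += 1               # the trend reversed
        direction = step
    return {
        "tcpMinWinSz": min(windows),
        "tcpMaxWinSz": max(windows),
        "tcpAveWinSz": sum(windows) / len(windows),
        "tcpWinSzDwnCnt": down,
        "tcpWinSzUpCnt": up,
        "tcpWinSzChgDirCnt": chg_dir,
        "tcpWinSzThRt": sum(1 for w in windows if w < winmin),
    }


def back_pressure(metrics):
    """True when the receiver starved the sender at least once, i.e. the
    window dropped below the threshold during the flow."""
    return metrics is not None and metrics["tcpWinSzThRt"] > 0


# Constructed window trace for one flow direction: healthy start, then the
# receive buffer fills up, the window closes to 0 twice and opens again.
SAMPLE_WINDOWS = [8192, 64860, 63480, 64860, 0, 0, 1380]

if __name__ == "__main__":
    m = window_metrics(SAMPLE_WINDOWS)
    for name, value in m.items():
        print(f"{name:18s} {value}")
    print("back-pressure:", back_pressure(m))
```

A steady flow shows zero direction changes and a threshold count of zero; a trace like the one above, with repeated reversals and zero windows, is the pattern the paragraph attributes to flow 36.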

tawk 'bitsanyset($tcpFStat, 0x0700) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly, $tcpInitWinSz, $tcpAveWinSz, $tcpMinWinSz, $tcpMaxWinSz, $tcpWinSzDwnCnt, $tcpWinSzUpCnt, $tcpWinSzChgDirCnt, $tcpWinSzThRt }' ~/results/faf-exercise_flows.txt | tcol

%dir  flowInd  flowStat            srcIP          srcIPCC  srcIPOrg             srcPort  dstIP          dstIPCC  dstIPOrg             dstPort  l4Proto  tcpFStat  ipFlags  tcpFlags  tcpAnomaly  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt
A     15       0x0400000000004000  192.168.1.105  07       "Private network"    49218    192.168.1.1    07       "Private network"    25       6        0x0a11    0x0040   0x011b    0x0000      8192          64982.55     8192         65536        3               2              4                  0
B     15       0x0400000000004001  192.168.1.1    07       "Private network"    25       192.168.1.105  07       "Private network"    49218    6        0x0a11    0x0044   0x031b    0x0008      65535         524219.4     65535        524280       1               2              2                  0
A     16       0x0400000000004000  192.168.1.105  07       "Private network"    49219    192.168.1.1    07       "Private network"    25       6        0x0a11    0x0040   0x011b    0x0000      8192          64673.17     8192         65536        3               1              4                  0
B     16       0x0400000000004001  192.168.1.1    07       "Private network"    25       192.168.1.105  07       "Private network"    49219    6        0x0a11    0x0044   0x031b    0x0008      65535         524225.7     65535        524280       1               2              2                  0
A     17       0x0400000000004000  192.168.1.105  07       "Private network"    49220    192.168.1.1    07       "Private network"    25       6        0x0a11    0x0040   0x011b    0x0000      8192          64668.98     8192         65536        3               2              4                  0
B     17       0x0400000000004001  192.168.1.1    07       "Private network"    25       192.168.1.105  07       "Private network"    49220    6        0x0a11    0x0044   0x031b    0x0008      65535         524220.3     65535        524280       1               2              2                  0
A     22       0x0400000000004000  192.168.1.105  07       "Private network"    49336    192.168.1.1    07       "Private network"    25       6        0x0a11    0x0040   0x011b    0x0000      8192          64668.98     8192         65536        3               2              4                  0
B     22       0x0400000000004001  192.168.1.1    07       "Private network"    25       192.168.1.105  07       "Private network"    49336    6        0x0a11    0x0044   0x031b    0x0008      65535         524228.2     65535        524280       1               2              2                  0
A     23       0x0400000000004000  192.168.1.105  07       "Private network"    49353    192.168.1.1    07       "Private network"    25       6        0x0a11    0x0040   0x011b    0x0000      8192          64668.98     8192         65536        3               2              4                  0
B     23       0x0400000000004001  192.168.1.1    07       "Private network"    25       192.168.1.105  07       "Private network"    49353    6        0x0a11    0x0044   0x031b    0x0008      65535         524227.5     65535        524280       1               2              2                  0
A     26       0x0400000000004000  192.168.1.105  07       "Private network"    49561    192.168.1.1    07       "Private network"    25       6        0x0a11    0x0040   0x011b    0x0000      8192          64740.93     8192         65536        3               2              4                  0
B     26       0x0400000000004001  192.168.1.1    07       "Private network"    25       192.168.1.105  07       "Private network"    49561    6        0x0a11    0x0044   0x031b    0x0008      65535         524166.4     65535        524280       2               2              3                  0
A     36       0x0400000000004000  192.168.1.105  07       "Private network"    49330    143.166.11.10  us       "Dell Technologies"  64334    6        0x49b1    0x0040   0x0416    0x0008      8192          45402        0            64860        253             194            254                0.001981506
B     36       0x0400000000004001  143.166.11.10  us       "Dell Technologies"  64334    192.168.1.105  07       "Private network"    49330    6        0x0c51    0x0044   0x031b    0x02c4      8192          64860        8192         64860        0               1              1                  0

Have a look at the packet file and identify the flow control problems in flow 36. Is this flow benign or part of malicious activity?
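The window statistics described above, re-implemented as an added example (this is not code from the tcpFlags plugin, whose exact counting rules are not published on this page; the up/down/direction-change rules below are my reading of the text). It decodes a tcpFStat value with the bit table above and runs the statistics over a constructed window-size series of one flow direction.

```python
# Added example, not tcpFlags plugin code.  Window sizes are assumed to be
# already multiplied by the window scale factor (the plugin reports tcpWS).

# Bit names copied from the tcpFStat table of the tutorial.
TCPFSTAT_BITS = {
    0: "Packet good for inter-distance assessment",
    1: "TCP option init",
    2: "Timestamp option decreasing",
    3: "L4 option field corrupt or not acquired",
    4: "Window state-machine initialized",
    5: "Window update",
    6: "Win 0 probe",
    7: "Win 0 probe ACK",
    8: "Min Window detected",
    9: "WS used",
    10: "Window full",
    11: "Window state-machine count up(1)/down(0)",
    12: "L4 Checksum calculation if present",
    13: "UDPLITE Checksum coverage error",
    14: "TCP Selective ACK Option",
    15: "MPTCP detected",
}

WINMIN = 1  # default threshold from tcpFlags.h: a window below it counts as back-pressure


def decode_tcpfstat(value):
    """Return the names of all tcpFStat bits set in value (int or '0x..' string)."""
    if isinstance(value, str):
        value = int(value, 16)
    return [name for bit, name in sorted(TCPFSTAT_BITS.items()) if value & (1 << bit)]


def window_stats(wins, winmin=WINMIN):
    """Aggregate the advertised windows of consecutive packets of ONE direction.

    DwnCnt/UpCnt: number of packet-to-packet decreases/increases (unchanged
    windows are ignored); ChgDirCnt: how often the trend reverses; ThRt: the
    fraction of packets whose window is below winmin, i.e. how often the
    receiver told the sender to stop.
    """
    if not wins:
        raise ValueError("empty window list")
    down = up = chg = below = 0
    trend = 0  # +1 growing, -1 shrinking, 0 no trend yet
    for i, w in enumerate(wins):
        if w < winmin:
            below += 1
        if i == 0:
            continue
        delta = w - wins[i - 1]
        if delta == 0:
            continue
        cur = 1 if delta > 0 else -1
        if cur > 0:
            up += 1
        else:
            down += 1
        if trend and cur != trend:
            chg += 1
        trend = cur
    return {
        "tcpInitWinSz": wins[0],
        "tcpMinWinSz": min(wins),
        "tcpMaxWinSz": max(wins),
        "tcpAveWinSz": sum(wins) / len(wins),
        "tcpWinSzDwnCnt": down,
        "tcpWinSzUpCnt": up,
        "tcpWinSzChgDirCnt": chg,
        "tcpWinSzThRt": below / len(wins),
    }


# Constructed series: a receiver whose buffer fills up (window shrinks to 0,
# sender must wait), reopens, and collapses again at the end.
SAMPLE_WINS = [8192, 8192, 6000, 2000, 0, 0, 4096, 8192, 8192, 1000]

if __name__ == "__main__":
    # tcpFStat of flow 36, direction A, from the flow file above
    print("0x49b1 ->", ", ".join(decode_tcpfstat("0x49b1")))
    for k, v in window_stats(SAMPLE_WINS).items():
        print(f"{k:18s} {v}")
```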

Sequence and acknowledge numbers

I added some more columns to the packet mode to track faults and to make the counts more consistent. seqDiff and ackDiff are now the real difference of the seq or ack numbers, so they can also be negative. seqLen and ackLen denote the positive part of that difference, hence an indication of the payload length. seqFlowLen and ackFlowLen are the aggregated seqLen and ackLen. tcpMLen is the real l7Len, just like in basicStats. tcpBFlgt denotes the bytes in flight. Similar columns exist in the flow file.

TCP error control is achieved by sequence (Seq) and acknowledgement (Ack) numbers, which are a formidable tool for troubleshooting and contain information about network or host problems. The differences between these numbers denote the bytes being transferred between the two peers. The packet ACK count (tcpPAckCnt in the flow file) is only exact if every packet sent is acknowledged individually, i.e. in idle repeat request (stop-and-wait) mode, which would defeat the purpose of an efficient TCP communication. So in general it is only a lower bound.

The fault counts in both directions (tcpSeqFaultCnt, tcpAckFaultCnt) are an indicator for the health of the connection. Divided by the number of packets sent (from basicStats), they give a good performance measure.

The initial sequence number tcpISeqN is used for covert channels, and it can help to identify crafting tools if more than one flow from the same IP is available. Make sure that the flow is complete by checking tcpFlags for a SYN; otherwise tcpISeqN denotes just the sequence number of the first packet seen.

As in earlier versions, the column tcpFlwLssAckRcvdBytes denotes the amount of content transmitted by the opposite flow, derived from the acknowledgement numbers. So if you only have one flow, you have a number to estimate the amount of traffic not seen by that pcap. Some magic to impress customers.

tawk 'bitsanyset($tcpAnomaly, 0x0008) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $ipFlags, $tcpFStat, $tcpFlags, $tcpAnomaly, $tcpISeqN, $tcpSeqSntBytes, $tcpSeqFaultCnt, $tcpPAckCnt, $tcpFlwLssAckRcvdBytes, $tcpAckFaultCnt, $tcpBFlgtMx }' ~/results/faf-exercise_flows.txt | tcol

%dir  flowInd  flowStat            srcIP          srcIPCC  srcIPOrg           srcPort  dstIP           dstIPCC  dstIPOrg                       dstPort  l4Proto  ipFlags  tcpFStat  tcpFlags  tcpAnomaly  tcpISeqN    tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpBFlgtMx
B     12       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1397     6        0x0044   0x0011    0x031b    0x0008      1702698086  1440            0               30          2943                   1               852
B     13       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1749     6        0x0044   0x0011    0x031b    0x0008      645942508   1405            0               30          5679                   2               852
B     14       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1755     6        0x0044   0x0011    0x031b    0x0008      328872932   1405            0               28          2357                   1               852
B     15       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49218    6        0x0044   0x0a11    0x031b    0x0008      652739796   1519            0               29          4899                   2               852
B     16       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49219    6        0x0044   0x0a11    0x031b    0x0008      1405763652  799             0               30          4429                   2               166
B     17       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49220    6        0x0044   0x0a11    0x031b    0x0008      916601873   1466            0               27          2750                   2               852
B     18       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1806     6        0x0044   0x0011    0x031b    0x0008      925488549   1370            0               28          4371                   2               852
B     19       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1400     6        0x0044   0x0011    0x031b    0x0008      1816175150  1370            0               26          1522                   1               852
B     20       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1404     6        0x0044   0x0011    0x031b    0x0008      113675184   1370            0               28          5247                   2               852
B     21       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1405     6        0x0044   0x0011    0x031b    0x0008      6599705     632             0               28          5796                   1               166
B     22       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49336    6        0x0044   0x0a11    0x031b    0x0008      226877106   1466            0               27          2430                   2               852
B     23       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49353    6        0x0044   0x0a11    0x031b    0x0008      1304812153  1466            0               27          2462                   2               852
B     24       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1836     6        0x0044   0x0011    0x031b    0x0008      1667500374  1370            0               26          3372                   1               852
B     25       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1709     6        0x0044   0x0011    0x031b    0x0008      1075440067  1370            0               26          2374                   1               852
B     26       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.105   07       "Private network"              49561    6        0x0044   0x0a11    0x031b    0x0008      1983906088  1466            0               28          4334                   2               852
B     27       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.104   07       "Private network"              1572     6        0x0044   0x0011    0x031b    0x0008      1684028818  308             0               17          1021                   1               166
B     28       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.104   07       "Private network"              1604     6        0x0044   0x0011    0x031b    0x0008      1644748927  308             0               17          761                    1               166
B     29       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.104   07       "Private network"              1665     6        0x0044   0x0011    0x031b    0x0008      1401071890  308             0               17          574                    1               166
B     30       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              1934     6        0x0044   0x0011    0x031b    0x0008      18417741    1370            0               27          5732                   1               852
B     31       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.103   07       "Private network"              2008     6        0x0044   0x0011    0x031b    0x0008      2088358893  1370            0               26          3460                   1               852
B     32       0x0400000000004001  192.168.1.1    07       "Private network"  25       192.168.1.102   07       "Private network"              1911     6        0x0044   0x0011    0x031b    0x0008      398501520   1370            0               29          7079                   2               852
A     33       0x0400000000004000  192.168.1.104  07       "Private network"  1908     198.189.255.75  us       "California State University"  80       6        0x0040   0x0011    0x011b    0x0008      3626872219  319             0               23          95699                  1               319
A     36       0x0400000000004000  192.168.1.105  07       "Private network"  49330    143.166.11.10   us       "Dell Technologies"            64334    6        0x0040   0x49b1    0x0416    0x0008      3392384642  0               0               1511        4255056                437             0

If you look at the packet file from packet 4188 on, you will notice that during the fast retransmit the seqDiff is negative in packet 4209 and seqLen is 0, denoting that no new L7 content was sent. You can now follow the process of sending and acknowledging data. If you only have one flow, you can still estimate the payload of the other flow via ackLen and ackFlowLen for each packet. This comes in really handy if you cannot see the other flow but still want to assess the amount of traffic flowing in the other direction.

tawk 'packet("4188-4211")' ~/results/faf-exercise_packets.txt | tcol

%pktNo  flowInd  flowStat            time                  pktIAT       pktTrip      flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPOrg           srcPort  dstIP          dstIPCC  dstIPOrg           dstPort  l4Proto  ipToS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq         ack         seqMax      seqDiff  ackDiff  seqLen  ackLen  seqFlowLen  ackFlowLen  tcpMLen  tcpBFlgt  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpWS  tcpMSS  tcpTmS  tcpTmER  tcpMPTyp  tcpMPF  tcpMPAID  tcpMPDSSF  tcpOptLen  tcpOpts                                                      tcpStatesAFlags  l7Content
4188    36       0x0400000000004001  1258594178.123989000  0.000008000  0.005184000  14.636962000  3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  64334    192.168.1.105  07       Private network    49330    6        0x00   28901  1         0x4000  111    0x38c5       0x38c5       0x8f75       0x8f75       0x0040   0                       0                     0                 3179900510  3392384643  3179900510  1380     0        1380    0       3304680     0           2687822  24840     0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                       0x00             .X,........\R\b.7o*.\f...[6...UiT...p.[X@(.OW..;\b.Qn#..-.-\[..Z..`...E.T..]..a!k..is..@.....K.>jb.K...i ...o..p.Pp..G....a.n...t=..e^...D....!9..l.....SPX....a]....E....\f.*y.T.\n.A.n.^....\b..<.z[...CBlJ......O.N...r.Z.....A....f..P..).X.h..........p^.c.....J..M.j..E....el....B.....B?...aS...T:4.....n..Dqe...3..l.HQ3&f,KZ....R)..B.....]..........I>....e...w.....bp6p.......C..T.[....81......I....w.|....!.8....5....A..\f....T?.m..p.<...a...[.../.....P.plD..y 
.....j............p...^..\..\...j..(.....^...r.....lw.kQ.......<..u....;..........~..;......Is{.Y...<?..;............;.m..k...N?..;...W.(...[-..~.iw.?.....o.*.^..x\b...^...p.t..~...|...c..s.8.G.\e......?Nw.~......\...eS..~.w.!.F?..w.sy...v..g.....7....U.?................w.../....K....s..........7(..6.....r...oV......'!..j^..0........3.R.yj....p.....k...]~........z.....g\n..?.t.nA.u%J..iJ.@:}..)-.?..wH....W...........~...T\t#....F.k..]A......jJ.E.g..Lz\r.^.>..;...xj|p...a..Y.......k/S.......;.....M.p.\nWX.R....Q2!0.J....0m.....T.6...n!!_h..2I^..e..2.t..%\e..`.>o,....G......l....\r....kK)...1.i@7.,.\......@.J..A.....F5e....K...P..Ni.HWn..D.F....zU..h3A..\...l3W.....5KA....C..Z.}O.FiT...o..H.U|VP...R.u%..\boh...,L.\\n.,I.:.u....n...mrc...9A[..P....!...:.....O..\e..K....:.*=....[2WZ\n`J....(.....@..\e6A...u...H...uk7f.......4..S\n!...SYTJ..B.&....89.TPP\n."E../9.E.-7<_S.|-..U..Y...?.b.....z$.w~I.6'QXs.\n.......2.|.v\nx.B.l...]W..w.
4189    36       0x0400000000004000  1258594178.124053000  0.005248000  0.000064000  14.715768000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17789  1         0x4000  128    0x5885       0x5885       0xa53a       0xa53a       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x18;0x1e  0x00
4190    36       0x0400000000004000  1258594178.124055000  0.000002000  0.000066000  14.715770000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17790  1         0x4000  128    0x5884       0x5884       0x9fd6       0x9fd6       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x1d;0x82  0x00
4191    36       0x0400000000004000  1258594178.124056000  0.000001000  0.000067000  14.715771000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17791  1         0x4000  128    0x5883       0x5883       0x9a72       0x9a72       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x22;0xe6  0x00
4192    36       0x0400000000004000  1258594178.124058000  0.000002000  0.000069000  14.715773000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17792  1         0x4000  128    0x5882       0x5882       0x950e       0x950e       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x28;0x4a  0x00
4193    36       0x0400000000004000  1258594178.124295000  0.000237000  0.000306000  14.716010000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17793  1         0x4000  128    0x5881       0x5881       0x8faa       0x8faa       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x2d;0xae  0x00
4194    36       0x0400000000004000  1258594178.124297000  0.000002000  0.000308000  14.716012000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17794  1         0x4000  128    0x5880       0x5880       0x8a46       0x8a46       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x33;0x12  0x00
4195    36       0x0400000000004000  1258594178.124298000  0.000001000  0.000309000  14.716013000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17795  1         0x4000  128    0x587f       0x587f       0x84e2       0x84e2       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x38;0x76  0x00
4196    36       0x0400000000004000  1258594178.124300000  0.000002000  0.000311000  14.716015000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17796  1         0x4000  128    0x587e       0x587e       0x7f7e       0x7f7e       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x3d;0xda  0x00
4197    36       0x0400000000004000  1258594178.124302000  0.000002000  0.000313000  14.716017000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17797  1         0x4000  128    0x587d       0x587d       0x7a1a       0x7a1a       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x43;0x3e  0x00
4198    36       0x0400000000004000  1258594178.124303000  0.000001000  0.000314000  14.716018000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17798  1         0x4000  128    0x587c       0x587c       0x74b6       0x74b6       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x48;0xa2  0x00
4199    36       0x0400000000004000  1258594178.124305000  0.000002000  0.000316000  14.716020000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17799  1         0x4000  128    0x587b       0x587b       0x6f52       0x6f52       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x4e;0x06  0x00
4200    36       0x0400000000004000  1258594178.124306000  0.000001000  0.000317000  14.716021000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17800  1         0x4000  128    0x587a       0x587a       0x69ee       0x69ee       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x53;0x6a  0x00
4201    36       0x0400000000004000  1258594178.124308000  0.000002000  0.000319000  14.716023000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17801  1         0x4000  128    0x5879       0x5879       0x648a       0x648a       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x58;0xce  0x00
4202    36       0x0400000000004000  1258594178.124309000  0.000001000  0.000320000  14.716024000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17802  1         0x4000  128    0x5878       0x5878       0x5f26       0x5f26       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x5e;0x32  0x00
4203    36       0x0400000000004000  1258594178.124545000  0.000236000  0.000556000  14.716260000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17803  1         0x4000  128    0x5877       0x5877       0x59c2       0x59c2       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x63;0x96  0x00
4204    36       0x0400000000004000  1258594178.124547000  0.000002000  0.000558000  14.716262000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17804  1         0x4000  128    0x5876       0x5876       0x545e       0x545e       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x68;0xfa  0x00
4205    36       0x0400000000004000  1258594178.124548000  0.000001000  0.000559000  14.716263000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17805  1         0x4000  128    0x5875       0x5875       0x4efa       0x4efa       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x6e;0x5e  0x00
4206    36       0x0400000000004000  1258594178.124550000  0.000002000  0.000561000  14.716265000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17806  1         0x4000  128    0x5874       0x5874       0x4996       0x4996       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x73;0xc2  0x00
4207    36       0x0400000000004001  1258594178.196555000  0.072566000  0.072005008  14.709528000  3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  64334    192.168.1.105  07       Private network    49330    6        0x00   30005  1104      0x4000  111    0x3475       0x3475       0x74c0       0x74c0       0x0040   0                       0                     0                 3179901890  3392384643  3179901890  1380     0        1380    0       3306060     0           2689202  1380      0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                       0x00             ...k.J-E..4.hV...P..I....\fbTCy...R:.zY........$*+.....E)....!..L..Bq..]I\n.1..~\b.....e..... T).a#Q....u......|..E"....>.\a.....6.d).7..FR.=...$..f].%.r*y...e...>..O-..O.\b5....gE.Z./...6.O.Q.4.Y... ..................B........}m.X...RkR.Jo......\r\e...,]JQv........c.w.....kW.\e.6m...~E..xS?'.J.~M.W.*o...k7..M}..6...kKY..i.D.~.IQ..u..V......T'.\n.^T._+.z.!.f.*.#>k.$.}m...vK.~A...P.;Z.2.G\n...M.....,\[...YhcK.w4K..!\t2.\r.P......=r..b.K..\n\f=$T....m..?.>./.\nNh...M..\n.TF5.bn...{.......9..V(5Q..)0..;..+...R.jI.....B....$..g.=ys.!\r..`..0.P.>...\e.2..6...r.C...L@.A...m..c...t|..8~9.....++F,..."`.[\b?w......u..{...^w......u..{......-.2pY...{i..E..2?j.._b....;x...B-<a.<.[..........>?....[..p.LIT\t..96..........vF."..e.W.>.yK!.I.\..P}...H-D8\ng.(j....q.s.......}..?{.B1.-........y..gt.....e........?\r....aa+(+..Z\fyXI..r\bL:..* .y$.T.C......+..V.'/_..x.....,?%ie...f]..|Ez..d....l.T...ONZ......x.u.n....4)3....b..../9Y.KJ.r...,pK....,..h.....Y....M...t0...`....w.....n..#*kS..m.......\t..\e.G............F....h..-u.~...\t..7 ..\n"..[&...7<\r..(.x#.....oW 
.1x...Up........p....U.{...pO...W.nR.i.i....h......XSq.i.i.6bk....3.8S....|#..n..O_.d...Z,..7n^.a]>1&.......x\e.7.g.....o....E..k7./.Ux.......'..R..4.........aS.f@._.....2p.k-T......y.F.7...B.Q....Gw@u.z.r.m.Z.^w......u..{...^w......u..{...^w......u..{...^w......u..{._v.m@.........c......a7..Q.;.U..o D....?........?...5.;.....6)...)xZX...]......
4208    36       0x0400000000004000  1258594178.197003000  0.072453000  0.000448000  14.788718000  3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49330    143.166.11.10  us       Dell Technologies  64334    6        0x00   17813  7         0x4000  128    0x586d       0x586d       0x4432       0x4432       0x0040   0                       0                     0                 3392384643  3179870150  3392384643  0        0        0       0       0           2643660     0        0         0x4811    0x0010    0x0008      64860   0      1460    0       0        0         0x00    0         0x00       12         0x01;0x01;0x05;0x0a;0xbd;0x88;0xfd;0x2a;0xbd;0x89;0x79;0x26  0x00
4209    36       0x0400000000004001  1258594178.202048000  0.005493000  0.005044992  14.715021000  3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  64334    192.168.1.105  07       Private network    49330    6        0x00   30105  100       0x4000  111    0x3411       0x3411       0xbb17       0xbb17       0x0040   0                       0                     0                 3179870150  3392384643  3179903270  -31740   0        0       0       3306060     0           2690582  1380      0x0811    0x0010    0x0044      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                       0x00             ....5.$*.\e.{5.......\r.I'.,...S.p.Q...XG...T...k.M...hC.8..].q....>!......B........8...x.r|..5(m....'.....,....|B.[.*.@.S..(X.Z....V..,..,.W..9.`|..>.R....W._.%&3e.Rh".-..E/vL.....t"g4_..*.....{v..%....J..R....-....YL.}L..&....j.{R>.|. .....a9#>.....,.g.S..+.Z.@9...rc.5.p.4\eU.E4h..V...G.dW........`.O...hw.\g..........Z./2.....8.K.....wJ....w.. @...g.[.h5r.3.l...x.......L.............{.O...e.*!....[@.(...)].\b..$s...-^s....@...u`UN..8].i#`...BQ...Y...g ....b....\bA..;..h.c..\f....@L0.......#MP&...Z.r.b&(......Kh....D..%\#... 
J.L...+.....H\n...g..l...T..!..X.v.r..<...o..C.......@"n.AF..T/..i....U.\t....P>.d.Q..........=F9pT.ft}.)<2W%0W.E,....E.J..l.6.%.9p.24.[...c".6.\e..bk..-3....F.4tz.-C.._.2.r.U..`..j\bp1a.@...y."...-.RV<.\F..2.eMuI............}-+j.d x..\b3.=V..LX\t.#\r=....+....{>'.#.T=.3n+mn..r...{.0t.$V..`.;.5.....'Z*.W.G....)..%..2(.Yz..q...7..P.)...x...0..\;.\n._.R'...).[}\nW0F...~..X........1Co6...e..>.H:..Oi(M.Z.V8.k\rM\tJ.+............5N....P..M.z...L.B../&...hC\r...%t;...z37p.x...h4.....t.%......AH.E....1\.`.....g..w........f..+>D'n..,..\f..OL.h.dtB.....lD.\b1-B.E\b.#<.@........F.....bH...\bm\./..a.X.8t7..NFz.PG.E.../l..!.]..l%tI..6H|O..x.%,a0g...&?q[..&TC._s\tm....'V..U.0...~{....."(n..-.\e....\b2...)...}&q{.."...<.t.a..\b.j.J..T.-.ph..,.d%h..&..\b........jq.......>.B2..a......i..........^. B%..=..~....!}N>tY.=..S....I..V.f..[ y.s.......g.Mz|...\...X..Q..D\.....f...P.c\b..
4210    36       0x0400000000004001  1258594178.202058000  0.000010000  0.005054992  14.715031000  3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  64334    192.168.1.105  07       Private network    49330    6        0x00   30106  1         0x4000  111    0x3410       0x3410       0xb02e       0xb02e       0x0040   0                       0                     0                 3179903270  3392384643  3179903270  33120    0        33120   0       3339180     0           2691962  2760      0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                       0x00             k..Epx.PT}..g\f<...O....._}~...i..]~.?.{.......... px..~K..i...1.z-.^.....\..w.{..b'.\r..pO..P...}..{..PQp..;..<..Qp_...p..w<....6.u.\r...6.?...p...1....o#..\b.^Y.\r.H'..U..PUA.1=..\t.......r.h...H.taY.An....^w....hi.....k....x...O.......Wm.....E....a.G{L....>.nQ........~......=....._..-..r7y...)....LT.G....A...n....E..Tbb;..4y..N.c..m.?...~\n..}\n.=xn.....{.....6\..w.....a?4Tu.?^....'.....M..B..T.......F..QJ.[J(...........J.s.z.B\r...j..~.\bO.|^}.M).yQM.7.......j..jxT.B......{n\t.....=[....m...sL.P.......>..>8Ry..92..Y....c.G.:..b.x..%S......`9.{c.?G=.|...<.....<$.}....\{......>]..\e.w....{..q....lnj...:.....Kz............o...'.~y.S....._l....{....'e.q..z^1~.....x~s.j..........X.......#?...V8B.U...r$-={....8.<.....L..?s..=.,>......:v..W..9w..\e..b..\......I......%.c...G~.3S.v....8,.?..C.r.......pO\t..,x....r..6\r.....tl....G.~........F/z....f....\e6.1.os..Y.?.......g......n.8..:|..._\p..U....|.'_.Y....f.........>Y..3..?...{.,......o.g..._.6+...O..C.._..7......&.z....{...N.j....T........'>.zp....M\....X5...=0..u..g..<o.p2..E?;@...|.6...'.....37U[....97.......>5...o..z8..'..;>...K............J.y..;i..isf-.|..#...._...P.u.i.._.>....wl...e..~........\b.8.._.?.B..Rk\b5.B92NC......=."g.Pk.N.\f.\..KC.PD......}......6...
......n......\eo.o..5U.j....*........4Dv.^.>..^...3....Ap..~.J-......m..B...b.K5......n....n.>.4.Tf...e"....B.!Zp0.)..}...9qI3.S...OI.6+..4-q...i.s.g..57avBBR....m.wJ.
4211    36       0x0400000000004001  1258594178.202310000  0.000252000  0.005306992  14.715283000  3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  64334    192.168.1.105  07       Private network    49330    6        0x00   30115  9         0x4000  111    0x3407       0x3407       0x0894       0x0894       0x0040   0                       0                     0                 3179904650  3392384643  3179904650  1380     0        1380    0       3340560     0           2693342  4140      0x0811    0x0010    0x0000      64860   0      1380    0       0        0         0x00    0         0x00       0                                                                       0x00             8X..W2Wj/,U.o........w.......o...?.x..)(..|Yo.o_.`.....\n\nK\n...er..J4r....!~..;)}yJ.R.$.`.d)...G.....&.I.....<.K5cZ....iV..9.....d.,B'$.B..0ocM.L].U.?XUHpL..|. .C^...;..8f.(....W..v.........Q.B \f.....G....(....mu_..}..?\r|?.S...=\r3..{..3...[a.]..>k\b../>....w.Qd...sC.9.v...'M....P......tA.Hd.(.=./\f."Mij....'h.4 ..S.....(..5.=n../...b)o..Q1)ih..p.....4n.W.S..j.k~aJ.......\rW.YM........\t5p._F.4f.4...T......Z3T.S.......V.^...xS.6.F,.k....z......{..\...q~~k.....;..y....{s.'..'......[..{.......R..\e.G.@.I..TF..._C.......?.[/-...=YH_l\e..n.R..L....*....&J..J}G...{W..!5.K...e.....y[.85.*c.6o,..\e....<.B}o..^.T..u.a....|..~...E..._-5.........3....u.>.........x...W.....?...t......N.....7.!..*\r.i..f).4Z....Ko....tlE....F.].....O..|../.ZgY.(5...r..`\fJ\r.Mx...P.(P...v.\..0.x.\e.N]....)..../\b...Z..AH.[....I..@j.d"zl.....o,.6..o....\...-..`........#."..}..h.z..|!.\e..v.k=....P.?.......67..9.D.P. Q.......%P.....G<k....b.....l.e.....e...P......OS./...n...z..w.(A.G.=......F.y.C.3l.V...........^..L!........p...:L....nf7.m...R...^..\r..\r...\e.M.H.~.d..~.t.9.p`.......Ay...Q.....4R/...T..6.......@Co.0j......s ...'..D.T9...7.J...m.]................Z.C.].<=5 O......;...+.. 
.x..?^)Q.....S..#.9@r@...Q....P.N!,..];.=.......7..E..\r.c.\.f.......\e6...BE/T......>.'.e..y..Q...lN`#h.S_9..+\n.H-b.....M3....Q{...p.S7i7...?EM......\n..G......[tD#.a.;\b.g.UR......n......x........?+.0o<..D........j(#n..6...\fn

SPKTMD_SEQACKREL in tcpFlags.h controls whether the seq/ack numbers in packet mode are printed as absolute or relative values. Switching to relative numbering facilitates the analysis of throughput irregularities, as gaps and retransmissions become visible at a glance. Look into the packet mode tutorial for an example of absolute versus relative seq/ack numbers.

RTT estimate

The Round Trip Time (RTT) estimate is a vital tool for troubleshooting. The mode is controlled by RTT_ESTIMATE in tcpFlags.h. The RTT features are estimated for all L4 protocols and give additional information about TCP connection anomalies such as ACK retries and SYN connection timeout retries.

  • tcpSSASAATrip denotes the RTT during the TCP connection phase (SYN, SYN/ACK, ACK), which is not influenced by application delays on the src and dst hosts, as the handshake is answered by the TCP stack itself.
  • The trip time denotes the time from the measurement point to the dst host and back.
  • tcpRTTAckTripMin, tcpRTTAckTripMax, tcpRTTAckTripAve denote the minimal, maximal and average trip time.
  • tcpRTTSseqAA denotes the total RTT, which also includes delays at the hosts.
  • tcpRTTAckJitAve denotes the average jitter, useful for voice communication, see also the voipDetector plugin.

RTT can also be estimated from the TCP timestamp option. Together with the MSS, which is supplied in the TCP options, the RTT allows a rough bandwidth per flow to be calculated.
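To make the trip and RTT notions concrete, here is an added Python example (not Tranalyzer code and not part of the original tutorial) that computes them over a constructed packet list the way a one-sided capture at a SPAN port sees them. The Tranalyzer column names are referenced as analogies only; the plugin's exact bookkeeping may differ.

```python
"""Trip and RTT estimation from a one-sided capture.

Added example, not Tranalyzer code: it mirrors the idea behind the tcpFlags
columns tcpSSASAATrip, tcpRTTAckTrip*, tcpRTTAckTripJitAve and tcpRTTSseqAA on
a constructed packet list.  The capture point sits between host A (client)
and host B (server), as a SPAN port would.
"""
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Pkt:
    t: float       # capture time in seconds
    dir: str       # "A": client -> server, "B": server -> client
    seq: int
    ack: int
    flags: int
    plen: int = 0  # TCP payload length


def handshake_trips(pkts):
    """SYN -> SYN/ACK and SYN/ACK -> ACK intervals seen at the capture point.

    Each half is the trip from the capture point to one host and back, free of
    application delays; their sum is the handshake RTT.  Returns None if the
    capture holds no complete handshake.
    """
    t_syn = t_synack = None
    for p in pkts:
        if p.dir == "A" and p.flags & SYN and not p.flags & ACK and t_syn is None:
            t_syn = p.t
        elif p.dir == "B" and p.flags & SYN and p.flags & ACK and t_syn is not None and t_synack is None:
            t_synack = p.t
        elif p.dir == "A" and p.flags == ACK and t_synack is not None:
            return (t_synack - t_syn, p.t - t_synack)
    return None


def ack_trips(pkts, data_dir):
    """Trip times for data flowing in data_dir: time from a data segment passing
    the capture point to the first ACK from the other side that covers it."""
    pending = []   # (end of segment, time seen)
    trips = []
    for p in pkts:
        if p.dir == data_dir and p.plen > 0:
            pending.append((p.seq + p.plen, p.t))
        elif p.dir != data_dir and p.flags & ACK and pending:
            trips.extend(p.t - ts for end, ts in pending if p.ack >= end)
            pending = [(end, ts) for end, ts in pending if p.ack < end]
    return trips


def trip_stats(trips):
    """min/max/average trip and average jitter (mean |delta| of consecutive trips)."""
    if not trips:
        return None
    jit = [abs(b - a) for a, b in zip(trips, trips[1:])]
    return {
        "min": min(trips), "max": max(trips), "ave": sum(trips) / len(trips),
        "jit_ave": sum(jit) / len(jit) if jit else 0.0,
    }


def throughput_bound_bps(window_bytes, rtt):
    """Upper bound for a window-limited flow: at most one window per RTT."""
    return window_bytes * 8 / rtt


def sample_flow():
    """Constructed flow: capture point next to A, B roughly 60 ms away."""
    return [
        Pkt(0.0000, "A", 1000, 0,    SYN),
        Pkt(0.0600, "B", 5000, 1001, SYN | ACK),
        Pkt(0.0604, "A", 1001, 5001, ACK),
        Pkt(0.0610, "A", 1001, 5001, PSH | ACK, 100),   # request
        Pkt(0.1210, "B", 5001, 1101, ACK),              # ACK of request: 60 ms trip
        Pkt(0.1215, "B", 5001, 1101, PSH | ACK, 1460),  # response, segment 1
        Pkt(0.1219, "A", 1101, 6461, ACK),              # 0.4 ms trip: A is close
        Pkt(0.1220, "B", 6461, 1101, PSH | ACK, 1460),  # response, segment 2
        Pkt(0.1225, "A", 1101, 7921, ACK),
        Pkt(0.1300, "A", 1101, 7921, PSH | ACK, 50),    # second request
        Pkt(0.1920, "B", 7921, 1151, ACK),              # 62 ms trip
    ]


if __name__ == "__main__":
    pk = sample_flow()
    hs = handshake_trips(pk)
    print("handshake: SYN->SYN/ACK %.4f s, SYN/ACK->ACK %.4f s" % hs)
    for d in "AB":
        print("data from %s: %s" % (d, trip_stats(ack_trips(pk, d))))
    print("window-limited bound at 64 KiB: %.0f bit/s" % throughput_bound_bps(65535, sum(hs)))
```

The asymmetry of the two handshake halves tells you which side of the capture point the distant host is, which is exactly what the A and B rows of tcpSSASAATrip in the output below reflect.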

Let’s look for flows whose average ACK trip jitter or total RTT exceeds 0.5 seconds.

tawk '$tcpRTTAckTripJitAve > 0.5 || $tcpRTTSseqAA > 0.5 { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly, $tcpSSASAATrip, $tcpRTTAckTripMin, $tcpRTTAckTripMax, $tcpRTTAckTripAve, $tcpRTTAckTripJitAve, $tcpRTTSseqAA, $tcpRTTAckJitAve }' ~/results/faf-exercise_flows.txt | tcol

%dir  flowInd  flowStat            srcIP          srcIPCC  srcIPOrg             srcPort  dstIP          dstIPCC  dstIPOrg             dstPort  l4Proto  tcpFStat  ipFlags  tcpFlags  tcpAnomaly  tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve
A     11       0x0400000000004000  192.168.1.104  07       "Private network"    1384     63.245.221.11  us       "Mozilla"            80       6        0x0011    0x0040   0x011b    0x0000      0.061556       0.02061101        23.03958          2.930275          8.20785              0.06196701    0
B     11       0x0400000000004001  63.245.221.11  us       "Mozilla"            80       192.168.1.104  07       "Private network"    1384     6        0x0811    0x0044   0x031b    0x0000      0.000411008    0.000405984       8.196325          1.171332          3.09773              4.101607      8.772954
A     10       0x0400000000004000  192.168.1.104  07       "Private network"    1379     63.245.221.11  us       "Mozilla"            80       6        0x0811    0x0040   0x011b    0x0000      0.005547008    7.1008e-05        22.97788          1.313045          5.416256             0.005753984   0
B     10       0x0400000000004001  63.245.221.11  us       "Mozilla"            80       192.168.1.104  07       "Private network"    1379     6        0x0811    0x0044   0x031b    0x0000      0.000206976    0.000186016       9.952202          1.338241          3.450881             2.651285      6.422182
B     12       0x0400000000004001  192.168.1.1    07       "Private network"    25       192.168.1.103  07       "Private network"    1397     6        0x0011    0x0044   0x031b    0x0008      0.000452032    0.000294976       2.176203          0.1305968         0.5305589            0.1459511     0.5378596
B     19       0x0400000000004001  192.168.1.1    07       "Private network"    25       192.168.1.102  07       "Private network"    1400     6        0x0011    0x0044   0x031b    0x0008      0.000201984    0.000101952       3.94484           0.2614954         1.016245             0.2686045     1.016971
A     35       0x0400000000004000  192.168.1.105  07       "Private network"    49329    143.166.11.10  us       "Dell Technologies"  21       6        0x0811    0x0040   0x001a    0x0000      0.08025197     0.07749402        306.0649          29.85101          91.8391              0.08094997    0
B     35       0x0400000000004001  143.166.11.10  us       "Dell Technologies"  21       192.168.1.105  07       "Private network"    49329    6        0x0811    0x0044   0x061e    0x0000      0.000698       0.000449984       0.194089          0.04303963        0.07786669           29.89405      91.83913

L3/4 checksums

Looking at checksums reveals whether the L4 header or the content has been manipulated. Moreover, you can determine whether a pcap was acquired on a host itself or at a network intercept, such as a SPAN port: if checksum offload is present and activated on the NIC, outgoing packets captured on the host are recorded before the hardware has filled in the checksum, so their L4 checksums appear wrong, whereas the same packets captured on the wire are correct. Think about how the checksums look if a pcap is acquired on the sending computer.

Another reason for checksum mismatches is snapped (truncated) payload during traffic capture: the checksum covers bytes that were never recorded.

annoloc2.pcap was acquired in 2002 and it is a very murky capture.

t2 -r ~/data/annoloc2.pcap -w ~/results -s

================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 23618, Prio: 0, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: tcpFlags, 0.9.1
    03: tcpStates, 0.9.1
    04: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/annoloc2.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 66
Dump start: 1022171701.691172000 sec (Thu 23 May 2002 16:35:01 GMT)
[WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500
Dump stop : 1022171726.640398000 sec (Thu 23 May 2002 16:35:26 GMT)
Total dump duration: 24.949226000 sec
Finished processing. Elapsed time: 8.505853382 sec
Finished unloading flow memory. Time: 8.744516690 sec
Percentage completed: 100.00%
Number of processed packets: 1219015 (1.22 M)
Number of processed bytes: 64082726 (64.08 M)
Number of raw bytes: 844642686 (844.64 M)
Number of pad bytes: 8591685635 (8.59 G)
Number of pcap bytes: 83586990 (83.59 M)
Number of IPv4 packets: 1218588 (1.22 M) [99.96%]
Number of IPv6 packets: 180 [0.01%]
Number of A packets: 564233 (564.23 K) [46.29%]
Number of B packets: 654782 (654.78 K) [53.71%]
Number of A bytes: 29448166 (29.45 M) [45.95%]
Number of B bytes: 34634560 (34.63 M) [54.05%]
<A packet load>: 52.19
<B packet load>: 52.89
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x7964
tcpFlags: Aggregated tcpFStat=0x5fff
tcpFlags: Aggregated tcpFlags=0x0fdf
tcpFlags: Aggregated tcpAnomaly=0x33ff
tcpFlags: Aggregated ipToS=0xff
tcpFlags: Number of TCP scans attempted, successful: 959, 886 [92.39%]
tcpFlags: Number of TCP SYN retries, seq retries: 147, 5252 (5.25 K)
tcpFlags: Number WinSz below 1: 1443 (1.44 K) [0.15%]
tcpStates: Aggregated tcpStatesAFlags=0xdf
--------------------------------------------------------------------------------
Headers count: min: 2, max: 5, avg: 3.01
Number of ARP packets: 247 [0.02%]
Number of GRE packets: 20 [0.00%]
Number of IGMP packets: 12 [0.00%]
Number of ICMP packets: 3059 (3.06 K) [0.25%]
Number of ICMPv6 packets: 11 [0.00%]
Number of TCP packets: 948743 (948.74 K) [77.83%]
Number of TCP bytes: 52643546 (52.64 M) [82.15%]
Number of UDP packets: 266900 (266.90 K) [21.89%]
Number of UDP bytes: 11234272 (11.23 M) [17.53%]
Number of IPv4 fragmented packets: 2284 (2.28 K) [0.19%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 17603 (17.60 K)
Number of processed L2   flows: 99 [0.56%]
Number of processed IPv4 flows: 17440 (17.44 K) [99.07%]
Number of processed IPv6 flows: 64 [0.36%]
Number of processed A    flows: 9995 (9.99 K) [56.78%]
Number of processed B    flows: 7608 (7.61 K) [43.22%]
Number of request        flows: 9948 (9.95 K) [56.51%]
Number of reply          flows: 7655 (7.66 K) [43.49%]
Total   A/B    flow asymmetry: 0.14
Total req/rply flow asymmetry: 0.13
Number of processed A+B packets/A+B flows: 69.25
Number of processed A   packets/A   flows: 56.45
Number of processed   B packets/  B flows: 86.06
Number of processed total packets/s: 48859.83 (48.86 K)
Number of processed A+B   packets/s: 48859.83 (48.86 K)
Number of processed A     packets/s: 22615.25 (22.61 K)
Number of processed   B   packets/s: 26244.58 (26.24 K)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 705.55
<Bandwidth>: 270268480 b/s (270.27 Mb/s)
<Snapped bandwidth>: 20548205 b/s (20.55 Mb/s)
<Raw bandwidth>: 270835716 b/s (270.84 Mb/s)
Max number of flows in memory: 15220 (15.22 K) [5.81%]
Memory usage: 0.07 GB [0.11%]
Aggregated flowStat=0x2c0098fa0222d044
[WRN] L3 SnapLength < Length in IP header
[WRN] L4 header snapped
[WRN] Consecutive duplicate IP ID
[WRN] IPv4/6 payload length > framing length
[WRN] IPv4/6 fragmentation header packet missing
[WRN] IPv4/6 packet fragmentation sequence not finished
[INF] Stop dissecting: Clipped packet, unhandled protocol or subsequent fragment
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] IPv6 flows
[INF] ARP
[INF] IPv4/6 fragmentation
[INF] IPv4/6 in IPv4/6
[INF] GRE encapsulation
[INF] GTP tunnel
[INF] SSDP/UPnP
[INF] DTLS

tawk -V ipFlags=0x7964

The ipFlags column with value 0x7964 is to be interpreted as follows:

   bit | ipFlags | Description
   =============================================================================
     2 | 0x0004  | IPv4 ID roll over
     5 | 0x0020  | More Fragment bit
     6 | 0x0040  | IPv4: Don't Fragment bit, IPv6: reserve bit
     8 | 0x0100  | Fragmentation position error
    11 | 0x0800  | L4 checksum error
    12 | 0x1000  | Length in L3/4 header < actual L3/4 length
    13 | 0x2000  | Length in UDP/UDP-Lite header != actual UDP/UDP-Lite length
    14 | 0x4000  | Packet inter-distance = 0

tawk -V tcpFStat=0x5fff

The tcpFStat column with value 0x5fff is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     1 | 0x0002   | TCP option init
     2 | 0x0004   | Timestamp option decreasing
     3 | 0x0008   | L4 option field corrupt or not acquired
     4 | 0x0010   | Window state-machine initialized
     5 | 0x0020   | Window update
     6 | 0x0040   | Win 0 probe
     7 | 0x0080   | Win 0 probe ACK
     8 | 0x0100   | Min Window detected
     9 | 0x0200   | WS used
    10 | 0x0400   | Window full
    11 | 0x0800   | Window state-machine count up(1)/down(0)
    12 | 0x1000   | L4 checksum calculation if present
    14 | 0x4000   | TCP Selective ACK option

tawk -V tcpFlags=0x0fdf

The tcpFlags column with value 0x0fdf is to be interpreted as follows:

   bit | tcpFlags | Description
   =============================================================================
     0 | 0x0001     | FIN: No more data, finish connection
     1 | 0x0002     | SYN: Synchronize sequence numbers
     2 | 0x0004     | RST: Reset connection
     3 | 0x0008     | PSH: Push data
     4 | 0x0010     | ACK: Acknowledgement field value valid
     6 | 0x0040     | ECE: ECN-Echo
     7 | 0x0080     | CWR: Congestion Window Reduced flag is set
     8 | 0x0100     | FIN_ACK: Acknowledgement of FIN
     9 | 0x0200     | SYN_ACK: Acknowledgement of SYN
    10 | 0x0400     | RST_ACK: Acknowledgement of RST
    11 | 0x0800     | Potential NULL scan packet or malicious channel

tawk -V tcpAnomaly=0x33ff

The tcpAnomaly column with value 0x33ff is to be interpreted as follows:

   bit | tcpAnomaly | Description
   =============================================================================
     0 | 0x0001     | SYN retransmission
     1 | 0x0002     | SEQ Timeout retransmission
     2 | 0x0004     | SEQ Fast retransmission
     3 | 0x0008     | Duplicate ACK
     4 | 0x0010     | TCP Keep-Alive
     5 | 0x0020     | TCP Keep-Alive ACK
     6 | 0x0040     | Sequence number out-of-order
     7 | 0x0080     | Sequence mess, rather spurious Retransmission
     8 | 0x0100     | ACK for unseen packet
     9 | 0x0200     | Previous packet not captured
    12 | 0x1000     | Scan detected in flow
    13 | 0x2000     | Successful scan detected in flow

As ipFlags=0x7964 and tcpAnomaly=0x33ff in the end report indicate, there are lots of broken packets, due to the anonymization and the 66-byte snapshot length, and scans were detected.

The flowStat in the end report and of all flows carries an L3 packet length warning, resulting in wrong L4 checksums. Let's select all flows with L3/4 checksum errors (mask 0x0c00 on ipFlags) and display the first 20, as all flows have the problem.

tawk 'bitsanyset($ipFlags, 0x0c00) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly }' ~/results/annoloc2_flows.txt | head -n 20 | tcol

%dir  flowInd  flowStat            srcIP            srcIPCC  srcIPOrg                          srcPort  dstIP            dstIPCC  dstIPOrg                          dstPort  l4Proto  tcpFStat  ipFlags  tcpFlags  tcpAnomaly
A     265      0x0400000000004000  209.171.12.143   ca       "TELUS Communications Inc"        4987     138.212.185.230  jp       "ASAHI KASEI CORPORATION"         41250    6        0x0011    0x0840   0x00c4    0x0000
A     447      0x0400000000004000  217.41.129.13    gb       "BT Infrastructure Layer"         58872    138.212.187.186  jp       "ASAHI KASEI CORPORATION"         80       6        0x0011    0x0840   0x0044    0x0000
A     392      0x0400000000004000  36.242.181.230   jp       "SoftBank Corp"                   4685     138.212.188.67   jp       "ASAHI KASEI CORPORATION"         1214     6        0x0011    0x0840   0x00c2    0x3000
B     392      0x0400000000004001  138.212.188.67   jp       "ASAHI KASEI CORPORATION"         1214     36.242.181.230   jp       "SoftBank Corp"                   4685     6        0x0011    0x0800   0x04d4    0x2000
A     906      0x0400000000004000  161.135.53.11    us       "Federal Express Corp"            5001     138.212.191.94   jp       "ASAHI KASEI CORPORATION"         80       6        0x0011    0x0840   0x00c2    0x3000
B     906      0x0400000000004001  138.212.191.94   jp       "ASAHI KASEI CORPORATION"         80       161.135.53.11    us       "Federal Express Corp"            5001     6        0x0011    0x0800   0x04d4    0x2000
A     1027     0x0400000000004000  146.162.158.230  gb       "Norwich Union Insurance Limite"  2849     138.212.184.193  jp       "ASAHI KASEI CORPORATION"         6346     6        0x0011    0x0840   0x0042    0x3000
B     1027     0x0400000000004001  138.212.184.193  jp       "ASAHI KASEI CORPORATION"         6346     146.162.158.230  gb       "Norwich Union Insurance Limite"  2849     6        0x0011    0x0840   0x0454    0x2000
A     1154     0x0400000000004000  193.133.224.57   gb       "UK PA route"                     3286     138.212.188.67   jp       "ASAHI KASEI CORPORATION"         1214     6        0x0011    0x0840   0x0002    0x3000
B     1154     0x0400000000004001  138.212.188.67   jp       "ASAHI KASEI CORPORATION"         1214     193.133.224.57   gb       "UK PA route"                     3286     6        0x0011    0x0800   0x0414    0x2000
A     867      0x0400000200004000  138.212.184.48   jp       "ASAHI KASEI CORPORATION"         6666     36.74.248.27     id       "PT Telekomunikasi Indonesia"     1108     6        0x0011    0x1840   0x0058    0x0000
B     867      0x0400000000004001  36.74.248.27     id       "PT Telekomunikasi Indonesia"     1108     138.212.184.48   jp       "ASAHI KASEI CORPORATION"         6666     6        0x0011    0x0840   0x0044    0x0000
A     864      0x0400000200004000  19.54.241.65     us       "MAINT-APNIC-AP"                  6667     138.212.191.209  jp       "ASAHI KASEI CORPORATION"         45891    6        0x0011    0x1840   0x00d8    0x0000
B     864      0x0400000000004001  138.212.191.209  jp       "ASAHI KASEI CORPORATION"         45891    19.54.241.65     us       "MAINT-APNIC-AP"                  6667     6        0x0011    0x0844   0x01d5    0x3000
A     1336     0x0400000000004000  216.21.10.20     ca       "XNS Technology Group Inc"        1305     138.212.191.94   jp       "ASAHI KASEI CORPORATION"         80       6        0x0011    0x0840   0x0002    0x3000
B     1336     0x0400000000004001  138.212.191.94   jp       "ASAHI KASEI CORPORATION"         80       216.21.10.20     ca       "XNS Technology Group Inc"        1305     6        0x0011    0x0800   0x0414    0x2000
A     1512     0x0400000000004000  19.150.217.57    us       "MAINT-APNIC-AP"                  1678     138.212.189.66   jp       "ASAHI KASEI CORPORATION"         1214     6        0x0011    0x0800   0x0004    0x0000
A     1534     0x0400000000004000  216.233.229.167  us       "MCI Communications Services"     3782     138.212.185.86   jp       "ASAHI KASEI CORPORATION"         1058     6        0x0011    0x0840   0x0042    0x3000
B     1534     0x0400000000004001  138.212.185.86   jp       "ASAHI KASEI CORPORATION"         1058     216.233.229.167  us       "MCI Communications Services"     3782     6        0x0011    0x0800   0x0454    0x2000

Below, the flow with flowInd 1336 is extracted to show that each packet has a wrong L4 checksum; compare l4HdrChkSum with l4CalChkSum. The L3 checksums add up (ipHdrChkSum equals ipCalChkSum), why? The IPv4 header checksum covers only the 20-byte header, which is intact and easy for an anonymizer to recompute, whereas the TCP checksum also covers the addresses (via the pseudo header) and the payload, which was snapped.

tawk 'flow(1336)' ~/results/annoloc2_packets.txt | tcol

%pktNo  flowInd  flowStat            time                  pktIAT       pktTrip      flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP           srcIPCC  srcIPOrg                  srcPort  dstIP           dstIPCC  dstIPOrg                  dstPort  l4Proto  ipToS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq      ack      seqMax   seqDiff  ackDiff  seqLen  ackLen  seqFlowLen  ackFlowLen  tcpMLen  tcpBFlgt  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpWS  tcpMSS  tcpTmS  tcpTmER  tcpMPTyp  tcpMPF  tcpMPAID  tcpMPDSSF  tcpOptLen  tcpOpts                                  tcpStatesAFlags  l7Content
19221   1336     0x0400000000004000  1022171702.098369000  0.000000000  0.000000000  0.000000000   3        eth:ipv4:tcp          00:d0:02:6d:78:00  00:60:08:69:80:dd  0x0800   216.21.10.20    ca       XNS Technology Group Inc  1305     138.212.191.94  jp       ASAHI KASEI CORPORATION   80       6        0x00   11025  0         0x4000  119    0xac5a       0xac5a       0xa8c3       0x0150       0x0840   0                       0                     0                 1389457  0        1389457  0        0        0       0       0           0           0        0         0x0010    0x0002    0x0000      8192    0      536     0       0        0         0x00    0         0x00       8          0x02;0x04;0x02;0x18;0x01;0x01;0x04;0x02  0x00
19247   1336     0x0400000000004001  1022171702.098389000  0.000000000  0.000020000  0.000000000   3        eth:ipv4:tcp          00:60:08:69:80:dd  00:d0:02:6d:78:00  0x0800   138.212.191.94  jp       ASAHI KASEI CORPORATION   80       216.21.10.20    ca       XNS Technology Group Inc  1305     6        0x00   22725  0         0x0000  128    0xb5ae       0xb5ae       0xf1d7       0x4a64       0x0800   0                       0                     0                 0        1389458  0        0        0        0       0       0           0           0        0         0x0010    0x0414    0x0000      0       0      0       0       0        0         0x00    0         0x00       0                                                   0x40
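The following added Python example (not Tranalyzer code and not part of the original tutorial) rebuilds the checksum arithmetic on a constructed IPv4/TCP packet, using the addresses and ports of the IMAP flow shown earlier and a dummy payload. It reproduces the three situations of this section, snapped payload, anonymized addresses and a host-side capture with checksum offload, and shows why each breaks the L4 checksum while the IPv4 header checksum still adds up. The field names follow the packet-mode columns; the snaplen of 66 bytes is the one reported for annoloc2.pcap above.

```python
"""IPv4 header and TCP checksum verification on a constructed packet.

Added example, not Tranalyzer code.  Builds one IPv4/TCP packet (addresses and
ports from the flows above, dummy payload) and checks four variants: clean,
snapped at a 66-byte Ethernet snaplen, source address rewritten by an
anonymizer that fixed only the IP header checksum, and captured on the sender
with checksum offload (TCP checksum still zero).
"""
import struct

TCP = 6


def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_packet(src, dst, sport, dport, payload, offload=False):
    """IPv4 + TCP (PSH/ACK, no options).  offload=True leaves the TCP checksum
    at 0, as a host-side capture with hardware checksum offload records it."""
    src, dst = ip_bytes(src), ip_bytes(dst)
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x11111111, 0x22222222, 5 << 4, 0x18, 0xFFFF, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, TCP, tcp_len)
    csum = 0 if offload else checksum(pseudo + tcp + payload)
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    return ip + tcp + payload


def anonymize_src(pkt, new_src):
    """Rewrite the source address and fix only the IP header checksum, which is
    all an anonymizer can do once the payload has been snapped."""
    ihl = (pkt[0] & 0x0F) * 4
    ip = pkt[:10] + b"\x00\x00" + pkt[12:16] + ip_bytes(new_src) + pkt[20:ihl]
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + pkt[ihl:]


def verify(pkt):
    """Recompute both checksums over the bytes actually present in the capture."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_total = struct.unpack("!H", pkt[2:4])[0]
    ip_hdr = pkt[:ihl]
    ip_cal = checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])
    l4 = pkt[ihl:]
    # the pseudo header carries the TCP length the sender used, i.e. from the IP header
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], ip_total - ihl)
    l4_cal = checksum(pseudo + l4[:16] + b"\x00\x00" + l4[18:])
    r = {
        "ipHdrChkSum": struct.unpack("!H", ip_hdr[10:12])[0],
        "ipCalChkSum": ip_cal,
        "l4HdrChkSum": struct.unpack("!H", l4[16:18])[0],
        "l4CalChkSum": l4_cal,
        "snapped": len(pkt) < ip_total,  # [WRN] L3 SnapLength < Length in IP header
    }
    r["ip_ok"] = r["ipHdrChkSum"] == r["ipCalChkSum"]
    r["l4_ok"] = r["l4HdrChkSum"] == r["l4CalChkSum"]
    return r


# constructed samples: addresses/ports of the IMAP flow above, 40-byte dummy payload
FULL = build_packet("192.168.1.105", "143.166.11.10", 49330, 143, b"A" * 40)
SNAPPED = FULL[:66 - 14]   # 66-byte snaplen minus the 14-byte Ethernet header
ANON = anonymize_src(FULL, "10.0.0.1")
OFFLOAD = build_packet("192.168.1.105", "143.166.11.10", 49330, 143, b"A" * 40, offload=True)

if __name__ == "__main__":
    for name, p in (("full", FULL), ("snapped", SNAPPED), ("anonymized", ANON), ("offload", OFFLOAD)):
        print("%-10s %s" % (name, verify(p)))
```

Only the clean packet passes both checks; the snapped, anonymized and offloaded variants all keep a valid IPv4 header checksum and fail the L4 one, which is the pattern the packet-mode output above shows for flow 1336.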

TCP options

TCP options contain vital information about connection characteristics and even let us guess something about the type of application involved. Let us select flows with the MSS and window scale (WS) options to see whether the decoding works; these are option kinds 2 and 3, hence bit positions 2 and 3 in tcpOptions.

tawk 'bitsanyset($tcpOptions, 0x0000000c) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $l4Proto, $tcpFStat, $tcpFlags, $ipFlags, $tcpAnomaly, $tcpOptCnt, $tcpOptions, $tcpMSS, $tcpWS }' ~/results/annoloc2_flows.txt | head -n 20 | tcol

%dir  flowInd  flowStat            srcIP            srcIPCC  srcIPOrg                          srcPort  dstIP            dstIPCC  dstIPOrg                   dstPort  l4Proto  tcpFStat  tcpFlags  ipFlags  tcpAnomaly  tcpOptCnt  tcpOptions  tcpMSS  tcpWS
A     392      0x0400000000004000  36.242.181.230   jp       "SoftBank Corp"                   4685     138.212.188.67   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0x00c2    0x0840   0x3000      4          0x00000016  1436    0
A     906      0x0400000000004000  161.135.53.11    us       "Federal Express Corp"            5001     138.212.191.94   jp       "ASAHI KASEI CORPORATION"  80       6        0x0011    0x00c2    0x0840   0x3000      3          0x0000000e  1460    0
A     1027     0x0400000000004000  146.162.158.230  gb       "Norwich Union Insurance Limite"  2849     138.212.184.193  jp       "ASAHI KASEI CORPORATION"  6346     6        0x0011    0x0042    0x0840   0x3000      4          0x00000016  1460    0
A     1154     0x0400000000004000  193.133.224.57   gb       "UK PA route"                     3286     138.212.188.67   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  1460    0
A     1336     0x0400000000004000  216.21.10.20     ca       "XNS Technology Group Inc"        1305     138.212.191.94   jp       "ASAHI KASEI CORPORATION"  80       6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  536     0
A     1534     0x0400000000004000  216.233.229.167  us       "MCI Communications Services"     3782     138.212.185.86   jp       "ASAHI KASEI CORPORATION"  1058     6        0x0011    0x0042    0x0840   0x3000      4          0x00000016  1460    0
A     1586     0x0400000200004000  130.92.198.110   ch       "Universitaet Bern"               1249     138.212.191.248  jp       "ASAHI KASEI CORPORATION"  1214     6        0x4811    0x01db    0x1840   0x0088      16         0x00000036  1460    0
B     1586     0x0400000200004001  138.212.191.248  jp       "ASAHI KASEI CORPORATION"         1214     130.92.198.110   ch       "Universitaet Bern"        1249     6        0x0011    0x03df    0x5840   0x0044      4          0x00000016  1460    0
A     1836     0x0400000000004000  209.114.247.93   us       "Ideal Technology Solutions US "  1335     138.212.187.11   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0042    0x0840   0x3000      4          0x00000016  536     0
A     1909     0x0400000000004000  19.27.88.236     us       "MAINT-APNIC-AP"                  4045     138.212.186.88   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0082    0x0840   0x3000      4          0x00000016  1452    0
A     1959     0x0400000000004000  216.21.10.20     ca       "XNS Technology Group Inc"        1305     138.212.191.94   jp       "ASAHI KASEI CORPORATION"  80       6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  536     0
A     1904     0x0400000000004000  138.212.186.27   jp       "ASAHI KASEI CORPORATION"         1396     83.220.134.126   de       "MNT-PlusServer"           4661     6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  1452    0
A     1969     0x0400000000004000  83.0.129.97      pl       "TPNET"                           1395     138.212.187.11   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0x00c2    0x0840   0x3000      4          0x00000016  1460    0
A     2060     0x0400000000004000  18.97.211.233    us       "Amazon Technologies Inc"         3448     138.212.187.247  jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0x00c2    0x0840   0x3000      4          0x00000016  1460    0
A     2113     0x0400000000004000  36.92.31.200     id       "PT Telekomunikasi Indonesia"     48337    138.212.185.86   jp       "ASAHI KASEI CORPORATION"  1052     6        0x0011    0x0042    0x0800   0x3000      4          0x00000016  1460    0
A     2183     0x0400000000004000  201.133.193.218  mx       "Uninet SA de CV"                 3134     138.212.187.11   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  1440    0
A     2236     0x0400000000004000  83.45.182.68     es       "Telefonica de Espana SAU"        1322     138.212.187.10   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0082    0x0840   0x3000      4          0x00000016  1460    0
A     2274     0x0400000000004000  201.53.22.207    br       "CLARO SA"                        4810     138.212.187.11   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0002    0x0840   0x3000      4          0x00000016  1460    0
A     2333     0x0400000000004000  193.99.26.18     nl       "Not allocated by APNIC"          1925     138.212.188.67   jp       "ASAHI KASEI CORPORATION"  1214     6        0x0011    0x0082    0x0840   0x3000      6          0x0000001e  1452    0

Timestamp options are a formidable tool for RTT estimation, even if the RTT measurements are influenced by L7 protocol reaction times, and for revealing the boot time of the source host.

Boot time estimation

The TCP timestamp option, originally created for Round Trip Time (RTT) measurements, can be abused for boot time estimation, because operating systems used to derive the TCP timestamp value from the uptime.

As different machines boot at different times, this measure separates machines even behind a NAT, where you normally see only one IP address. The only problem is that different operating systems use different clock increments; the increment can be calculated if several packets per flow are available, otherwise it comes down to OS guessing. The column tcpEcI below denotes this increment.

Unfortunately, newer versions of various operating systems use a random timestamp offset per connection, i.e. per flow. Hence, comparing different flows from the same machine yields different uptimes or boot times, and the measure becomes useless. Nevertheless, the estimation of tcpEcI is still useful for newer OS.

annoloc2.pcap was captured in 2002, so if you look at the boot times (tcpBtm, Unix epoch seconds) below you will see the correlation; it works.

tawk '{ print $srcIP, $tcpTmS, $tcpTmER, $tcpEcI, $tcpUtm, $tcpBtm }' ~/results/annoloc2_flows.txt | sort -V | uniq | awkf '$2' | head -n 40 | tcol

18.2.89.211     7748617     849533919  0.01  77486.168268     1022094226.113856951
18.2.89.211     7748924     849534263  0.01  77489.238268     1022094226.117550020
18.2.89.211     7749342     849534680  0.01  77493.418268     1022094226.112001113
18.2.89.211     7749343     849534252  0.01  77493.428268     1022094226.110961114
18.2.89.211     7749424     204508834  0.01  77494.238268     1022094226.109820132
18.2.89.211     7749524     849534270  0.01  77495.238268     1022094226.114325154
18.2.89.211     7749624     849534698  0.01  77496.238268     1022094226.112042176
18.2.89.211     7749726     849535064  0.01  77497.258268     1022094226.108769199
18.2.89.211     7749831     849534861  0.01  77498.308268     1022094226.110498223
18.2.89.211     7749831     849535169  0.01  77498.308268     1022094226.106989223
18.2.89.211     7749838     849535176  0.01  77498.378268     1022094226.108499224
18.2.89.211     7749938     849535064  0.01  77499.378268     1022094226.111826247
18.2.89.211     7749967     849535305  0.01  77499.668268     1022094226.108142253
18.85.17.135    22846249    826368     0.01  228462.484893    1021943255.4210824831
18.85.17.135    22846930    826851     0.01  228469.294893    1021943255.4216715983
18.107.26.21    103819943   373699105  0.01  1038199.406794   1021133503.026879566
18.155.23.221   33847443    43376223   0.01  338474.422435    1021833231.196509494
18.155.23.221   33848762    248428209  0.01  338487.612434    1021833231.192675788
18.155.23.221   33848960    182165005  0.01  338489.592434    1021833231.189960833
18.155.23.221   33849237    6322419    0.01  338492.362434    1021833231.189717895
19.24.4.45      1693583440  72029656   0.01  16935834.021455  1005235877.235268398
19.24.4.45      1693583872  793132504  0.01  16935838.341455  1005235877.273547495
19.29.161.16    19986317    34285718   0.01  199863.165533    1021971858.270385290
19.55.36.202    1098236     390486740  0.01  10982.359755     1022160744.225945475
19.55.36.202    1098240     8297346    0.01  10982.399755     1022160744.232881476
19.59.134.250   199361062   113909808  0.01  1993610.575439   1020178116.063282670
19.67.192.174   35424473    785167233  0.01  354244.722082    1021817463.220257987
19.67.210.218   4323074     689732     0.1   432307.406442    1021739419.180874118
19.114.68.45    78574708    17008889   0.01  785747.062437    1021385960.390761816
19.114.68.45    78574918    34284567   0.01  785749.162437    1021385960.391067863
19.114.68.45    78575088    72029658   0.01  785750.862437    1021385960.3687749197
19.139.46.124   29251       785168750  0.1   2925.100044      1022168799.345161413
19.169.122.89   1806691     853448585  0.01  18066.909596     1022153659.006620827
19.173.18.204   17719695    785166685  0.1   1771969.526404   1020399734.3863648893
19.173.18.204   17719720    785168065  0.01  177197.196039    1021994520.359782667
19.173.18.204   17719731    785168629  0.01  177197.306039    1021994526.080391669
19.182.177.87   49516646    34285659   0.01  495166.448932    1021676554.013430833
19.182.177.87   144345608   34285961   0.01  1443456.047736   1020728267.433656758
19.182.178.138  23254415    34285407   0.01  232544.144802    1021939173.792872767
19.182.178.197  139712      853446502  0.1   13971.200208     1022157733.4261111109
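The arithmetic behind the tcpEcI, tcpUtm and tcpBtm columns above, as an added Python example that is not part of the tcpFlags plugin: it estimates the clock increment from the slope of capture time over TSval, derives uptime and boot time per flow, and then counts distinct boot times per source address, which is the NAT separation described above. The samples are constructed, and the 0.01 s fallback for single-packet flows is an assumption.

```python
"""Boot time estimation from TCP timestamp (TSval) samples.

Added example, not code from the tcpFlags plugin.  It reproduces the
arithmetic behind the tcpEcI (seconds per tick), tcpUtm (uptime) and
tcpBtm (boot time, Unix epoch) columns on constructed samples.
"""
from collections import defaultdict
from statistics import median

# Assumption: when a flow has a single packet the tick cannot be measured,
# so we fall back to a 10 ms clock, the value most flows above show.
FALLBACK_INCREMENT = 0.01

# Constructed samples: (source IP, flow index, capture time [epoch s], TSval)
SAMPLES = [
    ("18.2.89.211",   1, 1022171712.282, 7748617),
    ("18.2.89.211",   1, 1022171713.282, 7748717),   # +1.00 s, +100 ticks: 10 ms clock
    ("18.2.89.211",   1, 1022171715.282, 7748917),
    ("18.2.89.211",   2, 1022171720.352, 7749424),   # second flow, same host, same boot
    ("18.2.89.211",   2, 1022171721.352, 7749524),
    ("19.67.210.218", 3, 1022171726.580, 4323074),
    ("19.67.210.218", 3, 1022171728.580, 4323094),   # +2.00 s, +20 ticks: 100 ms clock
    ("203.0.113.7",   4, 1022000000.000,  500000),   # single packet: tick must be guessed
    ("203.0.113.7",   5, 1022000000.000,  900000),   # same address, TSval 4000 s apart
]


def estimate_increment(flow_samples, fallback=FALLBACK_INCREMENT):
    """tcpEcI: seconds per TSval tick, from the slope of capture time over TSval.
    With fewer than two distinct TSvals the slope is undefined, so we guess."""
    xs = [ts for (_, _, _, ts) in flow_samples]
    ys = [t for (_, _, t, _) in flow_samples]
    if len(set(xs)) < 2:
        return fallback
    # Centre both series first: raw sums of 1e9-sized epochs cancel badly.
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return round(num / den, 4)


def uptime_and_boot(capture_time, tsval, increment):
    """tcpUtm = TSval * tcpEcI, tcpBtm = capture time - tcpUtm."""
    uptime = tsval * increment
    return uptime, capture_time - uptime


def boot_times_per_flow(samples):
    """{(ip, flow): (tcpEcI, tcpBtm)}; boot time is the median over the packets."""
    flows = defaultdict(list)
    for s in samples:
        flows[(s[0], s[1])].append(s)
    out = {}
    for key, fs in flows.items():
        inc = estimate_increment(fs)
        boots = [uptime_and_boot(t, ts, inc)[1] for (_, _, t, ts) in fs]
        out[key] = (inc, median(boots))
    return out


def distinct_hosts(samples, tolerance=2.0):
    """Per source address, cluster the flows' boot times.  Each cluster is a
    host candidate behind that address (or a randomised TSval offset, which
    looks exactly the same and is why newer OS defeat this trick)."""
    per_ip = defaultdict(list)
    for (ip, _), (_, boot) in boot_times_per_flow(samples).items():
        per_ip[ip].append(boot)
    hosts = {}
    for ip, boots in per_ip.items():
        clusters = []
        for b in sorted(boots):
            if clusters and b - clusters[-1][-1] <= tolerance:
                clusters[-1].append(b)
            else:
                clusters.append([b])
        hosts[ip] = [c[0] for c in clusters]   # one representative boot time each
    return hosts


if __name__ == "__main__":
    for key, (inc, boot) in boot_times_per_flow(SAMPLES).items():
        print(key, "tcpEcI=%.2f" % inc, "tcpBtm=%.3f" % boot)
    print(distinct_hosts(SAMPLES))
```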

The plugin will evolve; as soon as we find something else for this feature, it will be implemented in tcpFlags. So if you have an idea, please contact us, we are happy to cooperate with you on research into such things.

Multipath TCP (MPTCP)

Multipath TCP was developed to allow a TCP connection to use multiple paths in order to optimize resource usage and increase redundancy. Several other protocols pursue the same goal, such as

  • SCTP
  • Multipath QUIC from Google

The constant MPTCP in tcpFlags.h controls the MPTCP dissection. It is enabled by default and decodes the subtype and the different flags. More will be added in future.

Download the sample pcap iperf-mptcp-0-0.pcap and store it under your ~/data folder. More pcaps are available under https://wiki.wireshark.org/SampleCaptures#MPTCP

t2 -r ~/data/iperf-mptcp-0-0.pcap -w ~/results/ -s

================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 25069, Prio: 0, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: tcpFlags, 0.9.1
    03: tcpStates, 0.9.1
    04: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/iperf-mptcp-0-0.pcap
Link layer type: PPP [PPP/9]
Snapshot length: 65535 (65.53 K)
Dump start: 0.000000000 sec (Thu 01 Jan 1970 00:00:00 GMT)
Dump stop : 12.319482000 sec (Thu 01 Jan 1970 00:00:12 GMT)
Total dump duration: 12.319482000 sec
Finished processing. Elapsed time: 0.067807865 sec
Finished unloading flow memory. Time: 0.067960258 sec
Percentage completed: 100.00%
Number of processed packets: 2560 (2.56 K)
Number of processed bytes: 2538100 (2.54 M)
Number of raw bytes: 2538100 (2.54 M)
Number of pad bytes: 240
Number of pcap bytes: 2579084 (2.58 M)
Number of IPv4 packets: 2554 (2.55 K) [99.77%]
Number of IPv6 packets: 6 [0.23%]
Number of A packets: 1680 (1.68 K) [65.62%]
Number of B packets: 880 [34.38%]
Number of A bytes: 2483492 (2.48 M) [97.85%]
Number of B bytes: 54608 (54.61 K) [2.15%]
<A packet load>: 1478.27 (1.48 K)
<B packet load>: 62.05
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x0040
tcpFlags: Aggregated tcpFStat=0x8a33
tcpFlags: Aggregated tcpFlags=0x031b
tcpFlags: Aggregated tcpAnomaly=0x0009
tcpFlags: Number of TCP SYN retries, seq retries: 4, 0
tcpFlags: Aggregated MPTCP subtypes: tcpMPTBF=0x000f
tcpFlags: Aggregated MPTCP flags: tcpMPF=0x81
tcpFlags: Number of MPTCP packets: 2557 (2.56 K) [99.88%]
tcpStates: Aggregated tcpStatesAFlags=0x03
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of ICMPv6 packets: 6 [0.23%]
Number of TCP packets: 2554 (2.55 K) [99.77%]
Number of TCP bytes: 2537752 (2.54 M) [99.99%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 8
Number of processed IPv4 flows: 6 [75.00%]
Number of processed IPv6 flows: 2 [25.00%]
Number of processed A    flows: 6 [75.00%]
Number of processed B    flows: 2 [25.00%]
Number of request        flows: 6 [75.00%]
Number of reply          flows: 2 [25.00%]
Total   A/B    flow asymmetry: 0.50
Total req/rply flow asymmetry: 0.50
Number of processed A+B packets/A+B flows: 320.00
Number of processed A   packets/A   flows: 280.00
Number of processed   B packets/  B flows: 440.00
Number of processed total packets/s: 207.80
Number of processed A+B   packets/s: 207.80
Number of processed A     packets/s: 136.37
Number of processed   B   packets/s: 71.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.65
<Bandwidth>: 1648186 b/s (1.65 Mb/s)
<Raw bandwidth>: 1648186 b/s (1.65 Mb/s)
Max number of flows in memory: 8 [0.00%]
Memory usage: 0.03 GB [0.05%]
Aggregated flowStat=0x0c0000000000e002
[INF] IPv4 flows
[INF] IPv6 flows
[INF] No Ethernet header
[INF] PPP/HDLC encapsulation

tcpFStat flags MPTCP; 2557 of the 2560 packets carry MPTCP options. The aggregated tcpFStat value is decoded with tawk:

tawk -V tcpFStat=0x8a33

The tcpFStat column with value 0x8a33 is to be interpreted as follows:

   bit | tcpFStat | Description
   =============================================================================
     0 | 0x0001   | Packet good for inter-distance assessment
     1 | 0x0002   | TCP option init
     4 | 0x0010   | Window state-machine initialized
     5 | 0x0020   | Window update
     9 | 0x0200   | WS used
    11 | 0x0800   | Window state-machine count up(1)/down(0)
    15 | 0x8000   | MPTCP detected

The subtypes are coded in a T2 bit field:

tawk -V tcpMPTBF=0x000f

The tcpMPTBF column with value 0x000f is to be interpreted as follows:

   bit | tcpMPTBF | Description
   =============================================================================
     0 | 0x0001   | Multipath Capable
     1 | 0x0002   | Join Connection
     2 | 0x0004   | Data Sequence Signal (Data ACK and data sequence mapping)
     3 | 0x0008   | Add Address

So in the flow file you will see the subtype bit field, the flags, the address ID and the DSS flags, e.g. for subtype 2 (DSS).

tawk '{ print $srcIP, $srcPort, $dstIP, $dstPort, $l4Proto, $tcpFStat, $tcpMPTBF, $tcpMPF, $tcpMPAID, $tcpMPDSSF }' ~/results/iperf-mptcp-0-0_flows.txt | tcol

srcIP                srcPort  dstIP     dstPort  l4Proto  tcpFStat  tcpMPTBF  tcpMPF  tcpMPAID  tcpMPDSSF
fe80::200:ff:fe00:1  0        ff02::2   0        58       0x0001    0x0000    0x00    0         0x00
fe80::200:ff:fe00:2  0        ff02::2   0        58       0x0001    0x0000    0x00    0         0x00
10.1.1.1             43376    10.2.0.1  5001     6        0x8013    0x0002    0x00    3         0x00
10.1.1.1             57841    10.2.1.1  5001     6        0x8013    0x0002    0x00    3         0x00
10.1.0.1             49078    10.2.1.1  5001     6        0x8213    0x0006    0x00    2         0x15
10.2.1.1             5001     10.1.0.1  49078    6        0x8a33    0x0006    0x00    3         0x15
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    0x000d    0x81    3         0x05
10.2.0.1             5001     10.1.0.1  5001     6        0x8a13    0x000d    0x81    3         0x01

Same for the packet file, except that tcpMPTyp holds the actual subtype value instead of a T2 bit field:

tawk '{ print $srcIP, $srcPort, $dstIP, $dstPort, $l4Proto, $tcpFStat, $tcpMPTyp, $tcpMPF, $tcpMPAID, $tcpMPDSSF }' ~/results/iperf-mptcp-0-0_packets.txt | tcol

srcIP                srcPort  dstIP     dstPort  l4Proto  tcpFStat  tcpMPTyp  tcpMPF  tcpMPAID  tcpMPDSSF
fe80::200:ff:fe00:1           ff02::2            58
fe80::200:ff:fe00:2           ff02::2            58
fe80::200:ff:fe00:1           ff02::2            58
fe80::200:ff:fe00:2           ff02::2            58
10.1.0.1             5001     10.2.0.1  5001     6        0x8012    0         0x81    0         0x00
10.2.0.1             5001     10.1.0.1  5001     6        0x8012    0         0x81    0         0x00
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x81    0         0x01
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    3         0x01
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.1.0.1             5001     10.2.0.1  5001     6        0x8213    2         0x00    0         0x05
10.2.0.1             5001     10.1.0.1  5001     6        0x8213    2         0x00    3         0x01
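The decoding behind the columns shown above, as an added Python example that is not tcpFlags' own code: it walks the TCP option list, decodes the MPTCP (kind 30) subtype and flags per packet following the MPTCP v0 layout, and aggregates them per flow the way tcpMPTBF, tcpMPF, tcpMPAID and tcpMPDSSF are displayed. The aggregation rule (OR of subtype bits and flags, last address ID seen) and all option bytes are constructed assumptions.

```python
"""MPTCP option (TCP option kind 30) decoder and per-flow aggregation.

Added example, not code from the tcpFlags plugin.  Bit layout follows the
MPTCP v0 option format: subtype in the high nibble of the first byte after
the length, then subtype-specific flags / address ID.
"""
MPTCP_KIND = 30
SUBTYPES = {0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR",
            4: "REMOVE_ADDR", 5: "MP_PRIO", 6: "MP_FAIL", 7: "MP_FASTCLOSE"}


def parse_tcp_options(opts):
    """Yield (kind, payload) for each TCP option; payload excludes kind/length."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # End of option list
            return
        if kind == 1:                    # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        yield kind, opts[i + 2:i + length]
        i += length


def decode_mptcp(payload):
    """Decode the subtype-specific header bytes of one MPTCP option."""
    if not payload:
        raise ValueError("empty MPTCP option")
    subtype = payload[0] >> 4
    rec = {"subtype": subtype, "name": SUBTYPES.get(subtype, "UNKNOWN"),
           "flags": 0, "addr_id": 0, "dss_flags": 0}
    if subtype == 0 and len(payload) >= 2:     # MP_CAPABLE: version nibble, flags A..H
        rec["version"] = payload[0] & 0x0f
        rec["flags"] = payload[1]
    elif subtype == 1 and len(payload) >= 2:   # MP_JOIN: backup bit B, address ID
        rec["flags"] = payload[0] & 0x01
        rec["addr_id"] = payload[1]
    elif subtype == 2 and len(payload) >= 2:   # DSS: flags byte rsv|F|M|m|a|A
        rec["dss_flags"] = payload[1] & 0x1f
    elif subtype == 3 and len(payload) >= 2:   # ADD_ADDR: IP version nibble, address ID
        rec["ipver"] = payload[0] & 0x0f
        rec["addr_id"] = payload[1]
    return rec


def mptcp_flow_summary(packet_options):
    """Aggregate the MPTCP options of all packets of one flow (assumed rule:
    bit per subtype seen, OR of flags, last non-zero address ID)."""
    bf = flags = aid = dssf = 0
    for opts in packet_options:
        for kind, payload in parse_tcp_options(opts):
            if kind != MPTCP_KIND:
                continue
            rec = decode_mptcp(payload)
            bf |= 1 << rec["subtype"]
            flags |= rec["flags"]
            dssf |= rec["dss_flags"]
            if rec["addr_id"]:
                aid = rec["addr_id"]
    return {"tcpMPTBF": bf, "tcpMPF": flags, "tcpMPAID": aid, "tcpMPDSSF": dssf}


# Constructed option lists (kind 30 = 0x1e); keys, tokens and sequence fields are zeros.
MP_CAPABLE = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x1e\x0c\x00\x81" + b"\x00" * 8  # MSS, NOP, NOP, MP_CAPABLE v0, flags A|H
DSS_MAP    = b"\x1e\x14\x20\x05" + b"\x00" * 16        # DSS: data ACK + DSN mapping (M|A)
DSS_ACK    = b"\x1e\x08\x20\x01" + b"\x00" * 4         # DSS: data ACK only (A)
ADD_ADDR   = b"\x1e\x08\x34\x03" + bytes([10, 1, 1, 1])  # ADD_ADDR IPv4, address ID 3
MP_JOIN    = b"\x1e\x0c\x10\x03" + b"\x00" * 8         # MP_JOIN SYN, address ID 3, B clear

CAPABLE_FLOW = [MP_CAPABLE, DSS_MAP, DSS_ACK, ADD_ADDR]
JOIN_FLOW = [MP_JOIN]

if __name__ == "__main__":
    print(mptcp_flow_summary(CAPABLE_FLOW))
    print(mptcp_flow_summary(JOIN_FLOW))
```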

More features will be added in future.

Fragmentation

Fragmentation is a diverse subject. In IPv4 it should not occur anymore, because today's MTU is generally large enough throughout whole networks; if you see it in your corporate network, it should be investigated. IPv6 is a different story: there fragmentation is an established tool.

The constant FRAG_ANALYZE in tcpFlags.h controls the fragmentation analysis. Moreover, the constant FRAGMENTATION has to be enabled in tranalyzer.h under the tranalyzer2/src directory, which is the default.

I prepared a pcap which illustrates a pitfall of flow-based representation when fragmentation is present. So download frag.pcap and add basicStats, so that we can look at the packet and payload statistics.

t2build basicStats

Then rerun t2 using the -s option, as we also want to look at the packets.

t2 -r ~/data/frag.pcap -w ~/results/ -s

================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 25747, Prio: 0, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: basicStats, 0.9.1
    03: tcpFlags, 0.9.1
    04: tcpStates, 0.9.1
    05: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/frag.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1294260264.274530000 sec (Wed 05 Jan 2011 20:44:24 GMT)
Dump stop : 1294260291.961272000 sec (Wed 05 Jan 2011 20:44:51 GMT)
Total dump duration: 27.686742000 sec
Finished processing. Elapsed time: 0.000896996 sec
Finished unloading flow memory. Time: 0.001257418 sec
Percentage completed: 100.00%
Number of processed packets: 82
Number of processed bytes: 14857 (14.86 K)
Number of raw bytes: 14857 (14.86 K)
Number of pad bytes: 124
Number of pcap bytes: 16193 (16.19 K)
Number of IPv4 packets: 38 [46.34%]
Number of A packets: 80 [97.56%]
Number of B packets: 2 [2.44%]
Number of A bytes: 14737 (14.74 K) [99.19%]
Number of B bytes: 120 [0.81%]
<A packet load>: 184.21
<B packet load>: 60.00
--------------------------------------------------------------------------------
basicStats: Flow max(pktload): 384
basicStats: Flow max(b/s), pkts: 124416792 (124.42 Mb/s), 26
basicStats: Biggest L2 flow talker: 00:0d:65:4f:38:94: 14 [17.07%] packets
basicStats: Biggest L2 flow talker: 00:0d:65:4f:38:94: 602 [4.05%] bytes
basicStats: Biggest L3 flow talker: 192.168.203.131: 26 [31.71%] packets
basicStats: Biggest L3 flow talker: 192.168.203.131: 10000 (10.00 K) [67.31%] bytes
tcpFlags: Aggregated ipFlags=0x0860
tcpFlags: Aggregated tcpFStat=0x1011
tcpFlags: Aggregated tcpFlags=0x0c14
tcpFlags: Aggregated tcpAnomaly=0x3180
tcpFlags: Aggregated ipToS=0xc0
tcpFlags: Number of TCP scans attempted, successful: 0, 1 [inf%]
tcpStates: Aggregated tcpStatesAFlags=0xc3
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, avg: 2.67
Number of LLC packets: 16 [19.51%]
Number of ARP packets: 25 [30.49%]
Number of ICMP packets: 3 [3.66%]
Number of TCP packets: 27 [32.93%]
Number of TCP bytes: 10964 (10.96 K) [73.80%]
Number of UDP packets: 5 [6.10%]
Number of UDP bytes: 763 [5.14%]
Number of IPv4 fragmented packets: 26 [68.42%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 20
Number of processed L2   flows: 11 [55.00%]
Number of processed IPv4 flows: 9 [45.00%]
Number of processed A    flows: 18 [90.00%]
Number of processed B    flows: 2 [10.00%]
Number of request        flows: 18 [90.00%]
Number of reply          flows: 2 [10.00%]
Total   A/B    flow asymmetry: 0.80
Total req/rply flow asymmetry: 0.80
Number of processed A+B packets/A+B flows: 4.10
Number of processed A   packets/A   flows: 4.44
Number of processed   B packets/  B flows: 1.00
Number of processed total packets/s: 2.96
Number of processed A+B   packets/s: 2.96
Number of processed A     packets/s: 2.89
Number of processed   B   packets/s: 0.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.72
<Bandwidth>: 3515 b/s (3.52 Kb/s)
<Raw bandwidth>: 4293 b/s (4.29 Kb/s)
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.04 GB [0.05%]
Aggregated flowStat=0x0400081000004044
[INF] Stop dissecting: Clipped packet, unhandled protocol or subsequent fragment
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] ARP
[INF] IPv4/6 fragmentation

We see that 26 [68.42%] of the IPv4 packets are fragmented. The two fragmentation-related [INF] warnings at the end of the report indicate abnormalities in the IPv4 fragmented traffic. Below, the fragmented traffic, including the abnormalities, is selected from the flow file. We have a perfectly fragmented packet: all fragments sum up in the numBytesSnt and numBytesRcvd columns.

tawk 'bitsanyset($ipFlags, 0x03b8) { print $dir, $flowInd, $flowStat, $srcIP, $srcIPCC, $srcIPOrg, $srcPort, $dstIP, $dstIPCC, $dstIPOrg, $dstPort, $tcpFStat, $ipFlags, $tcpFlags, $tcpAnomaly, $numPktsSnt, $numPktsRcvd, $numBytesSnt, $numBytesRcvd }' ~/results/frag_flows.txt | tcol

%dir  flowInd  flowStat            srcIP            srcIPCC  srcIPOrg           srcPort  dstIP            dstIPCC  dstIPOrg           dstPort  tcpFStat  ipFlags  tcpFlags  tcpAnomaly  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd
A     4        0x0400081000004000  192.168.203.131  07       "Private network"  1509     192.168.203.134  07       "Private network"  0        0x1011    0x0820   0x0800    0x3000      26          1            10000        0

Looking at the packet file, the first packet contains the layer 4 header with the checksum. At the last fragment, T2 adds the IP pseudo header and calculates the final checksum, which matches the 0x7366 from the TCP header of the initial packet.
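What the two paragraphs above describe, as an added Python example that is not T2's own code: a constructed TCP segment is cut into 400-byte IPv4 fragments, only the first of which carries the ports and the TCP checksum; once all fragments are reassembled and the pseudo header is prepended, the calculated checksum matches the header checksum, while a later fragment alone shows port 0 and a corrupted fragment produces a mismatch. The addresses and the result keys mirror the columns above; everything else (payload, ports, IP ID) is constructed.

```python
"""IPv4 fragment reassembly and TCP checksum verification.

Added example, not T2's own code.  A constructed TCP segment is fragmented
the way frag.pcap shows it (first fragment carries the TCP header, the
others only payload); the TCP checksum can only be verified once the last
fragment has arrived and the IP pseudo header is prepended.
"""
import struct

SRC = bytes([192, 168, 203, 131])   # addresses taken from the flow above
DST = bytes([192, 168, 203, 134])


def checksum(data):
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return (~total) & 0xffff


def tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)


def build_ipv4(src, dst, ipid, offset, more, payload):
    """Minimal IPv4 header (no options) with the fragment fields set."""
    flags_off = (0x2000 if more else 0) | (offset // 8)   # MF bit, offset in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ipid,
                      flags_off, 64, 6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment(src, dst, ipid, segment, size=400):
    """Split a TCP segment into IPv4 fragments of `size` payload bytes."""
    return [build_ipv4(src, dst, ipid, off, off + size < len(segment),
                       segment[off:off + size])
            for off in range(0, len(segment), size)]


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0f) * 4
    tot_len, ipid, flags_off = struct.unpack("!HHH", pkt[2:8])
    return {"src": pkt[12:16], "dst": pkt[16:20], "proto": pkt[9], "ipid": ipid,
            "offset": (flags_off & 0x1fff) * 8, "more": bool(flags_off & 0x2000),
            "payload": pkt[ihl:tot_len]}


def fragment_ports(pkt):
    """Ports as a per-packet view sees them: only the first fragment has them."""
    p = parse_ipv4(pkt)
    if p["offset"] == 0 and len(p["payload"]) >= 4:
        return struct.unpack("!HH", p["payload"][:4])
    return (0, 0)


def reassemble(frags):
    """Rebuild the segment; reject foreign, gapped or overlapping fragments
    and a missing last fragment (MF still set on the highest offset)."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    first = parts[0]
    ident = lambda p: (p["src"], p["dst"], p["proto"], p["ipid"])
    buf = bytearray()
    for p in parts:
        if ident(p) != ident(first):
            raise ValueError("fragment belongs to a different datagram")
        if p["offset"] != len(buf):
            raise ValueError("gap or overlap at offset %d" % p["offset"])
        buf += p["payload"]
    if parts[-1]["more"]:
        raise ValueError("last fragment missing")
    return first["src"], first["dst"], bytes(buf)


def verify_tcp(frags):
    """Mirror of the l4HdrChkSum / l4CalChkSum columns after the last fragment."""
    src, dst, seg = reassemble(frags)
    sport, dport = struct.unpack("!HH", seg[:4])
    hdr_csum = struct.unpack("!H", seg[16:18])[0]
    calc = tcp_checksum(src, dst, seg[:16] + b"\x00\x00" + seg[18:])
    return {"srcPort": sport, "dstPort": dport,
            "l4HdrChkSum": hdr_csum, "l4CalChkSum": calc, "ok": hdr_csum == calc}


def make_sample_fragments():
    """Constructed PSH/ACK segment, 1580 payload bytes, cut into 4 x 400 bytes."""
    payload = b"X" * 1580
    hdr = struct.pack("!HHIIBBHHH", 1509, 80, 280548844, 777151161,
                      5 << 4, 0x18, 512, 0, 0)
    csum = tcp_checksum(SRC, DST, hdr + payload)
    hdr = hdr[:16] + struct.pack("!H", csum) + hdr[18:]
    return fragment(SRC, DST, 249, hdr + payload)


if __name__ == "__main__":
    frags = make_sample_fragments()
    print([fragment_ports(f) for f in frags])
    print(verify_tcp(frags))
```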

tawk 'flow(4)' ~/results/frag_packets.txt | tcol

%pktNo  flowInd  flowStat            time                  pktIAT       pktTrip      flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP            srcIPCC  srcIPOrg         srcPort  dstIP            dstIPCC  dstIPOrg         dstPort  l4Proto  pktLen  udpLen  snapL4Len  snapL7Len  l7Len  ipToS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq        ack        seqMax     seqDiff  ackDiff  seqLen  ackLen  seqFlowLen  ackFlowLen  tcpMLen  tcpBFlgt  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpWS  tcpMSS  tcpTmS  tcpTmER  tcpMPTyp  tcpMPF  tcpMPAID  tcpMPDSSF  tcpOptLen  tcpOpts  tcpStatesAFlags  l7Content
4       4        0x0400009000004000  1294260266.528280000  0.000000000  0.000000000  0.000000000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  1509     192.168.203.134  07       Private network  0        6        434     0       400        380        380    0x00   249    0         0x2000  64     0x4000       0x4000       0x7366       0x0000       0x0020   0                       0                     0                 280548844  777151161  280548844  0        0        0       0       0           0           380      0         0x1010    0x0800    0x1000      512     0      0       0       0        0         0x00    0         0x00       0                   0x81             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5       4        0x0400089000004000  1294260266.528318000  0.000038000  0.000000000  0.000038000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x2032  64     0x3fce       0x3fce       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6       4        0x0400089000004000  1294260266.528335000  0.000017000  0.000000000  0.000055000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x2064  64     0x3f9c       0x3f9c       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7       4        0x0400089000004000  1294260266.528348000  0.000013000  0.000000000  0.000068000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x2096  64     0x3f6a       0x3f6a       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8       4        0x0400089000004000  1294260266.528363000  0.000015000  0.000000000  0.000083000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x20c8  64     0x3f38       0x3f38       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9       4        0x0400089000004000  1294260266.528383000  0.000020000  0.000000000  0.000103000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x20fa  64     0x3f06       0x3f06       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
10      4        0x0400089000004000  1294260266.528404000  0.000021000  0.000000000  0.000124000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x212c  64     0x3ed4       0x3ed4       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
11      4        0x0400089000004000  1294260266.528424000  0.000020000  0.000000000  0.000144000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x215e  64     0x3ea2       0x3ea2       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
12      4        0x0400089000004000  1294260266.528443000  0.000019000  0.000000000  0.000163000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x2190  64     0x3e70       0x3e70       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
13      4        0x0400089000004000  1294260266.528462000  0.000019000  0.000000000  0.000182000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x21c2  64     0x3e3e       0x3e3e       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
14      4        0x0400089000004000  1294260266.528480000  0.000018000  0.000000000  0.000200000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x21f4  64     0x3e0c       0x3e0c       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
15      4        0x0400089000004000  1294260266.528497000  0.000017000  0.000000000  0.000217000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x2226  64     0x3dda       0x3dda       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
16      4        0x0400089000004000  1294260266.528512000  0.000015000  0.000000000  0.000232000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x2258  64     0x3da8       0x3da8       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
17      4        0x0400089000004000  1294260266.528526000  0.000014000  0.000000000  0.000246000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x228a  64     0x3d76       0x3d76       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
18      4        0x0400089000004000  1294260266.528544000  0.000018000  0.000000000  0.000264000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x22bc  64     0x3d44       0x3d44       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
19      4        0x0400089000004000  1294260266.528561000  0.000017000  0.000000000  0.000281000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x22ee  64     0x3d12       0x3d12       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
20      4        0x0400089000004000  1294260266.528575000  0.000014000  0.000000000  0.000295000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x2320  64     0x3ce0       0x3ce0       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
21      4        0x0400089000004000  1294260266.528588000  0.000013000  0.000000000  0.000308000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x2352  64     0x3cae       0x3cae       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
22      4        0x0400089000004000  1294260266.528601000  0.000013000  0.000000000  0.000321000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x2384  64     0x3c7c       0x3c7c       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
23      4        0x0400089000004000  1294260266.528613000  0.000012000  0.000000000  0.000333000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x23b6  64     0x3c4a       0x3c4a       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
24      4        0x0400089000004000  1294260266.528626000  0.000013000  0.000000000  0.000346000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x23e8  64     0x3c18       0x3c18       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
25      4        0x0400089000004000  1294260266.528776000  0.000150000  0.000000000  0.000496000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x241a  64     0x3be6       0x3be6       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
26      4        0x0400089000004000  1294260266.528818000  0.000042000  0.000000000  0.000538000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x244c  64     0x3bb4       0x3bb4       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
27      4        0x0400089000004000  1294260266.528854000  0.000036000  0.000000000  0.000574000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x247e  64     0x3b82       0x3b82       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
28      4        0x0400089000004000  1294260266.528889000  0.000035000  0.000000000  0.000609000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        434     0       400        400        400    0x00   249    0         0x24b0  64     0x3b50       0x3b50       0x0000       0x0000       0x0020   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
29      4        0x0400081000004000  1294260266.528923000  0.000034000  0.000000000  0.000643000   3        eth:ipv4:tcp          00:24:e8:ed:3f:10  00:0f:ea:e8:f5:51  0x0800   192.168.203.131  07       Private network  0        192.168.203.134  07       Private network  0        6        54      0       20         20         20     0x00   249    0         0x04e2  64     0x5c9a       0x5c9a       0x7366       0x5f52       0x0800   0                       0                     0                                                                                                                               0x0000                                                                                                         0                   0x00             XXXXXXXXXXXXXXXXXXXX
30      4        0x0400000000004001  1294260266.529423000  0.000000000  0.000500000  0.000000000   3        eth:ipv4:tcp          00:0f:ea:e8:f5:51  00:24:e8:ed:3f:10  0x0800   192.168.203.134  07       Private network  0        192.168.203.131  07       Private network  1509     6        60      0       20         0          0      0x00   14196  0         0x4000  64     0xeb00       0xeb00       0x83db       0x83db       0x0040   0                       0                     0                 0          280558844  0          0        0        0       0       0           0           0        0         0x0010    0x0414    0x0180      0       0      0       0       0        0         0x00    0         0x00       0                   0x40

Detecting scans

Scans are normally the opening phase of a more serious attack. Nevertheless, a lot of legitimate TCP traffic looks like scanning. Anybody who has used Snort, the de facto standard IDS, has probably suffered from interpreting the flood of scan alarms it produces, so scan indications need filtering before they become useful.

At some point I needed an indication, both in the end report and in the flow/packet files, of whether a malicious TCP scan is going on. The heuristic is not perfect, but it has often served its purpose.

To see its effect clearly, download nmap_v_sT.pcap, copy it into your data folder and rerun t2. The pcap was generated with the nmap scanning tool (the file name indicates a verbose TCP connect scan, nmap -v -sT).

t2 -r ~/data/nmap_v_sT.pcap -w ~/results/

The bit-field values found in the flow and packet files can be decoded with the -V option of tawk, for example:

tawk -V tcpFlags=0x803b -V tcpAnomaly=0x1008 -V ipToS=0x04

The tcpFlags column with value 0x803b is to be interpreted as follows:

   bit | tcpFlags | Description
   =============================================================================
     0 | 0x0001     | FIN: No more data, finish connection
     1 | 0x0002     | SYN: Synchronize sequence numbers
     3 | 0x0008     | PSH: Push data
     4 | 0x0010     | ACK: Acknowledgement field value valid
     5 | 0x0020     | URG: Urgent pointer valid
    15 | 0x8000     | Potential Xmas scan packet or malicious channel


The tcpAnomaly column with value 0x1008 is to be interpreted as follows:

   bit | tcpAnomaly | Description
   =============================================================================
     3 | 0x0008     | Duplicate ACK
    12 | 0x1000     | Scan detected in flow


The ipToS column with value 0x04 is to be interpreted as follows:

   bit | ipToS    | Description
   =============================================================================
     2 | 0x04     | Precedence 0

Below, the first rows of the flow file in which the plugin flagged a scan (tcpAnomaly bit 0x1000) are printed; head -n 10 shows the header line and nine flows:

tawk 'bitsanyset($tcpAnomaly, 0x1000)' ~/results/nmap_v_sT_flows.txt | head -n 10 | tcol

%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP        dstIPCC  dstIPOrg           dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT  aveIAT  stdIAT  pktps  bytps  pktAsm  bytAsm  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipToS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpBFlgtMx  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpMPTBF  tcpMPF  tcpMPAID  tcpMPdssF  tcpTmS   tcpTmER  tcpEcI  tcpUtm        tcpBtm             tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStatesAFlags
A     1        0x0400000000004000  1416313200.358106  1416313200.358106  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  54118    10.20.0.125  04       "Private network"  587      6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2868435842  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3992845  0        0.004   15971.380759  1416297228.977348  0              65535             0                 0                 0                    0             0                0x03
A     2        0x0400000000004000  1416313200.457149  1416313200.457149  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  33056    10.20.0.125  04       "Private network"  1720     6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2506148143  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3992875  0        0.004   15971.500759  1416297228.956391  0              65535             0                 0                 0                    0             0                0x03
A     3        0x0400000000004000  1416313201.458313  1416313201.458313  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  45750    10.20.0.125  04       "Private network"  1720     6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  1770850395  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993175  0        0.004   15972.700759  1416297228.757555  0              65535             0                 0                 0                    0             0                0x03
A     4        0x0400000000004000  1416313201.458361  1416313201.458361  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  38704    10.20.0.125  04       "Private network"  587      6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3336324932  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993175  0        0.004   15972.700759  1416297228.757603  0              65535             0                 0                 0                    0             0                0x03
A     5        0x0400000000004000  1416313201.557900  1416313201.557900  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  50322    10.20.0.125  04       "Private network"  995      6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3712758514  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993205  0        0.004   15972.820759  1416297228.737142  0              65535             0                 0                 0                    0             0                0x03
A     6        0x0400000000004000  1416313201.558981  1416313201.558981  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  45384    10.20.0.125  04       "Private network"  135      6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2792320487  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993206  0        0.004   15972.824759  1416297228.734223  0              65535             0                 0                 0                    0             0                0x03
A     7        0x0400000000004000  1416313201.559756  1416313201.559756  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  55726    10.20.0.125  04       "Private network"  443      6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  742007355   0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993206  0        0.004   15972.824759  1416297228.734998  0              65535             0                 0                 0                    0             0                0x03
A     8        0x0400000000004000  1416313201.759706  1416313201.759706  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  55879    10.20.0.125  04       "Private network"  443      6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3280881276  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993266  0        0.004   15973.064759  1416297228.694948  0              65535             0                 0                 0                    0             0                0x03
A     9        0x0400000000004000  1416313201.759861  1416313201.759861  0.000000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  45598    10.20.0.125  04       "Private network"  135      6        1           0            0            0             0         0         0           0           0       0       0       0       0      0      1       0       0x0013    65535       0           64        64        0         0x00   0x0040   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3916203706  0           0               0               0           0                      0               0           29200         29200        29200        29200        0               0              0                  0             0x0002    0x1000      1             5          0x0000011e  1460    0      0x0000    0x00    0         0x00       3993266  0        0.004   15973.064759  1416297228.695103  0              65535             0                 0                 0                    0             0                0x03
...

All of these scan flows consist of a single SYN that was never answered (numPktsSnt 1, numPktsRcvd 0, tcpFlags 0x0002). In this pcap, the only flow with more than one packet sent is a UDP flow, which the TCP scan detection does not flag:

tawk '$numPktsSnt > 1' ~/results/nmap_v_sT_flows.txt | tcol

%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc        srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP        dstIPCC  dstIPOrg           dstPort  l4Proto  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT     stdIAT     pktps     bytps     pktAsm  bytAsm  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipToS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpBFlgtMx  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpMPTBF  tcpMPF  tcpMPAID  tcpMPdssF  tcpTmS      tcpTmER  tcpEcI  tcpUtm           tcpBtm             tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  tcpStatesAFlags
A     1035     0x0400100000004000  1416313207.526140  1416313209.202341  1.676201  1           3        eth:ipv4:udp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56907    10.20.0.125  04       "Private network"  41661    17       4           0            1200         0             300       300       300         0           0       0.571979  0.4190502  0.1840924  2.386349  715.9046  1       1       0x0001    0           0           51        51        0         0x00   0x0000   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0           0               0               0           0                      0               0           0             0            0            0            0               0              0                  0             0x0000    0x0000      0             0          0x00000000  0       0      0x0000    0x00    0         0x00       0           0        0       0.000000         0.000000           0              65535             0                 0                 0                    0             0                0x00
A     1036     0x0400000000004000  1416313207.600509  1416313209.299168  1.698659  1           3        eth:ipv4:tcp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56862    10.20.0.125  04       "Private network"  41089    6        4           0            0            0             0         0         0           0           0       0.58213   0.4246647  0.1861713  2.354799  0         1       0       0x0013    14560       41214       40        53        3         0x00   0x0004   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2449289213  0           0               0               0           0                      0               0           31337         31337        31337        31337        0               0              0                  0             0x0002    0x1000      4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363537.309168  0              65535             0                 0                 0                    0             0                0x03
A     1037     0x0400000000004000  1416313207.670968  1416313209.394928  1.723960  1           3        eth:ipv4:tcp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56863    10.20.0.125  04       "Private network"  41089    6        4           0            0            0             0         0         0           0           0       0.582315  0.43099    0.187417   2.320239  0         1       0       0x0013    723         11955       50        54        2         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2449289213  4           0               0               4           0                      3               0           32768         32768        32768        32768        0               0              0                  0             0x0010    0x0008      4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363537.404928  0              65535             0                 0                 0                    0             0                0x03
A     1038     0x0400000000004000  1416313207.768806  1416313209.490977  1.722171  1           3        eth:ipv4:tcp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56864    10.20.0.125  04       "Private network"  41089    6        4           0            0            0             0         0         0           0           0       0.579505  0.4305428  0.1871625  2.32265   0         1       0       0x0013    5943        47665       43        56        3         0x00   0x0004   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2449289213  0           0               0               0           0                      0               0           65535         65535        65535        65535        0               0              0                  0             0x8029    0x1000      4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363537.500977  0              65535             0                 0                 0                    0             0                0x83
A     1034     0x0400000000004000  1416313207.399029  1416313213.771996  6.372967  1           3        eth:ipv4:icmp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  0        10.20.0.125  04       "Private network"  0        1        16          0            2160         0             120       150       135         13.60319    0       3.084397  0.3983104  0.6733372  2.510605  338.9316  1       1       0x0001    24122       39230       37        59        14        0x04   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0           0               0               0           0                      0               0           0             0            0            0            0               0              0                  0             0x0000    0x0000      0             0          0x00000000  0       0      0x0000    0x00    0         0x00       0           0        0       0.000000         0.000000           0              65535             0                 0                 0                    0             0                0x00
A     1039     0x0400100000004000  1416313212.383429  1416313213.855100  1.471671  1           3        eth:ipv4:udp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56907    10.20.0.125  04       "Private network"  44093    17       4           0            1200         0             300       300       300         0           0       0.497902  0.3679178  0.1605711  2.717999  815.3997  1       1       0x0001    0           0           56        56        0         0x00   0x0000   0         0x00_0x00000000  0_0            0x00000000_0x00000000  0           0           0               0               0           0                      0               0           0             0            0            0            0               0              0                  0             0x0000    0x0000      0             0          0x00000000  0       0      0x0000    0x00    0         0x00       0           0        0       0.000000         0.000000           0              65535             0                 0                 0                    0             0                0x00
A     1040     0x0400000000004000  1416313212.449125  1416313213.938839  1.489714  1           3        eth:ipv4:tcp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56862    10.20.0.125  04       "Private network"  36508    6        4           0            0            0             0         0         0           0           0       0.50196   0.3724285  0.1617426  2.685079  0         1       0       0x0013    3237        53852       43        57        3         0x00   0x0004   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3748830669  0           0               0               0           0                      0               0           31337         31337        31337        31337        0               0              0                  0             0x0002    0x1000      4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363541.948839  0              65535             0                 0                 0                    0             0                0x03
A     1041     0x0400000000004000  1416313212.530015  1416313214.021189  1.491174  1           3        eth:ipv4:tcp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56863    10.20.0.125  04       "Private network"  36508    6        4           0            0            0             0         0         0           0           0       0.498118  0.3727935  0.1617746  2.68245   0         1       0       0x0013    10342       29962       41        52        3         0x00   0x0044   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3748830669  4           0               0               4           0                      3               0           32768         32768        32768        32768        0               0              0                  0             0x0010    0x0008      4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363542.031189  0              65535             0                 0                 0                    0             0                0x03
A     1042     0x0400000000004000  1416313212.619118  1416313214.101341  1.482223  1           3        eth:ipv4:tcp   e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.125  04       "Private network"  56864    10.20.0.125  04       "Private network"  36508    6        4           0            0            0             0         0         0           0           0       0.494521  0.3705558  0.1608062  2.698649  0         1       0       0x0013    3455        6768        47        56        3         0x00   0x0004   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3748830669  0           0               0               0           0                      0               0           65535         65535        65535        65535        0               0              0                  0             0x8029    0x1000      4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363542.111341  0              65535             0                 0                 0                    0             0                0x83

If you look at the value tcpFlags=0x0002 (only the SYN bit ever seen), it is also a way to select unsuccessful SYN scan flows: the aggregated TCP flags indicate that these flows are unanswered SYN scans.

Odd is the high window scale factor; the random initial window size and the TTL indicate a Linux platform. Is it malicious?

Flags count as AI features

t2conf tcpFlags -D TCPFLGCNT=1 && t2build tcpFlags

t2 -r ~/data/nmap_v_sT.pcap -w ~/results/

tawk '{ split($tcpCntF_S_R_P_A_U_E_C_FA_SA_RA_N_SF_SFR_RF_X, A, "_"); if (A[16] > 0) print; }' ~/results/nmap_v_sT_flows.txt | tcol

%dir  flowInd  flowStat            timeFirst             timeLast              duration     numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  vlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP        dstIPCC  dstIPOrg           dstPort  l4Proto  pktsSnt  pktsRcvd  padBytesSnt  l7BytesSnt  l7BytesRcvd  minL7PktSz  maxL7PktSz  avgL7PktSz  stdL7PktSz  minIAT  maxIAT    avgIAT     stdIAT     pktps     bytps  pktAsm  bytAsm  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipToS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpBFlgtMx  tcpInitWinSz  tcpAvgWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpCntF_S_R_P_A_U_E_C_FA_SA_RA_N_SF_SFR_RF_X  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpMPTBF  tcpMPF  tcpMPAID  tcpMPDSSF  tcpTmS      tcpTmER  tcpEcI  tcpUtm           tcpBtm                 tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAvg  tcpRTTAckTripJitAvg  tcpRTTSseqAA  tcpRTTAckJitAvg  tcpStatesAFlags
A     1038     0x0400000000004000  1416313207.768806000  1416313209.490977000  1.722171000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.125  04       "Private network"  56864    10.20.0.125  04       "Private network"  41089    6        4        0         0            0           0            0           0           0           0           0       0.579505  0.4305428  0.3343525  2.32265   0      1       0       0x0013    5943        47665       43        56        3         0x00   0x0004   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2449289213  0           0               0               0           0                      0               0           65535         65535        65535        65535        0               0              0                  0             0x8029    0x1000      4_0_0_4_0_4_0_0_0_0_0_0_0_0_0_4               4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363537.3796944294  0              65535             0                 0                 0                    0             0                0x83
A     1042     0x0400000000004000  1416313212.619118000  1416313214.101341000  1.482223000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.125  04       "Private network"  56864    10.20.0.125  04       "Private network"  36508    6        4        0         0            0           0            0           0           0           0           0       0.494521  0.3705558  0.2881742  2.698649  0      1       0       0x0013    3455        6768        47        56        3         0x00   0x0004   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3748830669  0           0               0               0           0                      0               0           65535         65535        65535        65535        0               0              0                  0             0x8029    0x1000      4_0_0_4_0_4_0_0_0_0_0_0_0_0_0_4               4             20         0x0000011e  265     0      0x0000    0x00    0         0x00       4294967295  0        0.01    42949671.990000  1373363542.3407308294  0              65535             0                 0 

So you see right away the counts of X-mas scan flags in both flows, which is all you need to build an X-mas detector; no AI is required for that. Note that the FIN, PSH and URG counters are incremented as well, because some people are not interested in the Xmas count; they can simply mask bits 8-15. So if you are interested in the true per-flag count, you have to subtract the counts of the combined flags (FA, SA, …, X) from the single-flag counts. In a later version I will add a mode where this is done automatically.
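The two selections above, the tcpFlags=0x0002 filter for unanswered SYN scans and the X counter of the flag-count column, together with the subtraction of the combined-flag counts just described, as an added Python example that is not part of Tranalyzer or of this tutorial. It parses the tab-separated txtSink output by header name (the real file has many more columns than the constructed sample) and assumes, for the subtraction, that each combined counter (FA, SA, RA, SF, SFR, RF, X) also increments the single-flag counters of its constituent flags and that the combined counters do not overlap one another; the additional pktsRcvd == 0 check and the sample flows 2001 and 1035 are constructed for the example.

```python
"""Post-process the tcpFlags columns of a T2 flow file.

Added example, not part of Tranalyzer: it mirrors the tawk one-liners of the
tutorial in plain Python. It assumes the txtSink layout shown there, i.e. a
tab-separated file whose header line starts with "%dir" (split on tabs, not
on whitespace, because fields such as "Private network" contain spaces).
"""

# Order of the sub-fields of tcpCntF_S_R_P_A_U_E_C_FA_SA_RA_N_SF_SFR_RF_X.
FLAG_COUNT_NAMES = ["F", "S", "R", "P", "A", "U", "E", "C",
                    "FA", "SA", "RA", "N", "SF", "SFR", "RF", "X"]
CNT_COL = "tcpCnt" + "_".join(FLAG_COUNT_NAMES)

# Single-flag counters that each combined counter also increments.
# Assumption: T2 counts a FIN+PSH+URG packet under F, P, U and X, as the
# tutorial row 4_0_0_4_0_4_0_0_0_0_0_0_0_0_0_4 suggests; the combined
# counters are treated as mutually exclusive. N (null scan) has no parts.
COMBINED = {"FA": ("F", "A"), "SA": ("S", "A"), "RA": ("R", "A"),
            "SF": ("S", "F"), "SFR": ("S", "F", "R"), "RF": ("R", "F"),
            "X": ("F", "P", "U")}

# Standard TCP flags byte, carried in the low 8 bits of tcpFlags. The high
# byte holds T2-specific bits and is left uninterpreted here.
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

# Constructed sample flow file, reduced to the columns used below. Lookup is
# by header name, so the same functions run on the full
# ~/results/nmap_v_sT_flows.txt. Rows 1038 and 1036 copy values from the
# tutorial output; rows 2001 (a completed connection) and 1035 are made up.
_HEADER = ["%dir", "flowInd", "srcIP", "srcPort", "dstIP", "dstPort",
           "l4Proto", "pktsSnt", "pktsRcvd", "tcpFlags", CNT_COL]
_ROWS = [
    ["A", "1038", "10.20.6.125", "56864", "10.20.0.125", "41089", "6", "4", "0",
     "0x8029", "4_0_0_4_0_4_0_0_0_0_0_0_0_0_0_4"],
    ["A", "1036", "10.20.6.125", "56862", "10.20.0.125", "41089", "6", "4", "0",
     "0x0002", "0_4_0_0_0_0_0_0_0_0_0_0_0_0_0_0"],
    ["A", "2001", "10.20.6.125", "50000", "10.20.0.125", "443", "6", "10", "9",
     "0x001b", "1_1_0_3_9_0_0_0_1_0_0_0_0_0_0_0"],
    ["A", "1035", "10.20.6.125", "56907", "10.20.0.125", "41661", "17", "4", "0",
     "0x0000", "0_0_0_0_0_0_0_0_0_0_0_0_0_0_0_0"],
]
SAMPLE_FLOW_FILE = "\n".join("\t".join(r) for r in [_HEADER] + _ROWS) + "\n"


def parse_flow_file(text):
    """Return one dict per flow, keyed by the column names of the %dir header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    if header[0] != "%dir":
        raise ValueError("not a T2 flow file: header must start with %dir")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def column(row, *names):
    """First present column among aliases (T2 versions differ: pktsRcvd / numPktsRcvd)."""
    for name in names:
        if name in row:
            return row[name]
    raise KeyError(names)


def flag_counts(row):
    """Split the 16-field counter column into a name -> count dict."""
    values = [int(v) for v in row[CNT_COL].split("_")]
    if len(values) != len(FLAG_COUNT_NAMES):
        raise ValueError("expected 16 flag counters, got %d" % len(values))
    return dict(zip(FLAG_COUNT_NAMES, values))


def true_flag_counts(counts):
    """Subtract every combined counter from the single flags it contains."""
    true = dict(counts)
    for combo, parts in COMBINED.items():
        for part in parts:
            true[part] -= counts[combo]
    return true


def decode_tcp_flags(value):
    """Names of the standard flag bits set in a tcpFlags hex string."""
    bits = int(value, 16)
    return [name for bit, name in TCP_FLAG_BITS if bits & bit]


def is_unanswered_syn_scan(row):
    """tcpFlags == 0x0002 (only SYN ever seen) and nothing received back."""
    return (int(row["tcpFlags"], 16) == 0x0002
            and int(column(row, "pktsRcvd", "numPktsRcvd")) == 0)


def is_xmas_scan(row):
    """Same selection as the tawk one-liner: A[16], the X counter, is > 0."""
    return flag_counts(row)["X"] > 0


def classify(text):
    """(flowInd, label, corrected counts) for every TCP flow in the file."""
    out = []
    for row in parse_flow_file(text):
        if column(row, "l4Proto") != "6":  # non-TCP flows carry zeroed tcpFlags columns
            continue
        if is_xmas_scan(row):
            label = "xmas-scan"
        elif is_unanswered_syn_scan(row):
            label = "syn-scan-unanswered"
        else:
            label = "normal"
        out.append((row["flowInd"], label, true_flag_counts(flag_counts(row))))
    return out


if __name__ == "__main__":
    for flow_ind, label, counts in classify(SAMPLE_FLOW_FILE):
        print(flow_ind, label, {k: v for k, v in counts.items() if v})
```

Run against a real flow file by replacing SAMPLE_FLOW_FILE with the content of ~/results/nmap_v_sT_flows.txt; for flow 1038 the corrected counts leave only X=4, while the constructed completed connection 2001 keeps FA=1 and drops to A=8 and F=0, which is the subtraction the text describes.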

Conclusion

You may now reset the whole configuration of T2 to ensure that in the next tutorial all flags are properly set to default.

t2conf --reset -a

Look at the other pcaps and check out the scan alarms.

Have fun!