Tutorial: Tor

This tutorial discusses the plugin torDetector. Unlike basicFlow, it also detects Tor flows which do not use Tor address ranges and uncovers Tor obfuscation tricks.

Preparation

Before we start, we need to prepare T2. If you did not complete the previous tutorials, just follow the procedure described below.

First, I recommend resetting T2 to a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins. This is just a precaution in case some old plugins or files are still there. If you would like to keep them, copy them somewhere else first.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$

Then compile the following plugins:

$ t2build tranalyzer2 basicFlow tcpFlags torDetector txtSink
...
BUILD SUCCESSFUL

$

Note that torDetector requires tcpFlags as a dependency to detect obfuscation protocols, and the basicFlow plugin is always nice to have!

If you have not yet created separate ~/data and ~/results directories, please do so now in another terminal window; it facilitates your workflow:

$ mkdir ~/data ~/results
$

Download the sample pcap here: tor-nobridge-http-external.pcap. Now you’re all set.

torDetector

Let’s look at the plugin configuration first:

$ torDetector
$ vi src/torDetector.h

It is very simple. You can choose whether to also detect obfuscated Tor protocols, or leave that out for performance reasons or because you are not interested in them. The debug option is for development purposes, so feel free to improve the plugin. I also added a packet length magic as a last resort, in case everything is encrypted.

The supplied pcap does not use the standard Tor addresses, so its Tor traffic is undetectable for basicFlow!

Run t2 on the supplied pcap.

$ t2 -r tor-nobridge-http-external.pcap -w ~/results -s
================================================================================
Tranalyzer 0.8.11 (Anteater), Tarantula. PID: 6790
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.11
    02: tcpFlags, 0.8.11
    03: torDetector, 0.8.11
    04: txtSink, 0.8.11
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406084 (406.08 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51072 (51.07 K)
Processing file: /home/wurst/data/tor-nobridge-http-external.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1520594003.756441 sec (Fri 09 Mar 2018 11:13:23 GMT)
Dump stop : 1520594383.776386 sec (Fri 09 Mar 2018 11:19:43 GMT)
Total dump duration: 380.019945 sec (6m 20s)
Finished processing. Elapsed time: 0.234493 sec
Finished unloading flow memory. Time: 0.234635 sec
Percentage completed: 100.00%
Number of processed packets: 7025 (7.03 K)
Number of processed bytes: 7713015 (7.71 M)
Number of raw bytes: 7713015 (7.71 M)
Number of pad bytes: 960
Number of pcap bytes: 7825439 (7.83 M)
Number of IPv4 packets: 7023 (7.02 K) [99.97%]
Number of A packets: 2944 (2.94 K) [41.91%]
Number of B packets: 4081 (4.08 K) [58.09%]
Number of A bytes: 926835 (926.84 K) [12.02%]
Number of B bytes: 6786180 (6.79 M) [87.98%]
Average A packet load: 314.82
Average B packet load: 1662.87 (1.66 K)
--------------------------------------------------------------------------------
tcpFlags: Aggregated ipFlags=0x0846
tcpFlags: Aggregated tcpAnomaly=0xb803
tcpFlags: Aggregated ipToS=0xf8
torDetector: Aggregated torStat=0xb1
torDetector: Number of Tor flows: 4 [44.44%]
--------------------------------------------------------------------------------
Headers count: min: 2, max: 3, average: 3.00
Number of GRE packets: 2 [0.03%]
Number of IGMP packets: 3 [0.04%]
Number of TCP packets: 7018 (7.02 K) [99.90%]
Number of TCP bytes: 7712595 (7.71 M) [99.99%]
Number of UDP packets: 2 [0.03%]
Number of UDP bytes: 180 [0.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 9
Number of processed A flows: 6 [66.67%]
Number of processed B flows: 3 [33.33%]
Number of request     flows: 6 [66.67%]
Number of reply       flows: 3 [33.33%]
Total   A/B    flow asymmetry: 0.33
Total req/rply flow asymmetry: 0.33
Number of processed   packets/flows: 780.56
Number of processed A packets/flows: 490.67
Number of processed B packets/flows: 1360.33 (1.36 K)
Number of processed total packets/s: 18.49
Number of processed A+B   packets/s: 18.49
Number of processed A     packets/s: 7.75
Number of processed   B   packets/s: 10.74
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.02
Average full raw bandwidth: 162371 b/s (162.37 Kb/s)
Average full bandwidth : 162348 b/s (162.35 Kb/s)
Max number of flows in memory: 9 [0.00%]
Memory usage: 0.02 GB [0.03%]
Aggregated flowStat=0x0400100000004044
[WRN] Consecutive duplicate IP ID
[INF] Ethernet flows
[INF] IPv4 flows
[INF] ARP

If you look at the torStat in the end report, it clearly labels 4 flows as Tor:

$ tawk -V torStat=0xb1
The torStat column with value 0xb1 is to be interpreted as follows:

   bit | torStat | Description
   =============================================================================
     0 | 0x01    | Tor flow
     4 | 0x10    | Internal state: SYN detected
     5 | 0x20    | Internal state: obfuscation checked
     7 | 0x80    | Packet snapped, decoding failed

You will find the 4 flows in the flow file if you search for the 0x01 (Tor flow) bit in the torStat column.

$ cd ~/results
$ tawk 'bitsanyset($torStat, 0x01)' tor-nobridge-http-external_flows.txt
%dir  flowInd  flowStat            timeFirst          timeLast           duration    numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP            srcIPCC  srcIPOrg                        srcPort  dstIP            dstIPCC  dstIPOrg                        dstPort  l4Proto  tcpFStat  ipMindIPID  ipMaxdIPID  ipMinTTL  ipMaxTTL  ipTTLChg  ipToS  ipFlags  ipOptCnt  ipOptCpCl_Num    ip6OptCntHH_D  ip6OptHH_D             tcpISeqN    tcpPSeqCnt  tcpSeqSntBytes  tcpSeqFaultCnt  tcpPAckCnt  tcpFlwLssAckRcvdBytes  tcpAckFaultCnt  tcpInitWinSz  tcpAveWinSz  tcpMinWinSz  tcpMaxWinSz  tcpWinSzDwnCnt  tcpWinSzUpCnt  tcpWinSzChgDirCnt  tcpWinSzThRt  tcpFlags  tcpAnomaly  tcpOptPktCnt  tcpOptCnt  tcpOptions  tcpMSS  tcpWS  tcpMPTBF  tcpMPF  tcpMPAID  tcpMPdssF  tcpTmS      tcpTmER     tcpEcI  tcpUtm           tcpBtm             tcpSSASAATrip  tcpRTTAckTripMin  tcpRTTAckTripMax  tcpRTTAckTripAve  tcpRTTAckTripJitAve  tcpRTTSseqAA  tcpRTTAckJitAve  torStat
A     2        0x0400000000004000  1520594008.353611  1520594372.111536  363.757925  1           3        eth:ipv4:tcp  52:54:00:f8:29:c8  8c:04:ff:31:9a:3f  0x0800              192.168.150.106  07       "Private network"               33152    158.58.170.183   it       "CloudFlow Virtual Datacenter"  443      6        0x00d0    1           2           64        64        0         0x00   0x0840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2597746474  2633        623713          3               2157        6423297                6               3737600       233088       29312        3737600      420             354            575                0             0x1b      0xa801      2638          7937       0x0000013e  1460    128    0x0000    0x00    0         0x00       216463      3801765560  0.004   865.852041       1520593506.259495  0              0                 7.859543          0.08542278        0.5849248            0.013286      -1               0xb1
B     2        0x0400000000004001  1520594008.366897  1520594372.111436  363.744539  1           3        eth:ipv4:tcp  8c:04:ff:31:9a:3f  52:54:00:f8:29:c8  0x0800              158.58.170.183   it       "CloudFlow Virtual Datacenter"  443      192.168.150.106  07       "Private network"               33152    6        0x00d0    1           65535       55        55        0         0x28   0x0846   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2288126131  3748        6452065         0               772         620275                 2               3706880       185852.8     30080        3706880      38              121            65                 0             0x1b      0xb803      3750          11315      0x0000013e  1460    128    0x0000    0x00    0         0x00       3801765560  216459      0.004   15207062.962297  1505387309.149140  0.013286       3e-06             7.645392          0.05011251        0.3469249            0.1355353     0.680069         0xb1
A     1        0x0400000000004000  1520594003.756441  1520594383.776386  380.019945  1           3        eth:ipv4:tcp  52:54:00:f8:29:c8  8c:04:ff:31:9a:3f  0x0800              192.168.150.106  07       "Private network"               36832    185.21.216.198   gb       "feralhostingcom network"       9001     6        0x00d0    1           2           64        64        0         0x00   0x0840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  3481612513  297         113818          2               169         94793                  0               3737600       185855.5     29312        3737600      3               135            5                  0             0x1b      0x0001      1             5          0x0000011e  1460    128    0x0000    0x00    0         0x00       124374      0           0.004   497.496024       1520593506.260418  0              6e-05             8.861889          0.9113134         1.881575             0.024216      -1               0xb1
B     1        0x0400000000004001  1520594003.780657  1520594383.776204  379.995547  1           3        eth:ipv4:tcp  8c:04:ff:31:9a:3f  52:54:00:f8:29:c8  0x0800              185.21.216.198   gb       "feralhostingcom network"       9001     192.168.150.106  07       "Private network"               36832    6        0x00c0    1           8186        53        53        0         0x00   0x0840   0         0x00_0x00000000  0_0            0x00000000_0x00000000  2145018101  330         94792           0               184         113819                 1               134215680     262040.7     260096       134215680    2               1              1                  0             0x1b      0x0003      1             6          0x0000001e  1460    2048   0x0000    0x00    0         0x00       0           0           0       0.000000         0.000000           0.024216       0.006561          8.716528          0.3753675         1.248649             1.286681      2.258196         0xb1
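
As an added example (not part of the original tutorial or of Tranalyzer), the following Python code applies the same 0x01 selection to a flow file, decodes torStat with the bit table above, and pairs the A and B flows into connections. It assumes tab-separated txtSink output with a header line starting with `%` and that the A flow is the initiating direction; the embedded sample is constructed from a few columns of the rows above plus one made-up non-Tor flow.

```python
# Bit meanings exactly as printed by `tawk -V torStat=0xb1` in this tutorial;
# any other bit is reported as undocumented rather than guessed.
TORSTAT_BITS = {
    0x01: "Tor flow",
    0x10: "Internal state: SYN detected",
    0x20: "Internal state: obfuscation checked",
    0x80: "Packet snapped, decoding failed",
}

# Constructed sample: a few columns of the four flow rows shown above, plus
# one constructed non-Tor flow (flowInd 3, documentation addresses).
SAMPLE = "\n".join([
    "%dir\tflowInd\tsrcIP\tsrcPort\tdstIP\tdstPort\ttorStat",
    "A\t2\t192.168.150.106\t33152\t158.58.170.183\t443\t0xb1",
    "B\t2\t158.58.170.183\t443\t192.168.150.106\t33152\t0xb1",
    "A\t1\t192.168.150.106\t36832\t185.21.216.198\t9001\t0xb1",
    "B\t1\t185.21.216.198\t9001\t192.168.150.106\t36832\t0xb1",
    "A\t3\t192.0.2.10\t51000\t198.51.100.7\t443\t0x00",
]) + "\n"


def decode_torstat(value):
    """Return the description of every bit set in an 8-bit torStat value."""
    return [TORSTAT_BITS.get(1 << b, "undocumented bit 0x%02x" % (1 << b))
            for b in range(8) if value & (1 << b)]


def parse_flows(text):
    """Parse tab-separated flow rows; the last '%' line seen is the header."""
    header, rows = None, []
    for line in text.splitlines():
        if line.startswith("%"):
            header = line[1:].split("\t")
        elif line.strip() and header:
            fields = line.split("\t")
            if len(fields) == len(header):  # skip truncated rows
                rows.append(dict(zip(header, fields)))
    if header is None or "torStat" not in header:
        raise ValueError("no torStat column: was torDetector loaded?")
    return rows


def tor_connections(flows):
    """Group flows with the 0x01 bit set by flowInd into connections."""
    conns = {}
    for f in flows:
        if not int(f["torStat"], 16) & 0x01:
            continue
        c = conns.setdefault(f["flowInd"], {"flows": 0})
        c["flows"] += 1
        src = (f["srcIP"], int(f["srcPort"]))
        dst = (f["dstIP"], int(f["dstPort"]))
        # Assumption: the A flow is the initiating (client) direction.
        if f["dir"] == "A":
            c["client"], c["server"] = src, dst
        else:
            c.setdefault("client", dst)
            c.setdefault("server", src)
    return conns


if __name__ == "__main__":
    for ind, c in sorted(tor_connections(parse_flows(SAMPLE)).items()):
        print(ind, c["flows"], "flows", c["client"], "->", c["server"])
```

On the rows shown above, the 4 Tor flows reduce to 2 connections, because each flowInd contributes one A and one B flow.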

The packet mode also labels the Tor packets:

$ tawk 'bitsanyset($torStat,1)' tor-nobridge-http-external_packets.txt | tcol
%pktNo  flowInd  flowStat            time               pktIAT    flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP            srcIPCC  srcIPOrg                 srcPort  dstIP            dstIPCC  dstIPOrg                 dstPort  l4Proto  ipToS  ipID   ipIDDiff  ipFrag  ipTTL  ipHdrChkSum  ipCalChkSum  l4HdrChkSum  l4CalChkSum  ipFlags  ip6HHOptLen  ip6HHOpts  ip6DOptLen  ip6DOpts  ipOptLen  ipOpts  seq         ack         seqDiff  ackDiff  seqPktLen  ackPktLen  tcpFStat  tcpFlags  tcpAnomaly  tcpWin  tcpTmS  tcpTmER  tcpOptLen  tcpOpts  torStat  l7Content
6       1        0x0400000000004001  1520594003.808328  0.003717  0.027671      3        eth:ipv4:tcp             8c:04:ff:31:9a:3f  52:54:00:f8:29:c8  0x0800   185.21.216.198   gb       feralhostingcom network  9001     192.168.150.106  07       Private network          36832    6        0x00   8187   1         0x4000  53     0x38f0       0x38f0       0xed84       0xed84       0x0040   0                       0                     0                 2145018102  3481612696  0        0        0          182        0x0040    0x18      0x0000      262144  0       0        0                   0x11     ....9...5..IV(.Uy.q2......\nv\%....<....W.f%..0..\r.................X...T..Q..N0..J0..........Tf.....10\r.\t*.H..\r.....0$1"0 ..U....www.tw2oqiqdbk72duyls.com0..\r180216000000Z.\r190206235959Z0'1%0#..U....www.2kmnfur45oihgqzmt4fz.net0.."0\r.\t*.H..\r..........0..\n...............^....B:0.\n.....W0. x.F...\......V..#.tk...Igp..e.7.....-Qg)../...=o<\n5.7..eC.SSfC..*L.h....di.Z.[...<v.z.E.......G..B..H.....~..d..1..#...^..&...3...E6##.=p...g.. ...e.....+.......#...R....gh\n......n....=.....&...L@...I.E...\...M9{.....i.g..X.!.......0\r.\t*.H..\r.................9..}(......l8.....9..&W.S\n...\P...v....1....z....^.M\r..).>.]|d............Ar...)...7.}...K..A.HV$bK..@..H\r`...w..i..7.......M...I...A...cwE.$.s..\-N6F+;J$.t.t.XJA..3..S...c.....Xr!.7H.f........qi.........{.v...[#.-M.&....h%.E...,>...."iU.B......s..:0.gx..E.+s..&...{zTd/\..h..+CnL.................d...L........P...d.a...~......*..8.1E3VWg..C........\n....%......j\n..5.+Nt..GC....(.....*F....).-.......6.p..1..Hz..K...R...MP%.c...r....]#.[....~%.Z..y..n?4.q+@+.........
7       1        0x0400000000004000  1520594003.808495  0.027000  0.052054      3        eth:ipv4:tcp             52:54:00:f8:29:c8  8c:04:ff:31:9a:3f  0x0800   192.168.150.106  07       Private network          36832    185.21.216.198   gb       feralhostingcom network  9001     6        0x00   54586  1         0x4000  64     0x7ca6       0x7ca6       0xe909       0x2d03       0x0840   0                       0                     0                 3481612696  2145019116  182      1014     182        1014       0x00d0    0x10      0x0000      31232   124374  0        0                   0x11
8       1        0x0400000000004000  1520594003.810099  0.001604  0.053658      3        eth:ipv4:tcp             52:54:00:f8:29:c8  8c:04:ff:31:9a:3f  0x0800   192.168.150.106  07       Private network          36832    185.21.216.198   gb       feralhostingcom network  9001     6        0x00   54587  1         0x4000  64     0x7c27       0x7c27       0xe987       0xd4c6       0x0840   0                       0                     0                 3481612696  2145019116  0        0        182        1014       0x00d0    0x18      0x0000      31232   124374  0        0                   0x11     ....F...BA.../h,."........fL.'.&...U3...3.+.B..v.....n.0}+.g.!4.........dO...........(yOz..x\t>...L:....+>.Y|qWy.....2F.4...#.g
9       1        0x0400000000004001  1520594003.834059  0.025731  0.053402      3        eth:ipv4:tcp             8c:04:ff:31:9a:3f  52:54:00:f8:29:c8  0x0800   185.21.216.198   gb       feralhostingcom network  9001     192.168.150.106  07       Private network          36832    6        0x00   8188   1         0x4000  53     0x3cb2       0x3cb2       0x3542       0x3542       0x0040   0                       0                     0                 2145019116  3481612822  1014     126      1014       308        0x0040    0x18      0x0000      262144  0       0        0                   0x31     ..........(z~.h{..oT.5...........w..i..\t")....}np..
10      1        0x0400000000004000  1520594003.834719  0.024620  0.078278      3        eth:ipv4:tcp             52:54:00:f8:29:c8  8c:04:ff:31:9a:3f  0x0800   192.168.150.106  07       Private network          36832    185.21.216.198   gb       feralhostingcom network  9001     6        0x00   54588  1         0x4000  64     0x7c7c       0x7c7c       0xe931       0x0c0f       0x0840   0                       0                     0                 3481612822  2145019167  126      51       308        1065       0x00d0    0x18      0x0000      31232   124374  0        0                   0x11     ....#yOz..x\t?....%B.~......<Tv....T.....
11      1        0x0400000000004001  1520594003.859915  0.025856  0.079258      3        eth:ipv4:tcp             8c:04:ff:31:9a:3f  52:54:00:f8:29:c8  0x0800   185.21.216.198   gb       feralhostingcom network  9001     192.168.150.106  07       Private network          36832    6        0x00   8189   1         0x4000  53     0x34c7       0x34c7       0xf126       0x93b1       0x0840   0                       0                     0                 2145019167  3481612862  51       40       1065       348        0x0040    0x18      0x0000      262144  0       0        0                   0x31     .....z~.h{..p..+....p...Nzu..;@.F>.8..^]t...P...\n...1r...?..\n|..U..]...a...i_..........?.......8........tZ......V...r..[\n...{..5|..H.!.Z5H9..H..%K.z.-SX{.^....L.u.....=x2.{.Y..... 2tc.*.t...+...u.\n..#h..':.w..;mJr...S`:.B..TI.. l.O.Ug.:q....KM.PP.;.0..Ybd.!..~..!..........t..O...Z.?..\t...jA.".\nN......FKl}..E.\n.`e[.....9z.X.D..O.K..l"..U.Y.T.J\r1.6....."\.z....q...OcV..~..iah.c..B..JM.R.....XJ\R..L..$q\t,3B..f4dQ....<]8..Y.H...X......+../....('....[.)[Lm.#.yr!@l .>.t.(...*.=E..O:.[j........G.?5.*.:,...;.......MF`QB..N._w..W...q..q.?."R...np..w..Fy..k...zq..........f{E/.C.VK.j.L.>..3.F.$..3".%....'.W./Ysu.nF.O......3^.~..=...TU..8.....k.\n.,..NG.fb.s.H..O#...T9x|.,...G........Z......."..}U.D..tp..d~Hpg.gJ....C$..Xg..M#..T.....i..@...+...... ..(.3.i........=..{_.p|{../3..a8...K.\n..dW.S....J...-..F......>.2...)c....v.............:...?i?Y...-....^4=.2!R.U....?.....Y..G.n.~.O...4e.W~oG..{Q..t.S.0...<.W.......*wn..z...M...nWE..u...>...PH^.+..........yK...".L....##...@.JyJU......|s..o..F.:1v.Xb|a>5...%U3.L..j...=....3.Zn.x\rf$R...J..2..)..h=......w..~.......}...Z_.[....y.L.qJ@-QK.!...py...Hz....p...sU.@...~....H.+..6;.3..D..i3....=NX.*$l.....%.c.....=..Y...;.....G ........qRe...t.....q'..m.w.}...........}....}h*..g.....,.. .-..yL\.dz...,zd...t...LqS8...{|4X8x...X.:..pw.b....w.y.E.F...F3X\t.....;\t7.SFW....]...Y..39....i... 
......Q.......C.b9..E.......t[...Y..+.6.r.|.....F..O....OR\.p..T.j2._Z..i.....)..S..;...l.+....s..X....9h|5U.G...`...Kp.......;.YP..t .........._....=jg,'.c..<p.|dE.........B.#e....`....V...G'.)..v........$I.......:...O6...\t.....'.\.>.....n<"...7./.n................yW\rG...x94.....!...8Kp./.q..i}T.bQ;.S.......7)-?.\.\t~(?.....n.P_.......5...r2...,....R.}..(nf.>..wqe.\r.-.kr.i.ai.._.L.....Y.....q.....G..4..RS...b..}O\t}...~...Q.m.n..@.*.S.K ...../.1..|@L,...Mr.0.1...VL..s&uQ.&[.h..!..P`#.L`.9.........#(..L.dH.$....V........*q.g........g...i7.?)....Ob..].G.v.z.21dE..E.~.D.{.tj.4...c..cn...D.....C.....mDTJlu....r.Jq5.R.......8p4..8...u..W........W0[...../..L..w.....b.L.I.....B..i...C...*.?\r,.\t.JD6W.........v-MXF.]K..\r...Q$..v....=.=.}...@>.Uk~
12      1        0x0400000000004000  1520594003.860102  0.025383  0.103661      3        eth:ipv4:tcp             52:54:00:f8:29:c8  8c:04:ff:31:9a:3f  0x0800   192.168.150.106  07       Private network          36832    185.21.216.198   gb       feralhostingcom network  9001     6        0x00   54589  1         0x4000  64     0x7ca3       0x7ca3       0xe909       0x23ec       0x0840   0                       0                     0                 3481612862  2145021244  40       2077     348        3142       0x00d0    0x10      0x0000      35456   124374  0        0                   0x11
13      1        0x0400000000004000  1520594003.861555  0.001453  0.105114      3        eth:ipv4:tcp             52:54:00:f8:29:c8  8c:04:ff:31:9a:3f  0x0800   192.168.150.106  07       Private network          36832    185.21.216.198   gb       feralhostingcom network  9001     6        0x00   54590  1         0x4000  64     0x7881       0x7881       0xed2a       0xdd74       0x0840   0                       0                     0                 3481612862  2145021244  0        0        348        3142       0x00d0    0x18      0x0000      35456   124374  0        0                   0x31     .....yOz..x\t@.-....R.v...\.b3..u....L....|...N...&E.....\tX..S....8$p{|..........qT?j.DF.[1..pM....gu...j..(....g...D"*..D...k...J..Z .@...Qq.U.s..\r.Np{=..O..m&.42.o..S.[...m.N&Vyr..o...1.1..B.yd\r.~...-...;.dy....G.Psx..E...H&.\M........Wh....Sf..H..~....\t.|.=A..6.|x .u62.nN.......}c.V.X ...a.PL0.4k....D+"..[......Q..o..B.~.,..).C.vz!]`......9..=\n!M...$...X..m.......d...........H]....9r."Ns...r.k/z.u.'...p.%.lG..".8.........K.j..C_..B.u(.....bJzRWx..x........hR..}y.......d..,......:.p..E...}...l.Z...H...\rs.`...W.>~.l.....q........P...T.Ye{...H..9V"...Q..}j...x......!k!.L.y..B3|..6...h(........#........Yf..j.._l.$..a*g.6).U.B.a..e.U*.N.}K.#p.......K.QE~.....`....{$.8..#....1.p1Y$......2......L=..\n.Z.~=........k..f%c....m?aElV!..#.D<}n.`!.*......[.?.....\r..l7..uQ.T/>n.h(.L$....I.eV...*..b......D`...G..Y.....\r...p}..}.T..\tB.........z*>.RPQ.4....m0.....5x.....q.-<.n_.U.e.4...K1! ... ...d.....l........B....T.. ......'.W....A.@d6..<........./.^TI..i...>...Z.......X.ei..K._.Cb.8q.....:.Z.EB....J.\.N........{I0m.h......a.?.w(.........{......8Z.1D5..e
14      1        0x0400000000004001  1520594003.899154  0.039239  0.118497      3        eth:ipv4:tcp             8c:04:ff:31:9a:3f  52:54:00:f8:29:c8  0x0800   185.21.216.198   gb       feralhostingcom network  9001     192.168.150.106  07       Private network          36832    6        0x00   8191   2         0x4000  53     0x3ac3       0x3ac3       0x383e       0x383e       0x0040   0                       0                     0                 2145021244  3481613919  2077     1057     3142       1405       0x0040    0x18      0x0000      262144  0       0        0                   0x31     .....z~.h{..q............^...[q..5".MEJ.-.j..$.1n.(..T6..Yi}.....^...=r..x.- J.bEc....G5.U....qc,...$..5.r..Z.e.....J.w...T....(.}.`...IW'.e.&.l....|...Lgq.$Wag...?>....\taSwr..[yc......R...p._....;.].. Y.X~.....P.oZ.[..\r..hX....E~..H...#Z..\..aU.,..q....|..Zp9Zb[.....9f.j.../.=...}.@.Dp....c.~p<..0\t..y.0{'m.G...`.|S.[..~:~............$.f..k^....[..Q..|.......Xz...Ev1.\...4.8.y.=]!k.n.T,s.O$..UH.j`\.G..n.A..Q.(.#]g...?.{..l-....4.7..w.....SD..c...~2..,...>:..T.%[.j@.t..].~\n.9..=..6...$..P...~.....&X#...)........S.....Y..w....Mq.|..e...)..
...

Don’t forget to reset the plugin configuration for the next tutorial if you changed it.

$ t2conf torDetector --reset && t2build torDetector
...
$

Have fun analyzing.