% tunet and eduroam down...
ip.addr == 192.168.67.83
No. -> generated by Wireshark while monitoring
Source IP (192.168.67.83), Destination IP (192.168.67.37), Protocol (UDP), Length (82), TTL (64), Dest port (118), Flags (empty), Frag offset (0)
repeating transfers; the transfers seem separable over time via the udp.srcport attribute
filtered the traffic via Wireshark again by source port 52899
ip.addr == 192.168.67.83 and udp.srcport == 52899
re-imported into RapidMiner
DSCP + timing changes.
the DSCP value grows until 10962
then it stays fixed at DSCP 10962
some bits are broken, as the timing and my decoding are more of a hack.
a hack is a hack is a hack ... :)
rescan... new IP: 192.168.67.26
ip.src == 192.168.67.0/24 and ip.dst == 192.168.67.0/24
10min\_localnet.{pcap,csv}
look at it via RapidMiner (filter away the gateway (.1) and self (.26) as sources)
image:stream\_localnet.pdf
image:stream\_localnet\_ports.pdf
dest ports are always first 80/udp, then 443/udp, then 465/tcp, then 464/udp
always from first .83, then .82, then .81, then .84
filtered for one complete transaction
udp.port == 58493 or udp.port == 45875 or tcp.port == 40875 or udp.port == 36842
10min\_transaction.{pcap,csv}
%filtered away nfs and ssh
%!(tcp.port == 666 || tcp.port == 2049)
%look at it via rapidminer
%((ip.addr eq 192.168.67.81 or ip.addr eq 192.168.67.82 or ip.addr eq 192.168.67.83) and ip.addr eq 192.168.67.37)
%look at it again via rapidminer
%image:stream\_better.pdf
%dest ports are always first 80/udp, then 443/udp, then 465/tcp
%filtered for one complete transaction
%tcp.port == 56533 or udp.port == 50293 or udp.port == 56040
%look at it again via rapidminer
%image:stream\_cool.pdf
%%%%%%%%%%%%%%%%%%%%%%%
No. -> generated by Wireshark while monitoring
TTL (64), Frag offset (0)
does not look like a timing channel: packets arrive at almost equal intervals (10 ms spacing)
0x0018: ACK,PSH (600x)
Expected distribution of values
no high variance detected:
\item UDP Stream from 192.168.67.83:56040 to 192.168.67.37:80 %TODO fix
\item UDP Stream from 192.168.67.82:50293 to 192.168.67.37:443 %TODO fix
\item TCP Traffic between 192.168.67.81:56533 and 192.168.67.37:465 %TODO fix
\item UDP Stream from 192.168.67.84:36842 to 192.168.67.26:464
Length also does not vary very much:
\item Length 60 for Source Port 56040/udp
\item Length 60 for Source Port 52093/udp
\item Length 70 for ACK,PSH (600x), 74 for SYN (1x), 66 for ACK (1x) and 66 for FIN (1x) for Source Port 56533/tcp
\item Length 66 for ACK, 74 for SYN,ACK for Source Port 465/tcp
\item %TODO fix for sport 464
%TODO DSCP @tcp-connection is weird (incoming)
-> map IPID vs DSCP in RapidMiner
-> does every DSCP have two IPIDs? (ipid1 xor ipid2) or (ipid1 - ipid2) -> char
Unknown, because we do have two shorter transmissions before a longer transmission from different source IPs.
Later the IP address turned out to be 192.168.67.84.
Not yet. We do not know if the three transmissions are connected to each other.
Most likely it is in the DSCP field of the third transmission. (This one also has responses from the local system.)
It turned out that the 6-bit DSCP values just needed to be concatenated and then split into 8-bit chunks again.
./exercise2/parse\_stream\_data.py
"Agent South already successfully infiltrated The minister's office. In the next step, we try to acquire data from the Ministry of Cyber Affair's office network. Stay tuned, I will keep you updated on the progress. (This message was sent by agent Scott)Agent South already successfully infiltrated The minister's office. In the next step, we try to acquire data from the Ministry of Cyber Affair's office network. Stay tuned, I will keep you updated on t"
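Worked example of that decoding step, added here as illustration and not the exercise's own parse\_stream\_data.py: it assumes the DSCP values are supplied in capture order, the sender-side encoder and the sample TOS bytes are constructed only to produce input, and the non-standard-codepoint check goes beyond the notes as a simple detection heuristic for this kind of channel.

```python
"""Decoder for the DSCP covert channel found above: each packet's 6-bit DSCP
value carries 6 payload bits; concatenate them in capture order and re-split
into 8-bit chunks to recover the bytes."""

# Standard DiffServ codepoints (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF).
STANDARD_DSCP = {0, 8, 16, 24, 32, 40, 48, 56,
                 10, 12, 14, 18, 20, 22, 26, 28, 30, 34, 36, 38, 46}

def dscp_of(tos_byte: int) -> int:
    """DSCP is the upper 6 bits of the IPv4 TOS/DS byte; the low 2 bits are ECN."""
    return (tos_byte >> 2) & 0x3F

def decode_dscp_stream(dscp_values) -> bytes:
    """Concatenate 6-bit DSCP values and regroup into bytes (trailing pad bits dropped)."""
    bits = "".join(f"{v & 0x3F:06b}" for v in dscp_values)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

def encode_dscp_stream(payload: bytes) -> list:
    """Constructed sender side (not from the exercise), used only to build sample input."""
    bits = "".join(f"{b:08b}" for b in payload)
    bits += "0" * (-len(bits) % 6)          # pad to a multiple of 6
    return [int(bits[i:i + 6], 2) for i in range(0, len(bits), 6)]

def nonstandard_dscp_fraction(dscp_values) -> float:
    """Detection heuristic: share of packets whose DSCP is not a standard codepoint.
    A flow that uses many non-standard codepoints is worth a closer look."""
    values = list(dscp_values)
    if not values:
        return 0.0
    return sum(v not in STANDARD_DSCP for v in values) / len(values)

# Constructed sample: TOS bytes as they would appear in a capture of such a sender.
SAMPLE_TOS = [d << 2 for d in encode_dscp_stream(b"Agent South")]

if __name__ == "__main__":
    dscps = [dscp_of(t) for t in SAMPLE_TOS]
    print(decode_dscp_stream(dscps))           # b'Agent South'
    print(nonstandard_dscp_fraction(dscps))
```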
We had a Wireshark configuration issue: we had mistakenly configured it to show the IPID as the DSCP field and missed the (correct) DSCP field completely.