redo traffic capture

[pub/jan/netsec2.git] / exercise1.tex

% tunet und eduroam down...

\section{Rep:1.a}
Own IP: 192.168.67.37

\section{Rep:1.b}
192.168.67.83

\section{Rep:1.c}
ip.addr == 192.168.67.83

\section{Rep:1.d}
Unusable features:
No. -> generated while monitoring
fixed values:
Source IP (192.168.67.83), Destination IP (192.168.67.37), Protocol (UDP), Length (82), TTL (64), Dest port (118), Flags (empty), Frag offset (0)


\section{Rep:1.e}


repeating transfers, transfers seem separable over time via the udp.srcport attribute

filtered traffic via wireshark again by source port 51899

reexported to csv

reimported to rapidminer

\section{Rep:1.f}
dscp + timing changes.

the DSCP value grows until 10962
grows until time 6.55
then it's fixed on DSCP 10962

\section{Rep:1.g}
Dest port == 118

\section{Rep:1.h}
siehe bladecode.py

\section{Rep:1.i}
some bits are broken, as the timing and my decodes is more a hack.

a hack is a hack is a hack ... :)



\section{Rep:1.j}
rescan... new ip: 192.168.67.26
10min.{pcap,csv}

filtered localnet
ip.src == 192.168.67.0/24 and ip.dst == 192.168.67.0/24

10min\_localnet.{pcap,csv}

look at it via rapidminer (filter away gateway (.1) and self (.26) as sources)
image:stream\_localnet.pdf

image:stream\_localnet\_ports.pdf
dest ports are always first 80/udp, then 443/udp, then 465/tcp, then 464/udp
always from first .83, then .82, then .81, then .84


%%%%%%%%%%%%%%%%%%%%%

%filtered away nfs and ssh
%!(tcp.port == 666 || tcp.port == 2049)
%asdf.{pcap,csv}

%look at it via rapidminer
%image:stream2.pdf

%((ip.addr eq 192.168.67.81 or ip.addr eq 192.168.67.82 or ip.addr eq 192.168.67.83) and ip.addr eq 192.168.67.37)
%better.{pcap,csv}

%look at it again via rapidminer
%image:stream\_better.pdf

%dest ports are always first 80/udp, then 443/udp, then 465/tcp

%filtered for one complete transaction
%tcp.port == 56533 or udp.port == 50293 or udp.port == 56040
%cool.{pcap,csv}

%look at it again via rapidminer
%image:stream\_cool.pdf

%%%%%%%%%%%%%%%%%%%%%%%

\section{Rep:1.k}
Unusable features:
No. -> generated while monitoring
fixed values:
TTL (64), Frag offset (0)

Time:
does not look like timing, packets arrive in almost equal distances (10ms sequence)

Flags:
0x0002: SYN (1x)
0x0012: SYN,ACK (1x)
0x0010: ACK (602x)
0x0018: ACK,PSH (600x)
0x0011: ACK,FIN (2x)

Expected distribution of values

\section{Rep:1.l}
not a high variance detected:
\begin{itemize}
\item UDP Stream from 192.168.67.83:56040 to 192.168.67.37:80 %TODO fix
\item UDP Stream from 192.168.67.82:50293 to 192.168.67.37:443 %TODO fix
\item TCP Traffic between 192.168.67.81:56533 to 192.168.67.37:465 %TODO fix
\imte UDP Stream from 192.168.67.84:36842 to 192.168.67.26:464
\end{itemize}

Length also does not vary very much:
\begin{itemize}
\item Length 60 for Source Port 56040/udp
\item Length 60 for Source Port 52093/udp
\item Length 70 for ACK,PSH (600x), 74 for SYN (1x), 66 for ACK (1x) and 66 for FIN (1x) for Source Port 56533/tcp
\item Length 66 for ACK, 74 for SYN,ACK for Source Port 465/tcp
\item %TODO fix for sport 464
\end{itemize}

%TODO DSCP is weird

\section{Rep:1.m}
Unknown, because we do have two shorter transmissions before a longer transmission from different source ips

\section{Rep:1.n}
Not yet. We do not know if the three transmissions are connected to each other

Most likely it is in the DSCP field of the third transmission. (This also has responses from the local system)

\section{Rep:1.o}