"In early March 2003, the Azusa Pacific University Honeynet Project deployed an unpatched Windows 2000 honeypot having a null (blank) administrative password. During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a successful attack, the honeypot was joined to a large botnet. During operation of the honeypot, a total of 15,164 distinct hosts were seen entering the botnet. The challenge is based on logs from five days of honeypot operation, collected using Snort. The logs have been edited to remove irrelevant traffic and combined into a single file. Also, IP addresses and certain other information have been obfuscated so that the identity of the honeynet is not readily apparent. Your mission is to analyze the log file in order to answer the questions below. Be sure you review the submission rules at the SotM challenge page before submitting your results."
This document presents the judging team's write-up of the challenge. Like the reports submitted by the community, this report was prepared under significant time constraints. Although its authors exercised care in its preparation, it likely contains significant errors and omissions. Consequently, its authors disclaim responsibility for the reliability of any information contained herein.
In considering how to organize and present their report, the authors decided to focus their efforts on explaining how they analyzed the data rather than on the conclusions they drew. Several reports submitted by the community provide very clear and comprehensive descriptions of the attacks recorded in the honeypot's logs. The authors hope that beginning analysts will find this approach instructive and helpful. The authors also hope to stimulate discussion among more experienced analysts concerning tools and methods of analysis.
One of the central problems confronting the security analyst is lack of time in which to thoroughly investigate every potential attack. This challenge, which was based on five days of observation that saw dozens of attacks, was difficult—perhaps impossible—to thoroughly analyze in the time available. In that respect, it reflected the situation faced daily by security analysts. The authors, who are not professional security analysts, used a variety of techniques and heuristics intended to make the best use of time available for analysis. The authors are eager to learn more and better techniques for maximizing the effectiveness of security analysts operating in time-constrained situations and invite ongoing discussion of this issue on the honeypots email list and other forums.
```
$ wget http://www.honeynet.org/misc/files/sotm27.gz
--20:51:11--  http://www.honeynet.org/misc/files/sotm27.gz
           => `sotm27.gz'
Resolving www.honeynet.org... done.
Connecting to www.honeynet.org[63.107.222.112]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12,914,607 [application/x-gzip]

100%[=======================================================>] 12,914,607   146.21K/s    ETA 00:00

20:52:38 (146.21 KB/s) - `sotm27.gz' saved [12914607/12914607]

$ echo 'b4bfc10fa8346d89058a2e9507cfd9b9  sotm27.gz' > sotm27.gz.md5; md5sum -c sotm27.gz.md5
sotm27.gz: OK
```
```
$ gunzip sotm27.gz
$ ls -l
total 17792
-rw-r--r--    1 root     root     18119637 Mar 22 14:24 sotm27
-rw-r--r--    1 root     root           44 Apr 29 20:59 sotm27.gz.md5
```
```
$ file sotm27
sotm27: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)
```
```
$ mkdir tcpflow
$ cd tcpflow
$ tcpflow -r ../sotm27
$ ls | wc -l
1164
$ ls -l *06667*
-rw-r--r--    1 root     root          282 Apr 30 00:05 063.241.174.144.06667-172.016.134.191.01133
-rw-r--r--    1 root     root           55 Apr 30 00:05 172.016.134.191.01133-063.241.174.144.06667
-rw-r--r--    1 root     root           61 Apr 30 00:05 172.016.134.191.01139-217.199.175.010.06667
-rw-r--r--    1 root     root         1046 Apr 30 00:05 172.016.134.191.01152-209.196.044.172.06667
-rw-r--r--    1 root     root      1082018 Apr 30 00:05 209.196.044.172.06667-172.016.134.191.01152
-rw-r--r--    1 root     root          249 Apr 30 00:05 217.199.175.010.06667-172.016.134.191.01139
```
```
$ argus -X -r sotm27 -w sotm27.argus
$ ra -A -c -n -r sotm27.argus > sotm27-argus.txt
$ cat sotm27-argus.txt | grep 6667 | tail   # Grab the last few IRC transactions to illustrate the format.
# Format: time proto srchost dir dsthost pktsin pktsout bytesin bytesout status
06 Mar 03 00:18:39 tcp 172.16.134.191.1152 -> 209.196.44.172.6667 38 39 0 2630 EST
06 Mar 03 00:19:39 tcp 172.16.134.191.1152 -> 209.196.44.172.6667 41 40 0 2956 EST
06 Mar 03 00:20:41 tcp 172.16.134.191.1152 -> 209.196.44.172.6667 47 46 0 3145 EST
06 Mar 03 00:21:42 tcp 172.16.134.191.1152 -> 209.196.44.172.6667 42 44 19 3062 EST
06 Mar 03 00:22:43 tcp 172.16.134.191.1152 -> 209.196.44.172.6667 31 34 0 2347 EST
06 Mar 03 00:23:44 tcp 172.16.134.191.1152 -> 209.196.44.172.6667 35 35 0 2480 EST
06 Mar 03 00:24:44 tcp 172.16.134.191.1152 -> 209.196.44.172.6667 44 47 0 3604 EST
06 Mar 03 00:25:45 tcp 172.16.134.191.1152 -> 209.196.44.172.6667 35 35 19 2305 EST
06 Mar 03 00:26:47 tcp 172.16.134.191.1152 -> 209.196.44.172.6667 43 45 0 3388 EST
06 Mar 03 00:27:47 tcp 172.16.134.191.1152 -> 209.196.44.172.6667 5 5 0 335 EST
```
"The PASS command is used to set a 'connection password.' The optional password can and MUST be set before any attempt to register the connection is made. Currently this requires that user send a PASS command before sending the NICK/USER combination."

After a client is registered to an IRC server, a JOIN command is generally issued in order to join a channel. In addition to a parameter specifying the channel to be joined, the JOIN command can optionally include a channel key. A channel key is used as a password, restricting access to a channel to only those users possessing it.
```
$ tcpdump -i eth0 -w binary.log
$ snort -b -L binary.log
```
```
$ tcpdump -r binary.log
$ snort -r binary.log
```
```
$ grep '\.6667' sotm27-argus.txt |                 # Grab only transactions which involve port 6667
    sed "s/.*->[ ]*//g" |                          # Get rid of the first part of the line
    sed "s/.6667.*$//g" |                          # Get rid of the last part of the line, leaving only the IP
    sort -t. -u -k1,1n -k2,2n -k3,3n -k4,4n        # Sort it, and provide only unique IPs
63.241.174.144
66.33.65.58
209.126.161.29
209.196.44.172
217.199.175.10
```
```
$ ls -l *06667*
-rw-r--r--    1 bmccarty bmccarty      282 Apr 30 20:06 063.241.174.144.06667-172.016.134.191.01133
-rw-r--r--    1 bmccarty bmccarty       55 Apr 30 20:06 172.016.134.191.01133-063.241.174.144.06667
-rw-r--r--    1 bmccarty bmccarty       61 Apr 30 20:06 172.016.134.191.01139-217.199.175.010.06667
-rw-r--r--    1 bmccarty bmccarty     1046 Apr 30 20:06 172.016.134.191.01152-209.196.044.172.06667
-rw-r--r--    1 bmccarty bmccarty  1082018 Apr 30 20:06 209.196.044.172.06667-172.016.134.191.01152
-rw-r--r--    1 bmccarty bmccarty      249 Apr 30 20:06 217.199.175.010.06667-172.016.134.191.01139
```
```
$ less 063.241.174.144.06667-172.016.134.191.01133
NOTICE AUTH :*** Looking up your hostname...
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** No Ident response
NOTICE AUTH :*** Found your hostname
:irc4.aol.com 433 * eohisou :Nickname is already in use.
ERROR :Closing Link: [eohisou@255.255.255.255] (Connection Timed Out)
```
When the compromised honeypot joined the botnet, the IRC server reported 4,752 users online among the four servers in the IRC network. However, this count of users could include legitimate non-bot users. Moreover, a single host having multiple connections to the server would be multiply counted.
Finally, the output of the NAMES command issued when the honeypot joined the channel indicates that 3,457 distinct nicknames were present in the botnet channel at that time. However, at other times, more or fewer nicknames may have been present. The question asks how many hosts accessed the botnet during the observation period. So, this count isn't as appropriate an answer to the question as the first count. Nevertheless, this count better reflects the known DDoS capacity of the botnet at a particular moment in time than either of the other two counts.
Here's how these counts were obtained. First, a count of distinct hosts on the botnet, as identified by hostname or IP address:
```
$ ls -l 209.196.044.172.06667-172.016.134.191.01152
-rw-r--r--    1 root     root      1082018 Apr 30 00:05 209.196.044.172.06667-172.016.134.191.01152
$ grep -e 'JOIN' 209.196.044.172.06667-172.016.134.191.01152 \
    | sed -e 's/^[^@]*@//' \
    | sed -e 's/ .*//' \
    | sort -fu > hosts ; wc -l hosts
4793 hosts
$ grep -e 'QUIT' 209.196.044.172.06667-172.016.134.191.01152 \
    | sed -e 's/^[^@]*@//' \
    | sed -e 's/ .*//' \
    | sort -fu > hosts ; wc -l hosts
4922 hosts
$ grep -e 'JOIN\|QUIT' 209.196.044.172.06667-172.016.134.191.01152 \
    | sed -e 's/^[^@]*@//' \
    | sed -e 's/ .*//' \
    | sort -fu > hosts ; wc -l hosts
5580 hosts
```
```
$ grep "^[^ ]* 2[0-9][0-9]" 209.196.044.172.06667-172.016.134.191.01152
:irc5.aol.com 251 rgdiuggac :There are 0 users and 4752 invisible on 4 servers
:irc5.aol.com 252 rgdiuggac 1 :IRC Operators online
:irc5.aol.com 254 rgdiuggac 4 :channels formed
:irc5.aol.com 255 rgdiuggac :I have 346 clients and 1 servers
:irc5.aol.com 265 rgdiuggac :Current local users: 346  Max: 348
:irc5.aol.com 266 rgdiuggac :Current global users: 4752  Max: 4765
:irc5.aol.com 250 rgdiuggac :Highest connection count: 349 (348 clients) (378 since server was (re)started)
```
```
$ cat 209.196.044.172.06667-172.016.134.191.01152 |
    grep "^:irc5.aol.com 353" |                              # Grab the NAMES output lines
    sed "s/^:irc5.aol.com 353 rgdiuggac @ #x[^x]*x ://g" |   # Get rid of the prefix
    tr ' ' '\n' |                                            # Translate spaces to newlines
    tr -d "\15" |                                            # Get rid of a rogue carriage return
    grep -v "^$" |                                           # Get rid of blank lines
    sort -u |                                                # Sort and remove duplicates (for fun)
    wc -l                                                    # Get the linecount
3457
```
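The three counts above (hosts from JOIN/QUIT hostmasks, global users from the 251 numeric, nicknames from the 353 NAMES replies) can be derived in a single pass over the server-to-client stream. The following is an added example, not code from the original write-up; the sample stream, nicks and hosts are constructed placeholders, and it additionally strips the @ (op) and + (voice) prefixes from NAMES entries before counting.

```python
"""Derive the three botnet-size counts from a captured IRC server stream."""
import re
from typing import Dict, Optional, Set

# Constructed sample, CRLF-terminated like real IRC traffic. The second
# 353 line carries a stray CR before the newline, as the capture did.
SAMPLE_STREAM = (
    b":irc5.aol.com 251 rgdiuggac :There are 0 users and 4752 invisible on 4 servers\r\n"
    b":irc5.aol.com 266 rgdiuggac :Current global users: 4752 Max: 4765\r\n"
    b":irc5.aol.com 353 rgdiuggac @ #xchanx :rgdiuggac @opnick +voicenick bot1\r\n"
    b":irc5.aol.com 353 rgdiuggac @ #xchanx :bot2 bot1 \r\r\n"
    b":bot7!user@host-a.example JOIN :#xchanx\r\n"
    b":bot8!user@HOST-A.example JOIN :#xchanx\r\n"
    b":bot9!user@10.0.0.5 QUIT :Ping timeout\r\n"
    b":bot7!user@host-a.example QUIT :Read error\r\n"
)

# ":nick!user@host JOIN ..." / ":nick!user@host QUIT ..." -> capture the host
HOSTMASK_RE = re.compile(r"^:[^!\s]+![^@\s]+@(\S+)\s+(JOIN|QUIT)\b")
# 251 numeric: "There are N users and M invisible on K servers"
GLOBAL_RE = re.compile(r"(\d+) users and (\d+) invisible on (\d+) servers")

def count_botnet(stream: bytes) -> Dict[str, Optional[int]]:
    join_hosts: Set[str] = set()
    quit_hosts: Set[str] = set()
    nicks: Set[str] = set()
    global_users: Optional[int] = None
    servers: Optional[int] = None
    for raw in stream.split(b"\n"):
        line = raw.decode("latin-1").rstrip("\r")   # drop CR(s), as tr -d "\15" did
        if not line:
            continue
        m = HOSTMASK_RE.match(line)
        if m:
            host = m.group(1).lower()                # fold case, like sort -fu
            (join_hosts if m.group(2) == "JOIN" else quit_hosts).add(host)
            continue
        fields = line.split(" ", 3)
        numeric = fields[1] if len(fields) > 1 else ""
        if numeric == "251":
            g = GLOBAL_RE.search(line)
            if g:
                global_users = int(g.group(1)) + int(g.group(2))
                servers = int(g.group(3))
        elif numeric == "353":
            # the trailing parameter after " :" is the space-separated nick list;
            # strip the @ (op) and + (voice) status prefixes before counting
            names = line.split(" :", 1)[1] if " :" in line else ""
            nicks.update(n.lstrip("@+") for n in names.split())
    return {
        "join_hosts": len(join_hosts),
        "quit_hosts": len(quit_hosts),
        "hosts": len(join_hosts | quit_hosts),
        "global_users": global_users,
        "servers": servers,
        "nicks": len(nicks),
    }
```

Feed it the whole tcpflow file (`count_botnet(open(path, "rb").read())`) to reproduce the JOIN-only, QUIT-only and combined host counts alongside the user and nickname totals.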
```
$ ra -A -c -n -r sotm27.argus \
    | grep -v man \
    | awk '{printf("%-21s\n%-21s\n",$6,$8)}' \
    | grep -v 172.16.134.191 \
    | sed -e 's/\.[0-9]* *$//' \
    | sort -t. -u -k1,1n -k2,2n -k3,3n -k4,4n > sotm27-ips.txt
```

The output from this command, which includes 171 IP addresses, is available here.
```
$ ra -A -c -n -r sotm27.argus - \
    | grep '\->.*172.16.134.191' \
    | awk '{bytes=$11+$12; if ($5!="man" && bytes>0) print $0; }' \
    > sotm27-attacks.txt
```

The output from the command is available here.
```
$ awk '{printf("%3s %-21s\n",$5,$8)}' sotm27-attacks.txt \
    | sort -u
```
Port | Associated Protocol |
---|---|
tcp/80 | HTTP |
tcp/139 | CIFS |
tcp/445 | CIFS |
tcp/4899 | Unknown |
udp/137 | NetBIOS |
udp/1434 | SQL Server |
udp/28431 | Unknown |
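The grep/awk filtering that produced the table above (inbound to the honeypot, no argus management records, at least one payload byte) can be done in one pass that also keeps the attacking sources per port. This is an added example, not from the write-up; the records are constructed in the ra column layout shown earlier (time proto src dir dst srcpkts dstpkts srcbytes dstbytes state) and the 10.x sources are invented.

```python
"""Summarise inbound attack candidates from argus `ra -A -c -n` records."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

HONEYPOT = "172.16.134.191"

# Constructed sample records; the 10.x sources and their counters are invented.
SAMPLE_RA = """\
06 Mar 03 00:18:39 tcp 172.16.134.191.1152 -> 209.196.44.172.6667 38 39 0 2630 EST
06 Mar 03 01:02:11 tcp 10.1.2.3.3306 -> 172.16.134.191.80 5 4 412 0 FIN
06 Mar 03 01:02:15 tcp 10.1.2.3.3307 -> 172.16.134.191.445 3 2 0 0 RST
06 Mar 03 01:03:00 udp 10.9.8.7.1029 -> 172.16.134.191.1434 1 0 376 0 INT
06 Mar 03 01:04:00 man 172.16.134.191.0 -> 172.16.134.191.0 0 0 0 0 STA
06 Mar 03 01:05:30 tcp 10.4.4.4.4040 -> 172.16.134.191.80 7 6 950 0 FIN
"""

Record = Tuple[str, str, int, str, int, int]   # proto, src_ip, sport, dst_ip, dport, bytes

def parse_ra_line(line: str) -> Optional[Record]:
    """Split one ra record; return None for lines that do not fit the layout."""
    f = line.split()
    if len(f) < 13 or "->" not in f[6]:
        return None
    src_ip, src_port = f[5].rsplit(".", 1)      # host.port -> (host, port)
    dst_ip, dst_port = f[7].rsplit(".", 1)
    total_bytes = int(f[10]) + int(f[11])       # srcbytes + dstbytes, as $11+$12 in awk
    return f[4], src_ip, int(src_port), dst_ip, int(dst_port), total_bytes

def inbound_attack_summary(text: str, honeypot: str = HONEYPOT) -> Dict[Tuple[str, int], List[str]]:
    """Map (proto, dst_port) -> sorted source IPs for inbound flows that carried data."""
    by_port: Dict[Tuple[str, int], set] = defaultdict(set)
    for line in text.splitlines():
        rec = parse_ra_line(line)
        if rec is None:
            continue
        proto, src_ip, _sport, dst_ip, dst_port, total_bytes = rec
        if proto == "man" or dst_ip != honeypot or total_bytes == 0:
            continue                                # same exclusions as the awk filter
        by_port[(proto, dst_port)].add(src_ip)
    return {key: sorted(ips) for key, ips in sorted(by_port.items())}
```

Running it over sotm27-argus.txt instead of the sample gives the port table above together with the source list behind each port, which is the starting point for the per-port sections that follow.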
Attack on udp/1434
```
$ ra -A -c -n -r sotm27.argus - udp and port 1434 > sotm27-udp1434.txt
```

The output from the command is available here.
```
$ snort -devp -r sotm27 udp and port 1434 \
    | sort \
    | sed -e 's/^[0-9][0-9]\/[0-9][0-9]-[0-9][0-9].*//' \
    | sed -e 's/[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*:[0-9]* ->.*//' \
    | sed -e 's/^=+.*//' \
    | uniq -c \
    | sort -nr > sotm27-slammer.txt
```

The output from the command is available here.
Attack on udp/28431
```
$ ra -A -c -n -r sotm27.argus - udp and port 28431 \
    > sotm27-hackatack.txt
```

The output from the command is available here.
Attack on udp/137
```
$ tethereal -Vx -r sotm27 udp and udp.port == 137 > sotm27-udp137.txt
```

The output from the command is available here.
```
$ grep Flags: sotm27-udp137.txt | sort | uniq -ci
    129     Flags: 0x00
     65     Flags: 0x0010 (Name query)
     64     Flags: 0x8400 (Name query response, No error)
```
```
$ grep Name: sotm27-udp137.txt | sort | uniq -ci
     64     Name: *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
     65     Name: *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00> (Workstation/Redirector)
     64     Name: <01><02>__MSBROWSE__<02><01> (Browser)
     28     Name: ADMINISTRATOR<03> (Messenger service/Main name)
     40     Name: INet~Services<1c> (Domain Controllers)
     40     Name: IS~PC0191<00><00><00><00><00><00><00> (Workstation/Redirector)
     24     Name: IWAM_PC0191<03> (Messenger service/Main name)
     64     Name: PC0191<00> (Workstation/Redirector)
     64     Name: PC0191<03> (Messenger service/Main name)
     64     Name: PC0191<20> (Server service)
     64     Name: SBM<00> (Workstation/Redirector)
     64     Name: SBM<1d> (Local Master Browser)
     64     Name: SBM<1e> (Browser Election Service)
```
```
$ gcc -I/usr/include/pcap -o udpsniff udpsniff.c -lpcap
$ ./udpsniff sotm27 'udp and port 137 and dst host 172.16.134.191' > sotm27-udpsniff.txt
```

The output from the command is available here.
```
$ cut -f 2 -d ' ' test | sort | uniq -ci | sort -n
```

The output from the command is available here.
```
$ ra -A -c -n -r sotm27.argus - udp and dst port 137 > sotm27-udp137-ra.txt
```

The output from the command is available here.
Attack on tcp/139
```
$ ra -A -c -n -r sotm27.argus - tcp and port 139 | awk '{if ($11>0) print $0}' > sotm27-tcp139.txt
```

The output from the command is available here.
```
$ tethereal -Vx -r sotm27 tcp and tcp.port == 139 > sotm27-tcp139-details.txt
```

The output from the command is available here.
```
$ cd tcpflow/tcp139
$ md5sum *-172.016.134.191* > md5sum.txt
$ cut -f 1 -d ' ' md5sum.txt | sort | uniq -c
     21 02bbacdad7786a5de951a4f46416bcf2
     11 291ad8657f45a25942ba086a186a0e8c
      1 58f59ff84bb6eb10c38ea3ebe47d47fc
      1 7b15f30f5fd59c4a2ef3a12f430adfa7
      8 8a4ad4d4f3e4744e4fbfe9dcd79ab2b8
     11 d6bcefb3b55db1126b2fc413e0cc649f
      1 f01d05bbb249ec73f0d5ee1d20904efa
```
```
02bbacdad7786a5de951a4f46416bcf2  004.064.221.042.33220-172.016.134.191.00139
291ad8657f45a25942ba086a186a0e8c  061.177.154.228.01514-172.016.134.191.00139
58f59ff84bb6eb10c38ea3ebe47d47fc  210.022.204.101.02832-172.016.134.191.00139
7b15f30f5fd59c4a2ef3a12f430adfa7  024.197.194.106.02015-172.016.134.191.00139
8a4ad4d4f3e4744e4fbfe9dcd79ab2b8  024.161.196.103.64773-172.016.134.191.00139
d6bcefb3b55db1126b2fc413e0cc649f  062.201.096.159.62958-172.016.134.191.00139
f01d05bbb249ec73f0d5ee1d20904efa  216.170.214.226.04708-172.016.134.191.00139
```
```
$ tethereal -n -Vx -r sotm27 'ip.addr == 4.64.221.42 and tcp and tcp.port == 139' > sotm27-tcp139-example.txt
```
```
$ grep Path: sotm27-tcp139-details.txt | sort | uniq -ci
     51     Path: \\PC0191\C
      2     Path: \\PC0191\IPC$
```
Attack on tcp/80
```
$ ra -A -c -n -r sotm27.argus - tcp and dst host 172.16.134.191 and dst port 80 > sotm27-tcp80.txt
```

The output from the command is available here.
```
$ awk '{if ($11>=100) printf("%-21s %5d %5d\n",$6,$11,$12)}' sotm27-tcp80.txt > sotm27-tcp80-summary.txt
```

The output from the command is available here.
IP Address |
---|
68.169.174.108 |
210.22.204.101 |
218.25.147.83 |
```
$ more 068.169.174.108.*
::::::::::::::
068.169.174.108.16378-172.016.134.191.00080
::::::::::::::
GET / HTTP/1.1
Host: 172.16.134.191
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20021216
Accept: application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us, en;q=0.50
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive

GET /pagerror.gif HTTP/1.1
Host: 172.16.134.191
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20021216
Accept: application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us, en;q=0.50
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Referer: http://172.16.134.191/
Cookie: ASPSESSIONIDQQQQGSDY=GJEPJAHAEEJPFKPODHGPPBOP

::::::::::::::
068.169.174.108.26956-172.016.134.191.00080
::::::::::::::
GET / HTTP/1.1
Host: 172.16.134.191
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20021216
Accept: application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us, en;q=0.50
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Cookie: ASPSESSIONIDQQQQGSDY=GJEPJAHAEEJPFKPODHGPPBOP
Cache-Control: max-age=0

GET /pagerror.gif HTTP/1.1
Host: 172.16.134.191
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20021216
Accept: application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us, en;q=0.50
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Referer: http://172.16.134.191/
Cookie: ASPSESSIONIDQQQQGSDY=GJEPJAHAEEJPFKPODHGPPBOP
If-Modified-Since: Thu, 03 Jun 1999 23:13:40 GMT
If-None-Match: "0aa41b716aebe1:8e3"
Cache-Control: max-age=0
```
```
$ strings 210.022.204.101.0* | more
GET /NULL.IDA?CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%u0aeb%ub890%ubcaf%u77e3%u0000%u0000%u838b%u0094%u0000%u408b
%u0564%u0150%u0000%ue0ff%u9090=x& r p Z!ffffZ q PnHek7 &cmd.exe$ HTTP/1.1
Host: 172.16.134.191:80

GET / HTTP/1.0
```
```
$ strings 218.025.147.083.03634-172.016.134.191.00080
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN[More 'N's here were trimmed] HTTP/1.0
8%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Content-type: text/xml
HOST:www.worm.com
Accept: */*
Content-length: 3569
:KERN
EL32
GetP
rocA
CKCK CKCK CKCK CKCK CKCK CKCK
:LMTHu
CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK CKCK
UWSVPj<
X^[_]
uK
```
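The two malicious flows above differ from the ordinary browser traffic of 68.169.174.108 in two traits that are easy to check mechanically: an ISAPI .ida/.idq target, a long run of a single filler character in the query string, and a series of %uXXXX escapes. The classifier below is an added example, not part of the original analysis; its request lines are constructed and far shorter than the captured ones, and the run length and escape-count thresholds are assumptions rather than signatures taken from the write-up.

```python
"""Flag ISAPI .ida/.idq overflow requests among captured HTTP request lines."""
import re
from typing import Dict, List

REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (.*) HTTP/(\d\.\d)\s*$", re.S)
UNICODE_ESC_RE = re.compile(r"%u[0-9a-fA-F]{4}")
FILLER_RUN_RE = re.compile(r"(.)\1{63,}")      # 64+ repeats of one character (assumed threshold)
MIN_ESCAPES = 4                                 # assumed threshold

def classify_request(request_line: str) -> Dict[str, object]:
    """Verdict for one request line: benign, ida_request, ida_overflow or malformed."""
    m = REQUEST_LINE_RE.match(request_line)
    if not m:
        return {"verdict": "malformed"}
    target = m.group(2)                          # may contain raw bytes/spaces, as NULL.IDA did
    path, _, query = target.partition("?")
    last_segment = path.rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
    run = FILLER_RUN_RE.search(query)
    escapes = len(UNICODE_ESC_RE.findall(query))
    if ext in ("ida", "idq"):
        if run or escapes >= MIN_ESCAPES:
            return {"verdict": "ida_overflow", "path": path,
                    "filler": run.group(1) if run else None, "escapes": escapes}
        return {"verdict": "ida_request", "path": path}
    return {"verdict": "benign", "path": path}

# Constructed request lines modelled on the three web sources above.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1",
    "GET /pagerror.gif HTTP/1.1",
    "GET /default.ida?" + "N" * 120 + "%u9090%u6858%ucbd3%u7801=a HTTP/1.0",
    "GET /NULL.IDA?" + "C" * 120 + "%u0aeb%ub890%ubcaf%u77e3=x& q &cmd.exe$ HTTP/1.1",
    "GET /query.idq?CiRestriction=printers HTTP/1.1",
    "GET /images/banner.png?v=3 HTTP/1.0",
]

def scan(lines: List[str]) -> List[str]:
    """Return the verdict for each request line, in order."""
    return [str(classify_request(line)["verdict"]) for line in lines]
```

Applied to the request lines extracted from the inbound tcpflow files, this separates the Code Red-style probes from the rest without having to read each flow by hand.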
```
$ mkdir inbound outbound
$ mv *-172.016.134.191.00080 inbound/
$ mv 172.016.134.191.00080-* inbound/
$ mv *172* outbound/
$ cd inbound
$ mkdir client server
$ mv *-172* client
$ mv *172* server
$ cd server
$ file *
172.016.134.191.00080-068.169.174.108.16378: data
172.016.134.191.00080-068.169.174.108.26956: ASCII English text, with CRLF line terminators
172.016.134.191.00080-210.022.204.101.01565: ASCII English text, with CRLF line terminators
172.016.134.191.00080-213.023.049.158.01445: ASCII text, with CRLF line terminators
$ strings * | less
[output omitted]
```
Attack on tcp/445
```
$ ra -A -c -n -r sotm27.argus - tcp and dst port 445 > sotm27-tcp445.txt
```

The output from the command is available here.
```
$ for i in 129.116.182.239 195.36.247.77 209.45.125.69 210.22.204.101 61.111.101.78 \
           66.139.10.15 66.8.163.125 80.181.116.202 ; do \
    tethereal -Vx -r sotm27 tcp and tcp.port==445 and ip.addr==$i > sotm27-tcp445-$i.txt ; done
```
```
$ grep -A 100 '\(Path:\|Share:\|File Name:\)' sotm27-tcp445-[0-9]*.txt \
    | grep '\(Path:\|Share:\|File Name:\|Status:\)' \
    > sotm27-tcp445-commands.txt
```

The output from the command is available here.
Attack on tcp/4899
```
$ ra -A -c -n -r sotm27.argus - tcp and dst port 4899 > sotm27-tcp4899.txt
```

The output from the command is available here.
```
$ grep -i rad sotm27-tcp445-210.22.204.101.txt
0230  fa 2a e3 f4 f3 ee 4b 3b 52 41 64 fb 04 1c d4 1b   .*....K;RAd.....
    File Name: \WINNT\System32\raddrv.dll
03a0  55 6e 6c 6f 61 64 69 6e 67 20 52 61 64 64 72 76   Unloading Raddrv
0190  65 74 52 41 44 53 65 63 75 72 69 74 79 00 47 65   etRADSecurity.Ge
0150  00 00 53 59 53 54 45 4d 5c 52 41 64 6d 69 6e 5c   ..SYSTEM\RAdmin\
00c0  00 00 06 00 00 00 72 61 64 6d 6d 00 00 00 34 5b   ......radmm...4[
```
Analysis of Outbound Traffic
```
$ ra -A -c -n -r sotm27.argus - tcp and src host 172.16.134.191 > sotm27-outbound.txt
```

The output from the command is available here.
```
$ tcpdump -nn -r sotm27 host 24.197.194.106 and tcp and port 3806
03:43:09.551513 24.197.194.106.3806 > 172.16.134.191.80: F 1594580868:1594580868(0) ack 1256638560 win 17520 (DF)
03:43:09.551515 172.16.134.191.80 > 24.197.194.106.3806: . ack 1 win 17503 (DF)
03:45:57.118969 172.16.134.191.80 > 24.197.194.106.3806: F 1:1(0) ack 1 win 17503 (DF)
03:45:59.759206 172.16.134.191.80 > 24.197.194.106.3806: F 1:1(0) ack 1 win 17503 (DF)
03:46:05.012613 172.16.134.191.80 > 24.197.194.106.3806: F 1:1(0) ack 1 win 17503 (DF)
03:46:36.661844 172.16.134.191.80 > 24.197.194.106.3806: F 1:1(0) ack 1 win 17503 (DF)
03:47:19.670442 172.16.134.191.80 > 24.197.194.106.3806: F 1:1(0) ack 1 win 17503 (DF)
```