Don’t worry, it is not about my twin btw.

Can you spot the difference (especially in terms of traffic behaviour) between these two packet capture files?

I use windump on my Windows XP machine, and the command I executed to produce these outputs is:

wd -Snnr packet_capture_file.pcap dst port 22

Packet Capture 1

20:25:00.696718 IP 192.168.4.128.1813 > 192.168.4.126.22: S 2151807408:2151807408(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>

20:25:00.698859 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369704931 win 64000

20:25:00.751279 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807409:2151807437(28) ack 1369704970 win 63980

20:25:00.760521 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807437:2151807941(504) ack 1369705706 win 63612

20:25:00.760616 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807941:2151807957(16) ack 1369705706 win 63612

20:25:00.900008 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807957:2151808229(272) ack 1369705986 win 63472

20:25:01.094824 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808229:2151808245(16) ack 1369706770 win 64000

20:25:01.095211 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808245:2151808297(52) ack 1369706770 win 64000

20:25:01.211169 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369706822 win 63974

20:25:06.746347 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808297:2151808365(68) ack 1369706822 win 63974

20:25:07.627074 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808365:2151808465(100) ack 1369706890 win 63940

20:25:07.747682 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369706958 win 63906

20:25:09.354328 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808465:2151808741(276) ack 1369706958 win 63906

20:25:09.361925 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808741:2151808841(100) ack 1369707026 win 63872

20:25:09.559764 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707094 win 63838

20:25:11.762118 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808841:2151809117(276) ack 1369707094 win 63838

20:25:11.768410 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151809117:2151809217(100) ack 1369707162 win 63804

20:25:11.973704 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707230 win 63770

20:25:13.357811 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151809217:2151809493(276) ack 1369707230 win 63770

20:25:13.365031 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151809493:2151809593(100) ack 1369707298 win 63736

20:25:13.482591 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707366 win 63702

20:25:14.856313 IP 192.168.4.128.1813 > 192.168.4.126.22: F 2151809593:2151809593(0) ack 1369707366 win 63702

20:25:14.864991 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707367 win 63702

Packet Capture 2

16:30:59.167586 IP 192.168.2.8.32862 > 192.168.2.9.22: S 1789751218:1789751218(0) win 5840 <mss 1460,sackOK,timestamp 25550657 0,nop,wscale 2>

16:30:59.168266 IP 192.168.2.8.32862 > 192.168.2.9.22: . ack 1673969780 win 1460 <nop,nop,timestamp 25550658 20899740>

16:30:59.194809 IP 192.168.2.8.32862 > 192.168.2.9.22: . ack 1673969800 win 1460 <nop,nop,timestamp 25550659 20899766>

16:30:59.194814 IP 192.168.2.8.32862 > 192.168.2.9.22: P 1789751219:1789751240(21) ack 1673969800 win 1460 <nop,nop,timestamp 25550659 20899766>

16:30:59.203125 IP 192.168.2.8.32862 > 192.168.2.9.22: P 1789751240:1789751392(152) ack 1673970440 win 1780 <nop,nop,timestamp 25550660 20899774>

16:30:59.210623 IP 192.168.2.8.32863 > 192.168.2.9.22: S 1783492046:1783492046(0) win 5840 <mss 1460,sackOK,timestamp 25550662 0,nop,wscale 2>

16:30:59.210642 IP 192.168.2.8.32864 > 192.168.2.9.22: S 1787890826:1787890826(0) win 5840 <mss 1460,sackOK,timestamp 25550663 0,nop,wscale 2>

16:30:59.210647 IP 192.168.2.8.32865 > 192.168.2.9.22: S 1788072431:1788072431(0) win 5840 <mss 1460,sackOK,timestamp 25550664 0,nop,wscale 2>

16:30:59.212077 IP 192.168.2.8.32863 > 192.168.2.9.22: . ack 1687906519 win 1460 <nop,nop,timestamp 25550665 20899783>

16:30:59.238583 IP 192.168.2.8.32864 > 192.168.2.9.22: . ack 1678854406 win 1460 <nop,nop,timestamp 25550665 20899784>

16:30:59.238588 IP 192.168.2.8.32865 > 192.168.2.9.22: . ack 1673861893 win 1460 <nop,nop,timestamp 25550665 20899784>

16:30:59.238592 IP 192.168.2.8.32863 > 192.168.2.9.22: . ack 1687906539 win 1460 <nop,nop,timestamp 25550666 20899810>

16:30:59.238596 IP 192.168.2.8.32863 > 192.168.2.9.22: P 1783492047:1783492068(21) ack 1687906539 win 1460 <nop,nop,timestamp 25550666 20899810>

16:30:59.238600 IP 192.168.2.8.32866 > 192.168.2.9.22: S 1780193083:1780193083(0) win 5840 <mss 1460,sackOK,timestamp 25550667 0,nop,wscale 2>

16:30:59.238604 IP 192.168.2.8.32867 > 192.168.2.9.22: S 1781912197:1781912197(0) win 5840 <mss 1460,sackOK,timestamp 25550668 0,nop,wscale 2>

16:30:59.280609 IP 192.168.2.8.32866 > 192.168.2.9.22: . ack 1685157275 win 1460 <nop,nop,timestamp 25550668 20899812>

16:30:59.280614 IP 192.168.2.8.32867 > 192.168.2.9.22: . ack 1686380212 win 1460 <nop,nop,timestamp 25550669 20899812>

16:30:59.280619 IP 192.168.2.8.32868 > 192.168.2.9.22: S 1786479460:1786479460(0) win 5840 <mss 1460,sackOK,timestamp 25550670 0,nop,wscale 2>

16:30:59.280623 IP 192.168.2.8.32862 > 192.168.2.9.22: P 1789751392:1789751536(144) ack 1673970440 win 1780 <nop,nop,timestamp 25550670 20899816>

16:30:59.280627 IP 192.168.2.8.32864 > 192.168.2.9.22: . ack 1678854426 win 1460 <nop,nop,timestamp 25550670 20899837>

16:30:59.280631 IP 192.168.2.8.32864 > 192.168.2.9.22: P 1787890827:1787890848(21) ack 1678854426 win 1460 <nop,nop,timestamp 25550670 20899837>

16:30:59.280635 IP 192.168.2.8.32865 > 192.168.2.9.22: . ack 1673861913 win 1460 <nop,nop,timestamp 25550671 20899851>

16:30:59.280639 IP 192.168.2.8.32865 > 192.168.2.9.22: P 1788072432:1788072453(21) ack 1673861913 win 1460 <nop,nop,timestamp 25550671 20899851>

16:30:59.280643 IP 192.168.2.8.32863 > 192.168.2.9.22: P 1783492068:1783492220(152) ack 1687907179 win 1780 <nop,nop,timestamp 25550671 20899849>

There are some significant differences between these two captures, and from the pattern alone we can probably identify what happened in trace 1 and trace 2.

So what do you think?
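As an added example (my own script, not part of the original post), here is a small Python program that parses windump/tcpdump one-line TCP summaries like the ones above and summarises the traffic behaviour of each capture: how many distinct client connections (source ports) appear, how quickly new SYNs arrive, and how far apart the data-carrying packets are. The two excerpts embedded in the script are lines copied from the captures above; the threshold values in classify() are assumptions chosen for this illustration, not established detection rules.

```python
import re
import statistics
from collections import defaultdict

# One-line windump/tcpdump TCP summary with absolute sequence numbers (-S), e.g.
#   20:25:00.751279 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807409:2151807437(28) ack ...
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<plen>\d+)\))?"   # absent on pure ACKs
)

# Excerpts copied from the two captures in the post (not the full traces).
CAPTURE_1_EXCERPT = [
    "20:25:00.696718 IP 192.168.4.128.1813 > 192.168.4.126.22: S 2151807408:2151807408(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>",
    "20:25:00.698859 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369704931 win 64000",
    "20:25:00.751279 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807409:2151807437(28) ack 1369704970 win 63980",
    "20:25:00.760521 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807437:2151807941(504) ack 1369705706 win 63612",
    "20:25:06.746347 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808297:2151808365(68) ack 1369706822 win 63974",
    "20:25:07.627074 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808365:2151808465(100) ack 1369706890 win 63940",
    "20:25:09.354328 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808465:2151808741(276) ack 1369706958 win 63906",
    "20:25:09.361925 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808741:2151808841(100) ack 1369707026 win 63872",
    "20:25:11.762118 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808841:2151809117(276) ack 1369707094 win 63838",
    "20:25:14.856313 IP 192.168.4.128.1813 > 192.168.4.126.22: F 2151809593:2151809593(0) ack 1369707366 win 63702",
]
CAPTURE_2_EXCERPT = [
    "16:30:59.167586 IP 192.168.2.8.32862 > 192.168.2.9.22: S 1789751218:1789751218(0) win 5840 <mss 1460,sackOK,timestamp 25550657 0,nop,wscale 2>",
    "16:30:59.168266 IP 192.168.2.8.32862 > 192.168.2.9.22: . ack 1673969780 win 1460 <nop,nop,timestamp 25550658 20899740>",
    "16:30:59.194814 IP 192.168.2.8.32862 > 192.168.2.9.22: P 1789751219:1789751240(21) ack 1673969800 win 1460 <nop,nop,timestamp 25550659 20899766>",
    "16:30:59.210623 IP 192.168.2.8.32863 > 192.168.2.9.22: S 1783492046:1783492046(0) win 5840 <mss 1460,sackOK,timestamp 25550662 0,nop,wscale 2>",
    "16:30:59.210642 IP 192.168.2.8.32864 > 192.168.2.9.22: S 1787890826:1787890826(0) win 5840 <mss 1460,sackOK,timestamp 25550663 0,nop,wscale 2>",
    "16:30:59.210647 IP 192.168.2.8.32865 > 192.168.2.9.22: S 1788072431:1788072431(0) win 5840 <mss 1460,sackOK,timestamp 25550664 0,nop,wscale 2>",
    "16:30:59.212077 IP 192.168.2.8.32863 > 192.168.2.9.22: . ack 1687906519 win 1460 <nop,nop,timestamp 25550665 20899783>",
    "16:30:59.238596 IP 192.168.2.8.32863 > 192.168.2.9.22: P 1783492047:1783492068(21) ack 1687906539 win 1460 <nop,nop,timestamp 25550666 20899810>",
    "16:30:59.238600 IP 192.168.2.8.32866 > 192.168.2.9.22: S 1780193083:1780193083(0) win 5840 <mss 1460,sackOK,timestamp 25550667 0,nop,wscale 2>",
    "16:30:59.238604 IP 192.168.2.8.32867 > 192.168.2.9.22: S 1781912197:1781912197(0) win 5840 <mss 1460,sackOK,timestamp 25550668 0,nop,wscale 2>",
    "16:30:59.280619 IP 192.168.2.8.32868 > 192.168.2.9.22: S 1786479460:1786479460(0) win 5840 <mss 1460,sackOK,timestamp 25550670 0,nop,wscale 2>",
    "16:30:59.280631 IP 192.168.2.8.32864 > 192.168.2.9.22: P 1787890827:1787890848(21) ack 1678854426 win 1460 <nop,nop,timestamp 25550670 20899837>",
]


def parse_line(line):
    """Parse one summary line into a dict, or return None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["us"]) / 1e6
    return {
        "ts": ts,
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"],
        "plen": int(m["plen"]) if m["plen"] else 0,   # TCP payload bytes
    }


def summarize(lines):
    """Per-capture behaviour metrics: flow count, SYN rate, spacing of data packets."""
    pkts = [p for p in (parse_line(l) for l in lines) if p]
    if not pkts:
        raise ValueError("no parseable packets")
    flows = defaultdict(list)
    for p in pkts:
        flows[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
    syn_ts = [p["ts"] for p in pkts if "S" in p["flags"]]
    data_ts = [p["ts"] for p in pkts if p["plen"] > 0]
    duration = pkts[-1]["ts"] - pkts[0]["ts"]
    gaps = [b - a for a, b in zip(data_ts, data_ts[1:])]   # time between data packets
    return {
        "packets": len(pkts),
        "flows": len(flows),
        "syns": len(syn_ts),
        "duration_s": round(duration, 3),
        "syns_per_s": round(len(syn_ts) / duration, 2) if duration > 0 else float("inf"),
        "median_data_gap_s": round(statistics.median(gaps), 3) if gaps else None,
        "bytes_to_server": sum(p["plen"] for p in pkts),
    }


def classify(stats, syn_burst_rate=5.0, interactive_gap=0.5):
    """Heuristic label; the two thresholds are assumptions for this example."""
    if stats["flows"] > 1 and stats["syns_per_s"] >= syn_burst_rate:
        return "many-connections-burst"          # many new SSH sessions opened within a fraction of a second
    if stats["flows"] == 1 and stats["median_data_gap_s"] is not None \
            and stats["median_data_gap_s"] >= interactive_gap:
        return "single-interactive-session"      # one session, data sent at human-like pace
    return "undetermined"


if __name__ == "__main__":
    for name, lines in (("capture 1", CAPTURE_1_EXCERPT), ("capture 2", CAPTURE_2_EXCERPT)):
        s = summarize(lines)
        print(name, s, "->", classify(s))
```

On these excerpts the script reports a single flow for capture 1 whose data packets are typically more than a second apart, and seven flows for capture 2 whose SYNs all arrive within roughly a tenth of a second; the same per-source flow count and SYN rate are what a defender would alert on in logs from an SSH-facing host.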
