[Dshield] UDP/TCP:1214 probes - "normal" KaZaA?

KeithTarrant keithtarrant at spamcop.net
Mon Oct 7 15:21:41 GMT 2002


John - the last article below, by Jack Green, explains how,
apparently, the network connection algorithm used by Kazaa requires
port scanning even when the product is being used innocently, thus
camouflaging attacks on its users.

Just for your info, here is a listing of some web pages with good
articles explaining the popular P2P services, how they work,
how they scan, how they hide hackers, and how they create
up to 60% of the traffic on some ISPs.

(This list doesn't include references to P2P worms because such a list
would be obsolete within a couple of weeks.  Check www.cert.org or
antivirus software makers for assistance on worms.)

Keith
--------------
P2P swamps broadband networks
By John Leyden
Posted: 12/09/2002 at 14:10 GMT
http://www.theregister.co.uk/content/22/27092.html
---------------
Peer-to-Peer File Sharing
The Effects of File Sharing on a Service Provider's Network
An Industry White Paper
Copyright © July 2002, Sandvine Incorporated
http://www.sandvine.com/register.asp?TID=1&ID=1

An excellent paper describing how bandwidth is consumed in vast
quantities by current P2P architectures, up to 60% of traffic for ISPs.

Surprisingly, much of this bandwidth consumption is background overhead,
not file transfers.  An idle computer running P2P apparently can consume
50kbps all day long.

Traffic is needlessly expensive because current P2P networks ignore the
network topology (i.e. you connect randomly all over the world, rather
than with a preference to computers "logically close" to yours).
---------------
Security Alert: Capturing Peer-to-Peer Applications
http://www.nwconnection.com/2001_12/securityd1/

Describes several security threats created by P2P, and approaches to
exclude P2P networking from an organization's intranet.
---------------
InfoWorld: Security Adviser
Mandy Andress
File-sharing warnings
September 16, 2002
http://www.infoworld.com/articles/op/xml/02/03/25/020325opsecurity.xml

"In addition to the copyright issues and bandwidth problems these
programs often cause, they can introduce numerous security risks into
your organization."
---------------
Instant Messaging and P2P:
Find it, Stop it, Make it safe.
Sygate
http://www.sygate.com/spotlight/IM_P2P_spotlight.htm

How Sygate Secure Enterprise can eliminate vulnerabilities introduced by
IM and P2P applications.
---------------
Network Quotas for Individuals - A better answer to the P2P bandwidth
problem?
Bruce Curtis
North Dakota State University
http://www.greatplains.net/activities/meetings/meeting-20020418/presentations/BruceCurtis/BruceCurtis.ppt

How universities are dealing with P2P.
---------------
Usability and privacy: a study of Kazaa P2P file-sharing
Nathaniel S. Good
  Information Dynamics Lab, HP
Aaron Krekelberg
  Office of Information Technology, HP
http://www.hpl.hp.com/shl/papers/kazaa/KazaaUsability.pdf

"While Kazaa is not a security application, like PGP or
personal firewall software, it nonetheless shares similar
responsibilities and obligations to its users. It must help
users ensure that private and personal data is not shared
with others."
...
"The results of 443 searches in 12 hours showed that
unintentional file sharing is quite prevalent on the Kazaa
network. 61% of all searches performed in this test
returned one or more hits for inbox.dbx."

In its promotional material Kazaa claims 100 million downloads.  Of
course many will be re-installs, and many people will try it and
discontinue use.  But Kazaa's download statistic implies up to 61
million seriously exposed systems. (An exposed email inbox is a serious
exposure.)

P2P users need to make sure their shared folder has a distinctive name,
need to remember that normally any subfolders of a shared folder are
also shared, and need to only share their distinctively named folder,
not their whole drive.
---------------
Support for the Cyber Defense Initiative: Port 1214 - KaZaA
Jack D. Green
May 3, 2002
http://www.giac.org/practical/Jack_Green_GCIH.doc

"For months now TCP Port 1214 has been a top 10 target for scanners. The
source of the scanning activity is the TCP Syn scan. This paper offers
an explanation for the popularity of the scan, an example of an
automated scanning mechanism and methods for protecting your network
from the traffic."
...
"The KMG clients most closely resemble the Peer-to-Peer with Discovery
and Lookup Server. When a KMG client starts, it performs a syn scan,
searching for a supernode host. The supernode functions as a lookup and
discovery server."
...
"According to Hacker's Digest, about six percent of all downloads are
viruses. It is easy enough to rename a virus to the name of a popular
song, retaining the extension so that the virus will execute once
selected."
...
"With versions under 1.5, KaZaA will display files even though sharing
has been deselected."
...
"· Additionally, KaZaA developers have chosen an ephemeral port over
which to communicate.  Ephemeral ports, those whose number is greater
than 1023, are typically associated with client requests and most often
are not screened by a connection arbiter unless explicitly told to do
so."
...
"The TCP syn request generated by Zatrix (or KaZaA) looks like this:
07:11:28.943334 narya.3917 > 192.168.3.17.1214: S 1350014296:1350014296(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

An effective snort rule would alert the network monitor about any tcp
packet coming from any outside address ($EXTERNAL_NET) to any of our
hosts ($HOME_NET) on port 1214 with the syn flag set (flags: S) would
look like this:
alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 \
(flags:S; msg:"INFO KaZaA/Morpheus Scan";)"
---------------
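
An added example, not part of the original post or of the papers it cites: the flags:S test from the rule above, applied offline to Snort packet-dump headers in the format of the quoted trace below, plus a per-source check for the "UDP datagram, then TCP SYN" sequence that trace describes. The sample input is constructed (documentation addresses), and the function names, the 5-second window and the year parameter are assumptions of this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the Snort dump headers in the quoted trace;
# addresses are documentation ranges, not the hosts from the post.
SAMPLE = """\
10/06-17:36:32.158526 198.51.100.10:1214 -> 192.0.2.71:1214
UDP TTL:112 TOS:0x0 ID:7791 IpLen:20 DgmLen:1341
Len: 1321
=+=+=+=
10/06-17:36:32.168550 198.51.100.10:1275 -> 192.0.2.71:1214
TCP TTL:112 TOS:0x0 ID:7792 IpLen:20 DgmLen:48 DF
******S* Seq: 0x4BD3C06A  Ack: 0x0  Win: 0x4000  TcpLen: 28
=+=+=+=
10/06-17:36:32.608509 198.51.100.10:1275 -> 192.0.2.71:1214
TCP TTL:112 TOS:0x0 ID:7795 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x4BD3C06B  Ack: 0x60E744C0  Win: 0x4510  TcpLen: 20
=+=+=+=
10/06-17:51:44.100439 203.0.113.249:1208 -> 192.0.2.71:1214
TCP TTL:112 TOS:0x0 ID:10761 IpLen:20 DgmLen:48 DF
******S* Seq: 0x13D175  Ack: 0x0  Win: 0x2000  TcpLen: 28
=+=+=+=
10/06-17:51:47.090749 203.0.113.249:1208 -> 192.0.2.71:1214
TCP TTL:112 TOS:0x0 ID:13321 IpLen:20 DgmLen:48 DF
******S* Seq: 0x13D175  Ack: 0x0  Win: 0x2000  TcpLen: 28
=+=+=+=
10/06-18:02:10.000001 203.0.113.5:4000 -> 192.0.2.71:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1  Ack: 0x0  Win: 0x2000  TcpLen: 28
"""

HEADER = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
                    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
PROTO = re.compile(r"^(TCP|UDP) TTL:")
FLAGS = re.compile(r"^([*A-Z12]{8}) Seq:")   # e.g. ******S* or ***A***F


def parse(text, year=2002):
    """Parse Snort dump headers into dicts. Mail quoting ('> ') is tolerated.
    The dump format carries no year, so `year` is supplied by the caller."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
            cur = {"ts": ts, "src": m.group(2), "sport": int(m.group(3)),
                   "dst": m.group(4), "dport": int(m.group(5)),
                   "proto": None, "flags": ""}
            packets.append(cur)
        elif cur is not None:
            if (m := PROTO.match(line)):
                cur["proto"] = m.group(1)
            elif (m := FLAGS.match(line)):
                cur["flags"] = m.group(1).replace("*", "")
    return packets


def kazaa_probes(packets, port=1214, window=timedelta(seconds=5)):
    """Per source address: UDP datagrams to `port`, TCP segments to `port`
    with SYN and no other flag (the flags:S condition), and whether a SYN
    arrived within `window` after a UDP datagram from the same source."""
    stats = defaultdict(lambda: {"udp": 0, "syn": 0,
                                 "udp_then_syn": False, "last_udp": None})
    for p in sorted(packets, key=lambda p: p["ts"]):
        if p["dport"] != port:
            continue
        s = stats[p["src"]]
        if p["proto"] == "UDP":
            s["udp"] += 1
            s["last_udp"] = p["ts"]
        elif p["proto"] == "TCP" and p["flags"] == "S":
            s["syn"] += 1
            if s["last_udp"] is not None and p["ts"] - s["last_udp"] <= window:
                s["udp_then_syn"] = True
    return {src: {k: v for k, v in s.items() if k != "last_udp"}
            for src, s in stats.items()}


if __name__ == "__main__":
    for src, s in kazaa_probes(parse(SAMPLE)).items():
        print(src, s)
```

A source that only repeats SYNs (the second host in the sample) is counted separately from one that sends a UDP datagram first, which is the distinction the question below turns on.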



----- Original Message -----
From: "John Sage" <jsage at finchhaven.com>
To: <list at dshield.org>
Sent: Sunday, October 06, 2002 11:24 PM
Subject: [Dshield] UDP/TCP:1214 probes - "normal" KaZaA?


> Is this at all unusual? UDP and TCP probes to 1214:KaZaA, with the
> UDP packets containing a substantial payload of indeterminate content,
> 1313 long. The payload seems to start with 0xC0 0x28; and is identical
> within each individual transaction, but changes between different
> transactions.
>
> There are two source hosts, separated by almost an hour:
> 172.159.180.210 and 12.253.191.105
>
> [toot at sparky /home/www/html/sys_docs/traces/Port_1214]# host 172.159.180.210
> 210.180.159.172.in-addr.arpa. domain name pointer AC9FB4D2.ipt.aol.com.
>
> [toot at sparky /home/www/html/sys_docs/traces/Port_1214]# host 12.253.191.105
> 105.191.253.12.in-addr.arpa. domain name pointer 12-253-191-105.client.attbi.com.
>
> Each probe starts out with a UDP packet (not the usual TCP with GET
> /.hash=blah blah...) of total length 1341; then a TCP connection is
> attempted.
>
> (Notes: I don't do KaZaA; these are *hours* after I last dialed up, so
> this is not dialup cruft; I'm wondering if these are hosts that have
> just come online and are attempting to resume transfers that did not
> complete successfully. Seems strange that KaZaA uses UDP for transport;
> Does it?)
>
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:36:32.158526 172.159.180.210:1214 -> 12.82.142.71:1214
> UDP TTL:112 TOS:0x0 ID:7791 IpLen:20 DgmLen:1341
> Len: 1321
> 0x0000: 45 00 05 3D 1E 6F 00 00 70 11 2B 36 AC 9F B4 D2
E..=.o..p.+6....
> 0x0010: 0C 52 8E 47 04 BE 04 BE 05 29 2F DB              .R.G.....)/.
>
>                                             C0 28 B1 8D
.(..
>
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> And then this TCP (note I'm showing incoming only, not my outgoing
> ACK/SYN's..)
>
> Again, note the IP ID's, and the source port has changed:
>
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:36:32.168550 172.159.180.210:1275 -> 12.82.142.71:1214
> TCP TTL:112 TOS:0x0 ID:7792 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x4BD3C06A  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1360 NOP NOP SackOK
> 0x0000: 45 00 00 30 1E 70 40 00 70 06 F0 4C AC 9F B4 D2
E..0.p at .p..L....
> 0x0010: 0C 52 8E 47 04 FB 04 BE 4B D3 C0 6A 00 00 00 00
.R.G....K..j....
> 0x0020: 70 02 40 00 31 81 00 00 02 04 05 50 01 01 04 02
p. at .1......P....
>
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:36:32.608509 172.159.180.210:1275 -> 12.82.142.71:1214
> TCP TTL:112 TOS:0x0 ID:7795 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x4BD3C06B  Ack: 0x60E744C0  Win: 0x4510  TcpLen: 20
> 0x0000: 45 00 00 28 1E 73 40 00 70 06 F0 51 AC 9F B4 D2
E..(.s at .p..Q....
> 0x0010: 0C 52 8E 47 04 FB 04 BE 4B D3 C0 6B 60 E7 44 C0
.R.G....K..k`.D.
> 0x0020: 50 10 45 10 B3 19 00 00                          P.E.....
>
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:36:32.608553 172.159.180.210:1275 -> 12.82.142.71:1214
> TCP TTL:112 TOS:0x0 ID:7796 IpLen:20 DgmLen:40 DF
> ***A***F Seq: 0x4BD3C06B  Ack: 0x60E744C0  Win: 0x4510  TcpLen: 20
> 0x0000: 45 00 00 28 1E 74 40 00 70 06 F0 50 AC 9F B4 D2
E..(.t at .p..P....
> 0x0010: 0C 52 8E 47 04 FB 04 BE 4B D3 C0 6B 60 E7 44 C0
.R.G....K..k`.D.
> 0x0020: 50 11 45 10 B3 18 00 00                          P.E.....
>
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:36:33.108605 172.159.180.210:1275 -> 12.82.142.71:1214
> TCP TTL:112 TOS:0x0 ID:7798 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x4BD3C06C  Ack: 0x60E744C1  Win: 0x4510  TcpLen: 20
> 0x0000: 45 00 00 28 1E 76 40 00 70 06 F0 4E AC 9F B4 D2
E..(.v at .p..N....
> 0x0010: 0C 52 8E 47 04 FB 04 BE 4B D3 C0 6C 60 E7 44 C1
.R.G....K..l`.D.
> 0x0020: 50 10 45 10 B3 17 00 00                          P.E.....
>
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:36:35.178814 172.159.180.210:1214 -> 12.82.142.71:1214
> UDP TTL:112 TOS:0x0 ID:7799 IpLen:20 DgmLen:1341
> Len: 1321
> 0x0000: 45 00 05 3D 1E 77 00 00 70 11 2B 2E AC 9F B4 D2
E..=.w..p.+.....
> 0x0010: 0C 52 8E 47 04 BE 04 BE 05 29 2F DB              .R.G.....)/.
>
>                                             C0 28 B1 8D
.(..
>
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:36:37.899010 172.159.180.210:1214 -> 12.82.142.71:1214
> UDP TTL:112 TOS:0x0 ID:7800 IpLen:20 DgmLen:1341
> Len: 1321
> 0x0000: 45 00 05 3D 1E 78 00 00 70 11 2B 2D AC 9F B4 D2
E..=.x..p.+-....
> 0x0010: 0C 52 8E 47 04 BE 04 BE 05 29 2F DB              .R.G.....)/.
>
>                                             C0 28 B1 8D
.(..
>
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 15 minutes pass; the IP ID increments; the source port changes on TCP:
>
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:51:44.100439 172.147.121.249:1208 -> 12.82.142.71:1214
> TCP TTL:112 TOS:0x0 ID:10761 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x13D175  Ack: 0x0  Win: 0x2000  TcpLen: 28
> TCP Options (4) => MSS: 1360 NOP NOP SackOK
> 0x0000: 45 00 00 30 2A 09 40 00 70 06 1F 99 AC 93 79 F9
E..0*. at .p.....y.
> 0x0010: 0C 52 8E 47 04 B8 04 BE 00 13 D1 75 00 00 00 00
.R.G.......u....
> 0x0020: 70 02 20 00 C7 5E 00 00 02 04 05 50 01 01 04 02  p.
..^.....P....
>
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:51:47.090749 172.147.121.249:1208 -> 12.82.142.71:1214
> TCP TTL:112 TOS:0x0 ID:13321 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x13D175  Ack: 0x0  Win: 0x2000  TcpLen: 28
> TCP Options (4) => MSS: 1360 NOP NOP SackOK
> 0x0000: 45 00 00 30 34 09 40 00 70 06 15 99 AC 93 79 F9
E..04. at .p.....y.
> 0x0010: 0C 52 8E 47 04 B8 04 BE 00 13 D1 75 00 00 00 00
.R.G.......u....
> 0x0020: 70 02 20 00 C7 5E 00 00 02 04 05 50 01 01 04 02  p.
..^.....P....
>
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> and now for UDP the source port is back to 1214, but the payload seems
> changed..
>
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:51:48.200885 172.147.121.249:1214 -> 12.82.142.71:1214
> UDP TTL:112 TOS:0x0 ID:13577 IpLen:20 DgmLen:1341
> Len: 1321
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:51:49.371030 172.147.121.249:1208 -> 12.82.142.71:1214
> TCP TTL:112 TOS:0x0 ID:16137 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x13D176  Ack: 0x9A332282  Win: 0x2530  TcpLen: 20
> 0x0000: 45 00 00 28 3F 09 40 00 70 06 0A A1 AC 93 79 F9  E..(?.@.p.....y.
> 0x0010: 0C 52 8E 47 04 B8 04 BE 00 13 D1 76 9A 33 22 82  .R.G.......v.3".
> 0x0020: 50 10 25 30 31 C9 00 00                          P.%01...
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:51:49.431025 172.147.121.249:1208 -> 12.82.142.71:1214
> TCP TTL:112 TOS:0x0 ID:16649 IpLen:20 DgmLen:40 DF
> ***A***F Seq: 0x13D176  Ack: 0x9A332282  Win: 0x2530  TcpLen: 20
> 0x0000: 45 00 00 28 41 09 40 00 70 06 08 A1 AC 93 79 F9  E..(A.@.p.....y.
> 0x0010: 0C 52 8E 47 04 B8 04 BE 00 13 D1 76 9A 33 22 82  .R.G.......v.3".
> 0x0020: 50 11 25 30 31 C8 00 00                          P.%01...
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:51:51.531203 172.147.121.249:1214 -> 12.82.142.71:1214
> UDP TTL:112 TOS:0x0 ID:17929 IpLen:20 DgmLen:1341
> Len: 1321
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:51:53.841431 172.147.121.249:1208 -> 12.82.142.71:1214
> TCP TTL:112 TOS:0x0 ID:19721 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x13D177  Ack: 0x9A332282  Win: 0x2530  TcpLen: 20
> 0x0000: 45 00 00 28 4D 09 40 00 70 06 FC A0 AC 93 79 F9  E..(M.@.p.....y.
> 0x0010: 0C 52 8E 47 04 B8 04 BE 00 13 D1 77 9A 33 22 82  .R.G.......w.3".
> 0x0020: 50 10 25 30 31 C8 00 00                          P.%01...
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:51:54.171511 172.147.121.249:1208 -> 12.82.142.71:1214
> TCP TTL:112 TOS:0x0 ID:19977 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x13D177  Ack: 0x9A332282  Win: 0x2530  TcpLen: 20
> 0x0000: 45 00 00 28 4E 09 40 00 70 06 FB A0 AC 93 79 F9  E..(N.@.p.....y.
> 0x0010: 0C 52 8E 47 04 B8 04 BE 00 13 D1 77 9A 33 22 82  .R.G.......w.3".
> 0x0020: 50 10 25 30 31 C8 00 00                          P.%01...
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:51:55.311607 172.147.121.249:1208 -> 12.82.142.71:1214
> TCP TTL:112 TOS:0x0 ID:20745 IpLen:20 DgmLen:40 DF
> ***A***F Seq: 0x13D176  Ack: 0x9A332282  Win: 0x2530  TcpLen: 20
> 0x0000: 45 00 00 28 51 09 40 00 70 06 F8 A0 AC 93 79 F9  E..(Q.@.p.....y.
> 0x0010: 0C 52 8E 47 04 B8 04 BE 00 13 D1 76 9A 33 22 82  .R.G.......v.3".
> 0x0020: 50 11 25 30 31 C8 00 00                          P.%01...
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:51:57.971838 172.147.121.249:1208 -> 12.82.142.71:1214
> TCP TTL:112 TOS:0x0 ID:22281 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x13D177  Ack: 0x9A332283  Win: 0x2530  TcpLen: 20
> 0x0000: 45 00 00 28 57 09 40 00 70 06 F2 A0 AC 93 79 F9  E..(W.@.p.....y.
> 0x0010: 0C 52 8E 47 04 B8 04 BE 00 13 D1 77 9A 33 22 83  .R.G.......w.3".
> 0x0020: 50 10 25 30 31 C7 00 00                          P.%01...
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-17:52:00.432117 172.147.121.249:1208 -> 12.82.142.71:1214
> TCP TTL:112 TOS:0x0 ID:23561 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x13D177  Ack: 0x9A332283  Win: 0x2530  TcpLen: 20
> 0x0000: 45 00 00 28 5C 09 40 00 70 06 ED A0 AC 93 79 F9  E..(\.@.p.....y.
> 0x0010: 0C 52 8E 47 04 B8 04 BE 00 13 D1 77 9A 33 22 83  .R.G.......w.3".
> 0x0020: 50 10 25 30 31 C7 00 00                          P.%01...
>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>
> And almost an hour later; different payload:
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-18:51:34.064318 12.253.191.105:3152 -> 12.82.142.71:1214
> UDP TTL:117 TOS:0x0 ID:27661 IpLen:20 DgmLen:1341
> Len: 1321
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-18:51:34.074343 12.253.191.105:1318 -> 12.82.142.71:1214
> TCP TTL:117 TOS:0x0 ID:27917 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x1099BD  Ack: 0x0  Win: 0x2000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> 0x0000: 45 00 00 30 6D 0D 40 00 75 06 31 BB 0C FD BF 69  E..0m.@.u.1....i
> 0x0010: 0C 52 8E 47 05 26 04 BE 00 10 99 BD 00 00 00 00  .R.G.&..........
> 0x0020: 70 02 20 00 58 6E 00 00 02 04 05 B4 01 01 04 02  p. .Xn..........
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-18:51:34.284346 12.253.191.105:1318 -> 12.82.142.71:1214
> TCP TTL:117 TOS:0x0 ID:32781 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x1099BE  Ack: 0x7C192DFA  Win: 0x2238  TcpLen: 20
> 0x0000: 45 00 00 28 80 0D 40 00 75 06 1E C3 0C FD BF 69  E..(..@.u......i
> 0x0010: 0C 52 8E 47 05 26 04 BE 00 10 99 BE 7C 19 2D FA  .R.G.&......|.-.
> 0x0020: 50 10 22 38 D8 D6 00 00                          P."8....
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-18:51:34.294409 12.253.191.105:1318 -> 12.82.142.71:1214
> TCP TTL:117 TOS:0x0 ID:33037 IpLen:20 DgmLen:40 DF
> ***A***F Seq: 0x1099BE  Ack: 0x7C192DFA  Win: 0x2238  TcpLen: 20
> 0x0000: 45 00 00 28 81 0D 40 00 75 06 1D C3 0C FD BF 69  E..(..@.u......i
> 0x0010: 0C 52 8E 47 05 26 04 BE 00 10 99 BE 7C 19 2D FA  .R.G.&......|.-.
> 0x0020: 50 11 22 38 D8 D5 00 00                          P."8....
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-18:51:34.544431 12.253.191.105:1318 -> 12.82.142.71:1214
> TCP TTL:117 TOS:0x0 ID:35085 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x1099BF  Ack: 0x7C192DFB  Win: 0x2238  TcpLen: 20
> 0x0000: 45 00 00 28 89 0D 40 00 75 06 15 C3 0C FD BF 69  E..(..@.u......i
> 0x0010: 0C 52 8E 47 05 26 04 BE 00 10 99 BF 7C 19 2D FB  .R.G.&......|.-.
> 0x0020: 50 10 22 38 D8 D4 00 00                          P."8....
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-18:51:37.034634 12.253.191.105:3152 -> 12.82.142.71:1214
> UDP TTL:117 TOS:0x0 ID:45325 IpLen:20 DgmLen:1341
> Len: 1321
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/06-18:51:39.944957 12.253.191.105:3152 -> 12.82.142.71:1214
> UDP TTL:117 TOS:0x0 ID:56077 IpLen:20 DgmLen:1341
> Len: 1321
>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Run time for packet processing was 1.4294882627 seconds
>
>
>
> ===============================================================================
>
> Snort processed 25 packets.
> Breakdown by protocol:                Action Stats:
>
>     TCP: 17         (68.000%)         ALERTS: 0
>     UDP: 8          (32.000%)         LOGGED: 0
>    ICMP: 0          (0.000%)          PASSED: 0
>     ARP: 0          (0.000%)
>    IPv6: 0          (0.000%)
>     IPX: 0          (0.000%)
>   OTHER: 0          (0.000%)
>
> ===============================================================================
> Fragmentation Stats:
> Fragmented IP Packets: 0          (0.000%)
>    Rebuilt IP Packets: 0
>    Frag elements used: 0
> Discarded(incomplete): 0
>    Discarded(timeout): 0
>
> ===============================================================================
>
> TCP Stream Reassembly Stats:
>    TCP Packets Used:      0          (0.000%)
>    Reconstructed Packets: 0          (0.000%)
>    Streams Reconstructed: 0
>
> ===============================================================================
>
>
>
>
> - John
> --
> "Broken pipe"
>
> PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
> Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
>
>
>
>




