SCTP: Stream Control Transmission Protocol
WTF is SCTP
SCTP was created because TCP, with its flow control, bears too much overhead for modern multimedia protocols. It combines characteristics of UDP and TCP, without head-of-line blocking, to ensure optimal transfer. Forward error correction is included by CRC, and flow control is not byte-oriented but sequence-oriented, which is better suited to multimedia applications.
Moreover, multi-homing is supported, meaning clients with multiple addresses can be serviced in one stream. Several streams can then be transported in one packet, so fewer sockets need to be opened than with TCP or UDP. The protocol is not widely deployed although it was standardized in 2000. And most importantly, an SCTP socket implementation is missing for programming languages. Nevertheless, it is predominantly used in the telecommunications domain.
This tutorial will teach you about the configuration of T2 core to activate the SCTP flow stream dissector and give a short introduction to the SCTP plugin.
This is not a tutorial about SCTP; a good overview of the packet structure can be found here: SCTP. Note that this tutorial is valid for version 0.8.13lmw2 and higher.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the following plugins:
t2build tranalyzer2 protoStats basicFlow basicStats sctpDecode txtSink
...
BUILD SUCCESSFUL
If you have not created a separate data and results directory yet, please do so now in another bash window; this facilitates your workflow:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: sctp-multi.pcap.
Please save it in your ~/data folder.
Now you’re all set. Let’s start with the SCTP pcap in T2 default mode.
SCTP in T2 default mode
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define SCTP_CRCADL32CHK 0 // Checksum computation:
// 0: none,
// 1: CRC32,
// 2: ADLER
#define SCTP_CHNKVAL 0 // 0: chunk type bit field,
// 1: chunk type value,
// 2: chunk type as string
#define SCTP_CHNKAGGR 0 // Aggregate chunk types, if SCTP_CHNKVAL > 0
#define SCTP_TSNREL 0 // 0: Absolute TSN
// 1: Relative TSN
#define SCTP_MAXCTYPE 15 // Maximum chunk types to store/flow, if SCTP_CHNKVAL > 0
#define SCTP_ASMX 10 // Maximum ASCONF IP
#define SCTP_MXADDR 5 // Maximum number of addresses to print in packet mode
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
/* No env / runtime configuration flags available for sctpDecode */
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
Invoke t2 with the pcap, store the results in your ~/results folder and also generate a packet file:
t2 -r ~/data/sctp-multi.pcap -w ~/results/ -s
Only 2 flows: one A and one B.
Looking at the plugin end report, a summary of the number of packets and aggregated states is supplied. Two flows are created, so one communication between two peers. A summary of the SCTP statistics and type bitfields is present and can be decoded using tawk -V.
As no sctpStat appears in the end report, we have no grave errors. These are the defined bits which can appear:
The sctpStat column is to be interpreted as follows:

   bit | sctpStat | Description
   =============================================================================
     0 |     0x01 | Adler32 error
     1 |     0x02 | CRC32 error
     2 |     0x04 | Chunk padded
     3 |     0x08 | Chunk truncated
     4 |     0x10 | 3 Ack
     5 |     0x20 | Type Field overflow
     6 |     0x40 | Do not report
     7 |     0x80 | Stop processing of the packet
But we see these control and type flags:
tawk -V sctpCFlags=0xc7 -V sctpTypeBF=0x0c0f
The sctpCFlags column with value 0xc7 is to be interpreted as follows:

   bit | sctpCFlags | Description
   =============================================================================
     0 |       0x01 | Last segment
     1 |       0x02 | First segment
     2 |       0x04 | Ordered delivery
     6 |       0x40 | Transmission sequence number Error
     7 |       0x80 | Association Sequence Number Error

The sctpTypeBF column with value 0x0c0f is to be interpreted as follows:

   bit | sctpTypeBF | Description
   =============================================================================
     0 |     0x0001 | Payload data
     1 |     0x0002 | Initiation
     2 |     0x0004 | Initiation acknowledgement
     3 |     0x0008 | Selective acknowledgement
    10 |     0x0400 | State cookie
    11 |     0x0800 | Cookie acknowledgement
The Transmission sequence number error can occur when packets are either lost or swapped.
The sctpTypeBF contains the aggregated chunk content types over all flows. No shutdown or abort chunk types appear in the bitfield, so this is an SCTP flow which is in progress and not terminated yet.
Nevertheless, it is a quasi-normal SCTP stream. Now, open the flow file under your ~/results directory.
tcol ~/results/sctp-multi_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm sctpStat sctpMaxDSNum sctpPID sctpVTag sctpTypeBF sctpCntD_I_A sctpCFlags sctpCCBF sctpASIP sctpIS sctpOS sctpIARW sctpIARWMin sctpIARWMax sctpARW
A 1 0x0400000001004000 1108716598.686079 1108716598.763435 0.077356 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 37 37 32072 32340 16 1072 866.8108 303.2927 0 0.007658 0.002090703 0.001983343 478.3081 414602.6 0 -0.004160715 0x00 11 0 0x00000eb0 0x040b 60_1_0 0xc7 0x0000 17 17 65535 65535 65535 65535
B 1 0x0400000001004001 1108716598.686375 1108716598.771526 0.085151 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 "Private network" 7 192.168.170.8 07 "Private network" 7 132 37 37 32340 32072 4 1072 874.0541 280.4827 0 0.013896 0.002301379 0.003496052 434.5222 379795.9 0 0.004160715 0x00 11 0 0x43232544 0x080d 60_0_0 0xc7 0x0000 17 17 4096 4096 4096 4096
Here are the two flows, but they indicate that there are more streams hidden.
The maximum announced number of in/out streams (sctpIS and sctpOS) is 17, while the actual number of data channels (sctpMaxDSNum) is 11.
A list of all chunk types can be acquired by invoking the following tawk command:
The packet mode shows the information of all SCTP streams in one packet, aggregated into one column and separated by ; (sctpChunkType_Sid_Flags_Len):
This column reports the chunk type, the stream ID, the chunk flags and the chunk length.
We will discuss this in more detail later.
head -n 10 ~/results/sctp-multi_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktLen l7Len sctpVTag sctpChkSum sctpChunkType_sid_flags_numDPkts_len_tsn_pid sctpErrType sctpNChunks sctpWin sctpStat l7Content
1 1 0x0400000001004000 1108716598.686079 0.000000 0.000000 0.000000 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 78 32 0x00000000 0x3761a746 1_0_0x00_0_32_65535_1560164255_110011_ 0x0000 1 65535 0x00 ... C#%D........\.7......\f......
2 1 0x0400000001004001 1108716598.686375 0.000000 0.000296 0.000000 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 174 128 0x43232544 0xc9018524 2_0_0x00_0_128_4096_13844_110011_ 0x0000 1 4096 0x00 ..................6....h..............6.C#%D........\.7................?.'.......v..U...,>|5...............\b...8...\b...\b........
3 1 0x0400000001004000 1108716598.686862 0.000783 0.000487 0.000783 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 150 104 0x00000eb0 0xb85148ea 10_0_0x00_0_104_0_0_0_ 0x0000 1 0 0x00 \n..h..............6.C#%D........\.7................?.'.......v..U...,>|5...............\b...8...\b...\b....
4 1 0x0400000001004001 1108716598.687080 0.000705 0.000218 0.000705 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 50 4 0x43232544 0xceec2d79 11_0_0x00_0_4_0_0_0_ 0x0000 1 0 0x00 ....
5 1 0x0400000001004000 1108716598.688291 0.001429 0.001211 0.002212 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 1102 1056 0x00000eb0 0xcfbb0406 0_0_0x07_1_528_0_1560164255_0_;0_1_0x07_2_528_0_1560164256_0_ 0x0000 2 0 0x00 ....\.7.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................\.7.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
6 1 0x0400000001004001 1108716598.688538 0.001458 0.000247 0.002163 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 1118 1072 0x43232544 0xce0c78b4 3_0_0x00_0_16_4096_1560164256_0_;0_0_0x07_1_528_0_13844_0_;0_1_0x07_2_528_0_13845_0_ 0x0000 3 0 0x00 ....\.7...............6...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................6.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
7 1 0x0400000001004000 1108716598.689195 0.000904 0.000657 0.003116 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 1102 1056 0x00000eb0 0xaafc4c8d 0_2_0x07_3_528_0_1560164257_0_;0_3_0x07_4_528_0_1560164258_0_ 0x0000 2 0 0x00 ....\.7.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................\.7.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
8 1 0x0400000001004001 1108716598.689402 0.000864 0.000207 0.003027 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 1118 1072 0x43232544 0xe5c3f9f1 3_0_0x00_2_16_4096_1560164258_0_;0_2_0x07_3_528_0_13846_0_;0_3_0x07_4_528_0_13847_0_ 0x0000 3 0 0x00 ....\.7...............6...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................6.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
9 1 0x0400000001004000 1108716598.690095 0.000900 0.000693 0.004016 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 1102 1056 0x00000eb0 0xd949ce4f 0_4_0x07_5_528_0_1560164259_0_;0_5_0x07_6_528_0_1560164260_0_ 0x0000 2 0 0x00 ....\.7.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................\.7.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
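As an added example (not part of Tranalyzer or of the original tutorial), the following Python code splits the ;-aggregated chunk column of the default-mode packet file into per-chunk records, counts payload data chunks per stream ID, and reports TSN discontinuities per sender. The rows are copied from the listing above; the eight-value positional layout (the sixth value is not named in the column header) and the use of the source IP as sender key are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

DATA = 0              # chunk type 0 = "Payload data" in the sctpTypeBF table
TSN_MOD = 1 << 32     # TSNs are 32-bit counters and wrap around


class Chunk(NamedTuple):
    ctype: int        # chunk type
    sid: int          # stream ID
    flags: int        # chunk flags (printed as hex, e.g. 0x07)
    num_dpkts: int
    length: int       # chunk length
    unnamed: int      # 6th value, not named in the column header (assumption:
                      # a window value); kept but not interpreted here
    tsn: int
    pid: int


def parse_chunks(column):
    """Split one ';'-aggregated chunk column value into Chunk records."""
    chunks = []
    for item in column.split(";"):
        if not item:
            continue
        fields = item.rstrip("_").split("_")
        if len(fields) != 8:
            raise ValueError(f"unexpected chunk record: {item!r}")
        # base 0 parses both the decimal values and the 0x.. flags field
        chunks.append(Chunk(*(int(f, 0) for f in fields)))
    return chunks


def per_stream_data(rows):
    """Return {(src_ip, sid): (data_chunks, chunk_bytes)} for DATA chunks."""
    stats = defaultdict(lambda: [0, 0])
    for _pkt_no, src_ip, column in rows:
        for c in parse_chunks(column):
            if c.ctype == DATA:
                stats[(src_ip, c.sid)][0] += 1
                stats[(src_ip, c.sid)][1] += c.length
    return {key: tuple(val) for key, val in stats.items()}


def tsn_gaps(rows):
    """Return (src_ip, pkt_no, expected_tsn, seen_tsn) for each DATA chunk whose
    TSN does not directly follow the previous DATA chunk of the same sender.
    Loss, reordering and retransmission all show up here. Keying by source IP
    is a simplification that only holds for single-homed peers."""
    last, gaps = {}, []
    for pkt_no, src_ip, column in rows:
        for c in parse_chunks(column):
            if c.ctype != DATA:
                continue
            if src_ip in last:
                expected = (last[src_ip] + 1) % TSN_MOD
                if c.tsn != expected:
                    gaps.append((src_ip, pkt_no, expected, c.tsn))
            last[src_ip] = c.tsn
    return gaps


# (pktNo, srcIP, chunk column) copied from the first nine packets listed above
A, B = "192.168.170.8", "192.168.170.56"
SAMPLE_ROWS = [
    (1, A, "1_0_0x00_0_32_65535_1560164255_110011_"),
    (2, B, "2_0_0x00_0_128_4096_13844_110011_"),
    (3, A, "10_0_0x00_0_104_0_0_0_"),
    (4, B, "11_0_0x00_0_4_0_0_0_"),
    (5, A, "0_0_0x07_1_528_0_1560164255_0_;0_1_0x07_2_528_0_1560164256_0_"),
    (6, B, "3_0_0x00_0_16_4096_1560164256_0_;0_0_0x07_1_528_0_13844_0_;"
           "0_1_0x07_2_528_0_13845_0_"),
    (7, A, "0_2_0x07_3_528_0_1560164257_0_;0_3_0x07_4_528_0_1560164258_0_"),
    (8, B, "3_0_0x00_2_16_4096_1560164258_0_;0_2_0x07_3_528_0_13846_0_;"
           "0_3_0x07_4_528_0_13847_0_"),
    (9, A, "0_4_0x07_5_528_0_1560164259_0_;0_5_0x07_6_528_0_1560164260_0_"),
]

if __name__ == "__main__":
    for (src, sid), (n, nbytes) in sorted(per_stream_data(SAMPLE_ROWS).items()):
        print(f"{src:15s} stream {sid:2d}: {n} DATA chunk(s), {nbytes} bytes")
    # Constructed failure case: pretend packet 7 was never captured
    lossy = [r for r in SAMPLE_ROWS if r[0] != 7]
    for src, pkt, exp, seen in tsn_gaps(lossy):
        print(f"{src}: pkt {pkt} carries TSN {seen}, expected {exp}")
```

Feeding it the tab-separated pktNo, srcIP and chunk columns of a real packet file gives a per-stream view comparable to the one the stream dissect mode described below produces natively.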
Let’s see what protocols and ports information we have:
lsx sctp-multi_protocols.txt
# Total packets: 74
# Total bytes: 67816 (67.82 K)

# L2/3 Protocol    Packets          Bytes              Description
0x0800             74 [100.00%]     67816 [100.00%]    Internet Protocol version 4 (IPv4)

# Total IPv4 packets: 74 [100.00%]
# Total IPv6 packets: 0 [0.00%]

# L4 Protocol      Packets          Bytes              Description
132                74 [100.00%]     67816 [100.00%]    Stream Control Transmission Protocol

# Total TCP packets: 0 [0.00%]
# Total TCP bytes: 0 [0.00%]

# Total UDP packets: 0 [0.00%]
# Total UDP bytes: 0 [0.00%]
Oops, no layer 4 SCTP packet info? Why???
By default we switched the SCTP statistics in protoStats off, as most users did not need it.
So let’s switch it on and rerun t2 without packet mode to save time (if you had a 100 GB pcap, you would notice the difference :-))
t2conf protoStats -D SCTP_STAT=1 && t2build protoStats
t2 -r ~/data/sctp-multi.pcap -w ~/results/sctp/
Looking into the protocols file, note that SCTP now has an entry for port 7, the Echo protocol, including the packet count. Nevertheless, the description Echo is misleading, as SCTP ports are not compliant with the standard TCP/UDP port designation.
lsx sctp-multi_protocols.txt
# Total packets: 74
# Total bytes: 67816 (67.82 K)

# L2/3 Protocol    Packets          Bytes              Description
0x0800             74 [100.00%]     67816 [100.00%]    Internet Protocol version 4 (IPv4)

# Total IPv4 packets: 74 [100.00%]
# Total IPv6 packets: 0 [0.00%]

# L4 Protocol      Packets          Bytes              Description
132                74 [100.00%]     67816 [100.00%]    Stream Control Transmission Protocol

# Total TCP packets: 0 [0.00%]
# Total TCP bytes: 0 [0.00%]

# Total UDP packets: 0 [0.00%]
# Total UDP bytes: 0 [0.00%]

# Total SCTP packets: 74 [100.00%]
# Total SCTP bytes: 67816 (67.82 K) [100.00%]

# SCTP Port        Packets          Bytes              Description
7                  74 [100.00%]     67816 [100.00%]    Echo
Now let’s look at what happens when we activate the SCTP dissect mode of T2 core, meaning that we add the SCTP stream ID to the flow hash.
T2 in SCTP stream dissect mode
The anteater has a unique flow concept for SCTP, which dissects the chunk streams and converts them into T2 flows. In order to enable this function, the SCTP stream dissect mode has to be enabled via the SCTP_ACTIVATE constant in the core configuration of networkHeaders.h.
It is off by default, to optimize performance for the default user.
tranalyzer2
vi src/networkHeaders.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
...
#define SCTP_ACTIVATE 0 // 0: standard flows
// 1: activate SCTP chunk streams -> flows
// 2: activate SCTP association -> flows
// 3: activate SCTP Chunk & association -> flows
#define SCTP_STATFINDEX 1 // 0: findex increments
// 1: findex constant for all SCTP streams in a packet
...
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
SCTP_ACTIVATE has several modes. If set to 1, the chunk stream ID is added to the flow hash, hence each data chunk stream is sorted into one unique flow.
Option 2 activates the association mode, thus the verification tag is added to the flow. In mode 3, both are added to the flow. Note that 2 and especially 3 might collide with the port and IP address hash content, so it is advisable to think beforehand about what you want to aggregate. E.g., for mode 3 the aggregation of the IPs and ports should be switched off via AGGREGATIONFLAG in tranalyzer.h, as they are redundant. In mode 2, if AGGREGATIONFLAG is set to ignore IPs and ports, you must be aware that several flows are now aggregated into one SCTP association flow, hence content flags and the content itself are aggregated as well. The concept is powerful, but you need to know what you want to achieve.
So enable the SCTP chunk stream mode in the core and re-invoke t2 with the -s option.
t2conf tranalyzer2 -D SCTP_ACTIVATE=1 && t2build -R
t2 -r ~/data/sctp-multi.pcap -w ~/results/ -s
Note that in the fourth line, SCTP indicates that the core now dissects the protocol and creates independent flows for each SCTP stream.
And now T2 creates 24 flows (12 A flows and 12 B flows) or 12 communication streams.
Move to your results window again and open the ~/results/sctp-multi_flows.txt file.
Note that every flow is labeled with the same flowInd (1), as all SCTP stream flows are from one original flow. But sctpDSNum denotes the stream ID, or SCTP Data Stream Number.
tcol ~/results/sctp-multi_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm sctpStat sctpDSNum sctpPID sctpVTag sctpTypeBF sctpCntD_I_A sctpCFlags sctpCCBF sctpASIP sctpIS sctpOS sctpIARW sctpIARWMin sctpIARWMax sctpARW
A 1 0x0400000001004000 1108716598.697367 1108716598.751383 0.054016 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - "-" 7 192.168.170.56 - "-" 7 132 4 4 2048 2048 512 512 512 0 0 0.019717 0.013504 0.005976828 74.05213 37914.69 0 0 0x00 11 0 0x00000eb0 0x0001 4_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.700651 1108716598.756477 0.055826 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 "Private network" 7 192.168.170.8 07 "Private network" 7 132 4 4 2048 2048 512 512 512 0 0 0.022678 0.0139565 0.006462127 71.6512 36685.41 0 0 0x00 11 0 0x43232544 0x0001 4_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.688291 1108716598.751383 0.063092 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - "-" 7 192.168.170.56 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.018223 0.0126184 0.005361295 79.24935 40575.67 0 0 0x00 1 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.688538 1108716598.756477 0.067939 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.023467 0.0135878 0.006479933 73.59544 37680.86 0 0 0x00 1 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.689195 1108716598.752140 0.062945 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.01898 0.012589 0.005557677 79.43443 40670.43 0 0 0x00 2 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.689402 1108716598.756727 0.067325 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.023467 0.013465 0.006579555 74.26662 38024.51 0 0 0x00 2 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.689195 1108716598.753271 0.064076 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.019201 0.0128152 0.005597543 78.03234 39952.56 0 0 0x00 3 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.689402 1108716598.756967 0.067565 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.021079 0.013513 0.00608459 74.00281 37889.44 0 0 0x00 3 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.690095 1108716598.753271 0.063176 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.019201 0.0126352 0.005108401 79.14398 40521.72 0 0 0x00 4 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.693336 1108716598.756967 0.063631 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.021079 0.0127262 0.005697675 78.57806 40231.96 0 0 0x00 4 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.690095 1108716598.760341 0.070246 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.020442 0.0140492 0.005889928 71.17843 36443.36 0 0 0x00 5 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.693336 1108716598.770863 0.077527 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.02454 0.0155054 0.007011673 64.49366 33020.75 0 0 0x00 5 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.693263 1108716598.760341 0.067078 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.020442 0.0134156 0.005683439 74.54008 38164.52 0 0 0x00 6 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.693951 1108716598.770863 0.076912 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.02454 0.0153824 0.006592538 65.00936 33284.79 0 0 0x00 6 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.693263 1108716598.761549 0.068286 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.019427 0.0136572 0.005618318 73.22145 37489.38 0 0 0x00 7 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.693951 1108716598.771163 0.077212 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.024675 0.0154424 0.006634399 64.75677 33155.47 0 0 0x00 7 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.693735 1108716598.761549 0.067814 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - "-" 7 192.168.170.56 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.021395 0.0135628 0.00574128 73.73109 37750.32 0 0 0x00 8 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.694007 1108716598.771163 0.077156 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 "Private network" 7 192.168.170.8 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.024451 0.0154312 0.007122566 64.80377 33179.53 0 0 0x00 8 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.694950 1108716598.762308 0.067358 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.021395 0.0134716 0.005884205 74.23023 38005.88 0 0 0x00 9 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.700250 1108716598.771310 0.071060 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.024598 0.014212 0.007284279 70.36308 36025.89 0 0 0x00 9 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.686079 1108716598.763435 0.077356 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 24 41 18776 34356 16 1072 782.3333 347.4483 0 0.008278 0.003223167 0.002523227 310.2539 242722 -0.2615385 -0.293232 0x00 0 0 0x00000eb0 0x040b 6_1_0 0xc7 0x0000 17 17 65535 65535 65535 65535
B 1 0x0400000001004001 1108716598.686375 1108716598.771526 0.085151 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 "Private network" 7 192.168.170.8 07 "Private network" 7 132 41 24 34356 18776 4 1072 837.9512 288.5713 0 0.013896 0.002076854 0.003394506 481.4976 403471.5 0.2615385 0.293232 0x00 0 0 0x43232544 0x080d 6_0_0 0xc7 0x0000 17 17 4096 4096 4096 4096
A 1 0x0400000001004000 1108716598.694950 1108716598.763435 0.068485 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.022134 0.013697 0.005530534 73.00869 37380.45 0 0 0x00 10 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.700597 1108716598.771526 0.070929 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.022732 0.0141858 0.005774313 70.49303 36092.43 0 0 0x00 10 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
If you look at the packets file, you will see that the flowInd is always 1 and that there are several packet lines with the same pktNo. Now every chunk has its own packet line and is thus easier to post-process. Moreover, all T2 plugins can now operate on SCTP packets/flows as with other protocols, e.g., TCP, and selection by tawk according to flows and streams is facilitated.
head -n 10 ~/results/sctp-multi_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktLen l7Len sctpVTag sctpChkSum sctpChunkType_sid_flags_numDPkts_len_tsn_pid sctpErrType sctpNChunks sctpWin sctpStat l7Content
1 1 0x0400000001004000 1108716598.686079 0.000000 0.000000 0.000000 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 78 32 0x00000000 0x3761a746 1_0_0x00_0_32_65535_1560164255_110011_ 0x0000 1 65535 0x00
2 1 0x0400000001004001 1108716598.686375 0.000000 0.000296 0.000000 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 174 128 0x43232544 0xc9018524 2_0_0x00_0_128_4096_13844_110011_ 0x0000 1 4096 0x00
3 1 0x0400000001004000 1108716598.686862 0.000783 0.000487 0.000783 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 150 104 0x00000eb0 0xb85148ea 10_0_0x00_0_104_0_0_0_ 0x0000 1 0 0x00
4 1 0x0400000001004001 1108716598.687080 0.000705 0.000218 0.000705 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 50 4 0x43232544 0xceec2d79 11_0_0x00_0_4_0_0_0_ 0x0000 1 0 0x00
5 1 0x0400000001004000 1108716598.688291 0.001429 0.001211 0.002212 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 1102 512 0x00000eb0 0xcfbb0406 0_0_0x07_1_528_0_1560164255_0_ 0x0000 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
5 1 0x0400000001004000 1108716598.688291 0.000000 0.000000 0.000000 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - - 7 192.168.170.56 - - 7 132 1102 512 0x00000eb0 0xcfbb0406 0_1_0x07_1_528_0_1560164256_0_ 0x0000 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
6 1 0x0400000001004001 1108716598.688538 0.001458 0.000247 0.002163 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 1118 1072 0x43232544 0xce0c78b4 3_0_0x00_0_16_4096_1560164256_0_ 0x0000 1 4096 0x00
6 1 0x0400000001004001 1108716598.688538 0.000000 0.000247 0.002163 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 1118 512 0x43232544 0xce0c78b4 0_0_0x07_1_528_0_13844_0_ 0x0000 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
6 1 0x0400000001004001 1108716598.688538 0.000000 0.000247 0.000000 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - - 7 192.168.170.8 - - 7 132 1118 512 0x43232544 0xce0c78b4 0_1_0x07_1_528_0_13845_0_ 0x0000 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
If you would like every stream flow to be labelled with a separate index, then disable SCTP_STATFINDEX, recompile and rerun t2:
t2conf tranalyzer2 -D SCTP_STATFINDEX=0 && t2build -R
t2 -r ~/data/sctp-multi.pcap -w ~/results/ -s
Now each flow stream has a different flowInd, so you can easily discern which packet belongs to which stream flow by the flowInd alone, unless there are more packets. Nevertheless, if more flows of any protocol are present, the flowInd to packet relation is unique, but difficult to extract. If you want to treat streams individually, independent of the packet flow association, this is the mode of choice.
tcol ~/results/sctp-multi_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm sctpStat sctpDSNum sctpPID sctpVTag sctpTypeBF sctpCntD_I_A sctpCFlags sctpCCBF sctpASIP sctpIS sctpOS sctpIARW sctpIARWMin sctpIARWMax sctpARW
A 12 0x0400000001004000 1108716598.697367 1108716598.751383 0.054016 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - "-" 7 192.168.170.56 - "-" 7 132 4 4 2048 2048 512 512 512 0 0 0.019717 0.013504 0.005976828 74.05213 37914.69 0 0 0x00 11 0 0x00000eb0 0x0001 4_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 12 0x0400000001004001 1108716598.700651 1108716598.756477 0.055826 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 "Private network" 7 192.168.170.8 07 "Private network" 7 132 4 4 2048 2048 512 512 512 0 0 0.022678 0.0139565 0.006462127 71.6512 36685.41 0 0 0x00 11 0 0x43232544 0x0001 4_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 2 0x0400000001004000 1108716598.688291 1108716598.751383 0.063092 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - "-" 7 192.168.170.56 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.018223 0.0126184 0.005361295 79.24935 40575.67 0 0 0x00 1 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 2 0x0400000001004001 1108716598.688538 1108716598.756477 0.067939 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.023467 0.0135878 0.006479933 73.59544 37680.86 0 0 0x00 1 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 3 0x0400000001004000 1108716598.689195 1108716598.752140 0.062945 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.01898 0.012589 0.005557677 79.43443 40670.43 0 0 0x00 2 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 3 0x0400000001004001 1108716598.689402 1108716598.756727 0.067325 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.023467 0.013465 0.006579555 74.26662 38024.51 0 0 0x00 2 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 4 0x0400000001004000 1108716598.689195 1108716598.753271 0.064076 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.019201 0.0128152 0.005597543 78.03234 39952.56 0 0 0x00 3 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 4 0x0400000001004001 1108716598.689402 1108716598.756967 0.067565 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.021079 0.013513 0.00608459 74.00281 37889.44 0 0 0x00 3 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 5 0x0400000001004000 1108716598.690095 1108716598.753271 0.063176 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.019201 0.0126352 0.005108401 79.14398 40521.72 0 0 0x00 4 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 5 0x0400000001004001 1108716598.693336 1108716598.756967 0.063631 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.021079 0.0127262 0.005697675 78.57806 40231.96 0 0 0x00 4 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 6 0x0400000001004000 1108716598.690095 1108716598.760341 0.070246 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.020442 0.0140492 0.005889928 71.17843 36443.36 0 0 0x00 5 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 6 0x0400000001004001 1108716598.693336 1108716598.770863 0.077527 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.02454 0.0155054 0.007011673 64.49366 33020.75 0 0 0x00 5 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 7 0x0400000001004000 1108716598.693263 1108716598.760341 0.067078 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.020442 0.0134156 0.005683439 74.54008 38164.52 0 0 0x00 6 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 7 0x0400000001004001 1108716598.693951 1108716598.770863 0.076912 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.02454 0.0153824 0.006592538 65.00936 33284.79 0 0 0x00 6 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 8 0x0400000001004000 1108716598.693263 1108716598.761549 0.068286 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.019427 0.0136572 0.005618318 73.22145 37489.38 0 0 0x00 7 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 8 0x0400000001004001 1108716598.693951 1108716598.771163 0.077212 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.024675 0.0154424 0.006634399 64.75677 33155.47 0 0 0x00 7 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 9 0x0400000001004000 1108716598.693735 1108716598.761549 0.067814 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - "-" 7 192.168.170.56 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.021395 0.0135628 0.00574128 73.73109 37750.32 0 0 0x00 8 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 9 0x0400000001004001 1108716598.694007 1108716598.771163 0.077156 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 "Private network" 7 192.168.170.8 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.024451 0.0154312 0.007122566 64.80377 33179.53 0 0 0x00 8 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 10 0x0400000001004000 1108716598.694950 1108716598.762308 0.067358 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.021395 0.0134716 0.005884205 74.23023 38005.88 0 0 0x00 9 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 10 0x0400000001004001 1108716598.700250 1108716598.771310 0.071060 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.024598 0.014212 0.007284279 70.36308 36025.89 0 0 0x00 9 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.686079 1108716598.763435 0.077356 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 24 41 18776 34356 16 1072 782.3333 347.4483 0 0.008278 0.003223167 0.002523227 310.2539 242722 -0.2615385 -0.293232 0x00 0 0 0x00000eb0 0x040b 6_1_0 0xc7 0x0000 17 17 65535 65535 65535 65535
B 1 0x0400000001004001 1108716598.686375 1108716598.771526 0.085151 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 "Private network" 7 192.168.170.8 07 "Private network" 7 132 41 24 34356 18776 4 1072 837.9512 288.5713 0 0.013896 0.002076854 0.003394506 481.4976 403471.5 0.2615385 0.293232 0x00 0 0 0x43232544 0x080d 6_0_0 0xc7 0x0000 17 17 4096 4096 4096 4096
A 11 0x0400000001004000 1108716598.694950 1108716598.763435 0.068485 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.022134 0.013697 0.005530534 73.00869 37380.45 0 0 0x00 10 0 0x00000eb0 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 11 0x0400000001004001 1108716598.700597 1108716598.771526 0.070929 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.022732 0.0141858 0.005774313 70.49303 36092.43 0 0 0x00 10 0 0x43232544 0x0001 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
Now each flow has its own flowInd. The same holds for the packets.
head -n 10 ~/results/sctp-multi_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktLen l7Len sctpVTag sctpChkSum sctpChunkType_sid_flags_numDPkts_len_tsn_pid sctpErrType sctpNChunks sctpWin sctpStat l7Content
1 1 0x0400000001004000 1108716598.686079 0.000000 0.000000 0.000000 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 78 32 0x00000000 0x3761a746 1_0_0x00_0_32_65535_1560164255_110011_ 0x0000 1 65535 0x00
2 1 0x0400000001004001 1108716598.686375 0.000000 0.000296 0.000000 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 174 128 0x43232544 0xc9018524 2_0_0x00_0_128_4096_13844_110011_ 0x0000 1 4096 0x00
3 1 0x0400000001004000 1108716598.686862 0.000783 0.000487 0.000783 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 150 104 0x00000eb0 0xb85148ea 10_0_0x00_0_104_0_0_0_ 0x0000 1 0 0x00
4 1 0x0400000001004001 1108716598.687080 0.000705 0.000218 0.000705 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 50 4 0x43232544 0xceec2d79 11_0_0x00_0_4_0_0_0_ 0x0000 1 0 0x00
5 1 0x0400000001004000 1108716598.688291 0.001429 0.001211 0.002212 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 1102 512 0x00000eb0 0xcfbb0406 0_0_0x07_1_528_0_1560164255_0_ 0x0000 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
5 2 0x0400000001004000 1108716598.688291 0.000000 0.000000 0.000000 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - - 7 192.168.170.56 - - 7 132 1102 512 0x00000eb0 0xcfbb0406 0_1_0x07_1_528_0_1560164256_0_ 0x0000 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
6 1 0x0400000001004001 1108716598.688538 0.001458 0.000247 0.002163 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 1118 1072 0x43232544 0xce0c78b4 3_0_0x00_0_16_4096_1560164256_0_ 0x0000 1 4096 0x00
6 1 0x0400000001004001 1108716598.688538 0.000000 0.000247 0.002163 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 1118 512 0x43232544 0xce0c78b4 0_0_0x07_1_528_0_13844_0_ 0x0000 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
6 2 0x0400000001004001 1108716598.688538 0.000000 0.000247 0.000000 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - - 7 192.168.170.8 - - 7 132 1118 512 0x43232544 0xce0c78b4 0_1_0x07_1_528_0_13845_0_ 0x0000 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Now the packet numbers can also be assigned directly to the flow stream; in this special case they match sctpChunk_Sid + 1.
If there are more flows around, this is not the case. Nevertheless, if you extracted an SCTP connection consisting of many streams, this mode considerably facilitates the post-processing with tawk:
head -n 10 ~/results/sctp-multi_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktLen l7Len sctpVTag sctpChunkType_sid_flags_numDPkts_len_tsn_pid sctpNChunks sctpWin sctpStat l7Content
1 1 0x0400000001004000 1108716598.686079 0.000000 0.000000 0.000000 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 78 32 0x00000000 1_0_0x00_0_32_1560164255_110011_ 1 65535 0x00
2 1 0x0400000001004001 1108716598.686375 0.000000 0.000296 0.000000 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 174 128 0x43232544 2_0_0x00_0_128_13844_110011_ 1 4096 0x00
3 1 0x0400000001004000 1108716598.686862 0.000783 0.000487 0.000783 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 150 104 0x00000eb0 10_0_0x00_0_104_0_0_ 1 0 0x00
4 1 0x0400000001004001 1108716598.687080 0.000705 0.000218 0.000705 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 50 4 0x43232544 11_0_0x00_0_4_0_0_ 1 0 0x00
5 1 0x0400000001004000 1108716598.688291 0.001429 0.001211 0.002212 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 1102 512 0x00000eb0 0_0_0x07_1_528_1560164255_0_ 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
5 2 0x0400000001004000 1108716598.688291 0.000000 0.000000 0.000000 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - - 7 192.168.170.56 - - 7 132 1102 512 0x00000eb0 0_1_0x07_1_528_1560164256_0_ 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
6 1 0x0400000001004001 1108716598.688538 0.001458 0.000247 0.002163 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 1118 1072 0x43232544 3_0_0x00_0_16_1560164256_0_ 1 4096 0x00
6 1 0x0400000001004001 1108716598.688538 0.000000 0.000247 0.002163 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 1118 512 0x43232544 0_0_0x07_1_528_13844_0_ 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
6 2 0x0400000001004001 1108716598.688538 0.000000 0.000247 0.000000 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - - 7 192.168.170.8 - - 7 132 1118 512 0x43232544 0_1_0x07_1_528_13845_0_ 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Note that different flowInd values can originate from the same packet, so different streams in a packet now have the same packet number, e.g. pktNo = 5.
Now let's try the SCTP association -> flows mode, which aggregates all packets of an SCTP association into one flow, iff the default 4-tuple aggregation (IPs and ports) is disabled; the protocol is used to segregate the SCTP flows from all other protocols. See the Flexible Flow Aggregation tutorial.
So enable SCTP mode 2 and mask the IPs and the upper range of the ports, as the lower is 1 by default, then recompile and rerun t2 on the pcap.
t2conf tranalyzer2 -D SCTP_ACTIVATE=2 -D AGGREGATIONFLAG=0x1e -D SRCIP4CMSK=0 -D DSTIP4CMSK=0 -D SRCPORTHW=65535 -D DSTPORTHW=65535 && t2build -R
t2 -r ~/data/sctp-multi.pcap -w ~/results/sctp/sctp-multi -s
Note that basicStats only sees the network, as the mask is now /0; the ports are all aggregated in one flow and only the SCTP association counts.
So we expect 2 flows, but we see 3. Why?
tcol ~/results/sctp-multi_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm sctpStat sctpDSNum sctpPID sctpVTag sctpTypeBF sctpCntD_I_A sctpCFlags sctpCCBF sctpASIP sctpIS sctpOS sctpIARW sctpIARWMin sctpIARWMax sctpARW
A 1 0x0400000001004000 1108716598.686079 1108716598.686079 0.000000 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 0.0.0.0 - "-" 1 0.0.0.0 - "-" 1 132 1 0 32 0 32 32 32 0 0 0 0 0 0 0 1 1 0x00 0 0 0x00000000 0x0002 0_1_0 0x00 0x0000 17 17 65535 65535 65535 65535
A 3 0x0400000001004000 1108716598.686862 1108716598.763435 0.076573 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 0.0.0.0 - "-" 1 0.0.0.0 - "-" 1 132 77 0 46392 0 16 1072 602.4935 227.7843 0 0.007658 0.0009944546 0.001732412 1005.576 605853.2 1 1 0x00 11 0 0x00000eb0 0x0409 60_0_0 0xc7 0x0000 0 0 0 65535 65535 65317.21
A 2 0x0400000001004000 1108716598.686375 1108716598.771526 0.085151 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 0.0.0.0 - "-" 1 0.0.0.0 - "-" 1 132 95 0 62004 0 4 1072 652.6737 249.8183 0 0.013896 0.0008963263 0.00247492 1115.665 728165.2 1 1 0x00 11 0 0x43232544 0x080d 60_0_0 0xc7 0x0000 17 17 4096 4096 4096 4096
Ahhh, the first flow contains the SCTP_CT_INIT packet, where the verification tag is 0. Oops.
If you now switch to mode 3, the result is the same as with mode 1, except when more IP streams are involved, but I do not have traffic for that which I can publish.
t2conf tranalyzer2 -D SCTP_ACTIVATE=3 && t2build -R
t2 -r ~/data/sctp-multi.pcap -w ~/results/sctp/sctp-multi -s
...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 25
Number of processed A flows: 25 [100.00%]
Number of request flows: 25 [100.00%]
Total A/B flow asymmetry: 1.00
Total req/rply flow asymmetry: 1.00
...
Then you have 25 instead of 24, for the same reasons. This is experimental, so have patience or give us hints on how to improve the anteater.
Now we look into the plugin sctpDecode, which dissects the chunk information in more detail. It is also currently experimental and programmed according to my needs, so please comment.
sctpDecode
This plugin was designed for a troubleshooting job we had to do at a customer. I will add more in due time, or please give feedback to the anteater email. Then, your request will be integrated.
So what can be configured? Move to the sctpDecode/src directory and open sctpDecode.h.
sctpDecode
vi src/sctpDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define SCTP_CRCADL32CHK 0 // compute 1: CRC32 checksum, 2: ADLER checksum
#define SCTP_CHNKVAL 0 // 0: chunk type bit field,
// 1: chunk type value,
// 2: chunk type as string
#define SCTP_CHNKAGGR 0 // Aggregate chunk types, if SCTP_CHNKVAL > 0
#define SCTP_MAXCTYPE 15 // maximum chunk types to store/flow, if SCTP_CHNKVAL > 0
#define SCTP_ASMX 10 // maximum ASCONF IP
#define SCTP_MXADDR 5 // maximum
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
The plugin computes the different checksums in use, either CRC32 or Adler. By default they are disabled, because they add unnecessary load if you are not interested in them.
Switch on CRC32, as our pcap uses CRC32.
Also reset SCTP_STATFINDEX to 1 via t2conf, recompile everything and rerun t2, again using the -s packet option.
t2conf tranalyzer2 -D SCTP_STATFINDEX=1
t2conf sctpDecode -D SCTP_CRCADL32CHK=1 -D SCTP_CHNKVAL=1
t2build -R
t2 -r ~/data/sctp-multi.pcap -w ~/results/sctp/ -s
...
--------------------------------------------------------------------------------
basicStats: Biggest L3 talker: 192.168.170.56: 41 [55.41%] packets
basicStats: Biggest L3 talker: 192.168.170.56: 39074 (39.07 K) [57.62%] bytes
sctpDecode: aggregated sctpCFlags=0xc7
--------------------------------------------------------------------------------
...
The status in sctpStat reports no checksum errors.
But there are communication errors regarding sequence and association numbers.
We had them earlier in the end report, remember?
The sctpCFlags column with value 0xc7 is to be interpreted as follows:
bit | sctpCFlags | Description
=============================================================================
0   | 0x01       | Last segment
1   | 0x02       | First segment
2   | 0x04       | Ordered delivery
6   | 0x40       | Transmission sequence number Error
7   | 0x80       | Association Sequence Number Error
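The chunk column of the packet file and the sctpCFlags table can be decoded mechanically when post-processing a capture. The following Python script is an added example, not part of Tranalyzer or of the original tutorial: it groups DATA chunks per verification tag and stream, reports packets carrying several streams and packets with verification tag 0, and lists flows with a sequence error bit set. It assumes tab-separated T2 output and uses constructed samples reduced to four columns, with values taken from the output shown on this page; all function names are hypothetical.

```python
import csv
import io
from collections import defaultdict

CHUNK_COL = "sctpChunkType_sid_flags_numDPkts_len_tsn_pid"
CHUNK_KEYS = ("type", "sid", "flags", "numDPkts", "len", "tsn", "pid")
CT_DATA = 0  # DATA chunk type value (RFC 4960); INIT is 1

# Bit meanings copied from the sctpCFlags table of this tutorial.
CFLAGS = {
    0x01: "Last segment",
    0x02: "First segment",
    0x04: "Ordered delivery",
    0x40: "Transmission sequence number Error",
    0x80: "Association Sequence Number Error",
}
ERROR_BITS = 0x40 | 0x80

# Constructed sample: four columns cut from the packet output shown in the
# tutorial (SCTP_STATFINDEX=0); the tab separator is an assumption.
PACKETS = (
    "%pktNo\tflowInd\tsctpVTag\t" + CHUNK_COL + "\n"
    "1\t1\t0x00000000\t1_0_0x00_0_32_1560164255_110011_\n"
    "2\t1\t0x43232544\t2_0_0x00_0_128_13844_110011_\n"
    "3\t1\t0x00000eb0\t10_0_0x00_0_104_0_0_\n"
    "4\t1\t0x43232544\t11_0_0x00_0_4_0_0_\n"
    "5\t1\t0x00000eb0\t0_0_0x07_1_528_1560164255_0_\n"
    "5\t2\t0x00000eb0\t0_1_0x07_1_528_1560164256_0_\n"
    "6\t1\t0x43232544\t3_0_0x00_0_16_1560164256_0_\n"
    "6\t1\t0x43232544\t0_0_0x07_1_528_13844_0_\n"
    "6\t2\t0x43232544\t0_1_0x07_1_528_13845_0_\n"
)

# Constructed sample: four columns cut from the flow output shown in the tutorial.
FLOWS = (
    "%dir\tflowInd\tsctpDSNum\tsctpCFlags\n"
    "A\t12\t11\t0x47\n"
    "B\t12\t11\t0x47\n"
    "A\t2\t1\t0x47\n"
    "A\t1\t0\t0xc7\n"
    "B\t1\t0\t0xc7\n"
)


def to_int(text):
    """Convert a decimal or 0x-prefixed hexadecimal column value."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def read_table(text):
    """Parse a tab-separated table; the '%' of the header line is dropped."""
    reader = csv.reader(io.StringIO(text), delimiter="\t")
    header = [name.lstrip("%") for name in next(reader)]
    return [dict(zip(header, row)) for row in reader if row]


def parse_chunk(field):
    """Split 'type_sid_flags_numDPkts_len_tsn_pid_' into named integers."""
    parts = field.rstrip("_").split("_")
    if len(parts) != len(CHUNK_KEYS):
        raise ValueError(f"unexpected chunk field: {field!r}")
    return {key: to_int(value) for key, value in zip(CHUNK_KEYS, parts)}


def decode_cflags(value):
    """Return the descriptions of all bits set in an sctpCFlags value."""
    return [name for bit, name in sorted(CFLAGS.items()) if value & bit]


def analyse_packets(rows):
    """Group DATA chunks per (vtag, sid); collect multi-stream and vtag-0 packets."""
    streams = defaultdict(list)      # (vtag, sid) -> [(pktNo, tsn), ...]
    sids_per_pkt = defaultdict(set)  # pktNo -> stream ids of its DATA chunks
    zero_vtag = []                   # (pktNo, chunk type) with verification tag 0
    for row in rows:
        pkt, vtag = int(row["pktNo"]), to_int(row["sctpVTag"])
        chunk = parse_chunk(row[CHUNK_COL])
        if vtag == 0:
            zero_vtag.append((pkt, chunk["type"]))
        if chunk["type"] == CT_DATA:
            streams[(vtag, chunk["sid"])].append((pkt, chunk["tsn"]))
            sids_per_pkt[pkt].add(chunk["sid"])
    multi = {p: sorted(s) for p, s in sids_per_pkt.items() if len(s) > 1}
    return dict(streams), multi, zero_vtag


def flows_with_errors(rows):
    """Flows whose sctpCFlags carry a TSN or association sequence error bit."""
    return [(r["dir"], int(r["flowInd"]), to_int(r["sctpCFlags"]))
            for r in rows if to_int(r["sctpCFlags"]) & ERROR_BITS]


if __name__ == "__main__":
    streams, multi, zero_vtag = analyse_packets(read_table(PACKETS))
    for (vtag, sid), chunks in sorted(streams.items()):
        print(f"vtag=0x{vtag:08x} sid={sid}: {chunks}")
    print("packets carrying several streams:", multi)
    print("packets with verification tag 0:", zero_vtag)
    for direction, ind, flags in flows_with_errors(read_table(FLOWS)):
        print(direction, ind, hex(flags), decode_cflags(flags))
```

The packet with verification tag 0 is the INIT chunk that ends up in a flow of its own in mode 2, and the two flows reported with error bits are the ones showing 0xc7 in the flow file.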
Also, the SCTP type bitfield in the end report is gone, because now we list the explicit types in the flow file.
If you look into the flow file, you will note that the bitfield is now replaced by the sctpType column, listing all unique SCTP stream types that appear, separated by ;.
tcol ~/results/sctp-multi_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm sctpStat sctpDSNum sctpPID sctpVTag sctpType sctpCntD_I_A sctpCFlags sctpCCBF sctpASIP sctpIS sctpOS sctpIARW sctpIARWMin sctpIARWMax sctpARW
A 1 0x0400000001004000 1108716598.697367 1108716598.751383 0.054016 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - "-" 7 192.168.170.56 - "-" 7 132 4 4 2048 2048 512 512 512 0 0 0.019717 0.013504 0.005976828 74.05213 37914.69 0 0 0x00 11 0 0x00000eb0 0 4_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.700651 1108716598.756477 0.055826 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 "Private network" 7 192.168.170.8 07 "Private network" 7 132 4 4 2048 2048 512 512 512 0 0 0.022678 0.0139565 0.006462127 71.6512 36685.41 0 0 0x00 11 0 0x43232544 0 4_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.688291 1108716598.751383 0.063092 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - "-" 7 192.168.170.56 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.018223 0.0126184 0.005361295 79.24935 40575.67 0 0 0x00 1 0 0x00000eb0 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.688538 1108716598.756477 0.067939 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.023467 0.0135878 0.006479933 73.59544 37680.86 0 0 0x00 1 0 0x43232544 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.689195 1108716598.752140 0.062945 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.01898 0.012589 0.005557677 79.43443 40670.43 0 0 0x00 2 0 0x00000eb0 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.689402 1108716598.756727 0.067325 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.023467 0.013465 0.006579555 74.26662 38024.51 0 0 0x00 2 0 0x43232544 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.689195 1108716598.753271 0.064076 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.019201 0.0128152 0.005597543 78.03234 39952.56 0 0 0x00 3 0 0x00000eb0 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.689402 1108716598.756967 0.067565 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.021079 0.013513 0.00608459 74.00281 37889.44 0 0 0x00 3 0 0x43232544 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.690095 1108716598.753271 0.063176 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.019201 0.0126352 0.005108401 79.14398 40521.72 0 0 0x00 4 0 0x00000eb0 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.693336 1108716598.756967 0.063631 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.021079 0.0127262 0.005697675 78.57806 40231.96 0 0 0x00 4 0 0x43232544 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.690095 1108716598.760341 0.070246 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.020442 0.0140492 0.005889928 71.17843 36443.36 0 0 0x00 5 0 0x00000eb0 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.693336 1108716598.770863 0.077527 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.02454 0.0155054 0.007011673 64.49366 33020.75 0 0 0x00 5 0 0x43232544 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.693263 1108716598.760341 0.067078 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.020442 0.0134156 0.005683439 74.54008 38164.52 0 0 0x00 6 0 0x00000eb0 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.693951 1108716598.770863 0.076912 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.02454 0.0153824 0.006592538 65.00936 33284.79 0 0 0x00 6 0 0x43232544 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.693263 1108716598.761549 0.068286 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.019427 0.0136572 0.005618318 73.22145 37489.38 0 0 0x00 7 0 0x00000eb0 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.693951 1108716598.771163 0.077212 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.024675 0.0154424 0.006634399 64.75677 33155.47 0 0 0x00 7 0 0x43232544 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.693735 1108716598.761549 0.067814 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - "-" 7 192.168.170.56 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.021395 0.0135628 0.00574128 73.73109 37750.32 0 0 0x00 8 0 0x00000eb0 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.694007 1108716598.771163 0.077156 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 "Private network" 7 192.168.170.8 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.024451 0.0154312 0.007122566 64.80377 33179.53 0 0 0x00 8 0 0x43232544 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.694950 1108716598.762308 0.067358 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.021395 0.0134716 0.005884205 74.23023 38005.88 0 0 0x00 9 0 0x00000eb0 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.700250 1108716598.771310 0.071060 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.024598 0.014212 0.007284279 70.36308 36025.89 0 0 0x00 9 0 0x43232544 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.686079 1108716598.763435 0.077356 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 24 41 18776 34356 16 1072 782.3333 347.4483 0 0.008278 0.003223167 0.002523227 310.2539 242722 -0.2615385 -0.293232 0x00 0 0 0x00000eb0 1;10;0;3 6_1_0 0xc7 0x0000 17 17 65535 65535 65535 65535
B 1 0x0400000001004001 1108716598.686375 1108716598.771526 0.085151 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 "Private network" 7 192.168.170.8 07 "Private network" 7 132 41 24 34356 18776 4 1072 837.9512 288.5713 0 0.013896 0.002076854 0.003394506 481.4976 403471.5 0.2615385 0.293232 0x00 0 0 0x43232544 2;11;3;0 6_0_0 0xc7 0x0000 17 17 4096 4096 4096 4096
A 1 0x0400000001004000 1108716598.694950 1108716598.763435 0.068485 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.022134 0.013697 0.005530534 73.00869 37380.45 0 0 0x00 10 0 0x00000eb0 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.700597 1108716598.771526 0.070929 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.022732 0.0141858 0.005774313 70.49303 36092.43 0 0 0x00 10 0 0x43232544 0 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
The same happens in the packet file, so we go directly to the human-readable configuration.
For human-readable output, set SCTP_CHNKVAL to 2, recompile sctpDecode and rerun t2.
t2conf sctpDecode -D SCTP_CHNKVAL=2 && t2build sctpDecode
t2 -r ~/data/sctp-multi.pcap -w ~/results/sctp-multi -s
Now the type is human readable.
tcol ~/results/sctp-multi_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm sctpStat sctpDSNum sctpPID sctpVTag sctpTypeN sctpCntD_I_A sctpCFlags sctpCCBF sctpASIP sctpIS sctpOS sctpIARW sctpIARWMin sctpIARWMax sctpARW
A 1 0x0400000001004000 1108716598.697367 1108716598.751383 0.054016 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - "-" 7 192.168.170.56 - "-" 7 132 4 4 2048 2048 512 512 512 0 0 0.019717 0.013504 0.005976828 74.05213 37914.69 0 0 0x00 11 0 0x00000eb0 DATA 4_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.700651 1108716598.756477 0.055826 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 "Private network" 7 192.168.170.8 07 "Private network" 7 132 4 4 2048 2048 512 512 512 0 0 0.022678 0.0139565 0.006462127 71.6512 36685.41 0 0 0x00 11 0 0x43232544 DATA 4_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.688291 1108716598.751383 0.063092 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - "-" 7 192.168.170.56 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.018223 0.0126184 0.005361295 79.24935 40575.67 0 0 0x00 1 0 0x00000eb0 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.688538 1108716598.756477 0.067939 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.023467 0.0135878 0.006479933 73.59544 37680.86 0 0 0x00 1 0 0x43232544 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.689195 1108716598.752140 0.062945 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.01898 0.012589 0.005557677 79.43443 40670.43 0 0 0x00 2 0 0x00000eb0 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.689402 1108716598.756727 0.067325 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.023467 0.013465 0.006579555 74.26662 38024.51 0 0 0x00 2 0 0x43232544 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.689195 1108716598.753271 0.064076 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.019201 0.0128152 0.005597543 78.03234 39952.56 0 0 0x00 3 0 0x00000eb0 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.689402 1108716598.756967 0.067565 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.021079 0.013513 0.00608459 74.00281 37889.44 0 0 0x00 3 0 0x43232544 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.690095 1108716598.753271 0.063176 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.019201 0.0126352 0.005108401 79.14398 40521.72 0 0 0x00 4 0 0x00000eb0 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.693336 1108716598.756967 0.063631 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.021079 0.0127262 0.005697675 78.57806 40231.96 0 0 0x00 4 0 0x43232544 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.690095 1108716598.760341 0.070246 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.020442 0.0140492 0.005889928 71.17843 36443.36 0 0 0x00 5 0 0x00000eb0 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.693336 1108716598.770863 0.077527 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.02454 0.0155054 0.007011673 64.49366 33020.75 0 0 0x00 5 0 0x43232544 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.693263 1108716598.760341 0.067078 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.020442 0.0134156 0.005683439 74.54008 38164.52 0 0 0x00 6 0 0x00000eb0 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.693951 1108716598.770863 0.076912 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.02454 0.0153824 0.006592538 65.00936 33284.79 0 0 0x00 6 0 0x43232544 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.693263 1108716598.761549 0.068286 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.019427 0.0136572 0.005618318 73.22145 37489.38 0 0 0x00 7 0 0x00000eb0 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.693951 1108716598.771163 0.077212 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.024675 0.0154424 0.006634399 64.75677 33155.47 0 0 0x00 7 0 0x43232544 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.693735 1108716598.761549 0.067814 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - "-" 7 192.168.170.56 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.021395 0.0135628 0.00574128 73.73109 37750.32 0 0 0x00 8 0 0x00000eb0 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.694007 1108716598.771163 0.077156 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 "Private network" 7 192.168.170.8 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.024451 0.0154312 0.007122566 64.80377 33179.53 0 0 0x00 8 0 0x43232544 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.694950 1108716598.762308 0.067358 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.021395 0.0134716 0.005884205 74.23023 38005.88 0 0 0x00 9 0 0x00000eb0 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.700250 1108716598.771310 0.071060 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.024598 0.014212 0.007284279 70.36308 36025.89 0 0 0x00 9 0 0x43232544 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
A 1 0x0400000001004000 1108716598.686079 1108716598.763435 0.077356 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 24 41 18776 34356 16 1072 782.3333 347.4483 0 0.008278 0.003223167 0.002523227 310.2539 242722 -0.2615385 -0.293232 0x00 0 0 0x00000eb0 INIT;COOKIE-ECHO;DATA;SACK 6_1_0 0xc7 0x0000 17 17 65535 65535 65535 65535
B 1 0x0400000001004001 1108716598.686375 1108716598.771526 0.085151 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 "Private network" 7 192.168.170.8 07 "Private network" 7 132 41 24 34356 18776 4 1072 837.9512 288.5713 0 0.013896 0.002076854 0.003394506 481.4976 403471.5 0.2615385 0.293232 0x00 0 0 0x43232544 INIT-ACK;COOKIE-ACK;SACK;DATA 6_0_0 0xc7 0x0000 17 17 4096 4096 4096 4096
A 1 0x0400000001004000 1108716598.694950 1108716598.763435 0.068485 1 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 "Private network" 7 192.168.170.56 07 "Private network" 7 132 5 5 2560 2560 512 512 512 0 0 0.022134 0.013697 0.005530534 73.00869 37380.45 0 0 0x00 10 0 0x00000eb0 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
B 1 0x0400000001004001 1108716598.700597 1108716598.771526 0.070929 1 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - "-" 7 192.168.170.8 - "-" 7 132 5 5 2560 2560 512 512 512 0 0 0.022732 0.0141858 0.005774313 70.49303 36092.43 0 0 0x00 10 0 0x43232544 DATA 5_0_0 0x47 0x0000 0 0 0 4294967295 0 0
The same happens to the sctpChunkType_sid_flags_numDPkts_len_tsn_pid field in the packet file. Also note the sctpCalCRCChkSum column, similar to the tcpFlags plugin.
head -n 10 ~/results/sctp-multi_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pktLen l7Len sctpVTag sctpChkSum sctpCalCRCChkSum sctpChunkType_sid_flags_numDPkts_len_tsn_pid sctpErrType sctpNChunks sctpWin sctpStat l7Content
1 1 0x0400000001004000 1108716598.686079 0.000000 0.000000 0.000000 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 78 32 0x00000000 0x3761a746 0x3761a746 INIT_0_0x00_0_32_65535_1560164255_110011_ 0x0000 1 65535 0x00
2 1 0x0400000001004001 1108716598.686375 0.000000 0.000296 0.000000 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 174 128 0x43232544 0xc9018524 0xc9018524 INIT-ACK_0_0x00_0_128_4096_13844_110011_ 0x0000 1 4096 0x00
3 1 0x0400000001004000 1108716598.686862 0.000783 0.000487 0.000783 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 150 104 0x00000eb0 0xb85148ea 0xb85148ea COOKIE-ECHO_0_0x00_0_104_0_0_0_ 0x0000 1 0 0x00
4 1 0x0400000001004001 1108716598.687080 0.000705 0.000218 0.000705 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 50 4 0x43232544 0xceec2d79 0xceec2d79 COOKIE-ACK_0_0x00_0_4_0_0_0_ 0x0000 1 0 0x00
5 1 0x0400000001004000 1108716598.688291 0.001429 0.001211 0.002212 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 07 Private network 7 192.168.170.56 07 Private network 7 132 1102 512 0x00000eb0 0xcfbb0406 0xcfbb0406 DATA_0_0x07_1_528_0_1560164255_0_ 0x0000 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
5 1 0x0400000001004000 1108716598.688291 0.000000 0.000000 0.000000 3 eth:ipv4:sctp 00:e0:18:b1:0c:ad 00:60:08:45:e4:55 0x0800 192.168.170.8 - - 7 192.168.170.56 - - 7 132 1102 512 0x00000eb0 0xcfbb0406 0xcfbb0406 DATA_1_0x07_1_528_0_1560164256_0_ 0x0000 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
6 1 0x0400000001004001 1108716598.688538 0.001458 0.000247 0.002163 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 1118 1072 0x43232544 0xce0c78b4 0xce0c78b4 SACK_0_0x00_0_16_4096_1560164256_0_ 0x0000 1 4096 0x00
6 1 0x0400000001004001 1108716598.688538 0.000000 0.000247 0.002163 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 07 Private network 7 192.168.170.8 07 Private network 7 132 1118 512 0x43232544 0xce0c78b4 0xce0c78b4 DATA_0_0x07_1_528_0_13844_0_ 0x0000 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
6 1 0x0400000001004001 1108716598.688538 0.000000 0.000247 0.000000 3 eth:ipv4:sctp 00:60:08:45:e4:55 00:e0:18:b1:0c:ad 0x0800 192.168.170.56 - - 7 192.168.170.8 - - 7 132 1118 512 0x43232544 0xce0c78b4 0xce0c78b4 DATA_1_0x07_1_528_0_13845_0_ 0x0000 1 0 0x00 ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
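The packet file can be checked mechanically: the following added example (not part of the original tutorial or of Tranalyzer) compares sctpChkSum with sctpCalCRCChkSum, flags INIT chunks whose verification tag is not 0, and counts chunk rows per packet. It assumes the packet file is tab-separated; the function names and the pktNo 7 row are hypothetical, and the sample rows are constructed from the listing above.

```python
import csv
import io
from collections import Counter

CHUNK_COL = "sctpChunkType_sid_flags_numDPkts_len_tsn_pid"

# Constructed sample: tab-separated, reduced to the columns used below.
# pktNo 1, 2 and 5 copy values from the listing above; pktNo 7 is invented
# so that both checks fire.
ROWS = [
    ["%pktNo", "sctpVTag", "sctpChkSum", "sctpCalCRCChkSum", CHUNK_COL],
    ["1", "0x00000000", "0x3761a746", "0x3761a746", "INIT_0_0x00_0_32_65535_1560164255_110011_"],
    ["2", "0x43232544", "0xc9018524", "0xc9018524", "INIT-ACK_0_0x00_0_128_4096_13844_110011_"],
    ["5", "0x00000eb0", "0xcfbb0406", "0xcfbb0406", "DATA_0_0x07_1_528_0_1560164255_0_"],
    ["5", "0x00000eb0", "0xcfbb0406", "0xcfbb0406", "DATA_1_0x07_1_528_0_1560164256_0_"],
    ["7", "0x0000beef", "0xdeadbeef", "0x12345678", "INIT_0_0x00_0_32_65535_1_0_"],
]
SAMPLE = "".join("\t".join(r) + "\n" for r in ROWS)


def parse_chunk(field):
    """Split the chunk column; only the five leading subfields are named."""
    parts = field.rstrip("_").split("_")
    if len(parts) < 5:
        raise ValueError(f"unexpected chunk field: {field!r}")
    return {"type": parts[0], "sid": int(parts[1]), "flags": int(parts[2], 16),
            "numDPkts": int(parts[3]), "len": int(parts[4]), "rest": parts[5:]}


def audit(text):
    """Return (findings, chunk rows per packet) for packet-file text."""
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    header = [h.lstrip("%") for h in next(reader)]
    col = {name: i for i, name in enumerate(header)}
    need = ("pktNo", "sctpVTag", "sctpChkSum", "sctpCalCRCChkSum", CHUNK_COL)
    last = max(col[n] for n in need)
    findings, per_pkt = [], Counter()
    for row in reader:
        if len(row) <= last or not row[col[CHUNK_COL]]:
            continue  # truncated line or a row without an SCTP chunk
        pkt = row[col["pktNo"]]
        chunk = parse_chunk(row[col[CHUNK_COL]])
        per_pkt[pkt] += 1  # one row per chunk, so >1 means bundled chunks
        wire = int(row[col["sctpChkSum"]], 16)
        calc = int(row[col["sctpCalCRCChkSum"]], 16)
        if wire != calc and (pkt, "checksum mismatch") not in findings:
            findings.append((pkt, "checksum mismatch"))
        # RFC 4960, 8.5.1: a packet carrying INIT has verification tag 0.
        if chunk["type"] == "INIT" and int(row[col["sctpVTag"]], 16) != 0:
            findings.append((pkt, "INIT with non-zero verification tag"))
    return findings, per_pkt


if __name__ == "__main__":
    found, bundled = audit(SAMPLE)
    for pkt, reason in found:
        print(f"packet {pkt}: {reason}")
    print({p: n for p, n in bundled.items() if n > 1})
```

To run it on real output, pass the contents of ~/results/sctp-multi_packets.txt to audit() instead of SAMPLE.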
Conclusion
Don’t forget to reset all config for the next tutorials so that the output between your T2 and the tutorial webpage matches. Here is the reset command:
t2conf -a --reset && t2build -R
Have fun experimenting.