[SCM] Samba Shared Repository - branch master updated

Douglas Bagnall dbagnall at samba.org
Wed Mar 1 08:02:02 UTC 2017


The branch, master has been updated
       via  b12562f script: Add test script for traffic_summary.pl
       via  2b62caf script: Add script to provide an anonymous summary from tshark
       via  0dc54a4 script: Add test data for traffic_summary.pl
      from  6651b07 samdb: Fix a typo

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b12562fac096c0a1a76fa80942e3ab90d2d33547
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Fri Feb 17 14:55:10 2017 +1300

    script: Add test script for traffic_summary.pl
    
    Add the test script for traffic_summary.pl, test data in previous
    commit.
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
    Autobuild-Date(master): Wed Mar  1 09:01:07 CET 2017 on sn-devel-144

commit 2b62cafeacf79c83eabab5ba7ad85715997492a7
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Fri Feb 17 10:51:43 2017 +1300

    script: Add script to provide an anonymous summary from tshark
    
    tshark must be run so that it outputs a PDML XML stream, which this script
    reads. The summary is intended to avoid exposing private or customer data
    while still giving a good view of the range and frequency of the network traffic.
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0dc54a42e7d8d83397756ea73df977705ac30051
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Fri Feb 17 10:49:16 2017 +1300

    script: Add test data for traffic_summary.pl
    
    The network capture summary tool itself will be added in the next commit.
    
    This sample is taken from make test under SOCKET_WRAPPER_PCAP_FILE
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 script/testdata/traffic_summary.expected |   29 +
 script/testdata/traffic_summary.pdml     | 4989 ++++++++++++++++++++++++++++++
 script/tests/test_traffic_summary.sh     |   47 +
 script/traffic_summary.pl                |  707 +++++
 selftest/tests.py                        |    4 +
 5 files changed, 5776 insertions(+)
 create mode 100644 script/testdata/traffic_summary.expected
 create mode 100644 script/testdata/traffic_summary.pdml
 create mode 100755 script/tests/test_traffic_summary.sh
 create mode 100755 script/traffic_summary.pl


Changeset truncated at 500 lines:

diff --git a/script/testdata/traffic_summary.expected b/script/testdata/traffic_summary.expected
new file mode 100644
index 0000000..b1db327
--- /dev/null
+++ b/script/testdata/traffic_summary.expected
@@ -0,0 +1,29 @@
+1486690576.530451000	11	0	1	2	nbns	0	query
+1486690578.137335000	06	0	3	3	kerberos	10	krb-as-req	machine
+1486690578.141276000	06	0	3	3	kerberos	11	krb-as-rep	
+1486690584.104038000	06	49	4	3	kerberos	10	krb-as-req	user
+1486690584.108221000	06	49	3	4	kerberos	11	krb-as-rep	
+1486690584.139378000	06	50	4	3	kerberos	14	krb-ap-req	
+1486690584.143220000	06	50	3	4	kerberos	13	krb-tgs-rep	
+1486690584.770344000	06	60	4	3	ldap	0	bindRequest					3	sasl	1.3.6.1.5.5.2
+1486690584.774978000	06	60	3	4	ldap	1	bindResponse							
+1486690584.775218000	06	60	4	3	ldap	3	searchRequest			(objectClass=*)	rootDomainNamingContext,configurationNamingContext,schemaNamingContext,defaultNamingContext			
+1486690584.775574000	06	60	4	3	ldap	3	searchRequest		DC,DC,DC	(objectSid)	objectSid			
+1486690586.238734000	06	92	4	3	ldap	3	searchRequest	2	WKGUID,DC,DC,DC	(objectClass=*)				
+1486934236.150107000		6	5	6	smb	255	No further commands (0xff)
+1486934236.150278000		6	6	5	dcerpc	11	Bind
+1486934236.201029000		6	6	5	srvsvc	15	NetShareEnumAll
+1486934237.552194000	11	30	7	3	browser	0x00000008	Browser Election Request (0x08)
+1486690678.178692000	06	1177	8	9	lsarpc	27	lsa_SetInformationTrustedDomain
+1486690679.853951000	06	1183	9	8	epm	3	Map
+1486690679.854842000	06	1184	9	8	rpc_netlogon	4	NetrServerReqChallenge
+1487197586.858394000	11	66	10	8	cldap	3	searchRequest			(&(&(NtVer)(DnsDomain))(AAC))	NetLogon			
+1487197586.864862000	06	12	10	8	smb2	0	Negotiate Protocol
+1487197588.515337000	11	76	10	11	dns	0	query
+1487197588.911149000	11	76	11	10	dns	1	response
+1487197589.619792000	06	29	10	10	dnsserver	9	DnssrvUpdateRecord2
+1487200690.757022000	06	10	4	3	samr	0	Connect
+1487200691.039416000	06	14	4	3	drsuapi	0	DsBind
+1486934584.809271000	11	322	12	7	smb_netlogon	0x00000012	SAM LOGON request from client (0x12)
+1486690719.940434000	06	1400	4	3	ldap	6	modifyRequest				servicePrincipalName	2	replace	
+1486690682.579057000	06	1207	4	3	ldap	0	bindRequest					0	simple	
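Review bot: Three rows of this fixture (the `smb`, `dcerpc` and `srvsvc` lines) have an empty second column, where every other row carries the IP protocol number (`06` or `11`, matching the `ip.proto` values in the sample PDML), so the expected output pins a blank transport protocol for those packets. The packets behind these rows are outside the visible part of traffic_summary.pdml, so the cause cannot be confirmed here; if they are IPv6 frames they would have no `ip.proto` field, and the value would have to come from the IPv6 next-header field instead. Anyone filtering the anonymised summary by transport protocol would silently skip such rows, so it is worth either filling the column or stating in the script's documentation that it can be empty. The fixture also has no description of its tab-separated columns; since the file is compared verbatim, a short column list in test_traffic_summary.sh or in the script's usage text would make a failing comparison easier to read.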
diff --git a/script/testdata/traffic_summary.pdml b/script/testdata/traffic_summary.pdml
new file mode 100644
index 0000000..ac56a24
--- /dev/null
+++ b/script/testdata/traffic_summary.pdml
@@ -0,0 +1,4989 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="pdml2html.xsl"?>
+<!-- You can find pdml2html.xsl in /usr/share/wireshark or at https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=pdml2html.xsl. -->
+<!-- Examples in this file are taken from a packet capture of make test -->
+<!-- where values where too large and of no interest they where  replaced with "...elided..." -->
+<pdml version="0" creator="wireshark/2.0.2" time="Wed Feb 15 14:51:04 2017" capture_file="sample.pcap">
+
+<packet>
+  <proto name="geninfo" pos="0" showname="General information" size="78">
+    <field name="num" pos="0" show="1" showname="Number" value="1" size="78"/>
+    <field name="len" pos="0" show="78" showname="Frame Length" value="4e" size="78"/>
+    <field name="caplen" pos="0" show="78" showname="Captured Length" value="4e" size="78"/>
+    <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:16.530451000 NZDT" showname="Captured Time" value="1486690576.530451000" size="78"/>
+  </proto>
+  <proto name="frame" showname="Frame 1: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)" size="78" pos="0">
+    <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
+    <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:16.530451000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:16.530451000 NZDT"/>
+    <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
+    <field name="frame.time_epoch" showname="Epoch Time: 1486690576.530451000 seconds" size="0" pos="0" show="1486690576.530451000"/>
+    <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
+    <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
+    <field name="frame.time_relative" showname="Time since reference or first frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
+    <field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/>
+    <field name="frame.len" showname="Frame Length: 78 bytes (624 bits)" size="0" pos="0" show="78"/>
+    <field name="frame.cap_len" showname="Capture Length: 78 bytes (624 bits)" size="0" pos="0" show="78"/>
+    <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
+    <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
+    <field name="frame.protocols" showname="Protocols in frame: raw:ip:udp:nbns" size="0" pos="0" show="raw:ip:udp:nbns"/>
+  </proto>
+  <proto name="raw" showname="Raw packet data" size="78" pos="0"/>
+  <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.255.255.255" size="20" pos="0">
+    <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
+    <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
+    <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
+      <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
+      <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
+    </field>
+    <field name="ip.len" showname="Total Length: 78" size="2" pos="2" show="78" value="004e"/>
+    <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
+    <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
+      <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
+      <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
+      <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
+    </field>
+    <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
+    <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
+    <field name="ip.proto" showname="Protocol: UDP (17)" size="1" pos="9" show="17" value="11"/>
+    <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
+      <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
+      <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
+    </field>
+   <field name="ip.src" showname="Source: 127.0.0.1" size="4" pos="12" show="127.0.0.1" value="7f000001"/>
+    <field name="ip.addr" showname="Source or Destination Address: 127.0.0.1" hide="yes" size="4" pos="12" show="127.0.0.1" value="7f000001"/>
+    <field name="ip.src_host" showname="Source Host: 127.0.0.1" hide="yes" size="4" pos="12" show="127.0.0.1" value="7f000001"/>
+    <field name="ip.host" showname="Source or Destination Host: 127.0.0.1" hide="yes" size="4" pos="12" show="127.0.0.1" value="7f000001"/>
+    <field name="ip.dst" showname="Destination: 127.255.255.255" size="4" pos="16" show="127.255.255.255" value="7fffffff"/>
+    <field name="ip.addr" showname="Source or Destination Address: 127.255.255.255" hide="yes" size="4" pos="16" show="127.255.255.255" value="7fffffff"/>
+    <field name="ip.dst_host" showname="Destination Host: 127.255.255.255" hide="yes" size="4" pos="16" show="127.255.255.255" value="7fffffff"/>
+    <field name="ip.host" showname="Source or Destination Host: 127.255.255.255" hide="yes" size="4" pos="16" show="127.255.255.255" value="7fffffff"/>
+    <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000001"/>
+    <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7fffffff"/>
+  </proto>
+  <proto name="udp" showname="User Datagram Protocol, Src Port: 14705 (14705), Dst Port: 137 (137)" size="8" pos="20">
+    <field name="udp.srcport" showname="Source Port: 14705" size="2" pos="20" show="14705" value="3971"/>
+    <field name="udp.dstport" showname="Destination Port: 137" size="2" pos="22" show="137" value="0089"/>
+    <field name="udp.port" showname="Source or Destination Port: 14705" hide="yes" size="2" pos="20" show="14705" value="3971"/>
+    <field name="udp.port" showname="Source or Destination Port: 137" hide="yes" size="2" pos="22" show="137" value="0089"/>
+    <field name="udp.length" showname="Length: 58" size="2" pos="24" show="58" value="003a"/>
+    <field name="udp.checksum" showname="Checksum: 0x0000 (none)" size="2" pos="26" show="0x00000000" value="0000">
+      <field name="udp.checksum_good" showname="Good Checksum: False" size="2" pos="26" show="0" value="0000"/>
+      <field name="udp.checksum_bad" showname="Bad Checksum: False" size="2" pos="26" show="0" value="0000"/>
+    </field>
+    <field name="udp.stream" showname="Stream index: 0" size="0" pos="28" show="0"/>
+  </proto>
+  <proto name="nbns" showname="NetBIOS Name Service" size="50" pos="28">
+    <field name="nbns.id" showname="Transaction ID: 0x29d6" size="2" pos="28" show="0x000029d6" value="29d6"/>
+    <field name="nbns.flags" showname="Flags: 0x0010, Opcode: Name query, Broadcast" size="2" pos="30" show="0x00000010" value="0010">
+      <field name="nbns.flags.response" showname="0... .... .... .... = Response: Message is a query" size="2" pos="30" show="0" value="0" unmaskedvalue="0010"/>
+      <field name="nbns.flags.opcode" showname=".000 0... .... .... = Opcode: Name query (0)" size="2" pos="30" show="0" value="0" unmaskedvalue="0010"/>
+      <field name="nbns.flags.truncated" showname=".... ..0. .... .... = Truncated: Message is not truncated" size="2" pos="30" show="0" value="0" unmaskedvalue="0010"/>
+      <field name="nbns.flags.recdesired" showname=".... ...0 .... .... = Recursion desired: Don&#x27;t do query recursively" size="2" pos="30" show="0" value="0" unmaskedvalue="0010"/>
+      <field name="nbns.flags.broadcast" showname=".... .... ...1 .... = Broadcast: Broadcast packet" size="2" pos="30" show="1" value="FFFFFFFF" unmaskedvalue="0010"/>
+    </field>
+    <field name="nbns.count.queries" showname="Questions: 1" size="2" pos="32" show="1" value="0001"/>
+    <field name="nbns.count.answers" showname="Answer RRs: 0" size="2" pos="34" show="0" value="0000"/>
+    <field name="nbns.count.auth_rr" showname="Authority RRs: 0" size="2" pos="36" show="0" value="0000"/>
+    <field name="nbns.count.add_rr" showname="Additional RRs: 0" size="2" pos="38" show="0" value="0000"/>
+    <field name="" show="Queries" size="38" pos="40" value="20454d455045444542454d454545444341434143414341434143414341434141410000200001">
+      <field name="" show="LOCALDC<00>: type NB, class IN" size="38" pos="40" value="20454d455045444542454d454545444341434143414341434143414341434141410000200001">
+        <field name="nbns.name" showname="Name: LOCALDC<00> (Workstation/Redirector)" size="34" pos="40" show="LOCALDC<00>" value="20454d455045444542454d4545454443414341434143414341434143414341414100"/>
+        <field name="nbns.type" showname="Type: NB (32)" size="2" pos="74" show="32" value="0020"/>
+        <field name="nbns.class" showname="Class: IN (1)" size="2" pos="76" show="1" value="0001"/>
+      </field>
+    </field>
+  </proto>
+</packet>
+
+<packet>
+  <proto name="geninfo" pos="0" showname="General information" size="296">
+    <field name="num" pos="0" show="47" showname="Number" value="2f" size="296"/>
+    <field name="len" pos="0" show="296" showname="Frame Length" value="128" size="296"/>
+    <field name="caplen" pos="0" show="296" showname="Captured Length" value="128" size="296"/>
+    <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:18.137335000 NZDT" showname="Captured Time" value="1486690578.137335000" size="296"/>
+  </proto>
+  <proto name="frame" showname="Frame 47: 296 bytes on wire (2368 bits), 296 bytes captured (2368 bits)" size="296" pos="0">
+    <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
+    <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:18.137335000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:18.137335000 NZDT"/>
+    <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
+    <field name="frame.time_epoch" showname="Epoch Time: 1486690578.137335000 seconds" size="0" pos="0" show="1486690578.137335000"/>
+    <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000016000 seconds" size="0" pos="0" show="0.000016000"/>
+    <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000016000 seconds" size="0" pos="0" show="0.000016000"/>
+    <field name="frame.time_relative" showname="Time since reference or first frame: 1.606884000 seconds" size="0" pos="0" show="1.606884000"/>
+    <field name="frame.number" showname="Frame Number: 47" size="0" pos="0" show="47"/>
+    <field name="frame.len" showname="Frame Length: 296 bytes (2368 bits)" size="0" pos="0" show="296"/>
+    <field name="frame.cap_len" showname="Capture Length: 296 bytes (2368 bits)" size="0" pos="0" show="296"/>
+    <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
+    <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
+    <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
+  </proto>
+  <proto name="raw" showname="Raw packet data" size="296" pos="0"/>
+  <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.21, Dst: 127.0.0.21" size="20" pos="0">
+    <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
+    <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
+    <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
+      <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
+      <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
+    </field>
+    <field name="ip.len" showname="Total Length: 296" size="2" pos="2" show="296" value="0128"/>
+    <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
+    <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
+      <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
+      <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
+      <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
+    </field>
+    <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
+    <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
+    <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
+    <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
+      <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
+      <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
+    </field>
+    <field name="ip.src" showname="Source: 127.0.0.21" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.src_host" showname="Source Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
+    <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000015"/>
+    <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
+  </proto>
+  <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14723 (14723), Dst Port: 88 (88), Seq: 1, Ack: 1, Len: 256" size="20" pos="20">
+    <field name="tcp.srcport" showname="Source Port: 14723" size="2" pos="20" show="14723" value="3983"/>
+    <field name="tcp.dstport" showname="Destination Port: 88" size="2" pos="22" show="88" value="0058"/>
+    <field name="tcp.port" showname="Source or Destination Port: 14723" hide="yes" size="2" pos="20" show="14723" value="3983"/>
+    <field name="tcp.port" showname="Source or Destination Port: 88" hide="yes" size="2" pos="22" show="88" value="0058"/>
+    <field name="tcp.stream" showname="Stream index: 0" size="0" pos="20" show="0"/>
+    <field name="tcp.len" showname="TCP Segment Len: 256" size="1" pos="32" show="256" value="50"/>
+    <field name="tcp.seq" showname="Sequence number: 1    (relative sequence number)" size="4" pos="24" show="1" value="00000001"/>
+    <field name="tcp.nxtseq" showname="Next sequence number: 257    (relative sequence number)" size="0" pos="20" show="257"/>
+    <field name="tcp.ack" showname="Acknowledgment number: 1    (relative ack number)" size="4" pos="28" show="1" value="00000001"/>
+    <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
+    <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
+      <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
+      <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
+      <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
+      <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
+      <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
+      <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
+      <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
+      <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
+      <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
+      <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
+      <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
+    </field>
+    <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
+    <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
+    <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
+    <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
+      <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
+      <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
+    </field>
+    <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
+    <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
+      <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000012000 seconds" size="0" pos="20" show="0.000012000"/>
+      <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 256" size="0" pos="20" show="256"/>
+    </field>
+    <field name="tcp.pdu.size" showname="PDU Size: 256" size="256" pos="40" show="256" value="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"/>
+  </proto>
+  <proto name="kerberos" showname="Kerberos" size="256" pos="40">
+    <field name="" show="Record Mark: 252 bytes" size="4" pos="40" value="000000fc">
+      <field name="kerberos.rm.reserved" showname="0... .... .... .... .... .... .... .... = Reserved: Not set" size="4" pos="40" show="0" value="0" unmaskedvalue="000000fc"/>
+      <field name="kerberos.rm.length" showname=".000 0000 0000 0000 0000 0000 1111 1100 = Record Length: 252" size="4" pos="40" show="252" value="FC" unmaskedvalue="000000fc"/>
+    </field>
+    <field name="kerberos.as_req_element" showname="as-req" size="249" pos="47" show="" value="">
+      <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="54" show="5" value="05"/>
+      <field name="kerberos.msg_type" showname="msg-type: krb-as-req (10)" size="1" pos="59" show="10" value="0a"/>
+      <field name="kerberos.padata" showname="padata: 1 item" size="78" pos="64" show="1" value="304ca103020102a24504433041a003020112a23a0438cecfe4905d9670c770a992a4645a9c477b639cfafad21ba2e12cc397eb617687733caf785f07d6f23cf87adc9a1fc5cb1b3ca7e6d17cc86f">
+        <field name="kerberos.PA_DATA_element" showname="PA-DATA PA-ENC-TIMESTAMP" size="78" pos="64" show="" value="">
+          <field name="kerberos.padata_type" showname="padata-type: kRB5-PADATA-ENC-TIMESTAMP (2)" size="1" pos="70" show="2" value="02">
+            <field name="kerberos.padata_value" showname="padata-value: 3041a003020112a23a0438cecfe4905d9670c770a992a464..." size="67" pos="75" show="30:41:a0:03:02:01:12:a2:3a:04:38:ce:cf:e4:90:5d:96:70:c7:70:a9:92:a4:64:5a:9c:47:7b:63:9c:fa:fa:d2:1b:a2:e1:2c:c3:97:eb:61:76:87:73:3c:af:78:5f:07:d6:f2:3c:f8:7a:dc:9a:1f:c5:cb:1b:3c:a7:e6:d1:7c:c8:6f" value="3041a003020112a23a0438cecfe4905d9670c770a992a4645a9c477b639cfafad21ba2e12cc397eb617687733caf785f07d6f23cf87adc9a1fc5cb1b3ca7e6d17cc86f">
+              <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="81" show="18" value="12"/>
+              <field name="kerberos.cipher" showname="cipher: cecfe4905d9670c770a992a4645a9c477b639cfafad21ba2..." size="56" pos="86" show="ce:cf:e4:90:5d:96:70:c7:70:a9:92:a4:64:5a:9c:47:7b:63:9c:fa:fa:d2:1b:a2:e1:2c:c3:97:eb:61:76:87:73:3c:af:78:5f:07:d6:f2:3c:f8:7a:dc:9a:1f:c5:cb:1b:3c:a7:e6:d1:7c:c8:6f" value="cecfe4905d9670c770a992a4645a9c477b639cfafad21ba2e12cc397eb617687733caf785f07d6f23cf87adc9a1fc5cb1b3ca7e6d17cc86f"/>
+            </field>
+          </field>
+        </field>
+      </field>
+      <field name="kerberos.req_body_element" showname="req-body" size="151" pos="145" show="" value="">
+        <field name="ber.bitstring.padding" showname="Padding: 0" size="1" pos="152" show="0" value="00"/>
+        <field name="kerberos.kdc_options" showname="kdc-options: 00000000" size="4" pos="153" show="00:00:00:00" value="00000000">
+          <field name="kerberos.reserved" showname="0... .... = reserved: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.forwardable" showname=".0.. .... = forwardable: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.forwarded" showname="..0. .... = forwarded: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.proxiable" showname="...0 .... = proxiable: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.proxy" showname=".... 0... = proxy: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.allow-postdate" showname=".... .0.. = allow-postdate: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.postdated" showname=".... ..0. = postdated: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.unused7" showname=".... ...0 = unused7: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.renewable" showname="0... .... = renewable: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.unused9" showname=".0.. .... = unused9: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.unused10" showname="..0. .... = unused10: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.opt-hardware-auth" showname="...0 .... = opt-hardware-auth: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.request-anonymous" showname=".... ..0. = request-anonymous: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.canonicalize" showname=".... ...0 = canonicalize: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.constrained-delegation" showname="0... .... = constrained-delegation: False" size="1" pos="155" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.disable-transited-check" showname="..0. .... = disable-transited-check: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.renewable-ok" showname="...0 .... = renewable-ok: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.enc-tkt-in-skey" showname=".... 0... = enc-tkt-in-skey: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.renew" showname=".... ..0. = renew: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
+          <field name="kerberos.validate" showname=".... ...0 = validate: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
+        </field>
+        <field name="kerberos.cname_element" showname="cname" size="21" pos="159" show="" value="">
+          <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="165" show="1" value="01"/>
+          <field name="kerberos.name_string" showname="name-string: 1 item" size="10" pos="170" show="1" value="1b084c4f43414c444324">
+            <field name="kerberos.KerberosString" showname="KerberosString: LOCALDC$" size="8" pos="172" show="LOCALDC$" value="4c4f43414c444324"/>
+          </field>
+        </field>
+        <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="184" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
+        <field name="kerberos.sname_element" showname="sname" size="38" pos="203" show="" value="">
+          <field name="kerberos.name_type" showname="name-type: kRB5-NT-SRV-INST (2)" size="1" pos="209" show="2" value="02"/>
+          <field name="kerberos.name_string" showname="name-string: 2 items" size="27" pos="214" show="2" value="1b066b72627467741b1153414d42412e4558414d504c452e434f4d">
+            <field name="kerberos.KerberosString" showname="KerberosString: krbtgt" size="6" pos="216" show="krbtgt" value="6b7262746774"/>
+            <field name="kerberos.KerberosString" showname="KerberosString: SAMBA.EXAMPLE.COM" size="17" pos="224" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
+          </field>
+        </field>
+        <field name="kerberos.till" showname="till: 2017-02-11 01:36:17 (UTC)" size="15" pos="245" show="2017-02-11 01:36:17 (UTC)" value="32303137303231313031333631375a"/>
+        <field name="kerberos.nonce" showname="nonce: 1050303502" size="4" pos="264" show="1050303502" value="3e9a5c0e"/>
+        <field name="kerberos.etype" showname="etype: 8 items" size="24" pos="272" show="8" value="020112020111020110020105020117020103020102020101">
+          <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="274" show="18" value="12"/>
+          <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)" size="1" pos="277" show="17" value="11"/>
+          <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)" size="1" pos="280" show="16" value="10"/>
+          <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES3-CBC-MD5 (5)" size="1" pos="283" show="5" value="05"/>
+          <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)" size="1" pos="286" show="23" value="17"/>
+          <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-MD5 (3)" size="1" pos="289" show="3" value="03"/>
+          <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-MD4 (2)" size="1" pos="292" show="2" value="02"/>
+          <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-CRC (1)" size="1" pos="295" show="1" value="01"/>
+        </field>
+      </field>
+    </field>
+  </proto>
+</packet>
+
+<packet>
+  <proto name="geninfo" pos="0" showname="General information" size="1527">
+    <field name="num" pos="0" show="53" showname="Number" value="35" size="1527"/>
+    <field name="len" pos="0" show="1527" showname="Frame Length" value="5f7" size="1527"/>
+    <field name="caplen" pos="0" show="1527" showname="Captured Length" value="5f7" size="1527"/>
+    <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:18.141276000 NZDT" showname="Captured Time" value="1486690578.141276000" size="1527"/>
+  </proto>
+  <proto name="frame" showname="Frame 53: 1527 bytes on wire (12216 bits), 1527 bytes captured (12216 bits)" size="1527" pos="0">
+    <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
+    <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:18.141276000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:18.141276000 NZDT"/>
+    <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
+    <field name="frame.time_epoch" showname="Epoch Time: 1486690578.141276000 seconds" size="0" pos="0" show="1486690578.141276000"/>
+    <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.003784000 seconds" size="0" pos="0" show="0.003784000"/>
+    <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.003784000 seconds" size="0" pos="0" show="0.003784000"/>
+    <field name="frame.time_relative" showname="Time since reference or first frame: 1.610825000 seconds" size="0" pos="0" show="1.610825000"/>
+    <field name="frame.number" showname="Frame Number: 53" size="0" pos="0" show="53"/>
+    <field name="frame.len" showname="Frame Length: 1527 bytes (12216 bits)" size="0" pos="0" show="1527"/>
+    <field name="frame.cap_len" showname="Capture Length: 1527 bytes (12216 bits)" size="0" pos="0" show="1527"/>
+    <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
+    <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
+    <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
+  </proto>
+  <proto name="raw" showname="Raw packet data" size="1527" pos="0"/>
+  <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.21, Dst: 127.0.0.21" size="20" pos="0">
+    <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
+    <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
+    <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
+      <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
+      <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
+    </field>
+    <field name="ip.len" showname="Total Length: 1527" size="2" pos="2" show="1527" value="05f7"/>
+    <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
+    <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
+      <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
+      <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
+      <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
+    </field>
+    <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
+    <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
+    <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
+    <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
+      <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
+      <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
+    </field>
+    <field name="ip.src" showname="Source: 127.0.0.21" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.src_host" showname="Source Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
+    <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000015"/>
+    <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
+  </proto>
+  <proto name="tcp" showname="Transmission Control Protocol, Src Port: 88 (88), Dst Port: 14723 (14723), Seq: 1, Ack: 257, Len: 1487" size="20" pos="20">
+    <field name="tcp.srcport" showname="Source Port: 88" size="2" pos="20" show="88" value="0058"/>
+    <field name="tcp.dstport" showname="Destination Port: 14723" size="2" pos="22" show="14723" value="3983"/>
+    <field name="tcp.port" showname="Source or Destination Port: 88" hide="yes" size="2" pos="20" show="88" value="0058"/>
+    <field name="tcp.port" showname="Source or Destination Port: 14723" hide="yes" size="2" pos="22" show="14723" value="3983"/>
+    <field name="tcp.stream" showname="Stream index: 0" size="0" pos="20" show="0"/>
+    <field name="tcp.len" showname="TCP Segment Len: 1487" size="1" pos="32" show="1487" value="50"/>
+    <field name="tcp.seq" showname="Sequence number: 1    (relative sequence number)" size="4" pos="24" show="1" value="00000001"/>
+    <field name="tcp.nxtseq" showname="Next sequence number: 1488    (relative sequence number)" size="0" pos="20" show="1488"/>
+    <field name="tcp.ack" showname="Acknowledgment number: 257    (relative ack number)" size="4" pos="28" show="257" value="00000101"/>
+    <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
+    <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
+      <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
+      <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
+      <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
+      <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
+      <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
+      <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
+      <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
+      <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
+      <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
+      <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
+      <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
+    </field>
+    <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
+    <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
+    <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
+    <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
+      <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
+      <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
+    </field>
+    <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
+    <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
+      <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 47" size="0" pos="20" show="47"/>
+      <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.003941000 seconds" size="0" pos="20" show="0.003941000"/>
+      <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000012000 seconds" size="0" pos="20" show="0.000012000"/>
+      <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 1487" size="0" pos="20" show="1487"/>
+    </field>
+    <field name="tcp.pdu.size" showname="PDU Size: 1487" size="1487" pos="40" show="1487" value="...elided..."/>
+  </proto>
+  <proto name="kerberos" showname="Kerberos" size="1487" pos="40">
+    <field name="" show="Record Mark: 1483 bytes" size="4" pos="40" value="000005cb">
+      <field name="kerberos.rm.reserved" showname="0... .... .... .... .... .... .... .... = Reserved: Not set" size="4" pos="40" show="0" value="0" unmaskedvalue="000005cb"/>
+      <field name="kerberos.rm.length" showname=".000 0000 0000 0000 0000 0101 1100 1011 = Record Length: 1483" size="4" pos="40" show="1483" value="5CB" unmaskedvalue="000005cb"/>
+    </field>
+    <field name="kerberos.as_rep_element" showname="as-rep" size="1479" pos="48" show="" value="">
+      <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="56" show="5" value="05"/>
+      <field name="kerberos.msg_type" showname="msg-type: krb-as-rep (11)" size="1" pos="61" show="11" value="0b"/>
+      <field name="kerberos.padata" showname="padata: 1 item" size="57" pos="66" show="1" value="3037a103020103a230042e53414d42412e4558414d504c452e434f4d686f73746c6f63616c64632e73616d62612e6578616d706c652e636f6d">
+        <field name="kerberos.PA_DATA_element" showname="PA-DATA PA-PW-SALT" size="57" pos="66" show="" value="">
+          <field name="kerberos.padata_type" showname="padata-type: kRB5-PADATA-PW-SALT (3)" size="1" pos="72" show="3" value="03">
+            <field name="kerberos.padata_value" showname="padata-value: 53414d42412e4558414d504c452e434f4d686f73746c6f63..." size="46" pos="77" show="53:41:4d:42:41:2e:45:58:41:4d:50:4c:45:2e:43:4f:4d:68:6f:73:74:6c:6f:63:61:6c:64:63:2e:73:61:6d:62:61:2e:65:78:61:6d:70:6c:65:2e:63:6f:6d" value="53414d42412e4558414d504c452e434f4d686f73746c6f63616c64632e73616d62612e6578616d706c652e636f6d">
+              <field name="kerberos.smb.nt_status" showname="NT Status: Unknown (0x424d4153)" size="4" pos="77" show="0x424d4153" value="53414d42"/>
+              <field name="kerberos.smb.unknown" showname="Unknown: 0x58452e41" size="4" pos="81" show="0x58452e41" value="412e4558"/>
+              <field name="kerberos.smb.unknown" showname="Unknown: 0x4c504d41" size="4" pos="85" show="0x4c504d41" value="414d504c"/>
+            </field>
+          </field>
+        </field>
+      </field>
+      <field name="kerberos.crealm" showname="crealm: SAMBA.EXAMPLE.COM" size="17" pos="127" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
+      <field name="kerberos.cname_element" showname="cname" size="21" pos="146" show="" value="">
+        <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="152" show="1" value="01"/>
+        <field name="kerberos.name_string" showname="name-string: 1 item" size="10" pos="157" show="1" value="1b084c4f43414c444324">
+          <field name="kerberos.KerberosString" showname="KerberosString: LOCALDC$" size="8" pos="159" show="LOCALDC$" value="4c4f43414c444324"/>
+        </field>
+      </field>
+      <field name="kerberos.ticket_element" showname="ticket" size="1105" pos="175" show="" value="">
+        <field name="kerberos.tkt_vno" showname="tkt-vno: 5" size="1" pos="183" show="5" value="05"/>
+        <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="188" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
+        <field name="kerberos.sname_element" showname="sname" size="38" pos="207" show="" value="">
+          <field name="kerberos.name_type" showname="name-type: kRB5-NT-SRV-INST (2)" size="1" pos="213" show="2" value="02"/>
+          <field name="kerberos.name_string" showname="name-string: 2 items" size="27" pos="218" show="2" value="1b066b72627467741b1153414d42412e4558414d504c452e434f4d">
+            <field name="kerberos.KerberosString" showname="KerberosString: krbtgt" size="6" pos="220" show="krbtgt" value="6b7262746774"/>
+            <field name="kerberos.KerberosString" showname="KerberosString: SAMBA.EXAMPLE.COM" size="17" pos="228" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
+          </field>
+        </field>
+        <field name="kerberos.enc_part_element" showname="enc-part" size="1031" pos="249" show="" value="">
+          <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="257" show="18" value="12"/>
+          <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="262" show="1" value="01"/>
+          <field name="kerberos.cipher" showname="cipher: 22e144d817a8c9e491c0eaa7aaf8e719ed4e92231d14006c..." size="1009" pos="271" show="...elided..." value="...elided..."/>
+        </field>
+      </field>
+      <field name="kerberos.enc_part_element" showname="enc-part" size="244" pos="1283" show="" value="">
+        <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="1290" show="18" value="12"/>
+        <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="1295" show="1" value="01"/>
+        <field name="kerberos.cipher" showname="cipher: 0131d06ef55ec3e3dd9a2de408afb6236c32fc6776e0cde6..." size="225" pos="1302" show="...elided..." value="...elided..."/>
+      </field>
+    </field>
+  </proto>
+</packet>
+
+<packet>
+  <proto name="geninfo" pos="0" showname="General information" size="301">
+    <field name="num" pos="0" show="2400" showname="Number" value="960" size="301"/>
+    <field name="len" pos="0" show="301" showname="Frame Length" value="12d" size="301"/>
+    <field name="caplen" pos="0" show="301" showname="Captured Length" value="12d" size="301"/>
+    <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.104038000 NZDT" showname="Captured Time" value="1486690584.104038000" size="301"/>
+  </proto>
+  <proto name="frame" showname="Frame 2400: 301 bytes on wire (2408 bits), 301 bytes captured (2408 bits)" size="301" pos="0">
+    <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
+    <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.104038000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.104038000 NZDT"/>
+    <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
+    <field name="frame.time_epoch" showname="Epoch Time: 1486690584.104038000 seconds" size="0" pos="0" show="1486690584.104038000"/>
+    <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000010000 seconds" size="0" pos="0" show="0.000010000"/>
+    <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000010000 seconds" size="0" pos="0" show="0.000010000"/>
+    <field name="frame.time_relative" showname="Time since reference or first frame: 7.573587000 seconds" size="0" pos="0" show="7.573587000"/>
+    <field name="frame.number" showname="Frame Number: 2400" size="0" pos="0" show="2400"/>
+    <field name="frame.len" showname="Frame Length: 301 bytes (2408 bits)" size="0" pos="0" show="301"/>
+    <field name="frame.cap_len" showname="Capture Length: 301 bytes (2408 bits)" size="0" pos="0" show="301"/>
+    <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
+    <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
+    <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
+  </proto>
+  <proto name="raw" showname="Raw packet data" size="301" pos="0"/>
+  <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
+    <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
+    <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
+    <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
+      <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
+      <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
+    </field>
+    <field name="ip.len" showname="Total Length: 301" size="2" pos="2" show="301" value="012d"/>
+    <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
+    <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
+      <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
+      <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
+      <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
+    </field>
+    <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
+    <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
+    <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
+    <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
+      <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
+      <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
+    </field>
+    <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
+    <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
+    <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
+    <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
+    <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
+    <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>


-- 
Samba Shared Repository


