
Baseline Network Flow Examples

Hi. This is Angela Horneman of the SEI's Situational Awareness team. I've generated service-specific network flows to use as baseline examples for network analysis and am sharing them since others may find them helpful.

We have been looking at implementing Network Profiling in Analysis Pipeline to automatically generate lists of active servers and to alert when new IPs start acting as servers. As part of this initiative, we started looking at alternatives to using TCP flags in the identification process, since not all collection methods capture flag data (UDP and GRE records carry none in any case). In the process, I looked for example network flows for verified services.

I found pcaps and some network flows that probably contained examples of the services, but I didn't find network flows explicitly labeled for most of the services we are profiling, so I generated my own. Stay tuned: further developments related to profiling methods should be coming in the near future.

I generated flows for TELNET, FTP, PPTP, DNS, HTTP, SSH, and NTP, the services we are working to profile. For TELNET, FTP, PPTP, DNS, and SSH, the servers were configured on a Fedora Linux VM equipped with YAF and SiLK; the HTTP, NTP, and Windows DNS flows went to external servers. I generated flows with a Fedora Linux box as the client, and repeated this with a Windows 7 Enterprise box as the client for most services. Flow fields in the examples are as seen in SiLK. The STIME column is truncated to minutes, seconds, and milliseconds, and FLAGS is blank for UDP and GRE records.

The examples appear below. Do you have samples of other services, or do you access these services from other operating systems? If so, please share! Reach us online at http://www.cert.org/netsa/contact.cfm.
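To make the flag-free profiling idea concrete, here is an added example (my code for this post, not SiLK's or Analysis Pipeline's) that reads rows in the layout of the tables below, decides the server side of each record from addresses, ports, and protocol alone, attributes GRE records to the PPTP control channel between the same hosts, treats the symmetric-port NTP records as undecidable rather than guessing, and reports servers that are absent from a baseline. The sample rows are copied from this page's tables (with "-" standing in for a blank FLAGS column); the 32768 ephemeral-port cutoff, the "lower port wins" fallback, and the BASELINE set are assumptions made for the demonstration.

```python
"""Profile servers from flow records without relying on TCP flags.
Added example for this post, not SiLK or Analysis Pipeline code. Rows in
SAMPLE are copied from the page's tables; EPHEMERAL_MIN, the heuristics,
and BASELINE are assumptions made for the demonstration."""

WELL_KNOWN_MAX = 1023
EPHEMERAL_MIN = 32768  # assumption: Linux default range starts here, Windows 7 at 49152

# Constructed from the page's tables; '-' marks a blank FLAGS column.
SAMPLE = """\
sIP dIP sPort dPort proto packets bytes flags
10.10.0.2 10.10.0.1 36257 22 6 42 5449 FSPA
10.10.0.1 10.10.0.2 22 36257 6 33 4829 FSPA
10.10.0.1 10.10.0.2 43503 21 6 15 853 FSPA
10.10.0.2 10.10.0.1 21 43503 6 14 960 FSPA
10.10.0.2 10.10.0.1 20 51583 6 4 216 FSA
10.10.0.1 10.10.0.2 51583 20 6 2 112 FSA
10.10.0.1 10.10.0.2 50224 10099 6 3 164 FSA
10.10.0.2 10.10.0.1 10099 50224 6 3 164 FSA
10.10.0.1 10.10.0.2 57722 1723 6 11 936 FSPA
10.10.0.2 10.10.0.1 1723 57722 6 6 528 FSPA
10.10.0.1 10.10.0.2 0 0 47 10 540 -
10.10.0.2 10.10.0.1 0 0 47 10 566 -
10.10.0.1 10.10.0.2 60275 53 17 1 56 -
10.10.0.2 10.10.0.1 53 60275 17 1 232 -
10.10.0.1 216.229.4.69 123 123 17 1 76 -
216.229.4.69 10.10.0.1 123 123 17 1 76 -
"""

# Assumed baseline of servers the analyst already knows about.
BASELINE = {("10.10.0.1", 6, 22), ("10.10.0.2", 17, 53)}


def parse_rows(text):
    """Parse whitespace-separated rows whose first line names the columns."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    names = lines[0].split()
    rows = []
    for line in lines[1:]:
        rec = dict(zip(names, line.split()))
        for key in ("sPort", "dPort", "proto", "packets", "bytes"):
            rec[key] = int(rec[key])
        rows.append(rec)
    return rows


def server_side(rec, control_servers):
    """Pick the server endpoint from addresses, ports and protocol only.
    Returns (server_ip, proto, server_port, reason); server_ip is None and
    reason is 'ambiguous' when the record alone cannot decide."""
    sip, dip = rec["sIP"], rec["dIP"]
    sp, dp, proto = rec["sPort"], rec["dPort"], rec["proto"]
    if proto == 47:
        # GRE has no ports: attribute the tunnel to whichever host served the
        # PPTP control channel (TCP/1723) between the same pair of addresses.
        srv = control_servers.get(frozenset((sip, dip)))
        return (srv, 47, 0, "paired-with-1723") if srv else (None, 47, 0, "ambiguous")
    if proto not in (6, 17):
        return None, proto, 0, "ambiguous"
    if sp == dp:
        # NTP 123<->123: symmetric ports, nothing in the record picks a side.
        return None, proto, sp, "ambiguous"
    s_known, d_known = sp <= WELL_KNOWN_MAX, dp <= WELL_KNOWN_MAX
    if s_known != d_known:
        return (sip, proto, sp, "well-known") if s_known else (dip, proto, dp, "well-known")
    s_eph, d_eph = sp >= EPHEMERAL_MIN, dp >= EPHEMERAL_MIN
    if s_eph != d_eph:
        # Passive-FTP data channel: server port 10099 versus client port 50224.
        return (dip, proto, dp, "non-ephemeral") if s_eph else (sip, proto, sp, "non-ephemeral")
    # Both ports look alike: fall back to the lower one, flagged as low confidence.
    return (sip, proto, sp, "lower-port") if sp < dp else (dip, proto, dp, "lower-port")


def profile_servers(rows):
    """Return ({(ip, proto, port): reason}, [records that could not be decided])."""
    control = {}  # first pass: who served PPTP control, so GRE can be attributed
    for r in rows:
        if r["proto"] == 6 and 1723 in (r["sPort"], r["dPort"]):
            control[frozenset((r["sIP"], r["dIP"]))] = r["sIP"] if r["sPort"] == 1723 else r["dIP"]
    servers, ambiguous = {}, []
    for r in rows:
        ip, proto, port, reason = server_side(r, control)
        if ip is None:
            ambiguous.append(r)
        else:
            servers.setdefault((ip, proto, port), reason)
    return servers, ambiguous


def new_servers(servers, baseline):
    """Servers seen now but absent from the baseline: the alert condition."""
    return sorted(k for k in servers if k not in baseline)


def decode_icmp_dport(dport):
    """SiLK stores ICMP type and code in dPort as type*256 + code."""
    return divmod(dport, 256)


if __name__ == "__main__":
    found, unsure = profile_servers(parse_rows(SAMPLE))
    for key, why in sorted(found.items()):
        print("server", key, why)
    print("ambiguous records:", len(unsure), "new servers:", new_servers(found, BASELINE))
```

The two NTP rows come back as ambiguous rather than misattributed, which is the situation the NTP section below points out; on real data the tie is broken by counting how many distinct peers each side's port 123 talks to over time, which a single record cannot show.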

SSH

Fedora Linux

OpenSSH server, accessed with the ssh command. Server is 10.10.0.1.

Client logged in, listed the directory, and then exited.

SIP        DIP        SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME
10.10.0.2  10.10.0.1  36257  22     6         42       5449   FSPA   48:01.120
10.10.0.1  10.10.0.2  22     36257  6         33       4829   FSPA   48:01.120

Windows 7 Enterprise

OpenSSH server, accessed with PuTTY. Server is 10.10.0.1.

Client logged in, listed the directory, and then exited.

SIP        DIP        SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME
10.10.0.2  10.10.0.1  22     61808  6         48       5256   FSPA   02:46.642
10.10.0.1  10.10.0.2  61808  22     6         45       7377   FSPA   02:46.642

Note: as recorded, the address and port columns of this pair do not agree. Port 22 is shown on the 10.10.0.2 side although the server is 10.10.0.1, so one of the two column pairs is transposed in the recording.

TELNET

Fedora Linux

Accessed with the telnet command. Server is 10.10.0.1.

Client logged in, listed the directory, and then exited.

SIP        DIP        SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME
10.10.0.2  10.10.0.1  37945  23     6         52       2947   FSPA   50:53.200
10.10.0.1  10.10.0.2  23     37945  6         37       2265   FSPA   50:53.200

Windows 7 Enterprise

Accessed with PuTTY. Server is 10.10.0.1.

Client logged in, listed the directory, and then exited.

SIP        DIP        SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME
10.10.0.2  10.10.0.1  61359  23     6         55       2317   FSPA   06:38.441
10.10.0.1  10.10.0.2  23     61359  6         42       2083   FSPA   06:38.441

Active FTP

Fedora Linux

vsftpd server, accessed with the ftp command. Server is 10.10.0.2.

Client logged in, listed the directory, and then exited.

Flow 1 is the command channel. Flow 2 is the data channel, which in active mode the server opens from its port 20 back to the ephemeral port the client announced, so the data flow starts on the server side.

FLOW  SIP        DIP        SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME
1     10.10.0.1  10.10.0.2  43503  21     6         15       853    FSPA   08:14.690
1     10.10.0.2  10.10.0.1  21     43503  6         14       960    FSPA   08:14.690
2     10.10.0.2  10.10.0.1  20     51583  6         4        216    FSA    08:25.699
2     10.10.0.1  10.10.0.2  51583  20     6         2        112    FSA    08:25.699

Passive FTP

Fedora Linux

vsftpd server, accessed with the ftp command. Server is 10.10.0.2.

Client logged in, listed the directory, and then exited.

Flow 1 is the command channel. Flow 2 is the data channel, which in passive mode the client opens to a high port chosen by the server (10099 here), so neither end of the data flow uses a well-known port.

FLOW  SIP        DIP        SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME
1     10.10.0.1  10.10.0.2  43507  21     6         15       836    FSPA   21:46.314
1     10.10.0.2  10.10.0.1  21     43507  6         14       956    FSPA   21:46.314
2     10.10.0.1  10.10.0.2  50224  10099  6         3        164    FSA    21:54.314
2     10.10.0.2  10.10.0.1  10099  50224  6         3        164    FSA    21:54.314

Windows 7 Enterprise

vsftpd server, accessed with cURL. Server is 10.10.0.2.

Client logged in, checked the current path, listed the directory, and then exited.

Flow 1 is the command channel. Flow 2 is the data channel, opened in passive mode to the server's port 10091.

FLOW  SIP        DIP        SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME
1     10.10.0.1  10.10.0.2  61597  21     6         13       774    FSPA   23:32.990
1     10.10.0.2  10.10.0.1  21     61597  6         12       561    FSPA   23:32.990
2     10.10.0.1  10.10.0.2  10091  61598  6         4        233    FSPA   23:33.005
2     10.10.0.2  10.10.0.1  61598  10091  6         4        172    FSA    23:33.005

Note: as recorded, the address and port columns of flow 2 do not agree. The passive data port 10091 belongs to the server, 10.10.0.2, but is shown on the 10.10.0.1 row, so one of the two column pairs is transposed in the recording.

PPTP

Fedora Linux

Connection created with the pppd call pptpserver command (pptpserver names the peer file under /etc/ppp/peers). Server is 10.10.0.2.

Client created the connection and then closed it. Closing the connection did not immediately close the TCP control flow on port 1723, which lasted about 94 seconds, while the GRE flows (protocol 47) that carried the tunneled traffic lasted half a second. GRE records have no ports or flags.

SIP        DIP        SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME      DUR
10.10.0.1  10.10.0.2  57722  1723   6         11       936    FSPA   23:39.877  94.742
10.10.0.2  10.10.0.1  1723   57722  6         6        528    FSPA   23:39.877  94.742
10.10.0.1  10.10.0.2  0      0      47        10       540           23:40.890  0.530
10.10.0.2  10.10.0.1  0      0      47        10       566           23:40.890  0.530

Windows 7 Enterprise

Used Network and Sharing Center to create the connection. Server is 10.10.0.2.

Client created the connection and then closed it. Closing the connection did not immediately close the flow; here the TCP control flow and the GRE flows have nearly the same duration.

SIP        DIP        SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME      DUR
10.10.0.1  10.10.0.2  61327  1723   6         10       824    FSPA   07:36.522  59.847
10.10.0.2  10.10.0.1  1723   61327  6         10       600    FSPA   07:36.522  59.847
10.10.0.1  10.10.0.2  0      0      47        53       5114          07:36.533  59.203
10.10.0.2  10.10.0.1  0      0      47        44       3277          07:36.533  59.203

DNS

Fedora Linux

Generated with the ping command. DNS server is 10.10.0.2.

Client pinged google.com; the flow shown is the name lookup, not the ICMP echo.

SIP        DIP        SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME
10.10.0.1  10.10.0.2  60275  53     17        1        56            02:43.290
10.10.0.2  10.10.0.1  53     60275  17        1        232           02:43.290

Windows 7 Enterprise

Generated with the ping command. Client is 10.10.0.1; the resolver it queried was 173.194.121.3.

Client pinged google.com; the flow shown is the name lookup, not the ICMP echo.

SIP            DIP            SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME
10.10.0.1      173.194.121.3  63786  53     17        1        60            15:02.949
173.194.121.3  10.10.0.1      53     63786  17        1        276           15:02.949

HTTP

Fedora Linux

Accessed with cURL. Client is 10.10.0.1.

Client fetched www.cmu.edu.

SIP          DIP          SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME
10.10.0.1    128.2.42.52  47994  80     6         6        335    FSPA   18:37.558
128.2.42.52  10.10.0.1    80     47994  6         5        861    FSPA   18:37.558

Windows 7 Enterprise

Accessed with cURL. Client is 10.10.0.1.

Client fetched www.cmu.edu.

SIP          DIP          SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME
10.10.0.1    128.2.42.52  61953  80     6         5        287    FSPA   46:37.801
128.2.42.52  10.10.0.1    80     61953  6         5        869    FSPA   46:37.801

NTP

Fedora Linux

Client is 10.10.0.1.

The client checked the time automatically. Note: both client and server used port 123, rather than the client using an ephemeral port, as the ntpd daemon does when it sends from its own listening port. The record is therefore symmetric, and port-based server identification cannot pick a side from this record alone.

SIP           DIP           SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME
10.10.0.1     216.229.4.69  123    123    17        1        76            14:24.996
216.229.4.69  10.10.0.1     123    123    17        1        76            14:24.996

Windows 7 Enterprise

Client is 10.10.0.1.

The client checked the time automatically and received an unreachable message.

SIP        DIP          SPORT  DPORT  PROTOCOL  PACKETS  BYTES  FLAGS  STIME
10.10.0.1  208.75.89.4  60696  123    17        1        76            23:11.397
10.10.0.1  10.10.0.1    0      771    17        2        112           23:11.398

Note: SiLK records an ICMP message's type and code in the DPORT field as type*256 + code, so 771 decodes to type 3, code 3: destination unreachable, port unreachable. The PROTOCOL value 17 shown on that row does not match ICMP, which is protocol 1, so read the second row as the unreachable message rather than as a second NTP exchange.
