No.     Time           Source                Destination           Protocol Length Info
   3137 30.833312000   10.241.212.151        10.241.209.195        TCP      66     34549 > ftp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

Frame 3137: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug 17, 2015 08:01:10.533615000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1439812870.533615000 seconds
    [Time delta from previous captured frame: 0.005786000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 30.833312000 seconds]
    Frame Number: 3137
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: Checksum Errors]
    [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1]
Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
    Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01)
        Address: All-HSRP-routers_01 (00:00:0c:07:ac:01)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x0890 (2192)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (6)
    Header checksum: 0x0000 [incorrect, should be 0x35f7 (may be caused by "IP checksum offload"?)]
        [Good: False]
        [Bad: True]
        [Expert Info (Error/Checksum): Bad checksum]
            [Message: Bad checksum]
            [Severity level: Error]
            [Group: Checksum]
    Source: 10.241.212.151 (10.241.212.151)
    Destination: 10.241.209.195 (10.241.209.195)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 34549 (34549), Dst Port: ftp (21), Seq: 0, Len: 0
    Source port: 34549 (34549)
    Destination port: ftp (21)
    [Stream index: 16]
    Sequence number: 0    (relative sequence number)
    Header length: 32 bytes
    Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port ftp]
                [Message: Connection establish request (SYN): server port ftp]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
    Window size value: 8192
    [Calculated window size: 8192]
    Checksum: 0xbc63 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
        Maximum segment size: 1460 bytes
            Kind: MSS size (2)
            Length: 4
            MSS Value: 1460
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Window scale: 2 (multiply by 4)
            Kind: Window Scale (3)
            Length: 3
            Shift count: 2
            [Multiplier: 4]
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        TCP SACK Permitted Option: True
            Kind: SACK Permission (4)
            Length: 2

0000  00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00   .......6.A.f..E.
0010  00 34 08 90 40 00 80 06 00 00 0a f1 d4 97 0a f1   .4..@...........
0020  d1 c3 86 f5 00 15 fc d5 9d 41 00 00 00 00 80 02   .........A......
0030  20 00 bc 63 00 00 02 04 05 b4 01 03 03 02 01 01   ..c............
0040  04 02                                             ..

No.     Time           Source                Destination           Protocol Length Info
   3138 30.833887000   10.241.209.195        10.241.212.151        TCP      60     ftp > 34549 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460

Frame 3138: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug 17, 2015 08:01:10.534190000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1439812870.534190000 seconds
    [Time delta from previous captured frame: 0.000575000 seconds]
    [Time delta from previous displayed frame: 0.000575000 seconds]
    [Time since reference or first frame: 30.833887000 seconds]
    Frame Number: 3138
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: TCP SYN/FIN]
    [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
    Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_88:04:00 (00:23:ac:88:04:00)
        Address: Cisco_88:04:00 (00:23:ac:88:04:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
    Padding: 0000
Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 44
    Identification: 0xe3b3 (58291)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 59
    Protocol: TCP (6)
    Header checksum: 0x9fdb [correct]
        [Good: True]
        [Bad: False]
    Source: 10.241.209.195 (10.241.209.195)
    Destination: 10.241.212.151 (10.241.212.151)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 0, Ack: 1, Len: 0
    Source port: ftp (21)
    Destination port: 34549 (34549)
    [Stream index: 16]
    Sequence number: 0    (relative sequence number)
    Acknowledgment number: 1    (relative ack number)
    Header length: 24 bytes
    Flags: 0x012 (SYN, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port ftp]
                [Message: Connection establish acknowledge (SYN+ACK): server port ftp]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
    Window size value: 65535
    [Calculated window size: 65535]
    Checksum: 0x533d [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (4 bytes), Maximum segment size
        Maximum segment size: 1460 bytes
            Kind: MSS size (2)
            Length: 4
            MSS Value: 1460
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 3137]
        [The RTT to ACK the segment was: 0.000575000 seconds]

0000  a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 00   .6.A.f.#......E.
0010  00 2c e3 b3 40 00 3b 06 9f db 0a f1 d1 c3 0a f1   .,..@.;.........
0020  d4 97 00 15 86 f5 7c 61 eb 17 fc d5 9d 42 60 12   ......|a.....B`.
0030  ff ff 53 3d 00 00 02 04 05 b4 00 00               ..S=........

No.     Time           Source                Destination           Protocol Length Info
   3139 30.833918000   10.241.212.151        10.241.209.195        TCP      54     34549 > ftp [ACK] Seq=1 Ack=1 Win=64240 Len=0

Frame 3139: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug 17, 2015 08:01:10.534221000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1439812870.534221000 seconds
    [Time delta from previous captured frame: 0.000031000 seconds]
    [Time delta from previous displayed frame: 0.000031000 seconds]
    [Time since reference or first frame: 30.833918000 seconds]
    Frame Number: 3139
    Frame Length: 54 bytes (432 bits)
    Capture Length: 54 bytes (432 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: Checksum Errors]
    [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1]
Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
    Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01)
        Address: All-HSRP-routers_01 (00:00:0c:07:ac:01)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 40
    Identification: 0x0891 (2193)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (6)
    Header checksum: 0x0000 [incorrect, should be 0x3602 (may be caused by "IP checksum offload"?)]
        [Good: False]
        [Bad: True]
        [Expert Info (Error/Checksum): Bad checksum]
            [Message: Bad checksum]
            [Severity level: Error]
            [Group: Checksum]
    Source: 10.241.212.151 (10.241.212.151)
    Destination: 10.241.209.195 (10.241.209.195)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 34549 (34549), Dst Port: ftp (21), Seq: 1, Ack: 1, Len: 0
    Source port: 34549 (34549)
    Destination port: ftp (21)
    [Stream index: 16]
    Sequence number: 1    (relative sequence number)
    Acknowledgment number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 64240
    [Calculated window size: 64240]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0xbc57 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 3138]
        [The RTT to ACK the segment was: 0.000031000 seconds]

0000  00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00   .......6.A.f..E.
0010  00 28 08 91 40 00 80 06 00 00 0a f1 d4 97 0a f1   .(..@...........
0020  d1 c3 86 f5 00 15 fc d5 9d 42 7c 61 eb 18 50 10   .........B|a..P.
0030  fa f0 bc 57 00 00                                 ...W..

No.     Time           Source                Destination           Protocol Length Info
   3140 30.845730000   10.241.209.195        10.241.212.151        FTP      125    Response: 220 bono FTP server (Version 4.2 Thu Apr 17 02:03:14 CDT 2008) ready.

Frame 3140: 125 bytes on wire (1000 bits), 125 bytes captured (1000 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug 17, 2015 08:01:10.546033000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1439812870.546033000 seconds
    [Time delta from previous captured frame: 0.011812000 seconds]
    [Time delta from previous displayed frame: 0.011812000 seconds]
    [Time since reference or first frame: 30.845730000 seconds]
    Frame Number: 3140
    Frame Length: 125 bytes (1000 bits)
    Capture Length: 125 bytes (1000 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:ftp]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
    Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_88:04:00 (00:23:ac:88:04:00)
        Address: Cisco_88:04:00 (00:23:ac:88:04:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 111
    Identification: 0xe3b5 (58293)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 59
    Protocol: TCP (6)
    Header checksum: 0x9f86 [correct]
        [Good: True]
        [Bad: False]
    Source: 10.241.209.195 (10.241.209.195)
    Destination: 10.241.212.151 (10.241.212.151)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 1, Ack: 1, Len: 71
    Source port: ftp (21)
    Destination port: 34549 (34549)
    [Stream index: 16]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 72    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 65535
    [Calculated window size: 65535]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x4655 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [Bytes in flight: 71]
File Transfer Protocol (FTP)
    220 bono FTP server (Version 4.2 Thu Apr 17 02:03:14 CDT 2008) ready.\r\n
        Response code: Service ready for new user (220)
        Response arg: bono FTP server (Version 4.2 Thu Apr 17 02:03:14 CDT 2008) ready.

0000  a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10   .6.A.f.#......E.
0010  00 6f e3 b5 40 00 3b 06 9f 86 0a f1 d1 c3 0a f1   .o..@.;.........
0020  d4 97 00 15 86 f5 7c 61 eb 18 fc d5 9d 42 50 18   ......|a.....BP.
0030  ff ff 46 55 00 00 32 32 30 20 62 6f 6e 6f 20 46   ..FU..220 bono F
0040  54 50 20 73 65 72 76 65 72 20 28 56 65 72 73 69   TP server (Versi
0050  6f 6e 20 34 2e 32 20 54 68 75 20 41 70 72 20 31   on 4.2 Thu Apr 1
0060  37 20 30 32 3a 30 33 3a 31 34 20 43 44 54 20 32   7 02:03:14 CDT 2
0070  30 30 38 29 20 72 65 61 64 79 2e 0d 0a            008) ready...

No.     Time           Source                Destination           Protocol Length Info
   3141 30.846224000   10.241.212.151        10.241.209.195        FTP      65     Request: USER root

Frame 3141: 65 bytes on wire (520 bits), 65 bytes captured (520 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug 17, 2015 08:01:10.546527000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1439812870.546527000 seconds
    [Time delta from previous captured frame: 0.000494000 seconds]
    [Time delta from previous displayed frame: 0.000494000 seconds]
    [Time since reference or first frame: 30.846224000 seconds]
    Frame Number: 3141
    Frame Length: 65 bytes (520 bits)
    Capture Length: 65 bytes (520 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:ftp]
    [Coloring Rule Name: Checksum Errors]
    [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1]
Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
    Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01)
        Address: All-HSRP-routers_01 (00:00:0c:07:ac:01)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 51
    Identification: 0x0892 (2194)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (6)
    Header checksum: 0x0000 [incorrect, should be 0x35f6 (may be caused by "IP checksum offload"?)]
        [Good: False]
        [Bad: True]
        [Expert Info (Error/Checksum): Bad checksum]
            [Message: Bad checksum]
            [Severity level: Error]
            [Group: Checksum]
    Source: 10.241.212.151 (10.241.212.151)
    Destination: 10.241.209.195 (10.241.209.195)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 34549 (34549), Dst Port: ftp (21), Seq: 1, Ack: 72, Len: 11
    Source port: 34549 (34549)
    Destination port: ftp (21)
    [Stream index: 16]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 12    (relative sequence number)]
    Acknowledgment number: 72    (relative ack number)
    Header length: 20 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 64169
    [Calculated window size: 64169]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0xbc62 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 3140]
        [The RTT to ACK the segment was: 0.000494000 seconds]
        [Bytes in flight: 11]
File Transfer Protocol (FTP)
    USER root\r\n
        Request command: USER
        Request arg: root

0000  00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00   .......6.A.f..E.
0010  00 33 08 92 40 00 80 06 00 00 0a f1 d4 97 0a f1   .3..@...........
0020  d1 c3 86 f5 00 15 fc d5 9d 42 7c 61 eb 5f 50 18   .........B|a._P.
0030  fa a9 bc 62 00 00 55 53 45 52 20 72 6f 6f 74 0d   ...b..USER root.
0040  0a                                                .

No.     Time           Source                Destination           Protocol Length Info
   3142 30.850371000   10.241.209.195        10.241.212.151        FTP      87     Response: 331 Password required for root.

Frame 3142: 87 bytes on wire (696 bits), 87 bytes captured (696 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug 17, 2015 08:01:10.550674000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1439812870.550674000 seconds
    [Time delta from previous captured frame: 0.004147000 seconds]
    [Time delta from previous displayed frame: 0.004147000 seconds]
    [Time since reference or first frame: 30.850371000 seconds]
    Frame Number: 3142
    Frame Length: 87 bytes (696 bits)
    Capture Length: 87 bytes (696 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:ftp]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
    Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_88:04:00 (00:23:ac:88:04:00)
        Address: Cisco_88:04:00 (00:23:ac:88:04:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 73
    Identification: 0xe3b6 (58294)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 59
    Protocol: TCP (6)
    Header checksum: 0x9fab [correct]
        [Good: True]
        [Bad: False]
    Source: 10.241.209.195 (10.241.209.195)
    Destination: 10.241.212.151 (10.241.212.151)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 72, Ack: 12, Len: 33
    Source port: ftp (21)
    Destination port: 34549 (34549)
    [Stream index: 16]
    Sequence number: 72    (relative sequence number)
    [Next sequence number: 105    (relative sequence number)]
    Acknowledgment number: 12    (relative ack number)
    Header length: 20 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 65535
    [Calculated window size: 65535]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x942f [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 3141]
        [The RTT to ACK the segment was: 0.004147000 seconds]
        [Bytes in flight: 33]
File Transfer Protocol (FTP)
    331 Password required for root.\r\n
        Response code: User name okay, need password (331)
        Response arg: Password required for root.

0000  a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10   .6.A.f.#......E.
0010  00 49 e3 b6 40 00 3b 06 9f ab 0a f1 d1 c3 0a f1   .I..@.;.........
0020  d4 97 00 15 86 f5 7c 61 eb 5f fc d5 9d 4d 50 18   ......|a._...MP.
0030  ff ff 94 2f 00 00 33 33 31 20 50 61 73 73 77 6f   .../..331 Passwo
0040  72 64 20 72 65 71 75 69 72 65 64 20 66 6f 72 20   rd required for
0050  72 6f 6f 74 2e 0d 0a                              root...

No.     Time           Source                Destination           Protocol Length Info
   3143 30.850569000   10.241.212.151        10.241.209.195        FTP      67     Request: PASS cx2000

Frame 3143: 67 bytes on wire (536 bits), 67 bytes captured (536 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug 17, 2015 08:01:10.550872000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1439812870.550872000 seconds
    [Time delta from previous captured frame: 0.000198000 seconds]
    [Time delta from previous displayed frame: 0.000198000 seconds]
    [Time since reference or first frame: 30.850569000 seconds]
    Frame Number: 3143
    Frame Length: 67 bytes (536 bits)
    Capture Length: 67 bytes (536 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:ftp]
    [Coloring Rule Name: Checksum Errors]
    [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1]
Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
    Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01)
        Address: All-HSRP-routers_01 (00:00:0c:07:ac:01)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 53
    Identification: 0x0893 (2195)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (6)
    Header checksum: 0x0000 [incorrect, should be 0x35f3 (may be caused by "IP checksum offload"?)]
        [Good: False]
        [Bad: True]
        [Expert Info (Error/Checksum): Bad checksum]
            [Message: Bad checksum]
            [Severity level: Error]
            [Group: Checksum]
    Source: 10.241.212.151 (10.241.212.151)
    Destination: 10.241.209.195 (10.241.209.195)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 34549 (34549), Dst Port: ftp (21), Seq: 12, Ack: 105, Len: 13
    Source port: 34549 (34549)
    Destination port: ftp (21)
    [Stream index: 16]
    Sequence number: 12    (relative sequence number)
    [Next sequence number: 25    (relative sequence number)]
    Acknowledgment number: 105    (relative ack number)
    Header length: 20 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 64136
    [Calculated window size: 64136]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0xbc64 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 3142]
        [The RTT to ACK the segment was: 0.000198000 seconds]
        [Bytes in flight: 13]
File Transfer Protocol (FTP)
    PASS cx2000\r\n
        Request command: PASS
        Request arg: cx2000

0000  00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00   .......6.A.f..E.
0010  00 35 08 93 40 00 80 06 00 00 0a f1 d4 97 0a f1   .5..@...........
0020  d1 c3 86 f5 00 15 fc d5 9d 4d 7c 61 eb 80 50 18   .........M|a..P.
0030  fa 88 bc 64 00 00 50 41 53 53 20 63 78 32 30 30   ...d..PASS cx200
0040  30 0d 0a                                          0..

No.     Time           Source                Destination           Protocol Length Info
   3144 30.851388000   10.241.209.195        10.241.212.151        TCP      60     ftp > 34549 [ACK] Seq=105 Ack=25 Win=65535 Len=0

Frame 3144: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug 17, 2015 08:01:10.551691000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1439812870.551691000 seconds
    [Time delta from previous captured frame: 0.000819000 seconds]
    [Time delta from previous displayed frame: 0.000819000 seconds]
    [Time since reference or first frame: 30.851388000 seconds]
    Frame Number: 3144
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
    Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_88:04:00 (00:23:ac:88:04:00)
        Address: Cisco_88:04:00 (00:23:ac:88:04:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
    Padding: 000000000000
Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 40
    Identification: 0xe3b7 (58295)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 59
    Protocol: TCP (6)
    Header checksum: 0x9fcb [correct]
        [Good: True]
        [Bad: False]
    Source: 10.241.209.195 (10.241.209.195)
    Destination: 10.241.212.151 (10.241.212.151)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 105, Ack: 25, Len: 0
    Source port: ftp (21)
    Destination port: 34549 (34549)
    [Stream index: 16]
    Sequence number: 105    (relative sequence number)
    Acknowledgment number: 25    (relative ack number)
    Header length: 20 bytes
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 65535
    [Calculated window size: 65535]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x6a7a [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 3143]
        [The RTT to ACK the segment was: 0.000819000 seconds]

0000  a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10   .6.A.f.#......E.
0010  00 28 e3 b7 40 00 3b 06 9f cb 0a f1 d1 c3 0a f1   .(..@.;.........
0020  d4 97 00 15 86 f5 7c 61 eb 80 fc d5 9d 5a 50 10   ......|a.....ZP.
0030  ff ff 6a 7a 00 00 00 00 00 00 00 00               ..jz........

No.     Time           Source                Destination           Protocol Length Info
   3145 30.872975000   10.241.209.195        10.241.212.151        FTP      138    Response: 230-Last unsuccessful login: Mon Aug 10 15:51:52 EST 2015 on ssh from 10.13.46.162

Frame 3145: 138 bytes on wire (1104 bits), 138 bytes captured (1104 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug 17, 2015 08:01:10.573278000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1439812870.573278000 seconds
    [Time delta from previous captured frame: 0.021587000 seconds]
    [Time delta from previous displayed frame: 0.021587000 seconds]
    [Time since reference or first frame: 30.872975000 seconds]
    Frame Number: 3145
    Frame Length: 138 bytes (1104 bits)
    Capture Length: 138 bytes (1104 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:ftp]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
    Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_88:04:00 (00:23:ac:88:04:00)
        Address: Cisco_88:04:00 (00:23:ac:88:04:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 124
    Identification: 0xe3b8 (58296)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 59
    Protocol: TCP (6)
    Header checksum: 0x9f76 [correct]
        [Good: True]
        [Bad: False]
    Source: 10.241.209.195 (10.241.209.195)
    Destination: 10.241.212.151 (10.241.212.151)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 105, Ack: 25, Len: 84
    Source port: ftp (21)
    Destination port: 34549 (34549)
    [Stream index: 16]
    Sequence number: 105    (relative sequence number)
    [Next sequence number: 189    (relative sequence number)]
    Acknowledgment number: 25    (relative ack number)
    Header length: 20 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 65535
    [Calculated window size: 65535]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0xdbfd [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [Bytes in flight: 84]
File Transfer Protocol (FTP)
    230-Last unsuccessful login: Mon Aug 10 15:51:52 EST 2015 on ssh from 10.13.46.162\r\n
        Response code: User logged in, proceed (230)
        Response arg: Last unsuccessful login: Mon Aug 10 15:51:52 EST 2015 on ssh from 10.13.46.162

0000  a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10   .6.A.f.#......E.
0010  00 7c e3 b8 40 00 3b 06 9f 76 0a f1 d1 c3 0a f1   .|..@.;..v......
0020  d4 97 00 15 86 f5 7c 61 eb 80 fc d5 9d 5a 50 18   ......|a.....ZP.
0030  ff ff db fd 00 00 32 33 30 2d 4c 61 73 74 20 75   ......230-Last u
0040  6e 73 75 63 63 65 73 73 66 75 6c 20 6c 6f 67 69   nsuccessful logi
0050  6e 3a 20 4d 6f 6e 20 41 75 67 20 31 30 20 31 35   n: Mon Aug 10 15
0060  3a 35 31 3a 35 32 20 45 53 54 20 32 30 31 35 20   :51:52 EST 2015
0070  6f 6e 20 73 73 68 20 66 72 6f 6d 20 31 30 2e 31   on ssh from 10.1
0080  33 2e 34 36 2e 31 36 32 0d 0a                     3.46.162..

No.
Time Source Destination Protocol Length Info 3146 30.873100000 10.241.209.195 10.241.212.151 FTP 130 Response: 230-Last login: Sun Aug 16 15:24:37 EST 2015 on /dev/pts/0 from lab-hop176 Frame 3146: 130 bytes on wire (1040 bits), 130 bytes captured (1040 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.573403000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.573403000 seconds [Time delta from previous captured frame: 0.000125000 seconds] [Time delta from previous displayed frame: 0.000125000 seconds] [Time since reference or first frame: 30.873100000 seconds] Frame Number: 3146 Frame Length: 130 bytes (1040 bits) Capture Length: 130 bytes (1040 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 116 Identification: 0xe3b9 (58297) Flags: 0x02 (Don't Fragment) 0... .... 
= Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9f7d [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 189, Ack: 25, Len: 76 Source port: ftp (21) Destination port: 34549 (34549) [Stream index: 16] Sequence number: 189 (relative sequence number) [Next sequence number: 265 (relative sequence number)] Acknowledgment number: 25 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xa128 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [Bytes in flight: 160] File Transfer Protocol (FTP) 230-Last login: Sun Aug 16 15:24:37 EST 2015 on /dev/pts/0 from lab-hop176\r\n Response code: User logged in, proceed (230) Response arg: Last login: Sun Aug 16 15:24:37 EST 2015 on /dev/pts/0 from lab-hop176 0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10 .6.A.f.#......E. 0010 00 74 e3 b9 40 00 3b 06 9f 7d 0a f1 d1 c3 0a f1 .t..@.;..}...... 0020 d4 97 00 15 86 f5 7c 61 eb d4 fc d5 9d 5a 50 18 ......|a.....ZP. 
0030 ff ff a1 28 00 00 32 33 30 2d 4c 61 73 74 20 6c ...(..230-Last l 0040 6f 67 69 6e 3a 20 53 75 6e 20 41 75 67 20 31 36 ogin: Sun Aug 16 0050 20 31 35 3a 32 34 3a 33 37 20 45 53 54 20 32 30 15:24:37 EST 20 0060 31 35 20 6f 6e 20 2f 64 65 76 2f 70 74 73 2f 30 15 on /dev/pts/0 0070 20 66 72 6f 6d 20 6c 61 62 2d 68 6f 70 31 37 36 from lab-hop176 0080 0d 0a .. No. Time Source Destination Protocol Length Info 3147 30.873124000 10.241.212.151 10.241.209.195 TCP 54 34549 > ftp [ACK] Seq=25 Ack=265 Win=63976 Len=0 Frame 3147: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.573427000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.573427000 seconds [Time delta from previous captured frame: 0.000024000 seconds] [Time delta from previous displayed frame: 0.000024000 seconds] [Time since reference or first frame: 30.873124000 seconds] Frame Number: 3147 Frame Length: 54 bytes (432 bits) Capture Length: 54 bytes (432 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 40 Identification: 0x0894 (2196) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35ff (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34549 (34549), Dst Port: ftp (21), Seq: 25, Ack: 265, Len: 0 Source port: 34549 (34549) Destination port: ftp (21) [Stream index: 16] Sequence number: 25 (relative sequence number) Acknowledgment number: 265 (relative ack number) Header length: 20 bytes Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 63976 [Calculated window size: 63976] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc57 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3146] [The RTT to ACK the segment was: 0.000024000 seconds] 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 28 08 94 40 00 80 06 00 00 0a f1 d4 97 0a f1 .(..@........... 0020 d1 c3 86 f5 00 15 fc d5 9d 5a 7c 61 ec 20 50 10 .........Z|a. P. 0030 f9 e8 bc 57 00 00 ...W.. No. Time Source Destination Protocol Length Info 3148 30.875615000 10.241.209.195 10.241.212.151 FTP 80 Response: 230 User root logged in. Frame 3148: 80 bytes on wire (640 bits), 80 bytes captured (640 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.575918000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.575918000 seconds [Time delta from previous captured frame: 0.002491000 seconds] [Time delta from previous displayed frame: 0.002491000 seconds] [Time since reference or first frame: 30.875615000 seconds] Frame Number: 3148 Frame Length: 80 bytes (640 bits) Capture Length: 80 bytes (640 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 66 Identification: 0xe3ba (58298) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9fae [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 265, Ack: 25, Len: 26 Source port: ftp (21) Destination port: 34549 (34549) [Stream index: 16] Sequence number: 265 (relative sequence number) [Next sequence number: 291 (relative sequence number)] Acknowledgment number: 25 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0x73a0 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [Bytes in flight: 26] File Transfer Protocol (FTP) 230 User root logged in.\r\n Response code: User logged in, proceed (230) Response arg: User root logged in. 
0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10 .6.A.f.#......E. 0010 00 42 e3 ba 40 00 3b 06 9f ae 0a f1 d1 c3 0a f1 .B..@.;......... 0020 d4 97 00 15 86 f5 7c 61 ec 20 fc d5 9d 5a 50 18 ......|a. ...ZP. 0030 ff ff 73 a0 00 00 32 33 30 20 55 73 65 72 20 72 ..s...230 User r 0040 6f 6f 74 20 6c 6f 67 67 65 64 20 69 6e 2e 0d 0a oot logged in... No. Time Source Destination Protocol Length Info 3149 30.875965000 10.241.212.151 10.241.209.195 FTP 60 Request: SYST Frame 3149: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.576268000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.576268000 seconds [Time delta from previous captured frame: 0.000350000 seconds] [Time delta from previous displayed frame: 0.000350000 seconds] [Time since reference or first frame: 30.875965000 seconds] Frame Number: 3149 Frame Length: 60 bytes (480 bits) Capture Length: 60 bytes (480 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 46 Identification: 0x0895 (2197) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35f8 (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34549 (34549), Dst Port: ftp (21), Seq: 25, Ack: 291, Len: 6 Source port: 34549 (34549) Destination port: ftp (21) [Stream index: 16] Sequence number: 25 (relative sequence number) [Next sequence number: 31 (relative sequence number)] Acknowledgment number: 291 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 63950 [Calculated window size: 63950] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc5d [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3148] [The RTT to ACK the segment was: 0.000350000 seconds] [Bytes in flight: 6] File Transfer Protocol (FTP) SYST\r\n Request command: SYST 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 2e 08 95 40 00 80 06 00 00 0a f1 d4 97 0a f1 ....@........... 0020 d1 c3 86 f5 00 15 fc d5 9d 5a 7c 61 ec 3a 50 18 .........Z|a.:P. 0030 f9 ce bc 5d 00 00 53 59 53 54 0d 0a ...]..SYST.. No. Time Source Destination Protocol Length Info 3150 30.876156000 10.241.209.195 10.241.212.151 FTP 89 Response: 215 UNIX Type: L8 Version: BSD-44 Frame 3150: 89 bytes on wire (712 bits), 89 bytes captured (712 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.576459000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.576459000 seconds [Time delta from previous captured frame: 0.000191000 seconds] [Time delta from previous displayed frame: 0.000191000 seconds] [Time since reference or first frame: 30.876156000 seconds] Frame Number: 3150 Frame Length: 89 bytes (712 bits) Capture Length: 89 bytes (712 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... 
.... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 75 Identification: 0xe3bb (58299) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9fa4 [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 291, Ack: 31, Len: 35 Source port: ftp (21) Destination port: 34549 (34549) [Stream index: 16] Sequence number: 291 (relative sequence number) [Next sequence number: 326 (relative sequence number)] Acknowledgment number: 31 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0x8ce1 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3149] [The RTT to ACK the segment was: 0.000191000 seconds] [Bytes in flight: 35] File Transfer Protocol (FTP) 215 UNIX Type: L8 Version: BSD-44\r\n Response code: NAME system type (215) Response arg: UNIX Type: L8 Version: BSD-44 0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10 .6.A.f.#......E. 0010 00 4b e3 bb 40 00 3b 06 9f a4 0a f1 d1 c3 0a f1 .K..@.;......... 0020 d4 97 00 15 86 f5 7c 61 ec 3a fc d5 9d 60 50 18 ......|a.:...`P. 0030 ff ff 8c e1 00 00 32 31 35 20 55 4e 49 58 20 54 ......215 UNIX T 0040 79 70 65 3a 20 4c 38 20 56 65 72 73 69 6f 6e 3a ype: L8 Version: 0050 20 42 53 44 2d 34 34 0d 0a BSD-44.. No. Time Source Destination Protocol Length Info 3151 30.879823000 10.241.212.151 10.241.209.195 FTP 59 Request: PWD Frame 3151: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.580126000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.580126000 seconds [Time delta from previous captured frame: 0.003667000 seconds] [Time delta from previous displayed frame: 0.003667000 seconds] [Time since reference or first frame: 30.879823000 seconds] Frame Number: 3151 Frame Length: 59 bytes (472 bits) Capture Length: 59 bytes (472 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: 
All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 45 Identification: 0x0896 (2198) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35f8 (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34549 (34549), Dst Port: ftp (21), Seq: 31, Ack: 326, Len: 5 Source port: 34549 (34549) Destination port: ftp (21) [Stream index: 16] Sequence number: 31 (relative sequence number) [Next sequence number: 36 (relative sequence number)] Acknowledgment number: 326 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 
0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 63915 [Calculated window size: 63915] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc5c [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3150] [The RTT to ACK the segment was: 0.003667000 seconds] [Bytes in flight: 5] File Transfer Protocol (FTP) PWD\r\n Request command: PWD 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 2d 08 96 40 00 80 06 00 00 0a f1 d4 97 0a f1 .-..@........... 0020 d1 c3 86 f5 00 15 fc d5 9d 60 7c 61 ec 5d 50 18 .........`|a.]P. 0030 f9 ab bc 5c 00 00 50 57 44 0d 0a ...\..PWD.. No. Time Source Destination Protocol Length Info 3152 30.880116000 10.241.209.195 10.241.212.151 FTP 85 Response: 257 "/" is current directory. Frame 3152: 85 bytes on wire (680 bits), 85 bytes captured (680 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.580419000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.580419000 seconds [Time delta from previous captured frame: 0.000293000 seconds] [Time delta from previous displayed frame: 0.000293000 seconds] [Time since reference or first frame: 30.880116000 seconds] Frame Number: 3152 Frame Length: 85 bytes (680 bits) Capture Length: 85 bytes (680 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... 
.... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 71 Identification: 0xe3bc (58300) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9fa7 [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 326, Ack: 36, Len: 31 Source port: ftp (21) Destination port: 34549 (34549) [Stream index: 16] Sequence number: 326 (relative sequence number) [Next sequence number: 357 (relative sequence number)] Acknowledgment number: 36 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xcd73 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3151] [The RTT to ACK the segment was: 0.000293000 seconds] [Bytes in flight: 31] File Transfer Protocol (FTP) 257 "/" is current directory.\r\n Response code: PATHNAME created (257) Response arg: "/" is current directory. 0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10 .6.A.f.#......E. 0010 00 47 e3 bc 40 00 3b 06 9f a7 0a f1 d1 c3 0a f1 .G..@.;......... 0020 d4 97 00 15 86 f5 7c 61 ec 5d fc d5 9d 65 50 18 ......|a.]...eP. 0030 ff ff cd 73 00 00 32 35 37 20 22 2f 22 20 69 73 ...s..257 "/" is 0040 20 63 75 72 72 65 6e 74 20 64 69 72 65 63 74 6f current directo 0050 72 79 2e 0d 0a ry... No. Time Source Destination Protocol Length Info 3153 30.880530000 10.241.212.151 10.241.209.195 FTP 60 Request: FEAT Frame 3153: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.580833000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.580833000 seconds [Time delta from previous captured frame: 0.000414000 seconds] [Time delta from previous displayed frame: 0.000414000 seconds] [Time since reference or first frame: 30.880530000 seconds] Frame Number: 3153 Frame Length: 60 bytes (480 bits) Capture Length: 60 bytes (480 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 
(00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 46 Identification: 0x0897 (2199) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35f6 (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34549 (34549), Dst Port: ftp (21), Seq: 36, Ack: 357, Len: 6 Source port: 34549 (34549) Destination port: ftp (21) [Stream index: 16] Sequence number: 36 (relative sequence number) [Next sequence number: 42 (relative sequence number)] Acknowledgment number: 357 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... 
= Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 63884 [Calculated window size: 63884] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc5d [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3152] [The RTT to ACK the segment was: 0.000414000 seconds] [Bytes in flight: 6] File Transfer Protocol (FTP) FEAT\r\n Request command: FEAT 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 2e 08 97 40 00 80 06 00 00 0a f1 d4 97 0a f1 ....@........... 0020 d1 c3 86 f5 00 15 fc d5 9d 65 7c 61 ec 7c 50 18 .........e|a.|P. 0030 f9 8c bc 5d 00 00 46 45 41 54 0d 0a ...]..FEAT.. No. Time Source Destination Protocol Length Info 3154 30.880753000 10.241.209.195 10.241.212.151 FTP 91 Response: 500 'FEAT': command not understood. Frame 3154: 91 bytes on wire (728 bits), 91 bytes captured (728 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.581056000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.581056000 seconds [Time delta from previous captured frame: 0.000223000 seconds] [Time delta from previous displayed frame: 0.000223000 seconds] [Time since reference or first frame: 30.880753000 seconds] Frame Number: 3154 Frame Length: 91 bytes (728 bits) Capture Length: 91 bytes (728 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. 
.... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 77 Identification: 0xe3bd (58301) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9fa0 [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 357, Ack: 42, Len: 37 Source port: ftp (21) Destination port: 34549 (34549) [Stream index: 16] Sequence number: 357 (relative sequence number) [Next sequence number: 394 (relative sequence number)] Acknowledgment number: 42 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0x27fd [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3153] [The RTT to ACK the segment was: 0.000223000 seconds] [Bytes in flight: 37] File Transfer Protocol (FTP) 500 'FEAT': command not understood.\r\n Response code: Syntax error, command unrecognized (500) Response arg: 'FEAT': command not understood. 0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10 .6.A.f.#......E. 0010 00 4d e3 bd 40 00 3b 06 9f a0 0a f1 d1 c3 0a f1 .M..@.;......... 0020 d4 97 00 15 86 f5 7c 61 ec 7c fc d5 9d 6b 50 18 ......|a.|...kP. 0030 ff ff 27 fd 00 00 35 30 30 20 27 46 45 41 54 27 ..'...500 'FEAT' 0040 3a 20 63 6f 6d 6d 61 6e 64 20 6e 6f 74 20 75 6e : command not un 0050 64 65 72 73 74 6f 6f 64 2e 0d 0a derstood... No. Time Source Destination Protocol Length Info 3155 30.881169000 10.241.212.151 10.241.209.195 FTP 68 Request: OPTS UTF8 on Frame 3155: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.581472000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.581472000 seconds [Time delta from previous captured frame: 0.000416000 seconds] [Time delta from previous displayed frame: 0.000416000 seconds] [Time since reference or first frame: 30.881169000 seconds] Frame Number: 3155 Frame Length: 68 bytes (544 bits) Capture Length: 68 bytes (544 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: 
IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 54 Identification: 0x0898 (2200) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35ed (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34549 (34549), Dst Port: ftp (21), Seq: 42, Ack: 394, Len: 14 Source port: 34549 (34549) Destination port: ftp (21) [Stream index: 16] Sequence number: 42 (relative sequence number) [Next sequence number: 56 (relative sequence number)] Acknowledgment number: 394 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... 
= Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 63847 [Calculated window size: 63847] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc65 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3154] [The RTT to ACK the segment was: 0.000416000 seconds] [Bytes in flight: 14] File Transfer Protocol (FTP) OPTS UTF8 on\r\n Request command: OPTS Request arg: UTF8 on 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 36 08 98 40 00 80 06 00 00 0a f1 d4 97 0a f1 .6..@........... 0020 d1 c3 86 f5 00 15 fc d5 9d 6b 7c 61 ec a1 50 18 .........k|a..P. 0030 f9 67 bc 65 00 00 4f 50 54 53 20 55 54 46 38 20 .g.e..OPTS UTF8 0040 6f 6e 0d 0a on.. No. Time Source Destination Protocol Length Info 3156 30.881355000 10.241.209.195 10.241.212.151 FTP 99 Response: 500 'OPTS UTF8 on': command not understood. 
Frame 3156: 99 bytes on wire (792 bits), 99 bytes captured (792 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.581658000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.581658000 seconds [Time delta from previous captured frame: 0.000186000 seconds] [Time delta from previous displayed frame: 0.000186000 seconds] [Time since reference or first frame: 30.881355000 seconds] Frame Number: 3156 Frame Length: 99 bytes (792 bits) Capture Length: 99 bytes (792 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 85 Identification: 0xe3be (58302) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... 
= More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9f97 [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 394, Ack: 56, Len: 45 Source port: ftp (21) Destination port: 34549 (34549) [Stream index: 16] Sequence number: 394 (relative sequence number) [Next sequence number: 439 (relative sequence number)] Acknowledgment number: 56 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xf389 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3155] [The RTT to ACK the segment was: 0.000186000 seconds] [Bytes in flight: 45] File Transfer Protocol (FTP) 500 'OPTS UTF8 on': command not understood.\r\n Response code: Syntax error, command unrecognized (500) Response arg: 'OPTS UTF8 on': command not understood. 0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10 .6.A.f.#......E. 0010 00 55 e3 be 40 00 3b 06 9f 97 0a f1 d1 c3 0a f1 .U..@.;......... 0020 d4 97 00 15 86 f5 7c 61 ec a1 fc d5 9d 79 50 18 ......|a.....yP. 0030 ff ff f3 89 00 00 35 30 30 20 27 4f 50 54 53 20 ......500 'OPTS 0040 55 54 46 38 20 6f 6e 27 3a 20 63 6f 6d 6d 61 6e UTF8 on': comman 0050 64 20 6e 6f 74 20 75 6e 64 65 72 73 74 6f 6f 64 d not understood 0060 2e 0d 0a ... No. 
Time Source Destination Protocol Length Info 3157 30.881562000 10.241.212.151 10.241.209.195 FTP 64 Request: REST 100 Frame 3157: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.581865000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.581865000 seconds [Time delta from previous captured frame: 0.000207000 seconds] [Time delta from previous displayed frame: 0.000207000 seconds] [Time since reference or first frame: 30.881562000 seconds] Frame Number: 3157 Frame Length: 64 bytes (512 bits) Capture Length: 64 bytes (512 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 50 Identification: 0x0899 (2201) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35f0 (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34549 (34549), Dst Port: ftp (21), Seq: 56, Ack: 439, Len: 10 Source port: 34549 (34549) Destination port: ftp (21) [Stream index: 16] Sequence number: 56 (relative sequence number) [Next sequence number: 66 (relative sequence number)] Acknowledgment number: 439 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 63802 [Calculated window size: 63802] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc61 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3156] [The RTT to ACK the segment was: 0.000207000 seconds] [Bytes in flight: 10] File Transfer Protocol (FTP) REST 100\r\n Request command: REST Request arg: 100 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 32 08 99 40 00 80 06 00 00 0a f1 d4 97 0a f1 .2..@........... 
0020 d1 c3 86 f5 00 15 fc d5 9d 79 7c 61 ec ce 50 18 .........y|a..P. 0030 f9 3a bc 61 00 00 52 45 53 54 20 31 30 30 0d 0a .:.a..REST 100.. No. Time Source Destination Protocol Length Info 3158 30.881750000 10.241.209.195 10.241.212.151 FTP 122 Response: 350 Restarting at 100 Send STORE or RETRIEVE to initiate transfer. Frame 3158: 122 bytes on wire (976 bits), 122 bytes captured (976 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.582053000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.582053000 seconds [Time delta from previous captured frame: 0.000188000 seconds] [Time delta from previous displayed frame: 0.000188000 seconds] [Time since reference or first frame: 30.881750000 seconds] Frame Number: 3158 Frame Length: 122 bytes (976 bits) Capture Length: 122 bytes (976 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 108 Identification: 0xe3bf (58303) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9f7f [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 439, Ack: 66, Len: 68 Source port: ftp (21) Destination port: 34549 (34549) [Stream index: 16] Sequence number: 439 (relative sequence number) [Next sequence number: 507 (relative sequence number)] Acknowledgment number: 66 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0x7cea [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3157] [The RTT to ACK the segment was: 0.000188000 seconds] [Bytes in flight: 68] File Transfer Protocol (FTP) 350 Restarting at 100 Send STORE or RETRIEVE to initiate transfer.\r\n Response code: Requested file action pending further information (350) Response arg: Restarting at 100 Send STORE or RETRIEVE to initiate transfer. 0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10 .6.A.f.#......E. 0010 00 6c e3 bf 40 00 3b 06 9f 7f 0a f1 d1 c3 0a f1 .l..@.;......... 
0020 d4 97 00 15 86 f5 7c 61 ec ce fc d5 9d 83 50 18 ......|a......P. 0030 ff ff 7c ea 00 00 33 35 30 20 52 65 73 74 61 72 ..|...350 Restar 0040 74 69 6e 67 20 61 74 20 31 30 30 20 53 65 6e 64 ting at 100 Send 0050 20 53 54 4f 52 45 20 6f 72 20 52 45 54 52 49 45 STORE or RETRIE 0060 56 45 20 74 6f 20 69 6e 69 74 69 61 74 65 20 74 VE to initiate t 0070 72 61 6e 73 66 65 72 2e 0d 0a ransfer... No. Time Source Destination Protocol Length Info 3159 30.882078000 10.241.212.151 10.241.209.195 FTP 62 Request: REST 0 Frame 3159: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.582381000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.582381000 seconds [Time delta from previous captured frame: 0.000328000 seconds] [Time delta from previous displayed frame: 0.000328000 seconds] [Time since reference or first frame: 30.882078000 seconds] Frame Number: 3159 Frame Length: 62 bytes (496 bits) Capture Length: 62 bytes (496 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 48 Identification: 0x089a (2202) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35f1 (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34549 (34549), Dst Port: ftp (21), Seq: 66, Ack: 507, Len: 8 Source port: 34549 (34549) Destination port: ftp (21) [Stream index: 16] Sequence number: 66 (relative sequence number) [Next sequence number: 74 (relative sequence number)] Acknowledgment number: 507 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 63734 [Calculated window size: 63734] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc5f [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3158] [The RTT to ACK the segment was: 0.000328000 seconds] [Bytes in flight: 8] File Transfer Protocol (FTP) REST 0\r\n Request command: REST Request arg: 0 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 30 08 9a 40 00 80 06 00 00 0a f1 d4 97 0a f1 .0..@........... 0020 d1 c3 86 f5 00 15 fc d5 9d 83 7c 61 ed 12 50 18 ..........|a..P. 0030 f8 f6 bc 5f 00 00 52 45 53 54 20 30 0d 0a ..._..REST 0.. No. Time Source Destination Protocol Length Info 3160 30.882241000 10.241.209.195 10.241.212.151 FTP 120 Response: 350 Restarting at 0 Send STORE or RETRIEVE to initiate transfer. Frame 3160: 120 bytes on wire (960 bits), 120 bytes captured (960 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.582544000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.582544000 seconds [Time delta from previous captured frame: 0.000163000 seconds] [Time delta from previous displayed frame: 0.000163000 seconds] [Time since reference or first frame: 30.882241000 seconds] Frame Number: 3160 Frame Length: 120 bytes (960 bits) Capture Length: 120 bytes (960 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 106 Identification: 0xe3c0 (58304) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9f80 [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 507, Ack: 74, Len: 66 Source port: ftp (21) Destination port: 34549 (34549) [Stream index: 16] Sequence number: 507 (relative sequence number) [Next sequence number: 573 (relative sequence number)] Acknowledgment number: 74 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xadd0 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3159] [The RTT to ACK the segment was: 0.000163000 seconds] [Bytes in flight: 66] File Transfer Protocol (FTP) 350 Restarting at 0 Send STORE or RETRIEVE to initiate transfer.\r\n Response code: Requested file action pending further information (350) Response arg: Restarting at 0 Send STORE or RETRIEVE to initiate transfer. 0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10 .6.A.f.#......E. 0010 00 6a e3 c0 40 00 3b 06 9f 80 0a f1 d1 c3 0a f1 .j..@.;......... 0020 d4 97 00 15 86 f5 7c 61 ed 12 fc d5 9d 8b 50 18 ......|a......P. 0030 ff ff ad d0 00 00 33 35 30 20 52 65 73 74 61 72 ......350 Restar 0040 74 69 6e 67 20 61 74 20 30 20 53 65 6e 64 20 53 ting at 0 Send S 0050 54 4f 52 45 20 6f 72 20 52 45 54 52 49 45 56 45 TORE or RETRIEVE 0060 20 74 6f 20 69 6e 69 74 69 61 74 65 20 74 72 61 to initiate tra 0070 6e 73 66 65 72 2e 0d 0a nsfer... No. 
Time Source Destination Protocol Length Info 3161 30.882388000 10.241.212.151 10.241.209.195 FTP 60 Request: PASV Frame 3161: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.582691000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.582691000 seconds [Time delta from previous captured frame: 0.000147000 seconds] [Time delta from previous displayed frame: 0.000147000 seconds] [Time since reference or first frame: 30.882388000 seconds] Frame Number: 3161 Frame Length: 60 bytes (480 bits) Capture Length: 60 bytes (480 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 46 Identification: 0x089b (2203) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35f2 (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34549 (34549), Dst Port: ftp (21), Seq: 74, Ack: 573, Len: 6 Source port: 34549 (34549) Destination port: ftp (21) [Stream index: 16] Sequence number: 74 (relative sequence number) [Next sequence number: 80 (relative sequence number)] Acknowledgment number: 573 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 63668 [Calculated window size: 63668] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc5d [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3160] [The RTT to ACK the segment was: 0.000147000 seconds] [Bytes in flight: 6] File Transfer Protocol (FTP) PASV\r\n Request command: PASV 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 2e 08 9b 40 00 80 06 00 00 0a f1 d4 97 0a f1 ....@........... 
0020 d1 c3 86 f5 00 15 fc d5 9d 8b 7c 61 ed 54 50 18 ..........|a.TP. 0030 f8 b4 bc 5d 00 00 50 41 53 56 0d 0a ...]..PASV.. No. Time Source Destination Protocol Length Info 3162 30.882626000 10.241.209.195 10.241.212.151 FTP 105 Response: 227 Entering Passive Mode (10,241,209,195,137,88) Frame 3162: 105 bytes on wire (840 bits), 105 bytes captured (840 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.582929000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.582929000 seconds [Time delta from previous captured frame: 0.000238000 seconds] [Time delta from previous displayed frame: 0.000238000 seconds] [Time since reference or first frame: 30.882626000 seconds] Frame Number: 3162 Frame Length: 105 bytes (840 bits) Capture Length: 105 bytes (840 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 91 Identification: 0xe3c1 (58305) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9f8e [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 573, Ack: 80, Len: 51 Source port: ftp (21) Destination port: 34549 (34549) [Stream index: 16] Sequence number: 573 (relative sequence number) [Next sequence number: 624 (relative sequence number)] Acknowledgment number: 80 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xa2b4 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3161] [The RTT to ACK the segment was: 0.000238000 seconds] [Bytes in flight: 51] File Transfer Protocol (FTP) 227 Entering Passive Mode (10,241,209,195,137,88)\r\n Response code: Entering Passive Mode (227) Response arg: Entering Passive Mode (10,241,209,195,137,88) Passive IP address: 10.241.209.195 (10.241.209.195) Passive port: 35160 0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10 .6.A.f.#......E. 0010 00 5b e3 c1 40 00 3b 06 9f 8e 0a f1 d1 c3 0a f1 .[..@.;......... 
0020 d4 97 00 15 86 f5 7c 61 ed 54 fc d5 9d 91 50 18 ......|a.T....P. 0030 ff ff a2 b4 00 00 32 32 37 20 45 6e 74 65 72 69 ......227 Enteri 0040 6e 67 20 50 61 73 73 69 76 65 20 4d 6f 64 65 20 ng Passive Mode 0050 28 31 30 2c 32 34 31 2c 32 30 39 2c 31 39 35 2c (10,241,209,195, 0060 31 33 37 2c 38 38 29 0d 0a 137,88).. No. Time Source Destination Protocol Length Info 3163 30.883036000 10.241.212.151 10.241.209.195 FTP 60 Request: LIST Frame 3163: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.583339000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.583339000 seconds [Time delta from previous captured frame: 0.000410000 seconds] [Time delta from previous displayed frame: 0.000410000 seconds] [Time since reference or first frame: 30.883036000 seconds] Frame Number: 3163 Frame Length: 60 bytes (480 bits) Capture Length: 60 bytes (480 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 46 Identification: 0x089c (2204) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35f1 (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34549 (34549), Dst Port: ftp (21), Seq: 80, Ack: 624, Len: 6 Source port: 34549 (34549) Destination port: ftp (21) [Stream index: 16] Sequence number: 80 (relative sequence number) [Next sequence number: 86 (relative sequence number)] Acknowledgment number: 624 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 63617 [Calculated window size: 63617] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc5d [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3162] [The RTT to ACK the segment was: 0.000410000 seconds] [Bytes in flight: 6] File Transfer Protocol (FTP) LIST\r\n Request command: LIST 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 2e 08 9c 40 00 80 06 00 00 0a f1 d4 97 0a f1 ....@........... 0020 d1 c3 86 f5 00 15 fc d5 9d 91 7c 61 ed 87 50 18 ..........|a..P. 0030 f8 81 bc 5d 00 00 4c 49 53 54 0d 0a ...]..LIST.. No. Time Source Destination Protocol Length Info 3164 30.883415000 10.241.212.151 10.241.209.195 TCP 66 34550 > 35160 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 Frame 3164: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.583718000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.583718000 seconds [Time delta from previous captured frame: 0.000379000 seconds] [Time delta from previous displayed frame: 0.000379000 seconds] [Time since reference or first frame: 30.883415000 seconds] Frame Number: 3164 Frame Length: 66 bytes (528 bits) Capture Length: 66 bytes (528 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... 
= LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 52 Identification: 0x089d (2205) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35ea (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34550 (34550), Dst Port: 35160 (35160), Seq: 0, Len: 0 Source port: 34550 (34550) Destination port: 35160 (35160) [Stream index: 17] Sequence number: 0 (relative sequence number) Header length: 32 bytes Flags: 0x002 (SYN) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...0 .... = Acknowledgment: Not set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..1. 
= Syn: Set [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 35160] [Message: Connection establish request (SYN): server port 35160] [Severity level: Chat] [Group: Sequence] .... .... ...0 = Fin: Not set Window size value: 8192 [Calculated window size: 8192] Checksum: 0xbc63 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted Maximum segment size: 1460 bytes Kind: MSS size (2) Length: 4 MSS Value: 1460 No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Window scale: 2 (multiply by 4) Kind: Window Scale (3) Length: 3 Shift count: 2 [Multiplier: 4] No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) TCP SACK Permitted Option: True Kind: SACK Permission (4) Length: 2 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 34 08 9d 40 00 80 06 00 00 0a f1 d4 97 0a f1 .4..@........... 0020 d1 c3 86 f6 89 58 7d 7f 3f ee 00 00 00 00 80 02 .....X}.?....... 0030 20 00 bc 63 00 00 02 04 05 b4 01 03 03 02 01 01 ..c............ 0040 04 02 .. No. 
Time Source Destination Protocol Length Info 3165 30.883637000 10.241.209.195 10.241.212.151 TCP 60 35160 > 34550 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 Frame 3165: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.583940000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.583940000 seconds [Time delta from previous captured frame: 0.000222000 seconds] [Time delta from previous displayed frame: 0.000222000 seconds] [Time since reference or first frame: 30.883637000 seconds] Frame Number: 3165 Frame Length: 60 bytes (480 bits) Capture Length: 60 bytes (480 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: TCP SYN/FIN] [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Padding: 0000 Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 44 Identification: 0xe3c2 (58306) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9fcc [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 35160 (35160), Dst Port: 34550 (34550), Seq: 0, Ack: 1, Len: 0 Source port: 35160 (35160) Destination port: 34550 (34550) [Stream index: 17] Sequence number: 0 (relative sequence number) Acknowledgment number: 1 (relative ack number) Header length: 24 bytes Flags: 0x012 (SYN, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..1. = Syn: Set [Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port 35160] [Message: Connection establish acknowledge (SYN+ACK): server port 35160] [Severity level: Chat] [Group: Sequence] .... .... ...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] Checksum: 0x6d95 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Options: (4 bytes), Maximum segment size Maximum segment size: 1460 bytes Kind: MSS size (2) Length: 4 MSS Value: 1460 [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3164] [The RTT to ACK the segment was: 0.000222000 seconds] 0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 00 .6.A.f.#......E. 0010 00 2c e3 c2 40 00 3b 06 9f cc 0a f1 d1 c3 0a f1 .,..@.;......... 0020 d4 97 89 58 86 f6 76 5c 2a 2a 7d 7f 3f ef 60 12 ...X..v\**}.?.`. 
0030 ff ff 6d 95 00 00 02 04 05 b4 00 00 ..m......... No. Time Source Destination Protocol Length Info 3166 30.883668000 10.241.212.151 10.241.209.195 TCP 54 34550 > 35160 [ACK] Seq=1 Ack=1 Win=64240 Len=0 Frame 3166: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.583971000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.583971000 seconds [Time delta from previous captured frame: 0.000031000 seconds] [Time delta from previous displayed frame: 0.000031000 seconds] [Time since reference or first frame: 30.883668000 seconds] Frame Number: 3166 Frame Length: 54 bytes (432 bits) Capture Length: 54 bytes (432 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. 
= Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 40 Identification: 0x089e (2206) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35f5 (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34550 (34550), Dst Port: 35160 (35160), Seq: 1, Ack: 1, Len: 0 Source port: 34550 (34550) Destination port: 35160 (35160) [Stream index: 17] Sequence number: 1 (relative sequence number) Acknowledgment number: 1 (relative ack number) Header length: 20 bytes Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 64240 [Calculated window size: 64240] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc57 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3165] [The RTT to ACK the segment was: 0.000031000 seconds] 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 28 08 9e 40 00 80 06 00 00 0a f1 d4 97 0a f1 .(..@........... 0020 d1 c3 86 f6 89 58 7d 7f 3f ef 76 5c 2a 2b 50 10 .....X}.?.v\*+P. 0030 fa f0 bc 57 00 00 ...W.. No. 
Time Source Destination Protocol Length Info 3167 30.884758000 10.241.209.195 10.241.212.151 FTP 96 Response: 150 Opening data connection for /bin/ls. Frame 3167: 96 bytes on wire (768 bits), 96 bytes captured (768 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.585061000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.585061000 seconds [Time delta from previous captured frame: 0.001090000 seconds] [Time delta from previous displayed frame: 0.001090000 seconds] [Time since reference or first frame: 30.884758000 seconds] Frame Number: 3167 Frame Length: 96 bytes (768 bits) Capture Length: 96 bytes (768 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 82 Identification: 0xe3c3 (58307) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... 
= Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9f95 [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 624, Ack: 86, Len: 42 Source port: ftp (21) Destination port: 34549 (34549) [Stream index: 16] Sequence number: 624 (relative sequence number) [Next sequence number: 666 (relative sequence number)] Acknowledgment number: 86 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0x4e3e [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3163] [The RTT to ACK the segment was: 0.001722000 seconds] [Bytes in flight: 42] File Transfer Protocol (FTP) 150 Opening data connection for /bin/ls.\r\n Response code: File status okay; about to open data connection (150) Response arg: Opening data connection for /bin/ls. 0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10 .6.A.f.#......E. 0010 00 52 e3 c3 40 00 3b 06 9f 95 0a f1 d1 c3 0a f1 .R..@.;......... 0020 d4 97 00 15 86 f5 7c 61 ed 87 fc d5 9d 97 50 18 ......|a......P. 0030 ff ff 4e 3e 00 00 31 35 30 20 4f 70 65 6e 69 6e ..N>..150 Openin 0040 67 20 64 61 74 61 20 63 6f 6e 6e 65 63 74 69 6f g data connectio 0050 6e 20 66 6f 72 20 2f 62 69 6e 2f 6c 73 2e 0d 0a n for /bin/ls... No. 
Time Source Destination Protocol Length Info 3168 30.918853000 10.241.209.195 10.241.212.151 FTP-DATA 140 FTP Data: 86 bytes Frame 3168: 140 bytes on wire (1120 bits), 140 bytes captured (1120 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.619156000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.619156000 seconds [Time delta from previous captured frame: 0.034095000 seconds] [Time delta from previous displayed frame: 0.034095000 seconds] [Time since reference or first frame: 30.918853000 seconds] Frame Number: 3168 Frame Length: 140 bytes (1120 bits) Capture Length: 140 bytes (1120 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp-data] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 126 Identification: 0xe3c7 (58311) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. 
.... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9f65 [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 35160 (35160), Dst Port: 34550 (34550), Seq: 1, Ack: 1, Len: 86 Source port: 35160 (35160) Destination port: 34550 (34550) [Stream index: 17] Sequence number: 1 (relative sequence number) [Next sequence number: 87 (relative sequence number)] Acknowledgment number: 1 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0x7b90 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [Bytes in flight: 86] FTP Data (total 1915\r\ndrwxrwxr-x 2 root system 256 Oct 10 2013 .InstallAnywhere) 0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10 .6.A.f.#......E. 0010 00 7e e3 c7 40 00 3b 06 9f 65 0a f1 d1 c3 0a f1 .~..@.;..e...... 0020 d4 97 89 58 86 f6 76 5c 2a 2b 7d 7f 3f ef 50 18 ...X..v\*+}.?.P. 0030 ff ff 7b 90 00 00 74 6f 74 61 6c 20 31 39 31 35 ..{...total 1915 0040 0d 0a 64 72 77 78 72 77 78 72 2d 78 20 20 20 20 ..drwxrwxr-x 0050 32 20 72 6f 6f 74 20 20 20 20 20 73 79 73 74 65 2 root syste 0060 6d 20 20 20 20 20 20 20 20 20 20 32 35 36 20 4f m 256 O 0070 63 74 20 31 30 20 32 30 31 33 20 20 2e 49 6e 73 ct 10 2013 .Ins 0080 74 61 6c 6c 41 6e 79 77 68 65 72 65 tallAnywhere No. 
Time Source Destination Protocol Length Info 3169 30.920410000 10.241.209.195 10.241.212.151 FTP-DATA 1514 FTP Data: 1460 bytes Frame 3169: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.620713000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.620713000 seconds [Time delta from previous captured frame: 0.001557000 seconds] [Time delta from previous displayed frame: 0.001557000 seconds] [Time since reference or first frame: 30.920410000 seconds] Frame Number: 3169 Frame Length: 1514 bytes (12112 bits) Capture Length: 1514 bytes (12112 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp-data] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 1500 Identification: 0xe3c8 (58312) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... 
= Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9a06 [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 35160 (35160), Dst Port: 34550 (34550), Seq: 87, Ack: 1, Len: 1460 Source port: 35160 (35160) Destination port: 34550 (34550) [Stream index: 17] Sequence number: 87 (relative sequence number) [Next sequence number: 1547 (relative sequence number)] Acknowledgment number: 1 (relative ack number) Header length: 20 bytes Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xff6c [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [Bytes in flight: 1546] FTP Data (1460 bytes data)
No. Time Source Destination Protocol Length Info 3170 30.920431000 10.241.212.151 10.241.209.195 TCP 54 34550 > 35160 [ACK] Seq=1 Ack=1547 Win=64240 Len=0 Frame 3170: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.620734000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.620734000 seconds [Time delta from previous captured frame: 0.000021000 seconds] [Time delta from previous displayed frame: 0.000021000 seconds] [Time since reference or first frame: 30.920431000 seconds] Frame Number: 3170 Frame Length: 54 bytes (432 bits) Capture Length: 54 bytes (432 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00..
= Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 40 Identification: 0x089f (2207) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35f4 (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34550 (34550), Dst Port: 35160 (35160), Seq: 1, Ack: 1547, Len: 0 Source port: 34550 (34550) Destination port: 35160 (35160) [Stream index: 17] Sequence number: 1 (relative sequence number) Acknowledgment number: 1547 (relative ack number) Header length: 20 bytes Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 64240 [Calculated window size: 64240] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc57 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3169] [The RTT to ACK the segment was: 0.000021000 seconds] 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 28 08 9f 40 00 80 06 00 00 0a f1 d4 97 0a f1 .(..@........... 0020 d1 c3 86 f6 89 58 7d 7f 3f ef 76 5c 30 35 50 10 .....X}.?.v\05P. 0030 fa f0 bc 57 00 00 ...W.. No. 
Time Source Destination Protocol Length Info 3171 30.920586000 10.241.209.195 10.241.212.151 FTP-DATA 99 FTP Data: 45 bytes Frame 3171: 99 bytes on wire (792 bits), 99 bytes captured (792 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.620889000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.620889000 seconds [Time delta from previous captured frame: 0.000155000 seconds] [Time delta from previous displayed frame: 0.000155000 seconds] [Time since reference or first frame: 30.920586000 seconds] Frame Number: 3171 Frame Length: 99 bytes (792 bits) Capture Length: 99 bytes (792 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp-data] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 85 Identification: 0xe3c9 (58313) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... 
= More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9f8c [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 35160 (35160), Dst Port: 34550 (34550), Seq: 1547, Ack: 1, Len: 45 Source port: 35160 (35160) Destination port: 34550 (34550) [Stream index: 17] Sequence number: 1547 (relative sequence number) [Next sequence number: 1592 (relative sequence number)] Acknowledgment number: 1 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0x30f6 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [Bytes in flight: 45] FTP Data ( system 256 Dec 10 2010 WORKSPACE) No.
Time Source Destination Protocol Length Info 3172 30.922455000 10.241.209.195 10.241.212.151 FTP-DATA 1514 FTP Data: 1460 bytes Frame 3172: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.622758000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.622758000 seconds [Time delta from previous captured frame: 0.001869000 seconds] [Time delta from previous displayed frame: 0.001869000 seconds] [Time since reference or first frame: 30.922455000 seconds] Frame Number: 3172 Frame Length: 1514 bytes (12112 bits) Capture Length: 1514 bytes (12112 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp-data] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 1500 Identification: 0xe3ca (58314) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... 
= Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9a04 [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 35160 (35160), Dst Port: 34550 (34550), Seq: 1592, Ack: 1, Len: 1460 Source port: 35160 (35160) Destination port: 34550 (34550) [Stream index: 17] Sequence number: 1592 (relative sequence number) [Next sequence number: 3052 (relative sequence number)] Acknowledgment number: 1 (relative ack number) Header length: 20 bytes Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xc7ef [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [Bytes in flight: 1505] FTP Data (1460 bytes data)
No. Time Source Destination Protocol Length Info 3173 30.922470000 10.241.212.151 10.241.209.195 TCP 54 34550 > 35160 [ACK] Seq=1 Ack=3052 Win=64240 Len=0 Frame 3173: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.622773000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.622773000 seconds [Time delta from previous captured frame: 0.000015000 seconds] [Time delta from previous displayed frame: 0.000015000 seconds] [Time since reference or first frame: 30.922470000 seconds] Frame Number: 3173 Frame Length: 54 bytes (432 bits) Capture Length: 54 bytes (432 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... ....
= IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 40 Identification: 0x08a0 (2208) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35f3 (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34550 (34550), Dst Port: 35160 (35160), Seq: 1, Ack: 3052, Len: 0 Source port: 34550 (34550) Destination port: 35160 (35160) [Stream index: 17] Sequence number: 1 (relative sequence number) Acknowledgment number: 3052 (relative ack number) Header length: 20 bytes Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 64240 [Calculated window size: 64240] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc57 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3172] [The RTT to ACK the segment was: 0.000015000 seconds] 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 28 08 a0 40 00 80 06 00 00 0a f1 d4 97 0a f1 .(..@........... 0020 d1 c3 86 f6 89 58 7d 7f 3f ef 76 5c 36 16 50 10 .....X}.?.v\6.P. 0030 fa f0 bc 57 00 00 ...W.. No. Time Source Destination Protocol Length Info 3174 30.922731000 10.241.209.195 10.241.212.151 FTP-DATA 277 FTP Data: 223 bytes Frame 3174: 277 bytes on wire (2216 bits), 277 bytes captured (2216 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.623034000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.623034000 seconds [Time delta from previous captured frame: 0.000261000 seconds] [Time delta from previous displayed frame: 0.000261000 seconds] [Time since reference or first frame: 30.922731000 seconds] Frame Number: 3174 Frame Length: 277 bytes (2216 bits) Capture Length: 277 bytes (2216 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp-data] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 263 Identification: 0xe3cb (58315) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9ed8 [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 35160 (35160), Dst Port: 34550 (34550), Seq: 3052, Ack: 1, Len: 223 Source port: 35160 (35160) Destination port: 34550 (34550) [Stream index: 17] Sequence number: 3052 (relative sequence number) [Next sequence number: 3275 (relative sequence number)] Acknowledgment number: 1 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xa2a2 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [Bytes in flight: 223] FTP Data (223 bytes data)
No. Time Source Destination Protocol Length Info 3175 30.922745000 10.241.209.195 10.241.212.151 FTP 78 Response: 226 Transfer complete.
Frame 3175: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.623048000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.623048000 seconds [Time delta from previous captured frame: 0.000014000 seconds] [Time delta from previous displayed frame: 0.000014000 seconds] [Time since reference or first frame: 30.922745000 seconds] Frame Number: 3175 Frame Length: 78 bytes (624 bits) Capture Length: 78 bytes (624 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 64 Identification: 0xe3cc (58316) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... 
= More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9f9e [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34549 (34549), Seq: 666, Ack: 86, Len: 24 Source port: ftp (21) Destination port: 34549 (34549) [Stream index: 16] Sequence number: 666 (relative sequence number) [Next sequence number: 690 (relative sequence number)] Acknowledgment number: 86 (relative ack number) Header length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0x98f6 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [Bytes in flight: 66] File Transfer Protocol (FTP) 226 Transfer complete.\r\n Response code: Closing data connection (226) Response arg: Transfer complete. 0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10 .6.A.f.#......E. 0010 00 40 e3 cc 40 00 3b 06 9f 9e 0a f1 d1 c3 0a f1 .@..@.;......... 0020 d4 97 00 15 86 f5 7c 61 ed b1 fc d5 9d 97 50 18 ......|a......P. 0030 ff ff 98 f6 00 00 32 32 36 20 54 72 61 6e 73 66 ......226 Transf 0040 65 72 20 63 6f 6d 70 6c 65 74 65 2e 0d 0a er complete... No. 
Time Source Destination Protocol Length Info 3176 30.922765000 10.241.212.151 10.241.209.195 TCP 54 34549 > ftp [ACK] Seq=86 Ack=690 Win=63551 Len=0 Frame 3176: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.623068000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.623068000 seconds [Time delta from previous captured frame: 0.000020000 seconds] [Time delta from previous displayed frame: 0.000020000 seconds] [Time since reference or first frame: 30.922765000 seconds] Frame Number: 3176 Frame Length: 54 bytes (432 bits) Capture Length: 54 bytes (432 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 40 Identification: 0x08a1 (2209) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35f2 (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34549 (34549), Dst Port: ftp (21), Seq: 86, Ack: 690, Len: 0 Source port: 34549 (34549) Destination port: ftp (21) [Stream index: 16] Sequence number: 86 (relative sequence number) Acknowledgment number: 690 (relative ack number) Header length: 20 bytes Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 63551 [Calculated window size: 63551] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc57 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3175] [The RTT to ACK the segment was: 0.000020000 seconds] 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 28 08 a1 40 00 80 06 00 00 0a f1 d4 97 0a f1 .(..@........... 0020 d1 c3 86 f5 00 15 fc d5 9d 97 7c 61 ed c9 50 10 ..........|a..P. 0030 f8 3f bc 57 00 00 .?.W.. No. 
Time Source Destination Protocol Length Info 3177 30.922887000 10.241.209.195 10.241.212.151 FTP-DATA 119 FTP Data: 65 bytes Frame 3177: 119 bytes on wire (952 bits), 119 bytes captured (952 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.623190000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.623190000 seconds [Time delta from previous captured frame: 0.000122000 seconds] [Time delta from previous displayed frame: 0.000122000 seconds] [Time since reference or first frame: 30.922887000 seconds] Frame Number: 3177 Frame Length: 119 bytes (952 bits) Capture Length: 119 bytes (952 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:ftp-data] [Coloring Rule Name: TCP SYN/FIN] [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 105 Identification: 0xe3cd (58317) Flags: 0x02 (Don't Fragment) 0... .... 
= Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9f74 [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 35160 (35160), Dst Port: 34550 (34550), Seq: 3275, Ack: 1, Len: 65 Source port: 35160 (35160) Destination port: 34550 (34550) [Stream index: 17] Sequence number: 3275 (relative sequence number) [Next sequence number: 3340 (relative sequence number)] Acknowledgment number: 1 (relative ack number) Header length: 20 bytes Flags: 0x019 (FIN, PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...1 = Fin: Set [Expert Info (Chat/Sequence): Connection finish (FIN)] [Message: Connection finish (FIN)] [Severity level: Chat] [Group: Sequence] Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xfd58 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [Bytes in flight: 289] FTP Data (65 bytes data) 0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10 .6.A.f.#......E. 0010 00 69 e3 cd 40 00 3b 06 9f 74 0a f1 d1 c3 0a f1 .i..@.;..t...... 0020 d4 97 89 58 86 f6 76 5c 36 f5 7d 7f 3f ef 50 19 ...X..v\6.}.?.P. 0030 ff ff fd 58 00 00 0d 0a 64 72 77 78 72 2d 78 72 ...X....drwxr-xr 0040 2d 78 20 20 20 33 33 20 72 6f 6f 74 20 20 20 20 -x 33 root 0050 20 73 79 73 74 65 6d 20 20 20 20 20 20 20 20 20 system 0060 34 30 39 36 20 41 75 67 20 31 33 20 31 33 3a 31 4096 Aug 13 13:1 0070 34 20 76 61 72 0d 0a 4 var.. No. 
Time Source Destination Protocol Length Info 3178 30.922908000 10.241.212.151 10.241.209.195 TCP 54 34550 > 35160 [ACK] Seq=1 Ack=3341 Win=63952 Len=0 Frame 3178: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.623211000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.623211000 seconds [Time delta from previous captured frame: 0.000021000 seconds] [Time delta from previous displayed frame: 0.000021000 seconds] [Time since reference or first frame: 30.922908000 seconds] Frame Number: 3178 Frame Length: 54 bytes (432 bits) Capture Length: 54 bytes (432 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 40 Identification: 0x08a2 (2210) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35f1 (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34550 (34550), Dst Port: 35160 (35160), Seq: 1, Ack: 3341, Len: 0 Source port: 34550 (34550) Destination port: 35160 (35160) [Stream index: 17] Sequence number: 1 (relative sequence number) Acknowledgment number: 3341 (relative ack number) Header length: 20 bytes Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 63952 [Calculated window size: 63952] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc57 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3177] [The RTT to ACK the segment was: 0.000021000 seconds] 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 28 08 a2 40 00 80 06 00 00 0a f1 d4 97 0a f1 .(..@........... 0020 d1 c3 86 f6 89 58 7d 7f 3f ef 76 5c 37 37 50 10 .....X}.?.v\77P. 0030 f9 d0 bc 57 00 00 ...W.. No. 
Time Source Destination Protocol Length Info 3179 30.922954000 10.241.212.151 10.241.209.195 TCP 54 34550 > 35160 [FIN, ACK] Seq=1 Ack=3341 Win=63952 Len=0 Frame 3179: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.623257000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.623257000 seconds [Time delta from previous captured frame: 0.000046000 seconds] [Time delta from previous displayed frame: 0.000046000 seconds] [Time since reference or first frame: 30.922954000 seconds] Frame Number: 3179 Frame Length: 54 bytes (432 bits) Capture Length: 54 bytes (432 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: IntelCor_41:cf:66 (a0:36:9f:41:cf:66), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01) Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01) Address: All-HSRP-routers_01 (00:00:0c:07:ac:01) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.241.212.151 (10.241.212.151), Dst: 10.241.209.195 (10.241.209.195) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 40 Identification: 0x08a3 (2211) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x0000 [incorrect, should be 0x35f0 (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 10.241.212.151 (10.241.212.151) Destination: 10.241.209.195 (10.241.209.195) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 34550 (34550), Dst Port: 35160 (35160), Seq: 1, Ack: 3341, Len: 0 Source port: 34550 (34550) Destination port: 35160 (35160) [Stream index: 17] Sequence number: 1 (relative sequence number) Acknowledgment number: 3341 (relative ack number) Header length: 20 bytes Flags: 0x011 (FIN, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...1 = Fin: Set [Expert Info (Chat/Sequence): Connection finish (FIN)] [Message: Connection finish (FIN)] [Severity level: Chat] [Group: Sequence] Window size value: 63952 [Calculated window size: 63952] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0xbc57 [validation disabled] [Good Checksum: False] [Bad Checksum: False] 0000 00 00 0c 07 ac 01 a0 36 9f 41 cf 66 08 00 45 00 .......6.A.f..E. 0010 00 28 08 a3 40 00 80 06 00 00 0a f1 d4 97 0a f1 .(..@........... 0020 d1 c3 86 f6 89 58 7d 7f 3f ef 76 5c 37 37 50 11 .....X}.?.v\77P. 0030 f9 d0 bc 57 00 00 ...W.. No. 
Time Source Destination Protocol Length Info 3180 30.923162000 10.241.209.195 10.241.212.151 TCP 60 35160 > 34550 [ACK] Seq=3341 Ack=2 Win=65535 Len=0 Frame 3180: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Aug 17, 2015 08:01:10.623465000 Eastern Daylight Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1439812870.623465000 seconds [Time delta from previous captured frame: 0.000208000 seconds] [Time delta from previous displayed frame: 0.000208000 seconds] [Time since reference or first frame: 30.923162000 seconds] Frame Number: 3180 Frame Length: 60 bytes (480 bits) Capture Length: 60 bytes (480 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Cisco_88:04:00 (00:23:ac:88:04:00), Dst: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Destination: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) Address: IntelCor_41:cf:66 (a0:36:9f:41:cf:66) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_88:04:00 (00:23:ac:88:04:00) Address: Cisco_88:04:00 (00:23:ac:88:04:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Padding: 000000000000 Internet Protocol Version 4, Src: 10.241.209.195 (10.241.209.195), Dst: 10.241.212.151 (10.241.212.151) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 40 Identification: 0xe3ce (58318) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. 
.... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 59 Protocol: TCP (6) Header checksum: 0x9fb4 [correct] [Good: True] [Bad: False] Source: 10.241.209.195 (10.241.209.195) Destination: 10.241.212.151 (10.241.212.151) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 35160 (35160), Dst Port: 34550 (34550), Seq: 3341, Ack: 2, Len: 0 Source port: 35160 (35160) Destination port: 34550 (34550) [Stream index: 17] Sequence number: 3341 (relative sequence number) Acknowledgment number: 2 (relative ack number) Header length: 20 bytes Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 65535 [Calculated window size: 65535] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0x7845 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 3179] [The RTT to ACK the segment was: 0.000208000 seconds] 0000 a0 36 9f 41 cf 66 00 23 ac 88 04 00 08 00 45 10 .6.A.f.#......E. 0010 00 28 e3 ce 40 00 3b 06 9f b4 0a f1 d1 c3 0a f1 .(..@.;......... 0020 d4 97 89 58 86 f6 76 5c 37 37 7d 7f 3f f0 50 10 ...X..v\77}.?.P. 0030 ff ff 78 45 00 00 00 00 00 00 00 00 ..xE........