# Day 17

Learning Objectives

* Gain knowledge of the network traffic data format
* Understand the differences between full packet captures and network flows
* Learn how to process network flow data
* Discover the SiLK tool suite
* Gain hands-on experience in network flow analysis with SiLK

This room is again a very straightforward one: every command is given in the task text, so we just follow along, run it, and read the answer off the output.

```
Which version of SiLK is installed on the VM?
[REDACTED]

ubuntu@ip-10-10-191-161:~/Desktop$ silk_config -v
[REDACTED]
    * Root of packed data tree:         /var/silk/data
    * Packing logic:                    Run-time plug-in
    * Timezone support:                 UTC
    * Available compression methods:    lzo1x [default], none, zlib
    * IPv6 network connections:         yes
    * IPv6 flow record support:         yes
    * IPset record compatibility:       3.14.0
    * IPFIX/NetFlow9/sFlow collection:  ipfix,netflow9,sflow
    * Transport encryption:             GnuTLS
    * PySiLK support:                   /usr/local/lib/python2.7/site-packages
    * Enable assert():                  no
Copyright (C) 2001-2020 by Carnegie Mellon University
GNU General Public License (GPL) Rights pursuant to Version 2, June 1991.
Some included library code covered by LGPL 2.1; see source for details.
Government Purpose License Rights (GPLR) pursuant to DFARS 252.227-7013.
Send bug reports, feature requests, and comments to netsa-help@cert.org.

```

```
What is the size of the flows in the count records?
[REDACTED]

rwfileinfo suspicious-flows.silk
suspicious-flows.silk:
  format(id)          FT_RWIPV6ROUTING(0x0c)
  version             16
  byte-order          littleEndian
  compression(id)     lzo1x(2)
  header-length       88
  .
  .
  .
  file-size           152366
  command-lines       
                   1  rwipfix2silk --silk-output=test.silk

```

{% code fullWidth="false" %}

```
What is the start time (sTime) of the sixth record in the file?
[REDACTED]

ubuntu@ip-10-10-191-161:~/Desktop$ rwcut suspicious-flows.silk --num-recs=6
sIP|dIP|sPort|dPort|pro|packets|bytes|flags|sTime|duration|eTime|sen|
[REDACTED]
```

{% endcode %}

{% code overflow="wrap" %}

```
What is the destination port of the sixth UDP record?
[REDACTED]

ubuntu@ip-10-10-191-161:~/Desktop$ rwcut suspicious-flows.silk --fields=protocol,sIP,sPort,dIP,dPort --num-recs=6

pro|            sIP|sPort|            dIP|dPort|
  6|175.215.235.223|   80|175.215.236.223| 3222|
  6|175.215.235.223|   80|175.215.236.223| 3220|
  6|175.215.235.223|   80|175.215.236.223| 3219|
  6|175.215.235.223|   80|175.215.236.223| 3218|
  6|175.215.235.223|   80|175.215.236.223| 3221|
  [REDACTED]
```

{% endcode %}

{% code overflow="wrap" %}

```
What is the record value (%) of the dport 53?
[REDACTED]

rwstats suspicious-flows.silk --fields=dPort --values=records,packets,bytes,sIP-Distinct,dIP-Distinct --count=10

INPUT: 11774 Records for 5713 Bins and 11774 Total Records
OUTPUT: Top 10 Bins by Records
[REDACTED]
```

{% endcode %}

{% code overflow="wrap" %}

```
What is the number of bytes transmitted by the top talker on the network?
[REDACTED]

ubuntu@ip-10-10-191-161:~/Desktop$ rwstats suspicious-flows.silk --fields=sIP --values=bytes --count=10 --top

INPUT: 11774 Records for 8 Bins and 1412597 Total Bytes
OUTPUT: Top 10 Bins by Bytes
[REDACTED]
```

{% endcode %}

{% code overflow="wrap" %}

```
What is the sTime value of the first DNS record going to port 53?
[REDACTED]

ubuntu@ip-10-10-191-161:~/Desktop$ rwfilter suspicious-flows.silk --saddress=175.175.173.221 --dport=53 --pass=stdout | rwcut --fields=sIP,dIP,stime | head -10

INPUT: 11774 Records for 9 Bins and 11774 Total Records
OUTPUT: Top 10 Bins by Records
[REDACTED]
```

{% endcode %}

{% code overflow="wrap" %}

```
What is the IP address of the host that the C2 potentially controls? (In defanged format: 123[.]456[.]789[.]0 )
[REDACTED]
```

{% endcode %}

{% code overflow="wrap" %}

```
Which IP address is suspected to be the flood attacker? (In defanged format: 123[.]456[.]789[.]0 )
[REDACTED]
```

{% endcode %}

{% code overflow="wrap" %}

```
What is the sent SYN packet's number of records?
[REDACTED]

ubuntu@ip-10-10-191-161:~/Desktop$ rwfilter suspicious-flows.silk --saddress=175.215.236.223 --pass=stdout | rwstats --fields=sIP,flag,dIP --count=10
[REDACTED]
```

{% endcode %}
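The SiLK queries used in this room (rwstats top talkers by bytes, the %Records share per dPort, the flags breakdown for the suspected flood source, and the DNS flows used to spot the beaconing host) are all plain aggregations over flow records. The script below is an added example, not code from the room, from the writeup, or from the SiLK project: it parses rwcut-style pipe-delimited output and re-implements those aggregations over a constructed sample (RFC 5737 documentation addresses, made-up byte counts and timestamps), so the logic can be followed without a SiLK install. Column names follow rwcut's own headers (`pro` for protocol, `flags` in SiLK's fixed FSRPAUEC slots); the function names and the sample are illustrative.

```python
"""Analyse rwcut-style flow records without SiLK installed.

Added example for this writeup, not code from the room or from SiLK.
It re-implements, over a constructed sample, the aggregations that the
rwstats/rwfilter commands in the room perform:
  - top talker by bytes          (rwstats --fields=sIP --values=bytes --top)
  - share of records per dPort    (rwstats --fields=dPort, %Records column)
  - SYN-only TCP flows per pair   (rwstats --fields=sIP,flags,dIP on the flooder)
  - gaps between DNS flows        (the periodic C2 beacon pattern)
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample (not the room's data) in the layout rwcut prints for
# --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,flags,sTime.
# Addresses are from the RFC 5737 documentation ranges; values are invented.
SAMPLE_RWCUT = """\
            sIP|            dIP|sPort|dPort|pro|packets|  bytes|   flags|                  sTime|
    203.0.113.7|  198.51.100.20| 3218|   80|  6|      1|     60| S      |2023/12/05T14:00:00.000|
    203.0.113.7|  198.51.100.20| 3219|   80|  6|      1|     60| S      |2023/12/05T14:00:00.001|
    203.0.113.7|  198.51.100.20| 3220|   80|  6|      1|     60| S      |2023/12/05T14:00:00.002|
  198.51.100.20|    203.0.113.7|   80| 3218|  6|      1|     40| S  A   |2023/12/05T14:00:00.003|
   198.51.100.5|     192.0.2.53|52100|   53| 17|      1|     70|        |2023/12/05T14:00:01.000|
   198.51.100.5|     192.0.2.53|52101|   53| 17|      1|     70|        |2023/12/05T14:00:31.000|
   198.51.100.5|     192.0.2.53|52102|   53| 17|      1|     70|        |2023/12/05T14:01:01.000|
     192.0.2.80|  198.51.100.80|44321|  443|  6|     20|  15000|FS PA   |2023/12/05T14:00:02.000|
  198.51.100.80|     192.0.2.80|  443|44321|  6|     18|   9000|FS PA   |2023/12/05T14:00:02.010|
"""

INT_FIELDS = {"sPort", "dPort", "pro", "packets", "bytes"}


def parse_rwcut(text):
    """Parse rwcut output into dicts keyed by the header names.

    Numeric columns become ints; the flags column becomes a set of letters
    (SiLK prints each TCP flag in a fixed slot, blank when the flag is absent,
    so a UDP record parses to the empty set).
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [c.strip() for c in lines[0].split("|")][:-1]  # drop cell after final '|'
    records = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.split("|")][:-1]
        rec = dict(zip(header, cells))
        for field in INT_FIELDS:
            rec[field] = int(rec[field])
        rec["flags"] = set(rec["flags"].replace(" ", ""))
        records.append(rec)
    return records


def parse_stime(value):
    """rwcut's default timestamp format, e.g. 2023/12/05T14:00:01.000."""
    return datetime.strptime(value, "%Y/%m/%dT%H:%M:%S.%f")


def top_talkers(records, count=10):
    """Bytes per source address, largest first (rwstats --fields=sIP --values=bytes --top)."""
    by_src = Counter()
    for r in records:
        by_src[r["sIP"]] += r["bytes"]
    return by_src.most_common(count)


def dport_share(records, count=10):
    """(dPort, record count, %Records) per destination port, like rwstats --fields=dPort."""
    total = len(records)
    bins = Counter(r["dPort"] for r in records)
    return [(port, n, round(100.0 * n / total, 2)) for port, n in bins.most_common(count)]


def syn_only_by_source(records):
    """Count TCP flows that carry only a SYN, per (sIP, dIP) pair.

    Many single-packet SYN-only flows from one source to one destination,
    with few or no matching SYN/ACKs, is the SYN-flood pattern hunted above.
    """
    half_open = Counter()
    for r in records:
        if r["pro"] == 6 and r["flags"] == {"S"}:
            half_open[(r["sIP"], r["dIP"])] += 1
    return half_open


def beacon_intervals(records, dport=53):
    """Seconds between consecutive flows to dport per (sIP, dIP) pair.

    A near-constant gap (here 30 s) is the periodic check-in that makes a
    DNS-tunnelling C2 client stand out; normal DNS lookups are bursty.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["dPort"] == dport:
            by_pair[(r["sIP"], r["dIP"])].append(parse_stime(r["sTime"]))
    gaps = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps[pair] = [round((b - a).total_seconds(), 3) for a, b in zip(times, times[1:])]
    return gaps


if __name__ == "__main__":
    recs = parse_rwcut(SAMPLE_RWCUT)
    print("top talkers (bytes):", top_talkers(recs, 3))
    print("dPort share (port, records, %):", dport_share(recs, 5))
    print("SYN-only flows per pair:", dict(syn_only_by_source(recs)))
    print("gaps between DNS flows (s):", beacon_intervals(recs))
```

Run it as-is to print the four summaries for the sample; against real data, feed `parse_rwcut` the text produced by `rwcut --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,flags,sTime` instead of the constructed string. The %Records value that `dport_share` computes is the same ratio rwstats prints in the room: the dPort 53 bin's record count over the 11774 records in the file.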


