Comments on: Puzzle #1: Ann’s Bad AIM http://forensicscontest.com/2009/09/25/puzzle-1-anns-bad-aim "No Hard Drive? No Problem!" Tue, 20 Jul 2010 16:23:15 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Richard http://forensicscontest.com/2009/09/25/puzzle-1-anns-bad-aim/comment-page-1#comment-10 Richard Thu, 01 Oct 2009 01:31:39 +0000 http://forensicscontest.com/?p=3#comment-10 Shewfig "I especially like the AIM client on Sec558user’s PC downloading the advert starting in frame 227 – nice touch of realism" Could you post that for me? I missed that I think. Richard Shewfig “I especially like the AIM client on Sec558user’s PC downloading the advert starting in frame 227 – nice touch of realism”
Could you post that for me? I missed that I think.
Richard

]]> By: jonathan http://forensicscontest.com/2009/09/25/puzzle-1-anns-bad-aim/comment-page-1#comment-9 jonathan Wed, 30 Sep 2009 01:35:07 +0000 http://forensicscontest.com/?p=3#comment-9 @shewfig: It's an unfortunate fact of life for us: packets don't always flow by our sensors in the order in which they were sent -- or even the order in which they were received by their endpoints! :-( In this case you're probably right: buffering on a "switched network" (actually a VMware virtual network) caused them to show up out of order. But understand that this happens all the time across the long haul. Latencies vary by path, and packets get to have their very own paths sometimes, hence the whole point of packet-switched networks. Thank goodness we don't often have to reassemble them manually. :-) /jonathan @shewfig:

It’s an unfortunate fact of life for us: packets don’t always flow by our sensors in the order in which they were sent — or even the order in which they were received by their endpoints! :-(

In this case you’re probably right: buffering on a “switched network” (actually a VMware virtual network) caused them to show up out of order. But understand that this happens all the time across the long haul. Latencies vary by path, and packets get to have their very own paths sometimes, hence the whole point of packet-switched networks.

Thank goodness we don’t often have to reassemble them manually. :-)

/jonathan

]]> By: shewfig http://forensicscontest.com/2009/09/25/puzzle-1-anns-bad-aim/comment-page-1#comment-6 shewfig Tue, 29 Sep 2009 07:03:29 +0000 http://forensicscontest.com/?p=3#comment-6 What's up with frames # 15 and #16 being out of sequence? 15 is clearly the ACK to 16 (acking # 13), based both on sequence and TCP timestamp opt header, but the packet order capture is off. Is this an artifact of capturing on a switched network - frames buffered before forwarding on the receive port - or is it something more sinister? I especially like the AIM client on Sec558user's PC downloading the advert starting in frame 227 - nice touch of realism. What’s up with frames # 15 and #16 being out of sequence? 15 is clearly the ACK to 16 (acking # 13), based both on sequence and TCP timestamp opt header, but the packet order capture is off. Is this an artifact of capturing on a switched network – frames buffered before forwarding on the receive port – or is it something more sinister?

I especially like the AIM client on Sec558user’s PC downloading the advert starting in frame 227 – nice touch of realism.

]]> By: Richard http://forensicscontest.com/2009/09/25/puzzle-1-anns-bad-aim/comment-page-1#comment-5 Richard Tue, 29 Sep 2009 02:08:52 +0000 http://forensicscontest.com/?p=3#comment-5 Some other questions? Where were they to meet? Who did Ann love. The answers are in there as well, you need something other than pcaps to find it though. Nothing complhex. Eventually you will say ahh, ascii, Some other questions? Where were they to meet? Who did Ann love. The answers are in there as well, you need something other than pcaps to find it though. Nothing complhex. Eventually you will say ahh, ascii,

]]>