summaryrefslogtreecommitdiff
path: root/bro-script
diff options
context:
space:
mode:
authorAndreas Lindhé <andreas@lindhe.io>2017-10-11 08:47:50 +0200
committerAndreas Lindhé <andreas@lindhe.io>2017-10-11 08:47:50 +0200
commitda9544a4dba273d1cada460f3064d9e1ff21b44e (patch)
treea4280500e713216b49fdd46786f30eee3d60adb8 /bro-script
parent89ea70298caff759b719ab0855ad2cd48dfee0ca (diff)
downloadmidbro-da9544a4dba273d1cada460f3064d9e1ff21b44e.tar.gz
midbro-da9544a4dba273d1cada460f3064d9e1ff21b44e.tar.bz2
Move files from bro-script directory
Diffstat (limited to 'bro-script')
-rw-r--r--bro-script/README9
-rw-r--r--bro-script/pasad-parsed.bro96
-rw-r--r--bro-script/pasad-parsed.log100
-rw-r--r--bro-script/pasad-simple.bro56
-rw-r--r--bro-script/pasad-simple.log100
5 files changed, 0 insertions, 361 deletions
diff --git a/bro-script/README b/bro-script/README
deleted file mode 100644
index 15f121e..0000000
--- a/bro-script/README
+++ /dev/null
@@ -1,9 +0,0 @@
-This directory contains a baseline implementation of the package parser
-implemented as a Bro script. A .bro file contains a script that can be
-executed on a Modbus pcap dump. A .log file contains an example for an
-output file generated by this script. By convention, the sample log file
-should contain the first 100 lines of a real log file obtained from running
-the script on packets_00014_20161128135616.cap.
-
-Currently, the scripts only handle the read_holding_registers event. Other
-events can handled by simply copying and adapting the existing handlers.
diff --git a/bro-script/pasad-parsed.bro b/bro-script/pasad-parsed.bro
deleted file mode 100644
index 88b1be1..0000000
--- a/bro-script/pasad-parsed.bro
+++ /dev/null
@@ -1,96 +0,0 @@
-## Implementation that outputs the register identification and the register
-## value. The correct register count is not checked and might lead to indexing
-## errors.
-
-module Pasad;
-
-## DATA STRUCTURES
-
-export {
- redef enum Log::ID += { LOG };
-
- type Transaction: record {
- start_address: count;
- quantity: count;
- };
-
- type TransactionTable: table[count] of Transaction;
-
- type Info: record {
- transactions: TransactionTable &default=TransactionTable();
- };
-
- type Entry: record {
- ip: addr &log;
- uid: count &log;
- regtype: string &log;
- address: count &log;
- register: count &log;
- };
-}
-
-redef record connection += {
- pasad: Info &default=Info();
-};
-
-## CUSTOM EVENTS
-
-event pasad_entry(entry: Entry)
- {
- Log::write(Pasad::LOG, entry);
- }
-
-event pasad_unmatched(tid: count)
- {
- print fmt("Unmatched response: tid=%d", tid);
- }
-
-## CUSTOM FUNCTIONS
-
-function pasad_generate_events(transaction: Transaction, c: connection, headers: ModbusHeaders, registers: ModbusRegisters, regtype: string)
- {
- # TODO: check registers size
- local i = 0;
- while ( i < transaction$quantity )
- {
- local entry = Entry(
- $ip=c$id$orig_h,
- $uid=headers$uid,
- $regtype=regtype,
- $address=transaction$start_address + i,
- $register=registers[i]
- );
- event pasad_entry(entry);
- ++i;
- }
- }
-
-## EVENT HANDLERS
-
-event bro_init() &priority=5
- {
- Log::create_stream(Pasad::LOG, [$columns=Entry, $path="pasad-parsed"]);
- }
-
-event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
- {
- local tid = headers$tid;
- local transaction = Transaction(
- $start_address=start_address,
- $quantity=quantity
- );
- c$pasad$transactions[tid] = transaction;
- }
-
-event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
- {
- local tid = headers$tid;
- if ( tid !in c$pasad$transactions )
- {
- event pasad_unmatched(tid);
- return;
- }
- local transaction = c$pasad$transactions[tid];
- delete c$pasad$transactions[tid];
- pasad_generate_events(transaction, c, headers, registers, "h");
- }
diff --git a/bro-script/pasad-parsed.log b/bro-script/pasad-parsed.log
deleted file mode 100644
index dd7b1ba..0000000
--- a/bro-script/pasad-parsed.log
+++ /dev/null
@@ -1,100 +0,0 @@
-#separator \x09
-#set_separator ,
-#empty_field (empty)
-#unset_field -
-#path pasad-parsed
-#open 2017-10-03-11-12-43
-#fields ip uid regtype address register
-#types addr count string count count
-10.34.211.73 255 h 80 48979
-10.34.211.73 255 h 81 7282
-10.34.211.73 255 h 82 15636
-10.34.211.73 255 h 83 9709
-10.34.211.73 255 h 84 48404
-10.34.211.73 255 h 85 9709
-10.34.211.73 255 h 86 16943
-10.34.211.73 255 h 87 32237
-10.34.211.73 255 h 60 17173
-10.34.211.73 255 h 61 45657
-10.34.211.73 255 h 62 49927
-10.34.211.73 255 h 63 27307
-10.34.211.73 255 h 64 17146
-10.34.211.73 255 h 65 46421
-10.34.211.73 255 h 66 17120
-10.34.211.73 255 h 67 57951
-10.34.211.73 255 h 68 17107
-10.34.211.73 255 h 69 22452
-10.34.211.73 255 h 70 16795
-10.34.211.73 255 h 71 13653
-10.34.211.73 255 h 0 244
-10.34.211.73 255 h 1 32776
-10.34.211.73 255 h 2 9728
-10.34.211.73 255 h 68 0
-10.34.211.73 255 h 69 0
-10.34.211.73 255 h 70 0
-10.34.211.73 255 h 71 0
-10.34.211.73 255 h 72 0
-10.34.211.73 255 h 73 0
-10.34.211.73 255 h 50 2016
-10.34.211.73 255 h 51 11
-10.34.211.73 255 h 52 28
-10.34.211.73 255 h 53 13
-10.34.211.73 255 h 54 56
-10.34.211.73 255 h 55 15
-10.34.211.73 255 h 40 7
-10.34.211.73 255 h 41 0
-10.34.211.73 255 h 42 32768
-10.34.211.73 255 h 43 0
-10.34.211.73 255 h 44 0
-10.34.211.73 255 h 45 0
-10.34.211.73 255 h 50 2016
-10.34.211.73 255 h 51 11
-10.34.211.73 255 h 52 28
-10.34.211.73 255 h 53 13
-10.34.211.73 255 h 54 56
-10.34.211.73 255 h 55 15
-10.34.211.73 255 h 40 120
-10.34.211.73 255 h 41 1
-10.34.211.73 255 h 42 0
-10.34.211.73 255 h 43 0
-10.34.211.73 255 h 44 0
-10.34.211.73 255 h 45 0
-10.34.211.73 255 h 46 0
-10.34.211.69 1 h 0 31840
-10.34.211.69 1 h 1 27348
-10.34.211.69 1 h 2 32541
-10.34.211.69 1 h 3 6170
-10.34.211.69 1 h 4 26
-10.34.211.69 1 h 5 12311
-10.34.211.69 1 h 6 0
-10.34.211.69 1 h 7 0
-10.34.211.69 1 h 8 0
-10.34.211.69 1 h 9 0
-10.34.211.73 255 h 68 17000
-10.34.211.73 255 h 69 0
-10.34.211.73 255 h 70 17012
-10.34.211.73 255 h 71 0
-10.34.211.73 255 h 72 17008
-10.34.211.73 255 h 73 0
-10.34.211.73 255 h 74 15948
-10.34.211.73 255 h 75 52429
-10.34.211.73 255 h 68 17052
-10.34.211.73 255 h 69 0
-10.34.211.73 255 h 70 17048
-10.34.211.73 255 h 71 0
-10.34.211.73 255 h 72 17046
-10.34.211.73 255 h 73 0
-10.34.211.73 255 h 74 17042
-10.34.211.73 255 h 75 0
-10.34.211.73 255 h 76 16256
-10.34.211.73 255 h 77 0
-10.34.211.73 255 h 50 2016
-10.34.211.73 255 h 51 11
-10.34.211.73 255 h 52 28
-10.34.211.73 255 h 53 13
-10.34.211.73 255 h 54 56
-10.34.211.73 255 h 55 14
-10.34.211.73 255 h 40 263
-10.34.211.73 255 h 41 0
-10.34.211.73 255 h 42 0
-10.34.211.73 255 h 43 0
diff --git a/bro-script/pasad-simple.bro b/bro-script/pasad-simple.bro
deleted file mode 100644
index db3b4be..0000000
--- a/bro-script/pasad-simple.bro
+++ /dev/null
@@ -1,56 +0,0 @@
-## Simple implementation that outputs the raw request and response data
-## to a log file.
-## Currently, this only handles the read_holding_registers event. Other
-## events can be handled similarily. This implementation assumes that
-## requests and responses are exchanged within the same connection. I am not
-## sure whether this really holds.
-
-module Pasad;
-
-export {
- redef enum Log::ID += { LOG };
-
- type Info: record {
- ts_request: time &log;
- ts_response: time &log &optional;
- rtype: string &log;
- tid_request: count &log;
- tid_response: count &log &optional;
- ip_orig: addr &log;
- ip_resp: addr &log;
- start_address: count &log;
- quantity: count &log;
- registers: ModbusRegisters &log &optional;
- };
-}
-
-redef record connection += {
- pasad: Info &optional;
-};
-
-event bro_init() &priority=5
- {
- Log::create_stream(Pasad::LOG, [$columns=Info, $path="pasad-simple"]);
- }
-
-event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
- {
- local rec: Info = [
- $ts_request=network_time(),
- $rtype="holding",
- $tid_request=headers$tid,
- $start_address=start_address,
- $quantity=quantity,
- $ip_orig=c$id$orig_h,
- $ip_resp=c$id$resp_h
- ];
- c$pasad = rec;
- }
-
-event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
- {
- c$pasad$tid_response = headers$tid;
- c$pasad$ts_response = network_time();
- c$pasad$registers = registers;
- Log::write(Pasad::LOG, c$pasad);
- }
diff --git a/bro-script/pasad-simple.log b/bro-script/pasad-simple.log
deleted file mode 100644
index 71bb1db..0000000
--- a/bro-script/pasad-simple.log
+++ /dev/null
@@ -1,100 +0,0 @@
-#separator \x09
-#set_separator ,
-#empty_field (empty)
-#unset_field -
-#path pasad-simple
-#open 2017-09-26-10-11-01
-#fields ts_request ts_response rtype tid_request tid_response ip_orig ip_resp start_address quantity registers
-#types time time string count count addr addr count count vector[count]
-1480337775.934099 1480337775.971379 holding 2538 2538 10.34.211.73 192.168.211.146 80 8 48979,7282,15636,9709,48404,9709,16943,32237
-1480337776.128206 1480337776.131736 holding 2547 2547 10.34.211.73 192.168.215.66 60 12 17173,45657,49927,27307,17146,46421,17120,57951,17107,22452,16795,13653
-1480337776.103192 1480337776.132496 holding 2542 2542 10.34.211.73 192.168.211.186 0 3 244,32776,9728
-1480337776.123186 1480337776.146508 holding 2546 2546 10.34.211.73 192.168.211.122 68 6 0,0,0,0,0,0
-1480337776.113180 1480337776.156409 holding 2544 2544 10.34.211.73 192.168.211.178 50 6 2016,11,28,13,56,15
-1480337776.134962 1480337776.158094 holding 2548 2548 10.34.211.73 192.168.211.130 40 6 7,0,32768,0,0,0
-1480337776.144883 1480337776.171089 holding 2549 2549 10.34.211.73 192.168.211.210 50 6 2016,11,28,13,56,15
-1480337776.118196 1480337776.171376 holding 2545 2545 10.34.211.73 192.168.211.194 40 7 120,1,0,0,0,0,0
-1480337776.096762 1480337776.172857 holding 41583 41583 10.34.211.69 192.168.211.218 0 10 31840,27348,32541,6170,26,12311,0,0,0,0
-1480337776.169475 1480337776.180976 holding 2554 2554 10.34.211.73 192.168.211.67 68 8 17000,0,17012,0,17008,0,15948,52429
-1480337776.174899 1480337776.185110 holding 2555 2555 10.34.211.73 192.168.211.82 68 10 17052,0,17048,0,17046,0,17042,0,16256,0
-1480337776.108212 1480337776.195739 holding 2543 2543 10.34.211.73 192.168.211.226 50 6 2016,11,28,13,56,14
-1480337776.149574 1480337776.206115 holding 2550 2550 10.34.211.73 192.168.211.162 40 7 263,0,0,0,0,0,0
-1480337776.195190 1480337776.220473 holding 2559 2559 10.34.211.73 192.168.211.186 70 6 2016,11,28,13,56,14
-1480337776.205354 1480337776.231626 holding 2561 2561 10.34.211.73 192.168.211.178 60 8 0,0,17267,15019,17074,38533,16827,2427
-1480337776.204301 1480337776.235686 holding 2560 2560 10.34.211.73 192.168.211.226 60 12 0,0,16240,0,16707,0,16960,16081,17041,62199,16849,47332
-1480337776.215341 1480337776.238091 holding 2563 2563 10.34.211.73 192.168.211.122 80 6 16867,48545,48720,38836,48770,24273
-1480337776.225171 1480337776.250126 holding 2565 2565 10.34.211.73 192.168.211.130 50 6 2016,11,28,13,56,15
-1480337776.230277 1480337776.252068 holding 2566 2566 10.34.211.73 192.168.211.210 60 8 16975,56798,17027,50517,16984,13350,16621,63109
-1480337776.178152 1480337776.252858 holding 41584 41584 10.34.211.69 192.168.211.218 58 10 16956,45056,16814,4096,16986,49152,17180,41984,0,0
-1480337776.210249 1480337776.264273 holding 2562 2562 10.34.211.73 192.168.211.194 68 8 0,0,0,0,0,0,0,0
-1480337776.235274 1480337776.277239 holding 2567 2567 10.34.211.73 192.168.211.162 50 6 2016,11,28,13,56,15
-1480337776.244236 1480337776.286747 holding 41588 41588 10.34.211.69 192.168.211.90 50 3 49152,0,0
-1480337776.239724 1480337776.305137 holding 41587 41587 10.34.211.69 192.168.212.74 50 3 1,0,0
-1480337776.280346 1480337776.312383 holding 2576 2576 10.34.211.73 192.168.211.186 80 6 16993,3098,16907,56957,17147,63329
-1480337776.290526 1480337776.315494 holding 2578 2578 10.34.211.73 192.168.211.178 68 8 0,0,0,0,0,0,0,0
-1480337776.285222 1480337776.315673 holding 2577 2577 10.34.211.73 192.168.211.226 72 8 16960,0,16952,0,17038,0,17042,0
-1480337776.299070 1480337776.324822 holding 41590 41590 10.34.211.69 192.168.211.90 60 6 2016,11,28,13,56,14
-1480337776.259216 1480337776.332727 holding 41585 41585 10.34.211.69 192.168.211.218 10 8 0,0,32,2048,0,3,0,0
-1480337776.295410 1480337776.334351 holding 2579 2579 10.34.211.73 192.168.211.194 80 8 0,0,0,0,0,0,0,0
-1480337776.315670 1480337776.344274 holding 2583 2583 10.34.211.73 192.168.211.210 68 8 0,0,0,0,0,0,0,0
-1480337776.310646 1480337776.345388 holding 2582 2582 10.34.211.73 192.168.211.130 60 8 0,0,48941,21845,16969,33071,16825,27307
-1480337776.308173 1480337776.351504 holding 41589 41589 10.34.211.69 192.168.212.74 60 6 2016,11,28,13,56,15
-1480337776.328087 1480337776.352746 holding 41592 41592 10.34.211.69 192.168.211.90 70 10 16539,13107,16616,41943,17329,983,17099,34079,16720,41943
-1480337776.320477 1480337776.360244 holding 2584 2584 10.34.211.73 192.168.211.162 68 8 0,0,0,0,0,0,0,0
-1480337776.355648 1480337776.379496 holding 2591 2591 10.34.211.73 192.168.211.186 86 8 0,0,0,0,16874,26215,0,0
-1480337776.357170 1480337776.389772 holding 41593 41593 10.34.211.69 192.168.211.90 80 16 17043,14418,16326,26214,16504,62915,16151,2621,16675,56099,18436,5504,16918,4821,16582,26214
-1480337776.381033 1480337776.403105 holding 2596 2596 10.34.211.73 192.168.211.130 68 6 0,0,0,0,0,0
-1480337776.363053 1480337776.407348 holding 41591 41591 10.34.211.69 192.168.212.74 94 6 17035,64717,16796,27610,17031,14131
-1480337776.365324 1480337776.416503 holding 2593 2593 10.34.211.73 192.168.211.178 80 4 15597,2427,15873,12136
-1480337776.340063 1480337776.423765 holding 41586 41586 10.34.211.69 192.168.211.218 38 10 16950,4096,16900,32768,16798,8192,16608,0,16992,0
-1480337776.385390 1480337776.431254 holding 2597 2597 10.34.211.73 192.168.211.210 80 8 0,0,0,0,0,0,17095,27610
-1480337776.476201 1480337776.506120 holding 2606 2606 10.34.211.73 192.168.211.130 80 6 48592,0,48573,41263,48526,14564
-1480337776.506298 1480337776.518276 holding 2612 2612 10.34.211.73 192.168.211.67 40 6 1799,13431,32,2615,1591,1591
-1480337776.496191 1480337776.518469 holding 2610 2610 10.34.211.73 192.168.211.106 40 6 1031,0,32768,3,1,2
-1480337776.495616 1480337776.519869 holding 41595 41595 10.34.211.69 192.168.211.90 40 9 0,0,0,0,0,0,0,0,30
-1480337776.511294 1480337776.522899 holding 2613 2613 10.34.211.73 192.168.211.82 40 7 527,12543,0,563,1591,563,0
-1480337776.491221 1480337776.527134 holding 2609 2609 10.34.211.73 192.168.211.202 40 7 775,0,0,0,0,0,0
-1480337776.501350 1480337776.540895 holding 2611 2611 10.34.211.73 192.168.211.154 40 7 783,0,0,0,0,0,0
-1480337776.516193 1480337776.546865 holding 2614 2614 10.34.211.73 192.168.211.114 40 6 259,0,32768,0,0,0
-1480337776.554304 1480337776.579100 holding 2620 2620 10.34.211.73 192.168.211.122 40 6 263,0,32768,0,0,0
-1480337776.490946 1480337776.590021 holding 41594 41594 10.34.211.69 192.168.211.218 18 10 0,0,0,0,48669,28832,16167,8912,16164,48234
-1480337776.522267 1480337776.591382 holding 2615 2615 10.34.211.73 192.168.211.170 40 7 2063,0,32768,0,0,0,0
-1480337776.585015 1480337776.599260 holding 2626 2626 10.34.211.73 192.168.211.67 80 6 0,0,16784,0,16731,13107
-1480337776.589372 1480337776.599983 holding 2627 2627 10.34.211.73 192.168.211.82 80 8 0,0,17086,39322,0,0,0,0
-1480337776.574281 1480337776.606989 holding 2624 2624 10.34.211.73 192.168.211.202 50 6 2016,11,28,13,56,15
-1480337776.579367 1480337776.624210 holding 2625 2625 10.34.211.73 192.168.211.154 50 6 2016,11,28,13,56,15
-1480337776.599256 1480337776.635603 holding 2629 2629 10.34.211.73 192.168.211.226 40 7 3855,13567,192,1591,2615,2615,1591
-1480337776.609257 1480337776.643349 holding 2631 2631 10.34.211.73 192.168.211.98 40 6 7,0,0,0,0,0
-1480337776.604267 1480337776.649367 holding 2628 2628 10.34.211.73 192.168.211.170 50 6 2016,11,28,13,56,15
-1480337776.629206 1480337776.659118 holding 2635 2635 10.34.211.73 192.168.211.202 60 8 17056,37046,17260,57344,17029,48393,16890,15170
-1480337776.624205 1480337776.661266 holding 2634 2634 10.34.211.73 192.168.211.162 80 8 15696,38836,15568,38836,15568,38836,0,0
-1480337776.635896 1480337776.663986 holding 2636 2636 10.34.211.73 192.168.211.154 60 8 17151,13232,17213,31043,17068,41112,16708,64929
-1480337776.598093 1480337776.672871 holding 41596 41596 10.34.211.69 192.168.211.218 28 10 16071,19398,16346,45875,16946,16384,16959,8192,16913,20480
-1480337776.649253 1480337776.676361 holding 2639 2639 10.34.211.73 192.168.211.178 40 7 3087,0,32768,0,0,0,0
-1480337776.654236 1480337776.677240 holding 2640 2640 10.34.211.73 192.168.211.98 50 6 2016,11,28,13,56,15
-1480337776.645288 1480337776.682747 holding 2638 2638 10.34.211.73 192.168.211.226 80 10 16384,0,16501,49807,0,0,0,0,16648,62914
-1480337776.660501 1480337776.698573 holding 2637 2637 10.34.211.73 192.168.211.170 60 8 17177,9421,17125,51883,17102,31554,16655,64322
-1480337776.671138 1480337776.701126 holding 2642 2642 10.34.211.73 192.168.211.202 68 8 0,0,0,0,0,0,0,0
-1480337776.684320 1480337776.706498 holding 2644 2644 10.34.211.73 192.168.211.98 60 8 17048,38426,48720,0,16986,11226,16895,6068
-1480337776.713660 1480337776.735618 holding 2647 2647 10.34.211.73 192.168.211.98 80 6 48561,50972,48365,2427,48621,2427
-1480337776.704169 1480337776.740641 holding 2643 2643 10.34.211.73 192.168.211.170 68 8 0,0,0,0,0,0,0,0
-1480337776.713186 1480337776.743142 holding 2645 2645 10.34.211.73 192.168.211.202 80 8 15597,2427,15597,2427,15597,2427,15597,2427
-1480337776.679076 1480337776.753232 holding 41597 41597 10.34.211.69 192.168.211.218 48 10 16720,0,16965,53248,16959,16384,16964,4096,16822,20480
-1480337776.746150 1480337776.781571 holding 2646 2646 10.34.211.73 192.168.211.170 80 8 15568,38836,15568,38836,0,0,0,0
-1480337776.875195 1480337776.912519 holding 2649 2649 10.34.211.73 192.168.211.186 0 3 244,40,9728
-1480337776.910345 1480337776.913669 holding 2656 2656 10.34.211.73 192.168.215.66 40 7 7,0,32768,0,0,0,0
-1480337776.880212 1480337776.915602 holding 2650 2650 10.34.211.73 192.168.211.226 50 6 2016,11,28,13,56,15
-1480337776.895199 1480337776.917131 holding 2653 2653 10.34.211.73 192.168.211.122 50 6 2016,11,28,13,56,15
-1480337776.870194 1480337776.922039 holding 2648 2648 10.34.211.73 192.168.211.154 68 8 0,0,0,0,0,0,0,0
-1480337776.890215 1480337776.930400 holding 2652 2652 10.34.211.73 192.168.211.194 50 6 2016,11,28,13,56,16
-1480337776.900279 1480337776.931123 holding 2654 2654 10.34.211.73 192.168.211.210 40 7 259,0,32768,0,0,0,0
-1480337776.885172 1480337776.936397 holding 2651 2651 10.34.211.73 192.168.211.178 50 6 2016,11,28,13,56,15
-1480337776.925970 1480337776.947376 holding 2659 2659 10.34.211.73 192.168.211.186 70 6 2016,11,28,13,56,15
-1480337776.905320 1480337776.956106 holding 2655 2655 10.34.211.73 192.168.211.162 40 7 263,0,32768,0,0,0,0
-1480337776.954233 1480337776.958002 holding 2664 2664 10.34.211.73 192.168.215.66 50 6 2016,11,28,13,56,15
-1480337776.940206 1480337776.965516 holding 2660 2660 10.34.211.73 192.168.211.178 60 8 0,0,17266,17977,17074,46118,16827,40353
-1480337776.925370 1480337776.967032 holding 2658 2658 10.34.211.73 192.168.211.154 80 8 15568,38836,0,0,0,0,0,0
-1480337776.944478 1480337776.967249 holding 2662 2662 10.34.211.73 192.168.211.122 60 8 17058,3234,17105,17749,16954,7282,16772,26700
-1480337776.935247 1480337776.974263 holding 2661 2661 10.34.211.73 192.168.211.194 60 8 0,0,17070,10923,17035,27762,16703,46118
-1480337776.915597 1480337776.975377 holding 2657 2657 10.34.211.73 192.168.211.146 40 7 2063,0,32768,0,0,0,0
-1480337776.976604 1480337776.979823 holding 2668 2668 10.34.211.73 192.168.215.66 60 12 17173,48796,49926,54917,17146,46421,17120,50366,17107,7282,16795,43994