See https://johannes.homepc.org/packet10.pcap

Is this traffic:
- Malicious?
- Unusual?
- Normal?

Why? This is not so much about which category you assign to the traffic, but more about you explaining your decision. Figure out as much about it as possible. The traffic is unaltered. 10.64.10.18 is an IP address behind a NAT router.

Reasonably good answers to this month's challenge will be added to our February Raspberry Pi drawing.

And btw... my next public "Intrusion Detection in Depth" (SEC503) class will be in Madrid in March: https://www.sans.org/event/madrid-march-2019/course/intrusion-detection-in-depth

17.0.0.0/8 is owned by Apple, and all traffic to that netblock is typically associated with Apple's applications (remember that some applications like iTunes exist on operating systems other than iOS/macOS).

Solution:

First of all, this is "normal" traffic. Apple uses this port for Siri and Spotlight suggestions. While this wasn't obvious from the packet capture, the traffic came from an Apple (macOS) device. The traffic is encrypted, so there isn't much that can be said about the content of the message. But there are a few odd things about it:

- This isn't normal SSL/TLS traffic. It could be a continuation of SSL/TLS traffic, but there is no indication of a handshake.
- The SYN packet contains data. This has become more common in recent years as protocols try to limit latency. Often this is associated with TCP Fast Open, but in this case, the TCP Fast Open "cookie" options are missing.
- Port 5228 is assigned per IANA to "HP Virtual Room Service". No idea if this is still in use. It was assigned in 2009, and there doesn't appear to be an RFC associated with it.
- Personally, I would consider the TCP options for the SYN packet to be a bit unusual. The only option used is a timestamp: no selective acknowledgement, no window scale, not even a maximum segment size. The SYN-ACK is a bit more "normal".
- It appears that the payload size is limited to 1280 bytes, which happens to be the minimum MTU required for IPv6. But I may be looking too much into this.

Some references:
- Ports used by Apple: https://support.apple.com/en-us/HT202944
- TCP Fast Open: https://tools.ietf.org/html/rfc7413
- TCP RFC: https://tools.ietf.org/html/rfc793
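The SYN-with-data and TCP option observations above, as an added example (not code from the original diary): a dependency-free Python parser that reads a classic libpcap file, lists the TCP option kinds in each packet, flags a SYN that carries data without an RFC 7413 Fast Open cookie option (kind 34), and notes a SYN that lacks an MSS option. The pcap reader, the 10.64.10.18 / 17.0.0.1 addresses in the sample frame and the sample frame itself are constructed for illustration, not taken from packet10.pcap.

```python
import struct

OPT_NAMES = {1: "NOP", 2: "MSS", 3: "WScale", 4: "SACK-OK", 8: "Timestamp", 34: "TFO"}

def tcp_option_kinds(raw):
    """List option kinds in a raw TCP options field (NOP has no length; others are TLV)."""
    kinds, i = [], 0
    while i < len(raw) and raw[i] != 0:            # kind 0 = end of option list
        kinds.append(raw[i])
        # NOP is one byte; a TLV option advances by its length byte (never less than 2)
        i += 1 if raw[i] == 1 else (max(raw[i + 1], 2) if i + 1 < len(raw) else 1)
    return kinds

def analyze_frame(frame):
    """Findings for one Ethernet/IPv4/TCP frame; None for anything else."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]   # trim Ethernet padding
    tcp = ip[(ip[0] & 0x0F) * 4:]
    dport, off_flags = struct.unpack("!H", tcp[2:4])[0], struct.unpack("!H", tcp[12:14])[0]
    data_off, flags = (off_flags >> 12) * 4, off_flags & 0x1FF
    kinds = tcp_option_kinds(tcp[20:data_off])
    syn, ack = bool(flags & 0x02), bool(flags & 0x10)
    return {"dport": dport, "syn": syn, "ack": ack, "payload_len": len(tcp) - data_off,
            "options": [OPT_NAMES.get(k, f"kind{k}") for k in kinds],
            "syn_with_data": syn and not ack and len(tcp) > data_off,
            "tfo_cookie": 34 in kinds,               # RFC 7413 Fast Open cookie option
            "syn_missing_mss": syn and 2 not in kinds}

def iter_pcap_frames(path):
    """Yield raw frames from a classic libpcap file (either byte order; pcapng not handled)."""
    with open(path, "rb") as f:
        endian = "<" if f.read(4) in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        f.read(20)                                    # rest of the global header
        while len(rec := f.read(16)) == 16:
            yield f.read(struct.unpack(endian + "IIII", rec)[2])   # incl_len

def build_frame(dport, flags, options, payload):
    # Constructed test frame: checksums left zero, addresses are made up for the example
    options = b"\x01" * (-len(options) % 4) + options  # NOP-pad to a 32-bit boundary
    tcp = struct.pack("!HHIIHHHH", 52000, dport, 1, 0,
                      ((20 + len(options)) // 4) << 12 | flags, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([10, 64, 10, 18]), bytes([17, 0, 0, 1]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_syn_frame():
    """Constructed SYN to port 5228 carrying 16 bytes of data, timestamp option only."""
    timestamp = struct.pack("!BBII", 8, 10, 123456, 0)
    return build_frame(5228, 0x02, timestamp, bytes(range(16)))
```

Running `analyze_frame` over `iter_pcap_frames("packet10.pcap")` prints one findings dict per packet, so the SYN with data, the option list and the missing TFO cookie can be confirmed rather than eyeballed.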