
# Man or Machine?

{% hint style="info" %}
This one is simple. There's a pcap which contains 100 SSH connections.

Only 1 of the connections was human driven. The rest weren't. All we want to know is the source port number for that 1 connection. You ONLY have 2 attempts, so don't bruteforce guess!

All the connections used the same client, server, and configurations. If everything is the same and the payload contents are encrypted, what else could you compare?
{% endhint %}

Let's run the pcap through Zeek with the SSH protocol scripts loaded:

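```zeek
# Load the SSH analyzer scripts and the notice framework.
@load base/protocols/ssh
@load base/frameworks/notice

# Let Zeek exit as soon as the pcap input is exhausted.
redef exit_only_after_terminate = F;

event zeek_init()
	{
	# Intentionally empty: the default conn.log and ssh.log are used.
	}
```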

```text
.
├── 100-ssh.pcap
├── conn.log
├── main.zeek
├── packet_filter.log
└── ssh.log
```

Next we look for interesting metrics in the log output. `ssh.log` doesn't show much, but in `conn.log` we find the following line:

```text
1580833725.124151   CgvmB23cju7ppajiwf  127.0.0.1       54712   127.0.0.1          22   tcp      ssh       53.446830   7173      3274189        SF               -           -   0           ShAdDaFf    20466   1071413 34606   5073721 -   1:vp2K1lvIUDDpljQ8WIBn+8DF/Xs=
```

We find that this entry has substantially more `orig_ip_bytes` (1071413, the field after `orig_pkts`) than the other connections.

![](/files/-MJhKjHD0tLg2HjhOc7D)
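
To rank every connection instead of spotting the line by eye, the following added example (not part of the original writeup) parses `conn.log` using its `#fields` header and scores each SSH flow's `orig_ip_bytes` with a median/MAD robust z-score. The sample rows are constructed apart from the 54712 line, the column set is trimmed, and the function names are hypothetical.

```python
import io
import statistics

# Constructed sample in Zeek TSV layout, with the column set trimmed for brevity.
# Only the 54712 row carries values from the page; every other row is made up.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_p\tservice\tduration\torig_pkts\torig_ip_bytes\n"
    "1580833700.1\tCaaa\t54700\tssh\t1.91\t38\t5489\n"
    "1580833702.3\tCbbb\t54702\tssh\t2.05\t40\t5641\n"
    "1580833704.6\tCccc\t54704\tssh\t1.88\t37\t5437\n"
    "1580833706.9\tCddd\t54706\tssh\t1.97\t39\t5565\n"
    "1580833709.2\tCeee\t54708\tssh\t-\t-\t-\n"      # unset counters
    "1580833711.5\tCfff\t54710\t-\t0.01\t2\t104\n"   # not identified as SSH
    "1580833725.124151\tCgvmB23cju7ppajiwf\t54712\tssh\t53.446830\t20466\t1071413\n"
)


def read_conn_log(stream):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = []
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def rank_outliers(records, metric="orig_ip_bytes"):
    """Return (robust_z, source_port, value) per SSH flow, most anomalous first."""
    flows = [(int(r["id.orig_p"]), int(r[metric])) for r in records
             if r.get("service") == "ssh" and r.get(metric, "-") != "-"]
    values = [v for _, v in flows]
    med = statistics.median(values)
    # Median absolute deviation: one huge flow cannot inflate its own baseline.
    mad = statistics.median(abs(v - med) for v in values) or 1.0
    return sorted(((0.6745 * (v - med) / mad, port, v) for port, v in flows),
                  reverse=True)


if __name__ == "__main__":
    for z, port, value in rank_outliers(read_conn_log(io.StringIO(SAMPLE_CONN_LOG)))[:3]:
        print(f"port={port} orig_ip_bytes={value} robust_z={z:.1f}")
```

On a real capture, pass the opened `conn.log` file to `read_conn_log`; other numeric columns such as `orig_pkts` can be ranked by changing `metric`.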

{% hint style="success" %}
The solution

```
54712
```

{% endhint %}

