# Man or Machine?

{% hint style="info" %}
This one is simple. There's a pcap which contains 100 SSH connections.

Only 1 of the connections was human driven. The rest weren't. All we want to know is the source port number for that 1 connection. You ONLY have 2 attempts, so don't bruteforce guess!

All the connections used the same client, server, and configurations. If everything is the same and the payload contents are encrypted, what else could you compare?
{% endhint %}

Lets run the pcap through the ssh protocols 

```c
@load base/protocols/ssh
@load base/frameworks/notice

redef exit_only_after_terminate = F;

event zeek_init(){

}
```

```c
.
├── 100-ssh.pcap
├── conn.log
├── main.zeek
├── packet_filter.log
└── ssh.log
```

Looking for interesting metrics in the log output. ssh.log doesn't show much. However in the conn.log we find the following line.

```c
1580833725.124151   CgvmB23cju7ppajiwf  127.0.0.1       54712   127.0.0.1          22   tcp      ssh       53.446830   7173      3274189        SF               -           -   0           ShAdDaFf    20466   1071413 34606   5073721 -   1:vp2K1lvIUDDpljQ8WIBn+8DF/Xs=
```

We find this entry had substantially more `orig_ip_bytes`

![](https://3690043025-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJeilQajqHV4lFhF_rI%2F-MJhGwWlh42Uj-fvGukm%2F-MJhKjHD0tLg2HjhOc7D%2Fimage.png?alt=media\&token=aaa1c7ea-2552-4c60-aad6-672794f3e96e)

{% hint style="success" %}
The solution

```
54712
```

{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://eephillip.gitbook.io/zw2020-ctf-writeup/writeup/man-or-machine.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.