\section{Exercise 2 - Task 1}
\subsection{Rep:2.a}
+In order to use scapy we need to convert out pcap-ng dump to pcap.
+\begin{verbatim}
+$ editcap -F libpcap team15_ex21.pcapng team15_ex21.pcap
+\end{verbatim}
-First we converted the file {\tt team15\_ex21.pcap} from the pcap-ng format to the pcap format to be able to use it with {\tt scapy}.
-% TODO: fixme!
-%\fbox{\parbox{{\textwidth}
-%}}
-\begin{lstlisting}
-$ editcap -F libpcap team15_ex21.pcap ex21.pcap
-\end{lstlisting}
+We are only interested in flows with more (or equal) than 400 packets, each exported as a separate pcap file.
-Then we filtered out the large flows with more or equal than 400 packets.
+\begin{verbatim}
+$ ./somefilter.py | sh
+\end{verbatim}
-% TODO include readflows.py-source
+./somefilter.py
+\begin{redframe}\begin{scriptsize}\begin{verbatim}
+#!/usr/bin/env python
-\begin{lstlisting}
-$ ./readflows.py
-{('113.15.85.25', '179.160.238.111'): (463, 0),
- ('114.176.157.191', '221.72.61.209'): (541, 0),
- ('134.134.122.170', '179.187.246.122'): (419, 0),
- ('179.187.53.117', '129.49.173.82'): (472, 0),
- ('211.2.138.61', '144.66.241.253'): (462, 151),
- ('221.100.234.92', '161.194.49.146'): (547, 0),
- ('8.73.98.88', '144.66.191.77'): (535, 0)}
-\end{lstlisting}
+from scapy.all import *
-(Format: {\tt (src, dst) : (srctodst, dsttosrc)})
+def somefilter(pcapfile):
+ flows = dict()
+ for p in PcapReader(pcapfile):
+ if IP in p:
+ src = p[IP].src
+ dst = p[IP].dst
-We then split the pcap into different files for each stream using the following filter expressions into separate files:
-\begin{lstlisting}
-(ip.addr == 113.15.85.25 and ip.addr == 179.160.238.111)
-(ip.addr == 114.176.157.191 and ip.addr == 221.72.61.209)
-(ip.addr == 134.134.122.170 and ip.addr == 179.187.246.122)
-(ip.addr == 179.187.53.117 and ip.addr == 129.49.173.82)
-(ip.addr == 211.2.138.61 and ip.addr == 144.66.241.253)
-(ip.addr == 221.100.234.92 and ip.addr == 161.194.49.146)
-(ip.addr == 8.73.98.88 and ip.addr == 144.66.191.77)
-\end{lstlisting}
-
-We also did generate csv files for all pcap files.
+ if (src,dst) in flows:
+ flows[(src,dst)] +=1
+ else:
+ flows[(src,dst)] = 1
-Then we generated graphs to visualize the respective flows and found that the second flow has suspicious source ports, alternating between two values ({\tt 5950} and {\tt 5960}).
+ for flow,cnt in flows.items():
+ if cnt >= 400:
+ print 'tshark -r '+pcapfile+' -w "flow_'+flow[0]+'_'+flow[1]+'.pcap" -F pcap ' \
+ + '\'ip.src == '+flow[0]+' and ip.dst == '+flow[1]+'\''
-% TODO include gnuplot-source
+if __name__ == "__main__":
+ somefilter("team15_ex21.pcap")
+\end{verbatim}\end{scriptsize}\end{redframe}
-% TODO include image
-large\_flow\_2.png
+With Wireshark we poked around and exported the flows to csv to further investigate.
-% TODO include bitstobytes.py-source
+While poking around we came across an unexpected value of srcport.
+\begin{verbatim}
+$ ./srcfeat_power.py --input flow_114.176.157.191_221.72.61.209.csv --feature srcport
+# 114.176.157.191,541,2,1.5469339647025981
+\end{verbatim}
+There seemed to be 2 different srcports, occuring nearly equally often.
+We looked into it with Rapidminer and found a suspiciously alternating srcport jumping between \emph{\textbf{5950}} and \emph{\textbf{5960}}.
-\begin{lstlisting}
-$ awk -F, '{print $8}' large_flow_2.csv | sed -e 's/5950/0/' -e 's/5960/1/' -e 's/"//g'
-$ ./bitstobytes.py
-\end{lstlisting}
+\includegraphics[width=0.6\columnwidth,keepaspectratio]{content/e21_flow_114_176_157_191_221_72_61_209_srcport.png}
\subsection{Rep:2.b}
-%\fbox{\parbox{\textwidth{{Data acquired. Key for message (len=42 \& pkts>200): nSa123 (Scott)}}
+The message is \emph{\textbf{Data acquired. Key for message (len=42 \& pkts>200): nSa123 (Scott)}}
+
+\begin{redframe}\begin{scriptsize}\begin{verbatim}
+#!/usr/bin/env python
+
+import csv
+import binascii
+
+def somedecode(filename):
+ with open(filename, 'rb') as csvfile:
+ spamreader = csv.reader(csvfile, delimiter=',', quotechar='"')
+ header = None
+ bits = ""
+
+ for row in spamreader:
+ if header is None:
+ header = row
+ continue
+
+ if row[2] == '114.176.157.191' and row[10] == '5950':
+ bits += "0"
+ if row[2] == '114.176.157.191' and row[10] == '5960':
+ bits += "1"
+
+ bits = bits[:-(len(bits)%8)]
+ print binascii.unhexlify('%x' % int(bits, 2))
+
+if __name__ == "__main__":
+ somedecode("flow_114.176.157.191_221.72.61.209.csv")
+\end{verbatim}\end{scriptsize}\end{redframe}
+
\section{Exercise 2 - Task 2}
\subsection{Rep:2.c}
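Review bot: In the somedecode listing under Rep:2.b, `bits = bits[:-(len(bits)%8)]` wipes the whole string when the bit count is already a multiple of 8, because `bits[:-0]` is `bits[:0]`, and the following `int(bits, 2)` then raises on an empty string; `bits = bits[:len(bits) - len(bits) % 8]` keeps the intended truncation in every case. The next line, `'%x' % int(bits, 2)`, also drops leading zero bits, so a message whose first nibble is zero produces an odd-length hex string and misaligned bytes in unhexlify; `'%0*x' % (len(bits) // 4, int(bits, 2))` preserves the width. In the somefilter listing under Rep:2.a the tshark command is assembled by string concatenation from addresses read out of the capture and then piped straight into `sh`; passing an argument list to subprocess would avoid relying on those values being well-formed shell text. Both listings use Python 2 print statements, which the report should state since the scripts will not run unchanged under Python 3.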