From 92f14a3ef73d389133b38b155b40812b63a4d6b1 Mon Sep 17 00:00:00 2001
From: David Kaufmann
Date: Wed, 13 Jan 2016 02:39:19 +0100
Subject: [PATCH] updates
---
 exercise2/task2/decode_ipid.py | 8 +++--
 exercise2/task2/plot_features | 66 +++++++++++++++++++++++++++++++---
 exercise2/task2/readflows.py | 45 ++++++++++++++++++-----
 3 files changed, 103 insertions(+), 16 deletions(-)
diff --git a/exercise2/task2/decode_ipid.py b/exercise2/task2/decode_ipid.py
index a112da9..3bcdcd5 100755
--- a/exercise2/task2/decode_ipid.py
+++ b/exercise2/task2/decode_ipid.py
@@ -7,13 +7,15 @@ from scapy.all import *
 logging.getLogger("scapy.runtime").setLevel(logging.WARN)
 from pprint import pprint
 import os
+import sys
 # disable payload parsing (saves two seconds runtime^^)
 IP.payload_guess = []
 bytes = bytearray()
-for p in PcapReader('large_flow.pcap'):
+#for p in PcapReader('large_flow.pcap'):
+for p in PcapReader(sys.argv[1]):
 if IP in p:
 src = p[IP].src
 dst = p[IP].dst
@@ -22,8 +24,8 @@ for p in PcapReader('large_flow.pcap'):
 bin = "{0:016b}".format(id)
 upper = int(bin[0:8], 2)
 lower = int(bin[8:16], 2)
- print ("Upper: %s (%d), Lower: %s (%d)" % (bin[0:8], upper, bin[8:16], lower))
- print ("Full: %s" % (bin))
+# print ("Upper: %s (%d), Lower: %s (%d)" % (bin[0:8], upper, bin[8:16], lower))
+# print ("Full: %s" % (bin))
 bytes.append(upper)
 bytes.append(lower)
diff --git a/exercise2/task2/plot_features b/exercise2/task2/plot_features
index 7fe95a4..a5c6b27 100644
--- a/exercise2/task2/plot_features
+++ b/exercise2/task2/plot_features
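Review bot: `sys.argv[1]` on the new `for p in PcapReader(sys.argv[1]):` line is read without checking that an argument was given, so running the script bare dies with an IndexError instead of a usage message; a guard such as `if len(sys.argv) != 2: sys.exit("usage: decode_ipid.py <pcap>")` placed before the loop fixes that. The `#for p in PcapReader('large_flow.pcap'):` line kept above it, like the two `#        print (...)` lines in the second hunk, is commented-out code rather than removed code; git history already holds the old version, so deleting these lines (or putting the prints behind a verbose flag) keeps the script readable. The loop body continues past the end of the hunk.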
@@ -22,9 +22,67 @@ set xtics border out scale 1,0.5 nomirror rotate by -45 autojustify
 set title "Data"
 set datafile separator ","
-#set output 'large_flow.png'
-set output 'flows.png'
+set output 'large_flow_01.png'
 plot \
- 'large_flow.dehexed.csv' using 7:xtic(1) title 'IPID large flow' ls 1, \
- 'small_flow.dehexed.csv' using 7:xtic(1) title 'IPID small flow' ls 2
+ 'large_flow_01.dehexed.csv' using 7:xtic(1) title 'IPID' ls 1, \
+ 'large_flow_01.dehexed.csv' using 9:xtic(1) title 'Dest port' ls 2
+set output 'large_flow_02.png'
+plot \
+ 'large_flow_02.dehexed.csv' using 7:xtic(1) title 'IPID' ls 1, \
+ 'large_flow_02.dehexed.csv' using 9:xtic(1) title 'Dest port' ls 2
+
+set output 'large_flow_03.png'
+plot \
+ 'large_flow_03.dehexed.csv' using 7:xtic(1) title 'IPID' ls 1, \
+ 'large_flow_03.dehexed.csv' using 9:xtic(1) title 'Dest port' ls 2
+
+set output 'large_flow_04.png'
+plot \
+ 'large_flow_04.dehexed.csv' using 7:xtic(1) title 'IPID' ls 1, \
+ 'large_flow_04.dehexed.csv' using 9:xtic(1) title 'Dest port' ls 2
+
+set output 'large_flow_05.png'
+plot \
+ 'large_flow_05.dehexed.csv' using 7:xtic(1) title 'IPID' ls 1, \
+ 'large_flow_05.dehexed.csv' using 9:xtic(1) title 'Dest port' ls 2
+
+set output 'large_flow_06.png'
+plot \
+ 'large_flow_06.dehexed.csv' using 7:xtic(1) title 'IPID' ls 1, \
+ 'large_flow_06.dehexed.csv' using 9:xtic(1) title 'Dest port' ls 2
+
+set output 'large_flow_07.png'
+plot \
+ 'large_flow_07.dehexed.csv' using 7:xtic(1) title 'IPID' ls 1, \
+ 'large_flow_07.dehexed.csv' using 9:xtic(1) title 'Dest port' ls 2
+
+set output 'large_flow_08.png'
+plot \
+ 'large_flow_08.dehexed.csv' using 7:xtic(1) title 'IPID' ls 1, \
+ 'large_flow_08.dehexed.csv' using 9:xtic(1) title 'Dest port' ls 2
+
+set output 'large_flow_09.png'
+plot \
+ 'large_flow_09.dehexed.csv' using 7:xtic(1) title 'IPID' ls 1, \
+ 'large_flow_09.dehexed.csv' using 9:xtic(1) title 'Dest port' ls 2
+
+set output 'large_flow_10.png'
+plot \
+ 'large_flow_10.dehexed.csv' using 7:xtic(1) title 'IPID' ls 1, \
+ 'large_flow_10.dehexed.csv' using 9:xtic(1) title 'Dest port' ls 2
+
+set output 'large_flow_11.png'
+plot \
+ 'large_flow_11.dehexed.csv' using 7:xtic(1) title 'IPID' ls 1, \
+ 'large_flow_11.dehexed.csv' using 9:xtic(1) title 'Dest port' ls 2
+
+set output 'large_flow_12.png'
+plot \
+ 'large_flow_12.dehexed.csv' using 7:xtic(1) title 'IPID' ls 1, \
+ 'large_flow_12.dehexed.csv' using 9:xtic(1) title 'Dest port' ls 2
+
+set output 'large_flow_13.png'
+plot \
+ 'large_flow_13.dehexed.csv' using 7:xtic(1) title 'IPID' ls 1, \
+ 'large_flow_13.dehexed.csv' using 9:xtic(1) title 'Dest port' ls 2
diff --git a/exercise2/task2/readflows.py b/exercise2/task2/readflows.py
index 5949639..a1895b6 100755
--- a/exercise2/task2/readflows.py
+++ b/exercise2/task2/readflows.py
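Review bot: The thirteen `set output` / `plot` blocks differ only in the two-digit file index, and the count 13 is hard-wired to however many `large_flow_NN` files readflows.py happened to emit, so every future change to the plot has to be repeated thirteen times; a `do for` loop with `sprintf` (below) expresses the same thirteen plots once, and the upper bound can then be raised in one place when the flow extraction changes. The two series also share one y axis although column 7 (titled IPID, a 16-bit field) and column 9 (titled Dest port) have unrelated ranges, so one of them may be flattened against the other's scale — plotting the port series with `axes x1y2` and enabling `set y2tics` keeps both readable, unless that is already handled outside the hunk. Whether `set terminal` and line styles 1 and 2 are defined cannot be seen from this hunk.
```gnuplot
do for [i=1:13] {
    f = sprintf('large_flow_%02d', i)
    set output f.'.png'
    plot \
        f.'.dehexed.csv' using 7:xtic(1) title 'IPID' ls 1, \
        f.'.dehexed.csv' using 9:xtic(1) title 'Dest port' ls 2
}
```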
@@ -6,34 +6,61 @@ logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
 from scapy.all import *
 logging.getLogger("scapy.runtime").setLevel(logging.WARN)
 from pprint import pprint
+import os
 # disable payload parsing (saves two seconds runtime^^)
 IP.payload_guess = []
 flowset = {}
-for p in PcapReader('ex22.pcap'):
+fcount = 0
+# V discards the wirelen... ( http://stackoverflow.com/questions/21752576/whole-packet-length-scapy )
+#for p in PcapReader('ex22.pcap'):
+for pkt, (sec, usec, wirelen) in RawPcapReader('ex22.pcap'):
+ p = Ether(pkt)
 if IP in p:
 src = p[IP].src
 dst = p[IP].dst
+ #lenip = p[Ether].len
 lenip = p[IP].len
- if lenip != 36:
+ if wirelen != 42:
 continue
+ fcount = fcount + 1
 # print ("Src: %s (ether), Dest: %s (ip)" % (src, dst))
 if (src,dst) in flowset:
- i,o = flowset[(src,dst)]
- flowset[(src,dst)] = (i+1,o)
+ i,o,l = flowset[(src,dst)]
+ if wirelen in l:
+ l[wirelen] = l[wirelen]+1
+ else:
+ l[wirelen] = 1
+ flowset[(src,dst)] = (i+1,o,l)
 elif (dst,src) in flowset:
- i,o = flowset[(dst,src)]
- flowset[(dst,src)] = (i,o+1)
+ i,o,l = flowset[(dst,src)]
+ if wirelen in l:
+ l[wirelen] = l[wirelen]+1
+ else:
+ l[wirelen] = 1
+ flowset[(dst,src)] = (i,o+1,l)
 else:
- flowset[(src,dst)] = (1, 0)
+ flowset[(src,dst)] = (1,0,{wirelen: 1})
+
+print("fcount: %d" % fcount)
 largeflows = {}
+filecount = 0
 for flow,counts in flowset.items():
- if counts[0]+counts[1] > 200:
- largeflows[flow] = counts
+ if counts[0] > 200 or counts[1] > 200:
+ largeflows[flow] = (counts[0],counts[1])
+ # extract each flow
+ if counts[0] > 200:
+ filecount = filecount + 1
+ filename = "large_flow_%02d.pcap" % filecount
+ os.system('tshark -r ex22.pcap -w '+filename+' -F pcap "ip.src == '+flow[0]+' and ip.dst == '+flow[1]+' and frame.len == 42"')
+ if counts[1] > 200:
+ filecount = filecount + 1
+ filename = "large_flow_%02d.pcap" % filecount
+ os.system('tshark -r ex22.pcap -w '+filename+' -F pcap "ip.src == '+flow[1]+' and ip.dst == '+flow[0]+' and frame.len == 42"')
 pprint(largeflows)
--
2.43.0
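Review bot: The two `os.system(...)` calls at the end of the hunk build a shell command by string-concatenating `filename`, `flow[0]` and `flow[1]`, where the two addresses come straight from the IP headers of the capture being analysed; scapy renders them as dotted quads, so a crafted packet is unlikely to escape the quoted filter, but a command line assembled from parsed input is exactly what `subprocess.run` with an argument list and no shell avoids, and `check=True` also surfaces a failed tshark run where `os.system` silently discards the exit status. The two call sites are identical apart from the direction, so a small helper (sketched below; it needs `import subprocess` next to the new `import os`) removes the duplication too. Separately, `lenip = p[IP].len` is now computed but never read since the filter moved to `wirelen`, and the per-flow `l` histogram can only ever hold the key 42 because every other frame is skipped by `if wirelen != 42: continue` before it is counted — both look like leftovers of the experiment worth dropping or commenting. The `if wirelen in l` / `else` block repeated in both branches reduces to `l[wirelen] = l.get(wirelen, 0) + 1`.
```python
def extract_flow(src, dst, filename):
    """Write the 42-byte frames sent from src to dst in ex22.pcap to filename via tshark."""
    subprocess.run(
        ['tshark', '-r', 'ex22.pcap', '-w', filename, '-F', 'pcap',
         'ip.src == %s and ip.dst == %s and frame.len == 42' % (src, dst)],
        check=True)

# … unchanged: flow counting loop, fcount print, largeflows setup …
        if counts[0] > 200:
            filecount = filecount + 1
            extract_flow(flow[0], flow[1], "large_flow_%02d.pcap" % filecount)
        # … counts[1] branch identical, calling extract_flow(flow[1], flow[0], …) …
```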