From e86dcbcf10729f36b5a92f81bf4709250f8cf781 Mon Sep 17 00:00:00 2001
From: David Kaufmann <astra@ionic.at>
Date: Fri, 15 Jan 2016 16:25:29 +0100
Subject: [PATCH] exercise2.tex

---
 report/exercise2.tex | 80 +++++++++++++++++++++++++++-----------------
 1 file changed, 50 insertions(+), 30 deletions(-)

diff --git a/report/exercise2.tex b/report/exercise2.tex
index ef7ab90..521608d 100644
--- a/report/exercise2.tex
+++ b/report/exercise2.tex
@@ -1,43 +1,63 @@
 
-\section{Exercise 2}
+\section{Exercise 2 - Task 1}
 \subsection{Rep:2.a}
 
-pcap-ng format to pcap for scapy
-editcap -F libpcap team15\_ex21.pcap ex21.pcap
+First we converted the file {\tt team15\_ex21.pcap} from the pcap-ng format to the pcap format to be able to use it with {\tt scapy}.
+\fbox{\parbox{{\textwidth}
+}}
+\begin{lstlisting}
+user@host ~ % editcap -F libpcap team15_ex21.pcap ex21.pcap
+\end{lstlisting}
 
-filter out large flows (>=400 packets)
+Then we filtered out the large flows with more or equal than 400 packets.
 
-./readflows.py
-% (src, dst) : (srctodst, dsttosrc)
-%{('113.15.85.25', '179.160.238.111'): (463, 0),
-% ('114.176.157.191', '221.72.61.209'): (541, 0),
-% ('134.134.122.170', '179.187.246.122'): (419, 0),
-% ('179.187.53.117', '129.49.173.82'): (472, 0),
-% ('211.2.138.61', '144.66.241.253'): (462, 151),
-% ('221.100.234.92', '161.194.49.146'): (547, 0),
-% ('8.73.98.88', '144.66.191.77'): (535, 0)}
-
-split into separate files
-
-(ip.addr == 113.15.85.25 and ip.addr == 179.160.238.111) % large_flow_1.pcap
-(ip.addr == 114.176.157.191 and ip.addr == 221.72.61.209) % large_flow_2.pcap
-(ip.addr == 134.134.122.170 and ip.addr == 179.187.246.122) % large_flow_3.pcap
-(ip.addr == 179.187.53.117 and ip.addr == 129.49.173.82) % large_flow_4.pcap
-(ip.addr == 211.2.138.61 and ip.addr == 144.66.241.253) % large_flow_5.pcap
-(ip.addr == 221.100.234.92 and ip.addr == 161.194.49.146) % large_flow_6.pcap
-(ip.addr == 8.73.98.88 and ip.addr == 144.66.191.77) % large_flow_7.pcap
-
-generate csv from wireshark for full pcap
-
-generate graphs:
+% TODO include readflows.py-source
+
+\begin{lstlisting}
+user@host ~ % ./readflows.py
+{('113.15.85.25', '179.160.238.111'): (463, 0),
+ ('114.176.157.191', '221.72.61.209'): (541, 0),
+ ('134.134.122.170', '179.187.246.122'): (419, 0),
+ ('179.187.53.117', '129.49.173.82'): (472, 0),
+ ('211.2.138.61', '144.66.241.253'): (462, 151),
+ ('221.100.234.92', '161.194.49.146'): (547, 0),
+ ('8.73.98.88', '144.66.191.77'): (535, 0)}
+\end{lstlisting}
+
+(Format: {\tt (src, dst) : (srctodst, dsttosrc)})
+
+We then split the pcap into different files for each stream using the following filter expressions into the files {\tt large\_flow\_\{1..7\}.pcap}:
+\begin{lstlisting}
+(ip.addr == 113.15.85.25 and ip.addr == 179.160.238.111)
+(ip.addr == 114.176.157.191 and ip.addr == 221.72.61.209)
+(ip.addr == 134.134.122.170 and ip.addr == 179.187.246.122)
+(ip.addr == 179.187.53.117 and ip.addr == 129.49.173.82)
+(ip.addr == 211.2.138.61 and ip.addr == 144.66.241.253)
+(ip.addr == 221.100.234.92 and ip.addr == 161.194.49.146)
+(ip.addr == 8.73.98.88 and ip.addr == 144.66.191.77)
+\end{lstlisting}
+
+We also did generate csv files for all pcap files.
+
+Then we generated graphs to visualize the respective flows and found that the second flow has suspicious source ports, alternating between two values ({\tt 5950} and {\tt 5960}).
+
+% TODO include gnuplot-source
+
+% TODO include image
 large\_flow\_2.png
 
-cat large\_flow\_2.dehexed.csv | awk -F, '{print \$8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g' > bits
-./bitstobytes.py
+% TODO include bitstobytes.py-source
+
+\begin{lstlisting}
+user@host ~ % ./decimal_only.sh large_flow_2.csv > large_flow_2.dehexed.csv
+user@host ~ % cat large_flow_2.dehexed.csv | awk -F, '{print \$8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g'
+user@host ~ % ./bitstobytes.py
+\end{lstlisting}
 
 \subsection{Rep:2.b}
-Data acquired. Key for message (len=42 \& pkts>200): nSa123 (Scott)
+\fbox{\parbox{\textwidth{{Data acquired. Key for message (len=42 \& pkts>200): nSa123 (Scott)}}
 
+\section{Exercise 2 - Task 2}
 \subsection{Rep:2.c}
 
 pcap-ng format to pcap for scapy
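Review bot: The added line `\fbox{\parbox{\textwidth{{Data acquired. Key for message (len=42 \& pkts>200): nSa123 (Scott)}}` under Rep:2.b has one more `{` than `}` (`\parbox` receives `\textwidth{...` as its width and never gets a text argument), so the file stops compiling at this point; it should read `\fbox{\parbox{\dimexpr\textwidth-2\fboxsep-2\fboxrule\relax}{Data acquired. Key for message (len=42 \& pkts>200): nSa123 (Scott)}}`, the `\dimexpr` keeping the framed box within the text width. The two lines `\fbox{\parbox{{\textwidth}` and `}}` under Rep:2.a have the same malformed shape and enclose nothing, so they look like a leftover and should be dropped. In the last listing, `awk -F, '{print \$8}'` was copied from the old prose with its LaTeX escape intact, but `lstlisting` is verbatim, so the report now shows `\$8` rather than the `$8` that was actually run; the line should be `user@host ~ % cat large_flow_2.dehexed.csv | awk -F, '{print $8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g'`. The new `{\tt ...}` groups are the obsolete plain-TeX form; `\texttt{...}` is the LaTeX equivalent for the same inline file names and values.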
-- 
2.43.0