From e86dcbcf10729f36b5a92f81bf4709250f8cf781 Mon Sep 17 00:00:00 2001
From: David Kaufmann
Date: Fri, 15 Jan 2016 16:25:29 +0100
Subject: [PATCH] exercise2.tex

---
 report/exercise2.tex | 80 +++++++++++++++++++++++++++-----------------
 1 file changed, 50 insertions(+), 30 deletions(-)

diff --git a/report/exercise2.tex b/report/exercise2.tex
index ef7ab90..521608d 100644
--- a/report/exercise2.tex
+++ b/report/exercise2.tex
@@ -1,43 +1,63 @@
-\section{Exercise 2}
+\section{Exercise 2 - Task 1}
 \subsection{Rep:2.a}
-pcap-ng format to pcap for scapy
-editcap -F libpcap team15\_ex21.pcap ex21.pcap
+First we converted the file {\tt team15\_ex21.pcap} from the pcap-ng format to the pcap format to be able to use it with {\tt scapy}.
+\fbox{\parbox{{\textwidth}
+}}
+\begin{lstlisting}
+user@host ~ % editcap -F libpcap team15_ex21.pcap ex21.pcap
+\end{lstlisting}
-filter out large flows (>=400 packets)
+Then we filtered out the large flows with more or equal than 400 packets.
-./readflows.py
-% (src, dst) : (srctodst, dsttosrc)
-%{('113.15.85.25', '179.160.238.111'): (463, 0),
-% ('114.176.157.191', '221.72.61.209'): (541, 0),
-% ('134.134.122.170', '179.187.246.122'): (419, 0),
-% ('179.187.53.117', '129.49.173.82'): (472, 0),
-% ('211.2.138.61', '144.66.241.253'): (462, 151),
-% ('221.100.234.92', '161.194.49.146'): (547, 0),
-% ('8.73.98.88', '144.66.191.77'): (535, 0)}
-
-split into separate files
-
-(ip.addr == 113.15.85.25 and ip.addr == 179.160.238.111) % large_flow_1.pcap
-(ip.addr == 114.176.157.191 and ip.addr == 221.72.61.209) % large_flow_2.pcap
-(ip.addr == 134.134.122.170 and ip.addr == 179.187.246.122) % large_flow_3.pcap
-(ip.addr == 179.187.53.117 and ip.addr == 129.49.173.82) % large_flow_4.pcap
-(ip.addr == 211.2.138.61 and ip.addr == 144.66.241.253) % large_flow_5.pcap
-(ip.addr == 221.100.234.92 and ip.addr == 161.194.49.146) % large_flow_6.pcap
-(ip.addr == 8.73.98.88 and ip.addr == 144.66.191.77) % large_flow_7.pcap
-
-generate csv from wireshark for full pcap
-
-generate graphs:
+% TODO include readflows.py-source
+
+\begin{lstlisting}
+user@host ~ % ./readflows.py
+{('113.15.85.25', '179.160.238.111'): (463, 0),
+ ('114.176.157.191', '221.72.61.209'): (541, 0),
+ ('134.134.122.170', '179.187.246.122'): (419, 0),
+ ('179.187.53.117', '129.49.173.82'): (472, 0),
+ ('211.2.138.61', '144.66.241.253'): (462, 151),
+ ('221.100.234.92', '161.194.49.146'): (547, 0),
+ ('8.73.98.88', '144.66.191.77'): (535, 0)}
+\end{lstlisting}
+
+(Format: {\tt (src, dst) : (srctodst, dsttosrc)})
+
+We then split the pcap into different files for each stream using the following filter expressions into the files {\tt large\_flow\_\{1..7\}.pcap}:
+\begin{lstlisting}
+(ip.addr == 113.15.85.25 and ip.addr == 179.160.238.111)
+(ip.addr == 114.176.157.191 and ip.addr == 221.72.61.209)
+(ip.addr == 134.134.122.170 and ip.addr == 179.187.246.122)
+(ip.addr == 179.187.53.117 and ip.addr == 129.49.173.82)
+(ip.addr == 211.2.138.61 and ip.addr == 144.66.241.253)
+(ip.addr == 221.100.234.92 and ip.addr == 161.194.49.146)
+(ip.addr == 8.73.98.88 and ip.addr == 144.66.191.77)
+\end{lstlisting}
+
+We also did generate csv files for all pcap files.
+
+Then we generated graphs to visualize the respective flows and found that the second flow has suspicious source ports, alternating between two values ({\tt 5950} and {\tt 5960}).
+
+% TODO include gnuplot-source
+
+% TODO include image large\_flow\_2.png
-cat large\_flow\_2.dehexed.csv | awk -F, '{print \$8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g' > bits
-./bitstobytes.py
+% TODO include bitstobytes.py-source
+
+\begin{lstlisting}
+user@host ~ % ./decimal_only.sh large_flow_2.csv > large_flow_2.dehexed.csv
+user@host ~ % cat large_flow_2.dehexed.csv | awk -F, '{print \$8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g'
+user@host ~ % ./bitstobytes.py
+\end{lstlisting}
 \subsection{Rep:2.b}
-Data acquired. Key for message (len=42 \& pkts>200): nSa123 (Scott)
+\fbox{\parbox{\textwidth{{Data acquired. Key for message (len=42 \& pkts>200): nSa123 (Scott)}}
+\section{Exercise 2 - Task 2}
 \subsection{Rep:2.c}
 pcap-ng format to pcap for scapy
-- 
2.43.0