Sunday, 30 September 2012

traffic-analysis using tcpdump

Tcpdump is a pretty useful tool. Wireshark can also be used as an alternative.

code - https://github.com/pragya1990/traffic-analysis


Tcpdump writes captures in the pcap file format: a 24-byte global header (magic number, version, snaplen, link type) followed by one 16-byte record header (timestamp, captured length, original length) per packet, then the raw frame bytes. Using the libpcap library functions we can analyse the packets captured by tcpdump; see 'man pcap' for details.

The program "pcap_program.c" reads the packets of a pcap file "packets.pcap".
It then maps each IP address to a number; the mapping is stored in map.txt.
The edges.txt file lists which IP address is talking to which, and for how many seconds and microseconds.

In the terminal, I executed the command : tcpdump -i 3 -c 15 -w /home/hp/Desktop/tcpdump/packets.pcap
It captures 15 packets from interface number 3 (wlan0 in the listing printed by tcpdump -D) and saves them, link-layer header included, to packets.pcap. The count is of frames, not IP packets: ARP or other non-IP frames count too. Note the "capture size 96 bytes" in the output below: this tcpdump version truncates each packet to 96 bytes by default, so pass -s 0 when the payload is needed.

The capture session, and the packets read back from the file with tcpdump -n -q -r, as shown in the terminal:

root@ubuntu:~# tcpdump -i 3 -c 15 -w /home/hp/Desktop/tcpdump/packets.pcap
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
15 packets captured
15 packets received by filter
0 packets dropped by kernel
root@ubuntu:~# tcpdump -n -q -r /home/hp/Desktop/tcpdump/packets.pcap
reading from file /home/hp/Desktop/tcpdump/packets.pcap, link-type EN10MB (Ethernet)
16:45:45.464511 IP 209.85.231.83.443 > 192.168.1.2.59417: tcp 52
16:45:45.464568 IP 192.168.1.2.59417 > 209.85.231.83.443: tcp 0
16:45:49.471288 IP 192.168.1.2.56531 > 192.168.1.1.53: UDP, length 36
16:45:49.493679 IP 192.168.1.1.53 > 192.168.1.2.56531: UDP, length 180
16:45:49.494077 IP 192.168.1.2.46097 > 75.101.153.231.80: tcp 0
16:45:49.723182 IP 192.168.1.2.46098 > 75.101.153.231.80: tcp 0
16:45:49.836979 IP 75.101.153.231.80 > 192.168.1.2.46097: tcp 0
16:45:49.837062 IP 192.168.1.2.46097 > 75.101.153.231.80: tcp 0
16:45:49.837767 IP 192.168.1.2.46097 > 75.101.153.231.80: tcp 482
16:45:50.062293 IP 75.101.153.231.80 > 192.168.1.2.46098: tcp 0
16:45:50.062343 IP 192.168.1.2.46098 > 75.101.153.231.80: tcp 0
16:45:50.182085 IP 75.101.153.231.80 > 192.168.1.2.46097: tcp 0
16:45:50.184581 IP 75.101.153.231.80 > 192.168.1.2.46097: tcp 231
16:45:50.184612 IP 192.168.1.2.46097 > 75.101.153.231.80: tcp 0
16:45:50.185293 IP 75.101.153.231.80 > 192.168.1.2.46097: tcp 0

root@ubuntu:~/Desktop/tcpdump# gcc -lpcap -o pcap_program pcap_program.c
root@ubuntu:~/Desktop/tcpdump# ./pcap_program


After compiling the program and executing ./pcap_program, two files, map.txt and edges.txt, were created. (With newer GCC and Ubuntu toolchains the library must come after the source file, gcc -o pcap_program pcap_program.c -lpcap; otherwise the linker may drop it and report undefined references to the pcap_* symbols.)

In this program, I have made one assumption: that the packets have ether type IP. However, while running the program several times, I realised that sometimes packets with the ARP protocol were also coming, and this gave an error in the program, as the pointer to the IP header was set according to the offset of the IP protocol at 14. I did overcome this problem by giving an offset of '0' for protocols other than IP, but it's not always correct.

For finding the talking time of the IP addresses, I subtracted the time of two consecutive IP packets. I am not sure if this is how we get the talking time but it seems correct. The talking time of the last packet is not shown as we need the next packet to find its time.
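The two points above, the EtherType check that pcap_program.c is missing and the consecutive-packet "talking time", as an added example that is not the post's code. It parses the pcap file layout directly instead of calling libpcap, so it runs stand-alone; with libpcap the same frame bytes come from pcap_next_ex() and the link type from pcap_datalink(). The functions ipv4_offset, collect_ipv4, talking_gaps and sample_run are my names, and the capture in sample_run is constructed (only the two addresses are borrowed from the tcpdump output above). A frame that is not IPv4 is skipped rather than parsed at a guessed offset; an 802.1Q tag is stripped, and a frame cut short by the snaplen is rejected.

```c
/* Added example (not the post's pcap_program.c): read a pcap image without libpcap
 * and dispatch on EtherType before touching the IP header. Sample data is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINKTYPE_ETHERNET 1   /* pcap "network" field for EN10MB */
#define ETH_LEN 14
#define ET_IPV4 0x0800
#define ET_VLAN 0x8100        /* 802.1Q tag: 4 extra bytes before the IP header */
struct ip_event { uint32_t src, dst; double t; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]; }
static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Offset of the IPv4 header in an Ethernet frame, or -1 if the frame is not IPv4
 * (ARP, IPv6, ...) or too short (e.g. cut by a 96-byte snaplen): reject, never guess. */
int ipv4_offset(const uint8_t *f, uint32_t len)
{
    if (len < ETH_LEN) return -1;
    uint32_t off = ETH_LEN; uint16_t et = be16(f + 12);
    if (et == ET_VLAN) {                                    /* TCI, then the real EtherType */
        if (len < off + 4) return -1;
        et = be16(f + off + 2); off += 4;
    }
    return (et == ET_IPV4 && len >= off + 20 && (f[off] >> 4) == 4) ? (int)off : -1;
}

/* pcap layout: 24-byte global header, then per packet a 16-byte record header
 * (ts_sec, ts_usec, incl_len, orig_len) and incl_len frame bytes. Returns IPv4 count or -1. */
int collect_ipv4(const uint8_t *buf, size_t n, struct ip_event *out, int max)
{
    if (n < 24 || le32(buf) != 0xa1b2c3d4u) return -1;      /* little-endian, usec files only */
    if (le32(buf + 20) != LINKTYPE_ETHERNET) return -1;     /* offset 14 is an Ethernet assumption */
    size_t pos = 24; int cnt = 0;
    while (pos + 16 <= n) {
        uint32_t sec = le32(buf + pos), usec = le32(buf + pos + 4), incl = le32(buf + pos + 8);
        pos += 16;
        if (incl > n - pos) break;                          /* truncated final record */
        int off = ipv4_offset(buf + pos, incl);
        if (off >= 0 && cnt < max) {
            out[cnt].src = be32(buf + pos + off + 12); out[cnt].dst = be32(buf + pos + off + 16);
            out[cnt++].t = sec + usec / 1e6;
        }
        pos += incl;
    }
    return cnt;
}

/* The post's "talking time": gap to the next IPv4 packet, credited to the earlier
 * packet's src->dst pair; the last packet gets none. Returns the number of gaps. */
int talking_gaps(const struct ip_event *ev, int n, double *gaps)
{
    for (int i = 0; i + 1 < n; i++) gaps[i] = ev[i + 1].t - ev[i].t;
    return n > 1 ? n - 1 : 0;
}

/* ---- constructed sample capture; addresses borrowed from the post's tcpdump output ---- */
static uint32_t ipv4_frame(uint8_t *f, int vlan, uint32_t src, uint32_t dst)
{
    memset(f, 0, 64);
    uint32_t off = ETH_LEN;
    if (vlan) { f[12] = 0x81; f[13] = 0x00; f[16] = 0x08; f[17] = 0x00; off += 4; }
    else      { f[12] = 0x08; f[13] = 0x00; }
    f[off] = 0x45; f[off + 3] = 20; f[off + 8] = 64; f[off + 9] = 6;   /* IHL 5, len 20, TTL 64, TCP */
    for (int i = 0; i < 4; i++) { f[off + 12 + i] = (uint8_t)(src >> (24 - 8 * i)); f[off + 16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    return off + 20;
}

static size_t add_record(uint8_t *b, size_t pos, uint32_t sec, uint32_t usec, const uint8_t *f, uint32_t len)
{
    put_le32(b + pos, sec); put_le32(b + pos + 4, usec); put_le32(b + pos + 8, len); put_le32(b + pos + 12, len);
    memcpy(b + pos + 16, f, len);
    return pos + 16 + len;
}

uint8_t sample_cap[256]; struct ip_event sample_ev[8]; double sample_gaps[8];

/* Writes IPv4, ARP, VLAN-tagged IPv4 and a 20-byte truncated IPv4 record, then parses them. */
int sample_run(void)
{
    const uint32_t host = 0xC0A80102u /* 192.168.1.2 */, web = 0x4B6599E7u /* 75.101.153.231 */;
    uint8_t f[64], *b = sample_cap;
    put_le32(b, 0xa1b2c3d4u); b[4] = 2; b[6] = 4;             /* magic, version 2.4 */
    put_le32(b + 8, 0); put_le32(b + 12, 0);                  /* thiszone, sigfigs */
    put_le32(b + 16, 65535); put_le32(b + 20, LINKTYPE_ETHERNET);
    size_t pos = add_record(b, 24, 1, 0, f, ipv4_frame(f, 0, host, web));
    memset(f, 0, 42); f[12] = 0x08; f[13] = 0x06;             /* ARP frame: must be skipped */
    pos = add_record(b, pos, 1, 500000, f, 42);
    pos = add_record(b, pos, 2, 250000, f, ipv4_frame(f, 1, web, host));
    ipv4_frame(f, 0, host, web);
    pos = add_record(b, pos, 3, 0, f, 20);                    /* only 20 of 34 bytes captured */
    return collect_ipv4(b, pos, sample_ev, 8);
}

int main(void)
{
    int n = sample_run(), g = talking_gaps(sample_ev, n, sample_gaps);
    for (int i = 0; i < n; i++)
        printf("%08x -> %08x  t=%.6f  gap=%.6f%s\n", sample_ev[i].src, sample_ev[i].dst, sample_ev[i].t,
               i < g ? sample_gaps[i] : 0.0, i < g ? "" : " (last packet: no gap)");
    return n == 2 ? 0 : 1;
}
```

Only the two IPv4 frames survive: the ARP frame and the truncated one are skipped, and the VLAN-tagged reply is found at offset 18 rather than 14. One caveat on the gap itself: it is the inter-arrival time between consecutive IPv4 packets in the file, whatever flow they belong to, so a packet from an unrelated connection ends the "talk" early; a per-conversation duration would instead keep the first and last timestamp seen for each (src, dst) pair.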

We can also visualise this traffic as a graph with the igraph library, and interesting analytics can be done on such graphs by studying how the nodes communicate, one example being "six degrees of separation". :)
