# Exercise 2

## From pcap to packets

Log in via `ssh` to the Lab Environment and `cd working_directory`.

### rep-10

Run the following command inside `working_directory`:

`tcpdump -tt -c 10 -nr Ex2_team13.pcap`

* `-tt` for unformatted (epoch) timestamps
* `-c 10` for stopping after the first 10 packets
* `-n` for not converting addresses to names
* `-r` for reading from the pcap file instead of a live interface

The last line (10th packet) says:

`1546318980.014549 IP 203.74.52.109 > 200.130.97.12: ICMP echo request, id 16190, seq 4544, length 12`

### rep-11

After running the command

`go-flows run features pcap2pkts.json export csv Ex2_team13.csv source libpcap Ex2_team13.pcap`

we get the file `Ex2_team13.csv`. The following Python script quickly extracts the `protocolIdentifier` values and their occurrences:

```python
import pandas as pd

# One row per packet, as exported by go-flows with pcap2pkts.json
df = pd.read_csv(r'./Ex2_team13.csv')

# Count how often each IP protocol number occurs, most frequent first
print(df['protocolIdentifier'].value_counts(sort=True))
```

Output:

```
6      889752
1      761985
17     124772
47     107355
58       1308
50         66
103        15
41          2
Name: protocolIdentifier, dtype: int64
```

### rep-12

After running the command

`go-flows run features pcap2flows.json export csv Ex2flows_team13.csv source libpcap Ex2_team13.pcap`

we get the file `Ex2flows_team13.csv`. The following Python script quickly extracts the percentage of sources communicating with exactly one destination and with more than ten destinations:

```python
import pandas as pd

# One row per source, with the number of distinct destinations it contacted
df = pd.read_csv(r'../data/Ex2flows_team13.csv')
dataLength = len(df)

# Boolean masks over the aggregated distinct-destination column
singleDestinationFilter = df['distinct(destinationIPAddress)'] == 1
moreThan10DestinationsFilter = df['distinct(destinationIPAddress)'] > 10

percentageOfSingleDst = len(df[singleDestinationFilter]) / dataLength * 100
percentageOfMoreThan10Dst = len(df[moreThan10DestinationsFilter]) / dataLength * 100

print("Length of dataset: {}".format(dataLength))
print("Single Destination: {} %".format(round(percentageOfSingleDst, 3)))
print("More than 10 destinations: {} %".format(round(percentageOfMoreThan10Dst, 3)))
```

Output:

```
Length of dataset: 209434
Single Destination: 94.901 %
More than 10 destinations: 0.796 %
```
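The two pandas one-liners in rep-11 and rep-12 hide what is actually being computed. The following script is an added example, not part of the lab report and not go-flows code: it rebuilds both measurements with the standard library only, on a small constructed packet table in the column layout of the go-flows export (the column names `sourceIPAddress`, `destinationIPAddress` and `protocolIdentifier` are assumed; the addresses and counts are made up). It also maps the protocol numbers that appear in the rep-11 output to their IANA names, and it lists the sources behind the "more than ten destinations" share, which is the figure a defender would actually follow up on as a possible scan.

```python
import csv
import io
from collections import Counter, defaultdict

# IANA-assigned IP protocol numbers for the identifiers seen in the report
# (general fact, not taken from the report itself).
PROTOCOL_NAMES = {
    1: "ICMP", 6: "TCP", 17: "UDP", 41: "IPv6 encapsulation",
    47: "GRE", 50: "ESP", 58: "ICMPv6", 103: "PIM",
}


def _build_sample_csv():
    """Constructed packet records in the shape of a go-flows packet export.
    Column names are assumed; addresses and counts are made up for the example."""
    rows = [
        ("10.0.0.1", "192.0.2.10", 6),
        ("10.0.0.1", "192.0.2.10", 6),
        ("10.0.0.2", "192.0.2.11", 17),
        ("10.0.0.3", "192.0.2.1", 1),
        ("10.0.0.3", "192.0.2.2", 1),
        ("10.0.0.4", "192.0.2.5", 47),
    ]
    # One source that touches 12 distinct hosts: the ">10 destinations" case.
    rows += [("10.0.0.9", "192.0.2.%d" % i, 6) for i in range(1, 13)]
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["sourceIPAddress", "destinationIPAddress", "protocolIdentifier"])
    writer.writerows(rows)
    return out.getvalue()


SAMPLE_PACKETS_CSV = _build_sample_csv()


def load_packets(csv_text):
    """Parse CSV text into one dict per packet; protocolIdentifier becomes an int."""
    packets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["protocolIdentifier"] = int(row["protocolIdentifier"])
        packets.append(row)
    return packets


def protocol_counts(packets):
    """Occurrences per protocolIdentifier, most frequent first (what value_counts does)."""
    return Counter(p["protocolIdentifier"] for p in packets).most_common()


def protocol_name(number):
    """Human-readable name for a protocol number, or a generic label if unknown."""
    return PROTOCOL_NAMES.get(number, "proto-%d" % number)


def destinations_per_source(packets):
    """Set of distinct destination addresses contacted by each source address."""
    dests = defaultdict(set)
    for p in packets:
        dests[p["sourceIPAddress"]].add(p["destinationIPAddress"])
    return dests


def fan_out_summary(packets):
    """Share of sources with exactly one destination and with more than ten,
    plus the high fan-out sources themselves (the rows worth reviewing)."""
    dests = destinations_per_source(packets)
    total = len(dests)
    single = sum(1 for d in dests.values() if len(d) == 1)
    many = sum(1 for d in dests.values() if len(d) > 10)
    return {
        "sources": total,
        "single_destination_pct": round(single / total * 100, 3),
        "more_than_10_pct": round(many / total * 100, 3),
        "high_fan_out_sources": sorted(s for s, d in dests.items() if len(d) > 10),
    }


if __name__ == "__main__":
    pkts = load_packets(SAMPLE_PACKETS_CSV)
    for number, count in protocol_counts(pkts):
        print("%-20s %6d" % (protocol_name(number), count))
    print(fan_out_summary(pkts))
```

Unlike the rep-12 script, which works on the flow export where go-flows has already aggregated `distinct(destinationIPAddress)` per source, this version derives the per-source destination sets from raw packet rows itself, so the percentages are over unique sources rather than over exported flow rows; on a real capture, replace `SAMPLE_PACKETS_CSV` with the contents of the packet CSV.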