Exercise 2
From pcap to packets
Login via ssh to the Lab Environment and cd working_directory.
rep-10
Run the following command inside working_directory:
tcpdump -tt -c 10 -nr Ex2_team13.pcap
-ttfor timestamps-c 10for showing the first 10 packets-nfor not converting addresses to names-rfor reading from pcap
Last line (10th packet) says:
1546318980.014549 IP 203.74.52.109 > 200.130.97.12: ICMP echo request, id 16190, seq 4544, length 12
rep-11
After running the command
go-flows run features pcap2pkts.json export csv Ex2_team13.csv source libpcap Ex2_team13.pcap
we get the file Ex2_team13.csv.
The following python script quickly extracts the protocolIdentifier and their occurrences:
import numpy as np
import pandas as pd
df = pd.read_csv(r'./Ex2_team13.csv')
print(df['protocolIdentifier'].value_counts(sort=True))
Output:
6 889752
1 761985
17 124772
47 107355
58 1308
50 66
103 15
41 2
Name: protocolIdentifier, dtype: int64
rep-12
After running the command
go-flows run features pcap2flows.json export csv Ex2flows_team13.csv source libpcap Ex2_team13.pcap
we get the file Ex2flows_team13.csv.
The following python script quickly extracts the percentage of sources communicating with one or more than ten destinations:
import pandas as pd
df = pd.read_csv(r'../data/Ex2flows_team13.csv')
dataLength = len(df)
singleDestinationFilter = df['distinct(destinationIPAddress)'] == 1
moreThan10DestinationsFilter = df['distinct(destinationIPAddress)'] > 10
percentageOfSingleDst = len(df[singleDestinationFilter]) / dataLength * 100
percentageOfMoreThan10Dst = len(df[moreThan10DestinationsFilter]) / dataLength * 100
print("Single Destination: {} %".format(round(percentageOfSingleDst, 3)))
print("More than 10 destinations: {} %".format(round(percentageOfMoreThan10Dst, 3)))
Output:
Length of dataset: 209434
Single Destination: 94.901 %
More than 10 destinations: 0.796 %