Exercise 2
From pcap to packets
Log in via ssh to the Lab Environment and cd into working_directory.
rep-10
Run the following command inside working_directory:
tcpdump -tt -c 10 -nr Ex2_team13.pcap
-tt for timestamps
-c 10 for showing the first 10 packets
-n for not converting addresses to names
-r for reading from pcap
Last line (10th packet) says:
1546318980.014549 IP 203.74.52.109 > 200.130.97.12: ICMP echo request, id 16190, seq 4544, length 12
rep-11
After running the command
go-flows run features pcap2pkts.json export csv Ex2_team13.csv source libpcap Ex2_team13.pcap
we get the file Ex2_team13.csv.
The following Python script counts the occurrences of each protocolIdentifier value:
import pandas as pd

# Load the CSV exported by go-flows
df = pd.read_csv(r'./Ex2_team13.csv')
# Count rows per protocolIdentifier value, most frequent first
print(df['protocolIdentifier'].value_counts(sort=True))
Output:
6 889752
1 761985
17 124772
47 107355
58 1308
50 66
103 15
41 2
Name: protocolIdentifier, dtype: int64
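To cross-check these counts without go-flows, the same tally can be taken straight from the capture file; the block below is an added example, not part of the original exercise or of go-flows. It assumes that protocolIdentifier is the IPv4 Protocol / IPv6 Next Header value and that the file is a classic pcap with Ethernet or raw-IP framing; count_protocols, sample_pcap, NAMES and MAGIC are hypothetical names, and the sample capture is constructed.

```python
import struct
from collections import Counter

NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 41: "IPv6", 47: "GRE",  # IANA protocol names
         50: "ESP", 58: "IPv6-ICMP", 103: "PIM"}
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian usec/nsec
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # big-endian usec/nsec

def count_protocols(pcap: bytes) -> Counter:
    """Count IP protocol numbers per packet in a classic pcap (not pcapng)."""
    end = MAGIC.get(pcap[:4])
    if end is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    if linktype not in (1, 101):                 # 1 = Ethernet, 101 = raw IP
        raise ValueError(f"unsupported link type {linktype}")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):                 # 16-byte record header per packet
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        ip = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == 1:
            ethertype, ip = int.from_bytes(ip[12:14], "big"), ip[14:]
            while ethertype in (0x8100, 0x88A8) and len(ip) >= 4:   # skip VLAN tags
                ethertype, ip = int.from_bytes(ip[2:4], "big"), ip[4:]
            if ethertype not in (0x0800, 0x86DD):
                continue                         # ARP etc.: no IP header
        if len(ip) >= 20 and ip[0] >> 4 == 4:
            counts[ip[9]] += 1                   # IPv4 Protocol field
        elif len(ip) >= 40 and ip[0] >> 4 == 6:
            counts[ip[6]] += 1                   # IPv6 Next Header (extension headers not walked)
    return counts

def sample_pcap() -> bytes:
    """Constructed Ethernet capture: 2 TCP, 1 ICMP, 1 UDP (VLAN), 1 ARP, 1 ICMPv6."""
    def v4(proto): return b"\x45" + bytes(8) + bytes([proto]) + bytes(10)
    def eth(etype, payload, vlan=False):
        tag = b"\x81\x00\x00\x0d" if vlan else b""
        return bytes(12) + tag + struct.pack(">H", etype) + payload
    frames = [eth(0x0800, v4(6)), eth(0x0800, v4(1)), eth(0x0800, v4(6)),
              eth(0x0800, v4(17), vlan=True), eth(0x0806, bytes(28)),
              eth(0x86DD, b"\x60" + bytes(5) + b"\x3a" + bytes(33))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 0, i, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for proto, n in count_protocols(sample_pcap()).most_common():
        print(proto, NAMES.get(proto, "?"), n)
```

Against the real capture, pass the bytes of Ex2_team13.pcap instead of sample_pcap(); differences from the CSV counts can come from IPv6 extension headers, which this sketch does not walk.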