Script that takes a packet capture exported by Wireshark/tshark as JSON and
counts, per second of the day (HH:MM:SS, date dropped), how many frames a
given device -- identified by its MAC address -- sent or received.
import json
from collections import defaultdict

from dateutil import parser
# Key names of the tshark ``-T json`` export. Every array element has the
# shape ``{"_source": {"layers": {<protocol>: {<field>: value}}}}``.
JSON_KEY_SOURCE = "_source"
JSON_KEY_LAYERS = "layers"
# Ethernet layer fields: destination / source MAC address (colon-separated
# strings, compared verbatim against the user-supplied address)
JSON_KEY_ETH_DST = "eth.dst"
JSON_KEY_ETH_SRC = "eth.src"
# Frame (capture metadata) layer and its textual timestamp, which is fed to
# dateutil rather than parsed with a fixed format
JSON_KEY_FRAME = "frame"
JSON_KEY_FRAME_TIME = "frame.time"
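def save_to_file(tbl_header, dictionary, filename_out):
    """Append a frequency table to a text report file.

    The file is opened in append mode on purpose: repeated runs (e.g. one
    per device) accumulate tables in the same report instead of overwriting
    each other. Each table is two blank lines, the header, then one
    ``key, value`` line per entry in sorted key order.

    Args:
        tbl_header: header written verbatim above the table (the CLI wrapper
            passes the device name here).
        dictionary: mapping to dump. Keys are sorted with the default
            ordering, so they must be mutually comparable (all strings in
            this script).
        filename_out: path of the report file; created if it does not exist.

    Raises:
        IOError/OSError: if the file cannot be opened or written.
    """
    # Build the whole table first so the file is written in one go
    lines = ["\n\n" + str(tbl_header) + "\n"]
    lines.extend(str(key) + ", " + str(dictionary[key]) + "\n"
                 for key in sorted(dictionary))
    # Appending, not overwriting! ``with`` closes the handle even if a
    # write fails, so no descriptor leaks on error.
    with open(filename_out, 'a') as f:
        f.writelines(lines)
    print("Writing output to file:  " + str(filename_out))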
47 print "Usage: python", sys.argv[0], "<input_file> <output_file> <device_name> <mac_address>"
49 # Parse the file for the specified MAC address
50 time_freq = parse_json(sys.argv[1], sys.argv[4])
51 # Write statistics into file
52 save_to_file(sys.argv[3], time_freq, sys.argv[2])
53 print "====================================================================="
54 #for time in time_freq.keys():
55 for key in sorted(time_freq):
56 print key, " => ", time_freq[key]
57 print "====================================================================="
# Read a tshark JSON export and count, per HH:MM:SS second, the frames whose
# Ethernet source or destination is the given MAC address.
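def parse_json(file_path, mac_address):
    """Count, per second, the frames a device sent or received.

    Reads a Wireshark/tshark JSON export (a JSON array with one object per
    frame) and counts every frame whose Ethernet source *or* destination is
    ``mac_address``, bucketed by the ``HH:MM:SS`` part of ``frame.time``.

    Args:
        file_path: path of the JSON file to read. The whole document is
            loaded into memory with ``json.load``; split very large
            captures beforehand.
        mac_address: MAC address of the device to analyze. Compared
            case-insensitively: tshark emits lowercase colon-separated
            addresses, so an uppercase address typed on the command line
            would otherwise match nothing and silently yield an empty table.

    Returns:
        dict mapping ``"HH:MM:SS"`` strings to the number of matching frames
        in that second. Empty when nothing matched.

    Raises:
        IOError/OSError: if ``file_path`` cannot be opened.
        ValueError: if the file is not valid JSON.
        KeyError/TypeError: if a record lacks the ``_source``/``layers``
            envelope -- the file is then not a tshark export and should fail
            loudly rather than be skipped.

    A frame without an Ethernet layer, without ``frame.time`` or with a time
    dateutil cannot parse is reported on stdout and skipped: capture data is
    untrusted input and one odd frame must not abort the whole analysis.
    """
    # Maps "HH:MM:SS" timestamps to frame counts
    time_freq = {}
    # Normalize once so the per-frame comparison is a plain ==
    wanted_mac = mac_address.lower()

    with open(file_path) as jf:
        # Root of a tshark JSON export is an array, one object per frame
        data = json.load(jf)

    for p in data:
        # p is a JSON object, not an index
        layers = p[JSON_KEY_SOURCE][JSON_KEY_LAYERS]

        # Skip any non-Ethernet traffic (no eth layer -> no MAC to match)
        eth = layers.get(JSON_KEY_ETH, None)
        if eth is None:
            print("[ WARNING: Packet has no ethernet address! ]")
            continue

        # Guard both levels: the frame layer may be absent, or lack
        # frame.time; dereferencing a missing layer would raise on None.
        frame = layers.get(JSON_KEY_FRAME, None)
        date_time = frame.get(JSON_KEY_FRAME_TIME, None) if frame is not None else None
        if date_time is None:
            print("[ WARNING: Packet has no frame.time! ]")
            continue

        # Source and destination MAC addresses
        src = eth.get(JSON_KEY_ETH_SRC, None)
        dst = eth.get(JSON_KEY_ETH_DST, None)

        try:
            date_time_obj = parser.parse(date_time)
        except (ValueError, OverflowError, TypeError):
            # dateutil raises ValueError/OverflowError on garbage, TypeError
            # when the field is not a string (e.g. a list of repeated values)
            print("[ WARNING: Packet has unparseable frame.time: " + str(date_time) + " ]")
            continue
        # Keep only HH:MM:SS so microseconds collapse into one-second buckets.
        # NOTE(review): dateutil may ignore the zone abbreviation in frame.time,
        # so buckets are in the capture host's local wall-clock -- confirm.
        time_str = str(date_time_obj.time())[:8]
        print(str(time_str) + " - src:" + str(src) + " - dest:" + str(dst))

        # Count the frame if the device is on either end. str() keeps a
        # missing (None) or non-string address from raising; it simply
        # never equals a real MAC.
        if str(src).lower() == wanted_mac or str(dst).lower() == wanted_mac:
            time_freq[time_str] = time_freq.get(time_str, 0) + 1

    return time_freq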
105 if __name__ == '__main__':