public final class PcapPacketUtils
extends java.lang.Object
PcapPacket
properties.Constructor and Description |
---|
PcapPacketUtils() |
Modifier and Type | Method and Description |
---|---|
static java.util.List<java.util.List<org.pcap4j.core.PcapPacket>> |
clusterToListOfPcapPackets(org.apache.commons.math3.stat.clustering.Cluster<PcapPacketPair> cluster)
Transform a
Cluster of PcapPacketPair objects into a List of List of
PcapPacket objects. |
static java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> |
concatSequences(java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> signatures,
java.util.List<Conversation> conversations)
Concatenate sequences in
List of List of List of PcapPacket objects. |
static java.util.List<java.util.List<org.pcap4j.core.PcapPacket>> |
extractRangeCorePoints(java.util.List<java.util.List<org.pcap4j.core.PcapPacket>> pairs,
double eps,
int minPts)
Extract core point range in the form of
List of List of PcapPacket objects. |
static java.lang.String |
getDestinationIp(org.pcap4j.core.PcapPacket packet)
Gets the destination IP (in decimal format) of an IPv4 packet.
|
static int |
getDestinationPort(org.pcap4j.core.PcapPacket packet)
Gets the destination port of a TCP packet.
|
static org.pcap4j.util.MacAddress |
getEthDstAddr(org.pcap4j.core.PcapPacket packet)
Gets the destination address of the Ethernet part of
packet . |
static org.pcap4j.util.MacAddress |
getEthSrcAddr(org.pcap4j.core.PcapPacket packet)
Gets the source address of the Ethernet part of
packet . |
static java.lang.String |
getSourceIp(org.pcap4j.core.PcapPacket packet)
Gets the source IP (in decimal format) of an IPv4 packet.
|
static int |
getSourcePort(org.pcap4j.core.PcapPacket packet)
Gets the source port of a TCP packet.
|
static boolean |
isAck(org.pcap4j.core.PcapPacket packet)
Checks if
packet wraps a TCP packet that has the ACK flag set. |
static boolean |
isConservativeChecking(java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> signature,
java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> otherSignature,
double eps)
Check if there is any overlap between the signature stored in this class and another signature.
|
static boolean |
isDestination(org.pcap4j.core.PcapPacket packet,
java.lang.String ip,
int port)
Helper method to determine if the given combination of IP and port matches the destination of the given packet.
|
static boolean |
isDstIpLocal(org.pcap4j.core.PcapPacket packet)
Checks if the destination IP address of the
IpV4Packet contained in packet is a local address,
i.e., if it pertains to subnet 10.0.0.0/8, 172.16.0.0/16, or 192.168.0.0/16. |
static boolean |
isRangeBasedMatching(java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> signature,
double eps,
java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>>... otherSignatures)
Test the conservativeness of the signatures (basically whether we want strict or range-based matching).
|
static boolean |
isSource(org.pcap4j.core.PcapPacket packet,
java.lang.String ip,
int port)
Helper method to determine if the given combination of IP and port matches the source of the given packet.
|
static boolean |
isSrcIpLocal(org.pcap4j.core.PcapPacket packet)
Checks if the source IP address of the
IpV4Packet contained in packet is a local address, i.e.,
if it pertains to subnet 10.0.0.0/8, 172.16.0.0/16, or 192.168.0.0/16. |
static boolean |
isSyn(org.pcap4j.core.PcapPacket packet)
Checks if
packet wraps a TCP packet that has the SYN flag set. |
static boolean |
isTcp(org.pcap4j.core.PcapPacket packet)
Determines if a given
PcapPacket wraps a TcpPacket . |
static void |
printSignatures(java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> signatures,
java.io.PrintWriter resultsWriter,
boolean printToOutput)
Print signatures in
List of List of List of PcapPacket objects. |
static void |
removeSequenceFromSignature(java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> signatures,
int sequenceIndex)
Remove a sequence in a signature object.
|
static java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> |
sortSequences(java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> signatures)
Sort the sequences in the
List of List of List of PcapPacket objects. |
static java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> |
useRangeBasedMatching(java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> signature,
java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> corePointRange)
Test the conservativeness of the signatures (basically whether we want strict or range-based matching).
|
public static org.pcap4j.util.MacAddress getEthSrcAddr(org.pcap4j.core.PcapPacket packet)
packet
.packet
- The packet for which the Ethernet source address is to be extracted.packet
.public static org.pcap4j.util.MacAddress getEthDstAddr(org.pcap4j.core.PcapPacket packet)
packet
.packet
- The packet for which the Ethernet destination address is to be extracted.packet
.public static boolean isTcp(org.pcap4j.core.PcapPacket packet)
PcapPacket
wraps a TcpPacket
.packet
- The PcapPacket
to inspect.true
if packet
wraps a TcpPacket
, false
otherwise.public static java.lang.String getSourceIp(org.pcap4j.core.PcapPacket packet)
packet
- The packet for which the IPv4 source address is to be extracted.packet
iff packet
wraps an
IpV4Packet
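.
java.lang.NullPointerException
- if packet
does not encapsulate an IpV4Packet
(callers reading captures that may contain non-IPv4 frames, such as ARP or IPv6, should check the packet type before calling this method)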
.public static java.lang.String getDestinationIp(org.pcap4j.core.PcapPacket packet)
packet
- The packet for which the IPv4 destination address is to be extracted.
packet
iff packet
wraps an
IpV4Packet
.java.lang.NullPointerException
- if packet
does not encapsulate an IpV4Packet
.public static int getSourcePort(org.pcap4j.core.PcapPacket packet)
packet
- The packet for which the source port is to be extracted.TcpPacket
encapsulated by packet
.java.lang.IllegalArgumentException
- if packet
does not encapsulate a TcpPacket
.public static int getDestinationPort(org.pcap4j.core.PcapPacket packet)
packet
- The packet for which the destination port is to be extracted.TcpPacket
encapsulated by packet
.java.lang.IllegalArgumentException
- if packet
does not encapsulate a TcpPacket
.public static boolean isSource(org.pcap4j.core.PcapPacket packet, java.lang.String ip, int port)
packet
- The packet to check.ip
- The IP to look for in the ip.src field of packet
.port
- The port to look for in the tcp.srcport field of packet
.true
if the given ip+port match the corresponding fields in packet
.public static boolean isDestination(org.pcap4j.core.PcapPacket packet, java.lang.String ip, int port)
packet
- The packet to check.ip
- The IP to look for in the ip.dst field of packet
.port
- The port to look for in the tcp.dstport field of packet
.true
if the given ip+port match the corresponding fields in packet
.public static boolean isSrcIpLocal(org.pcap4j.core.PcapPacket packet)
IpV4Packet
contained in packet
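is a local address, i.e.,
if it pertains to subnet 10.0.0.0/8, 172.16.0.0/16, or 192.168.0.0/16.
Note: as documented, only 172.16.0.0/16 is treated as local, whereas RFC 1918 reserves 172.16.0.0/12; if the implementation matches this description, source addresses in 172.17.0.0 through 172.31.255.255 are classified as non-local, so confirm this before relying on the result to separate local from remote traffic.
packet
- The packet for which the source IP address is to be examined.
true
if packet
wraps an IpV4Packet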
for which the source IP address is a local IP
address, false
otherwise.java.lang.NullPointerException
- if packet
does not encapsulate an IpV4Packet
.public static boolean isDstIpLocal(org.pcap4j.core.PcapPacket packet)
IpV4Packet
contained in packet
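is a local address,
i.e., if it pertains to subnet 10.0.0.0/8, 172.16.0.0/16, or 192.168.0.0/16.
Note: as documented, only 172.16.0.0/16 is treated as local, whereas RFC 1918 reserves 172.16.0.0/12; if the implementation matches this description, destination addresses in 172.17.0.0 through 172.31.255.255 are classified as non-local, so confirm this before relying on the result to separate local from remote traffic.
packet
- The packet for which the destination IP address is to be examined.
true
if packet
wraps an IpV4Packet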
for which the destination IP address is a local
IP address, false
otherwise.java.lang.NullPointerException
- if packet
does not encapsulate an IpV4Packet
.public static boolean isSyn(org.pcap4j.core.PcapPacket packet)
packet
wraps a TCP packet that has the SYN flag set.packet
- A PcapPacket
that is suspected to contain a TcpPacket
for which the SYN flag is set.true
iff packet
contains a TcpPacket
for which the SYN flag is set,
false
otherwise.public static boolean isAck(org.pcap4j.core.PcapPacket packet)
packet
wraps a TCP packet that has the ACK flag set.
packet
- A PcapPacket
that is suspected to contain a TcpPacket
for which the ACK flag is set.true
iff packet
contains a TcpPacket
for which the ACK flag is set,
false
otherwise.public static java.util.List<java.util.List<org.pcap4j.core.PcapPacket>> clusterToListOfPcapPackets(org.apache.commons.math3.stat.clustering.Cluster<PcapPacketPair> cluster)
Cluster
of PcapPacketPair
objects into a List
of List
of
PcapPacket
objects.cluster
- A Cluster
of PcapPacketPair
objects that needs to be transformed.List
of List
of PcapPacket
objects as the result of the transformation.public static java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> concatSequences(java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> signatures, java.util.List<Conversation> conversations)
List
of List
of List
of PcapPacket
objects.
We cross-check these with List
of Conversation
objects to see
if two List
of PcapPacket
objects actually belong to the same Conversation
.signatures
- A List
of List
of List
of
PcapPacket
objects that needs to be checked and concatenated.conversations
- A List
of Conversation
objects as reference for concatenation.List
of List
of List
of
PcapPacket
objects as the result of the concatenation.public static java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> sortSequences(java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> signatures)
List
of List
of List
of PcapPacket
objects.
The purpose of this is to sort the order of sequences in the sequence list. For detection purposes, we need
to know if one sequence occurs earlier/later in time with respect to the other sequences for more confidence
in detecting the occurrence of an event.signatures
- A List
of List
of List
of PcapPacket
objects that needs sorting.
We assume that innermost List
of PcapPacket
objects have been sorted ascending
by timestamps. By the time we use this method, we should have sorted it when calling the
clusterToListOfPcapPackets
method.List
of List
of List
of PcapPacket
objects.public static void printSignatures(java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> signatures, java.io.PrintWriter resultsWriter, boolean printToOutput)
List
of List
of List
of PcapPacket
objects.signatures
- A List
of List
of List
of
PcapPacket
objects that needs to be printed.resultsWriter
- PrintWriter object to write into log file.printToOutput
- Boolean to decide whether to print out to screen or just log file.public static java.util.List<java.util.List<org.pcap4j.core.PcapPacket>> extractRangeCorePoints(java.util.List<java.util.List<org.pcap4j.core.PcapPacket>> pairs, double eps, int minPts)
List
of List
of PcapPacket
objects.pairs
- The pairs for core points extraction.eps
- Epsilon value for the DBSCAN algorithm.minPts
- minPts value for the DBSCAN algorithm.List
of List
of PcapPacket
objects that contains core points range
in the first and second element.public static boolean isRangeBasedMatching(java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> signature, double eps, java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>>... otherSignatures)
signature
- The signature we want to check and overwrite if needed.eps
- Epsilon value for the DBSCAN algorithm.otherSignatures
- Other signatures we want to check against this signature.public static java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> useRangeBasedMatching(java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> signature, java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> corePointRange)
signature
- The signature we want to check and overwrite if needed.corePointRange
- The core points range of this signature.public static boolean isConservativeChecking(java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> signature, java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> otherSignature, double eps)
signature
- A List
of List
of List
of PcapPacket
objects to be checked
for overlaps with the other signature.otherSignature
- A List
of List
of List
of PcapPacket
objects to be checked
for overlaps with the signature.eps
- Epsilon value for the DBSCAN algorithm.public static void removeSequenceFromSignature(java.util.List<java.util.List<java.util.List<org.pcap4j.core.PcapPacket>>> signatures, int sequenceIndex)
signatures
- A List
of List
of List
of
PcapPacket
objects.sequenceIndex
- An index for a sequence that consists of List
of List
of
PcapPacket
objects.