From 55713f8dd352d36849c9ab8293a7fca92c48159b Mon Sep 17 00:00:00 2001
From: rtrimana
Date: Mon, 13 Nov 2017 11:20:32 -0800
Subject: [PATCH] Adding new analysis - incoming (not yet including outgoing) packets inter-arrival time
---
 parser/parse_inter_arrival_time.py | 125 +++++++++++++++++++++
 plot_scripts/plot_ia_graph | 36 ++++++
 plot_scripts/{plot_graph => plot_ts_graph} | 0
 run_scripts/ia_analysis_run.sh | 31 +++++
 4 files changed, 192 insertions(+)
 create mode 100644 parser/parse_inter_arrival_time.py
 create mode 100644 plot_scripts/plot_ia_graph
 rename plot_scripts/{plot_graph => plot_ts_graph} (100%)
 create mode 100755 run_scripts/ia_analysis_run.sh
diff --git a/parser/parse_inter_arrival_time.py b/parser/parse_inter_arrival_time.py
new file mode 100644
index 0000000..798c7eb
--- /dev/null
+++ b/parser/parse_inter_arrival_time.py
@@ -0,0 +1,125 @@
+#!/usr/bin/python
+
+"""
+Script that takes a file (output by wireshark/tshark, in JSON format) and analyze
+the packet inter-arrival times of a certain device at a certain time.
+"""
+
+import sys
+import json
+import numpy as np
+from collections import defaultdict
+from dateutil import parser
+from decimal import *
+
+JSON_KEY_SOURCE = "_source"
+JSON_KEY_LAYERS = "layers"
+
+JSON_KEY_ETH = "eth"
+JSON_KEY_ETH_DST = "eth.dst"
+JSON_KEY_ETH_SRC = "eth.src"
+JSON_KEY_FRAME = "frame"
+JSON_KEY_FRAME_TIME = "frame.time_epoch"
+TABLE_HEADER_X = "Packet number"
+TABLE_HEADER_Y = "Time (seconds)"
+INCOMING_APPENDIX = "_incoming"
+OUTGOING_APPENDIX = "_outgoing"
+FILE_APPENDIX = ".dat"
+
+
+def save_to_file(tblheader, timestamp_list, filenameout):
+ """ Show summary of statistics of PCAP file
+ Args:
+ tblheader: header for the saved table
+ dictionary: dictionary to be saved
+ filename_out: file name to save
+ """
+ # Appending, not overwriting!
+ f = open(filenameout, 'a')
+ # Write the table header
+ f.write("# " + tblheader + "\n")
+ f.write("# " + TABLE_HEADER_X + " " + TABLE_HEADER_Y + "\n")
+ # Write "0 0" if dictionary is empty
+ if not timestamp_list:
+ f.write("0 0")
+ f.close()
+ print "Writing zeroes to file: ", filenameout
+ return
+ ind = 0
+ # Iterate over list and write index-value pairs
+ for val in timestamp_list:
+ # Space separated
+ f.write(str(ind) + " " + str(timestamp_list[ind]) + "\n")
+ ind += 1
+ f.close()
+ print "Writing output to file: ", filenameout
+
+
+def main():
+ """ Main function
+ """
+ if len(sys.argv) < 5:
+ print "Usage: python", sys.argv[0], " "
+ return
+ # Parse the file for the specified MAC address
+ timestamplist_incoming = parse_json(sys.argv[1], sys.argv[4])
+ # Write statistics into file
+ print "====================================================================="
+ print "==> Analyzing incoming traffic ..."
+ save_to_file(sys.argv[3] + INCOMING_APPENDIX, timestamplist_incoming, sys.argv[2] + INCOMING_APPENDIX + FILE_APPENDIX)
+ print "====================================================================="
+ #print "==> Analyzing outgoing traffic ..."
+ #save_to_file(sys.argv[3] + OUTGOING_APPENDIX, timestamplist_outgoing, sys.argv[2] + OUTGOING_APPENDIX + FILE_APPENDIX)
+ #print "====================================================================="
+
+
+# Convert JSON file containing DNS traffic to a map in which a hostname points to its set of associated IPs.
+def parse_json(filepath, macaddress):
+ """ Show summary of statistics of PCAP file
+ Args:
+ filepath: path of the read file
+ macaddress: MAC address of a device to analyze
+ """
+ # Maps timestamps to frequencies of packets
+ timestamplist = list()
+ with open(filepath) as jf:
+ # Read JSON.
+ # data becomes reference to root JSON object (or in our case json array)
+ data = json.load(jf)
+ # Loop through json objects in data
+ # Each entry is a pcap entry (request/response (packet) and associated metadata)
+ # Preserve two pointers prev and curr to iterate over the timestamps
+ prev = None
+ curr = None
+ for p in data:
+ # p is a JSON object, not an index
+ layers = p[JSON_KEY_SOURCE][JSON_KEY_LAYERS]
+ # Get timestamp
+ frame = layers.get(JSON_KEY_FRAME, None)
+ timestamp = Decimal(frame.get(JSON_KEY_FRAME_TIME, None))
+ # Get into the Ethernet address part
+ eth = layers.get(JSON_KEY_ETH, None)
+ # Skip any non DNS traffic
+ if eth is None:
+ print "[ WARNING: Packet has no ethernet address! ]"
+ continue
+ # Get source and destination MAC addresses
+ src = eth.get(JSON_KEY_ETH_SRC, None)
+ dst = eth.get(JSON_KEY_ETH_DST, None)
+ # Get and count the traffic for the specified MAC address
+ if dst == macaddress:
+ # Check if timestamp already exists in the map
+ # If yes, then just increment the frequency value...
+ print str(timestamp) + " - src:" + str(src) + " - dest:" + str(dst)
+ curr = timestamp
+ if prev is not None:
+ inter_arrival_time = curr - prev
+ timestamplist.append(inter_arrival_time)
+ prev = curr
+
+ return timestamplist
+
+
+if __name__ == '__main__':
+ main()
+
diff --git a/plot_scripts/plot_ia_graph b/plot_scripts/plot_ia_graph
new file mode 100644
index 0000000..ced074e
--- /dev/null
+++ b/plot_scripts/plot_ia_graph
@@ -0,0 +1,36 @@
+# Script to plot inter-arrival timestamp graphs for network traffic analysis
+#
+# by Rahmadi Trimananda (rahmadi.trimananda@uci.edu)
+# Programming Language Research Group @ University of California, Irvine
+# Fall 2017
+
+# ************ #
+# BASIC SETUP #
+# ************ #
+#set terminal postscript landscape "Arial, 18"
+#set terminal postscript eps font 'Helvetica,20' enhanced color
+set terminal pngcairo enhanced font 'Verdana,10'
+set autoscale
+unset key
+unset log
+unset label
+set xtics auto
+set ytics auto
+set xlabel "Packet Number"
+set ylabel "Time (seconds)"
+set xrange [:]
+set yrange [0:]
+
+# ***************** #
+# PER DEVICE SETUP #
+# ***************** #
+# WeMo switch
+#set output '../result/wemo_switch_incoming.ps'
+#set output '../result/wemo_switch_incoming.eps'
+set output '../result/wemo_switch_inter_arrival_incoming.png'
+set title "WeMo Switch Inter-Arrival Incoming Traffic"
+plot "../result/test_incoming.dat" using 1:2 with lines
+#set output '../result/wemo_switch_outgoing.png'
+#set title "WeMo Switch Inter-Arrival Outgoing Traffic"
+#plot "../result/wemo_switch_outgoing.dat" using 1:2 with lines
+
diff --git a/plot_scripts/plot_graph b/plot_scripts/plot_ts_graph
similarity index 100%
rename from plot_scripts/plot_graph
rename to plot_scripts/plot_ts_graph
diff --git a/run_scripts/ia_analysis_run.sh b/run_scripts/ia_analysis_run.sh
new file mode 100755
index 0000000..cc7ffc9
--- /dev/null
+++ b/run_scripts/ia_analysis_run.sh
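Review bot: In parse_json, `frame = layers.get(JSON_KEY_FRAME, None)` is dereferenced on the very next line by `Decimal(frame.get(JSON_KEY_FRAME_TIME, None))`, so a packet with no frame layer or no `frame.time_epoch` aborts the whole run with an AttributeError or TypeError instead of being skipped the way the `eth is None` case just below it is; guard it before the conversion, `if frame is None or frame.get(JSON_KEY_FRAME_TIME) is None: continue`. The input is a tshark JSON export of captured traffic, so unexpected or malformed entries should be treated as data to skip (with the same warning style) rather than as a crash. In save_to_file the docstring names `dictionary` and `filename_out`, which do not match the parameters `timestamp_list` and `filenameout`, and the loop keeps a manual `ind` counter while ignoring `val`; `for ind, val in enumerate(timestamp_list): f.write(str(ind) + " " + str(val) + "\n")` expresses the same thing without the index bookkeeping. The comments `# Skip any non DNS traffic`, `# Maps timestamps to frequencies of packets` and `# Check if timestamp already exists in the map` are carried over from the DNS analyser and no longer describe this code, and `numpy`, `defaultdict` and `dateutil.parser` are imported but unused while `from decimal import *` should be narrowed to `from decimal import Decimal`.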
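Review bot: The plot line reads `../result/test_incoming.dat`, while the output file and title on the two lines above are for the WeMo switch and the run script in this commit passes `$2/wemo_switch` as the output prefix, which the parser turns into `wemo_switch_incoming.dat`; this looks like a leftover from a test run, so `plot "../result/wemo_switch_incoming.dat" using 1:2 with lines` is presumably what was meant. The commented-out outgoing block already uses the device-specific file name, which supports that reading.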
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Check input arguments - we need 2 arguments
+if [ $# -ne 2 ]
+ then
+ echo "Usage: ia_analysis_run.sh "
+ exit 1
+fi
+
+# Check result folder and create one if it does not exist yet
+[ -d $2 ] || mkdir $2
+
+# Run the analysis
+python ../parser/parse_inter_arrival_time.py $1 $2/wemo_switch WeMo_Switch 94:10:3e:36:60:09
+python ../parser/parse_inter_arrival_time.py $1 $2/wemo_insight WeMo_Insight 14:91:82:25:10:77
+python ../parser/parse_inter_arrival_time.py $1 $2/tplink_switch TPLink_Switch 50:c7:bf:33:1f:09
+python ../parser/parse_inter_arrival_time.py $1 $2/dlink_switch DLink_Switch 90:8d:78:e3:81:0c
+python ../parser/parse_inter_arrival_time.py $1 $2/amcrest_camera Amcrest_Camera 3c:ef:8c:6f:79:5a
+python ../parser/parse_inter_arrival_time.py $1 $2/netgear_arlo_camera Netgear_Arlo_Camera 40:5d:82:2f:50:2a
+python ../parser/parse_inter_arrival_time.py $1 $2/lifx_lightbulb_1 Lifx_LightBulb_1 d0:73:d5:12:8e:30
+python ../parser/parse_inter_arrival_time.py $1 $2/lifx_lightbulb_2 Lifx_LightBulb_2 d0:73:d5:02:41:da
+python ../parser/parse_inter_arrival_time.py $1 $2/philips_hue Philips_Hue 00:17:88:69:ee:e4
+python ../parser/parse_inter_arrival_time.py $1 $2/tplink_lightbulb TPLink_LightBulb 50:c7:bf:59:d5:84
+python ../parser/parse_inter_arrival_time.py $1 $2/nxeco_sprinkler Nxeco_Sprinkler ac:cf:23:5a:9c:e2
+python ../parser/parse_inter_arrival_time.py $1 $2/blossom_sprinkler Blossom_Sprinkler e4:95:6e:b0:20:39
+python ../parser/parse_inter_arrival_time.py $1 $2/dlink_alarm DLink_Alarm c4:12:f5:de:38:20
+python ../parser/parse_inter_arrival_time.py $1 $2/dlink_motion_sensor DLink_Motion_Sensor c4:12:f5:e3:dc:17
+python ../parser/parse_inter_arrival_time.py $1 $2/nest_thermostat Nest_Thermostat 18:b4:30:bf:34:7e
+python ../parser/parse_inter_arrival_time.py $1 $2/amazon_echo_dot Amazon_Echo_Dot 68:37:e9:d2:26:0d
+python ../parser/parse_inter_arrival_time.py $1 $2/smartthings_hub SmartThings_Hub d0:52:a8:a3:60:0f
+
--
2.34.1
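Review bot: `$1` and `$2` are unquoted everywhere in this script, in `[ -d $2 ] || mkdir $2` and in each python invocation, so a capture path or result directory containing whitespace or glob characters is word-split or expanded and the commands run against the wrong paths; quote them, `[ -d "$2" ] || mkdir -p "$2"` and `"$1" "$2"/wemo_switch` for each line, with `-p` so a nested result directory does not make mkdir fail. The usage line `echo "Usage: ia_analysis_run.sh "` appears to have lost its argument placeholders (presumably the input JSON file and the result directory), so a caller who gets the argument count wrong is not told what the two arguments are. Since the parser uses Python 2 print statements, the bare `python` here also depends on which interpreter is first on PATH; invoking `python2` explicitly would make that requirement visible.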