From a59a08f20840d2e409fb0751d99f5ceb6f6b1047 Mon Sep 17 00:00:00 2001 From: rtrimana Date: Wed, 8 Nov 2017 10:21:43 -0800 Subject: [PATCH] Separating incoming and outgoing traffic for a more fine-grained analysis --- parser/parse_packet_frequency.py | 76 +++++++---- plot_scripts/plot_graph | 211 +++++++++++++++++++------------ run_scripts/ts_analysis_run.sh | 34 ++--- 3 files changed, 194 insertions(+), 127 deletions(-) diff --git a/parser/parse_packet_frequency.py b/parser/parse_packet_frequency.py index 5bc1a35..65ef976 100644 --- a/parser/parse_packet_frequency.py +++ b/parser/parse_packet_frequency.py @@ -21,10 +21,13 @@ JSON_KEY_FRAME = "frame" JSON_KEY_FRAME_TIME = "frame.time" TABLE_HEADER_X = "Timestamp (hh:mm:ss)" TABLE_HEADER_Y = "Packet frequency (pps)" +INCOMING_APPENDIX = "_incoming" +OUTGOING_APPENDIX = "_outgoing" +FILE_APPENDIX = ".dat" # Use this constant as a flag WINDOW_SIZE = 5 -USE_MOVING_AVERAGE = True +USE_MOVING_AVERAGE = False def moving_average(array, window=3): @@ -51,22 +54,23 @@ def moving_average(array, window=3): return retarr -def save_to_file(tbl_header, dictionary, filename_out): +def save_to_file(tblheader, dictionary, filenameout): """ Show summary of statistics of PCAP file Args: - tbl_header: header for the saved table + tblheader: header for the saved table dictionary: dictionary to be saved filename_out: file name to save """ # Appending, not overwriting! - f = open(filename_out, 'a') + f = open(filenameout, 'a') # Write the table header - f.write("# " + TABLE_HEADER_X + " " + TABLE_HEADER_Y + "\n"); + f.write("# " + tblheader + "\n") + f.write("# " + TABLE_HEADER_X + " " + TABLE_HEADER_Y + "\n") # Write "0 0" if dictionary is empty if not dictionary: - f.write("0 0"); + f.write("0 0") f.close() - print "Writing zeroes to file: ", filename_out + print "Writing zeroes to file: ", filenameout return if USE_MOVING_AVERAGE: 
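Review bot: The `USE_MOVING_AVERAGE = True` to `False` flip in the first hunk silently changes what every generated .dat file contains, and neither the commit subject nor the surrounding `# Use this constant as a flag` comment says why. Either leave the flag as it was or record the reason next to it, e.g. `# Disabled: plot raw per-second counts so incoming and outgoing series stay directly comparable` — adjust the wording to the real motivation, which the hunk does not show. The three new `*_APPENDIX` constants would also read better with a one-line comment saying they are combined by main() into `<prefix>_incoming.dat` / `<prefix>_outgoing.dat`.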
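Review bot: In the save_to_file hunk the parameter was renamed to `filenameout`, but the Args entry still reads `filename_out: file name to save`, so the docstring no longer matches the signature; change it to `filenameout: file name to save (opened in append mode)`. The body also still opens the file with a bare `open(filenameout, 'a')` and closes it by hand on the early-return path; a `with open(filenameout, 'a') as f:` block would close it on every exit, including an exception raised mid-write. Note that append mode means re-running the analysis into the same output directory stacks a second header and data set onto the existing file rather than replacing it — worth a comment if that is intended. save_to_file's body continues past this hunk.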
@@ -88,7 +92,7 @@ def save_to_file(tbl_header, dictionary, filename_out): # Space separated f.write(str(key) + " " + str(dictionary[key]) + "\n") f.close() - print "Writing output to file: ", filename_out + print "Writing output to file: ", filenameout def main(): @@ -98,9 +102,15 @@ def main(): print "Usage: python", sys.argv[0], " " return # Parse the file for the specified MAC address - time_freq = parse_json(sys.argv[1], sys.argv[4]) + timefreq_incoming = parse_json(sys.argv[1], sys.argv[4], True) + timefreq_outgoing = parse_json(sys.argv[1], sys.argv[4], False) # Write statistics into file - save_to_file(sys.argv[3], time_freq, sys.argv[2]) + print "=====================================================================" + print "==> Analyzing incoming traffic ..." + save_to_file(sys.argv[3] + INCOMING_APPENDIX, timefreq_incoming, sys.argv[2] + INCOMING_APPENDIX + FILE_APPENDIX) + print "=====================================================================" + print "==> Analyzing outgoing traffic ..." + save_to_file(sys.argv[3] + OUTGOING_APPENDIX, timefreq_outgoing, sys.argv[2] + OUTGOING_APPENDIX + FILE_APPENDIX) print "=====================================================================" #for time in time_freq.keys(): #for key in sorted(time_freq): 
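Review bot: main() now calls parse_json twice on the same file (the `timefreq_incoming` and `timefreq_outgoing` lines), so the JSON is loaded and every packet is walked — and echoed to stdout by the per-packet print inside parse_json — twice per device, and the shell runner multiplies that by seventeen devices. A single pass that fills an incoming and an outgoing dict and returns the pair would halve both the work and the console noise. The meaning of `sys.argv[2]` also changed from a file name to a prefix that gets `_incoming.dat` / `_outgoing.dat` appended, but the `Usage:` line at the top of the hunk still describes the old argument (its placeholders appear stripped in this rendering); update it to name an output file prefix. The argument-count check itself is above the hunk and not visible here.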
@@ -109,15 +119,17 @@ def main(): # Convert JSON file containing DNS traffic to a map in which a hostname points to its set of associated IPs. -def parse_json(file_path, mac_address): +def parse_json(filepath, macaddress, incomingoutgoing): """ Show summary of statistics of PCAP file Args: - file_path: path of the read file - mac_address: MAC address of a device to analyze + filepath: path of the read file + macaddress: MAC address of a device to analyze + incomingoutgoing: boolean to define whether we collect incoming or outgoing traffic + True = incoming, False = outgoing """ # Maps timestamps to frequencies of packets - time_freq = dict() - with open(file_path) as jf: + timefreq = dict() + with open(filepath) as jf: # Read JSON. # data becomes reference to root JSON object (or in our case json array) data = json.load(jf) @@ -128,7 +140,7 @@ def parse_json(file_path, mac_address): layers = p[JSON_KEY_SOURCE][JSON_KEY_LAYERS] # Get timestamp frame = layers.get(JSON_KEY_FRAME, None) - date_time = frame.get(JSON_KEY_FRAME_TIME, None) + datetime = frame.get(JSON_KEY_FRAME_TIME, None) # Get into the Ethernet address part eth = layers.get(JSON_KEY_ETH, None) # Skip any non DNS traffic 
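Review bot: The new `incomingoutgoing` boolean is passed positionally as a bare `True` / `False` at both call sites in main(), which makes the calls unreadable without consulting the docstring; a predicate-style name such as `incoming`, or two module-level constants like `INCOMING = True` / `OUTGOING = False` used at the call sites, would make the direction explicit. The docstring summary `Show summary of statistics of PCAP file` was copied from save_to_file and does not describe this function, which returns a dict mapping `hh:mm:ss` timestamps to packet counts for one traffic direction; the comment above the def about DNS hostnames and IPs is equally stale. parse_json's body continues past this hunk.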
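Review bot: Renaming the local to `datetime` in `datetime = frame.get(JSON_KEY_FRAME_TIME, None)` shadows the standard-library module of the same name inside parse_json; the file's imports are above the visible hunks, so whether `datetime` is imported cannot be confirmed here, but the name invites confusion either way. Keep a distinct name instead, e.g. `frame_time = frame.get(JSON_KEY_FRAME_TIME, None)` here and `datetimeobj = parser.parse(frame_time)` in the following hunk. The unchanged `frame.get(...)` call also has no guard for `frame` being None when a packet lacks `JSON_KEY_FRAME`, which would raise on that line rather than skip the packet.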
@@ -139,19 +151,29 @@ def parse_json(file_path, mac_address): src = eth.get(JSON_KEY_ETH_SRC, None) dst = eth.get(JSON_KEY_ETH_DST, None) # Get just the time part - date_time_obj = parser.parse(date_time) + datetimeobj = parser.parse(datetime) # Remove the microsecond part - time_str = str(date_time_obj.time())[:8] - print str(time_str) + " - src:" + str(src) + " - dest:" + str(dst) + timestr = str(datetimeobj.time())[:8] + print str(timestr) + " - src:" + str(src) + " - dest:" + str(dst) # Get and count the traffic for the specified MAC address - if src == mac_address or dst == mac_address: - # Check if timestamp already exists in the map - # If yes, then just increment the frequency value... - if time_str in time_freq: - time_freq[time_str] = time_freq[time_str] + 1 - else: # If not, then put the value one there - time_freq[time_str] = 1 - return time_freq + if incomingoutgoing: + if dst == macaddress: + # Check if timestamp already exists in the map + # If yes, then just increment the frequency value... + if timestr in timefreq: + timefreq[timestr] = timefreq[timestr] + 1 + else: # If not, then put the value one there + timefreq[timestr] = 1 + else: + if src == macaddress: + # Check if timestamp already exists in the map + # If yes, then just increment the frequency value... + if timestr in timefreq: + timefreq[timestr] = timefreq[timestr] + 1 + else: # If not, then put the value one there + timefreq[timestr] = 1 + + return timefreq if __name__ == '__main__': diff --git a/plot_scripts/plot_graph b/plot_scripts/plot_graph index 12f2065..86020f8 100644 --- a/plot_scripts/plot_graph +++ b/plot_scripts/plot_graph 
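Review bot: The two direction branches in the new `if incomingoutgoing:` block duplicate the same four-line increment, and a `dict.get` removes the membership test entirely; the whole block reduces to `matched = (dst == macaddress) if incomingoutgoing else (src == macaddress)`, `if matched:` and `timefreq[timestr] = timefreq.get(timestr, 0) + 1`. The MAC comparison is also a plain case-sensitive string compare; if a caller passes an upper-case address the function returns an empty dict and save_to_file writes `0 0` with no warning, so normalising both sides with `.lower()` (or validating the address once in main) would surface that mistake instead of hiding it. Whether the capture tool's JSON always emits lower-case MACs cannot be confirmed from this hunk.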
@@ -29,122 +29,167 @@ set yrange [0:] # PER DEVICE SETUP # # ***************** # # WeMo switch -#set output 'wemo_switch.ps' -#set output 'wemo_switch.eps' -set output '../result/wemo_switch.png' -set title "WeMo Switch Time Series Plot of Packets" -plot "../result/wemo_switch.dat" using 1:2 with lines +#set output '../result/wemo_switch_incoming.ps' +#set output '../result/wemo_switch_incoming.eps' +set output '../result/wemo_switch_incoming.png' +set title "WeMo Switch Incoming Traffic" +plot "../result/wemo_switch_incoming.dat" using 1:2 with lines +set output '../result/wemo_switch_outgoing.png' +set title "WeMo Switch Outgoing Traffic" +plot "../result/wemo_switch_outgoing.dat" using 1:2 with lines -#set output 'wemo_switch2.ps' -#plot "wemo_switch.dat" using 1:2 - -# WeMo switch -#set output '../result/wemo_switch.ps' -#set output '../result/wemo_switch.eps' -set output '../result/wemo_switch.png' -set title "WeMo Switch" -plot "../result/wemo_switch.dat" using 1:2 with lines # WeMo Insight -#set output '../result/wemo_insight.eps' -set output '../result/wemo_insight.png' -set title "WeMo Insight" -plot "../result/wemo_insight.dat" using 1:2 with lines +#set output '../result/wemo_insight_incoming.eps' +set output '../result/wemo_insight_incoming.png' +set title "WeMo Insight Incoming Traffic" +plot "../result/wemo_insight_incoming.dat" using 1:2 with lines +set output '../result/wemo_insight_outgoing.png' +set title "WeMo Insight Outgoing Traffic" +plot "../result/wemo_insight_outgoing.dat" using 1:2 with lines # TP-Link switch -#set output '../result/tplink_switch.eps' -set output '../result/tplink_switch.png' -set title "TP-Link Switch" -plot "../result/tplink_switch.dat" using 1:2 with lines +#set output '../result/tplink_switch_incoming.eps' +set output '../result/tplink_switch_incoming.png' +set title "TP-Link Switch Incoming Traffic" +plot "../result/tplink_switch_incoming.dat" using 1:2 with lines +set output '../result/tplink_switch_outgoing.png' 
+set title "TP-Link Switch Outgoing Traffic" +plot "../result/tplink_switch_outgoing.dat" using 1:2 with lines # D-Link switch -#set output '../result/dlink_switch.eps' -set output '../result/dlink_switch.png' -set title "D-Link Switch" -plot "../result/dlink_switch.dat" using 1:2 with lines +#set output '../result/dlink_switch_incoming.eps' +set output '../result/dlink_switch_incoming.png' +set title "D-Link Switch Incoming Traffic" +plot "../result/dlink_switch_incoming.dat" using 1:2 with lines +set output '../result/dlink_switch_outgoing.png' +set title "D-Link Switch Outgoing Traffic" +plot "../result/dlink_switch_outgoing.dat" using 1:2 with lines + # Amcrest camera -#set output '../result/amcrest_camera.eps' -set output '../result/amcrest_camera.png' -set title "Amcrest Camera" -plot "../result/amcrest_camera.dat" using 1:2 with lines +#set output '../result/amcrest_camera_incoming.eps' +set output '../result/amcrest_camera_incoming.png' +set title "Amcrest Camera Incoming Traffic" +plot "../result/amcrest_camera_incoming.dat" using 1:2 with lines +set output '../result/amcrest_camera_outgoing.png' +set title "Amcrest Camera Outgoing Traffic" +plot "../result/amcrest_camera_outgoing.dat" using 1:2 with lines # Netgear Arlo camera -#set output '../result/netgear_arlo_camera.eps' -set output '../result/netgear_arlo_camera.png' -set title "Netgear Arlo Camera" -plot "../result/netgear_arlo_camera.dat" using 1:2 with lines +#set output '../result/netgear_arlo_camera_incoming.eps' +set output '../result/netgear_arlo_camera_incoming.png' +set title "Netgear Arlo Camera Incoming Traffic" +plot "../result/netgear_arlo_camera_incoming.dat" using 1:2 with lines +set output '../result/netgear_arlo_camera_outgoing.png' +set title "Netgear Arlo Camera Outgoing Traffic" +plot "../result/netgear_arlo_camera_outgoing.dat" using 1:2 with lines # LiFX light bulb -#set output '../result/lifx_lightbulb_1.eps' -set output '../result/lifx_lightbulb_1.png' -set title "LiFX Light 
Bulb #1" -plot "../result/lifx_lightbulb_1.dat" using 1:2 with lines +#set output '../result/lifx_lightbulb_1_incoming.eps' +set output '../result/lifx_lightbulb_1_incoming.png' +set title "LiFX Light Bulb #1 Incoming Traffic" +plot "../result/lifx_lightbulb_1_incoming.dat" using 1:2 with lines +set output '../result/lifx_lightbulb_1_outgoing.png' +set title "LiFX Light Bulb #1 Outgoing Traffic" +plot "../result/lifx_lightbulb_1_outgoing.dat" using 1:2 with lines # LiFX light bulb -#set output '../result/lifx_lightbulb_2.eps' -set output '../result/lifx_lightbulb_2.png' -set title "LiFX Light Bulb #2" -plot "../result/lifx_lightbulb_2.dat" using 1:2 with lines +#set output '../result/lifx_lightbulb_2_incoming.eps' +set output '../result/lifx_lightbulb_2_incoming.png' +set title "LiFX Light Bulb #2 Incoming Traffic" +plot "../result/lifx_lightbulb_2_incoming.dat" using 1:2 with lines +set output '../result/lifx_lightbulb_2_outgoing.png' +set title "LiFX Light Bulb #2 Outgoing Traffic" +plot "../result/lifx_lightbulb_2_outgoing.dat" using 1:2 with lines # Philips Hue -#set output '../result/philips_hue.eps' -set output '../result/philips_hue.png' -set title "Philips Hue" -plot "../result/philips_hue.dat" using 1:2 with lines +#set output '../result/philips_hue_incoming.eps' +set output '../result/philips_hue_incoming.png' +set title "Philips Hue Incoming Traffic" +plot "../result/philips_hue_incoming.dat" using 1:2 with lines +set output '../result/philips_hue_outgoing.png' +set title "Philips Hue Outgoing Traffic" +plot "../result/philips_hue_outgoing.dat" using 1:2 with lines # TP-Link Light Bulb -#set output '../result/tplink_lightbulb.eps' -set output '../result/tplink_lightbulb.png' -set title "TP-Link Light Bulb" -plot "../result/tplink_lightbulb.dat" using 1:2 with lines +#set output '../result/tplink_lightbulb_incoming.eps' +set output '../result/tplink_lightbulb_incoming.png' +set title "TP-Link Light Bulb Incoming Traffic" +plot 
"../result/tplink_lightbulb_incoming.dat" using 1:2 with lines +set output '../result/tplink_lightbulb_outgoing.png' +set title "TP-Link Light Bulb Outgoing Traffic" +plot "../result/tplink_lightbulb_outgoing.dat" using 1:2 with lines # Nxeco sprinkler -#set output '../result/nxeco_sprinkler.eps' -set output '../result/nxeco_sprinkler.png' -set title "Nxeco Sprinkler" -plot "../result/nxeco_sprinkler.dat" using 1:2 with lines +#set output '../result/nxeco_sprinkler_incoming.eps' +set output '../result/nxeco_sprinkler_incoming.png' +set title "Nxeco Sprinkler Incoming Traffic" +plot "../result/nxeco_sprinkler_incoming.dat" using 1:2 with lines +set output '../result/nxeco_sprinkler_outgoing.png' +set title "Nxeco Sprinkler Outgoing Traffic" +plot "../result/nxeco_sprinkler_outgoing.dat" using 1:2 with lines # Blossom sprinkler -#set output '../result/blossom_sprinkler.eps' -set output '../result/blossom_sprinkler.png' -set title "Blossom Sprinkler" -plot "../result/blossom_sprinkler.dat" using 1:2 with lines +#set output '../result/blossom_sprinkler_incoming.eps' +set output '../result/blossom_sprinkler_incoming.png' +set title "Blossom Sprinkler Incoming Traffic" +plot "../result/blossom_sprinkler_incoming.dat" using 1:2 with lines +set output '../result/blossom_sprinkler_outgoing.png' +set title "Blossom Sprinkler Outgoing Traffic" +plot "../result/blossom_sprinkler_outgoing.dat" using 1:2 with lines # D-Link alarm -#set output '../result/dlink_alarm.eps' -set output '../result/dlink_alarm.png' -set title "D-Link Alarm" -plot "../result/dlink_alarm.dat" using 1:2 with lines +#set output '../result/dlink_alarm_incoming.eps' +set output '../result/dlink_alarm_incoming.png' +set title "D-Link Alarm Incoming Traffic" +plot "../result/dlink_alarm_incoming.dat" using 1:2 with lines +set output '../result/dlink_alarm_outgoing.png' +set title "D-Link Alarm Outgoing Traffic" +plot "../result/dlink_alarm_outgoing.dat" using 1:2 with lines # D-Link alarm -#set output 
'../result/dlink_alarm.eps' -set output '../result/dlink_alarm.png' -set title "D-Link Alarm" -plot "../result/dlink_alarm.dat" using 1:2 with lines +#set output '../result/dlink_alarm_incoming.eps' +set output '../result/dlink_alarm_incoming.png' +set title "D-Link Alarm Incoming Traffic" +plot "../result/dlink_alarm_incoming.dat" using 1:2 with lines +set output '../result/dlink_alarm_outgoing.png' +set title "D-Link Alarm Outgoing Traffic" +plot "../result/dlink_alarm_outgoing.dat" using 1:2 with lines # D-Link motion sensor -#set output '../result/dlink_motion_sensor.eps' -set output '../result/dlink_motion_sensor.png' -set title "D-Link Motion Sensor" -plot "../result/dlink_motion_sensor.dat" using 1:2 with lines +#set output '../result/dlink_motion_sensor_incoming.eps' +set output '../result/dlink_motion_sensor_incoming.png' +set title "D-Link Motion Sensor Incoming Traffic" +plot "../result/dlink_motion_sensor_incoming.dat" using 1:2 with lines +set output '../result/dlink_motion_sensor_outgoing.png' +set title "D-Link Motion Sensor Outgoing" +plot "../result/dlink_motion_sensor_outgoing.dat" using 1:2 with lines # Nest Thermostat -#set output '../result/nest_thermostat.eps' -set output '../result/nest_thermostat.png' -set title "Nest Thermostat" -plot "../result/nest_thermostat.dat" using 1:2 with lines +#set output '../result/nest_thermostat_incoming.eps' +set output '../result/nest_thermostat_incoming.png' +set title "Nest Thermostat Incoming Traffic" +plot "../result/nest_thermostat_incoming.dat" using 1:2 with lines +set output '../result/nest_thermostat_outgoing.png' +set title "Nest Thermostat Outgoing Traffic" +plot "../result/nest_thermostat_outgoing.dat" using 1:2 with lines # Amazon Echo Dot -#set output '../result/amazon_echo_dot.eps' -set output '../result/amazon_echo_dot.png' -set title "Amazon Ech Odit" -plot "../result/amazon_echo_dot.dat" using 1:2 with lines +#set output '../result/amazon_echo_dot_incoming.eps' +set output 
'../result/amazon_echo_dot_incoming.png' +set title "Amazon Echo Dot Incoming Traffic" +plot "../result/amazon_echo_dot_incoming.dat" using 1:2 with lines +set output '../result/amazon_echo_dot_outgoing.png' +set title "Amazon Echo Dot Outgoing Traffic" +plot "../result/amazon_echo_dot_outgoing.dat" using 1:2 with lines # SmartThings hub -#set output '../result/smartthings_hub.eps' -set output '../result/smartthings_hub.png' -set title "SmartThings Hub" -plot "../result/smartthings_hub.dat" using 1:2 with lines - +#set output '../result/smartthings_hub_incoming.eps' +set output '../result/smartthings_hub_incoming.png' +set title "SmartThings Hub Incoming Traffic" +plot "../result/smartthings_hub_incoming.dat" using 1:2 with lines +set output '../result/smartthings_hub_outgoing.png' +set title "SmartThings Hub Outgoing Traffic" +plot "../result/smartthings_hub_outgoing.dat" using 1:2 with lines diff --git a/run_scripts/ts_analysis_run.sh b/run_scripts/ts_analysis_run.sh index a1fc157..1a57d4d 100755 --- a/run_scripts/ts_analysis_run.sh +++ b/run_scripts/ts_analysis_run.sh 
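Review bot: The `# D-Link alarm` block appears twice in the new file, one copy directly after the other, so `dlink_alarm_incoming.png` and `dlink_alarm_outgoing.png` are rendered twice per run; drop the second copy. The D-Link motion sensor's outgoing title also breaks the naming pattern used for every other device — `set title "D-Link Motion Sensor Outgoing"` should be `set title "D-Link Motion Sensor Outgoing Traffic"`. With the same three lines now repeated per device and direction, the per-device blocks could be generated from a single `do for` loop over the device names with the titles as a parallel list, which would have prevented both drifts.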
@@ -11,21 +11,21 @@ fi [ -d $2 ] || mkdir $2 # Run the analysis -python ../parser/parse_packet_frequency.py $1 $2/wemo_switch.dat WeMo_Switch 94:10:3e:36:60:09 -python ../parser/parse_packet_frequency.py $1 $2/wemo_insight.dat WeMo_Insight 14:91:82:25:10:77 -python ../parser/parse_packet_frequency.py $1 $2/tplink_switch.dat TPLink_Switch 50:c7:bf:33:1f:09 -python ../parser/parse_packet_frequency.py $1 $2/dlink_switch.dat DLink_Switch 90:8d:78:e3:81:0c -python ../parser/parse_packet_frequency.py $1 $2/amcrest_camera.dat Amcrest_Camera 3c:ef:8c:6f:79:5a -python ../parser/parse_packet_frequency.py $1 $2/netgear_arlo_camera.dat Netgear_Arlo_Camera 40:5d:82:2f:50:2a -python ../parser/parse_packet_frequency.py $1 $2/lifx_lightbulb_1.dat Lifx_LightBulb_1 d0:73:d5:12:8e:30 -python ../parser/parse_packet_frequency.py $1 $2/lifx_lightbulb_2.dat Lifx_LightBulb_2 d0:73:d5:02:41:da -python ../parser/parse_packet_frequency.py $1 $2/philips_hue.dat Philips_Hue 00:17:88:69:ee:e4 -python ../parser/parse_packet_frequency.py $1 $2/tplink_lightbulb.dat TPLink_LightBulb 50:c7:bf:59:d5:84 -python ../parser/parse_packet_frequency.py $1 $2/nxeco_sprinkler.dat Nxeco_Sprinkler ac:cf:23:5a:9c:e2 -python ../parser/parse_packet_frequency.py $1 $2/blossom_sprinkler.dat Blossom_Sprinkler e4:95:6e:b0:20:39 -python ../parser/parse_packet_frequency.py $1 $2/dlink_alarm.dat DLink_Alarm c4:12:f5:de:38:20 -python ../parser/parse_packet_frequency.py $1 $2/dlink_motion_sensor.dat DLink_Motion_Sensor c4:12:f5:e3:dc:17 -python ../parser/parse_packet_frequency.py $1 $2/nest_thermostat.dat Nest_Thermostat 18:b4:30:bf:34:7e -python ../parser/parse_packet_frequency.py $1 $2/amazon_echo_dot.dat Amazon_Echo_Dot 68:37:e9:d2:26:0d -python ../parser/parse_packet_frequency.py $1 $2/smartthings_hub.dat SmartThings_Hub d0:52:a8:a3:60:0f +python ../parser/parse_packet_frequency.py $1 $2/wemo_switch WeMo_Switch 94:10:3e:36:60:09 +python ../parser/parse_packet_frequency.py $1 $2/wemo_insight WeMo_Insight 
14:91:82:25:10:77 +python ../parser/parse_packet_frequency.py $1 $2/tplink_switch TPLink_Switch 50:c7:bf:33:1f:09 +python ../parser/parse_packet_frequency.py $1 $2/dlink_switch DLink_Switch 90:8d:78:e3:81:0c +python ../parser/parse_packet_frequency.py $1 $2/amcrest_camera Amcrest_Camera 3c:ef:8c:6f:79:5a +python ../parser/parse_packet_frequency.py $1 $2/netgear_arlo_camera Netgear_Arlo_Camera 40:5d:82:2f:50:2a +python ../parser/parse_packet_frequency.py $1 $2/lifx_lightbulb_1 Lifx_LightBulb_1 d0:73:d5:12:8e:30 +python ../parser/parse_packet_frequency.py $1 $2/lifx_lightbulb_2 Lifx_LightBulb_2 d0:73:d5:02:41:da +python ../parser/parse_packet_frequency.py $1 $2/philips_hue Philips_Hue 00:17:88:69:ee:e4 +python ../parser/parse_packet_frequency.py $1 $2/tplink_lightbulb TPLink_LightBulb 50:c7:bf:59:d5:84 +python ../parser/parse_packet_frequency.py $1 $2/nxeco_sprinkler Nxeco_Sprinkler ac:cf:23:5a:9c:e2 +python ../parser/parse_packet_frequency.py $1 $2/blossom_sprinkler Blossom_Sprinkler e4:95:6e:b0:20:39 +python ../parser/parse_packet_frequency.py $1 $2/dlink_alarm DLink_Alarm c4:12:f5:de:38:20 +python ../parser/parse_packet_frequency.py $1 $2/dlink_motion_sensor DLink_Motion_Sensor c4:12:f5:e3:dc:17 +python ../parser/parse_packet_frequency.py $1 $2/nest_thermostat Nest_Thermostat 18:b4:30:bf:34:7e +python ../parser/parse_packet_frequency.py $1 $2/amazon_echo_dot Amazon_Echo_Dot 68:37:e9:d2:26:0d +python ../parser/parse_packet_frequency.py $1 $2/smartthings_hub SmartThings_Hub d0:52:a8:a3:60:0f -- 2.34.1
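Review bot: Every rewritten `python ../parser/parse_packet_frequency.py $1 $2/...` line expands `$1` and `$2` unquoted, as does the `[ -d $2 ] || mkdir $2` context line, so a capture path or output directory containing spaces or glob characters is split into several arguments; quote them, e.g. `python ../parser/parse_packet_frequency.py "$1" "$2/wemo_switch" WeMo_Switch 94:10:3e:36:60:09` and `[ -d "$2" ] || mkdir "$2"`. Since the second argument is now a bare prefix that the parser turns into `<prefix>_incoming.dat` and `<prefix>_outgoing.dat`, a one-line comment above the block stating that would save the next reader a trip into the Python. The seventeen near-identical lines would also be easier to maintain as a loop over a `name label mac` table.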