In hrbrmstr/crafter: Tools to Analyze and Visualize Network Packet Capture ('PCAP') Files
knitr::opts_chunk$set(collapse=TRUE, comment="##", fig.retina=2, fig.path = "README_figs/README-", message=FALSE, warning=FALSE)
options(width=120)
__________________________oooo__oo____________________
_ooooo__oo_ooo___ooooo___oo_____oo_____ooooo__oo_ooo__
oo___oo_ooo___o_oo___oo_ooooo__oooo___oo____o_ooo___o_
oo______oo______oo___oo_oo______oo____ooooooo_oo______
oo______oo______oo___oo_oo______oo__o_oo______oo______
_ooooo__oo_______oooo_o_oo_______ooo___ooooo__oo______
______________________________________________________
crafter
Tools to Analyze and Visualize Network Packet Capture (PCAP) Files
Description
Life's too short to export to CSV/XML. There's no reason R should not be able to read binary PCAP data.
You need the crafter C++ library installed and their site lists the other dependencies.
If there's any hope for this to run on Windows (libcrafter supports Windows) it will be due to a Windows + (prbly some infosec) + #rstats person tagging along on this project.
You can find some sample PCAP files:
What's Inside The Tin?
The following functions are implemented:
read_pcap: Read in a packet capture fileseq_in: Find a (the first) sequence in a vectorsummary.crafter: Print summary info about a packet capture
(The pcap in the functions below is the return value from a call to read_pcap.)
pcap$get_layer: return a data.frame with the indicated protocol layer from the pcap packetspcap$packet_info: retrieve a data frame of high level packet infopcap$get_payload: retrieve payload (if any) from a given packet numberpcap$get_ips: retrieve a list (with counts) of src/dst/all ips in the capturepcap$summary: summary info about the capture
(There are actually more but they're inside the pcap object and I just need to get them exposed. See the example below for usage.)
Installation
devtools::install_github("hrbrmstr/crafter")
Usage
library(crafter)
# current verison
packageVersion("crafter")
library(crafter)
library(dplyr)
library(ggplot2)
library(igraph)
# read in the "honeybot" packet capture from the "Capture the hacker 2013"
# competition (by Dr. David Day of Sheffield Hallam University) http://www.snaketrap.co.uk/
hbot <- read_pcap(system.file("pcaps/hbot.pcap", package="crafter"))
# high level statistics
summary(hbot)
# look at general packet info
head(hbot$packet_info(), 15)
# look at the IP layer packets
hbot_ip <- hbot$get_layer("IP")
# have some semi-useless fun!
pairs <- count(hbot_ip, src, dst, protocol_name)
nodes <- unique(c(pairs$src, pairs$dst))
g <- graph_from_data_frame(pairs, directed=TRUE, vertices=nodes)
plot(g, layout=layout.circle, vertex.size=sqrt(degree(g)),
vertex.label=NA, edge.width=0.5, edge.arrow.width=0.5, edge.arrow.size=0.5)
# look at the data
head(hbot_ip, 10)
# look at the TCP layer packets
head(hbot$get_layer("TCP"), 5)
# this is probably a bit more useful
hbot_tcp <- hbot$get_layer("TCP")
src <- "192.168.0.200"
dst <- "91.199.212.171"
hbot_tcp %>%
filter((src==src & dst==dst) |
(src==dst | dst == src)) %>%
select(payload) -> pays
cat(paste0(pays$payload[1:25], collapse="\n"))
# look at the ICMP layer packets
head(hbot$get_layer("ICMP"), 20)
# see the protocol distribution
hbot$get_layer("IP") %>%
count(protocol_name) %>%
ggplot(aes(x=protocol_name, y=n)) +
geom_bar(stat="identity") +
labs(x=NULL, title="Honeybot IP Protocols") +
theme_bw()
Code of Conduct
Please note that this project is released with a Contributor Code of Conduct.
By participating in this project you agree to abide by its terms.
hrbrmstr/crafter documentation built on May 17, 2019, 4:56 p.m.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
knitr::opts_chunk$set(collapse=TRUE, comment="##", fig.retina=2, fig.path = "README_figs/README-", message=FALSE, warning=FALSE) options(width=120)
__________________________oooo__oo____________________ _ooooo__oo_ooo___ooooo___oo_____oo_____ooooo__oo_ooo__ oo___oo_ooo___o_oo___oo_ooooo__oooo___oo____o_ooo___o_ oo______oo______oo___oo_oo______oo____ooooooo_oo______ oo______oo______oo___oo_oo______oo__o_oo______oo______ _ooooo__oo_______oooo_o_oo_______ooo___ooooo__oo______ ______________________________________________________
crafter
Tools to Analyze and Visualize Network Packet Capture (PCAP) Files
Description
Life's too short to export to CSV/XML. There's no reason R should not be able to read binary PCAP data.
You need the crafter C++ library installed and their site lists the other dependencies.
If there's any hope for this to run on Windows (libcrafter supports Windows) it will be due to a Windows + (prbly some infosec) + #rstats person tagging along on this project.
You can find some sample PCAP files:
What's Inside The Tin?
The following functions are implemented:
read_pcap: Read in a packet capture fileseq_in: Find a (the first) sequence in a vectorsummary.crafter: Print summary info about a packet capture
(The pcap in the functions below is the return value from a call to read_pcap.)
pcap$get_layer: return a data.frame with the indicated protocol layer from the pcap packetspcap$packet_info: retrieve a data frame of high level packet infopcap$get_payload: retrieve payload (if any) from a given packet numberpcap$get_ips: retrieve a list (with counts) of src/dst/all ips in the capturepcap$summary: summary info about the capture
(There are actually more but they're inside the pcap object and I just need to get them exposed. See the example below for usage.)
Installation
devtools::install_github("hrbrmstr/crafter")
Usage
library(crafter) # current verison packageVersion("crafter") library(crafter) library(dplyr) library(ggplot2) library(igraph) # read in the "honeybot" packet capture from the "Capture the hacker 2013" # competition (by Dr. David Day of Sheffield Hallam University) http://www.snaketrap.co.uk/ hbot <- read_pcap(system.file("pcaps/hbot.pcap", package="crafter")) # high level statistics summary(hbot) # look at general packet info head(hbot$packet_info(), 15) # look at the IP layer packets hbot_ip <- hbot$get_layer("IP") # have some semi-useless fun! pairs <- count(hbot_ip, src, dst, protocol_name) nodes <- unique(c(pairs$src, pairs$dst)) g <- graph_from_data_frame(pairs, directed=TRUE, vertices=nodes)
plot(g, layout=layout.circle, vertex.size=sqrt(degree(g)), vertex.label=NA, edge.width=0.5, edge.arrow.width=0.5, edge.arrow.size=0.5)
# look at the data head(hbot_ip, 10) # look at the TCP layer packets head(hbot$get_layer("TCP"), 5) # this is probably a bit more useful hbot_tcp <- hbot$get_layer("TCP") src <- "192.168.0.200" dst <- "91.199.212.171" hbot_tcp %>% filter((src==src & dst==dst) | (src==dst | dst == src)) %>% select(payload) -> pays cat(paste0(pays$payload[1:25], collapse="\n")) # look at the ICMP layer packets head(hbot$get_layer("ICMP"), 20) # see the protocol distribution hbot$get_layer("IP") %>% count(protocol_name) %>% ggplot(aes(x=protocol_name, y=n)) + geom_bar(stat="identity") + labs(x=NULL, title="Honeybot IP Protocols") + theme_bw()
Code of Conduct
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
Embedding an R snippet on your website
Add the following code to your website.
For more information on customizing the embed code, read Embedding Snippets.