```
__________________________oooo__oo____________________
_ooooo__oo_ooo___ooooo___oo_____oo_____ooooo__oo_ooo__
oo___oo_ooo___o_oo___oo_ooooo__oooo___oo____o_ooo___o_
oo______oo______oo___oo_oo______oo____ooooooo_oo______
oo______oo______oo___oo_oo______oo__o_oo______oo______
_ooooo__oo_______oooo_o_oo_______ooo___ooooo__oo______
______________________________________________________
```
Tools to Analyze and Visualize Network Packet Capture (PCAP) Files
Life’s too short to export to CSV/XML. There’s no reason R should not be able to read binary PCAP data.
You need the libcrafter C++ library installed; its site lists the other dependencies.

If there's any hope for this to run on Windows (libcrafter supports Windows) it will be due to a Windows + (probably some infosec) + #rstats person tagging along on this project.
You can find some sample PCAP files:
The following functions are implemented:

- `read_pcap`: Read in a packet capture file
- `seq_in`: Find a (the first) sequence in a vector
- `summary.crafter`: Print summary info about a packet capture

(The `pcap` in the functions below is the return value from a call to `read_pcap`.)

- `pcap$get_layer`: return a data.frame with the indicated protocol layer from the pcap packets
- `pcap$packet_info`: retrieve a data frame of high level packet info
- `pcap$get_payload`: retrieve payload (if any) from a given packet number
- `pcap$get_ips`: retrieve a list (with counts) of src/dst/all ips in the capture
- `pcap$summary`: summary info about the capture

(There are actually more but they're inside the pcap object and I just need to get them exposed. See the example below for usage.)
```r
devtools::install_github("hrbrmstr/crafter")
```

```r
library(crafter)

# current version
packageVersion("crafter")
## [1] '0.1.6'
```

```r
library(crafter)
library(dplyr)
library(ggplot2)
library(igraph)

# read in the "honeybot" packet capture from the "Capture the hacker 2013"
# competition (by Dr. David Day of Sheffield Hallam University) http://www.snaketrap.co.uk/
hbot <- read_pcap(system.file("pcaps/hbot.pcap", package="crafter"))

# high level statistics
summary(hbot)
## File
##   Capture file  : /Library/Frameworks/R.framework/Versions/3.4/Resources/library/crafter/pcaps/hbot.pcap
##   Filter applied: [none]
##   Length        : 1204229 bytes
##
## Time
##   First packet: 2013-01-09 15:33:20
##   Last packet : 2013-01-12 15:19:20
##
## Statistics
##   Packets      : 5450
##   Time span (s): 258360.620
##   Average pps  : 0.0
```
```r
# look at general packet info
head(hbot$packet_info(), 15)
## # A tibble: 15 x 6
##      num     tv_sec tv_usec layer_count protocols                                                            packet_size
##    <int>      <int>   <int>       <int> <chr>                                                                      <int>
##  1     1 1357913756  642112           4 Ethernet,IP,RawLayer,UDP                                                      83
##  2     2 1357913756  652518           4 Ethernet,IP,RawLayer,UDP                                                     195
##  3     3 1357913756  661374           4 Ethernet,IP,RawLayer,UDP                                                      88
##  4     4 1357913756  768192           4 Ethernet,IP,RawLayer,UDP                                                      61
##  5     5 1357913763   22726           4 Ethernet,IP,RawLayer,UDP                                                      79
##  6     6 1357913763   32152           4 Ethernet,IP,RawLayer,UDP                                                      95
##  7     7 1357913763   34026           7 Ethernet,IP,TCP,TCPOptionMaxSegSize,TCPOptionPad,TCPOptionSACKPerm…          62
##  8     8 1357913763   60454           7 Ethernet,IP,TCP,TCPOptionMaxSegSize,TCPOptionPad,TCPOptionSACKPerm…          62
##  9     9 1357913763   60517           3 Ethernet,IP,TCP                                                               54
## 10    10 1357913763   61083           4 Ethernet,IP,RawLayer,TCP                                                     162
## 11    11 1357913763   89809           3 Ethernet,IP,TCP                                                               54
## 12    12 1357913763   90103           4 Ethernet,IP,RawLayer,TCP                                                     452
## 13    13 1357913763  137534           4 Ethernet,IP,RawLayer,UDP                                                      80
## 14    14 1357913763  147996           4 Ethernet,IP,RawLayer,UDP                                                      96
## 15    15 1357913763  149377           7 Ethernet,IP,TCP,TCPOptionMaxSegSize,TCPOptionPad,TCPOptionSACKPerm…          62
```
```r
# look at the IP layer packets
hbot_ip <- hbot$get_layer("IP")

# have some semi-useless fun!
pairs <- count(hbot_ip, src, dst, protocol_name)
nodes <- unique(c(pairs$src, pairs$dst))
g <- graph_from_data_frame(pairs, directed=TRUE, vertices=nodes)
plot(g, layout=layout.circle, vertex.size=sqrt(degree(g)),
     vertex.label=NA, edge.width=0.5, edge.arrow.width=0.5, edge.arrow.size=0.5)

# look at the data
head(hbot_ip, 10)
## # A tibble: 10 x 14
##      num     tv_sec tv_usec src    dst    protocol_name  size header_len total_len   ttl flags flag_bits  dscp frag_ofs
##    <int>      <int>   <int> <chr>  <chr>  <chr>         <int>      <int>     <int> <int> <int> <chr>     <int>    <int>
##  1     1 1357913756  642112 192.1… 194.1… UDP              83          5        69   128     0 000           0        0
##  2     2 1357913756  652518 194.1… 192.1… UDP             195          5       181   253     2 010           0        0
##  3     3 1357913756  661374 192.1… 199.6… UDP              88          5        74   128     0 000           0        0
##  4     4 1357913756  768192 199.6… 192.1… UDP              61          5        47    51     2 010           0        0
##  5     5 1357913763   22726 192.1… 194.1… UDP              79          5        65   128     0 000           0        0
##  6     6 1357913763   32152 194.1… 192.1… UDP              95          5        81   253     2 010           0        0
##  7     7 1357913763   34026 192.1… 91.19… TCP              62          5        48   128     2 010           0        0
##  8     8 1357913763   60454 91.19… 192.1… TCP              62          5        48    49     2 010           0        0
##  9     9 1357913763   60517 192.1… 91.19… TCP              54          5        40   128     2 010           0        0
## 10    10 1357913763   61083 192.1… 91.19… TCP             162          5       148   128     2 010           0        0
```
```r
# look at the TCP layer packets
head(hbot$get_layer("TCP"), 5)
## # A tibble: 5 x 24
##     num tv_sec tv_usec src   dst   protocol_name srcport dstport seqnum acknum headersize payloadsize fin   syn   rst
##   <int>  <int>   <int> <chr> <chr> <chr>           <int>   <int>  <dbl>  <dbl>      <int>       <int> <lgl> <lgl> <lgl>
## 1     7 1.36e⁹   34026 192.… 91.1… TCP              1033      80 3.81e⁹ 0.             20           0 FALSE TRUE  FALSE
## 2     8 1.36e⁹   60454 91.1… 192.… TCP                80    1033 1.80e⁹ 3.81e⁹         20           0 FALSE TRUE  FALSE
## 3     9 1.36e⁹   60517 192.… 91.1… TCP              1033      80 3.81e⁹ 1.80e⁹         20           0 FALSE FALSE FALSE
## 4    10 1.36e⁹   61083 192.… 91.1… TCP              1033      80 3.81e⁹ 1.80e⁹         20         108 FALSE FALSE FALSE
## 5    11 1.36e⁹   89809 91.1… 192.… TCP                80    1033 1.80e⁹ 3.81e⁹         20           0 FALSE FALSE FALSE
## # ... with 9 more variables: psh <lgl>, ack <lgl>, urg <lgl>, ece <lgl>, cwr <lgl>, windowsize <dbl>, chksum <dbl>,
## #   optsize <dbl>, payload <chr>
```
```r
# this is probably a bit more useful: pull the payloads exchanged between one
# pair of hosts, in both directions
hbot_tcp <- hbot$get_layer("TCP")
src_ip <- "192.168.0.200"
dst_ip <- "91.199.212.171"

# the comparison variables must not share names with the src/dst columns:
# under dplyr's data masking `src == src` compares the column with itself
# and is always TRUE, so the filter would silently keep every packet
hbot_tcp %>%
  filter((src == src_ip & dst == dst_ip) |
         (src == dst_ip & dst == src_ip)) %>%
  select(payload) -> pays

cat(paste0(pays$payload[1:25], collapse="\n"))
##
##
##
## GET /av/tvl/deletedvendors.txt HTTP/1.1
## Accept: */*
## Host: download.comodo.com
## Cache-Control: no-cache
##
##
##
## HTTP/1.1 302 Moved Temporarily
## Server: nginx
## Date: Fri, 11 Jan 2013 14:16:03 GMT
## Content-Type: text/html
## Content-Length: 154
## Connection: keep-alive
## Keep-Alive: timeout=1
## Location: http://downloads.comodo.com/av/tvl/deletedvendors.txt
##
## <html>
## <head><title>302 Found</title></head>
## <body bgcolor="white">
## <center><h1>302 Found</h1></center>
## <hr><center>nginx</center>
## </body>
## </html>
##
##
##
##
##
## GET /av/tvl/deletedvendors.txt HTTP/1.1
## Accept: */*
## Connection: Keep-Alive
## Cache-Control: no-cache
## Host: downloads.comodo.com
##
##
##
## HTTP/1.1 200 OK
## Server: nginx
## Date: Fri, 11 Jan 2013 14:16:03 GMT
## Content-Type: text/plain
## Content-Length: 4147
## Last-Modified: Wed, 19 Dec 2012 15:51:29 GMT
## Connection: keep-alive
## Keep-Alive: timeout=1
## Vary: Accept-Encoding
## X-CCACDN-Mirror-ID: t8edcgdown5
## Accept-Ranges: bytes
##
```
```r
# look at the ICMP layer packets
head(hbot$get_layer("ICMP"), 20)
## # A tibble: 20 x 12
##      num     tv_sec tv_usec src            dst           protocol_name identifier seqnum icmptype icmpname   code chksum
##    <int>      <int>   <int> <chr>          <chr>         <chr>              <dbl>  <dbl>    <int> <chr>     <int>  <dbl>
##  1   197 1357916383  467873 192.168.0.200  192.168.0.1   ICMP                512.   256.        8 Echo          0 19036.
##  2   199 1357916383  574201 192.168.0.1    192.168.0.2…  ICMP                512.   256.        0 Echo Rep…     0 21084.
##  3   200 1357916384  494965 192.168.0.200  192.168.0.1   ICMP                512.   512.        8 Echo          0 18780.
##  4   201 1357916384  496694 192.168.0.1    192.168.0.2…  ICMP                512.   512.        0 Echo Rep…     0 20828.
##  5   202 1357916385  511023 192.168.0.200  192.168.0.1   ICMP                512.   768.        8 Echo          0 18524.
##  6   203 1357916385  512659 192.168.0.1    192.168.0.2…  ICMP                512.   768.        0 Echo Rep…     0 20572.
##  7   204 1357916386  512477 192.168.0.200  192.168.0.1   ICMP                512.  1024.        8 Echo          0 18268.
##  8   205 1357916386  514069 192.168.0.1    192.168.0.2…  ICMP                512.  1024.        0 Echo Rep…     0 20316.
##  9  3045 1357902753  893262 192.168.0.200  192.168.0.1   ICMP                512.   256.        8 Echo          0 19036.
## 10  3046 1357902753  894501 192.168.0.1    192.168.0.2…  ICMP                512.   256.        0 Echo Rep…     0 21084.
## 11  3047 1357902754  899395 192.168.0.200  192.168.0.1   ICMP                512.   512.        8 Echo          0 18780.
## 12  3048 1357902754  901673 192.168.0.1    192.168.0.2…  ICMP                512.   512.        0 Echo Rep…     0 20828.
## 13  3049 1357902755  899459 192.168.0.200  192.168.0.1   ICMP                512.   768.        8 Echo          0 18524.
## 14  3050 1357902755  902850 192.168.0.1    192.168.0.2…  ICMP                512.   768.        0 Echo Rep…     0 20572.
## 15  3053 1357902762  856809 192.168.0.200  173.194.67.…  ICMP                512.  1024.        8 Echo          0 18268.
## 16  3054 1357902762  881106 173.194.67.106 192.168.0.2…  ICMP                512.  1024.        0 Echo Rep…     0 20316.
## 17  3055 1357902763  870699 192.168.0.200  173.194.67.…  ICMP                512.  1280.        8 Echo          0 18012.
## 18  3056 1357902763  894322 173.194.67.106 192.168.0.2…  ICMP                512.  1280.        0 Echo Rep…     0 20060.
## 19  3057 1357902764  886429 192.168.0.200  173.194.67.…  ICMP                512.  1536.        8 Echo          0 17756.
## 20  3058 1357902764  913482 173.194.67.106 192.168.0.2…  ICMP                512.  1536.        0 Echo Rep…     0 19804.
```
```r
# see the protocol distribution
hbot$get_layer("IP") %>%
  count(protocol_name) %>%
  ggplot(aes(x=protocol_name, y=n)) +
  geom_bar(stat="identity") +
  labs(x=NULL, title="Honeybot IP Protocols") +
  theme_bw()
```
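The walk-through above pulls payloads for one host pair; a defender usually wants to sweep the whole TCP layer for anomalies instead. The following is an added example, not part of the crafter package: it relies only on the column names `pcap$get_layer("TCP")` returns (`src`, `dst`, `dstport`, `tv_sec`, `syn`, `ack`) and runs on a constructed data frame so it needs no capture; `flag_syn_fanout`, its thresholds and the addresses in the sample are hypothetical.

```r
# Added example (not crafter's own code): flag sources whose bare SYNs fan out
# to many distinct destination ports, a simple port-scan heuristic.
library(dplyr)

flag_syn_fanout <- function(tcp, min_ports = 10, min_pkts = 20) {
  tcp %>%
    filter(syn, !ack) %>%                         # connection attempts only
    group_by(src) %>%
    summarise(syn_pkts   = n(),
              dst_hosts  = n_distinct(dst),
              dst_ports  = n_distinct(dstport),
              first_seen = as.POSIXct(min(tv_sec), origin = "1970-01-01", tz = "UTC"),
              last_seen  = as.POSIXct(max(tv_sec), origin = "1970-01-01", tz = "UTC"),
              .groups = "drop") %>%
    filter(syn_pkts >= min_pkts, dst_ports >= min_ports) %>%
    arrange(desc(dst_ports))
}

# Constructed sample (RFC 5737 documentation addresses): one host probing 40
# ports on a single target with bare SYNs, plus a normal client that completes
# a handshake (SYN, then ACK) and so must not be flagged.
set.seed(1)
scanner <- tibble(
  num = 1:40, tv_sec = 1357913763L + 0:39, tv_usec = 0L,
  src = "198.51.100.7", dst = "203.0.113.10",
  srcport = 40000L + 1:40, dstport = sample(1:1024, 40),   # 40 distinct ports
  syn = TRUE, ack = FALSE
)
normal <- tibble(
  num = 41:42, tv_sec = 1357913800L, tv_usec = c(0L, 500L),
  src = "198.51.100.20", dst = "203.0.113.80",
  srcport = 1033L, dstport = 80L,
  syn = c(TRUE, FALSE), ack = c(FALSE, TRUE)
)
sample_tcp <- bind_rows(scanner, normal)

# one row expected: 198.51.100.7 with syn_pkts 40, dst_hosts 1, dst_ports 40
flag_syn_fanout(sample_tcp)

# against the honeybot capture read in above:
# flag_syn_fanout(hbot$get_layer("TCP"))
```

The thresholds are deliberately coarse; tune `min_ports` and `min_pkts` to the baseline of the network the capture came from before reading the result as anything more than a triage list.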
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.