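def main():
    """Command-line entry point: print a text summary of a PCAP file.

    Options: ``-f/--file`` names the input capture; ``-v/--verbose`` is
    accepted but not consulted anywhere in this function. Without ``-f``
    the usage text is printed and the function returns.

    Sections printed, in order: DNS queries and answers, destination
    addresses with owner/ASN/block, a dump of every field of each request,
    and flows.
    """
    oParser = optparse.OptionParser(usage='usage: %prog [options]\n' + __description__,
                                    version='%prog ' + __version__)
    oParser.add_option('-f', '--file', type='string',
                       help='input PCAP file for processing')
    oParser.add_option('-v', '--verbose', action="store_true", default=False,
                       help='verbose logging on performed actions')
    # Positional arguments are accepted by optparse but never used here.
    options, _args = oParser.parse_args()

    # Guard clause instead of an if/else pyramid: no input file, no work.
    if not options.file:
        oParser.print_help()
        return

    miner = pcap_miner(options.file)

    # NOTE(review): every field below is taken verbatim from the capture
    # (DNS names, request headers, whois text) and printed without escaping,
    # so control characters present in the traffic reach the terminal as-is.
    # Wrapping the fields in repr() would make the output terminal-safe.
    print("== DNS Queries and Domains ==\n")
    for dns in miner.get_dns_request_data():
        print(dns['type'] + " - " + dns['request'] + " - " + dns['response'])

    print("\n== Destination Addresses ==\n")
    for ip in miner.get_destination_ip_details():
        print(ip['ip_address'] + " - " + ip['owner'] + " - " + ip['asn'] + " - " + ip['block'])

    print("\n== Request Dump ==\n")
    for info in miner.get_http_request_data():
        # Indented with spaces only; the original mixed a tab into this
        # loop body, which Python 3 rejects outright (TabError).
        for key, value in info.items():
            print(key + " - " + value)
        print("\n")

    print("\n== Flows ==\n")
    for info in miner.get_flows():
        print(info)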
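def generate(infile, outfile):
    """Mine the PCAP *infile* and write one report file per data set.

    ``outfile`` is a path *prefix*, not a directory: each report name is
    appended to it verbatim (``outfile + "dns_queries.txt"`` and so on), so
    pass a trailing separator when a directory is intended. Existing files
    with the same names are overwritten.

    Files written: dns_queries.txt, attacker_ips.txt, attacker_ips_whois.txt,
    http_requests.txt, full_http_requests.txt, flows.txt, ttl_distribution.txt.
    Every file is closed even if the miner raises mid-way (``with`` blocks
    replace the bare ``open``/``close`` pairs).

    NOTE(review): all written fields come straight from the capture and are
    not escaped or sanitised; treat the reports as untrusted text.
    """
    miner = pcap_miner(infile)

    # file 1 - DNS queries and domains returned
    with open(outfile + "dns_queries.txt", "w") as f:
        for dns in miner.get_dns_request_data():
            f.write(dns['type'] + " - " + dns['request'] + " - " +
                    dns['response'] + "\n")

    # file 2 - IPs of attackers without whois
    with open(outfile + "attacker_ips.txt", "w") as f:
        for ip in miner.get_destination_ips():
            f.write(ip + "\n")

    # file 3 - IPs of attackers with whois
    with open(outfile + "attacker_ips_whois.txt", "w") as f:
        for ip in miner.get_destination_ip_details():
            f.write(ip['ip_address'] + " - " + ip['owner'] + " - " + ip['asn'] +
                    " - " + ip['block'] + "\n")

    # file 4 - one line per request (any port, not only HTTP): the
    # request/response exchange part only
    with open(outfile + "http_requests.txt", "w") as f:
        for info in miner.get_http_request_data():
            # Read the header with a default rather than writing the
            # placeholder back into the miner's dict: the original mutation
            # could leak a fake 'user-agent' entry into file 5 if the miner
            # hands out the same dict objects twice.
            user_agent = info.get('user-agent', " ")
            f.write(info['source_ip'] + " - " + info['destination_ip'] + " - " +
                    info['method'] + " - " + user_agent + " - " +
                    info['uri'] + "\n")

    # file 5 - whatever can be dumped from the request
    with open(outfile + "full_http_requests.txt", "w") as f:
        for info in miner.get_http_request_data():
            for key, value in info.items():
                f.write(key + " - " + value + "\n")
            f.write("\n")

    # file 6 - dump flows
    with open(outfile + "flows.txt", "w") as f:
        for info in miner.get_flows():
            f.write(info + "\n")

    # TTL distribution: a header row of bucket indices, then the counts.
    # NOTE(review): the header covers 0..254 (255 columns) while the IP TTL
    # field is 8-bit (0..255); the length of get_ttl_distribution() is not
    # visible here, so confirm the two agree before relying on the columns.
    # `range` replaces the Python-2-only `xrange` with identical iteration.
    with open(outfile + "ttl_distribution.txt", "w") as f:
        for i in range(0, 255):
            f.write(str(i) + ",")
        f.write("\n" + ','.join(map(str, miner.get_ttl_distribution())))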
def main():
    """Command-line entry point: print the capture summary as JSON.

    ``-f/--file`` names the input capture; ``-v/--verbose`` is accepted but
    not consulted in this function. Without ``-f`` the usage text is
    printed and the function returns.
    """
    parser = optparse.OptionParser(
        usage='usage: %prog [options]\n' + __description__,
        version='%prog ' + __version__)
    parser.add_option('-f', '--file', type='string',
                      help='input PCAP file for processing')
    parser.add_option('-v', '--verbose', action="store_true", default=False,
                      help='verbose logging on performed actions')
    options, _ = parser.parse_args()

    if not options.file:
        parser.print_help()
        return

    miner = pcap_miner(options.file)
    print(miner.summary2json())
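def generate(infile, outfile):
    """Mine the PCAP *infile* and write one report file per data set.

    ``outfile`` is a path *prefix*, not a directory: each report name is
    appended to it verbatim (``outfile + "dns_queries.txt"`` and so on), so
    pass a trailing separator when a directory is intended. Existing files
    with the same names are overwritten.

    Files written: dns_queries.txt, attacker_ips.txt, attacker_ips_whois.txt,
    http_requests.txt, full_http_requests.txt, flows.txt, ttl_distribution.txt.
    Every file is closed even if the miner raises mid-way (``with`` blocks
    replace the bare ``open``/``close`` pairs).

    NOTE(review): all written fields come straight from the capture and are
    not escaped or sanitised; treat the reports as untrusted text.
    """
    miner = pcap_miner(infile)

    # file 1 - DNS queries and domains returned
    with open(outfile + "dns_queries.txt", "w") as f:
        for dns in miner.get_dns_request_data():
            f.write(dns['type'] + " - " + dns['request'] + " - " +
                    dns['response'] + "\n")

    # file 2 - IPs of attackers without whois
    with open(outfile + "attacker_ips.txt", "w") as f:
        for ip in miner.get_destination_ips():
            f.write(ip + "\n")

    # file 3 - IPs of attackers with whois
    with open(outfile + "attacker_ips_whois.txt", "w") as f:
        for ip in miner.get_destination_ip_details():
            f.write(ip['ip_address'] + " - " + ip['owner'] + " - " + ip['asn'] +
                    " - " + ip['block'] + "\n")

    # file 4 - one line per request (any port, not only HTTP): the
    # request/response exchange part only
    with open(outfile + "http_requests.txt", "w") as f:
        for info in miner.get_http_request_data():
            # Read the header with a default rather than writing the
            # placeholder back into the miner's dict: the original mutation
            # could leak a fake 'user-agent' entry into file 5 if the miner
            # hands out the same dict objects twice.
            user_agent = info.get('user-agent', " ")
            f.write(info['source_ip'] + " - " + info['destination_ip'] + " - " +
                    info['method'] + " - " + user_agent + " - " +
                    info['uri'] + "\n")

    # file 5 - whatever can be dumped from the request
    with open(outfile + "full_http_requests.txt", "w") as f:
        for info in miner.get_http_request_data():
            for key, value in info.items():
                f.write(key + " - " + value + "\n")
            f.write("\n")

    # file 6 - dump flows
    with open(outfile + "flows.txt", "w") as f:
        for info in miner.get_flows():
            f.write(info + "\n")

    # TTL distribution: a header row of bucket indices, then the counts.
    # NOTE(review): the header covers 0..254 (255 columns) while the IP TTL
    # field is 8-bit (0..255); the length of get_ttl_distribution() is not
    # visible here, so confirm the two agree before relying on the columns.
    # `range` replaces the Python-2-only `xrange` with identical iteration.
    with open(outfile + "ttl_distribution.txt", "w") as f:
        for i in range(0, 255):
            f.write(str(i) + ",")
        f.write("\n" + ','.join(map(str, miner.get_ttl_distribution())))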
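def main():
    """Command-line entry point: print a text summary of a PCAP file.

    Options: ``-f/--file`` names the input capture; ``-v/--verbose`` is
    accepted but not consulted anywhere in this function. Without ``-f``
    the usage text is printed and the function returns.

    Sections printed, in order: DNS queries and answers, destination
    addresses with owner/ASN/block, a dump of every field of each request,
    flows, and the TTL distribution (printed as the raw value returned by
    the miner).
    """
    oParser = optparse.OptionParser(usage='usage: %prog [options]\n' +
                                    __description__,
                                    version='%prog ' + __version__)
    oParser.add_option('-f',
                       '--file',
                       type='string',
                       help='input PCAP file for processing')
    oParser.add_option('-v',
                       '--verbose',
                       action="store_true",
                       default=False,
                       help='verbose logging on performed actions')
    # Positional arguments are accepted by optparse but never used here.
    options, _args = oParser.parse_args()

    # Guard clause instead of an if/else pyramid: no input file, no work.
    if not options.file:
        oParser.print_help()
        return

    miner = pcap_miner(options.file)

    # The original mixed the Python 2 print statement with print() calls;
    # the single-argument call form below behaves identically on Python 2
    # and also runs on Python 3.
    # NOTE(review): every field is taken verbatim from the capture (DNS
    # names, request headers, whois text) and printed without escaping, so
    # control characters present in the traffic reach the terminal as-is.
    print("== DNS Queries and Domains ==\n")
    for dns in miner.get_dns_request_data():
        print(dns['type'] + " - " + dns['request'] + " - " +
              dns['response'])

    print("\n== Destination Addresses ==\n")
    for ip in miner.get_destination_ip_details():
        print(ip['ip_address'] + " - " + ip['owner'] + " - " + ip['asn'] +
              " - " + ip['block'])

    print("\n== Request Dump ==\n")
    for info in miner.get_http_request_data():
        for key, value in info.items():
            print(key + " - " + value)
        print("\n")

    print("\n== Flows ==\n")
    for info in miner.get_flows():
        print(info)

    print("\n== TTL distribution ==\n")
    print(miner.get_ttl_distribution())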