def stat_logouts(self, time_slot):
""" Get a dict of users and their logout freq
Args:
time_slot (tuple(datetime)): a tuple of two
specifying the start and end time as datetime
Returns:
dict(str->int): user vs how many times he logs out
"""
r = {}
start, end = time_slot
for login in self.last:
if login['time_out'] and start <= login['time_out'] < end:
dict_acc(r, {login['user']: 1})
return r
def stat_authfailures(self, time_slot):
""" Get a dict of users and their freq of authentication failure
Args:
time_slot (tuple(datetime)): a tuple of two
specifying the start and end time as datetime
Returns:
dict(str->int): user vs how many times he failed to log in
"""
r = {}
start, end = time_slot
for authfailure in self.lastb:
if start <= authfailure['time_in'] < end:
dict_acc(r, {authfailure['user']: 1})
return r
def stat_logins(self, time_slot):
""" Get a dict of users and their login freq
Args:
time_slot (tuple(datetime)): a tuple of two
specifying the start and end time as datetime
Returns:
dict(str->int): user vs how many times he successful logs in
"""
r = {}
start, end = time_slot
for login in self.last:
if start <= login['time_in'] < end:
dict_acc(r, {login['user']: 1})
return r
def stat_logouts(self, time_slot=None):
""" Get a dict of users and their logout freq
Args:
time_slot (optional[tuple(datetime)]): a tuple of two
specifying the start and end time as datetime
Returns:
dict(str->int): user vs how many times he logs out
"""
r = {}
start, end = time_slot
for logout in self.logouts:
if start <= logout['time_out'] < end:
dict_acc(r, {logout['user']: 1})
return r
def stat_logins(self, time_slot=None):
""" Get a dict of users and their login freq
Args:
time_slot (optional[tuple(datetime)]): a tuple of two
specifying the start and end time as datetime
Returns:
dict(str->int): user vs how many times he successful logs in
"""
r = {}
start, end = time_slot
for login in self.logins:
if start <= login['time_in'] < end:
dict_acc(r, {login['user']: 1})
return r
def stat_authfailures(self, time_slot=None):
""" Get a dict of users and their freq of authentication failure
Args:
time_slot (optional[tuple(datetime)]): a tuple of two
specifying the start and end time as datetime
Returns:
dict(str->int): user vs how many times he failed to log in
"""
r = {}
start, end = time_slot
for authfailure in self.authf:
if start <= authfailure['time_in'] < end:
dict_acc(r, {authfailure['user']: 1})
return r
def stat_logouts(self, time_slot):
""" Get a dict of users and their logout freq
Args:
time_slot (tuple(datetime)): a tuple of two
specifying the start and end time as datetime
Returns:
dict(str->int): user vs how many times he logs out
"""
r = {}
start, end = time_slot
for login in self.last:
if login is not None:
if login['time_out'] and start <= login['time_out'] < end:
dict_acc(r, {login['user']: 1})
return r
def stat_http_resp_ips(self, time_slot=None, content_type=None):
def _filter(p):
if 'http' not in p:
return False
if 'response' not in p.http.field_names:
return False
if time_slot is not None:
start, end = time_slot
if float(p.sniff_timestamp) < start or \
float(p.sniff_timestamp) >= end:
return False
if content_type is not None and 'content_type' in p.http.field_names:
if p.http.content_type.lower() not in content_type:
return False
return True
packets = self.packets
packets = filter(_filter, packets)
ips = {}
for p in packets:
utils.dict_acc(ips, {p.ip.src: 1})
return ips
def stat_macs(self, time_slot=None, ip=None):
"""Get a dict of MAC addresses with the freq it appears
Args:
time_slot (optional[tuple]): a tuple of two specifying the
start and end time in the format of timestamp
ip (optional[list(str)]):
Returns:
dict{str->int}: mac addresses and the freq it appears
"""
packets = self.packets
if time_slot:
start, end = time_slot
packets = filter(lambda p: start <= float(p.sniff_timestamp) < end,
packets)
macs = {}
for p in packets:
if 'ip' in p:
if ip and p.ip.src in ip:
utils.dict_acc(macs, {p.eth.src: 1})
if ip and p.ip.dst in ip:
utils.dict_acc(macs, {p.eth.dst: 1})
if not ip:
utils.dict_acc(macs, {
p.eth.src: 1,
p.eth.dst: 1,
})
return macs
def stat_macs(self, time_slot=None, ip=None):
"""Get a dict of MAC addresses with the freq it appears
Args:
time_slot (optional[tuple]): a tuple of two specifying the
start and end time in the format of timestamp
ip (optional[list(str)]):
Returns:
dict{str->int}: mac addresses and the freq it appears
"""
packets = self.packets
if time_slot:
start, end = time_slot
packets = filter(lambda p: start <= float(p.sniff_timestamp) < end,
packets)
macs = {}
for p in packets:
if 'ip' in p:
if ip and p.ip.src in ip:
utils.dict_acc(macs, {p.eth.src: 1})
if ip and p.ip.dst in ip:
utils.dict_acc(macs, {p.eth.dst: 1})
if not ip:
utils.dict_acc(macs, {
p.eth.src: 1,
p.eth.dst: 1,
})
return macs
def stat_http_resp_ips(self, time_slot=None, content_type=None):
def _filter(p):
if 'http' not in p:
return False
if 'response' not in p.http.field_names:
return False
if time_slot is not None:
start, end = time_slot
if float(p.sniff_timestamp) < start or \
float(p.sniff_timestamp) >= end:
return False
if content_type is not None and 'content_type' in p.http.field_names:
if p.http.content_type.lower() not in content_type:
return False
return True
packets = self.packets
packets = filter(_filter, packets)
ips = {}
for p in packets:
utils.dict_acc(ips, {p.ip.src: 1})
return ips
def stat_ips(self, time_slot=None, src_ip=None, dst_ip=None):
"""Get a dict of ips and their freq
It can be either src ip or dst ip. If src ip is specified,
then dst ips are returned, vice versa. If none is specified,
all unique ips will be returned.
Args:
time_slot (optional[tuple]): a tuple of two specifying the
start and end time in the format of timestamp
src_ip (optional[list(str), or single str]): src ip(s)
dst_ip (optional[list(str), or single str]): dst ip(s),
src_ip and dst_ip shouldn't be both specified
Returns:
dict{str->int}: ip addresses and freq
"""
packets = self.packets
ips = {}
packets = filter(lambda p: 'ip' in p, packets)
if time_slot:
start, end = time_slot
packets = filter(lambda p:
start <= float(p.sniff_timestamp) < end, packets)
if src_ip:
for p in packets:
if 'ip' in p and p.ip.src in src_ip:
utils.dict_acc(ips, {p.ip.dst: 1})
if dst_ip:
for p in packets:
if 'ip' in p and p.ip.dst in dst_ip:
utils.dict_acc(ips, {p.ip.src: 1})
if not src_ip and not dst_ip:
for p in packets:
if 'ip' in p:
utils.dict_acc(ips, {
p.ip.src: 1,
p.ip.dst: 1,
})
return ips
def stat_ips(self, time_slot=None, src_ip=None, dst_ip=None):
"""Get a dict of ips and their freq
It can be either src ip or dst ip. If src ip is specified,
then dst ips are returned, vice versa. If none is specified,
all unique ips will be returned.
Args:
time_slot (optional[tuple]): a tuple of two specifying the
start and end time in the format of timestamp
src_ip (optional[list(str), or single str]): src ip(s)
dst_ip (optional[list(str), or single str]): dst ip(s),
src_ip and dst_ip shouldn't be both specified
Returns:
dict{str->int}: ip addresses and freq
"""
packets = self.packets
ips = {}
packets = filter(lambda p: 'ip' in p, packets)
if time_slot:
start, end = time_slot
packets = filter(lambda p: start <= float(p.sniff_timestamp) < end,
packets)
if src_ip:
for p in packets:
if 'ip' in p and p.ip.src in src_ip:
utils.dict_acc(ips, {p.ip.dst: 1})
if dst_ip:
for p in packets:
if 'ip' in p and p.ip.dst in dst_ip:
utils.dict_acc(ips, {p.ip.src: 1})
if not src_ip and not dst_ip:
for p in packets:
if 'ip' in p:
utils.dict_acc(ips, {
p.ip.src: 1,
p.ip.dst: 1,
})
return ips
def stat_protocols(self, time_slot=None, src_ip=None, dst_ip=None):
"""Get a dict of protocols and freq
Args:
time_slot (optional[tuple]): a tuple of two specifying the
start and end time in the format of timestamp
src_ip (optional[list(str), or single str]): src ip(s)
dst_ip (optional[list(str), or single str]): dst ip(s)
Returns:
dict{str->int}: unique protocols
"""
packets = self.packets
protocols = {}
if time_slot:
start, end = time_slot
packets = filter(lambda p:
start <= float(p.sniff_timestamp) < end, packets)
if src_ip:
for p in packets:
if 'ip' in p and p.ip.src in src_ip:
utils.dict_acc(protocols, {p.frame_info.protocols: 1})
if dst_ip:
for p in packets:
if 'ip' in p and p.ip.dst in dst_ip:
utils.dict_acc(protocols, {p.frame_info.protocols: 1})
if not src_ip and not dst_ip:
for p in packets:
if 'ip' in p:
utils.dict_acc(protocols, {
p.frame_info.protocols: 1,
})
return protocols
def stat_protocols(self, time_slot=None, src_ip=None, dst_ip=None):
"""Get a dict of protocols and freq
Args:
time_slot (optional[tuple]): a tuple of two specifying the
start and end time in the format of timestamp
src_ip (optional[list(str), or single str]): src ip(s)
dst_ip (optional[list(str), or single str]): dst ip(s)
Returns:
dict{str->int}: unique protocols
"""
packets = self.packets
protocols = {}
if time_slot:
start, end = time_slot
packets = filter(lambda p: start <= float(p.sniff_timestamp) < end,
packets)
if src_ip:
for p in packets:
if 'ip' in p and p.ip.src in src_ip:
utils.dict_acc(protocols, {p.frame_info.protocols: 1})
if dst_ip:
for p in packets:
if 'ip' in p and p.ip.dst in dst_ip:
utils.dict_acc(protocols, {p.frame_info.protocols: 1})
if not src_ip and not dst_ip:
for p in packets:
if 'ip' in p:
utils.dict_acc(protocols, {
p.frame_info.protocols: 1,
})
return protocols
def stat_ports(self, time_slot=None, ip=None):
"""Get a dict of ports within the capture
Args:
time_slot (optional[tuple]): a tuple of two specifying the
start and end time in the format of timestamp
ip (optional[list(str), or single str]): the corresponding ip(s)
Returns:
dict{int->int}: unique ports
"""
packets = self.packets
ports = {}
if time_slot:
start, end = time_slot
packets = filter(lambda p:
start <= float(p.sniff_timestamp) < end, packets)
if ip:
packets = filter(lambda p: 'ip' in p, packets)
p_src = filter(lambda p: p.ip.src in ip, packets)
for p in p_src:
if 'tcp' in p:
utils.dict_acc(ports, {p.tcp.port: 1})
elif 'udp' in p:
utils.dict_acc(ports, {p.udp.port: 1})
p_dst = filter(lambda p: p.ip.dst in ip, packets)
for p in p_dst:
if 'tcp' in p:
utils.dict_acc(ports, {p.tcp.port: 1})
elif 'udp' in p:
utils.dict_acc(ports, {p.udp.port: 1})
else:
for p in packets:
if 'tcp' in p:
utils.dict_acc(ports, {p.tcp.port: 1})
elif 'udp' in p:
utils.dict_acc(ports, {p.udp.port: 1})
return ports
def stat_ports(self, time_slot=None, ip=None):
"""Get a dict of ports within the capture
Args:
time_slot (optional[tuple]): a tuple of two specifying the
start and end time in the format of timestamp
ip (optional[list(str), or single str]): the corresponding ip(s)
Returns:
dict{int->int}: unique ports
"""
packets = self.packets
ports = {}
if time_slot:
start, end = time_slot
packets = filter(lambda p: start <= float(p.sniff_timestamp) < end,
packets)
if ip:
packets = filter(lambda p: 'ip' in p, packets)
p_src = filter(lambda p: p.ip.src in ip, packets)
for p in p_src:
if 'tcp' in p:
utils.dict_acc(ports, {p.tcp.port: 1})
elif 'udp' in p:
utils.dict_acc(ports, {p.udp.port: 1})
p_dst = filter(lambda p: p.ip.dst in ip, packets)
for p in p_dst:
if 'tcp' in p:
utils.dict_acc(ports, {p.tcp.port: 1})
elif 'udp' in p:
utils.dict_acc(ports, {p.udp.port: 1})
else:
for p in packets:
if 'tcp' in p:
utils.dict_acc(ports, {p.tcp.port: 1})
elif 'udp' in p:
utils.dict_acc(ports, {p.udp.port: 1})
return ports