def get_country_to_packet_count(stream):
"""
Counts the number of packets the host has sent to or received
from different countries. If an ip address cannot be mapped to
a country it is mapped to unknown.
Args:
packets (list): List of TSAPacket objects
Returns:
A dictionary where the keys are names of countries and the
values are the number of packets from / to that country.
"""
# Get dictionary of ip addresses to counts, minus host IP address
ip_counts = get_ip_to_packet_count(stream)
host_ip_addr = get_host_ip_addr(stream, ip_counts)
ip_counts.pop(host_ip_addr, None)
# Coalesce country packet counts using ip count dict
country_counts = {UNKNOWN: 0}
for ip, count in ip_counts.items():
country_name = get_country_name(ip)
if country_name:
if country_name in country_counts:
country_counts[country_name] += count
else:
country_counts[country_name] = count
else:
country_counts[UNKNOWN] += 1
return country_counts
def get_country_to_traffic_size(stream):
"""
Size of traffic in bytes that the host has sent to or received
from different countries. If an ip address cannot be mapped to
a country it is mapped to unknown.
Args:
packets (list): List of TSAPacket objects
Returns:
A dictionary where the keys are names of countries and the
values are the size of traffic (in bytes) received from / sent
to that country.
"""
# Get dictionary of ip addresses to counts, minus host IP address
ip_traffic_size = get_ip_to_total_traffic_size(stream)
host_ip_addr = get_host_ip_addr(stream)
ip_traffic_size.pop(host_ip_addr, None)
# Coalesce country packet counts using ip count dict
country_traffic_sizes = {UNKNOWN: 0}
for ip, traffic_size in ip_traffic_size.items():
country_name = get_country_name(ip)
if country_name:
if country_name in country_traffic_sizes:
country_traffic_sizes[country_name] += traffic_size
else:
country_traffic_sizes[country_name] = traffic_size
else:
country_traffic_sizes[UNKNOWN] += 1
return country_traffic_sizes
def get_tldn_to_security_info(stream):
"""
Returns a dictionary relating Top Level Domain Names (tldn) to
dictionaries containing security info gathered by p0f.
Each dictionary containing security info will have the following fields,
with missing or undetermined fields having a value of None:
os_name: name of the OS host is using
os_full_name: name and version of the OS host is using
app_name: name of the HTTP application host is using
app_full_name: name and version of the application host is using
language: system language
link_type: network link type (e.g. 'Ethernet', 'DSL', ...)
num_hops: network distance in packet hops
uptime: estimated uptime of the system (in minutes)
"""
ip_security_info = get_ip_to_security_info(stream)
ip_fqdn = get_ip_to_fqdns(stream)
host_ip_addr = get_host_ip_addr(stream)
ip_security_info.pop(host_ip_addr, None)
tldn_security_info = aggregate_on_dns(ip_security_info, ip_fqdn,
is_numeric=False)
return tldn_security_info
def get_tldn_to_traffic_size(stream):
"""
Computes the size of traffic in bytes that the host has sent to or
received from each Fully Qualified Domain Name (fqdns), aggregated.
Args:
packets (list): List of TSAPacket objects
Returns:
A dictionary where the keys are tld domains and the values are the
size of traffic received from / to that tld domain.
"""
ip_traffic_size = get_ip_to_total_traffic_size(stream)
ip_fqdns = get_ip_to_fqdns(stream)
host_ip_addr = get_host_ip_addr(stream)
ip_traffic_size.pop(host_ip_addr, None)
fqdn_alias_count = aggregate_on_dns(ip_traffic_size, ip_fqdns)
return fqdn_alias_count
def get_tldn_to_packet_count(stream):
"""
Counts the number of packets the host has sent to or received from each
Fully Qualified Domain Name (fqdns), aggregated.
Args:
packets (list): List of TSAPacket objects
Returns:
A dictionary where the keys are tld domains and the values are the
number of packets from / to that tld domain.
"""
# Get dictionary of ip addrs to counts / fqdns, minus host IP address
ip_counts = get_ip_to_packet_count(stream)
ip_fqdns = get_ip_to_fqdns(stream)
host_ip_addr = get_host_ip_addr(stream, ip_counts)
ip_counts.pop(host_ip_addr, None)
fqdn_alias_count = aggregate_on_dns(ip_counts, ip_fqdns)
return fqdn_alias_count
def get_tldn_to_country_names(stream):
"""
Returns a dictionary relating Top Level Domain Names (tldn) to
a list of country names its servers are believed to be in.
Args:
packets (list): List of TSAPacket objects
Returns:
A dictionary where the keys are tld domains and the values are lists
of country names
"""
ip_country_names = get_ip_to_country_name(stream)
ip_fqdns = get_ip_to_fqdns(stream)
host_ip_addr = get_host_ip_addr(stream)
ip_country_names.pop(host_ip_addr, None)
tldn_country_names = aggregate_on_dns(ip_country_names, ip_fqdns,
is_numeric=False)
return tldn_country_names