def get_country_to_packet_count(stream): """ Counts the number of packets the host has sent to or received from different countries. If an ip address cannot be mapped to a country it is mapped to unknown. Args: packets (list): List of TSAPacket objects Returns: A dictionary where the keys are names of countries and the values are the number of packets from / to that country. """ # Get dictionary of ip addresses to counts, minus host IP address ip_counts = get_ip_to_packet_count(stream) host_ip_addr = get_host_ip_addr(stream, ip_counts) ip_counts.pop(host_ip_addr, None) # Coalesce country packet counts using ip count dict country_counts = {UNKNOWN: 0} for ip, count in ip_counts.items(): country_name = get_country_name(ip) if country_name: if country_name in country_counts: country_counts[country_name] += count else: country_counts[country_name] = count else: country_counts[UNKNOWN] += 1 return country_counts
def get_country_to_traffic_size(stream): """ Size of traffic in bytes that the host has sent to or received from different countries. If an ip address cannot be mapped to a country it is mapped to unknown. Args: packets (list): List of TSAPacket objects Returns: A dictionary where the keys are names of countries and the values are the size of traffic (in bytes) received from / sent to that country. """ # Get dictionary of ip addresses to counts, minus host IP address ip_traffic_size = get_ip_to_total_traffic_size(stream) host_ip_addr = get_host_ip_addr(stream) ip_traffic_size.pop(host_ip_addr, None) # Coalesce country packet counts using ip count dict country_traffic_sizes = {UNKNOWN: 0} for ip, traffic_size in ip_traffic_size.items(): country_name = get_country_name(ip) if country_name: if country_name in country_traffic_sizes: country_traffic_sizes[country_name] += traffic_size else: country_traffic_sizes[country_name] = traffic_size else: country_traffic_sizes[UNKNOWN] += 1 return country_traffic_sizes
def get_tldn_to_security_info(stream): """ Returns a dictionary relating Top Level Domain Names (tldn) to dictionaries containing security info gathered by p0f. Each dictionary containing security info will have the following fields, with missing or undetermined fields having a value of None: os_name: name of the OS host is using os_full_name: name and version of the OS host is using app_name: name of the HTTP application host is using app_full_name: name and version of the application host is using language: system language link_type: network link type (e.g. 'Ethernet', 'DSL', ...) num_hops: network distance in packet hops uptime: estimated uptime of the system (in minutes) """ ip_security_info = get_ip_to_security_info(stream) ip_fqdn = get_ip_to_fqdns(stream) host_ip_addr = get_host_ip_addr(stream) ip_security_info.pop(host_ip_addr, None) tldn_security_info = aggregate_on_dns(ip_security_info, ip_fqdn, is_numeric=False) return tldn_security_info
def get_tldn_to_traffic_size(stream): """ Computes the size of traffic in bytes that the host has sent to or received from each Fully Qualified Domain Name (fqdns), aggregated. Args: packets (list): List of TSAPacket objects Returns: A dictionary where the keys are tld domains and the values are the size of traffic received from / to that tld domain. """ ip_traffic_size = get_ip_to_total_traffic_size(stream) ip_fqdns = get_ip_to_fqdns(stream) host_ip_addr = get_host_ip_addr(stream) ip_traffic_size.pop(host_ip_addr, None) fqdn_alias_count = aggregate_on_dns(ip_traffic_size, ip_fqdns) return fqdn_alias_count
def get_tldn_to_packet_count(stream): """ Counts the number of packets the host has sent to or received from each Fully Qualified Domain Name (fqdns), aggregated. Args: packets (list): List of TSAPacket objects Returns: A dictionary where the keys are tld domains and the values are the number of packets from / to that tld domain. """ # Get dictionary of ip addrs to counts / fqdns, minus host IP address ip_counts = get_ip_to_packet_count(stream) ip_fqdns = get_ip_to_fqdns(stream) host_ip_addr = get_host_ip_addr(stream, ip_counts) ip_counts.pop(host_ip_addr, None) fqdn_alias_count = aggregate_on_dns(ip_counts, ip_fqdns) return fqdn_alias_count
def get_tldn_to_country_names(stream): """ Returns a dictionary relating Top Level Domain Names (tldn) to a list of country names its servers are believed to be in. Args: packets (list): List of TSAPacket objects Returns: A dictionary where the keys are tld domains and the values are lists of country names """ ip_country_names = get_ip_to_country_name(stream) ip_fqdns = get_ip_to_fqdns(stream) host_ip_addr = get_host_ip_addr(stream) ip_country_names.pop(host_ip_addr, None) tldn_country_names = aggregate_on_dns(ip_country_names, ip_fqdns, is_numeric=False) return tldn_country_names