"""This class takes care of creating a PCAP file comprised of

selected traffic from the ISCX 2012 DDoS dataset. Traffic is

selected using the summary of flows from a XML file.

WARNING: The original PCAP file containing the DDoS traffic is

roughly 24GB in size. Processing the file will take a while.

"""

def __init__(self, pcap_file, input_dir, files):

"""Initialise.

:param pcap_file: PCAP file containing ISCX 2012 DDoS dataset

packets.

:param input_dir: Directory of the XML dataset files.

:param files: List of files to read in.

"""

self._pcap = pcap_file

self._input_dir = input_dir

self._files = files

self._raw_data = []

def create_pcap(self, output_pcap):

"""Read in the ISCX 2012 DDoS dataset file/s and create PCAP

files by picking packets matching flows within the dataset fles.

k-fold training and testing sets.

:param output_pcap: Path for the new PCAP file.

"""

self._load_data()

self._filter_pcap(output_pcap)

print("Exiting...")

def _load_data(self):

"""Read in the ISCX 2012 DDoS dataset and store the data.

"""

print("Loading ISCX 2012 DDoS dataset...")

for fname in self._files:

path = os.path.join(self._input_dir, fname)

raw_data = self._read_data(path)

self._raw_data.extend(raw_data)

def _read_data(self, fname):

"""Read data from an ISCX dataset XML.

:param fname: Name of the file to read the data from.

:return: The data.

"""

print("\tReading data from: {0}".format(fname))

data_etree = etree.parse(fname)

raw_data = self._etree_to_dict(data_etree)

print("\t\tLoading complete.")

return raw_data

def _etree_to_dict(self, etree):

"""Convert an XML etree into a list of dicts.

This method only takes care of elements, not attributes!

:param etree: Etree object to process

:return: Data as a list of dict.

"""

root = etree.getroot()

data = []

for flow in root:

flow_data = {}

for i in range(len(flow)):

flow_data[flow[i].tag] = flow[i].text

data.append(flow_data)

return data

def _filter_pcap(self, output_pcap):

"""Using a provided file with XML flow summaries, create a

new PCAP file with the flows in the XML file.

:param output_pcap: Path for the new PCAP file.

"""

try:

print("Opening file: {0}".format(self._pcap))

f = open(self._pcap)

raw_pcap = pcap.Reader(f)

pckt_num = 0

for ts, buf in raw_pcap:

pckt_num += 1

if not pckt_num%1000:

# Print every thousandth packets, just to monitor

# progress.

print("\tProcessing packet #{0}".format(pckt_num))

# Loop through packets in PCAP file

eth = ethernet.Ethernet(buf)

if eth.type != ETH_TYPE_IP:

# We are only interested in IP packets

continue

ip = eth.data

ip_src = socket.inet_ntop(socket.AF_INET, ip.src)

ip_dst = socket.inet_ntop(socket.AF_INET, ip.dst)

ip_proto = ip.p

match = False

for flow in self._raw_data:

# Does this packet match a flow in the raw data?

if ((ip_src == flow["source"] and ip_dst ==

flow["destination"]) or (ip_src ==

flow["destination"] and ip_dst == flow["source"])):

if ip_proto == IP_PROTO_TCP and flow["protocolName"] == "tcp_ip":

tcp = ip.data

if self._check_port_num(tcp.sport, tcp.dport,

flow["sourcePort"],

flow["destinationPort"]):

if self._check_timestamp(ts, flow["startDateTime"], flow["stopDateTime"]):

# We have found a match, stop looping

match = True

break

elif ip_proto == IP_PROTO_UDP and flow["protocolName"] == "udp_ip":

udp = ip.data

if self._check_port_num(udp.sport, udp.dport,

flow["sourcePort"],

flow["destinationPort"]):

if self._check_timestamp(ts, flow["startDateTime"], flow["stopDateTime"]):

# We have found a match, stop looping

match = True

break

elif ip_proto == IP_PROTO_ICMP and flow["protocolName"] == "icmp_ip":

if self._check_timestamp(ts, flow["startDateTime"], flow["stopDateTime"]):

# We have found a match, stop looping

break

match = True

elif ip_proto == IP_PROTO_IGMP and flow["protocolName"] == "igmp":

if self._check_timestamp(ts, flow["startDateTime"], flow["stopDateTime"]):

# We have found a match, stop looping

match = True

break

if match:

# The packet matches the flow. Append the packet data

# to the new PCAP file and move onto the next packet.

try:

print("\tWrting packet to file: {0}".format(output_pcap))

f_out = open(output_pcap, "ab")

pcap_out = pcap.Writer(f_out)

pcap_out.writepkt(buf, ts=ts)

except:

exc_type, exc_value, exc_traceback = sys.exc_info()

print("ERROR writing to file: {0}.\n\t"

"Exception: {1}, {2}, {3}".format(

output_pcap, exc_type, exc_value,

exc_traceback))

sys.exit(1)

finally:

f_out.close

except:

exc_type, exc_value, exc_traceback = sys.exc_info()

print("ERROR reading from file: {0}.\n\tException: {1}, "

"{2}, {3}".format(self._pcap, exc_type, exc_value,

exc_traceback))

sys.exit(1)

finally:

f.close()

def _check_port_num(self, pkt_src, pkt_dst, flow_src, flow_dst):

"""Do the port numbers of a packet match the port numbers of

either direction of a flow.

:param pkt_src: Source port number of a packet.

:param pkt_dst: Destination port number of a packet.

:param flow_src: Source port number of a flow.

:param flow_dst: Destination port number of a flow.

:return: True if there is a match, False otherwise.

"""

return ((int(pkt_src)==int(flow_src) and int(pkt_dst)==int(flow_dst))

or (int(pkt_src)==int(flow_dst) and int(pkt_dst)==int(flow_src)))

def _check_timestamp(self, pkt_ts, flow_start, flow_stop):

"""Check if the timestamp of a packet falls within the

duration of a flow's life.

:param pkt_ts: Timestamp of the packet to check.

:param flow_start: Start time of a flow.

:param flow_stop: Stop time of a flow.

:return: True if the packet's timestamp falls within the

duration of the flow. False otherwise.

"""

dt_ts = datetime.fromtimestamp(pkt_ts)

dt_start = datetime.strptime(flow_start, "%Y-%m-%dT%H:%M:%S")

dt_stop = datetime.strptime(flow_stop, "%Y-%m-%dT%H:%M:%S")