From charlesreid1


Latest revision as of 04:06, 31 August 2016

Conversations

Components

To analyze a wireless conversation, you need to be able to parse a few different pieces of information.

First is the source address. This will be a MAC address - you will not get an IP address unless you're on the same network and there is some kind of name resolution service available to turn a MAC address (Layer 2) into an IP address (Layer 3).

Show the Packet

Here is a dead-simple three-line script to show the full contents of the 120th packet:

from scapy.all import *

plist = rdpcap("airportSniffNERR6R.cap")

plist[120].show()

Getting Source/Destination Address

A simple script to pull out the source and destination of each packet using scapy is given below:

from scapy.all import *

plist = rdpcap("airportSniffNERR6R.cap")

# addr1, addr2 and addr3 are the 802.11 (Dot11) header addresses; which one is the
# receiver, transmitter or BSSID depends on the frame's To-DS/From-DS flags
getsrcdst = lambda x: (x.addr1, x.addr2, x.addr3)

for p in plist:
    try:
        c = getsrcdst(p)
        print(c)
    except AttributeError:
        # packets with no Dot11 layer have no addr fields; skip them
        pass

This script reads a relatively small pcap file and prints out the addr1, addr2, and addr3 fields for each packet. This can be used to build a list of MAC addresses.

Further parsing could be done to identify packets that are beacons from access points, to determine which MAC addresses are access points.
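
As an added example (not the wiki's script), here is the same addr1/addr2/addr3 extraction done on raw 802.11 headers without scapy, extended to flag beacon frames so their BSSID marks an access point and to count transmitter -> receiver pairs; the frames, MAC addresses and the build_dot11 helper are constructed for the example.

```python
from collections import Counter

# Added example, not the wiki's code: a minimal 802.11 MAC header parser that reads
# addr1/addr2/addr3 the way scapy's Dot11 layer exposes them, flags beacons, and counts pairs.
# Header layout: frame control (2 bytes), duration (2), addr1 (6), addr2 (6), addr3 (6), seq (2).

def mac(raw):
    return ":".join("%02x" % b for b in raw)

def parse_dot11(frame):
    """Return the header fields, or None if the frame is too short to carry three addresses."""
    if len(frame) < 24:
        return None
    fc, flags = frame[0], frame[1]
    return {
        "type": (fc >> 2) & 0x3,      # 0 = management, 1 = control, 2 = data
        "subtype": (fc >> 4) & 0xF,   # management subtype 8 = beacon
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        "addr1": mac(frame[4:10]),    # receiver address
        "addr2": mac(frame[10:16]),   # transmitter address
        "addr3": mac(frame[16:22]),   # BSSID, SA or DA depending on To-DS/From-DS
    }

def analyze(frames):
    """Return (BSSIDs seen in beacons, Counter of (transmitter, receiver) data-frame pairs)."""
    aps, conv = set(), Counter()
    for frame in frames:
        h = parse_dot11(frame)
        if h is None:
            continue                  # same role as the wiki script's 'except AttributeError: pass'
        if h["type"] == 0 and h["subtype"] == 8:
            aps.add(h["addr3"])       # a beacon's addr3 is the BSSID of the AP that sent it
        elif h["type"] == 2:
            conv[(h["addr2"], h["addr1"])] += 1
    return aps, conv

def build_dot11(ftype, subtype, addr1, addr2, addr3, to_ds=False, from_ds=False):
    """Build a constructed 24-byte header for the sample frames below (test data, not a capture)."""
    fc = (subtype << 4) | (ftype << 2)
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    return bytes([fc, flags, 0, 0]) + addr1 + addr2 + addr3 + b"\x00\x00"

# Constructed sample capture: one beacon, two client->AP data frames, one AP->client frame, one runt.
AP, CLIENT, BCAST = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", b"\xff" * 6
SAMPLE_FRAMES = [
    build_dot11(0, 8, BCAST, AP, AP),
    build_dot11(2, 0, AP, CLIENT, BCAST, to_ds=True),
    build_dot11(2, 0, AP, CLIENT, BCAST, to_ds=True),
    build_dot11(2, 0, CLIENT, AP, BCAST, from_ds=True),
    b"\x00",
]
```

On a real capture the frames would come from rdpcap and bytes(p) for each packet; the beacon check is what lets a MAC list be split into access points and clients.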

Conversation Analysis

Also see Statistical Analysis of Networks

In any conversation, there are two endpoints, A and B. Sometimes A is the source and B is the destination - A is sending data to B. And sometimes B is the source and A is the destination - B is sending data to A.

The relationship can be described with a network. A network is composed of dots, or nodes, and lines, or edges. In our case, we are representing a conversation with nodes (entities like A and B) and edges (representing a relationship between entities). A conversation can be thought of as two nodes and two edges - one edge representing A to B, the other edge representing B to A.

Using the network representation, we can also think about it as two separate flow networks (see https://en.wikipedia.org/wiki/Flow_network): the first flow network is a series of nodes connected by edges representing data from the outside world (via routers or access points) to nodes, and the second flow network is nodes connected by edges representing data flowing outward.

To simplify starting out, we can ignore a particular dimension by simply integrating over it entirely. For example, to remove the temporal aspect of conversations - how the conversations evolve over time - we can loop over every packet and collect information about conversations and flows.

If we wanted to get temporal resolution, however, we could loop through each packet and create a time vector of conversations, with some averaging window like 30 seconds or 5 minutes.
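
An added example, not from the wiki: the time-integrated conversation dict, the two flow networks, and the windowed version described above, run over constructed (timestamp, transmitter, receiver, bytes) records; the addresses and the INFRASTRUCTURE set of APs/routers are assumptions.

```python
from collections import Counter, defaultdict

# Added example, not the wiki's code: the three views of a conversation built from
# (timestamp, transmitter, receiver, bytes) records such as the addr fields pulled from a
# capture. The addresses and the INFRASTRUCTURE set of APs/routers are constructed assumptions.

def conversations(records):
    """Integrate over time: frames per directed edge, the same dict scapy's conversations() builds."""
    conv = Counter()
    for _, src, dst, _ in records:
        conv[(src, dst)] += 1
    return conv

def flows(records, infrastructure):
    """The two flow networks: bytes inbound (infrastructure -> node) and outbound (node -> infrastructure)."""
    inbound, outbound = Counter(), Counter()
    for _, src, dst, nbytes in records:
        if src in infrastructure and dst not in infrastructure:
            inbound[dst] += nbytes
        elif dst in infrastructure and src not in infrastructure:
            outbound[src] += nbytes
    return inbound, outbound

def windowed_conversations(records, window):
    """Keep the temporal dimension: one Counter per averaging window of `window` seconds."""
    buckets = defaultdict(Counter)
    t0 = min(r[0] for r in records)
    for ts, src, dst, _ in records:
        buckets[int((ts - t0) // window)][(src, dst)] += 1
    return dict(buckets)

# Constructed sample records: (seconds since capture start, transmitter, receiver, bytes)
AP, A, B = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"
INFRASTRUCTURE = {AP}
RECORDS = [
    (0.0, A, AP, 120), (1.5, AP, A, 1400), (2.0, B, AP, 80),
    (35.0, AP, B, 1400), (36.0, AP, B, 1400), (40.0, A, AP, 60),
    (70.0, B, A, 200),   # direct B -> A traffic: a conversation edge, but in neither flow network
]

if __name__ == "__main__":
    for (s, d), n in conversations(RECORDS).most_common():
        print("%s -> %s: %d frames" % (s, d, n))
    print("inbound/outbound bytes:", flows(RECORDS, INFRASTRUCTURE))
    for w, conv in sorted(windowed_conversations(RECORDS, 30).items()):
        print("window %d:" % w, dict(conv))
```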

Other applications:

* https://en.wikipedia.org/wiki/Electrical_distribution
* https://en.wikipedia.org/wiki/Pipe_network_analysis
* https://en.wikipedia.org/wiki/Gas_networks_simulation

Also, neat:

* http://trisul.org/docs/ug/alerts/tband.html
* http://trisul.org/features/#security_monitoring
