Pcap_Features_Extraction

This program allows you to extract a set of features from pcap files.

Folders

Put your pcaps in the respective folders (one folder for malware pcaps, one for legitimate pcaps).

Features Calculation

The FeaturesCalc.py file contains the code that calculates the features. The program is designed for two types of pcaps: malware pcaps and legitimate pcaps. There are 26 features.

CSV

The computed features are saved in a CSV file.

Example

# featuresCalc is the features calculator from FeaturesCalc.py (its construction is not shown here).
csv = CSV(file_name="features")
csv.create_empty_csv()
# Here I add the header row of the CSV file (the feature names).
csv.add_row(featuresCalc.get_features_name())
# Here I add a generic row: the features computed over an array of packets.
features = featuresCalc.compute_features(array_of_pkts)
csv.add_row(features)

Attacker Calculation

The AttackerCalc.py file computes the attacker from a malware pcap. The first IP address seen in a malware pcap is probably the attacker, because it is the one that starts the communication flow.

Packet Filter

The PacketFilter.py file contains the packet filter: it decides whether a packet is accepted or rejected.

Example

attacker = AttackerCalc(pcap=pcap)
ip_to_consider = attacker.compute_attacker()
ip_to_ignore = ["127.0.0.1"]

filter_1 = PacketFilter(ip_whitelist_filter=ip_to_consider, ip_blacklist_filter=[], TCP=True)

This filter accepts all packets whose IP address is in ip_to_consider and that have a TCP layer.

filter_2 = PacketFilter(ip_whitelist_filter=[], ip_blacklist_filter=ip_to_ignore, UDP=True)

This filter accepts all packets whose IP address is not in ip_to_ignore and that have a UDP layer.

filter_3 = PacketFilter(ip_whitelist_filter=[], ip_blacklist_filter=[], IPv4=True)

This filter accepts all packets with an IP layer. You can combine these filters in the following way:

filter_1 = PacketFilter(ip_whitelist_filter=[], ip_blacklist_filter=[], TCP=True, UDP=False)
filter_2 = PacketFilter(ip_whitelist_filter=[], ip_blacklist_filter=[], TCP=False, UDP=True)
if filter_2.check_packet_filter(pkt) or filter_1.check_packet_filter(pkt):
    print("pkt accepted")

This code accepts a packet if it has a TCP layer or a UDP layer.
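The following is an added, self-contained illustration of the filter semantics described above, not the project's own PacketFilter.py: it re-implements the whitelist, blacklist and layer-flag checks (assuming a whitelist matches when either the source or the destination address is listed, and a blacklist rejects when either is) over constructed packets, so it runs offline without scapy or a pcap, and applies the README's "first IP is the attacker" heuristic to pick the whitelist.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    """Constructed stand-in for a parsed packet: endpoints plus the layers it carries."""
    src: str
    dst: str
    layers: frozenset  # e.g. frozenset({"IPv4", "TCP"})


@dataclass
class SimplePacketFilter:
    """Hypothetical re-implementation mirroring the README's PacketFilter arguments."""
    ip_whitelist_filter: list = field(default_factory=list)
    ip_blacklist_filter: list = field(default_factory=list)
    IPv4: bool = False
    TCP: bool = False
    UDP: bool = False

    def check_packet_filter(self, pkt: Packet) -> bool:
        addrs = {pkt.src, pkt.dst}
        # Whitelist (if given): at least one endpoint must be listed.
        if self.ip_whitelist_filter and not addrs & set(self.ip_whitelist_filter):
            return False
        # Blacklist: any listed endpoint rejects the packet.
        if addrs & set(self.ip_blacklist_filter):
            return False
        # Layer flags: every layer whose flag is True must be present in the packet.
        flags = (("IPv4", self.IPv4), ("TCP", self.TCP), ("UDP", self.UDP))
        required = {name for name, on in flags if on}
        return required <= pkt.layers


def first_ip(packets):
    """README heuristic: the source of the first packet is taken as the attacker."""
    return packets[0].src if packets else None


def accepted(packets, *filters):
    """Indices of packets accepted by any of the filters (OR-combination, as above)."""
    return [i for i, p in enumerate(packets) if any(f.check_packet_filter(p) for f in filters)]


# Constructed sample traffic: 10.0.0.5 opens the conversation, replies follow.
SAMPLE = [
    Packet("10.0.0.5", "192.168.1.10", frozenset({"IPv4", "TCP"})),
    Packet("192.168.1.10", "10.0.0.5", frozenset({"IPv4", "TCP"})),
    Packet("10.0.0.5", "192.168.1.10", frozenset({"IPv4", "UDP"})),
    Packet("127.0.0.1", "127.0.0.1", frozenset({"IPv4", "UDP"})),
    Packet("192.168.1.10", "192.168.1.20", frozenset({"IPv4", "TCP"})),
]
```

Running `accepted(SAMPLE, SimplePacketFilter(ip_whitelist_filter=[first_ip(SAMPLE)], TCP=True))` keeps only the attacker's TCP packets, while the loopback UDP packet is dropped by a blacklist of `["127.0.0.1"]`.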

Example Of Usage

The Main.py file contains an example of usage of this program. You can run it with:

python3 Main.py

Each run creates a single CSV file. So if you put 4 pcaps in one folder (or 4 in each of the two folders), Main.py creates a single CSV with the features of 4 (or 8) pcaps.