dm secu

securite/dm/pcap_analyzer/src/main.rs

@@ -1,4 +1,9 @@
-use std::{collections::HashMap, error::Error, ops::AddAssign, path::PathBuf};
+use std::{
+	collections::{HashMap, HashSet},
+	error::Error,
+	ops::AddAssign,
+	path::PathBuf,
+};
 
 use clap::{Parser, Subcommand};
 use etherparse::{NetSlice, SlicedPacket};
@@ -24,6 +29,8 @@ fn main() -> Result<(), Box<dyn Error>> {
 			let mut first_timestamp = None;
 			let mut last_timestamp = None;
 			let mut protocols = HashMap::new();
+			let mut sources = HashMap::new();
+			let mut destinations = HashSet::new();
 
 			while let Ok(packet) = pcap.next_packet() {
 				total += 1;
@@ -39,9 +46,15 @@ fn main() -> Result<(), Box<dyn Error>> {
 				};
 
 				if let Some(NetSlice::Ipv4(ipv4)) = packet.net {
+					total_ipv4 += 1;
+
 					let protocol = ipv4.header().protocol();
 					protocols.entry(protocol).or_insert(0).add_assign(1);
-					total_ipv4 += 1;
+
+					let entry = sources.entry(ipv4.header().source()).or_insert((0, 0));
+					entry.0 += 1;
+					entry.1 += ipv4.payload().payload.len();
+					destinations.insert(ipv4.header().destination());
 				}
 			}
 
@@ -56,6 +69,7 @@ fn main() -> Result<(), Box<dyn Error>> {
 			let avg_packet = (last_timestamp - first_timestamp) / total as f64;
 			println!("Avg packet rate: {avg_packet: >14.4}");
 			println!("Errors:          {errs: >14}");
+			println!();
 
 			let mut protocols: Vec<_> = protocols.into_iter().collect();
 			protocols.sort_by_key(|(_, count)| *count);
@@ -64,6 +78,16 @@ fn main() -> Result<(), Box<dyn Error>> {
 				let contrib = (count as f64 / total as f64) * 100.;
 				println!("- {num:?} {count: >14} ({contrib:>6.2}%)");
 			}
+			println!();
+
+			let unique_sources = sources.len();
+			println!("Unique sources:           {unique_sources: >14.4}");
+			let unique_dests = destinations.len();
+			println!("Unique destinations:      {unique_dests: >14.4}");
+			let most_bytes = sources.iter().max_by_key(|(_, (_, bytes))| bytes).map(|(addr, _)| addr);
+			println!("Source with most bytes:   {most_bytes:?}");
+			let most_packets = sources.iter().max_by_key(|(_, (packs, _))| packs).map(|(addr, _)| addr);
+			println!("Source with most packets: {most_packets:?}");
 		}
 	}
 

securite/dm/rapport.md

@@ -170,6 +170,8 @@ pcap_analyzer ./trace2.pcap stats
 # Last timestamp:         1474309098.10
 # Avg packet rate:               0.0014
 # Errors:                       1717607
+# Main Protocols:
+# - 6 (TCP - Transmission Control)       28893393 ( 94.39%)
 ```
 
 La trace contient 28 893 393 paquets IPv4.
@@ -185,3 +187,22 @@ Le timestamp du premier paquet de la trace est 1 474 265 898.92 secondes.
 #### What is the average packet rate (in packets per second to two decimal places) of the trace (as Avg packet rate:)?
 
 Le taux de paquets de la trace est 0.0014 paquet par seconde.
+
+#### What is the packet protocol distribution?   (A table showing the 5 top protocols and their respective contributions is fine.)
+
+94.39% des paquets sont des paquets TCP. Les autres paquets n'ont pas d'entête IPv4.
+
+#### Plot a histogram of the packet size distribution (the Python numpy and matplot packages are installed on the Labtainer).
+
+...
+
+#### How many unique IPv4 source addresses are present in the trace (as Unique sources:)?
+#### How many unique IPv4 destination addresses are present in the trace (as Unique destinations:)?
+#### Create a cumulative distribution function (CDF) plot. The x-axis is the number of bytes sent and the y-axis is the cumulative fraction of sources.
+
+...
+
+#### Which source sent the most bytes (as Source with most bytes:)?
+#### Which source sent the most packets (as Source with most packets:)?  Based on your analysis of the trace:
+#### List 3 characteristics of the traffic that seem unusual to you.
+#### Provide a reasonable explanation for what traffic the trace represents, taking into account the unusual characteristics you have identified.