Network Trace analysis using Python, Nevil Brownlee, U Auckland (PowerPoint PPT Presentation)


  1. Network Trace analysis using Python. Nevil Brownlee, U Auckland | WAND. NZNOG 2015 Tutorial, 26 January 2015

  2. Introduction
     ● Using Network Traces
       – There are lots of tools
         ● tcpdump, wireshark, libtrace, python-libtrace, ...
       – Why use python?
         ● to answer questions involving big traces
         ● to produce reports, plots, etc. that are specific to your site/network/user(s)
     ● Assumptions
       – You understand network protocols well
       – You've already tried using python
     python trace analysis tutorial NZNOG 2015 Rotorua, 28 Jan 15 2

  3. Python – Nevil's view
     ● python is deliberately simple-minded
       – It forces you to write many simple lines
       – Indenting as syntax (!)
         ● at least for classes and function declarations
         ● ; can separate multiple statements on the same line
         ● emacs has syntax-colouring, and commands to move blocks of lines in or out
     ● python has a huge collection of modules
       – We'll only look at a few of them
         ● python-libtrace (of course)
         ● numpy, scipy and matplotlib

  4. Python – Nevil's view (2)
     ● python has lots of built-in functions
       – You often need to use them for common operations, e.g. enumerate() to step through a python dictionary (i.e. hash)
     ● python objects have a big set of pre-defined functions
       – e.g. for comparison and iteration
       – you have to understand these, and use them!

  5. Libtrace
     ● Web page http://wand.net.nz/trac/libtrace
     ● C library for analysing packet traces
     ● Reads and writes compressed trace files directly (.gz or .bz2)
     ● URI specifies a 'trace', e.g. pcap:test.pcap.gz
       ● pcap:, pcapfile: or erf: for trace files
       ● live interfaces
         – linux int:, ring:, pcapint:
         – BSD bpf:
         – documented in SupportedTraceFormats

  6. Libtrace utilities
     ● tracesplit
       – Can collect new traces from an interface
         ● tracesplit -c 10000 -m 1 -Zgzip -z5 pcap:eth5 \
               pcapfile:10kpackets.pcap.gz
         ● reads packets from a pcap interface, writes 10k packets to a single compressed pcap file
       – Can also split a trace file into smaller files
     ● traceanon
       – Anonymises IP addresses in packet headers
         ● traceanon -sd -c"x yz" pcapfile:10kp-raw.pcap \
               pcapfile:10kp-anon.pcap
         ● -c "key" uses cryptopan with key 'x yz'
         ● -sd anonymises both source and destination addresses

  7. python-libtrace (plt)
     ● Python module providing access to fields in packets via libtrace
     ● plt provides a clean, object-oriented view of packets
       – Network layers are subclasses of the Packet class
     ● Includes pldns and natkit
       – pldns: python access to the NLnetLabs ldns C library
       – natkit: a collection of 'useful' tools for network analysis, i.e.
         ● get 2- and 4-byte integers from a ByteArray
         ● TCP sequence number arithmetic
         ● classes for building flow tables
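The two natkit utilities named on this slide (reading 2- and 4-byte integers out of a byte buffer, and TCP sequence-number arithmetic that stays correct when the 32-bit counter wraps) are small enough to show in plain Python. The block below is an added example written for this page; it is not natkit's code and the function names (get_u16, get_u32, seq_diff, seq_lt, next_expected) are my own. The TCP header it reads is constructed inline, so it runs without libtrace.

```python
import struct

SEQ_MOD = 1 << 32          # TCP sequence numbers live in a 32-bit ring


def get_u16(buf, offset):
    """Big-endian 16-bit integer at buf[offset:offset+2] (e.g. a port number)."""
    return struct.unpack_from("!H", buf, offset)[0]


def get_u32(buf, offset):
    """Big-endian 32-bit integer at buf[offset:offset+4] (e.g. a sequence number)."""
    return struct.unpack_from("!I", buf, offset)[0]


def seq_diff(a, b):
    """Signed distance a - b in sequence space; correct across the 2**32 wrap."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d


def seq_lt(a, b):
    """True if a comes before b in sequence space (the usual modular comparison)."""
    return seq_diff(a, b) < 0


def seq_add(a, n):
    return (a + n) % SEQ_MOD


def next_expected(seq, payload_len, syn, fin):
    """Sequence number the receiver expects next: SYN and FIN each consume one number."""
    return seq_add(seq, payload_len + bool(syn) + bool(fin))


# Constructed 20-byte TCP header: sport 443, dport 51000, seq 0xFFFFFFF0 (about to wrap),
# ack 1000, data offset 5 words, flags FIN|ACK (0x11), window 65535, checksum/urgent 0.
SAMPLE_TCP = struct.pack("!HHIIBBHHH", 443, 51000, 0xFFFFFFF0, 1000, 5 << 4, 0x11, 65535, 0, 0)


def summarize(tcp_hdr, payload_len):
    """Pull ports, seq and ack out of a raw header with the byte helpers and compute the next seq."""
    flags = tcp_hdr[13]                    # flags byte follows the data-offset byte
    seq = get_u32(tcp_hdr, 4)
    return {
        "sport": get_u16(tcp_hdr, 0),
        "dport": get_u16(tcp_hdr, 2),
        "seq": seq,
        "ack": get_u32(tcp_hdr, 8),
        "next_seq": next_expected(seq, payload_len, flags & 0x02, flags & 0x01),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_TCP, 32)          # 32 payload bytes plus the FIN wrap past 2**32
    print(s)
    print("segment precedes its successor even across the wrap:", seq_lt(s["seq"], s["next_seq"]))
```

The point of seq_diff is that a naive `a < b` says 0xFFFFFFF0 is far larger than 17, whereas in sequence space 17 is the very next expected byte after that FIN; flow-table code that reassembles or checks retransmissions has to use the modular comparison.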

  8. Installing python-libtrace
     ● Libtrace
       – Check that you have libz and libbz2
       – Download latest libtrace from
         ● research.wand.net.nz/software/libtrace.php
       – Follow instructions in INSTALL file
     ● ldns
       – Requires latest version of openssl
       – Download ldns C library from
         ● www.nlnetlabs.nl/projects/ldns
     ● python
       – Requires python-dev
       – Can build for python 2 or 3 (I use python 2)

  9. Installing python-libtrace (2)
     ● python-libtrace
       – Download latest python-libtrace (plt) from
         ● www.cs.auckland.ac.nz/~nevil
       – Follow instructions in INSTALL file
         ● tar zxf python-libtrace-x.y.tgz (currently 1.4)
         ● cd python-libtrace-1.4
         ● make install-py2 # for python 2 # or py3
       – Install will run tests, don't panic if some fail
         ● Tests compare output of test programs on your system with output on my development system
         ● Please send bug reports to me so that I can improve the testing!
       – Nevil Brownlee <n.brownlee@auckland.ac.nz>

  10. python-libtrace documentation
     ● html documentation included in the distribution tarball, along with some simple example programs
       – In python-libtrace-1.4/doc
       – Also on web at
         ● www.cs.auckland.ac.nz/~nevil/python-libtrace
       – A page for each part or subclass within plt

  11. plt overview
     ● plt provides a class hierarchy for a Packet

  12. Tutorial plt programs
     ● This tutorial provides a set of programs, intended to show how to use python-libtrace (plt)
     ● My example traces have been anonymised using traceanon
       – 10,000 packets from a network edge, snap length 80 (i.e. only first 80 bytes)
       – smaller anonymised DNS traces
     ● As we work through them, I'll explain how they work, and the python and plt features they use ...

  13. p01_read_test.py
     ● Create a trace, start it
     ● Read its packets, count them
     ● Note:
       – import plt to use python-libtrace
       – Specify the trace URI
       – start() the trace
         ● must do this before trying to use it
       – iterate through the trace's Packets
         ● python iterator loop using 'in'
       – close the trace (function with no parameters)
       – print the count; printf-style, format using '%'

  14. p02_count_ethertypes.py
     ● Count the number of packets for each ethertype in a trace
     ● Note:
       – ; separating two statements on same line
       – python dictionary for ethertypes seen
       – dictionary keys must be Strings (immutable)
       – value of dictionary items is just an integer
       – print dictionary in sorted() order
         ● no parameters → increasing order of item values
       – tuple of objects to print (et, ethertypes[et])

  15. p03_count_protos.py
     ● Count the number of packets for each IP or IP6 protocol in a trace
     ● Note:
       – nested if statements
       – python dictionary for ethertypes seen
       – trace contains IP and IP6 packets
       – print dictionary in sorted() order
         ● key= expects a function parameter; protocols.get is a function that gets the value for each key
         ● reverse=True for descending order ('T' for python true)
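Slides 14 and 15 (p02 and p03) describe the same pattern: walk the packets, read one header field, tally it in a dictionary, print the dictionary with sorted(), either by key (no arguments) or by count (key=protocols.get, reverse=True). The block below is an added example, not the tutorial's p02/p03 code: instead of plt it reads the ethertype and the IPv4 protocol / IPv6 next-header fields straight out of constructed Ethernet frames with struct, so it runs without libtrace. The frames and the names ethertype_of, ip_proto_of, count_ethertypes, count_protos and report are mine.

```python
import struct

ETH_P_IP, ETH_P_ARP, ETH_P_IP6 = 0x0800, 0x0806, 0x86DD
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMPV6 = 6, 17, 58


def ethertype_of(frame):
    """Ethertype is bytes 12-13 of an untagged Ethernet frame."""
    return struct.unpack_from("!H", frame, 12)[0]


def ip_proto_of(frame):
    """IPv4 'protocol' (header offset 9) or IPv6 'next header' (offset 6); None for non-IP frames."""
    et = ethertype_of(frame)
    if et == ETH_P_IP:
        return frame[14 + 9]
    elif et == ETH_P_IP6:
        return frame[14 + 6]
    return None


def count_ethertypes(frames):
    ethertypes = {}
    for f in frames:
        et = ethertype_of(f)
        ethertypes[et] = ethertypes.get(et, 0) + 1
    return ethertypes


def count_protos(frames):
    protocols = {}
    for f in frames:
        proto = ip_proto_of(f)
        if proto is not None:            # nested test: only IP and IP6 frames carry a protocol
            protocols[proto] = protocols.get(proto, 0) + 1
    return protocols


def report(counts, by_value=False):
    """sorted() on a dict yields its keys; key=counts.get with reverse=True orders by count, descending."""
    keys = sorted(counts, key=counts.get, reverse=True) if by_value else sorted(counts)
    return [(k, counts[k]) for k in keys]


# --- constructed frames (zeroed MAC addresses, 10.0.0.x addresses; no real traffic) ---
def mk_ipv4(proto):
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return eth + ip


def mk_ipv6(next_header):
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP6)
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64, b"\x00" * 16, b"\x00" * 16)
    return eth + ip6


def mk_arp():
    return b"\x00" * 12 + struct.pack("!H", ETH_P_ARP) + b"\x00" * 28


TRACE = ([mk_ipv4(IPPROTO_TCP)] * 3 + [mk_ipv4(IPPROTO_UDP)] * 2
         + [mk_ipv6(IPPROTO_TCP), mk_ipv6(IPPROTO_ICMPV6), mk_arp()])

if __name__ == "__main__":
    for et, n in report(count_ethertypes(TRACE)):
        print("ethertype 0x%04x: %d" % (et, n))
    for proto, n in report(count_protos(TRACE), by_value=True):
        print("proto %3d: %d" % (proto, n))
```

With plt the two header reads become attribute accesses on the Packet object; the dictionary and sorted() logic is unchanged. Note that the IPv6 "next header" is only the first header in the chain, so a trace with extension headers needs the chain walked before the transport protocol is known.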

  16. p04_transit_ip_pkts.py
     ● Count packets that are transiting a 'home' network
     ● Notes:
       – Using IPprefix methods, imported by plt
       – from_s() to make an IPprefix for 'home'
       – ignore IP6 packets in this example
       – have to set src_ and dst_prefix length to 32
       – home.is_prefix(a) tests whether home is a prefix of a, i.e. a lies within home
       – print src_ and dst_prefixes for each new 'foreign' packet
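The prefix test on this slide is the core of any "is this traffic ours?" check. The block below is an added example, not p04 and not plt's IPprefix class: it does the same job with the standard-library ipaddress module, using constructed (src, dst) pairs from the RFC 5737 documentation ranges, skips IPv6 as p04 does, and records each new foreign /32 pair once. from_s, is_prefix and count_transit are my names, chosen to mirror the slide.

```python
import ipaddress


def from_s(prefix_str):
    """Parse 'a.b.c.d/len' (a bare address is treated as a /32) into a network object."""
    return ipaddress.ip_network(prefix_str, strict=False)


def is_prefix(prefix, addr):
    """True if prefix covers addr, i.e. addr lies within prefix. Accepts a string or an address object."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return addr in prefix


def count_transit(home, packets):
    """Classify constructed (src, dst) pairs against the home prefix.
    internal: both ends inside home; local: one end inside; transit: neither end inside.
    IPv6 packets are skipped, as in p04; each new foreign src/dst pair is kept once as /32s."""
    counts = {"internal": 0, "local": 0, "transit": 0, "ip6_ignored": 0}
    foreign_pairs = []
    seen = set()
    for src_s, dst_s in packets:
        src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        if src.version != 4:
            counts["ip6_ignored"] += 1
            continue
        s_home, d_home = is_prefix(home, src), is_prefix(home, dst)
        if s_home and d_home:
            counts["internal"] += 1
        elif s_home or d_home:
            counts["local"] += 1
        else:
            counts["transit"] += 1
            pair = ("%s/32" % src, "%s/32" % dst)     # p04 prints src_ and dst_prefix at length 32
            if pair not in seen:
                seen.add(pair)
                foreign_pairs.append(pair)
    return counts, foreign_pairs


HOME = from_s("192.0.2.0/24")      # constructed 'home' network (TEST-NET-1)

PACKETS = [                        # constructed (src, dst) pairs, not from a real trace
    ("192.0.2.10", "198.51.100.5"),
    ("198.51.100.5", "192.0.2.10"),
    ("192.0.2.10", "192.0.2.20"),
    ("198.51.100.7", "203.0.113.9"),
    ("198.51.100.7", "203.0.113.9"),
    ("203.0.113.9", "198.51.100.7"),
    ("2001:db8::1", "2001:db8::2"),
]

if __name__ == "__main__":
    counts, pairs = count_transit(HOME, PACKETS)
    print(counts)
    for src_prefix, dst_prefix in pairs:
        print("foreign: %s -> %s" % (src_prefix, dst_prefix))
```

Transit packets on an edge link are worth counting for more than curiosity: on a stub network that does not carry traffic for others, a non-zero transit count usually means a routing mistake, spoofed sources, or a capture point that is not where you thought it was.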

  17. p05_tcp_fin_vs_reset.py
     ● Count the FIN and RESET flags in the trace's TCP packets
     ● Notes:
       – pkt.tcp gets a TCP object from a packet; it returns False if it wasn't TCP

  18. p06_http_fin_vs_reset.py
     ● Separate http FIN and RESET counts from total FIN and RESET counts
     ● Notes:
       – Same as p05, but tests for http first

  19. p07_tcp_port_counts.py
     ● Looks for ports with highest byte counts
     ● Notes:
       – class port_counts to hold information for each port
         ● class functions (methods) have self as first parameter
         ● instance variables are prefixed with self.
         ● __init__() creates a class object
         ● __str__() prints the object
       – sorted()'s key is an anonymous function
         ● here k is lambda's only parameter

  20. p08_ports_fin_vs_reset.py
     ● Count FIN and RESET flags for each TCP port
     ● Notes:
       – Combination of p07 and p05
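Slides 17 to 20 (p05 through p08) build on one another: count FIN and RST flags, split out the http share, tally bytes per port in a small class with __init__() and __str__(), then sort the instances with a lambda key. The block below is one added example covering all four; it is not the tutorial's code. It parses constructed raw TCP headers with struct instead of using pkt.tcp, so it runs without libtrace. The class is named port_counts to mirror the slide but its fields and methods are my own, and keying each segment by the lower of its two port numbers (as a stand-in for the service port) is an assumption of this example, not something the slides state.

```python
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
HTTP_PORT = 80


def tcp_fields(tcp_hdr):
    """(src port, dst port, flags) from a raw TCP header; the flags byte is at offset 13."""
    sport, dport = struct.unpack_from("!HH", tcp_hdr, 0)
    return sport, dport, tcp_hdr[13]


class port_counts(object):
    """Per-port tallies, in the role of the tutorial's port_counts class (fields are my own)."""

    def __init__(self, port):          # instance variables are prefixed with self.
        self.port = port
        self.pkts = 0
        self.bytes = 0
        self.fins = 0
        self.resets = 0

    def add(self, wire_len, flags):
        self.pkts += 1
        self.bytes += wire_len
        if flags & FIN:
            self.fins += 1
        if flags & RST:
            self.resets += 1

    def __str__(self):                 # used when the object is printed
        return "port %5d: %7d bytes %5d pkts %4d FIN %4d RST" % (
            self.port, self.bytes, self.pkts, self.fins, self.resets)


def fin_vs_reset(segments):
    """p05/p06: total FIN and RST counts, with the http (port 80) share split out; http is tested first."""
    c = {"fin": 0, "reset": 0, "http_fin": 0, "http_reset": 0}
    for hdr, _ in segments:
        sport, dport, flags = tcp_fields(hdr)
        http = HTTP_PORT in (sport, dport)
        if flags & FIN:
            c["fin"] += 1
            if http:
                c["http_fin"] += 1
        if flags & RST:
            c["reset"] += 1
            if http:
                c["http_reset"] += 1
    return c


def top_ports(segments):
    """p07/p08: one port_counts per port, sorted by byte count descending via a lambda key."""
    ports = {}
    for hdr, wire_len in segments:
        sport, dport, flags = tcp_fields(hdr)
        port = min(sport, dport)       # assumption: the lower port is the service port
        if port not in ports:
            ports[port] = port_counts(port)
        ports[port].add(wire_len, flags)
    return sorted(ports.values(), key=lambda k: k.bytes, reverse=True)


def mk_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header; seq, ack, window and checksum are placeholders."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)


SEGMENTS = [                           # (header, bytes on the wire), constructed
    (mk_tcp(51000, 80, SYN), 60),
    (mk_tcp(80, 51000, SYN | ACK), 60),
    (mk_tcp(51000, 80, PSH | ACK), 500),
    (mk_tcp(80, 51000, FIN | ACK), 52),
    (mk_tcp(51001, 443, RST), 40),
    (mk_tcp(51002, 22, RST | ACK), 40),
    (mk_tcp(22, 51002, FIN | ACK), 40),
]

if __name__ == "__main__":
    print(fin_vs_reset(SEGMENTS))
    for pc in top_ports(SEGMENTS):
        print(pc)
```

A port whose RST count rivals its FIN count is the kind of thing this report surfaces: it may be a service refusing connections, a scanner probing closed ports, or a middlebox tearing sessions down, and the per-port split tells you where to look next in the trace.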

  21. p09_pldns_demo.py
     ● Demonstration of pldns – working with DNS packets
     ● Notes:
       – must import pldns – it's not part of plt
       – reads 1kp-dns-anon file, 1k full DNS records
       – pldns.ldns() makes a pldns object from a packet's UDP payload
         ● ldns expects a complete packet!
         ● pldns has functions that return (python) lists of LdnsRR objects
         ● an LdnsRR object has attributes that return information about a DNS RR

  22. p10_pldns_count_dnssec.py
     ● Count DNS records that contain DNSSEC RRs
     ● Notes:
       – tuple for RR types (integers)
       – gets authority list of RRs for each packet
       – searches it for an RR in the tuple
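Slides 21 and 22 (p09 and p10) rely on pldns to turn a UDP payload into lists of RR objects and then scan the authority list for DNSSEC types. To show what that parsing involves, the block below is an added example, not p09/p10 and not pldns or ldns: a minimal RFC 1035 message parser in plain Python that follows name-compression pointers, splits a message into its three RR sections, and counts responses whose authority section carries a DNSSEC RR type. The three responses are constructed in the block (the RRSIG and NSEC rdata are placeholder bytes, not real signatures), and read_name, parse_sections, has_dnssec_authority and count_dnssec are my names.

```python
import struct

# DNSSEC RR types as a tuple of integers, as p10 does: DS, RRSIG, NSEC, DNSKEY, NSEC3
DNSSEC_TYPES = (43, 46, 47, 48, 50)


def read_name(msg, off, max_hops=32):
    """Parse the domain name at msg[off:], following compression pointers.
    Returns (name, offset just after the name's first occurrence). A hop limit
    stops a looping pointer chain from hanging the parser."""
    labels = []
    end = None
    hops = 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # 2-byte compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:                                # root label terminates the name
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) or ".", (end if end is not None else off)


def parse_sections(msg):
    """Split a DNS message (the UDP payload) into answer, authority and additional RR lists.
    Each RR is (owner, type, ttl, rdata bytes); rdata is kept opaque."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12                                       # fixed 12-byte header
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                   # qtype + qclass
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            sections[section].append((owner, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    return sections


def has_dnssec_authority(msg):
    """p10's test: is any RR in the authority section of a DNSSEC type?"""
    return any(rtype in DNSSEC_TYPES for _, rtype, _, _ in parse_sections(msg)["authority"])


def count_dnssec(msgs):
    return sum(1 for m in msgs if has_dnssec_authority(m))


# --- constructed responses (example.* names; placeholder rdata) ---
def encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in name.strip(".").split(".")) + b"\x00"


def rr(owner, rtype, rdata, ttl=300):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


QNAME_PTR = b"\xc0\x0c"           # pointer to the question name, which starts at offset 12


def response(qname, authority):
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, len(authority), 0)
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1) + b"".join(authority)


SAMPLE = [
    response("example.com", [rr(QNAME_PTR, 2, encode_name("ns1.example.com")),
                             rr(QNAME_PTR, 46, b"\x00\x02\x08\x02" + b"\x00" * 20)]),
    response("example.net", [rr(QNAME_PTR, 2, encode_name("ns1.example.net"))]),
    response("example.org", [rr(QNAME_PTR, 6, encode_name("ns1.example.org")
                                + encode_name("hostmaster.example.org")
                                + struct.pack("!IIIII", 1, 3600, 900, 604800, 86400)),
                             rr(QNAME_PTR, 47, encode_name("a.example.org") + b"\x00\x01\x40")]),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print([(owner, rtype) for owner, rtype, _, _ in parse_sections(m)["authority"]])
    print("responses with DNSSEC RRs in the authority section:", count_dnssec(SAMPLE))
```

The hop limit in read_name matters in trace analysis precisely because the packets are untrusted input: a malformed or hostile message with a self-referencing pointer would otherwise loop the parser, and a trace of a million packets will eventually contain one. pldns hands that concern to ldns, which is one reason the slide stresses that ldns expects a complete packet.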

  23. p11_dns_find_our_servers.py
     ● Counts the nameservers in our 'home' network
     ● Notes:
       – combination of p04 and p10
       – uses pldns to look for DNS request src_dests, i.e. incoming requests from other networks
       – counts are high for our site nameservers, but there are lots of unanswered requests to other hosts !?

  24. p12_dns_server_users.py
     ● Count users (i.e. requesting hosts) of a nameserver
     ● Notes:
       – h = str() # Need to tell python we want a string
