# PCAP Data Retrieval and Filtering Notebook (Security Onion Import)

This Jupyter Notebook demonstrates how to retrieve PCAP files from a remote Security Onion host over SSH/SCP using the `paramiko` and `scp` libraries, and how to cut each full capture down to a single flow. The notebook covers the following main tasks:

1. Connecting to the remote server via SSH.
2. Retrieving PCAP files from the remote server.
3. Filtering the retrieved PCAP files based on specific conditions.

The notebook is designed to be executed in sequence, with each cell representing a specific task in the data retrieval and filtering process. It includes explanations, code comments, and sample output to help you understand and visualize each step.

**Prerequisites:**
- Python environment with required libraries installed (`paramiko`, `scp`, `pandas`).
- Access to a remote server with the necessary credentials.
- The `filter_pcap_script.py` script for filtering PCAP files should be available in the same directory.

Feel free to adapt and customize this notebook for your specific use case. Happy data retrieval and filtering!



# Import Libraries

In [3]:
import paramiko
import scp
import pandas as pd
# filter_pcap is imported for direct use; the Filter cell below invokes
# filter_pcap_script.py through the shell instead.
from filter_pcap_script import filter_pcap


# Define Configuration Parameters

In [None]:
# Connection parameters for the Security Onion host. The password is kept
# inline only for demonstration; read it with getpass() or from an environment
# variable, and prefer key-based authentication where the host allows it.
remote_host = "192.168.43.10"
remote_username = "wajdi"
remote_password = "0000"


# Retrieve and Download PCAP Files

In [11]:
# One row per flow: import.id locates the Security Onion import on the
# sensor, log.id.uid identifies the flow and names the local copy.
pcap_info = pd.read_csv('./flow_info.csv')

for _, row in pcap_info.iterrows():
    import_id = row['import.id']
    log_id = row['log.id.uid']
    local_filename = f"./full_pcap_{log_id}.pcap"
    remote_pcap_path = f"/nsm/import/{import_id}/pcap/data.pcap"

    ssh = paramiko.SSHClient()
    # AutoAddPolicy silently trusts any host key it has not seen before; once
    # the sensor's key is in known_hosts, load_system_host_keys() plus
    # RejectPolicy() gives a verified connection instead.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(remote_host, username=remote_username, password=remote_password)
        print("Connected via SSH")
        with scp.SCPClient(ssh.get_transport()) as scp_client:
            scp_client.get(remote_pcap_path, local_filename)
            print("PCAP file retrieved")
    except (paramiko.AuthenticationException, paramiko.SSHException,
            scp.SCPException) as error:
        # SCPException covers a missing remote data.pcap; the loop moves on
        # to the next row instead of aborting the whole retrieval.
        print("Error:", str(error))
    finally:
        ssh.close()


Connected via SSH
PCAP file retrieved
Connected via SSH
PCAP file retrieved
(the same two lines repeat once per row of flow_info.csv)

# Filter PCAP Files

In [15]:
flow_info = pd.read_csv('./flow_info.csv')

for _, row in flow_info.iterrows():
    connection_srcip, connection_dstip = row['source.ip'], row['destination.ip']
    # pandas may return ports as floats (e.g. 443.0) when the column has gaps;
    # the display filter needs plain integers.
    src_port, dst_port = int(row['source.port']), int(row['destination.port'])
    proto = row['network.transport'].lower()
    log_id = row["log.id.uid"]
    if proto not in ("tcp", "udp"):
        # Only TCP and UDP have .srcport/.dstport display-filter fields; ICMP
        # and other transports would produce an invalid filter, so skip them.
        print(f"Skipping {log_id}: no port fields for transport {proto}")
        continue
    # Wireshark display filter that matches the flow in both directions.
    filter_condition = (
        f"(ip.src == {connection_srcip} && {proto}.srcport == {src_port} && "
        f"ip.dst == {connection_dstip} && {proto}.dstport == {dst_port}) || "
        f"(ip.src == {connection_dstip} && {proto}.srcport == {dst_port} && "
        f"ip.dst == {connection_srcip} && {proto}.dstport == {src_port})"
    )
    input_path = f'./full_pcap_{log_id}.pcap'
    output_path = f'./filtered_pcap_{log_id}.pcap'
    # IPython expands $input_path, $output_path and $filter_condition into a
    # shell command line, so the CSV values reach the shell unvalidated.
    !python filter_pcap_script.py $input_path $output_path "$filter_condition"


Filtered pcap saved to ./filtered_pcap_203297560709042.pcap
Filtered pcap saved to ./filtered_pcap_203297560709042.pcap
Filtered pcap saved to ./filtered_pcap_1804203672181747.pcap
Filtered pcap saved to ./filtered_pcap_598413082629892.pcap
Filtered pcap saved to ./filtered_pcap_1718789661686758.pcap
(one line per row of flow_info.csv)
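As an added example (not part of the notebook), the path and filter construction from the Retrieve and Filter cells in a validated form: the import.id, IP addresses, ports and transport read from flow_info.csv are checked before they are interpolated, and the filter script is invoked without a shell. The alphanumeric form of Security Onion import IDs is an assumption.

```python
import ipaddress
import re
import subprocess

# Assumption (not from the notebook): Security Onion import IDs are plain
# alphanumeric tokens, so anything else, e.g. "../", is rejected before it can
# steer the remote path.
IMPORT_ID_RE = re.compile(r"[A-Za-z0-9]+")
PORT_PROTOS = {"tcp", "udp"}  # only these have .srcport/.dstport filter fields


def remote_pcap_path(import_id):
    """Build the /nsm/import/<id>/pcap/data.pcap path from a checked import.id."""
    import_id = str(import_id)
    if not IMPORT_ID_RE.fullmatch(import_id):
        raise ValueError(f"unsafe import.id: {import_id!r}")
    return f"/nsm/import/{import_id}/pcap/data.pcap"


def build_flow_filter(src_ip, dst_ip, src_port, dst_port, proto):
    """Wireshark display filter matching one flow in both directions.
    Each field is validated before interpolation, so a malformed CSV row can
    neither break the filter nor inject shell text into the command line."""
    proto = str(proto).lower()
    if proto not in PORT_PROTOS:
        raise ValueError(f"no port fields for transport {proto!r}")
    # The notebook's filter uses ip.src/ip.dst, which are IPv4-only fields.
    src_ip = str(ipaddress.IPv4Address(src_ip))
    dst_ip = str(ipaddress.IPv4Address(dst_ip))
    sport, dport = int(src_port), int(dst_port)  # pandas may hand back floats
    for p in (sport, dport):
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    fwd = (f"ip.src == {src_ip} && {proto}.srcport == {sport} && "
           f"ip.dst == {dst_ip} && {proto}.dstport == {dport}")
    rev = (f"ip.src == {dst_ip} && {proto}.srcport == {dport} && "
           f"ip.dst == {src_ip} && {proto}.dstport == {sport}")
    return f"({fwd}) || ({rev})"


def filter_command(input_path, output_path, flow_filter):
    """Argument vector for filter_pcap_script.py, to be run without a shell."""
    return ["python", "filter_pcap_script.py", input_path, output_path, flow_filter]


def run_filter(input_path, output_path, flow_filter):
    """Same call as the notebook's !python cell, but the filter travels as one
    argv entry, so no shell ever parses its contents."""
    return subprocess.run(filter_command(input_path, output_path, flow_filter), check=True)
```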