In [4]:
import subprocess
import pandas as pd
import matplotlib.pyplot as plt
import seaborn as sns
import json
import csv
from collections import Counter
import numpy as np
from datetime import datetime
import os
import warnings
warnings.filterwarnings('ignore')

# =========== –≠–¢–ê–ü 1: –ó–ê–ì–†–£–ó–ö–ê –î–ê–ù–ù–´–• ===========

def run_tshark_command(command):
    """
    –í—ã–ø–æ–ª–Ω—è–µ—Ç –∫–æ–º–∞–Ω–¥—É tshark –∏ –≤–æ–∑–≤—Ä–∞—â–∞–µ—Ç —Ä–µ–∑—É–ª—å—Ç–∞—Ç
    """
    try:
        result = subprocess.run(command, shell=True, capture_output=True, text=True)
        if result.returncode == 0:
            return result.stdout
        else:
            print(f"–û—à–∏–±–∫–∞ tshark: {result.stderr}")
            return None
    except Exception as e:
        print(f"–û—à–∏–±–∫–∞ –≤—ã–ø–æ–ª–Ω–µ–Ω–∏—è –∫–æ–º–∞–Ω–¥—ã: {e}")
        return None

def check_tshark_installed():
    """
    –ü—Ä–æ–≤–µ—Ä—è–µ—Ç, —É—Å—Ç–∞–Ω–æ–≤–ª–µ–Ω –ª–∏ tshark
    """
    try:
        result = subprocess.run("tshark --version", shell=True, capture_output=True, text=True)
        return result.returncode == 0
    except:
        return False

def extract_dns_from_pcap(pcap_file, packet_limit=None):
    """
    –ò–∑–≤–ª–µ–∫–∞–µ—Ç DNS-–∑–∞–ø—Ä–æ—Å—ã –∏–∑ pcap —Ñ–∞–π–ª–∞ —Å –ø–æ–º–æ—â—å—é tshark
    """
    print(f"–ò–∑–≤–ª–µ—á–µ–Ω–∏–µ DNS-–∑–∞–ø—Ä–æ—Å–æ–≤ –∏–∑ {pcap_file}...")
    
    # –§–æ—Ä–º–∏—Ä—É–µ–º –∫–æ–º–∞–Ω–¥—É tshark
    base_cmd = f"tshark -r {pcap_file} -Y dns -T fields"
    fields = [
        "-e frame.time",
        "-e ip.src",
        "-e ip.dst", 
        "-e dns.qry.name",
        "-e dns.qry.type",
        "-e dns.flags.rcode",
        "-e dns.count.queries",
        "-e dns.count.answers"
    ]
    
    if packet_limit:
        base_cmd += f" -c {packet_limit}"
    
    command = f"{base_cmd} {' '.join(fields)} -E header=y"
    
    # –í—ã–ø–æ–ª–Ω—è–µ–º –∫–æ–º–∞–Ω–¥—É
    output = run_tshark_command(command)
    
    if not output:
        return []
    
    # –ü–∞—Ä—Å–∏–º –≤—ã–≤–æ–¥
    dns_data = []
    lines = output.strip().split('\n')
    
    if len(lines) < 2:
        print("–ù–µ—Ç DNS-–∑–∞–ø—Ä–æ—Å–æ–≤ –≤ —Ñ–∞–π–ª–µ")
        return []
    
    # –ü—Ä–æ–ø—É—Å–∫–∞–µ–º –∑–∞–≥–æ–ª–æ–≤–æ–∫
    for line in lines[1:]:
        if line.strip():
            parts = line.split('\t')
            if len(parts) >= 8:
                dns_info = {
                    'timestamp': parts[0],
                    'source_ip': parts[1],
                    'dest_ip': parts[2],
                    'query_name': parts[3],
                    'query_type': parts[4],
                    'response_code': parts[5],
                    'query_count': parts[6],
                    'answer_count': parts[7]
                }
                dns_data.append(dns_info)
    
    print(f"–ò–∑–≤–ª–µ—á–µ–Ω–æ DNS-–∑–∞–ø—Ä–æ—Å–æ–≤: {len(dns_data)}")
    return dns_data

def extract_ip_connections(pcap_file, packet_limit=None):
    """
    –ò–∑–≤–ª–µ–∫–∞–µ—Ç IP-—Å–æ–µ–¥–∏–Ω–µ–Ω–∏—è –∏–∑ pcap —Ñ–∞–π–ª–∞
    """
    print(f"–ò–∑–≤–ª–µ—á–µ–Ω–∏–µ IP-—Å–æ–µ–¥–∏–Ω–µ–Ω–∏–π –∏–∑ {pcap_file}...")
    
    base_cmd = f"tshark -r {pcap_file} -Y ip -T fields"
    fields = [
        "-e frame.time",
        "-e ip.src",
        "-e ip.dst",
        "-e ip.proto",
        "-e frame.len",
        "-e tcp.srcport",
        "-e tcp.dstport",
        "-e udp.srcport", 
        "-e udp.dstport",
        "-e _ws.col.Protocol"
    ]
    
    if packet_limit:
        base_cmd += f" -c {packet_limit}"
    
    command = f"{base_cmd} {' '.join(fields)} -E header=y"
    
    output = run_tshark_command(command)
    
    if not output:
        return []
    
    ip_data = []
    lines = output.strip().split('\n')
    
    if len(lines) < 2:
        print("–ù–µ—Ç IP-—Å–æ–µ–¥–∏–Ω–µ–Ω–∏–π –≤ —Ñ–∞–π–ª–µ")
        return []
    
    for line in lines[1:]:
        if line.strip():
            parts = line.split('\t')
            if len(parts) >= 10:
                # –û–ø—Ä–µ–¥–µ–ª—è–µ–º –ø–æ—Ä—Ç –≤ –∑–∞–≤–∏—Å–∏–º–æ—Å—Ç–∏ –æ—Ç –ø—Ä–æ—Ç–æ–∫–æ–ª–∞
                protocol = parts[9] if len(parts) > 9 else "Unknown"
                src_port = parts[5] if parts[5] else (parts[7] if parts[7] else "Unknown")
                dst_port = parts[6] if parts[6] else (parts[8] if parts[8] else "Unknown")
                
                ip_info = {
                    'timestamp': parts[0],
                    'source_ip': parts[1],
                    'dest_ip': parts[2],
                    'ip_proto': parts[3],
                    'frame_len': int(parts[4]) if parts[4].isdigit() else 0,
                    'src_port': src_port,
                    'dst_port': dst_port,
                    'protocol': protocol
                }
                ip_data.append(ip_info)
    
    print(f"–ò–∑–≤–ª–µ—á–µ–Ω–æ IP-—Å–æ–µ–¥–∏–Ω–µ–Ω–∏–π: {len(ip_data)}")
    return ip_data

def extract_http_requests(pcap_file, packet_limit=None):
    """
    –ò–∑–≤–ª–µ–∫–∞–µ—Ç HTTP-–∑–∞–ø—Ä–æ—Å—ã –∏–∑ pcap —Ñ–∞–π–ª–∞
    """
    print(f"–ò–∑–≤–ª–µ—á–µ–Ω–∏–µ HTTP-–∑–∞–ø—Ä–æ—Å–æ–≤ –∏–∑ {pcap_file}...")
    
    base_cmd = f"tshark -r {pcap_file} -Y http.request -T fields"
    fields = [
        "-e frame.time",
        "-e ip.src",
        "-e ip.dst",
        "-e http.host",
        "-e http.request.method",
        "-e http.request.uri",
        "-e http.user_agent",
        "-e http.response.code"
    ]
    
    if packet_limit:
        base_cmd += f" -c {packet_limit}"
    
    command = f"{base_cmd} {' '.join(fields)} -E header=y"
    
    output = run_tshark_command(command)
    
    if not output:
        return []
    
    http_data = []
    lines = output.strip().split('\n')
    
    if len(lines) < 2:
        print("–ù–µ—Ç HTTP-–∑–∞–ø—Ä–æ—Å–æ–≤ –≤ —Ñ–∞–π–ª–µ")
        return []
    
    for line in lines[1:]:
        if line.strip():
            parts = line.split('\t')
            if len(parts) >= 8:
                http_info = {
                    'timestamp': parts[0],
                    'source_ip': parts[1],
                    'dest_ip': parts[2],
                    'host': parts[3],
                    'method': parts[4],
                    'uri': parts[5],
                    'user_agent': parts[6],
                    'response_code': parts[7] if len(parts) > 7 else ""
                }
                http_data.append(http_info)
    
    print(f"–ò–∑–≤–ª–µ—á–µ–Ω–æ HTTP-–∑–∞–ø—Ä–æ—Å–æ–≤: {len(http_data)}")
    return http_data

def get_packet_statistics(pcap_file):
    """
    –ü–æ–ª—É—á–∞–µ—Ç –æ–±—â—É—é —Å—Ç–∞—Ç–∏—Å—Ç–∏–∫—É –ø–æ pcap —Ñ–∞–π–ª—É
    """
    print(f"–ü–æ–ª—É—á–µ–Ω–∏–µ —Å—Ç–∞—Ç–∏—Å—Ç–∏–∫–∏ –ø–æ {pcap_file}...")
    
    # –û–±—â–µ–µ –∫–æ–ª–∏—á–µ—Å—Ç–≤–æ –ø–∞–∫–µ—Ç–æ–≤
    cmd_count = f"tshark -r {pcap_file} -q -z io,stat,0"
    output = run_tshark_command(cmd_count)
    
    if output:
        lines = output.split('\n')
        for line in lines:
            if "| Number of packets:" in line:
                parts = line.split(':')
                if len(parts) > 1:
                    packet_count = parts[1].strip().split('|')[0].strip()
                    print(f"–û–±—â–µ–µ –∫–æ–ª–∏—á–µ—Å—Ç–≤–æ –ø–∞–∫–µ—Ç–æ–≤: {packet_count}")
                    return int(packet_count)
    
    # –ï—Å–ª–∏ –Ω–µ —É–¥–∞–ª–æ—Å—å –ø–æ–ª—É—á–∏—Ç—å —á–µ—Ä–µ–∑ —Å—Ç–∞—Ç–∏—Å—Ç–∏–∫—É, –∏—Å–ø–æ–ª—å–∑—É–µ–º –ø—Ä–æ—Å—Ç–æ–π –ø–æ–¥—Å—á–µ—Ç
    cmd_simple = f"tshark -r {pcap_file} -T fields -e frame.number | tail -1"
    output = run_tshark_command(cmd_simple)
    if output and output.strip().isdigit():
        count = int(output.strip())
        print(f"–û–±—â–µ–µ –∫–æ–ª–∏—á–µ—Å—Ç–≤–æ –ø–∞–∫–µ—Ç–æ–≤: {count}")
        return count
    
    print("–ù–µ —É–¥–∞–ª–æ—Å—å –ø–æ–ª—É—á–∏—Ç—å —Å—Ç–∞—Ç–∏—Å—Ç–∏–∫—É –ø–∞–∫–µ—Ç–æ–≤")
    return 0

# =========== –≠–¢–ê–ü 2: –ê–ù–ê–õ–ò–ó –ò –í–´–Ø–í–õ–ï–ù–ò–ï –ü–û–î–û–ó–†–ò–¢–ï–õ–¨–ù–û–ô –ê–ö–¢–ò–í–ù–û–°–¢–ò ===========

def analyze_suspicious_patterns(dns_data, ip_data):
    """
    –ê–Ω–∞–ª–∏–∑–∏—Ä—É–µ—Ç –¥–∞–Ω–Ω—ã–µ –Ω–∞ –Ω–∞–ª–∏—á–∏–µ –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã—Ö –ø–∞—Ç—Ç–µ—Ä–Ω–æ–≤
    """
    print("\n=== –ê–ù–ê–õ–ò–ó –ü–û–î–û–ó–†–ò–¢–ï–õ–¨–ù–´–• –ü–ê–¢–¢–ï–†–ù–û–í ===")
    
    suspicious_ips = []
    suspicious_domains = []
    suspicious_patterns = []
    
    # 1. –ê–Ω–∞–ª–∏–∑ DNS-–∑–∞–ø—Ä–æ—Å–æ–≤
    if dns_data:
        dns_df = pd.DataFrame(dns_data)
        
        # –ß–∞—Å—Ç—ã–µ DNS-–∑–∞–ø—Ä–æ—Å—ã
        domain_counts = dns_df['query_name'].value_counts()
        frequent_domains = domain_counts[domain_counts > 10].index.tolist()
        
        # –ü–æ–∏—Å–∫ –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã—Ö –¥–æ–º–µ–Ω–æ–≤
        for domain in dns_df['query_name'].unique():
            if isinstance(domain, str):
                # –î–ª–∏–Ω–Ω—ã–µ –¥–æ–º–µ–Ω—ã (–≤–æ–∑–º–æ–∂–Ω—ã–π DGA)
                if len(domain) > 50:
                    suspicious_domains.append(domain)
                    suspicious_patterns.append(f"–î–ª–∏–Ω–Ω–æ–µ –¥–æ–º–µ–Ω–Ω–æ–µ –∏–º—è: {domain}")
                
                # –î–æ–º–µ–Ω—ã —Å —Ü–∏—Ñ—Ä–∞–º–∏ (–≤–æ–∑–º–æ–∂–Ω—ã–π DGA)
                import re
                if re.search(r'\d{5,}', domain):
                    suspicious_domains.append(domain)
                    suspicious_patterns.append(f"–î–æ–º–µ–Ω —Å –º–Ω–æ–∂–µ—Å—Ç–≤–æ–º —Ü–∏—Ñ—Ä: {domain}")
                
                # –î–æ–º–µ–Ω—ã —Å —Ä–∞–Ω–¥–æ–º–Ω—ã–º–∏ –ø–æ—Å–ª–µ–¥–æ–≤–∞—Ç–µ–ª—å–Ω–æ—Å—Ç—è–º–∏
                if re.search(r'[a-z]{10,}', domain) and not '.' in domain[10:]:
                    suspicious_domains.append(domain)
                    suspicious_patterns.append(f"–î–æ–º–µ–Ω —Å –¥–ª–∏–Ω–Ω–æ–π –ø–æ—Å–ª–µ–¥–æ–≤–∞—Ç–µ–ª—å–Ω–æ—Å—Ç—å—é –±—É–∫–≤: {domain}")
                
                # –ü–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã–µ TLD
                suspicious_tlds = ['.xyz', '.top', '.club', '.win', '.bid', '.loan', '.date']
                if any(domain.endswith(tld) for tld in suspicious_tlds):
                    suspicious_domains.append(domain)
                    suspicious_patterns.append(f"–î–æ–º–µ–Ω —Å –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã–º TLD: {domain}")
    
    # 2. –ê–Ω–∞–ª–∏–∑ IP-–∞–¥—Ä–µ—Å–æ–≤
    if ip_data:
        ip_df = pd.DataFrame(ip_data)
        
        # IP-–∞–¥—Ä–µ—Å–∞ —Å –±–æ–ª—å—à–∏–º –∫–æ–ª–∏—á–µ—Å—Ç–≤–æ–º —Å–æ–µ–¥–∏–Ω–µ–Ω–∏–π
        src_ip_counts = ip_df['source_ip'].value_counts()
        dest_ip_counts = ip_df['dest_ip'].value_counts()
        
        # –ß–∞—Å—Ç—ã–µ –∏—Å—Ç–æ—á–Ω–∏–∫–∏
        frequent_sources = src_ip_counts[src_ip_counts > 100].index.tolist()
        for ip in frequent_sources:
            suspicious_ips.append(ip)
            suspicious_patterns.append(f"–ß–∞—Å—Ç—ã–π –∏—Å—Ç–æ—á–Ω–∏–∫ —Ç—Ä–∞—Ñ–∏–∫–∞: {ip} ({src_ip_counts[ip]} –ø–∞–∫–µ—Ç–æ–≤)")
        
        # –ß–∞—Å—Ç—ã–µ –ø–æ–ª—É—á–∞—Ç–µ–ª–∏
        frequent_destinations = dest_ip_counts[dest_ip_counts > 100].index.tolist()
        for ip in frequent_destinations:
            if ip not in suspicious_ips:
                suspicious_ips.append(ip)
                suspicious_patterns.append(f"–ß–∞—Å—Ç—ã–π –ø–æ–ª—É—á–∞—Ç–µ–ª—å —Ç—Ä–∞—Ñ–∏–∫–∞: {ip} ({dest_ip_counts[ip]} –ø–∞–∫–µ—Ç–æ–≤)")
        
        # –ü—Ä–∏–≤–∞—Ç–Ω—ã–µ IP-–∞–¥—Ä–µ—Å–∞, –æ–±—â–∞—é—â–∏–µ—Å—è —Å –≤–Ω–µ—à–Ω–∏–º –º–∏—Ä–æ–º
        private_ips = []
        for ip in ip_df['source_ip'].unique():
            if ip and (ip.startswith('10.') or ip.startswith('192.168.') or 
                      (ip.startswith('172.') and 16 <= int(ip.split('.')[1]) <= 31)):
                private_ips.append(ip)
        
        # –ü–æ–∏—Å–∫ –ø—Ä–∏–≤–∞—Ç–Ω—ã—Ö IP, –∫–æ—Ç–æ—Ä—ã–µ –æ–±—â–∞—é—Ç—Å—è —Å –ø—É–±–ª–∏—á–Ω—ã–º–∏
        for _, row in ip_df.iterrows():
            src = row['source_ip']
            dst = row['dest_ip']
            if src in private_ips and dst and not (dst.startswith('10.') or dst.startswith('192.168.') or 
                                                  (dst.startswith('172.') and 16 <= int(dst.split('.')[1]) <= 31)):
                suspicious_patterns.append(f"–ü—Ä–∏–≤–∞—Ç–Ω—ã–π IP {src} –æ–±—Ä–∞—â–∞–µ—Ç—Å—è –∫ –ø—É–±–ª–∏—á–Ω–æ–º—É {dst}")
    
    print(f"–ù–∞–π–¥–µ–Ω–æ –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã—Ö IP-–∞–¥—Ä–µ—Å–æ–≤: {len(suspicious_ips)}")
    print(f"–ù–∞–π–¥–µ–Ω–æ –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã—Ö –¥–æ–º–µ–Ω–æ–≤: {len(suspicious_domains)}")
    
    return suspicious_ips, suspicious_domains, suspicious_patterns

def extract_malicious_indicators(pcap_file):
    """
    –ò–∑–≤–ª–µ–∫–∞–µ—Ç –ø–æ—Ç–µ–Ω—Ü–∏–∞–ª—å–Ω—ã–µ –∏–Ω–¥–∏–∫–∞—Ç–æ—Ä—ã –∫–æ–º–ø—Ä–æ–º–µ—Ç–∞—Ü–∏–∏ (IOCs)
    """
    print("\n=== –ü–û–ò–°–ö –ü–û–¢–ï–ù–¶–ò–ê–õ–¨–ù–´–• –ò–ù–î–ò–ö–ê–¢–û–†–û–í –ö–û–ú–ü–†–û–ú–ï–¢–ê–¶–ò–ò ===")
    
    iocs = {
        'malicious_ips': [],
        'malicious_domains': [],
        'patterns': []
    }
    
    # –ò–∑–≤–µ—Å—Ç–Ω—ã–µ –ø–æ—Ä—Ç—ã –¥–ª—è malware (–ø—Ä–∏–º–µ—Ä—ã)
    malicious_ports = {
        4444: "–ú–µ—Ç–∞—Å–ø–ª–æ–∏—Ç/–ë—ç–∫–¥–æ—Ä",
        5555: "Android ADB/–ë—ç–∫–¥–æ—Ä",
        6666: "IRC –±–æ—Ç–Ω–µ—Ç",
        7777: "–ë—ç–∫–¥–æ—Ä",
        8080: "–ü—Ä–æ–∫—Å–∏/VPN",
        8443: "SSL –±—ç–∫–¥–æ—Ä",
        8888: "–ê–ª—å—Ç–µ—Ä–Ω–∞—Ç–∏–≤–Ω—ã–π HTTP/–ë—ç–∫–¥–æ—Ä",
        9999: "–ë—ç–∫–¥–æ—Ä",
        31337: "–≠–ª–∏—Ç–Ω—ã–π –ø–æ—Ä—Ç/–ë—ç–∫–¥–æ—Ä"
    }
    
    # –ü—Ä–æ–≤–µ—Ä–∫–∞ –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã—Ö –ø–æ—Ä—Ç–æ–≤
    cmd_ports = f"tshark -r {pcap_file} -Y 'tcp.port in {{4444 5555 6666 7777 8080 8443 8888 9999 31337}}' -T fields -e ip.src -e ip.dst -e tcp.port"
    output = run_tshark_command(cmd_ports)
    
    if output:
        lines = output.strip().split('\n')
        for line in lines:
            if line.strip():
                parts = line.split()
                if len(parts) >= 3:
                    src_ip, dst_ip, port = parts[0], parts[1], parts[2]
                    if port in malicious_ports:
                        iocs['patterns'].append(f"–ü–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã–π –ø–æ—Ä—Ç {port} ({malicious_ports[port]}): {src_ip} -> {dst_ip}")
                        iocs['malicious_ips'].extend([src_ip, dst_ip])
    
    # –ü–æ–∏—Å–∫ –∏–∑–≤–µ—Å—Ç–Ω—ã—Ö –≤—Ä–µ–¥–æ–Ω–æ—Å–Ω—ã—Ö –¥–æ–º–µ–Ω–æ–≤ (–ø—Ä–∏–º–µ—Ä—ã)
    malicious_keywords = ['malware', 'exploit', 'backdoor', 'botnet', 'c2', 'command', 'control']
    
    cmd_domains = f"tshark -r {pcap_file} -Y dns -T fields -e dns.qry.name"
    output = run_tshark_command(cmd_domains)
    
    if output:
        domains = output.strip().split('\n')
        for domain in domains:
            if any(keyword in domain.lower() for keyword in malicious_keywords):
                iocs['malicious_domains'].append(domain)
                iocs['patterns'].append(f"–î–æ–º–µ–Ω —Å –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã–º –∫–ª—é—á–µ–≤—ã–º —Å–ª–æ–≤–æ–º: {domain}")
    
    print(f"–ù–∞–π–¥–µ–Ω–æ –ø–æ—Ç–µ–Ω—Ü–∏–∞–ª—å–Ω—ã—Ö –∏–Ω–¥–∏–∫–∞—Ç–æ—Ä–æ–≤: {len(iocs['patterns'])}")
    return iocs

# =========== –≠–¢–ê–ü 3: –í–ò–ó–£–ê–õ–ò–ó–ê–¶–ò–Ø –†–ï–ó–£–õ–¨–¢–ê–¢–û–í ===========

def create_visualizations(dns_data, ip_data, suspicious_ips, suspicious_domains):
    """
    –°–æ–∑–¥–∞–µ—Ç –≤–∏–∑—É–∞–ª–∏–∑–∞—Ü–∏–∏ —Ä–µ–∑—É–ª—å—Ç–∞—Ç–æ–≤ –∞–Ω–∞–ª–∏–∑–∞
    """
    print("\n=== –°–û–ó–î–ê–ù–ò–ï –í–ò–ó–£–ê–õ–ò–ó–ê–¶–ò–ô ===")
    
    # –°–æ–∑–¥–∞–µ–º DataFrame
    dns_df = pd.DataFrame(dns_data) if dns_data else pd.DataFrame()
    ip_df = pd.DataFrame(ip_data) if ip_data else pd.DataFrame()
    
    # –ù–∞—Å—Ç—Ä–æ–π–∫–∞ —Å—Ç–∏–ª—è
    plt.style.use('seaborn-v0_8-darkgrid')
    sns.set_palette("husl")
    
    # –°–æ–∑–¥–∞–µ–º —Ñ–∏–≥—É—Ä—É —Å –Ω–µ—Å–∫–æ–ª—å–∫–∏–º–∏ –≥—Ä–∞—Ñ–∏–∫–∞–º–∏
    fig = plt.figure(figsize=(18, 15))
    fig.suptitle('–ê–ù–ê–õ–ò–ó –°–ï–¢–ï–í–û–ì–û –¢–†–ê–§–ò–ö–ê - –û–¢–ß–ï–¢', fontsize=16, fontweight='bold')
    
    # –ì—Ä–∞—Ñ–∏–∫ 1: DNS –∑–∞–ø—Ä–æ—Å—ã –ø–æ –≤—Ä–µ–º–µ–Ω–∏
    if not dns_df.empty and 'timestamp' in dns_df.columns:
        ax1 = plt.subplot(3, 3, 1)
        try:
            dns_df['timestamp_dt'] = pd.to_datetime(dns_df['timestamp'])
            dns_df['minute'] = dns_df['timestamp_dt'].dt.floor('Min')
            dns_counts = dns_df.groupby('minute').size()
            
            if not dns_counts.empty:
                ax1.plot(dns_counts.index, dns_counts.values, marker='o', linewidth=2, markersize=4)
                ax1.set_title('DNS-–∑–∞–ø—Ä–æ—Å—ã –ø–æ –≤—Ä–µ–º–µ–Ω–∏', fontsize=12, fontweight='bold')
                ax1.set_xlabel('–í—Ä–µ–º—è')
                ax1.set_ylabel('–ö–æ–ª–∏—á–µ—Å—Ç–≤–æ –∑–∞–ø—Ä–æ—Å–æ–≤')
                ax1.tick_params(axis='x', rotation=45)
                ax1.grid(True, alpha=0.3)
        except Exception as e:
            print(f"–û—à–∏–±–∫–∞ –ø—Ä–∏ —Å–æ–∑–¥–∞–Ω–∏–∏ –≥—Ä–∞—Ñ–∏–∫–∞ DNS: {e}")
    
    # –ì—Ä–∞—Ñ–∏–∫ 2: –¢–æ–ø-10 –∑–∞–ø—Ä–∞—à–∏–≤–∞–µ–º—ã—Ö –¥–æ–º–µ–Ω–æ–≤
    if not dns_df.empty and 'query_name' in dns_df.columns:
        ax2 = plt.subplot(3, 3, 2)
        top_domains = dns_df['query_name'].value_counts().head(10)
        
        if not top_domains.empty:
            y_pos = np.arange(len(top_domains))
            bars2 = ax2.barh(y_pos, top_domains.values)
            ax2.set_yticks(y_pos)
            
            # –£–∫–æ—Ä–∞—á–∏–≤–∞–µ–º –¥–ª–∏–Ω–Ω—ã–µ –¥–æ–º–µ–Ω—ã –¥–ª—è –æ—Ç–æ–±—Ä–∞–∂–µ–Ω–∏—è
            labels = [d[:30] + '...' if len(d) > 30 else d for d in top_domains.index]
            ax2.set_yticklabels(labels, fontsize=8)
            ax2.set_title('–¢–æ–ø-10 –∑–∞–ø—Ä–∞—à–∏–≤–∞–µ–º—ã—Ö –¥–æ–º–µ–Ω–æ–≤', fontsize=12, fontweight='bold')
            ax2.set_xlabel('–ö–æ–ª–∏—á–µ—Å—Ç–≤–æ –∑–∞–ø—Ä–æ—Å–æ–≤')
            
            for i, (bar, count) in enumerate(zip(bars2, top_domains.values)):
                ax2.text(count, bar.get_y() + bar.get_height()/2, 
                        f' {count}', va='center', fontsize=8)
    
    # –ì—Ä–∞—Ñ–∏–∫ 3: –†–∞—Å–ø—Ä–µ–¥–µ–ª–µ–Ω–∏–µ –ø—Ä–æ—Ç–æ–∫–æ–ª–æ–≤
    if not ip_df.empty and 'protocol' in ip_df.columns:
        ax3 = plt.subplot(3, 3, 3)
        protocol_counts = ip_df['protocol'].value_counts().head(8)
        
        if not protocol_counts.empty:
            wedges, texts, autotexts = ax3.pie(protocol_counts.values, labels=protocol_counts.index,
                                               autopct='%1.1f%%', startangle=90)
            ax3.set_title('–†–∞—Å–ø—Ä–µ–¥–µ–ª–µ–Ω–∏–µ –ø—Ä–æ—Ç–æ–∫–æ–ª–æ–≤', fontsize=12, fontweight='bold')
            for autotext in autotexts:
                autotext.set_color('white')
                autotext.set_fontweight('bold')
    
    # –ì—Ä–∞—Ñ–∏–∫ 4: –¢–æ–ø-10 IP-–∞–¥—Ä–µ—Å–æ–≤ –∏—Å—Ç–æ—á–Ω–∏–∫–æ–≤
    if not ip_df.empty and 'source_ip' in ip_df.columns:
        ax4 = plt.subplot(3, 3, 4)
        top_sources = ip_df['source_ip'].value_counts().head(10)
        
        if not top_sources.empty:
            x_pos = np.arange(len(top_sources))
            bars4 = ax4.bar(x_pos, top_sources.values)
            ax4.set_title('–¢–æ–ø-10 IP-–∞–¥—Ä–µ—Å–æ–≤ –∏—Å—Ç–æ—á–Ω–∏–∫–æ–≤', fontsize=12, fontweight='bold')
            ax4.set_ylabel('–ö–æ–ª–∏—á–µ—Å—Ç–≤–æ –ø–∞–∫–µ—Ç–æ–≤')
            ax4.set_xticks(x_pos)
            
            # –£–∫–æ—Ä–∞—á–∏–≤–∞–µ–º IP –¥–ª—è –æ—Ç–æ–±—Ä–∞–∂–µ–Ω–∏—è
            labels = [ip[:15] + '...' if len(ip) > 15 else ip for ip in top_sources.index]
            ax4.set_xticklabels(labels, rotation=45, ha='right', fontsize=8)
            
            for bar, count in zip(bars4, top_sources.values):
                height = bar.get_height()
                ax4.text(bar.get_x() + bar.get_width()/2., height + 0.1,
                        f'{count}', ha='center', va='bottom', fontsize=8)
    
    # –ì—Ä–∞—Ñ–∏–∫ 5: –¢–æ–ø-10 IP-–∞–¥—Ä–µ—Å–æ–≤ –ø–æ–ª—É—á–∞—Ç–µ–ª–µ–π
    if not ip_df.empty and 'dest_ip' in ip_df.columns:
        ax5 = plt.subplot(3, 3, 5)
        top_dests = ip_df['dest_ip'].value_counts().head(10)
        
        if not top_dests.empty:
            x_pos = np.arange(len(top_dests))
            bars5 = ax5.bar(x_pos, top_dests.values)
            ax5.set_title('–¢–æ–ø-10 IP-–∞–¥—Ä–µ—Å–æ–≤ –ø–æ–ª—É—á–∞—Ç–µ–ª–µ–π', fontsize=12, fontweight='bold')
            ax5.set_ylabel('–ö–æ–ª–∏—á–µ—Å—Ç–≤–æ –ø–∞–∫–µ—Ç–æ–≤')
            ax5.set_xticks(x_pos)
            
            labels = [ip[:15] + '...' if len(ip) > 15 else ip for ip in top_dests.index]
            ax5.set_xticklabels(labels, rotation=45, ha='right', fontsize=8)
            
            for bar, count in zip(bars5, top_dests.values):
                height = bar.get_height()
                ax5.text(bar.get_x() + bar.get_width()/2., height + 0.1,
                        f'{count}', ha='center', va='bottom', fontsize=8)
    
    # –ì—Ä–∞—Ñ–∏–∫ 6: –†–∞–∑–º–µ—Ä—ã –ø–∞–∫–µ—Ç–æ–≤
    if not ip_df.empty and 'frame_len' in ip_df.columns:
        ax6 = plt.subplot(3, 3, 6)
        # –§–∏–ª—å—Ç—Ä—É–µ–º –≤—ã–±—Ä–æ—Å—ã
        lengths = ip_df['frame_len'].astype(float)
        q1 = lengths.quantile(0.25)
        q3 = lengths.quantile(0.75)
        iqr = q3 - q1
        filtered_lengths = lengths[(lengths >= q1 - 1.5*iqr) & (lengths <= q3 + 1.5*iqr)]
        
        ax6.hist(filtered_lengths, bins=50, alpha=0.7, edgecolor='black')
        ax6.set_title('–†–∞—Å–ø—Ä–µ–¥–µ–ª–µ–Ω–∏–µ —Ä–∞–∑–º–µ—Ä–æ–≤ –ø–∞–∫–µ—Ç–æ–≤', fontsize=12, fontweight='bold')
        ax6.set_xlabel('–†–∞–∑–º–µ—Ä –ø–∞–∫–µ—Ç–∞ (–±–∞–π—Ç—ã)')
        ax6.set_ylabel('–ö–æ–ª–∏—á–µ—Å—Ç–≤–æ –ø–∞–∫–µ—Ç–æ–≤')
        ax6.grid(True, alpha=0.3)
    
    # –ì—Ä–∞—Ñ–∏–∫ 7: –°–µ—Ç–µ–≤–æ–π —Ç—Ä–∞—Ñ–∏–∫ –ø–æ –≤—Ä–µ–º–µ–Ω–∏
    if not ip_df.empty and 'timestamp' in ip_df.columns:
        ax7 = plt.subplot(3, 3, 7)
        try:
            ip_df['timestamp_dt'] = pd.to_datetime(ip_df['timestamp'])
            ip_df['minute'] = ip_df['timestamp_dt'].dt.floor('Min')
            traffic_counts = ip_df.groupby('minute').size()
            
            if not traffic_counts.empty:
                ax7.plot(traffic_counts.index, traffic_counts.values, marker='.', 
                        linewidth=1.5, color='red', alpha=0.7)
                ax7.set_title('–°–µ—Ç–µ–≤–æ–π —Ç—Ä–∞—Ñ–∏–∫ –ø–æ –≤—Ä–µ–º–µ–Ω–∏', fontsize=12, fontweight='bold')
                ax7.set_xlabel('–í—Ä–µ–º—è')
                ax7.set_ylabel('–ü–∞–∫–µ—Ç–æ–≤ –≤ –º–∏–Ω—É—Ç—É')
                ax7.tick_params(axis='x', rotation=45)
                ax7.grid(True, alpha=0.3)
        except Exception as e:
            print(f"–û—à–∏–±–∫–∞ –ø—Ä–∏ —Å–æ–∑–¥–∞–Ω–∏–∏ –≥—Ä–∞—Ñ–∏–∫–∞ —Ç—Ä–∞—Ñ–∏–∫–∞: {e}")
    
    # –ì—Ä–∞—Ñ–∏–∫ 8: –ü–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã–µ –∞–∫—Ç–∏–≤–Ω–æ—Å—Ç–∏
    ax8 = plt.subplot(3, 3, 8)
    categories = ['–ü–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã–µ IP', '–ü–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã–µ –¥–æ–º–µ–Ω—ã']
    values = [len(suspicious_ips), len(suspicious_domains)]
    
    bars8 = ax8.bar(categories, values, color=['#ff6b6b', '#ffa726'])
    ax8.set_title('–ü–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω–∞—è –∞–∫—Ç–∏–≤–Ω–æ—Å—Ç—å', fontsize=12, fontweight='bold')
    ax8.set_ylabel('–ö–æ–ª–∏—á–µ—Å—Ç–≤–æ')
    
    for bar, value in zip(bars8, values):
        height = bar.get_height()
        ax8.text(bar.get_x() + bar.get_width()/2., height + 0.1,
                f'{value}', ha='center', va='bottom', fontsize=10)
    
    # –ì—Ä–∞—Ñ–∏–∫ 9: –¢–∏–ø—ã DNS-–∑–∞–ø—Ä–æ—Å–æ–≤
    if not dns_df.empty and 'query_type' in dns_df.columns:
        ax9 = plt.subplot(3, 3, 9)
        query_types = dns_df['query_type'].value_counts().head(10)
        
        if not query_types.empty:
            # –ú–∞–ø–ø–∏–Ω–≥ —á–∏—Å–ª–æ–≤—ã—Ö —Ç–∏–ø–æ–≤ –∫ –Ω–∞–∑–≤–∞–Ω–∏—è–º
            type_names = {
                '1': 'A',
                '28': 'AAAA',
                '5': 'CNAME',
                '15': 'MX',
                '2': 'NS',
                '16': 'TXT',
                '6': 'SOA',
                '12': 'PTR'
            }
            
            labels = [type_names.get(str(t), str(t)) for t in query_types.index]
            bars9 = ax9.bar(range(len(query_types)), query_types.values)
            ax9.set_title('–¢–∏–ø—ã DNS-–∑–∞–ø—Ä–æ—Å–æ–≤', fontsize=12, fontweight='bold')
            ax9.set_ylabel('–ö–æ–ª–∏—á–µ—Å—Ç–≤–æ –∑–∞–ø—Ä–æ—Å–æ–≤')
            ax9.set_xticks(range(len(query_types)))
            ax9.set_xticklabels(labels, rotation=45, ha='right', fontsize=8)
            
            for bar, count in zip(bars9, query_types.values):
                height = bar.get_height()
                ax9.text(bar.get_x() + bar.get_width()/2., height + 0.1,
                        f'{count}', ha='center', va='bottom', fontsize=8)
    
    plt.tight_layout()
    plt.savefig('network_analysis_report.png', dpi=150, bbox_inches='tight')
    plt.show()
    
    print("‚úì –í–∏–∑—É–∞–ª–∏–∑–∞—Ü–∏–∏ —Å–æ—Ö—Ä–∞–Ω–µ–Ω—ã –≤ 'network_analysis_report.png'")

def save_results_to_files(dns_data, ip_data, suspicious_ips, suspicious_domains, suspicious_patterns):
    """
    –°–æ—Ö—Ä–∞–Ω—è–µ—Ç —Ä–µ–∑—É–ª—å—Ç–∞—Ç—ã –∞–Ω–∞–ª–∏–∑–∞ –≤ —Ñ–∞–π–ª—ã
    """
    print("\n=== –°–û–•–†–ê–ù–ï–ù–ò–ï –†–ï–ó–£–õ–¨–¢–ê–¢–û–í ===")
    
    # –°–æ—Ö—Ä–∞–Ω—è–µ–º DNS-–∑–∞–ø—Ä–æ—Å—ã –≤ CSV
    if dns_data:
        dns_df = pd.DataFrame(dns_data)
        dns_df.to_csv('dns_requests.csv', index=False, encoding='utf-8')
        print(f"‚úì DNS-–∑–∞–ø—Ä–æ—Å—ã —Å–æ—Ö—Ä–∞–Ω–µ–Ω—ã –≤ 'dns_requests.csv' ({len(dns_df)} –∑–∞–ø–∏—Å–µ–π)")
    
    # –°–æ—Ö—Ä–∞–Ω—è–µ–º IP-—Å–æ–µ–¥–∏–Ω–µ–Ω–∏—è –≤ CSV
    if ip_data:
        ip_df = pd.DataFrame(ip_data)
        ip_df.to_csv('ip_connections.csv', index=False, encoding='utf-8')
        print(f"‚úì IP-—Å–æ–µ–¥–∏–Ω–µ–Ω–∏—è —Å–æ—Ö—Ä–∞–Ω–µ–Ω—ã –≤ 'ip_connections.csv' ({len(ip_df)} –∑–∞–ø–∏—Å–µ–π)")
    
    # –°–æ—Ö—Ä–∞–Ω—è–µ–º –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã–µ –Ω–∞—Ö–æ–¥–∫–∏
    with open('suspicious_findings.txt', 'w', encoding='utf-8') as f:
        f.write("="*80 + "\n")
        f.write("–û–¢–ß–ï–¢ –û –ü–û–î–û–ó–†–ò–¢–ï–õ–¨–ù–û–ô –°–ï–¢–ï–í–û–ô –ê–ö–¢–ò–í–ù–û–°–¢–ò\n")
        f.write("="*80 + "\n\n")
        
        f.write("–°–ì–ï–ù–ï–†–ò–†–û–í–ê–ù–û: " + datetime.now().strftime("%Y-%m-%d %H:%M:%S") + "\n")
        f.write("="*80 + "\n\n")
        
        f.write("1. –ü–û–î–û–ó–†–ò–¢–ï–õ–¨–ù–´–ï IP-–ê–î–†–ï–°–ê\n")
        f.write("-" * 40 + "\n")
        if suspicious_ips:
            for ip in suspicious_ips:
                f.write(f"  ‚Ä¢ {ip}\n")
        else:
            f.write("  –ù–µ –æ–±–Ω–∞—Ä—É–∂–µ–Ω–æ\n")
        
        f.write("\n2. –ü–û–î–û–ó–†–ò–¢–ï–õ–¨–ù–´–ï –î–û–ú–ï–ù–ù–´–ï –ò–ú–ï–ù–ê\n")
        f.write("-" * 40 + "\n")
        if suspicious_domains:
            for domain in suspicious_domains[:50]:  # –û–≥—Ä–∞–Ω–∏—á–∏–≤–∞–µ–º –≤—ã–≤–æ–¥
                f.write(f"  ‚Ä¢ {domain}\n")
        else:
            f.write("  –ù–µ –æ–±–Ω–∞—Ä—É–∂–µ–Ω–æ\n")
        
        f.write("\n3. –û–ë–ù–ê–†–£–ñ–ï–ù–ù–´–ï –ü–ê–¢–¢–ï–†–ù–´ –£–ì–†–û–ó\n")
        f.write("-" * 40 + "\n")
        if suspicious_patterns:
            for i, pattern in enumerate(suspicious_patterns[:50], 1):  # –û–≥—Ä–∞–Ω–∏—á–∏–≤–∞–µ–º –≤—ã–≤–æ–¥
                f.write(f"  {i:2d}. {pattern}\n")
        else:
            f.write("  –ù–µ –æ–±–Ω–∞—Ä—É–∂–µ–Ω–æ\n")
        
        f.write("\n" + "="*80 + "\n")
        f.write("–†–ï–ö–û–ú–ï–ù–î–ê–¶–ò–ò –ü–û –ë–ï–ó–û–ü–ê–°–ù–û–°–¢–ò:\n")
        f.write("-" * 40 + "\n")
        f.write("1. –ü—Ä–æ–≤–µ—Ä—å—Ç–µ –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã–µ IP-–∞–¥—Ä–µ—Å–∞ –Ω–∞ blacklists\n")
        f.write("2. –ò—Å—Å–ª–µ–¥—É–π—Ç–µ –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã–µ –¥–æ–º–µ–Ω—ã –Ω–∞ –ø—Ä–µ–¥–º–µ—Ç –≤—Ä–µ–¥–æ–Ω–æ—Å–Ω–æ—Å—Ç–∏\n")
        f.write("3. –ù–∞—Å—Ç—Ä–æ–π—Ç–µ –ø—Ä–∞–≤–∏–ª–∞ —Ñ–∞–π–µ—Ä–≤–æ–ª–∞ –¥–ª—è –±–ª–æ–∫–∏—Ä–æ–≤–∫–∏ –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã—Ö –∞–¥—Ä–µ—Å–æ–≤\n")
        f.write("4. –£—Å—Ç–∞–Ω–æ–≤–∏—Ç–µ –º–æ–Ω–∏—Ç–æ—Ä–∏–Ω–≥ –¥–ª—è –æ–±–Ω–∞—Ä—É–∂–µ–Ω–∏—è –ø–æ–¥–æ–±–Ω—ã—Ö –ø–∞—Ç—Ç–µ—Ä–Ω–æ–≤\n")
        f.write("5. –ü—Ä–æ–≤–µ–¥–∏—Ç–µ –ø—Ä–æ–≤–µ—Ä–∫—É —Å–∏—Å—Ç–µ–º –Ω–∞ –Ω–∞–ª–∏—á–∏–µ –∫–æ–º–ø—Ä–æ–º–µ—Ç–∞—Ü–∏–∏\n")
    
    print("‚úì –ü–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã–µ –Ω–∞—Ö–æ–¥–∫–∏ —Å–æ—Ö—Ä–∞–Ω–µ–Ω—ã –≤ 'suspicious_findings.txt'")
    
    # –°–æ—Ö—Ä–∞–Ω—è–µ–º –∫—Ä–∞—Ç–∫–∏–π –æ—Ç—á–µ—Ç –≤ JSON
    report = {
        'timestamp': datetime.now().isoformat(),
        'suspicious_ips_count': len(suspicious_ips),
        'suspicious_domains_count': len(suspicious_domains),
        'suspicious_patterns_count': len(suspicious_patterns),
        'top_suspicious_ips': suspicious_ips[:10],
        'top_suspicious_domains': suspicious_domains[:10],
        'analysis_summary': {
            'total_dns_queries': len(dns_data) if dns_data else 0,
            'total_ip_connections': len(ip_data) if ip_data else 0,
            'suspicious_activity_detected': len(suspicious_ips) > 0 or len(suspicious_domains) > 0
        }
    }
    
    with open('analysis_report.json', 'w', encoding='utf-8') as f:
        json.dump(report, f, indent=2, ensure_ascii=False)
    
    print("‚úì –ö—Ä–∞—Ç–∫–∏–π –æ—Ç—á–µ—Ç —Å–æ—Ö—Ä–∞–Ω–µ–Ω –≤ 'analysis_report.json'")

def generate_command_line_report(dns_data, ip_data, suspicious_ips, suspicious_domains, iocs):
    """
    –ì–µ–Ω–µ—Ä–∏—Ä—É–µ—Ç –æ—Ç—á–µ—Ç –¥–ª—è –≤—ã–≤–æ–¥–∞ –≤ –∫–æ–º–∞–Ω–¥–Ω–æ–π —Å—Ç—Ä–æ–∫–µ
    """
    print("\n" + "="*80)
    print("–û–¢–ß–ï–¢ –ü–û –ê–ù–ê–õ–ò–ó–£ –°–ï–¢–ï–í–û–ì–û –¢–†–ê–§–ò–ö–ê")
    print("="*80)
    
    # –û–±—â–∞—è —Å—Ç–∞—Ç–∏—Å—Ç–∏–∫–∞
    print(f"\nüìä –û–ë–©–ê–Ø –°–¢–ê–¢–ò–°–¢–ò–ö–ê:")
    print(f"   ‚Ä¢ DNS-–∑–∞–ø—Ä–æ—Å—ã: {len(dns_data)}")
    print(f"   ‚Ä¢ IP-—Å–æ–µ–¥–∏–Ω–µ–Ω–∏—è: {len(ip_data)}")
    
    if ip_data:
        ip_df = pd.DataFrame(ip_data)
        unique_src = ip_df['source_ip'].nunique()
        unique_dst = ip_df['dest_ip'].nunique()
        print(f"   ‚Ä¢ –£–Ω–∏–∫–∞–ª—å–Ω—ã—Ö IP-–∏—Å—Ç–æ—á–Ω–∏–∫–æ–≤: {unique_src}")
        print(f"   ‚Ä¢ –£–Ω–∏–∫–∞–ª—å–Ω—ã—Ö IP-–ø–æ–ª—É—á–∞—Ç–µ–ª–µ–π: {unique_dst}")
    
    # –ü–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω–∞—è –∞–∫—Ç–∏–≤–Ω–æ—Å—Ç—å
    print(f"\n‚ö†Ô∏è  –ü–û–î–û–ó–†–ò–¢–ï–õ–¨–ù–ê–Ø –ê–ö–¢–ò–í–ù–û–°–¢–¨:")
    print(f"   ‚Ä¢ –ü–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã—Ö IP-–∞–¥—Ä–µ—Å–æ–≤: {len(suspicious_ips)}")
    print(f"   ‚Ä¢ –ü–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã—Ö –¥–æ–º–µ–Ω–æ–≤: {len(suspicious_domains)}")
    print(f"   ‚Ä¢ –ò–Ω–¥–∏–∫–∞—Ç–æ—Ä–æ–≤ –∫–æ–º–ø—Ä–æ–º–µ—Ç–∞—Ü–∏–∏: {len(iocs['patterns'])}")
    
    # –¢–æ–ø –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã—Ö IP
    if suspicious_ips:
        print(f"\nüî¥ –¢–û–ü-5 –ü–û–î–û–ó–†–ò–¢–ï–õ–¨–ù–´–• IP-–ê–î–†–ï–°–û–í:")
        for i, ip in enumerate(suspicious_ips[:5], 1):
            print(f"   {i}. {ip}")
    
    # –¢–æ–ø –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã—Ö –¥–æ–º–µ–Ω–æ–≤
    if suspicious_domains:
        print(f"\nüî¥ –¢–û–ü-5 –ü–û–î–û–ó–†–ò–¢–ï–õ–¨–ù–´–• –î–û–ú–ï–ù–û–í:")
        for i, domain in enumerate(suspicious_domains[:5], 1):
            print(f"   {i}. {domain}")
    
    # –ò–Ω–¥–∏–∫–∞—Ç–æ—Ä—ã –∫–æ–º–ø—Ä–æ–º–µ—Ç–∞—Ü–∏–∏
    if iocs['patterns']:
        print(f"\nüö® –û–ë–ù–ê–†–£–ñ–ï–ù–ù–´–ï –ò–ù–î–ò–ö–ê–¢–û–†–´ –ö–û–ú–ü–†–û–ú–ï–¢–ê–¶–ò–ò:")
        for i, pattern in enumerate(iocs['patterns'][:5], 1):
            print(f"   {i}. {pattern}")
    
    # –†–µ–∫–æ–º–µ–Ω–¥–∞—Ü–∏–∏
    print(f"\nüí° –†–ï–ö–û–ú–ï–ù–î–ê–¶–ò–ò:")
    if suspicious_ips or suspicious_domains or iocs['patterns']:
        print("   1. –ù–ï–ú–ï–î–õ–ï–ù–ù–û –ò–°–°–õ–ï–î–û–í–ê–¢–¨ —É–∫–∞–∑–∞–Ω–Ω—ã–µ IP –∏ –¥–æ–º–µ–Ω—ã")
        print("   2. –ü—Ä–æ–≤–µ—Ä–∏—Ç—å —Å–∏—Å—Ç–µ–º—ã –Ω–∞ –Ω–∞–ª–∏—á–∏–µ –≤—Ä–µ–¥–æ–Ω–æ—Å–Ω–æ–≥–æ –ü–û")
        print("   3. –ù–∞—Å—Ç—Ä–æ–∏—Ç—å –ø—Ä–∞–≤–∏–ª–∞ —Ñ–∞–π–µ—Ä–≤–æ–ª–∞ –¥–ª—è –±–ª–æ–∫–∏—Ä–æ–≤–∫–∏ –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã—Ö –∞–¥—Ä–µ—Å–æ–≤")
        print("   4. –£—Å–∏–ª–∏—Ç—å –º–æ–Ω–∏—Ç–æ—Ä–∏–Ω–≥ —Å–µ—Ç–µ–≤–æ–π –∞–∫—Ç–∏–≤–Ω–æ—Å—Ç–∏")
        print("   5. –û–±–Ω–æ–≤–∏—Ç—å –∞–Ω—Ç–∏–≤–∏—Ä—É—Å–Ω—ã–µ –±–∞–∑—ã –∏ –ø—Ä–æ–≤–µ—Å—Ç–∏ –ø–æ–ª–Ω–æ–µ —Å–∫–∞–Ω–∏—Ä–æ–≤–∞–Ω–∏–µ")
    else:
        print("   ‚úÖ –Ø–≤–Ω—ã—Ö –ø—Ä–∏–∑–Ω–∞–∫–æ–≤ –∫–æ–º–ø—Ä–æ–º–µ—Ç–∞—Ü–∏–∏ –Ω–µ –æ–±–Ω–∞—Ä—É–∂–µ–Ω–æ")
        print("   –†–µ–∫–æ–º–µ–Ω–¥—É–µ—Ç—Å—è –ø—Ä–æ–¥–æ–ª–∂–∏—Ç—å —Ä–µ–≥—É–ª—è—Ä–Ω—ã–π –º–æ–Ω–∏—Ç–æ—Ä–∏–Ω–≥")
    
    print("\n" + "="*80)
    print("üìÅ –°–û–ó–î–ê–ù–ù–´–ï –§–ê–ô–õ–´:")
    print("   ‚Ä¢ network_analysis_report.png - –í–∏–∑—É–∞–ª—å–Ω—ã–π –æ—Ç—á–µ—Ç")
    print("   ‚Ä¢ dns_requests.csv - DNS-–∑–∞–ø—Ä–æ—Å—ã")
    print("   ‚Ä¢ ip_connections.csv - IP-—Å–æ–µ–¥–∏–Ω–µ–Ω–∏—è")
    print("   ‚Ä¢ suspicious_findings.txt - –ü–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω—ã–µ –Ω–∞—Ö–æ–¥–∫–∏")
    print("   ‚Ä¢ analysis_report.json - –ö—Ä–∞—Ç–∫–∏–π –æ—Ç—á–µ—Ç –≤ JSON")
    print("="*80)

# =========== –û–°–ù–û–í–ù–ê–Ø –§–£–ù–ö–¶–ò–Ø ===========

def main():
    """
    –û—Å–Ω–æ–≤–Ω–∞—è —Ñ—É–Ω–∫—Ü–∏—è –¥–ª—è –∞–Ω–∞–ª–∏–∑–∞ —Å–µ—Ç–µ–≤–æ–≥–æ –¥–∞–º–ø–∞
    """
    print("="*80)
    print("–ê–ù–ê–õ–ò–ó–ê–¢–û–† –°–ï–¢–ï–í–´–• –î–ê–ú–ü–û–í (TSHARK VERSION)")
    print("="*80)
    
    # –ü—Ä–æ–≤–µ—Ä—è–µ–º, —É—Å—Ç–∞–Ω–æ–≤–ª–µ–Ω –ª–∏ tshark
    if not check_tshark_installed():
        print("‚ùå –û–®–ò–ë–ö–ê: tshark –Ω–µ —É—Å—Ç–∞–Ω–æ–≤–ª–µ–Ω –∏–ª–∏ –Ω–µ –Ω–∞–π–¥–µ–Ω –≤ PATH")
        print("\n–£—Å—Ç–∞–Ω–æ–≤–∏—Ç–µ Wireshark, –∫–æ—Ç–æ—Ä—ã–π –≤–∫–ª—é—á–∞–µ—Ç tshark:")
        print("  Windows: https://www.wireshark.org/download.html")
        print("  Linux: sudo apt-get install wireshark-tshark")
        print("  Mac: brew install wireshark")
        return
    
    print("‚úì tshark –æ–±–Ω–∞—Ä—É–∂–µ–Ω")
    
    # –£–∫–∞–∂–∏—Ç–µ –ø—É—Ç—å –∫ –≤–∞—à–µ–º—É —Ñ–∞–π–ª—É pcapng
    pcap_file = "traffic.pcapng"  # –ó–∞–º–µ–Ω–∏—Ç–µ –Ω–∞ –ø—É—Ç—å –∫ –≤–∞—à–µ–º—É —Ñ–∞–π–ª—É
    
    # –ü—Ä–æ–≤–µ—Ä—è–µ–º —Å—É—â–µ—Å—Ç–≤–æ–≤–∞–Ω–∏–µ —Ñ–∞–π–ª–∞
    if not os.path.exists(pcap_file):
        print(f"\n‚ùå –§–∞–π–ª {pcap_file} –Ω–µ –Ω–∞–π–¥–µ–Ω!")
        print("\n–ü–æ–∂–∞–ª—É–π—Å—Ç–∞:")
        print("  1. –ü–æ–º–µ—Å—Ç–∏—Ç–µ –≤–∞—à pcapng —Ñ–∞–π–ª –≤ —Ç–µ–∫—É—â—É—é –ø–∞–ø–∫—É")
        print("  2. –ü–µ—Ä–µ–∏–º–µ–Ω—É–π—Ç–µ –µ–≥–æ –≤ 'traffic.pcapng'")
        print("  3. –ò–ª–∏ —É–∫–∞–∂–∏—Ç–µ –ø–æ–ª–Ω—ã–π –ø—É—Ç—å –≤ –ø–µ—Ä–µ–º–µ–Ω–Ω–æ–π pcap_file")
        print("\n–ü—Ä–∏–º–µ—Ä—ã —Ç–µ—Å—Ç–æ–≤—ã—Ö —Ñ–∞–π–ª–æ–≤ –º–æ–∂–Ω–æ —Å–∫–∞—á–∞—Ç—å:")
        print("  ‚Ä¢ https://wiki.wireshark.org/SampleCaptures")
        print("  ‚Ä¢ https://www.malware-traffic-analysis.net/")
        return
    
    print(f"‚úì –§–∞–π–ª {pcap_file} –Ω–∞–π–¥–µ–Ω")
    
    # –û–≥—Ä–∞–Ω–∏—á–µ–Ω–∏–µ –∫–æ–ª–∏—á–µ—Å—Ç–≤–∞ –ø–∞–∫–µ—Ç–æ–≤ –¥–ª—è –∞–Ω–∞–ª–∏–∑–∞ (None –¥–ª—è –≤—Å–µ—Ö)
    packet_limit = 10000  # –î–ª—è –±—ã—Å—Ç—Ä–æ–≥–æ –∞–Ω–∞–ª–∏–∑–∞
    
    # –≠–¢–ê–ü 1: –ò–∑–≤–ª–µ—á–µ–Ω–∏–µ –¥–∞–Ω–Ω—ã—Ö
    print("\n" + "="*80)
    print("–≠–¢–ê–ü 1: –ò–ó–í–õ–ï–ß–ï–ù–ò–ï –î–ê–ù–ù–´–• –ò–ó PCAP")
    print("="*80)
    
    dns_data = extract_dns_from_pcap(pcap_file, packet_limit)
    ip_data = extract_ip_connections(pcap_file, packet_limit)
    http_data = extract_http_requests(pcap_file, packet_limit)
    
    if not dns_data and not ip_data:
        print("\n‚ùå –ù–µ —É–¥–∞–ª–æ—Å—å –∏–∑–≤–ª–µ—á—å –¥–∞–Ω–Ω—ã–µ –∏–∑ —Ñ–∞–π–ª–∞")
        print("–ü—Ä–æ–≤–µ—Ä—å—Ç–µ, —á—Ç–æ —Ñ–∞–π–ª —Å–æ–¥–µ—Ä–∂–∏—Ç —Å–µ—Ç–µ–≤–æ–π —Ç—Ä–∞—Ñ–∏–∫")
        return
    
    # –≠–¢–ê–ü 2: –ê–Ω–∞–ª–∏–∑ –ø–æ–¥–æ–∑—Ä–∏—Ç–µ–ª—å–Ω–æ–π –∞–∫—Ç–∏–≤–Ω–æ—Å—Ç–∏
    print("\n" + "="*80)
    print("–≠–¢–ê–ü 2: –ê–ù–ê–õ–ò–ó –ü–û–î–û–ó–†–ò–¢–ï–õ–¨–ù–û–ô –ê–ö–¢–ò–í–ù–û–°–¢–ò")
    print("="*80)
    
    suspicious_ips, suspicious_domains, suspicious_patterns = analyze_suspicious_patterns(dns_data, ip_data)
    
    # –ü–æ–∏—Å–∫ –∏–Ω–¥–∏–∫–∞—Ç–æ—Ä–æ–≤ –∫–æ–º–ø—Ä–æ–º–µ—Ç–∞—Ü–∏–∏
    iocs = extract_malicious_indicators(pcap_file)
    
    # –≠–¢–ê–ü 3: –í–∏–∑—É–∞–ª–∏–∑–∞—Ü–∏—è –∏ —Å–æ—Ö—Ä–∞–Ω–µ–Ω–∏–µ —Ä–µ–∑—É–ª—å—Ç–∞—Ç–æ–≤
    print("\n" + "="*80)
    print("–≠–¢–ê–ü 3: –í–ò–ó–£–ê–õ–ò–ó–ê–¶–ò–Ø –ò –°–û–•–†–ê–ù–ï–ù–ò–ï –†–ï–ó–£–õ–¨–¢–ê–¢–û–í")
    print("="*80)
    
    create_visualizations(dns_data, ip_data, suspicious_ips, suspicious_domains)
    save_results_to_files(dns_data, ip_data, suspicious_ips, suspicious_domains, suspicious_patterns)
    
    # –ì–µ–Ω–µ—Ä–∞—Ü–∏—è –æ—Ç—á–µ—Ç–∞
    generate_command_line_report(dns_data, ip_data, suspicious_ips, suspicious_domains, iocs)
    
    print("\n" + "="*80)
    print("‚úÖ –ê–ù–ê–õ–ò–ó –ó–ê–í–ï–†–®–ï–ù –£–°–ü–ï–®–ù–û!")
    print("="*80)

# –ó–∞–ø—É—Å–∫ –∞–Ω–∞–ª–∏–∑–∞
if __name__ == "__main__":
    main()

Exception in thread Thread-6 (_readerthread):
Traceback (most recent call last):
  File [35m"c:\Users\Selecty\anaconda3\Lib\threading.py"[0m, line [35m1043[0m, in [35m_bootstrap_inner[0m
    [31mself.run[0m[1;31m()[0m
    [31m~~~~~~~~[0m[1;31m^^[0m
  File [35m"c:\Users\Selecty\anaconda3\Lib\site-packages\ipykernel\ipkernel.py"[0m, line [35m766[0m, in [35mrun_closure[0m
    [31m_threading_Thread_run[0m[1;31m(self)[0m
    [31m~~~~~~~~~~~~~~~~~~~~~[0m[1;31m^^^^^^[0m
  File [35m"c:\Users\Selecty\anaconda3\Lib\threading.py"[0m, line [35m994[0m, in [35mrun[0m
    [31mself._target[0m[1;31m(*self._args, **self._kwargs)[0m
    [31m~~~~~~~~~~~~[0m[1;31m^^^^^^^^^^^^^^^^^^^^^^^^^^^^^[0m
  File [35m"c:\Users\Selecty\anaconda3\Lib\subprocess.py"[0m, line [35m1615[0m, in [35m_readerthread[0m
    buffer.append([31mfh.read[0m[1;31m()[0m)
                  [31m~~~~~~~[0m[1;31m^^[0m
  File [35m"<frozen codecs>"[0m, line [35m325[0m, in [35mdecod

–ê–ù–ê–õ–ò–ó–ê–¢–û–† –°–ï–¢–ï–í–´–• –î–ê–ú–ü–û–í (TSHARK VERSION)
‚ùå –û–®–ò–ë–ö–ê: tshark –Ω–µ —É—Å—Ç–∞–Ω–æ–≤–ª–µ–Ω –∏–ª–∏ –Ω–µ –Ω–∞–π–¥–µ–Ω –≤ PATH

–£—Å—Ç–∞–Ω–æ–≤–∏—Ç–µ Wireshark, –∫–æ—Ç–æ—Ä—ã–π –≤–∫–ª—é—á–∞–µ—Ç tshark:
  Windows: https://www.wireshark.org/download.html
  Linux: sudo apt-get install wireshark-tshark
  Mac: brew install wireshark


–Ø –Ω–µ –∑–Ω–∞—é –∫–∞–∫ –µ—â–µ –≤–∏–∑—É–∞–ª–∏–∑–∏—Ä–æ–≤–∞—Ç—å, —Ç–∞–∫ —á—Ç–æ —Ñ–æ—Ä–º–∞–ª—å–Ω–æ –Ω–∞—à–µ–ª —á—Ç–æ —Ç—Ä–µ–±–æ–≤–∞–ª–æ—Å—å.