Skip to content
forked from Enchufa2/Rtins

Tools for Sniffing, Reading, and Parsing Network Packet Capture (PCAP) Files in R

License

Notifications You must be signed in to change notification settings

jimeharrisjr/Rtins

 
 

Repository files navigation

Rtins: Tools for Sniffing, Reading, and Parsing Network Packet Capture (PCAP) Files in R

The Rtins package provides tools for analysing network captures in R on top of libtins, a high-level, multiplatform C++ network packet decoding and crafting library.

Installation

This fork of Rtins requires the data.table R package for accelerated handling of large data sets. (https://cran.r-project.org/web/packages/data.table/index.html) You need to install the libtins library first. And as a minimum requirement, libtins needs the development package of libpcap (or WinPcap for Windows). On Linux,

# install libpcap-devel, openssl-devel is also recommended
git clone https://github.com/mfontanini/libtins.git
mkdir libtins/build
cd libtins/build
cmake .. -DCMAKE_INSTALL_PREFIX=/usr
make
sudo make install

Please, refer to the libtins documentation for the installation in other platforms. Then, Rtins can be installed using devtools:

devtools::install_github("jimeharrisjr/Rtins")

Usage

library(Rtins)

fname <- system.file("pcaps/http.cap", package="Rtins")
pcap <- read_pcap(fname)
head(pcap)
#>       tv_sec tv_usec layer_1_size  layer_1_id       layer_1_src
#> 1 1084443427  311224           62 ETHERNET_II 00:00:01:00:00:00
#> 2 1084443428  222534           62 ETHERNET_II fe:ff:20:00:01:00
#> 3 1084443428  222534           60 ETHERNET_II 00:00:01:00:00:00
#> 4 1084443428  222534          533 ETHERNET_II 00:00:01:00:00:00
#> 5 1084443428  783340           60 ETHERNET_II fe:ff:20:00:01:00
#> 6 1084443428  993643         1434 ETHERNET_II fe:ff:20:00:01:00
#>         layer_1_dst layer_2_size layer_2_id     layer_2_src
#> 1 fe:ff:20:00:01:00           48         IP 145.254.160.237
#> 2 00:00:01:00:00:00           48         IP  65.208.228.223
#> 3 fe:ff:20:00:01:00           40         IP 145.254.160.237
#> 4 fe:ff:20:00:01:00          519         IP 145.254.160.237
#> 5 00:00:01:00:00:00           40         IP  65.208.228.223
#> 6 00:00:01:00:00:00         1420         IP  65.208.228.223
#>       layer_2_dst layer_3_size layer_3_id layer_3_src layer_3_dst
#> 1  65.208.228.223           28        TCP        3372          80
#> 2 145.254.160.237           28        TCP          80        3372
#> 3  65.208.228.223           20        TCP        3372          80
#> 4  65.208.228.223          499        TCP        3372          80
#> 5 145.254.160.237           20        TCP          80        3372
#> 6 145.254.160.237         1400        TCP          80        3372
#>   payload_size
#> 1            0
#> 2            0
#> 3            0
#> 4          479
#> 5            0
#> 6         1380
summary(pcap)
#> File info
#>   Capture file   : /home/xxx/R/x86_64-redhat-linux-gnu-library/3.4/Rtins/pcaps/http.cap
#>   Filter applied : 
#>   Layers decoded : 3
#>   Length (bytes) : 25803
#> 
#> Time info
#>   First packet   : 2004-05-13 10:17:07
#>   Last packet    : 2004-05-13 10:17:37
#> 
#> Statistics
#>   Packets        : 43
#>   Time span (s)  : 30.3937
#>   Average pps    : 1.414767
#>   Average Mbps   : 0.006635848
head(read_pcap(fname, "udp port 53"))
#>       tv_sec tv_usec layer_1_size  layer_1_id       layer_1_src
#> 1 1084443429  864896           89 ETHERNET_II 00:00:01:00:00:00
#> 2 1084443430  225414          188 ETHERNET_II fe:ff:20:00:01:00
#>         layer_1_dst layer_2_size layer_2_id     layer_2_src
#> 1 fe:ff:20:00:01:00           75         IP 145.254.160.237
#> 2 00:00:01:00:00:00          174         IP   145.253.2.203
#>       layer_2_dst layer_3_size layer_3_id layer_3_src layer_3_dst
#> 1   145.253.2.203           55        UDP        3009          53
#> 2 145.254.160.237          154        UDP          53        3009
#>   payload_size
#> 1           47
#> 2          146

You can also sniff, packets, DNS queries, and responses with sniff_pcap, sniff_dns, and sniff_reply functions

pcap<-sniff_pcap('eth0',filter = 'tcp and dst port 80', num=10)
dns<-sniff_dns('eth0', num=5)
dns_reply<-sniff_reply('eth0',num=5)

About

Tools for Sniffing, Reading, and Parsing Network Packet Capture (PCAP) Files in R

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C++ 72.6%
  • R 17.9%
  • M4 9.3%
  • Shell 0.2%