label more IPs with hostnames #2

@crazyideas21

Description

The current version labels IPs with hostnames obtained from DNS and SNI (assuming TLS 1.2). However, there are still cases where the src_hostname or dst_hostname fields are empty, because the parser didn't see any corresponding IP-hostname mappings from DNS and SNI.

Here's one thing the user (say @Rameen-Mahmood) can do to mitigate this issue: Instead of parsing one pcap at a time, you can capture a bunch of pcaps (e.g., repeated experiments from the same app, or running tcpdump on multiple apps) and run this parser on the pcaps at the same time (e.g., python parser.py output.csv *.pcap). In this way, the parser can use DNS/SNI information extracted from one pcap and apply this IP-hostname mapping to other pcaps.

Still, I'd expect a number of IPs with no hostname labels. What I can do to mitigate this situation would be:

  • query against a private passive DNS API to turn these IPs into hostnames (although this process could be error-prone, especially if the IPs are on shared infrastructure)
  • find the reverse DNS data (i.e., PTR records) for unlabeled IP addresses (although this process is moot in cases where the PTR records simply correspond to the IP address, e.g., the PTR record of 54.156.150.34 is ec2-54-156-150-34.compute-1.amazonaws.com, which is not useful, and you could have used the IP address instead)
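As an added example (not code from this parser or from the issue author), the following Python sketch shows the two ideas above: pooling IP-to-hostname evidence from several parsed pcaps so that DNS/SNI seen in one capture labels flows in another, and a PTR fallback that rejects reverse names which merely spell out the IP address (in either octet order). The observation tuples, flows and PTR answers are constructed inline in place of real pcap parsing and resolver queries, and the function names are assumptions of this example, not the project's API.

```python
import re
from collections import defaultdict

# Constructed stand-ins for the DNS answers and TLS SNI values a parser
# would extract from two separate pcaps: (source, ip, hostname).
PCAP_A = [
    ("dns", "93.184.216.34", "example.com."),
    ("sni", "93.184.216.34", "www.example.com"),
]
PCAP_B = [
    ("sni", "151.101.1.69", "stackoverflow.com"),
]

# Constructed flows from PCAP_B only; the first one is labelled purely
# because PCAP_A happened to contain the DNS/SNI evidence for that IP.
FLOWS_B = [
    {"src_ip": "192.168.1.10", "dst_ip": "93.184.216.34"},
    {"src_ip": "192.168.1.10", "dst_ip": "151.101.1.69"},
    {"src_ip": "192.168.1.10", "dst_ip": "54.156.150.34"},
    {"src_ip": "192.168.1.10", "dst_ip": "203.0.113.5"},
]

# Constructed PTR answers (None = NXDOMAIN). In practice these would come
# from socket.gethostbyaddr() or a resolver library.
PTR_RECORDS = {
    "54.156.150.34": "ec2-54-156-150-34.compute-1.amazonaws.com",
    "151.101.1.69": None,
    "203.0.113.5": "api.example.net.",
}


def build_hostname_map(*pcaps):
    """Merge IP -> {hostnames} evidence across any number of parsed pcaps."""
    mapping = defaultdict(set)
    for observations in pcaps:
        for _source, ip, hostname in observations:
            mapping[ip].add(hostname.rstrip(".").lower())
    return mapping


def ptr_encodes_ip(ptr_name, ip):
    """True if the PTR name is just the IP written out, e.g. ec2-54-156-150-34.

    Every run of digits in the name is compared as an integer (so zero-padded
    octets such as 054 still match), and the four octets must appear as a
    consecutive window, in forward or reversed order.
    """
    octets = [int(o) for o in ip.split(".")]
    digit_runs = [int(d) for d in re.findall(r"\d+", ptr_name)]
    for order in (octets, octets[::-1]):
        for i in range(len(digit_runs) - 3):
            if digit_runs[i:i + 4] == order:
                return True
    return False


def label_flows(flows, mapping, ptr_records):
    """Fill src_hostname/dst_hostname from pooled DNS/SNI, then useful PTRs."""
    labelled = []
    for flow in flows:
        row = dict(flow)
        for side in ("src", "dst"):
            ip = row[f"{side}_ip"]
            names = mapping.get(ip)
            if names:
                # An IP may legitimately carry several names; keep them all.
                row[f"{side}_hostname"] = ";".join(sorted(names))
                continue
            ptr = ptr_records.get(ip)
            if ptr and not ptr_encodes_ip(ptr, ip):
                row[f"{side}_hostname"] = ptr.rstrip(".").lower()
            else:
                # No evidence, or a PTR that only restates the address.
                row[f"{side}_hostname"] = ""
        labelled.append(row)
    return labelled


if __name__ == "__main__":
    pooled = build_hostname_map(PCAP_A, PCAP_B)
    for row in label_flows(FLOWS_B, pooled, PTR_RECORDS):
        print(row["dst_ip"], "->", row["dst_hostname"] or "<unlabelled>")
```

The PTR filter is deliberately narrow: it only drops names that embed the address as decimal digit runs, so a hex-encoded or otherwise obfuscated address would still pass and would need an extra rule. Passive DNS lookups would slot in as one more fallback after the PTR step, with the same shared-infrastructure caveat the issue raises.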

Labels: enhancement (New feature or request)
