The PCAP-file-parser allows for extracting useful information from pcap files, as well as detecting malicious traffic.

Additionally, it is extensible and new features can be added to it relatively easily.

Extracting info from pcap files

You can run the extract-packet-info.py script to extract various information from all pcap files within a specified folderpath.

python src/extract-packet-info.py --folderpath example-files/input/part1

Extracted information:

1. The number of packets in each PCAP file
2. The number of packets a src IP is associated with
3. The number of packets associated with a specific destination port
4. The number of distinct (src IP, destination port) tuples

Detecting malicious traffic

usage: probe-and-scan-detector.py [-h] -f FILEPATH -t TARGET_IP [-l PROBING_WIDTH] [-m PROBING_MINCOUNT] [-n SCANNING_WIDTH] [-p SCANNING_MINCOUNT]

options:
  -h, --help            show this help message and exit
  -f FILEPATH, --filepath FILEPATH
                        filename
  -t TARGET_IP, --target-ip TARGET_IP
                        target IP address

Probing:
  -l PROBING_WIDTH, --probing-width PROBING_WIDTH
                        width for probing, in seconds
  -m PROBING_MINCOUNT, --probing-mincount PROBING_MINCOUNT
                        minimum number of packets in probing

Scanning:
  -n SCANNING_WIDTH, --scanning-width SCANNING_WIDTH
                        the width for scanning, in portID
  -p SCANNING_MINCOUNT, --scanning-mincount SCANNING_MINCOUNT
                        minimum number of packets in scanning

Scanning

To check whether a target IP (192.168.2.240) had at least 5 distinct ports scanned within 10 seconds, you can run the following:

python3.12 src/probe-and-scan-detector.py -f example-files/input/part2/scanning1.pcap -t 192.168.2.240 --scanning-width 10 --scanning-mincount 5

The output will look similar to the following:

####Scanning####

src_ip='192.168.2.26'
scan_length=1000
Scanned ports: 5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953,954,955,956,957,958,959,960,961,962,963,964,965,966,967,968,969,970,971,972,973,974,975,976,977,978,979,980,981,982,983,984,985,986,987,988,989,990,991,992,993,994,995,996,997,998,999,1000,1001,1002,1003,1004
#######

Probing

To verify if a target IP (192.168.2.240) was probed at least 20 times by the same src IP/port in a span of 100 seconds, you can run the following:

python src/probe-and-scan-detector.py -f example-files/input/part2/probing1.pcap -t 192.168.2.240 --probing-width 100 --probing-mincount 10

The output will look similar to the following:

####Probing####

src_ip='192.168.2.26'
port=22
chunk_length=40
Timestamps: 1521664991.819044,1521664991.819455,1521664991.819509,1521664991.840982,1521664992.70267,1521664992.70685,1521664992.70871,1521664992.90977,1521664992.321619,1521664992.322129,1521664992.3223,1521664992.343946,1521664992.573102,1521664992.573632,1521664992.573748,1521664992.593143,1521664992.824473,1521664992.824848,1521664992.825033,1521664992.844323,1521664993.75882,1521664993.7624,1521664993.76466,1521664993.9696,1521664993.327244,1521664993.327656,1521664993.327761,1521664993.350489,1521664993.578547,1521664993.578972,1521664993.579068,1521664993.599466,1521664993.829928,1521664993.830481,1521664993.830563,1521664993.852564,1521664994.81393,1521664994.81956,1521664994.82082,1521664994.104814

src_ip='172.217.9.234'
port=57153
chunk_length=11
Timestamps: 1521665047.475865,1521665047.494471,1521665047.495125,1521665047.51296,1521665047.512966,1521665047.513078,1521665047.51378,1521665047.515078,1521665047.515134,1521665047.515136,1521665047.534629

If you wish to both check for scanning and probing at once, you can.