PAS-8: Rationalise fields in webtraffic.csv



Issue Information

Issue Type: New Feature
Priority: Major
Status: Closed
Reported By: Ben Tasker
Assigned To: Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Done (2015-11-27 13:16:26)
Affects Version: 0.1
Target version: 0.1
Components: Reports
Created: 2015-11-22 11:33:11

Time Spent Working
Estimated: 45 minutes
Remaining: 17 minutes
Logged: 28 minutes


Description
The meaning of a given field in webtraffic.csv currently differs depending on which destination port is in use. The current version was thrown together quickly and simply concatenates the output of the earlier checks, so the column layout depends on which checks produced output.

For example, for an HTTP connection, field 7 holds the request method (e.g. GET). For HTTPS, however, field 7 denotes the ciphersuite in use.

To make the CSV more useful, field definitions should be static across the whole file.


Issue Links

Activity


btasker changed status from 'Open' to 'In Progress'
Given that HTTP traffic currently supplies the most fields, it's probably best to let that take priority, so I think the field structure should be

epoch, src ip, dest ip, src port, dest port, FQDN, HTTP request method, Request Path, HTTP Referer, HTTP useragent, http cookie, SNI Server name, SSL/TLS ciphersuite(s)
The CSV is now structured using the format above. To keep searching the CSV for a FQDN simple, where a name has been extracted from SNI it's also included in the FQDN field.

It does make the SNI hostname field a little redundant, but I figure it's best to leave it in to identify the source (in case some other method of picking out FQDNs is implemented later).
btasker changed status from 'In Progress' to 'Open'
btasker changed timespent from '0 minutes' to '28 minutes'
btasker changed status from 'Open' to 'Resolved'
btasker added 'Done' to resolution
btasker changed status from 'Resolved' to 'Closed'

Repo: PCAPAnalyseandReport
Commit: 974c971423384e722d1c9f43ee4a64e384a4eabb
Author: Ben Tasker <github@<Domain Hidden>>

Date: Tue Nov 24 14:54:41 2015 +0000
Commit Message: Rationalised CSV fields for PAS-8



Modified: PCAP_Analysis.sh





The structure described above has been updated in PAS-10 to be
epoch, ipv4 src ip, ipv4 dest ip, ipv6 src ip, ipv6 dest ip, src port, dest port, FQDN, HTTP request method, Request Path, HTTP Referer, HTTP useragent, http cookie, SNI Server name, SSL/TLS ciphersuite(s)
Re-opening to assign to a component
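As an added illustration of the fixed-column layout described in the two comments above (the original PAS-8 structure and its PAS-10 revision), the following Python is not part of PAS (which is a shell script) and was written for this page. It builds every row from the PAS-10 column order, leaves columns empty when a check produced nothing, copies an SNI-derived name into the FQDN column as the ticket describes, and refuses rows of the wrong width on the way back in. The short column names, the sample HTTP and TLS events and the IP addresses are constructed for the example and are not PAS identifiers or real captures.

```python
import csv
import io

# Column order from the PAS-10 revision of the format quoted above.
# The short column names are assumptions for this example, not PAS's own identifiers.
FIELDS = [
    "epoch", "ipv4_src_ip", "ipv4_dest_ip", "ipv6_src_ip", "ipv6_dest_ip",
    "src_port", "dest_port", "fqdn",
    "http_request_method", "request_path", "http_referer", "http_useragent", "http_cookie",
    "sni_server_name", "tls_ciphersuites",
]


def build_row(event):
    """Map the attributes one check extracted for a connection onto the fixed
    column list. Absent attributes become empty strings, so every row has the
    same width and the same meaning at each position whatever the dest port."""
    row = {name: "" for name in FIELDS}
    for key, value in event.items():
        if key not in row:
            # Refuse unknown attributes rather than appending them and shifting columns.
            raise KeyError(f"unknown attribute {key!r}")
        row[key] = "" if value is None else str(value)
    # As the ticket describes: a name taken from SNI is copied into the FQDN
    # column so one search on that column covers both HTTP and HTTPS traffic.
    if not row["fqdn"] and row["sni_server_name"]:
        row["fqdn"] = row["sni_server_name"]
    return [row[name] for name in FIELDS]


def to_csv_line(event):
    """Serialise one event as a CSV line. csv.writer quotes any value that
    contains a comma (cipher lists, cookies, referers) so column counts stay right."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(build_row(event))
    return buf.getvalue()


def parse_csv_line(line):
    """Parse a line written by to_csv_line back into a dict keyed by column name,
    rejecting rows whose width does not match the fixed schema."""
    values = next(csv.reader([line]))
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(values)}")
    return dict(zip(FIELDS, values))


def search_fqdn(lines, name):
    """Return every parsed row whose FQDN column equals name, regardless of protocol."""
    return [r for r in (parse_csv_line(ln) for ln in lines) if r["fqdn"] == name]


# Constructed sample events standing in for the output of the HTTP and TLS checks.
HTTP_EVENT = {
    "epoch": 1448376881, "ipv4_src_ip": "192.0.2.10", "ipv4_dest_ip": "198.51.100.5",
    "src_port": 51234, "dest_port": 80, "fqdn": "www.example.com",
    "http_request_method": "GET", "request_path": "/index.html",
    "http_referer": "http://www.example.com/", "http_useragent": "curl/7.45.0",
    "http_cookie": "session=abc123; theme=dark",
}
TLS_EVENT = {
    "epoch": 1448376890, "ipv6_src_ip": "2001:db8::10", "ipv6_dest_ip": "2001:db8::5",
    "src_port": 51240, "dest_port": 443, "sni_server_name": "www.example.com",
    "tls_ciphersuites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA",
}
SAMPLE_LINES = [to_csv_line(HTTP_EVENT), to_csv_line(TLS_EVENT)]

if __name__ == "__main__":
    print(",".join(FIELDS))
    for line in SAMPLE_LINES:
        print(line)
    print(len(search_fqdn(SAMPLE_LINES, "www.example.com")), "rows for www.example.com")
```

With this layout field 8 is always the HTTP method (empty for TLS rows) and field 14 is always the ciphersuite list, so a column-based search or a downstream tool never has to know which check produced the row; the width check in parse_csv_line catches the kind of drift the original concatenation caused.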
btasker removed 'Done' from resolution
btasker changed status from 'Closed' to 'Reopened'
btasker changed status from 'Reopened' to 'Resolved'
btasker added 'Done' to resolution
btasker changed status from 'Resolved' to 'Closed'

Work log

Ben Tasker, 2015-11-24 14:56:38
Time Spent: 28 minutes
Log Entry: Implementing change and testing