##########################################################################################
PAS-8: Rationalise fields in webtraffic.csv
##########################################################################################

Issue Type: New Feature

-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major
Status: Closed
Resolution: Done (2015-11-27 13:16:26)
Project: PCAP Analysis Script (PAS)
Reported By: btasker
Assigned To: btasker
Components:
- Reports
Affected Versions:
- 0.1
Targeted for fix in version:
- 0.1
Time Estimate: 17 minutes
Time Logged: 28 minutes

-----------------------------------------------------------------------------------------

Issue Description
==================

The meaning of a specific field in _webtraffic.csv_ currently differs depending on which destination port is being used - the current version was thrown together quickly and simply concatenates the output of earlier checks. For example, for an HTTP connection, field 7 shows the request method (e.g. GET). However, for HTTPS, field 7 denotes the ciphersuite in use.
To make the CSV more useful, field definitions should be static across the file.

-----------------------------------------------------------------------------------------

Issue Relations
================

- relates to PAS-10: Take encapsulated IPv6 Traffic into account

-----------------------------------------------------------------------------------------

Activity
==========

-----------------------------------------------------------------------------------------
2015-11-24 14:27:43
-----------------------------------------------------------------------------------------

btasker changed status from 'Open' to 'In Progress'

-----------------------------------------------------------------------------------------
2015-11-24 14:29:31 btasker
-----------------------------------------------------------------------------------------

Given that HTTP traffic currently supplies the most fields, it's probably best to let that take priority, so I think the field structure should be

-- BEGIN SNIPPET --
epoch,src ip,dest ip, src port, dest port, FQDN, HTTP request method, Request Path, HTTP Referer, HTTP useragent, http cookie, SNI Server name, SSL/TLS ciphersuite(s)
-- END SNIPPET --

-----------------------------------------------------------------------------------------
2015-11-24 14:55:55 btasker
-----------------------------------------------------------------------------------------

The CSV is now structured using the format above. To keep searching the CSV for a FQDN simple, where a name has been extracted from SNI it's also included in the FQDN field.
It does make the SNI hostname field a little redundant, but I figure it's best to leave it in to identify the source (in case some other method of picking out FQDNs is implemented later).

-----------------------------------------------------------------------------------------
2015-11-24 14:56:01
-----------------------------------------------------------------------------------------

btasker changed status from 'In Progress' to 'Open'

-----------------------------------------------------------------------------------------
2015-11-24 14:56:38
-----------------------------------------------------------------------------------------

btasker changed timespent from '0 minutes' to '28 minutes'

-----------------------------------------------------------------------------------------
2015-11-24 14:56:52
-----------------------------------------------------------------------------------------

btasker changed status from 'Open' to 'Resolved'

-----------------------------------------------------------------------------------------
2015-11-24 14:56:52
-----------------------------------------------------------------------------------------

btasker added 'Done' to resolution

-----------------------------------------------------------------------------------------
2015-11-24 14:56:58
-----------------------------------------------------------------------------------------

btasker changed status from 'Resolved' to 'Closed'

-----------------------------------------------------------------------------------------
2015-11-24 15:55:41 git
-----------------------------------------------------------------------------------------

-- BEGIN QUOTE --
Repo: PCAPAnalyseandReport
Commit: 974c971423384e722d1c9f43ee4a64e384a4eabb
Author: Ben Tasker
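The fixed 13-column layout proposed in the 14:29:31 comment, with the SNI name copied into the FQDN column as described in the 14:55:55 comment, as an added worked example in Python. This is not the PAS project's own code: the helper names (http_row, tls_row, write_webtraffic, read_webtraffic, hosts_in), the sample records and the choice of ';' to join several ciphersuites inside one field are all constructed here for illustration; the issue says only "ciphersuite(s)" and does not fix a delimiter.

```python
import csv
import io

# Column layout from the 14:29:31 comment. Every row carries exactly these
# 13 fields whether the connection was plaintext HTTP or TLS, so field 7
# (1-indexed) is always the request method and field 13 always the ciphersuite.
FIELDS = [
    "epoch", "src ip", "dest ip", "src port", "dest port", "FQDN",
    "HTTP request method", "Request Path", "HTTP Referer", "HTTP useragent",
    "http cookie", "SNI Server name", "SSL/TLS ciphersuite(s)",
]


def _blank_row():
    """A row with every column present but empty; protocol-specific
    builders fill in only the columns they know about."""
    return {name: "" for name in FIELDS}


def http_row(epoch, src, dst, sport, dport, host, method, path,
             referer="", useragent="", cookie=""):
    """Row for a plaintext HTTP request (hypothetical helper).
    The FQDN comes from the Host header; the TLS columns stay empty."""
    row = _blank_row()
    row.update({
        "epoch": epoch, "src ip": src, "dest ip": dst,
        "src port": str(sport), "dest port": str(dport),
        "FQDN": host, "HTTP request method": method, "Request Path": path,
        "HTTP Referer": referer, "HTTP useragent": useragent,
        "http cookie": cookie,
    })
    return row


def tls_row(epoch, src, dst, sport, dport, sni, ciphersuites):
    """Row for a TLS connection (hypothetical helper).
    The SNI name is copied into FQDN so one column can be searched for
    hostnames; the SNI column is kept to record where the name came from.
    Several ciphersuites are joined with ';' (an assumption) so they remain
    a single CSV field and the column count never changes."""
    row = _blank_row()
    row.update({
        "epoch": epoch, "src ip": src, "dest ip": dst,
        "src port": str(sport), "dest port": str(dport),
        "FQDN": sni, "SNI Server name": sni,
        "SSL/TLS ciphersuite(s)": ";".join(ciphersuites),
    })
    return row


def write_webtraffic(rows):
    """Serialise rows to CSV text. csv.DictWriter quotes any value that
    contains a comma or quote (cookies and user agents often do), and
    raises ValueError if a row carries a key outside FIELDS."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow(row)
    return buf.getvalue()


def read_webtraffic(csv_text):
    """Parse CSV text back into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def hosts_in(csv_text):
    """Return every hostname seen, from HTTP and TLS rows alike, by reading
    just the FQDN column; this is the search the 14:55:55 comment keeps simple."""
    return {r["FQDN"] for r in read_webtraffic(csv_text) if r["FQDN"]}


def demo():
    # Constructed sample records, not taken from a real capture.
    rows = [
        http_row("1448371200", "192.0.2.10", "198.51.100.5", 51234, 80,
                 "www.example.com", "GET", "/index.html",
                 useragent="Mozilla/5.0 (X11; Linux x86_64)",
                 cookie="a=1; b=2"),
        tls_row("1448371201", "192.0.2.10", "198.51.100.6", 51235, 443,
                "secure.example.net",
                ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_RSA_WITH_AES_128_CBC_SHA"]),
    ]
    return write_webtraffic(rows)


if __name__ == "__main__":
    print(demo())
```

Leaving the inapplicable columns as empty strings rather than omitting them is what makes the layout static: a consumer can index a fixed column without first checking the destination port, and a row with a different column count becomes an error at write time instead of a silently misread field.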