##########################################################################################

       PAS-9: Unique list of IP/Ports

##########################################################################################


Issue Type: New Feature 
-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major					Status:      Open
Resolution:  Unresolved
Project: PCAP Analysis Script (PAS)


Reported By: btasker					
Assigned To: btasker

Components: 
	- Data Correlation and Extraction 

Affected Versions:		
	- 0.1  			


Targeted for fix in version: 
	- 0.1


Time Estimate: 22 minutes
Time Logged:   23 minutes


-----------------------------------------------------------------------------------------

Issue Description
==================

It'd be good to generate a list of which IP's have been seen connecting to which ports.

Given there might be client connections coming into a monitored system, need to know which
end is the destination so that we don't clog up the file with client ports. So it'll have
to be based on the initial SYN so that we know exactly who is initiating the connection
and what the service port is.

-----------------------------------------------------------------------------------------

Issue Relations
================
	
	- blocks PAS-11: Call TShark only if a relevant port has been observed


-----------------------------------------------------------------------------------------

Activity
==========

	
-----------------------------------------------------------------------------------------
2015-11-25 15:25:03              btasker
-----------------------------------------------------------------------------------------

The changes made in PAS-10 need to be kept in mind. Where observed traffic is IPv4
encapsulated IPv6 we want the list to show the real (i.e. the IPv6) destination and not
the tunnel endpoint.

The simplest way to be sure is probably going to be to extract a full list and then have
three runs through the data

- Native IPv4
- Native IPv6
- Tunnelled IPv6

We still want to record that the tunnel endpoint was connected to though, so may need to
come up with some sort of indicator to mark it as such.
	
-----------------------------------------------------------------------------------------
2015-11-25 16:14:52              btasker
-----------------------------------------------------------------------------------------

Data will be output into a new report _dest-ip-ports.csv_ which has the following field
structure

-- BEGIN SNIPPET --

Dest IP, Dest Port, Tunnelled

 -- END SNIPPET --

- For both native IPv4 and IPv6, _Tunnelled_ will be _N_
- For IPv4 encapsulated IPv6, _Tunnelled_ will be _Y_
- For IPv4 addresses identified as a tunnel endpoint, port will be empty and _Tunnelled_
will be _T_
	
-----------------------------------------------------------------------------------------
2015-11-25 16:52:16              
-----------------------------------------------------------------------------------------

btasker changed timespent from '0 minutes' to '20 minutes'
	
-----------------------------------------------------------------------------------------
2015-11-25 16:53:41              git
-----------------------------------------------------------------------------------------


-- BEGIN QUOTE --


Repo: PCAPAnalyseandReport
Commit: c53b027773a2bcb820df7afb7545257f154e802b
Author: Ben Tasker <github@<Domain Hidden>>

Date: Wed Nov 25 16:51:41 2015 +0000
Commit Message: Generated list of destination IPs and ports for PAS-9



Modified (-)(+)
-------
PCAP_Analysis.sh



-- END QUOTE --

*Webhook User-Agent*


-- BEGIN SNIPPET --

GitHub-Hookshot/333881f
 -- END SNIPPET --

https://github.com/bentasker/PCAPAnalyseandReport/commit/c53b027773a2bcb820df7afb7545257f154e802b


	
-----------------------------------------------------------------------------------------
2015-11-25 17:02:36              btasker
-----------------------------------------------------------------------------------------

Still need to take non-TCP traffic into account, though I'd prefer if we can find a way to
avoid clogging the CSV with client ports.

I don't want to simply exclude high-numbered ports, because there's nothing to stop you
from having something listen on one of those and the resulting traffic would be excluded
from the reports.

Ideally it needs to be done in a way that's more or less protocol agnostic. With DNS (for
example) we can easily see whether it's a query or a response, but that means that just to
generate a list of dest IP/ports the script has to understand every protocol which might
be run over UDP.

That said, also want to think about whether other protocols should be included. Recording
ICMP echo requests (for example) would introduce a lot of noise, though by the same token
there might be cause to be interested in looking at what hosts have been pinged and how
regularly (leading up to looking at the ping payloads themselves to see if it's being used
for communication). There are other types of ICMP which might be of interest too.


Also, it occurred that the output of this feature can be used to help decide what other
tshark runs to perform later in the script, so I've raised PAS-11 to cover the
implementation of that. Can't do very much on it until a sensible solution has been found
for non-TCP traffic though.

	
-----------------------------------------------------------------------------------------
2015-11-25 17:05:41              git
-----------------------------------------------------------------------------------------


-- BEGIN QUOTE --


Repo: PCAPAnalyseandReport
Commit: f0c26c4f8edf91da8f2823af0b5de9cdcf7d27ea
Author: Ben Tasker <github@<Domain Hidden>>

Date: Wed Nov 25 17:04:52 2015 +0000
Commit Message: Updated docs to include dest-ip-ports.csv. See PAS-9



Modified (-)(+)
-------
Docs/Reports.md



-- END QUOTE --

*Webhook User-Agent*


-- BEGIN SNIPPET --

GitHub-Hookshot/333881f
 -- END SNIPPET --

https://github.com/bentasker/PCAPAnalyseandReport/commit/f0c26c4f8edf91da8f2823af0b5de9cdcf7d27ea


	
-----------------------------------------------------------------------------------------
2015-11-25 17:24:32              btasker
-----------------------------------------------------------------------------------------

I've added a new field to the CSV to record the protocol, so that it can more easily be
searched/filtered once support for other protocols is added
	
-----------------------------------------------------------------------------------------
2015-11-25 17:24:54              
-----------------------------------------------------------------------------------------

btasker changed timespent from '20 minutes' to '23 minutes'
	
-----------------------------------------------------------------------------------------
2015-11-25 17:25:41              git
-----------------------------------------------------------------------------------------


-- BEGIN QUOTE --


Repo: PCAPAnalyseandReport
Commit: 41b7cb226c680bfdedbab5c3b10732e29e8ca9f4
Author: Ben Tasker <github@<Domain Hidden>>

Date: Wed Nov 25 17:24:01 2015 +0000
Commit Message: Added Proto field to dest-ip-ports.csv for PAS-9



Modified (-)(+)
-------
Docs/Reports.md
PCAP_Analysis.sh



-- END QUOTE --

*Webhook User-Agent*


-- BEGIN SNIPPET --

GitHub-Hookshot/333881f
 -- END SNIPPET --

https://github.com/bentasker/PCAPAnalyseandReport/commit/41b7cb226c680bfdedbab5c3b10732e29e8ca9f4




-----------------------------------------------------------------------------------------

Worklog
========

 
-----------------------------------------------------------------------------------------
2015-11-25 16:52:16              btasker

20 minutes
-----------------------------------------------------------------------------------------

Implementing and testing
 
-----------------------------------------------------------------------------------------
2015-11-25 17:24:53              btasker

3 minutes
-----------------------------------------------------------------------------------------

Adding protocol field to CSV