PAS-9: Unique list of IP/Ports

Issue Information

Issue Type: New Feature
 
Priority: Major
Status: Open

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Unresolved
Affects Version: 0.1,
Target version: 0.1,

Created: 2015-11-22 13:10:55
Time Spent Working
Estimated:
 
45 minutes
Remaining:
  
22 minutes
Logged:
  
23 minutes


Description
It'd be good to generate a list of which IP's have been seen connecting to which ports.

Given there might be client connections coming into a monitored system, need to know which end is the destination so that we don't clog up the file with client ports. So it'll have to be based on the initial SYN so that we know exactly who is initiating the connection and what the service port is.


Issue Links

blocks PAS-11: Call TShark only if a relevant port has been observed
Toggle State Changes

Activity


2015-11-25 15:25:03
The changes made in PAS-10 need to be kept in mind. Where observed traffic is IPv4 encapsulated IPv6 we want the list to show the real (i.e. the IPv6) destination and not the tunnel endpoint.

The simplest way to be sure is probably going to be to extract a full list and then have three runs through the data

- Native IPv4
- Native IPv6
- Tunnelled IPv6

We still want to record that the tunnel endpoint was connected to though, so may need to come up with some sort of indicator to mark it as such.

2015-11-25 16:14:52
Data will be output into a new report dest-ip-ports.csv which has the following field structure 
Dest IP, Dest Port, Tunnelled


- For both native IPv4 and IPv6, Tunnelled will be N_
- For IPv4 encapsulated IPv6, _Tunnelled will be Y_
- For IPv4 addresses identified as a tunnel endpoint, port will be empty and _Tunnelled will be _T_

2015-11-25 16:52:16
btasker changed timespent from '0 minutes' to '20 minutes'

2015-11-25 16:53:41

Repo: PCAPAnalyseandReport
Commit: c53b027773a2bcb820df7afb7545257f154e802b
Author: Ben Tasker <github@<Domain Hidden>>

Date: Wed Nov 25 16:51:41 2015 +0000
Commit Message: Generated list of destination IPs and ports for PAS-9



Modified (-)(+)
-------
PCAP_Analysis.sh




Webhook User-Agent 

GitHub-Hookshot/333881f


View Commit


2015-11-25 17:02:36
Still need to take non-TCP traffic into account, though I'd prefer if we can find a way to avoid clogging the CSV with client ports.

I don't want to simply exclude high-numbered ports, because there's nothing to stop you from having something listen on one of those and the resulting traffic would be excluded from the reports.

Ideally it needs to be done in a way that's more or less protocol agnostic. With DNS (for example) we can easily see whether it's a query or a response, but that means that just to generate a list of dest IP/ports the script has to understand every protocol which might be run over UDP.

That said, also want to think about whether other protocols should be included. Recording ICMP echo requests (for example) would introduce a lot of noise, though by the same token there might be cause to be interested in looking at what hosts have been pinged and how regularly (leading up to looking at the ping payloads themselves to see if it's being used for communication). There are other types of ICMP which might be of interest too.


Also, it occurred that the output of this feature can be used to help decide what other tshark runs to perform later in the script, so I've raised PAS-11 to cover the implementation of that. Can't do very much on it until a sensible solution has been found for non-TCP traffic though.

2015-11-25 17:05:41

Repo: PCAPAnalyseandReport
Commit: f0c26c4f8edf91da8f2823af0b5de9cdcf7d27ea
Author: Ben Tasker <github@<Domain Hidden>>

Date: Wed Nov 25 17:04:52 2015 +0000
Commit Message: Updated docs to include dest-ip-ports.csv. See PAS-9



Modified (-)(+)
-------
Docs/Reports.md




Webhook User-Agent 

GitHub-Hookshot/333881f


View Commit


2015-11-25 17:24:32
I've added a new field to the CSV to record the protocol, so that it can more easily be searched/filtered once support for other protocols is added

2015-11-25 17:24:54
btasker changed timespent from '20 minutes' to '23 minutes'

2015-11-25 17:25:41

Repo: PCAPAnalyseandReport
Commit: 41b7cb226c680bfdedbab5c3b10732e29e8ca9f4
Author: Ben Tasker <github@<Domain Hidden>>

Date: Wed Nov 25 17:24:01 2015 +0000
Commit Message: Added Proto field to dest-ip-ports.csv for PAS-9



Modified (-)(+)
-------
Docs/Reports.md
PCAP_Analysis.sh




Webhook User-Agent 

GitHub-Hookshot/333881f


View Commit

Work log

Ben Tasker
 Permalink
2015-11-25 16:52:16

Time Spent: 20 minutes
Log Entry: Implementing and testing
Ben Tasker
 Permalink
2015-11-25 17:24:53

Time Spent: 3 minutes
Log Entry: Adding protocol field to CSV