Page 1
A flexible data processing and reporting system for packet capture files
Ignus van Zyl (Iggy)
Overlord Supervisor: Barry Irwin
Page 2
Overview of project
• Internet Background Radiation
• Darknet/Network telescopes
• Packet capture (pcap) files
• Identify dataset trends
• Reporting
Page 3
Datasets being used
Across the 5 datasets (the /24 telescope ranges 146.x.x/24, 155.x.x/24, 196.21.x/24 (1), 196.21.x/24 (2) and 196.24.x/24 compared on the following slides) that means there are 66 207 072 packets to mine for data.
Page 4
Hopefully the end result
• Don't worry, there will be pictures soon
• A web-based system
• Utilising d3 and JSON to create graphs in a web environment
• Maybe even some textual reporting output
• Takes in a pcap, returns a report of interesting data and identified trends
• Identify trends across multiple pcap files
Page 5
System view (diagram). Components: Pcap file, Known security trends, System back-end, Data repository, Web interface, Graph and text output.
Here the pcap is parsed to JSON, pushed through to d3 and graphed before being displayed to the user.
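As an added example of the pipeline this slide describes (this is illustrative code, not the project's own), the following Python parses a classic libpcap file by hand, counts protocols, ports, sources and packet kinds, and emits the top-N rows in the {name, value} shape a d3 bar chart binds to. It assumes classic libpcap format (pcapng is rejected) carrying Ethernet-framed IPv4, tags destination ports 445 and 3389 with the worm associations the deck cites on slide 12, and builds its sample capture in memory from documentation and private addresses, so nothing here is telescope data. The split of TCP packets into probes (bare SYN) and backscatter (SYN/ACK or RST, where the recorded source is the victim of a spoofed-source attack rather than the sender) is added reasoning that follows from the spoofing caveat on slide 6, not a classification the deck itself makes.

```python
"""Parse a libpcap capture into counters and emit the rows a d3 chart binds to.
Added example, not the project's code. Assumes classic libpcap (pcapng is rejected)
with Ethernet-framed IPv4; the capture built at the bottom is constructed in memory."""
import json
import struct
from collections import Counter

ETH_IPV4 = b"\x08\x00"
KNOWN_TRENDS = {445: "Conficker/Sasser (SMB)", 3389: "Morto (RDP)"}  # ports named on slide 12

def iter_frames(data):
    """Yield (ts_sec, frame) for each record of a libpcap blob, either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):    # usec/nsec magic, little-endian
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):  # usec/nsec magic, big-endian
        end = ">"
    else:
        raise ValueError("not a classic libpcap file")
    off = 24  # global header: magic, version, thiszone, sigfigs, snaplen, linktype
    while off + 16 <= len(data):
        ts_sec, _frac, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            break  # truncated final record: stop rather than mis-parse
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Dissect Ethernet/IPv4 and TCP/UDP ports; None for anything else."""
    if len(frame) < 34 or frame[12:14] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    rec = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "proto": ip[9], "sport": None, "dport": None, "kind": "other"}
    l4 = ip[ihl:]
    if rec["proto"] in (6, 17) and len(l4) >= 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
    if rec["proto"] == 6 and len(l4) >= 14:
        syn, ack, rst = l4[13] & 0x02, l4[13] & 0x10, l4[13] & 0x04
        # Bare SYN: a probe aimed at the telescope. SYN/ACK or RST: backscatter, a reply
        # to a packet that spoofed one of our addresses, so its source is the victim.
        rec["kind"] = "syn" if syn and not ack else "backscatter" if ack or rst else "other"
    return rec

def summarise(pcap_bytes):
    """Count protocols, ports, sources and packet kinds across one capture."""
    s = {"packets": 0, "protocols": Counter(), "sports": Counter(),
         "dports": Counter(), "sources": Counter(), "kinds": Counter()}
    for _ts, frame in iter_frames(pcap_bytes):
        s["packets"] += 1
        rec = parse_frame(frame)
        if rec is None:
            s["protocols"]["non-ipv4"] += 1
            continue
        s["protocols"][{1: "icmp", 6: "tcp", 17: "udp"}.get(rec["proto"], str(rec["proto"]))] += 1
        s["sources"][rec["src"]] += 1
        s["kinds"][rec["kind"]] += 1
        if rec["dport"] is not None:
            s["sports"][rec["sport"]] += 1
            s["dports"][rec["dport"]] += 1
    return s

def to_d3(counter, top=10):
    """Top-N rows as [{name, value}] (plus a trend label where the deck names one)."""
    rows = []
    for key, value in counter.most_common(top):
        row = {"name": str(key), "value": value}
        if key in KNOWN_TRENDS:
            row["trend"] = KNOWN_TRENDS[key]
        rows.append(row)
    return rows

def report_json(summary):
    return json.dumps({k: to_d3(v) if isinstance(v, Counter) else v for k, v in summary.items()})

# Constructed sample capture: documentation/private addresses, not telescope data.
def _ipv4(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + ETH_IPV4 + ip + payload

def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

SAMPLE_FRAMES = (
    [_ipv4(f"10.0.0.{i}", f"192.0.2.{i}", 6, _tcp(1024 + i, 445, 0x02)) for i in range(1, 7)]
    + [_ipv4(f"10.0.1.{i}", "192.0.2.9", 6, _tcp(2000 + i, 3389, 0x02)) for i in range(1, 4)]
    + [_ipv4("203.0.113.5", "192.0.2.20", 6, _tcp(80, 40000, 0x12))]  # SYN/ACK: backscatter
    + [_ipv4("203.0.113.5", "192.0.2.21", 17, struct.pack("!HHHH", 53, 33000, 8, 0))]
)
```

`report_json(summarise(build_pcap(SAMPLE_FRAMES)))` gives the document the front end would fetch; for a real 66-million-packet telescope dataset the same counters stream through `iter_frames` one record at a time, so memory stays bounded by the number of distinct keys rather than the capture size. Source-address counts are kept separately from the "kinds" split deliberately: a top-sources chart that mixes probes with backscatter ranks DoS victims alongside scanners.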
Page 6
Comparison of Datasets 146.x.x/24 and 155.x.x/24
Using tables and graphs derived from the pcap files
Remember that source addresses may be spoofed, but the other fields (destination ports, protocols) are what actually arrived at the telescope
Page 7
Source IP addresses recorded
Page 8
Source Ports recorded
Page 9
Destination ports recorded (graph; two data labels, 1346528 and 1097, survive from the figure without their port names)
Page 10
Comparison of graphs for the 196.x darknets
Page 11
Protocols used (graphs for 196.21.x/24 (1), 196.21.x/24 (2) and 196.24.x/24)
Page 12
Why does the graph look like this?
Worms such as Conficker and Sasser target port 445 (SMB)
The Morto worm is known to target port 3389 (RDP)
Page 13
146. vs 155. vs 196. (graphs for 146.x.x/24, 155.x.x/24 and 196.21.x/24 (1))
Page 14
Category A and B
• Able to group datasets into categories
• Idea comes from the Nkumeleni thesis
• Category A is 146.x.x/24 and 155.x.x/24
• Category B is 196.x.x/24
• Groupings are made as a result of packet distribution similarity
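One way to make "packet distribution similarity" concrete, as an added example that is not the project's code nor the method of the thesis the slide cites: treat each dataset's destination-port counts as a probability distribution, measure pairwise Jensen-Shannon distance, and single-link the datasets whose distance falls under a threshold into one category. The per-dataset counts below are constructed so that the two groupings match the slide; they are not the figures from the deck, and the 0.2 threshold is an illustrative choice.

```python
"""Group telescope datasets into categories by how alike their destination-port
distributions are. Added example, not the project's code; the counts below are
constructed to show the grouping and are not the figures from the deck."""
import math
from collections import Counter
from itertools import combinations

def normalise(counter):
    """Turn raw packet counts into a probability distribution over ports."""
    total = sum(counter.values())
    return {k: v / total for k, v in counter.items()}

def js_distance(p, q):
    """Jensen-Shannon distance (base 2): 0.0 for identical, 1.0 for disjoint distributions."""
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in set(p) | set(q)}
    def kl(a):  # KL(a || m); m[k] > 0 wherever a[k] > 0, so the log is defined
        return sum(a[k] * math.log2(a[k] / m[k]) for k in a if a[k] > 0)
    return math.sqrt(max(0.0, 0.5 * kl(p) + 0.5 * kl(q)))

def distance_matrix(datasets):
    """Pairwise JS distance between every two datasets, keyed by (name_a, name_b)."""
    dists = {name: normalise(c) for name, c in datasets.items()}
    return {(a, b): js_distance(dists[a], dists[b]) for a, b in combinations(dists, 2)}

def categorise(datasets, threshold=0.2):
    """Single-link grouping: two datasets closer than `threshold` share a category,
    and categories are named A, B, ... in order of first appearance."""
    parent = {name: name for name in datasets}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for (a, b), d in distance_matrix(datasets).items():
        if d < threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in datasets:
        groups.setdefault(find(name), []).append(name)
    return {chr(ord("A") + i): sorted(members) for i, members in enumerate(groups.values())}

# Constructed destination-port counts (port -> packets) for the five telescopes.
SAMPLE_DATASETS = {
    "146.x.x/24":      Counter({445: 7000, 3389: 1500, 22: 400, 80: 300, 1433: 200, 23: 100}),
    "155.x.x/24":      Counter({445: 6600, 3389: 1700, 22: 450, 80: 350, 1433: 150, 23: 120}),
    "196.21.x/24 (1)": Counter({445: 2000, 3389: 300, 22: 2500, 80: 2200, 1433: 1500, 23: 1200}),
    "196.21.x/24 (2)": Counter({445: 2100, 3389: 350, 22: 2400, 80: 2300, 1433: 1400, 23: 1100}),
    "196.24.x/24":     Counter({445: 1800, 3389: 400, 22: 2600, 80: 2100, 1433: 1600, 23: 1300}),
}
```

Normalising first matters: the telescopes differ in how many packets they saw, and raw counts would group by volume rather than by shape. JS distance is used instead of KL divergence because it is symmetric and stays finite when one dataset saw a port the other never did. Single-link grouping is the simplest choice that needs no fixed number of categories; `categorise(SAMPLE_DATASETS)` returns A for the 146 and 155 ranges and B for the three 196 ranges. Sweep the threshold on real data before trusting a grouping, since single-link will chain datasets through an intermediate one.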
Page 15
Page 16
Questions?