Assessing Outbound Traffic to Uncover Advanced Persistent Threat
Appendix B - trackByGeo.py
import scapy, GeoIP, sys<br />
from scapy.all import *<br />
# Open the legacy MaxMind GeoIP database the library finds by default (no
# path is passed), held fully in memory so per-packet lookups stay cheap.
# NOTE(review): MaxMind no longer distributes the legacy .dat format; a
# current deployment would need the GeoIP2/GeoLite2 reader instead.
gi = GeoIP.new(GeoIP.GEOIP_MEMORY_CACHE)

# Per-country packet tallies keyed by two-letter country code. Filled by
# countPkt() during the read pass, reported by displayResults() afterwards.
dstCnt = dict()
srcCnt = dict()
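def displayResults(dst_counts=None, src_counts=None):
    """Print per-country packet totals, busiest country first.

    Args:
        dst_counts: mapping of country code -> packet count for destination
            addresses. Defaults to the module-level ``dstCnt``.
        src_counts: same for source addresses; defaults to ``srcCnt``.

    Ordering is descending by count, ties broken by country code descending
    (the same order the original tuple-swap sort produced).

    Caveat for the analyst reading the table: a count is per packet, not per
    flow or per byte, so a single large transfer dominates the ranking, and a
    GeoIP answer is where the address is registered, not where the operator
    sits -- a low-count "unusual" country is often the more interesting row.
    """
    if dst_counts is None:
        dst_counts = dstCnt
    if src_counts is None:
        src_counts = srcCnt

    def by_count_desc(counts):
        # Key mirrors the original (count, code) tuple sort so the order of
        # equal counts is unchanged.
        return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]), reverse=True)

    print("[*] Destination IP Address Summary for PCAP.")
    for country, count in by_count_desc(dst_counts):
        print("[*] Destination Country: " + str(country) + ", Packet Count: " + str(count))
    print("")
    print("[*] Source IP Address Summary for PCAP.")
    for country, count in by_count_desc(src_counts):
        print("[*] Source Country: " + str(country) + ", Packet Count: " + str(count))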
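def countPkt(pkt):
    """Tally the GeoIP country of one packet's source and destination.

    Only packets carrying an IP (IPv4) layer are counted; anything else is
    ignored. Addresses the database cannot place return None from the lookup
    (typically private/RFC 1918 ranges, loopback and unallocated space) and
    are dropped as well, so internal-to-internal traffic never appears in the
    summary -- keep that in mind before treating the table as complete.
    Results accumulate in the module-level srcCnt / dstCnt dicts.

    Args:
        pkt: a scapy packet (anything answering haslayer()/getlayer()).
    """
    if not pkt.haslayer(IP):
        # NOTE(review): IPv6 packets carry no IP layer and are skipped
        # entirely; gi is opened on the default database, so counting them
        # would need a separate IPv6 lookup -- confirm whether that matters
        # for the capture being assessed.
        return
    ip = pkt.getlayer(IP)
    src_country = gi.country_code_by_addr(ip.src)
    dst_country = gi.country_code_by_addr(ip.dst)
    if src_country is not None:
        srcCnt[src_country] = srcCnt.get(src_country, 0) + 1
    if dst_country is not None:
        dstCnt[dst_country] = dstCnt.get(dst_country, 0) + 1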
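# main
if __name__ == "__main__":
    # A usage error is a failure: exit non-zero so a calling shell or
    # pipeline does not mistake it for a clean run (the original exited 0).
    if len(sys.argv) != 2:
        print("[*] Usage: trackByGeo.py <pcap>")
        sys.exit(1)
    filename = sys.argv[1]
    # Stream the capture instead of rdpcap(), which materialises every
    # packet in memory; a large capture would exhaust RAM before a single
    # count was printed. countPkt() keeps only the per-country tallies.
    try:
        sniff(offline=filename, prn=countPkt, store=0)
    except (IOError, OSError) as err:
        print("[*] Could not read " + filename + ": " + str(err))
        sys.exit(1)
    displayResults()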