TCPDUMP And CICFlowMeter Save
These scripts conduct TCPDUMP in harmony with CICFlowMeter to operation real-time traffic capturing and converting in csv file.
Introduction
This project is about capturing packets flow through a network interface, save each specific-size chunk into a PCAP file, and then automatically convert it to the feature-extracted CSV file by CICFlowMeter-3.0.
The CSV is meant to be analysed for intrusion detection. You can find further detail at the website of CIC.
- This repository is maintained Pasakorn Tiwatthanont, [email protected].
- Thank you for guiding relevant tools to Mr. Preecha Pangsuban [email protected].
Usage
Quick Start
For trying, just run:
try_me.sh
To Run Literally
Calling capture_interface_pcap.sh will capture the packets since the beginning until specific time in the script, periodically. Each time that PCAP file is saved, the script convert_pcap_csv.sh will be called the converter, CICFlowMeter.
capture_interface_pcap.sh <interface> <pcap_output_dir> [priviledged_user_name]
For example:
capture_interface_pcap.sh wlan0 pcap
or
capture_interface_pcap.sh eth0 output_dir bobuser
To Run on Startup
Edit the working directory in file pcap2ciclog.service, and also the executed script shoud be refered with absolute path:
...
[Service]
WorkingDirectory=/home/../../TCPDUMP_and_CICFlowMeter
ExecStart=/home/../../TCPDUMP_and_CICFlowMeter/pcap2ciclog.sh
...
Then, link it into the directory /lib/systemd/system:
cd /lib/systemd/system
sudo ln -sf <the-dir>/pcap2ciclog.service
Enable the service:
sudo systemctl enable pcap2ciclog.service
Finally, let's get started!
sudo systemctl start pcap2ciclog.service
Note on Issues
To Fix the Permission Denied Problem
In some case of using on Ubuntu with Apparmor, you may has a 'permission denied' issue when tcpdump tries to execute a script. It is a security measure. To relax, please add the following line into file /etc/apparmor.d/usr.sbin.tcpdump:
/usr/sbin/tcpdump {
...
# for -z
/**/* ixr, # <-- add me!
...
}
Then, restart the service:
sudo service apparmor restart
To Fix java.lang.UnsatisfiedLinkError Problem
Due to the libpcap-dev package was not installed. The error will be shown:
Exception in thread "main" java.lang.UnsatisfiedLinkError: com.slytechs.library.NativeLibrary.dlopen(Ljava/lang/String;)J
at com.slytechs.library.NativeLibrary.dlopen(Native Method)
at com.slytechs.library.NativeLibrary.<init>(Unknown Source)
at com.slytechs.library.JNILibrary.<init>(Unknown Source)
at com.slytechs.library.JNILibrary.loadLibrary(Unknown Source)
at com.slytechs.library.JNILibrary.register(Unknown Source)
at com.slytechs.library.JNILibrary.register(Unknown Source)
at com.slytechs.library.JNILibrary.register(Unknown Source)
at org.jnetpcap.Pcap.<clinit>(Unknown Source)
at cic.cs.unb.ca.jnetpcap.PacketReader.config(PacketReader.java:58)
at cic.cs.unb.ca.jnetpcap.PacketReader.<init>(PacketReader.java:52)
at cic.cs.unb.ca.ifm.CICFlowMeter.main(CICFlowMeter.java:93)
Please install via:
sudo apt install libpcap-dev
For furture OSs, please follow the guildline on https://javatutorial.net/capture-network-packages-java.
To Build CICFlowMeter Command-line Version
The forked and revised version of ISCX/CICFlowMeter can be found at https://github.com/iPAS/CICFlowMeter. Nevertheless, in case you need to know how to make it by yourself, or if the next version need the maintenance again, the guidance is directed by the following clues.
Get CICFlowMeter
git clone https://github.com/ISCX/CICFlowMeter.git
Then, go inside.
Get Gradle (option)
chmod +x gradlew
./gradlew
However, this is not neccessary in case you already have it.
Update CICFlowMeter
In CICFlowMeter directory, please:
git fetch --all
git reset original/master --hard
All code will be renew as the original repository. All revised files will be gone, even yours.
Build CICFlowMeter
-
Edit the build.gradle file, enable to find JNetPCAP package:
-
Add a new repository:
repositories { ... maven { url "http://clojars.org/repo/" } } -
Reversion the dependency:
dependencies { ... // compile group: 'org.jnetpcap', name: 'jnetpcap', version:'1.4.1' compile group: 'jnetpcap', name: 'jnetpcap', version: '1.4.r1425-1g'
-
-
To make the command-line enable:
-
Change all occurences of the following:
cic.cs.unb.ca.ifm.Appto
cic.cs.unb.ca.ifm.CICFlowMeter -
Exclude the GUI besides include the command-line source file:
sourceSets { main { java { srcDir 'src' // exclude '**/CICFlowMeter.java' exclude '**/App.java' } } } -
Edit the code src/main/java/cic/cs/unb/ca/ifm/CICFlowMeter.java by looking at my CICFlowMeter.java.
-
-
Then, build the project:
gradle build
Test Running CICFlowMeter
-
To run via Gradle:
gradle runThe result might be shown like the following:
type Jar type JavaExec :compileJava UP-TO-DATE :processResources UP-TO-DATE :classes UP-TO-DATE :run cic.cs.unb.ca.ifm.CICFlowMeter Sorry,no pcap files can be found under: <...some path...> BUILD SUCCESSFUL Total time: 0.936 secs
Install
The built package is in directory CICFlowMeter_repo/build/distributions/. Get and place in a directory that fit.
Update the Runner Script
After the distribution package was gotten, unpack and revise the code in script CICFlowMeter-3.0/bin/CICFlowMeter:
-
Change the reference to libraries with real path:
DEFAULT_JVM_OPTS='"-Djava.library.path=../lib/native"'to
DEFAULT_JVM_OPTS='"-Djava.library.path='$APP_HOME/lib/native'"' -
Call to command-line instead of GUI application:
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $CIC_FLOW_METER_OPTS -classpath "\"$CLASSPATH\"" cic.cs.unb.ca.ifm.App "$APP_ARGS"to
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $CIC_FLOW_METER_OPTS -classpath "\"$CLASSPATH\"" cic.cs.unb.ca.ifm.CICFlowMeter "$APP_ARGS"
To Build CICFlowMeter-4
- gradle and maven are required
Open Source Agenda Badge
