NSSA-220
Mini Project 2
Packet Capture Analysis Tool
Mini Project 2 Preliminaries
Done in teams of 3 students
Declare your team on myCourses in the Mini Project 2 Teams discussion area
You are required to submit peer reviews as part of this project to encourage reasonable contributions from each team member
Fair warning: do NOT wait to start this project. It will not go well if you do!
This project and peer review forms are due on Sunday 12/9 at 11:59PM
Packet Capture Analysis (PCA)
Network engineers and security analysts often analyze packet captures to understand network activity
Network activity analysis may lead to outcomes such as introducing additional network components for load balancing, adding new routes/paths through the network, or launching further analysis to confirm a network breach
PCA continued
Typically, individuals and organizations will collect packet captures, but do nothing substantial with them
The purpose of this project is to create a Packet Capture Analysis (PCA) tool that computes metrics from these packet captures that could be used in decision making
Network Topology Diagram
Packets were captured at each of the 5 nodes in the topology. ICMP requests were manually sent between nodes using a simple schedule.
Internet Control Message Protocol (ICMP)
ICMP is used alongside the Internet Protocol to send error messages and operational/diagnostic information between devices in a network
We'll focus on the messages generated by the ping program
Echo Request (ICMP Type 8 message)
Echo Reply (ICMP Type 0 message)
Used in tandem to verify connectivity between network devices
Echo Request Example
The Ethernet II frame contains the Destination and Source MAC, followed by the Type field, which indicates the upper layer protocol contained in the frame (IP in this case, indicated by 0x0800). The Frame Check Sequence (FCS) is normally stripped by the NIC before capture, so it is not part of the frame Wireshark shows. Notice that clicking on Ethernet II will highlight the related hex representation of its header at the bottom of the window.
ICMP operates on top of the Internet Protocol (at Layer 3) and is therefore contained within an Ethernet II frame/IP packet
Echo Request Example (cont.)
The IP packet contains all the standard IPv4 header fields. Most notably, the Protocol field (1 for ICMP) that indicates the upper layer protocol used, and the Source and Destination IP addresses. Again, the hex for the IPv4 header is highlighted below.
Echo Request Example (cont.)
The ICMP header shows that this packet is an Echo Request (Type 8) and its sequence number (14). In addition, the ICMP request contains 32 bytes of Data. Notice that the length of the entire FRAME is 74 bytes, but the data portion is only 32 bytes: 14 bytes of Ethernet II header + 20 bytes of IPv4 header + 8 bytes of ICMP header + 32 bytes of data = 74 bytes.
The Echo Request was sent at Time 0.000000. This time indicates the time since the packet capture session was started on the node.
Echo Reply Example
The ICMP header in Packet 2 shows that this packet is an Echo Reply (Type 0) and its sequence number (14). The only way that a node knows that it received a reply to a given Echo Request is by receiving this same sequence number in an Echo Reply from its originally intended destination IP address! The time difference between Packet 1 and 2 is 3.678 ms, which is the round trip time (RTT) for the “ping”.
The combination of Source/Destination IP and sequence number allows you to associate an Echo Request/Reply pair. The ICMP Identifier field (one value per ping process) distinguishes pings from different processes on the same host that may reuse sequence numbers, so include it in the match as well.
PCA Tool
The packet capture analysis tool will consist of three main phases
Packet Filtering: keep only the packets we want to analyze
Packet Parsing: read relevant packet fields into memory for processing
Compute Metrics: using packet fields to compute metrics
Your task is to filter select ICMP packets out of packet captures containing ~8000 packets collected across 5 nodes and compute 13 metrics from them
PCA Phase 1 – Packet Filtering
You'll be given one PCAP file per node (see Node*.pcap) and a raw text file derived from the PCAP (see Node*.txt)
Capture files contain anywhere from 1300-1800 packets
The packet filtering phase will filter the raw text file so that only ICMP Echo Request and ICMP Echo Reply packets remain and are placed in a new filtered output file (Node*_filtered.txt)
PCA Phase 2 – Packet Parsing
Before you can compute metrics, you must parse the filtered raw text files and read packet fields into your tool
You may choose to parse the summary line text or the hex (bonus points will be awarded for parsing the hex)
The fields you need will be determined by the metrics you need to compute
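The following is an added example of Phases 1 and 2 done at the hex level, covering the Ethernet II / IPv4 / ICMP layout walked through in the Echo Request and Echo Reply slides; it is not one of the course's provided .py files. It assumes the raw text for each packet can be reduced to (capture time, frame hex) pairs; the three frames are constructed for the example, with IP and ICMP checksums left as zero because the parser does not verify them.

```python
"""Phases 1 and 2 of the PCA tool at the hex level (added example)."""
from dataclasses import dataclass
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ECHO_REPLY, ECHO_REQUEST = 0, 8


@dataclass
class EchoPacket:
    time: float      # seconds since the node's capture started
    frame_len: int   # bytes as Wireshark reports them (FCS not included)
    src_ip: str
    dst_ip: str
    ttl: int         # IPv4 Time To Live, decremented by each router
    icmp_type: int   # 8 = Echo Request, 0 = Echo Reply
    ident: int       # ICMP Identifier (one per ping process)
    seq: int         # ICMP Sequence Number
    data_len: int    # ICMP payload bytes after the 8-byte echo header


def parse_echo(time, frame):
    """Return an EchoPacket for an ICMP echo frame, or None for anything else.

    Layout: 14-byte Ethernet II header, IPv4 header of IHL*4 bytes,
    8-byte ICMP echo header (Type, Code, Checksum, Identifier, Sequence).
    """
    if len(frame) < 14 + 20 + 8:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ver_ihl, ttl, proto = frame[14], frame[22], frame[23]
    if ver_ihl >> 4 != 4 or proto != IPPROTO_ICMP:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    icmp = 14 + ihl
    if len(frame) < icmp + 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack_from("!BBHHH", frame, icmp)
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        return None
    # Payload size comes from the IP Total Length, so Ethernet padding on
    # short frames (60-byte minimum on the wire) is never counted as data.
    data_len = total_len - ihl - 8
    return EchoPacket(time, len(frame), src_ip, dst_ip, ttl,
                      icmp_type, ident, seq, data_len)


def filter_echo(records):
    """Phase 1: keep only Echo Request / Echo Reply packets, already parsed."""
    kept = []
    for time, hex_dump in records:
        pkt = parse_echo(time, bytes.fromhex(hex_dump))
        if pkt is not None:
            kept.append(pkt)
    return kept


# Constructed 74-byte Echo Request (seq 14, 32 bytes of data), matching the
# slide's numbers: 14 (Ethernet) + 20 (IPv4) + 8 (ICMP) + 32 (data) = 74.
PAYLOAD_HEX = "abcdefghijklmnopqrstuvwabcdefghi".encode().hex()
REQUEST_HEX = ("001122334455" "66778899aabb" "0800"        # dst MAC, src MAC, IPv4
               "4500003c" "12340000" "40010000"            # IHL 5, len 60, TTL 64, proto 1
               "0a00010a" "0a000214"                       # 10.0.1.10 -> 10.0.2.20
               "08000000" "0001000e" + PAYLOAD_HEX)        # type 8, id 1, seq 14
REPLY_HEX = ("66778899aabb" "001122334455" "0800"
             "4500003c" "abcd0000" "3e010000"              # TTL 62 after two routers
             "0a000214" "0a00010a"
             "00000000" "0001000e" + PAYLOAD_HEX)          # type 0, id 1, seq 14
ARP_HEX = ("ffffffffffff" "66778899aabb" "0806"            # EtherType ARP: filtered out
           "0001080006040001" "66778899aabb" "0a00010a"
           "000000000000" "0a00010101"[:8])
SAMPLE_RECORDS = [(0.000000, REQUEST_HEX), (0.000850, ARP_HEX), (0.003678, REPLY_HEX)]

if __name__ == "__main__":
    for pkt in filter_echo(SAMPLE_RECORDS):
        print(pkt)
```

Filtering on the parsed fields rather than on the summary-line text means a frame is only kept when its EtherType, IP Protocol and ICMP Type all agree, so a stray line that merely mentions "ICMP" in a display column cannot slip through.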
PCA Phase 3 – Compute Metrics
All 13 metrics you collect will be on a “per end node” basis. The end nodes in the topology are Nodes 1, 2, 3, 4. Node 5’s capture may be needed to calculate some of these
You will be calculating three categories of metrics
Data size metrics (8 metrics)
Time based metrics (4 metrics)
Distance metric (1 metric)
Data Size Metrics
These metrics indicate how many packets a node sends/receives and the related amount of data/bytes sent/received
Number of Echo Requests sent
Number of Echo Requests received
Number of Echo Replies sent
Number of Echo Replies received
Data Size Metrics (cont.)
Total Echo Request bytes sent
In bytes, based on the size of the "frame"
Total Echo Request bytes received
In bytes, based on the size of the "frame"
Total Echo Request data sent
In bytes, based on amount of data in the ICMP payload
Total Echo Request data received
In bytes, based on amount of data in the ICMP payload
Time Based Metrics
These metrics indicate how “quickly” data is getting through the network in terms of time andrate
Average Ping Round Trip Time (RTT)
Ping RTT is defined as the time between sending an Echo Request packet and receiving a corresponding Echo Reply packet from the destination
Measured in milliseconds
Time Based Metrics (cont.)
Echo Request Throughput (in kB/sec)
Defined as the sum of the frame sizes of all Echo Request packets sent by the node divided by the sum of all Ping RTTs
Echo Request Goodput (in kB/sec)
Defined as the sum of the ICMP payloads of all Echo Request packets sent by the node divided by the sum of all Ping RTTs
Time Based Metrics (cont.)
Average Reply Delay (in microseconds)
Defined as the time between the destination node receiving an Echo Request packet and sending an Echo Reply packet back to the source
Distance Metric
Average number of hops per Echo Request
The hop count of an Echo Request is defined as the number of networks that an Echo Request packet must traverse in order to reach its destination
Hop count will be 1 if the destination is on a node's network or 3 if it has to go through routers to reach its destination
You cannot hard code this logic since it's not accurate for any given network, just this topology. (Hint: think about Node 5 or a field in the IP header)
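The following is an added example of Phase 3, computing all 13 per-end-node metrics from the definitions above and using the Request/Reply pairing rule from the Echo Reply slides; it is not the course's code. It assumes every node's capture has already been filtered and parsed into Echo records, that kB means 1000 bytes, and that hop count is recovered from the IP TTL: the sender's capture shows the TTL a request left with, the destination's capture shows the TTL it arrived with, and each router decrements it by one, so networks crossed = (sent TTL - received TTL) + 1. That gives 1 on a shared LAN and 3 across two routers without hard-coding the topology. The two-node captures are constructed for the example.

```python
"""Phase 3 of the PCA tool: the 13 per-end-node metrics (added example)."""
from collections import namedtuple
from statistics import mean

# One record per Echo Request / Echo Reply, as a hex parser would produce.
Echo = namedtuple("Echo", "time frame_len src dst ttl type ident seq data_len")
REQUEST, REPLY = 8, 0


def _key(p):
    """Identity of one ping: endpoints plus ICMP Identifier and Sequence Number."""
    return (p.src, p.dst, p.ident, p.seq)


def compute_metrics(node_ip, captures):
    """captures maps each node's IP to its Echo list; returns the 13 metrics."""
    cap = captures[node_ip]
    req_sent = [p for p in cap if p.type == REQUEST and p.src == node_ip]
    req_recv = [p for p in cap if p.type == REQUEST and p.dst == node_ip]
    rep_sent = {_key(p): p for p in cap if p.type == REPLY and p.src == node_ip}
    rep_recv = {_key(p): p for p in cap if p.type == REPLY and p.dst == node_ip}

    # RTT: the reply must come from the request's destination and carry the
    # same Identifier and Sequence Number (same ping, same process).
    rtts = [rep_recv[(q.dst, q.src, q.ident, q.seq)].time - q.time
            for q in req_sent if (q.dst, q.src, q.ident, q.seq) in rep_recv]

    # Reply delay is measured inside this node's own capture, as destination,
    # so it never mixes two nodes' capture clocks.
    delays = [rep_sent[(q.dst, q.src, q.ident, q.seq)].time - q.time
              for q in req_recv if (q.dst, q.src, q.ident, q.seq) in rep_sent]

    # Hop count (assumption): TTL sent minus TTL seen in the destination's
    # capture, plus one for the destination network itself.
    hops = []
    for q in req_sent:
        arrived = next((p for p in captures.get(q.dst, [])
                        if p.type == REQUEST and _key(p) == _key(q)), None)
        if arrived is not None:
            hops.append(q.ttl - arrived.ttl + 1)

    rtt_sum = sum(rtts)
    return {
        "echo_requests_sent": len(req_sent),
        "echo_requests_received": len(req_recv),
        "echo_replies_sent": len(rep_sent),
        "echo_replies_received": len(rep_recv),
        "echo_request_bytes_sent": sum(p.frame_len for p in req_sent),
        "echo_request_bytes_received": sum(p.frame_len for p in req_recv),
        "echo_request_data_sent": sum(p.data_len for p in req_sent),
        "echo_request_data_received": sum(p.data_len for p in req_recv),
        "avg_rtt_ms": mean(rtts) * 1e3 if rtts else None,
        # Sum of all request frame sizes (or payloads) over the sum of all
        # RTTs, as defined on the slides; kB/s with kB = 1000 bytes.
        "echo_request_throughput_kBps":
            sum(p.frame_len for p in req_sent) / rtt_sum / 1e3 if rtt_sum else None,
        "echo_request_goodput_kBps":
            sum(p.data_len for p in req_sent) / rtt_sum / 1e3 if rtt_sum else None,
        "avg_reply_delay_us": mean(delays) * 1e6 if delays else None,
        "avg_hops_per_request": mean(hops) if hops else None,
    }


A, B = "10.0.1.10", "10.0.2.20"


def _e(t, src, dst, ttl, typ, ident, seq):
    """74-byte frame carrying 32 bytes of ICMP data, as on the slides."""
    return Echo(t, 74, src, dst, ttl, typ, ident, seq, 32)


# Constructed captures for two end nodes two routers apart. Times are each
# node's own capture clock, so only same-capture differences are meaningful.
SAMPLE_CAPTURES = {
    A: [_e(0.000000, A, B, 64, REQUEST, 1, 14), _e(0.003678, B, A, 62, REPLY, 1, 14),
        _e(1.000000, A, B, 64, REQUEST, 1, 15), _e(1.002322, B, A, 62, REPLY, 1, 15),
        _e(2.500000, B, A, 62, REQUEST, 2, 1),  _e(2.500040, A, B, 64, REPLY, 2, 1)],
    B: [_e(5.001000, A, B, 62, REQUEST, 1, 14), _e(5.001050, B, A, 64, REPLY, 1, 14),
        _e(6.001000, A, B, 62, REQUEST, 1, 15), _e(6.001070, B, A, 64, REPLY, 1, 15),
        _e(7.500000, B, A, 64, REQUEST, 2, 1),  _e(7.502000, A, B, 62, REPLY, 2, 1)],
}

if __name__ == "__main__":
    for node in (A, B):
        print(node, compute_metrics(node, SAMPLE_CAPTURES))
```

Capture clocks on different nodes are not synchronized, which is why RTT and reply delay are each taken from a single node's capture and only the TTL, never a timestamp, is compared across captures. Requests that never got a reply still count toward the byte totals but contribute no RTT, matching the slide definitions.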
General Code Structure
All of your code should originate in a file called packet_analyzer.py
Each project phase should be contained in its own .py file
Packet Filtering in its own .py file
Packet Parsing in its own .py file
Compute Metrics in its own .py file
See the provided .py files for how to properly import the project phase code into the main code
PCA Tool Grading
See Mini Project 2 Grading Sheet for details
You can copy the table from the grading sheet to make your own table to keep track of requirements
Grades may be adjusted based upon peer reviews
Bonus points for heroic effort
(Major) point loss for lack of effort
Project Submission
Submit a single zip file to your group's project submission dropbox
The zip file will contain
All .py files
Five raw input files
Five filtered packet capture files
Output files containing the metrics computed for each end node (format will be provided)
Ask for help!
Don't suffer in silence. Ask me or your TA for help sooner rather than later!
Attend my office hours or the TA's
Make an appointment outside of office hours
Send an email
If you're not sure if you've met a specific requirement, please ask!
Python network case study | Mini Project 2 Preliminaries
2020-01-09