Convenience functionality to annotate and reduce wireshark captures.
Project description
SharkReduce 🦈🔻
Utility to convert wireshark captures to useful datasets.
Installation
pip install sharkreduce
Steps to create reduced dataset
Step 1: Export capture using tshark
tshark -t e -Ndmnt -r all.pcapng -T fields \
-e frame.time \
-e eth.src_resolved \
-e eth.dst_resolved \
-e _ws.col.Source \
-e _ws.col.Destination \
-e _ws.col.Protocol \
-e tcp.len \
-e udp.length \
-e tcp.srcport \
-e tcp.dstport \
-e udp.srcport \
-e udp.dstport \
-e _ws.col.Time '(eth.type == 0x800) or (eth.type == 0x86dd)' > reduceme.tsv
Step 2: Fill device id file
Sharkreduce requires a device mac-address map file to create pretty reduced output.
Run it once to pre-fill the file with all mac IDs from your capture:
python3 -m sharkreduce -t 60000000 -n devices.yaml reduceme.tsv reduced.tsv
Note: -t 60000000 means that SharkReduce will create reduced bins of
connections up to 60 seconds.
Note: The command will initially create an empty reduced.tsv!
The command will create a file called devices.yaml which looks like this:
devices: []
ignore: {}
unclassified:
some-mac-adress:
- dns-name
- ip-adress
- etc.
For each unclassified mac address, you will see some aliases (IP/Hostname) which helps you to determine which device the MAC belongs to.
If the MAC belongs to a device you want to analyse, think of a good name
and create an entry under devices. Otherwise create an entry under ignored.
Do this for all unclassified MACs:
devices:
SuspiciousDevice:
- some-mac-address
- some-hostname
OtherInterestingDevice:
- other-mac
ignore:
- router-mac-address
- broadcast address
Step 3: Create initial reduced output.
Re-run
python3 -m sharkreduce -t 60000000 -n devices.yaml reduceme.tsv reduced.tsv
This time reduced.tsv should have a lot of data in it, with device identifiers
that look very readable to you.
Step 4: Create/fill activity file
In order to determine activity periods for your devices to correctly
fill the active_use column in the reduced output, you have to create an
activity file. You can initialise the file like this:
python3 -m sharkreduce --init-activity -t 3600000000 -n devices.yaml reduceme.tsv reduced.tsv
This will READ from reduced.tsv to create a file called activity.yaml,
where you can annotate your activity per device in ~1h intervals.
Set the active field to True where you think you have been actively using the device.
Step 5: Re-run sharkreduce with filled activity file
If it exists, sharkreduce will use the content of activity.yaml to
fill the active_use column. So you just need to re-run ...
python3 -m sharkreduce -t 60000000 -n devices.yaml reduceme.tsv reduced.tsv
Note: If you change the devices.yaml you have to re-do steps 3, 4 and 5.
Step 6: Party! 🥳
Your pretty reduced capture with annotated device names and activity is now
stored under reduced.tsv.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
