Protocol Analysis

How to change the flow key definition?

Hello,

I am working with jnetpcap in my research project and now I have a problem. I read in the javadoc of the JFlowKey definition that the flow key (the flow generation) is based on SRC/DST Ethernet address, SRC/DST IP, SRC/DST port and Layer 4 protocol. The text that I read is the following:

"The criteria used for generating flow-keys is different for each packet based
on protocol headers present in the packet. As an example, a flow-key for a
Ethernet/Ip4/Tcp packet is generated based on source and destination ethernet
addresses, source and destination Ip4 address, the Ip4 protocol/type number
16 which signifies that next protocol is TCP and source and destination TCP
port numbers. The flow-key generated for this example is bidirectional,
meaning that packets belonging to the same TCP conversation in both
directions between System A and System B will have the exact same flow-key
generated."

I need to change the flow definition (the flow key heuristic) and I would like to consider only SRC/DST IP address, SRC/DST port and L4 protocol (TCP/UDP/ICMP); I don't want to include the Ethernet addresses. Is it possible? I was trying but I can't.

I would be very grateful for any possible help because I can't continue my project...

Thank you very much in advance.

Regards.
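The key the question asks for (IP addresses, ports and L4 protocol, without Ethernet addresses) is easy to compute outside the library. The following is an added example written for this page, not jnetpcap's own JFlowKey code: `Packet` is a constructed stand-in for an already-decoded packet, and the sample traffic is made up. It applies the same bidirectional canonicalisation the quoted javadoc describes, so both directions of a conversation map to one key, and treats ICMP (no ports) by fixing both ports to 0.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
import hashlib

# IANA IP protocol numbers for the three transports the question mentions.
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a decoded packet: only the fields the key needs.
    Ethernet addresses are deliberately absent (hypothetical type, not jnetpcap's)."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int = 0  # ICMP has no ports; 0 is used as the placeholder
    dst_port: int = 0


def flow_key(pkt):
    """Bidirectional 5-tuple key: the two (address, port) endpoints are ordered
    so A->B and B->A yield the same tuple.  Addresses are compared as integers,
    so IPv4 and IPv6 both work."""
    a = (int(ip_address(pkt.src_ip)), pkt.src_port)
    b = (int(ip_address(pkt.dst_ip)), pkt.dst_port)
    lo, hi = sorted((a, b))
    return (pkt.proto, lo, hi)


def flow_id(pkt):
    """Short, stable hex identifier derived from the key (handy for logging)."""
    return hashlib.sha256(repr(flow_key(pkt)).encode()).hexdigest()[:16]


def direction(pkt):
    """'fwd' if the packet travels from the lower to the higher endpoint, else 'rev'."""
    key = flow_key(pkt)
    src = (int(ip_address(pkt.src_ip)), pkt.src_port)
    return "fwd" if src == key[1] else "rev"


def group_flows(packets):
    """Bucket packets by flow key; each bucket lists (direction, packet) pairs."""
    flows = defaultdict(list)
    for pkt in packets:
        flows[flow_key(pkt)].append((direction(pkt), pkt))
    return dict(flows)


# Constructed sample traffic: one TCP conversation seen in both directions,
# a UDP exchange between the same addresses/ports, and an ICMP echo pair.
SAMPLE = [
    Packet("10.0.0.1", "10.0.0.2", PROTO_TCP, 40000, 443),
    Packet("10.0.0.2", "10.0.0.1", PROTO_TCP, 443, 40000),
    Packet("10.0.0.1", "10.0.0.2", PROTO_UDP, 40000, 443),
    Packet("10.0.0.1", "10.0.0.2", PROTO_ICMP),
    Packet("10.0.0.2", "10.0.0.1", PROTO_ICMP),
]

if __name__ == "__main__":
    for key, pkts in group_flows(SAMPLE).items():
        print(flow_id(pkts[0][1]), key, [d for d, _ in pkts])
```

The five sample packets collapse into three flows (TCP, UDP, ICMP); the UDP packet gets its own key even though it shares addresses and ports with the TCP conversation, because the protocol number is part of the tuple.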

How to decode the DNS protocol

As said above, how to decode the DNS protocol?
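As an added illustration of what decoding DNS involves (this is example code written for this page, not jnetpcap's DNS decoder), the parser below reads the fixed 12-byte header, the question section and A-record answers of a DNS message, including the name-compression pointers of RFC 1035 that trip up most first attempts. The response message is constructed inline; the answer address is from the 192.0.2.0/24 documentation range.

```python
import struct


def _read_name(msg, off):
    """Decode a DNS name starting at off, following compression pointers
    (RFC 1035 section 4.1.4).  Returns (name, offset just past the name as it
    appears in the message, i.e. after the first pointer if one was used)."""
    labels = []
    end = None   # resume position once a pointer has been followed
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # two-byte compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 64:                  # a pointer loop would never terminate
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                    # root label ends the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", end if end is not None else off


def parse_dns(msg):
    """Parse header, questions and answers; A-record rdata is rendered dotted."""
    tid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    out = {"id": tid, "qr": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
           "rcode": flags & 0xF, "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        out["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:      # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        out["answers"].append((name, rtype, ttl, rdata))
    return out


# Constructed response: id 0x1234, flags QR|RD|RA, one question, one answer
# whose owner name is a pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"
)

# Constructed malformed message: the question name is a pointer to itself.
LOOPING_MESSAGE = b"\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\xc0\x0c"


def is_looping(msg):
    """True if the message cannot be decoded because of a pointer loop."""
    try:
        parse_dns(msg)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(parse_dns(SAMPLE_RESPONSE))
    print("loop detected:", is_looping(LOOPING_MESSAGE))
```

The hop counter matters for anything that ingests packets from the wire: a pointer that refers to itself or to a later pointer is syntactically valid and would otherwise spin the decoder forever.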

Can I create a TCP packet by combining multiple TCP packets together?

Hi All,

I am new to jnetpcap.

I have a pcap file. I want to combine multiple TCP packets (say, some 10 to 20 packets. I know the maximum size of a TCP packet is 64K bytes.) in the pcap file into one TCP packet and save it in another pcap file.

Is it possible to do this using jnetpcap?

Thank you very much!

Differentiate known P2P protocols from botnet traffic

Hi all,
Have you guys heard about botnets? Yes, of course. What about P2P botnets?
There is a new generation of botnets which use P2P networks for their C&C communication system.
I'm doing research on how to differentiate known P2P file-sharing protocol applications from botnet traffic which uses P2P protocols. Which information in the header or payload is only used by P2P file-sharing applications and not by botnets? What is the very obvious difference in packets between those apps' traffic and botnets? Can it be the size of packets? The time gap between data transfers?...

And some P2P botnets are using encryption like AES-256 to encrypt communication between C&C and bots and among bots. Is there any possibility to decrypt that data to find any evidence of their malicious activity?

Any answer would be appreciated, except spamming. You can send spam to my personal Gmail address; I have a special box for those. (Laughing out loud)

Thank you

Looking to get relative pcap timestamp, not arrival timestamp

Hi,

I'm new to JNetPcap. I have used it to reassemble some traffic for compliance purposes in the past, but now I am looking to use it for real time latency analysis for my trading network.

I know in Wireshark, when I open a pcap, there is a hardware-based timestamp from my Myricom SNF card that is 0-indexed, not epoch-indexed. I would like to access this timestamp from JNetPcap, either on a live or an offline interface. Is this possible using JNetPcap, and where would this info be found?

System.out.println("UDP TIMESTAMP " + packet.getCaptureHeader().timestampInMicros());
Yields:

UDP TIMESTAMP 1414030087520274
UDP TIMESTAMP 1414030087520380

My pcap for the packets I am replaying indicates the first packet marked at 0 and the second packet marked at 8 usecs. Is Wireshark using the same info and just 0-indexing it?

Regards,
Michael
