
I have an hour long PCAP file which has about 60 individual network attacks done on our test network here at work. Each attack comes from a unique IP address which was not used elsewhere during the hour.

I'd like to make 60 pcaps out of this one file, but also include the background traffic as well.

There's no real pattern to when the attacks occur (i.e. there could be 6 in the first minute, and then 1 could run for the next 10 minutes).

I can separate into files which just capture the attack, but I'm really interested in having the background traffic there as well.

To clarify my reason for needing this, I am using this data to attempt to train a machine learning based network sensor.

Evan
  • So you want to separate them into timeframes that the attacks occurred? Check out [tshark](http://www.wireshark.org/docs/man-pages/tshark.html) – resmon6 Apr 30 '12 at 17:19
  • What do you mean by "background traffic"? Are the attack source IPs in a single subnet? – mgorven May 01 '12 at 00:43
  • @resmon6 Yes, I want to separate them into timeframes, but I don't have consistent time intervals which work for this. I've looked at tshark and editcap, but neither provides the functionality I need. I ended up manually finding good times to cut the pcap and then using tshark to cut at those times. – Evan May 01 '12 at 05:48
  • @mgorven The pcap is from the entrance router to a /24 subnet which is communicating with several other subnets on the network. The attacks are coming from a unique /24, but I want to include the non-attack traffic in each individual pcap and not just the traffic from the unique attacking IP. – Evan May 01 '12 at 05:50

3 Answers


Assuming that you have the list of attack IPs in a file named attack-ips, the raw dump in capture.pcap, and that the attack range is 1.0.0.0/24, the following script using tcpdump should accomplish this:

while read ATTACKIP; do
    tcpdump -n -r capture.pcap -w "$ATTACKIP.pcap" "host $ATTACKIP or not net 1.0.0.0/24"
done < attack-ips

The filter selects traffic which is either to or from the attack IP, or neither to nor from the attack range (to exclude all the other attack IPs).

mgorven
  • Thanks, this is simple and easy way to go about it. Do you know a way to pull the time from the last occurrence of a particular IP? – Evan May 01 '12 at 06:15
  • `tcpdump -n -r capture.pcap host $ATTACKIP | tail -n1 | awk '{print $1}'` – mgorven May 01 '12 at 06:24
  • Awesome. I need to get better at using the tools at my disposal. This helps immensely. – Evan May 01 '12 at 06:36
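The filter from this answer, and the last-seen one-liner from its comments, as an added example that is not part of the original answer: it reimplements the BPF predicate `host $ATTACKIP or not net 1.0.0.0/24` and the "timestamp of the last packet involving this IP" lookup in plain Python over a small constructed pcap, so it runs offline without tcpdump. The packet builder, the attacker addresses in 1.0.0.0/24, the 10.0.0.0/24 victims and all function names are assumptions made for illustration, and the parser deliberately handles only classic little-endian pcap with Ethernet/IPv4 frames.

```python
"""Added example (not from the original answers): split one pcap into per-attacker
captures that keep the background traffic, and report when each attacker was last
seen. Reimplements  tcpdump 'host ATTACKIP or not net ATTACKNET'  in pure Python over
a constructed in-memory pcap so it runs offline; IPv4-over-Ethernet only (assumption).
"""
import ipaddress
import struct

ETH_IPV4 = 0x0800
PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond pcap, written little-endian below


def build_packet(src, dst):
    """Minimal Ethernet + IPv4 header with no payload; fields we never read are zero."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 6, 0,          # ver/ihl, tos, len, id, frag, ttl, proto, csum
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return eth + ip


def build_pcap(packets):
    """packets: iterable of (timestamp_seconds, raw_frame) -> bytes of a pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts, raw in packets:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(raw), len(raw)) + raw)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp, raw_frame) records from a pcap produced by build_pcap."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic (only little-endian microsecond pcap)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1_000_000, data[off:off + caplen]
        off += caplen


def ipv4_endpoints(raw):
    """(src, dst) strings for an Ethernet/IPv4 frame, or None for any other frame."""
    if len(raw) < 34 or struct.unpack("!H", raw[12:14])[0] != ETH_IPV4:
        return None
    return (str(ipaddress.IPv4Address(raw[26:30])), str(ipaddress.IPv4Address(raw[30:34])))


def keep_for(attack_ip, attack_net, raw):
    """The BPF predicate 'host ATTACK_IP or not net ATTACK_NET' for one frame."""
    ends = ipv4_endpoints(raw)
    if ends is None:
        return True  # non-IP frames (e.g. ARP) fail 'net', so 'not net' keeps them, as tcpdump does
    if attack_ip in ends:
        return True
    net = ipaddress.ip_network(attack_net)
    return not any(ipaddress.IPv4Address(a) in net for a in ends)


def split_by_attacker(pcap_bytes, attack_ips, attack_net):
    """One pcap per attacker: its own packets plus all traffic outside the attack range."""
    records = list(read_pcap(pcap_bytes))
    return {
        ip: build_pcap((ts, raw) for ts, raw in records if keep_for(ip, attack_net, raw))
        for ip in attack_ips
    }


def last_seen(pcap_bytes, ip):
    """Timestamp of the last packet to or from ip ('tcpdump host IP | tail -n1' in the comments)."""
    last = None
    for ts, raw in read_pcap(pcap_bytes):
        ends = ipv4_endpoints(raw)
        if ends and ip in ends:
            last = ts
    return last


def summarize(pcap_bytes):
    """List the (src, dst) pairs in a pcap, handy for checking what a split kept."""
    return [ipv4_endpoints(raw) for _, raw in read_pcap(pcap_bytes)]


# Constructed sample (assumption): two attackers in 1.0.0.0/24, victims in 10.0.0.0/24,
# and background traffic between internal hosts that every split must keep.
ATTACK_NET = "1.0.0.0/24"
ATTACKERS = ["1.0.0.10", "1.0.0.20"]
SAMPLE = build_pcap([
    (1.0, build_packet("10.0.0.5", "10.0.1.7")),   # background
    (2.0, build_packet("1.0.0.10", "10.0.0.5")),   # attacker A
    (3.5, build_packet("1.0.0.20", "10.0.0.9")),   # attacker B
    (4.0, build_packet("10.0.0.5", "1.0.0.10")),   # victim replies to A
    (5.0, build_packet("10.0.1.7", "10.0.0.5")),   # background
    (6.25, build_packet("10.0.0.9", "1.0.0.20")),  # victim replies to B
])

if __name__ == "__main__":
    for ip, part in split_by_attacker(SAMPLE, ATTACKERS, ATTACK_NET).items():
        print(ip, "last seen at", last_seen(SAMPLE, ip), summarize(part))
```

Each output file contains the attacker's own flows plus every packet that touches no address in the attack range, which is exactly what the tcpdump loop produces; the other attackers' packets are the only thing dropped. Note that `not net` also passes non-IP frames such as ARP, so those end up in every split.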

You can use PcapSplitter which is part of the PcapPlusPlus package. You can use this tool to split the pcap file by client IP and in your case you'll probably get 60 files, each one containing one attack. Please use the tool as follows:

PcapSplitter.exe -f <YOUR_PCAP> -m client-ip

You didn't mention the OS you're using, but this tool supports Win32, Linux and Mac.

seladb

SplitCap can split the packets for each individual IP address into separate pcap files in just one command:

SplitCap.exe -r capture.pcap -s host

You will have one pcap file for each IP address in capture.pcap after this. Each file will contain all packets to and from that particular IP address. Sweet and simple!

SplitCap is free and is available here: http://www.netresec.com/?page=SplitCap

netresec