Add hashing of packets

Author: Stefan Machmeier

example.py

@@ -1,5 +1,7 @@
 import matplotlib.pyplot as plt
 import numpy as np
+from scapy.all import (TCP, Packet, RandIP, RandIP6, RandMAC, Raw, rdpcap,
+                       sniff, wrpcap)
 
 from heifip.extractor import FIPExtractor
 from heifip.images.flow import FlowImage
@@ -10,25 +12,31 @@
 from heifip.images.packet import PacketImage
 from heifip.layers import PacketProcessorType
 
-extractor = FIPExtractor()
-imgs = extractor.create_image_from_file(
-    "/home/smachmeier/data/USTC-TFC2016-master/2_Session/AllLayers/FTP-ALL/FTP.pcap.TCP_1-1-221-163_51670_1-2-197-24_21.pcap",
-    PacketProcessorType.NONE,
-    MarkovTransitionMatrixFlow,
-    0, # min_image_dim
-    0, # max_image_dim
-    3, # min_packets
-    0, # max_packets
-    True, # remove_duplicates,
-    8
-    # 30, # dim
-    # 0, # fill
-    # True # auto_dim
-)
-i = 0
-for img in imgs:
-    extractor.save_image(img, f"/home/smachmeier/Documents/projects/heiFIP/data/benign/{i}.png")
-    i += 1
+# extractor = FIPExtractor()
+# imgs = extractor.create_image_from_file(
+#     "/home/smachmeier/data/better-split-binary/benign/BitTorrent-0710.pcap",
+#     PacketProcessorType.NONE,
+#     MarkovTransitionMatrixFlow,
+#     0, # min_image_dim
+#     0, # max_image_dim
+#     3, # min_packets
+#     0, # max_packets
+#     True, # remove_duplicates,
+#     8
+#     # 30, # dim
+#     # 0, # fill
+#     # True # auto_dim
+# )
+# i = 0
+# for img in imgs:
+#     extractor.save_image(img, f"/home/smachmeier/Documents/projects/heiFIP/data/benign/{i}.png")
+#     i += 1
+pcap = sniff(offline="/home/smachmeier/data/test-data/")
+for pkt in pcap:
+    # if Raw in pkt:
+    #     pkt[TCP].remove_payload()
+    pkt.show()
+    # wrpcap("/home/smachmeier/test.pcap", pkt, append=True)
 
 # fig = plt.figure(figsize=(16, 16))
 # columns = 4

heifip/extractor.py

@@ -13,6 +13,7 @@
                                        MarkovTransitionMatrixPacket)
 from heifip.images.packet import PacketImage
 from heifip.layers import PacketProcessor, PacketProcessorType
+from heifip.layers.packet import FIPPacket
 
 
 class FIPExtractor:
@@ -27,12 +28,12 @@ def verify(self, image, min_image_dim: int, max_image_dim: int, remove_duplicate
         if max_image_dim != 0 and (max_image_dim < image.shape[0] or max_image_dim < image.shape[1]):
             return False
 
-        if remove_duplicates:
-            im_str = image.tobytes()
-            if im_str in self.images_created:
-                return False 
-            else:
-                self.images_created.append(im_str)
+        # if remove_duplicates:
+        #     im_str = image.tobytes()
+        #     if im_str in self.images_created:
+        #         return False 
+        #     else:
+        #         self.images_created.append(im_str)
 
         return True
 
@@ -69,7 +70,7 @@ def create_image_from_file(
 
     def create_image_from_packet(
             self,
-            packets: [Packet],
+            packets: [FIPPacket],
             preprocessing_type: PacketProcessorType = PacketProcessorType.NONE,
             image_type: NetworkTrafficImage = PacketImage,
             min_image_dim: int = 0,
@@ -98,7 +99,7 @@ def create_image_from_packet(
 
     def __create_matrix(
             self,
-            packets: [Packet],
+            packets: [FIPPacket],
             preprocessing_type: PacketProcessorType = PacketProcessorType.NONE,
             image_type: NetworkTrafficImage = PacketImage,
             min_image_dim: int = 0,
@@ -179,7 +180,7 @@ def __create_matrix(
         return images
 
     def save_image(self, img, output_dir):
-        pil_img = PILImage.fromarray(self.convert(img, 0, 255, np.uint8))
+        pil_img = PILImage.fromarray(img)
         if not os.path.exists(os.path.realpath(os.path.dirname(output_dir))):
             try:
                 os.makedirs(os.path.realpath(os.path.dirname(output_dir)))

heifip/layers/__init__.py

@@ -1,10 +1,12 @@
 import os
+import pickle
 from abc import ABC
 from enum import Enum, unique
 from typing import Type
 
-from scapy.all import (Packet, RandIP, RandIP6, RandMAC, Raw, rdpcap, sniff,
-                       wrpcap)
+import cryptography
+from scapy.all import (Packet, RandIP, RandIP6, RandMAC, Raw, load_layer,
+                       rdpcap, sniff, wrpcap)
 from scapy.layers.dns import DNS
 from scapy.layers.http import HTTP, HTTPRequest, HTTPResponse
 from scapy.layers.inet import IP, TCP, UDP, Ether
@@ -41,7 +43,11 @@ def __init__(
         self,
         file_extension="pcap",
     ) -> None:
-        pass
+        self.hash_dict = set()
+        # if os.path.isfile('hashes_pkt.pkl'):
+        #     with open('hashes_pkt.pkl', 'rb') as f:
+        #         self.hash_dict = pickle.load(f)
+        load_layer("tls")
 
     def write_packet(self) -> None:
         # Write pcap
@@ -53,16 +59,19 @@ def read_packets_file(self, file: str, preprocessing_type: PacketProcessorType)
         # Read PCAP file with Scapy
         packets = []
         # TODO Only read max number of packets
-        pcap = sniff(offline=file)
+        pcap = sniff(offline=file, count=64)
         for pkt in pcap:
             # Start preprocessing for each packet
             processed_packet = self.__preprocessing(pkt, preprocessing_type)
             # TODO Run extract here to reduce amount of loops in code. Atm very inefficient for computation time and memory
             # In case packet returns None
             if processed_packet != None:
-                packets.append(processed_packet)
+                if not processed_packet.hash in self.hash_dict:
+                    self.hash_dict.add(processed_packet.hash)
+                    packets.append(processed_packet)
         return packets
 
+
     def read_packets_packet(self, packet: [Packet], preprocessing_type: PacketProcessorType) -> [FIPPacket]:
         # Read PCAP file with Scapy
         packets = []
@@ -71,7 +80,9 @@ def read_packets_packet(self, packet: [Packet], preprocessing_type: PacketProces
             processed_packet = self.__preprocessing(pkt, preprocessing_type)
             # In case packet returns None
             if processed_packet != None:
-                packets.append(processed_packet)
+                if not processed_packet.hash in self.hash_dict:
+                    self.hash_dict.add(processed_packet.hash)
+                    packets.append(processed_packet)
         return packets
 
     def __preprocessing(self, packet: Packet, preprocessing_type: PacketProcessorType) -> FIPPacket:
@@ -92,7 +103,7 @@ def __preprocessing(self, packet: Packet, preprocessing_type: PacketProcessorTyp
         elif Ether in fippacket.layer_map:
             fippacket = fippacket.convert(EtherPacket, fippacket)
 
-        if preprocessing_type == PacketProcessorType.HEADER:
+        if preprocessing_type == "HEADER":
             fippacket.header_preprocessing()
 
         return fippacket

heifip/layers/dns.py

@@ -1,3 +1,4 @@
+import hashlib
 from typing import Type
 
 from scapy.all import Packet
@@ -10,17 +11,18 @@
 class DNSPacket(TransportPacket):
     def __init__(self, packet: Packet, address_mapping={}, layer_map={}) -> None:
         TransportPacket.__init__(self, packet, address_mapping, layer_map)
+        self.hash = hashlib.md5(f"{self.packet[DNS].qr}".encode('utf-8')).hexdigest()
 
     def header_preprocessing(self):
         # TODO: Fix issue with DNS processing
-        # if self.packet[DNS].qd:
-        #     self.__header_preprocessing_message_type(self.packet, "qd")
-        # if self.packet[DNS].an:
-        #     self.__header_preprocessing_message_type(self.packet, "an")
-        # if self.packet[DNS].ns:
-        #     self.__header_preprocessing_message_type(self.packet, "ns")
-        # if self.packet[DNS].ar:
-        #     self.__header_preprocessing_message_type(self.packet, "ar")
+        if self.packet[DNS].qd:
+            self.__header_preprocessing_message_type(self.packet, "qd")
+        if self.packet[DNS].an:
+            self.__header_preprocessing_message_type(self.packet, "an")
+        if self.packet[DNS].ns:
+            self.__header_preprocessing_message_type(self.packet, "ns")
+        if self.packet[DNS].ar:
+            self.__header_preprocessing_message_type(self.packet, "ar")
 
         layer_copy = self.packet[DNS]
 
@@ -51,23 +53,19 @@ def __header_preprocessing_message_type(self, packet: Packet, message_type: str)
         if message_type == "qd":
             new_message = CustomDNSQR(qname=message.qname, qtype=message.qtype)
 
-            message = message.payload
-            while message:
+            while message:=message.payload:
                 new_message /= CustomDNSQR(
                     qname=message.qname,
                     qtype=message.qtype,
                 )
         else:
-            if message_type != "ar":
-                new_message = CustomDNSRR(
-                    rrname=message.rrname, type=message.type, ttl=message.ttl
-                )
+            new_message = CustomDNSRR(
+                rrname=message.rrname, type=message.type
+            )
 
-                message = message.payload
-                while message:
-                    new_message /= CustomDNSRR(
-                        rrname=message.rrname, type=message.type, ttl=message.ttl
-                    )
+            while message:=message.payload:
+                new_message /= CustomDNSRR(
+                    rrname=message.rrname, type=message.type
+                )
 
-        if message_type != "ar":
-            setattr(packet[DNS], message_type, new_message)
+        setattr(packet[DNS], message_type, new_message)

heifip/layers/http.py

@@ -1,7 +1,8 @@
+import hashlib
 from typing import Type
 
 from scapy.all import Packet
-from scapy.layers.http import HTTPRequest, HTTPResponse
+from scapy.layers.http import HTTP, HTTPRequest, HTTPResponse
 
 from heifip.layers.transport import TransportPacket
 from heifip.plugins.header import (CustomHTTP, CustomHTTP_Request,
@@ -18,6 +19,10 @@ def header_preprocessing(self):
 class HTTPRequestPacket(HTTPPacket):
     def __init__(self, packet: Packet, address_mapping={}, layer_map={}):
         HTTPPacket.__init__(self, packet, address_mapping, layer_map)
+        # self.hash = hashlib.md5(f"{self.packet[HTTPRequest].Path},{self.packet[HTTPRequest].Method},{self.packet[HTTPRequest].Accept}".encode('utf-8')).hexdigest()
+        self.hash = hashlib.md5(f"{self.packet[HTTPRequest].Method},{self.packet[HTTPRequest].Accept}".encode('utf-8')).hexdigest()
+        if Raw in self.layer_map:
+            self.packet[HTTPRequest].remove_payload()
 
     def header_preprocessing(self):
         layer_copy = self.packet[HTTPRequest]
@@ -44,6 +49,10 @@ def header_preprocessing(self):
 class HTTPResponsePacket(HTTPPacket):
     def __init__(self, packet: Packet, address_mapping={}, layer_map={}):
         HTTPPacket.__init__(self, packet, address_mapping, layer_map)
+        # self.hash = hashlib.md5(f"{self.packet[HTTPResponse].Server},{self.packet[HTTPResponse].Status_Code},{self.packet[HTTPResponse].Connection}".encode('utf-8')).hexdigest()
+        self.hash = hashlib.md5(f"{self.packet[HTTPResponse].Status_Code},{self.packet[HTTPResponse].Connection}".encode('utf-8')).hexdigest()
+        if Raw in self.layer_map:
+            self.packet[HTTPResponse].remove_payload()
 
     def header_preprocessing(self):
         layer_copy = self.packet[HTTPResponse]

heifip/layers/ip.py

@@ -1,8 +1,11 @@
+import hashlib
 from typing import Type
 
-from scapy.all import Packet, RandIP, RandIP6
-from scapy.layers.inet import IP
+from scapy.all import Packet, RandIP, RandIP6, Raw
+from scapy.layers.http import HTTP
+from scapy.layers.inet import IP, TCP, UDP
 from scapy.layers.inet6 import IPv6
+from scapy.layers.tls.all import TLS
 
 from heifip.layers.packet import EtherPacket
 from heifip.plugins.header import CustomIP, CustomIPv6
@@ -13,8 +16,18 @@ def __init__(self, packet: Packet, address_mapping={}, layer_map={}):
         EtherPacket.__init__(self, packet, address_mapping, layer_map)
         if IP in self.layer_map:
             self.__filter_ipv4()
+            self.hash = hashlib.md5(f"{self.packet[IP].version},{self.packet[IP].flags},{self.packet[IP].proto}".encode('utf-8')).hexdigest()
+            if TLS in self.layer_map and not (TCP in self.layer_map or UDP in self.layer_map):
+                self.packet[IP].remove_payload()
+            if Raw in self.layer_map and not (TCP in self.layer_map or UDP in self.layer_map or HTTP in self.layer_map):
+                self.packet[IP].remove_payload()
         elif IPv6 in self.layer_map:
             self.__filter_ipv6()
+            self.hash = hashlib.md5(f"{self.packet[IPv6].version},{self.packet[IPv6].tc},{self.packet[IPv6].hlim}".encode('utf-8')).hexdigest()
+            if TLS in self.layer_map and not (TCP in self.layer_map or UDP in self.layer_map):
+                self.packet[IPv6].remove_payload()
+            if Raw in self.layer_map and not (TCP in self.layer_map or UDP in self.layer_map or HTTP in self.layer_map):
+                self.packet[IPv6].remove_payload()
 
     def __filter_ipv4(self):
         previous_src = self.packet[IP].src

heifip/layers/packet.py

@@ -1,3 +1,4 @@
+import hashlib
 from typing import Type
 
 from scapy.all import Packet, RandMAC
@@ -8,6 +9,7 @@ class FIPPacket:
     def __init__(self, packet, address_mapping={}, layer_map={}):
         self.address_mapping = address_mapping
         self.packet = packet
+        self.hash = hashlib.md5().hexdigest()
 
         if layer_map == {}:
             self.layer_map = self.__get_layers()

heifip/layers/transport.py

@@ -1,7 +1,10 @@
+import hashlib
 from typing import Type
 
-from scapy.all import Packet
+from scapy.all import Packet, Raw
+from scapy.layers.http import HTTP, HTTPRequest, HTTPResponse
 from scapy.layers.inet import TCP, UDP
+from scapy.layers.tls.all import TLS
 
 from heifip.layers.ip import IPPacket
 from heifip.plugins.header import CustomTCP, CustomUDP
@@ -10,6 +13,19 @@
 class TransportPacket(IPPacket):
     def __init__(self, packet: Packet, address_mapping={}, layer_map={}):
         IPPacket.__init__(self, packet, address_mapping, layer_map)
+        if TCP in self.layer_map:
+            self.hash = hashlib.md5(f"{self.packet[TCP].flags},{self.packet[TCP].options}".encode('utf-8')).hexdigest()
+            if TLS in self.layer_map:
+                self.packet[TCP].remove_payload()
+            if Raw in self.layer_map and not HTTP in self.layer_map:
+                self.packet[TCP].remove_payload()
+        elif UDP in self.layer_map:
+            self.hash = hashlib.md5(f"{self.packet[UDP].name}".encode('utf-8')).hexdigest()
+            if TLS in self.layer_map:
+                self.packet[UDP].remove_payload()
+            if Raw in self.layer_map and not HTTP in self.layer_map:
+                self.packet[UDP].remove_payload()
+
 
     def header_preprocessing(self):
         if TCP in self.layer_map:

heifip/main.py

@@ -13,6 +13,8 @@
 from heifip.extractor import FIPExtractor
 from heifip.images.flow import FlowImage
 
+import pickle
+
 
 class Runner:
     def __init__(self, thread_number) -> None:
@@ -79,3 +81,5 @@ def run(
             thread.start()
         file_queue.join()
         pbar.close()
+        # with open('hashes_pkt.pkl', 'wb') as f:
+        #     pickle.dump(self.extractor.processor.hash_dict, f)