This project captures the packets flowing through a network interface, saves each chunk of a specific size into a PCAP file, and then automatically converts it into a feature-extracted CSV file with CICFlowMeter-3.0.
The CSV is meant to be analysed for intrusion detection. You can find further detail at the website of CIC.
- This repository is maintained by Pasakorn Tiwatthanont, ptiwatthanont@gmail.com.
- Thanks to Mr. Preecha Pangsuban, preecha@yru.ac.th, for guidance on the relevant tools.
For trying, just run:
try_me.sh
Calling capture_interface_pcap.sh will capture packets periodically, from the start until the time specified in the script. Each time a PCAP file is saved, the script convert_pcap_csv.sh will call the converter, CICFlowMeter.
capture_interface_pcap.sh <interface> <pcap_output_dir> [privileged_user_name]
For example:
capture_interface_pcap.sh wlan0 pcap
or
capture_interface_pcap.sh eth0 output_dir bobuser
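As an added example that is not the project's own capture_interface_pcap.sh, the following POSIX shell shows how a rotating tcpdump capture hands each closed chunk to a converter through -z, and how the post-rotate hook can check what tcpdump passes it before converting. The converter name convert_pcap_csv.sh comes from this page; the rotation interval, the mapping of the privileged-user argument to tcpdump's -Z, and the PCAP_DIR and CONVERTER variables are assumptions.

```shell
#!/bin/sh
# Added example, not the project's capture_interface_pcap.sh: a rotating tcpdump
# capture whose closed chunks are handed to a converter via -z, plus a hook that
# checks what tcpdump passes it. convert_pcap_csv.sh is the converter named on
# the page; the -Z mapping, interval and PCAP_DIR/CONVERTER knobs are assumptions.

# Build the tcpdump command: $1 interface, $2 output dir, $3 rotation seconds,
# $4 optional unprivileged user.
#   -G N  closes the current file every N seconds
#   -w    names each chunk with strftime(3) fields, so chunks never overwrite
#   -z    runs the hook once per closed file, with that file as its argument
#   -Z    drops root before the savefile is opened; the output dir must then be
#         writable by that user, and the hook runs as that user as well
build_capture_cmd() {
    iface=$1 outdir=$2 secs=$3 user=$4
    cmd="tcpdump -i $iface -n -G $secs -w $outdir/%Y%m%d_%H%M%S.pcap -z $outdir/post_rotate.sh"
    if [ -n "$user" ]; then cmd="$cmd -Z $user"; fi
    printf '%s\n' "$cmd"
}

# Hook body: tcpdump runs it as "post_rotate.sh <closed file>". Only a regular
# .pcap file directly inside PCAP_DIR is accepted, so a stray or malformed
# argument never reaches the converter (under AppArmor, the hook path itself
# must also be allowed for execution by the tcpdump profile).
post_rotate() {
    f=$1
    [ -n "$PCAP_DIR" ] || { echo "post_rotate: PCAP_DIR is not set" >&2; return 1; }
    case $f in
        *..*) echo "post_rotate: rejected '$f'" >&2; return 1 ;;    # no path climbing
        "$PCAP_DIR"/*.pcap) ;;                                      # expected dir and suffix
        *) echo "post_rotate: unexpected '$f'" >&2; return 1 ;;
    esac
    [ -f "$f" ] || { echo "post_rotate: '$f' is not a regular file" >&2; return 1; }
    "${CONVERTER:-./convert_pcap_csv.sh}" "$f"      # CONVERTER: override for testing
}

# Entry points: "post_rotate.sh <file>" when tcpdump calls the hook, otherwise
# "<script> <interface> <pcap_output_dir> [seconds] [user]" starts the capture.
case ${0##*/} in
    post_rotate.sh) post_rotate "$1" ;;
    *) if [ $# -ge 2 ]; then exec $(build_capture_cmd "$1" "$2" "${3:-300}" "$4"); fi ;;
esac
```

Installed under the two names (the capture script and a post_rotate.sh link in the output directory), the same file serves both roles; the hook rejects anything outside PCAP_DIR before the converter is ever started.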
Edit the working directory in the file pcap2ciclog.service; the executed script should also be referred to with an absolute path:
...
[Service]
WorkingDirectory=/home/../../TCPDUMP_and_CICFlowMeter
ExecStart=/home/../../TCPDUMP_and_CICFlowMeter/pcap2ciclog.sh
...
Then, link it into the directory /lib/systemd/system:
cd /lib/systemd/system
sudo ln -sf <the-dir>/pcap2ciclog.service
Enable the service:
sudo systemctl enable pcap2ciclog.service
Finally, let's get started!
sudo systemctl start pcap2ciclog.service
In some cases on Ubuntu with AppArmor, you may get a 'permission denied' error when tcpdump tries to execute a script. This is a security measure. To relax it, add the following line to the file /etc/apparmor.d/usr.sbin.tcpdump:
/usr/sbin/tcpdump {
...
# for -z
/**/* ixr, # <-- add me!
...
}
Then, restart the service:
sudo service apparmor restart
If the libpcap-dev package is not installed, the following error will be shown:
Exception in thread "main" java.lang.UnsatisfiedLinkError: com.slytechs.library.NativeLibrary.dlopen(Ljava/lang/String;)J
at com.slytechs.library.NativeLibrary.dlopen(Native Method)
at com.slytechs.library.NativeLibrary.<init>(Unknown Source)
at com.slytechs.library.JNILibrary.<init>(Unknown Source)
at com.slytechs.library.JNILibrary.loadLibrary(Unknown Source)
at com.slytechs.library.JNILibrary.register(Unknown Source)
at com.slytechs.library.JNILibrary.register(Unknown Source)
at com.slytechs.library.JNILibrary.register(Unknown Source)
at org.jnetpcap.Pcap.<clinit>(Unknown Source)
at cic.cs.unb.ca.jnetpcap.PacketReader.config(PacketReader.java:58)
at cic.cs.unb.ca.jnetpcap.PacketReader.<init>(PacketReader.java:52)
at cic.cs.unb.ca.ifm.CICFlowMeter.main(CICFlowMeter.java:93)
Please install via:
sudo apt install libpcap-dev
For other OSs, please follow the guideline at https://javatutorial.net/capture-network-packages-java.
The forked and revised version of ISCX/CICFlowMeter can be found at https://github.com/iPAS/CICFlowMeter. Nevertheless, in case you need to make it yourself, or if the next version needs the maintenance again, the following clues give the guidance.
git clone https://github.com/ISCX/CICFlowMeter.git
Then, go inside.
chmod +x gradlew
./gradlew
However, this is not necessary in case you already have it.
In the CICFlowMeter directory, please run:
git fetch --all
git reset original/master --hard
All code will be reset to the state of the original repository. All revised files will be gone, even yours.
- Edit the build.gradle file so that the JNetPcap package can be found:
  - Add a new repository:
    repositories {
        ...
        maven { url "http://clojars.org/repo/" }
    }
  - Change the dependency version:
    dependencies {
        ...
        // compile group: 'org.jnetpcap', name: 'jnetpcap', version: '1.4.1'
        compile group: 'jnetpcap', name: 'jnetpcap', version: '1.4.r1425-1g'
    }
- To enable the command-line version:
  - Change all occurrences of the following:
    cic.cs.unb.ca.ifm.App
    to
    cic.cs.unb.ca.ifm.CICFlowMeter
  - Exclude the GUI and include the command-line source file instead:
    sourceSets {
        main {
            java {
                srcDir 'src'
                // exclude '**/CICFlowMeter.java'
                exclude '**/App.java'
            }
        }
    }
  - Edit the code src/main/java/cic/cs/unb/ca/ifm/CICFlowMeter.java by looking at my CICFlowMeter.java.
Then, build the project:
gradle build
To run via Gradle:
gradle run
The result might be shown like the following:
type Jar
type JavaExec
:compileJava UP-TO-DATE
:processResources UP-TO-DATE
:classes UP-TO-DATE
:run
cic.cs.unb.ca.ifm.CICFlowMeter
Sorry,no pcap files can be found under: <...some path...>

BUILD SUCCESSFUL

Total time: 0.936 secs
The built package is in the directory CICFlowMeter_repo/build/distributions/. Get it and place it in a directory that fits.
After the distribution package has been obtained, unpack it and revise the code in the script CICFlowMeter-3.0/bin/CICFlowMeter:
- Change the reference to the libraries to the real path, from:
  DEFAULT_JVM_OPTS='"-Djava.library.path=../lib/native"'
  to
  DEFAULT_JVM_OPTS='"-Djava.library.path='$APP_HOME/lib/native'"'
- Call the command-line class instead of the GUI application, from:
  eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $CIC_FLOW_METER_OPTS -classpath "\"$CLASSPATH\"" cic.cs.unb.ca.ifm.App "$APP_ARGS"
  to
  eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $CIC_FLOW_METER_OPTS -classpath "\"$CLASSPATH\"" cic.cs.unb.ca.ifm.CICFlowMeter "$APP_ARGS"
- gradle and maven are required