merge

Dockerfile

@@ -1,21 +1,13 @@
 FROM ubuntu:18.04
 
-ARG mongoDbUser
-ARG mongoDbPassword
-ARG listenedIp
-ARG snifferTimeout
-
-ENV MONGO_DB_USER $mongoDbUser
-ENV MONGO_DB_PASSWORD $mongoDbPassword
 ENV DEBIAN_FRONTEND noninteractive
-ENV LISTENED_IP $listenedIp
-ENV SNIFFER_TIMEOUT $snifferTimeout
 
-COPY requirements.txt main.py sniffer.py analyse_tcp_packets.py ./
+RUN mkdir /app/
+COPY requirements.txt db.py main.py sniffer.py analyse_tcp_packets.py /app/
 
 RUN apt-get update && apt-get install -y \
     python3-pip \
     tshark \
-    && pip3 --no-cache-dir install -r requirements.txt
+    && pip3 --no-cache-dir install -r /app/requirements.txt
 
-CMD [ "python3" , "main.py" ]
+CMD [ "python3" , "/app/main.py" ]

analyse_tcp_packets.py

@@ -1,11 +1,13 @@
 import pyshark
 import socket
 import os
-from db import connect_to_cluster, save_element
+from db import save_element
 
 LISTENED_IP = os.getenv('LISTENED_IP')
 
 # Analyse a pkt to save it in the good key of our date structure
+
+
 def analyse_packets(pkt):
     if ('TCP' in pkt and 'IP' in pkt):
         # time when the packet was received
@@ -14,7 +16,7 @@ def analyse_packets(pkt):
         # If we already have the stream in the dict or not
         if (pkt.tcp.stream not in packet_dict):
             # Get the remote ip of the stream
-            ip = pkt.ip.dst if pkt.ip.dst != LISTENED_IP else pkt.ip.src
+            ip = pkt.ip.src if pkt.ip.src != LISTENED_IP else pkt.ip.dst
             save_new_stream(pkt.tcp.stream, timestamp, ip, pkt)
         else:
             time_delta = float(pkt.tcp.time_delta)
@@ -44,6 +46,8 @@ def get_packet_size(pkt):
     return int(pkt.length.raw_value, 16) * 0.000001
 
 # Save a new stream and its first packet in the dict
+
+
 def save_new_stream(stream_id, timestamp, ip, pkt):
     domain = reverse_dns(ip)
     packet_dict[stream_id] = {
@@ -58,11 +62,15 @@ def save_new_stream(stream_id, timestamp, ip, pkt):
     }
 
 # Send a group of packets that seems to be together to the DB
+
+
 def push_data(key):
     print('Push data: ' + str(packet_dict[key]))
     save_element(packet_dict[key])
 
 # Reverse DNS a remote IP
+
+
 def reverse_dns(ip):
     try:
         reversed_dns = socket.gethostbyaddr(ip)
@@ -86,10 +94,7 @@ def reverse_dns(ip):
 } """
 packet_dict = {}
 
-# Connect to MongoDB cluster
-connect_to_cluster()
-
-cap = pyshark.FileCapture('capture.pcap')
+cap = pyshark.FileCapture('./capture.pcap')
 cap.apply_on_packets(analyse_packets)
 
 # We push_data all the remaining streams in packet_dict

db.py

@@ -3,15 +3,12 @@
 
 MONGO_DB_USER = os.getenv('MONGO_DB_USER')
 MONGO_DB_PASSWORD = os.getenv('MONGO_DB_PASSWORD')
-analysed_packets = None
 
 # Connection to mongoDB
-def connect_to_cluster():
-    cluster = pymongo.MongoClient(
-        "mongodb+srv://{}:{}@cluster0-llznq.gcp.mongodb.net/test?retryWrites=true&w=majority".format(MONGO_DB_USER, MONGO_DB_PASSWORD))
-    capitrain_db = cluster['capitrain']
-    analysed_packets = capitrain_db["analysed_packets"]
-
+cluster = pymongo.MongoClient(
+    "mongodb+srv://{}:{}@cluster0-llznq.gcp.mongodb.net/test?retryWrites=true&w=majority".format(MONGO_DB_USER, MONGO_DB_PASSWORD))
+capitrain_db = cluster['capitrain']
+analysed_packets = capitrain_db["analysed_packets"]
 
 # Insert a document in our analysed_packets collection
 def save_element(element):

main.py

@@ -1,5 +1,6 @@
 from dotenv import load_dotenv
 load_dotenv()
+import db
 import sniffer
 print("sniffer done")
 import analyse_tcp_packets

requirements.txt

@@ -1,3 +1,4 @@
 pyshark==0.4.2.9
 pymongo==3.9.0
-python-dotenv==0.10.3
+dnspython==1.16.0
+python-dotenv==0.10.3

sniffer.py

@@ -1,12 +1,14 @@
 import pyshark
 import os
 
-SNIFFER_TIMEOUT = os.getenv('SNIFFER_TIMEOUT')
+SNIFFER_TIMEOUT = int(os.getenv('SNIFFER_TIMEOUT'))
 LISTENED_IP = os.getenv('LISTENED_IP')
+INTERFACE = os.getenv('INTERFACE')
+VPN_IP = os.getenv('VPN_IP')
 
-filter = "tcp&&(ip.dst==" + LISTENED_IP + "||ip.src==" + LISTENED_IP + ")"
+filter = "tcp&&(ip.dst==" + VPN_IP + "||ip.src==" + LISTENED_IP + ")"
 
 capture = pyshark.LiveCapture(
-    interface="eth0", output_file="./capture.pcap", display_filter=filter)
+    interface=INTERFACE, output_file="./capture.pcap", display_filter=filter)
 
 capture.sniff(timeout=SNIFFER_TIMEOUT)