diff --git a/Dockerfile b/Dockerfile
index 7aaf679..cb33952 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,21 +1,13 @@
 FROM ubuntu:18.04
-ARG mongoDbUser
-ARG mongoDbPassword
-ARG listenedIp
-ARG snifferTimeout
-
-ENV MONGO_DB_USER $mongoDbUser
-ENV MONGO_DB_PASSWORD $mongoDbPassword
 ENV DEBIAN_FRONTEND noninteractive
-ENV LISTENED_IP $listenedIp
-ENV SNIFFER_TIMEOUT $snifferTimeout
-COPY requirements.txt main.py sniffer.py analyse_tcp_packets.py ./
+RUN mkdir /app/
+COPY requirements.txt db.py main.py sniffer.py analyse_tcp_packets.py /app/
 RUN apt-get update && apt-get install -y \
 python3-pip \
 tshark \
- && pip3 --no-cache-dir install -r requirements.txt
+ && pip3 --no-cache-dir install -r /app/requirements.txt
-CMD [ "python3" , "main.py" ]
\ No newline at end of file
+CMD [ "python3" , "/app/main.py" ]
\ No newline at end of file
diff --git a/analyse_tcp_packets.py b/analyse_tcp_packets.py
index ea8b9f9..2cae57e 100644
--- a/analyse_tcp_packets.py
+++ b/analyse_tcp_packets.py
@@ -1,11 +1,13 @@
 import pyshark
 import socket
 import os
-from db import connect_to_cluster, save_element
+from db import save_element
 LISTENED_IP = os.getenv('LISTENED_IP')
 # Analyse a pkt to save it in the good key of our date structure
+
+
 def analyse_packets(pkt):
 if ('TCP' in pkt and 'IP' in pkt):
 # time when the packet was received
@@ -14,7 +16,7 @@ def analyse_packets(pkt):
 # If we already have the stream in the dict or not
 if (pkt.tcp.stream not in packet_dict):
 # Get the remote ip of the stream
- ip = pkt.ip.dst if pkt.ip.dst != LISTENED_IP else pkt.ip.src
+ ip = pkt.ip.src if pkt.ip.src != LISTENED_IP else pkt.ip.dst
 save_new_stream(pkt.tcp.stream, timestamp, ip, pkt)
 else:
 time_delta = float(pkt.tcp.time_delta)
@@ -44,6 +46,8 @@ def get_packet_size(pkt):
 return int(pkt.length.raw_value, 16) * 0.000001
 # Save a new stream and its first packet in the dict
+
+
 def save_new_stream(stream_id, timestamp, ip, pkt):
 domain = reverse_dns(ip)
 packet_dict[stream_id] = {
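Review bot: No `WORKDIR` is set after the code moves to `/app/`, so the container still starts in `/`, and the relative `./capture.pcap` that sniffer.py writes and analyse_tcp_packets.py reads lands at the filesystem root rather than beside the code. Replacing `RUN mkdir /app/` with `WORKDIR /app` creates the directory and makes those relative paths, and a plain `CMD [ "python3" , "main.py" ]`, resolve against `/app`. While the apt layer is being edited, appending `&& rm -rf /var/lib/apt/lists/*` to the same `RUN` keeps the package index out of the image. Dropping the `ARG`/`ENV` lines for the Mongo credentials is the right call, since values passed that way are recorded in the image's layer metadata.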
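Review bot: The new `ip = pkt.ip.src if pkt.ip.src != LISTENED_IP else pkt.ip.dst` degrades silently when `LISTENED_IP` is unset: `os.getenv` returns `None`, the comparison is always true, and the first packet of a locally initiated stream then has the local address as its source, so that stream is saved with the local address as its "remote" and no error is raised. Reading the value as `LISTENED_IP = os.environ['LISTENED_IP']` at the top of this file surfaces the misconfiguration at import time with the variable name in the traceback. A one-line comment above the assignment, `# prefer the peer address: src is the peer for inbound packets, dst for outbound ones`, would also record why the preference was flipped, which the diff itself does not explain. The body of analyse_packets continues outside the hunk.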
@@ -58,11 +62,15 @@ def save_new_stream(stream_id, timestamp, ip, pkt):
 }
 # Send a group of packets that seems to be together to the DB
+
+
 def push_data(key):
 print('Push data: ' + str(packet_dict[key]))
 save_element(packet_dict[key])
 # Reverse DNS a remote IP
+
+
 def reverse_dns(ip):
 try:
 reversed_dns = socket.gethostbyaddr(ip)
@@ -86,10 +94,7 @@ def reverse_dns(ip):
 }
 """
 packet_dict = {}
-# Connect to MongoDB cluster
-connect_to_cluster()
-
-cap = pyshark.FileCapture('capture.pcap')
+cap = pyshark.FileCapture('./capture.pcap')
 cap.apply_on_packets(analyse_packets)
 # We push_data all the remaining streams in packet_dict
diff --git a/db.py b/db.py
index 05183af..e9f4a98 100644
--- a/db.py
+++ b/db.py
@@ -3,15 +3,12 @@
 MONGO_DB_USER = os.getenv('MONGO_DB_USER')
 MONGO_DB_PASSWORD = os.getenv('MONGO_DB_PASSWORD')
-analysed_packets = None
 # Connection to mongoDB
-def connect_to_cluster():
- cluster = pymongo.MongoClient(
- "mongodb+srv://{}:{}@cluster0-llznq.gcp.mongodb.net/test?retryWrites=true&w=majority".format(MONGO_DB_USER, MONGO_DB_PASSWORD))
- capitrain_db = cluster['capitrain']
- analysed_packets = capitrain_db["analysed_packets"]
-
+cluster = pymongo.MongoClient(
+ "mongodb+srv://{}:{}@cluster0-llznq.gcp.mongodb.net/test?retryWrites=true&w=majority".format(MONGO_DB_USER, MONGO_DB_PASSWORD))
+capitrain_db = cluster['capitrain']
+analysed_packets = capitrain_db["analysed_packets"]
 # Insert a document in our analysed_packets collection
 def save_element(element):
diff --git a/main.py b/main.py
index 6baa832..08ad1c4 100644
--- a/main.py
+++ b/main.py
@@ -1,5 +1,6 @@
 from dotenv import load_dotenv
 load_dotenv()
+import db
 import sniffer
 print("sniffer done")
 import analyse_tcp_packets
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
index d2cfc8d..1a9dace 100644
--- a/requirements.txt
+++ b/requirements.txt
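Review bot: The credentials are interpolated into the `mongodb+srv://` URI unescaped, so a `MONGO_DB_PASSWORD` containing `@`, `:`, `/` or `%` yields a malformed connection string, and an unset variable yields the literal `None:None@` host prefix. pymongo's documented practice is `.format(quote_plus(MONGO_DB_USER), quote_plus(MONGO_DB_PASSWORD))` with `from urllib.parse import quote_plus` added to the imports above this hunk, together with a guard such as `if not MONGO_DB_USER or not MONGO_DB_PASSWORD: raise RuntimeError('MONGO_DB_USER and MONGO_DB_PASSWORD must be set')` placed before the client is built. Because the client is now constructed at module load, that guard fires the moment `import db` runs in main.py instead of at the first insert. The import lines that precede this hunk are outside it.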
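Review bot: `import db` is added purely for its side effect, since db.py now builds the MongoDB client at import time, but nothing in main.py says so, and the line reads like an unused import that a linter or a tidy-up would remove. A comment on the added line, `import db  # side-effect import: db.py builds the MongoDB client at module load`, preserves the intent; whether it was placed ahead of `import sniffer` deliberately is not stated in the diff and would be worth saying in the same comment. The existing `import sniffer` and `import analyse_tcp_packets` are side-effect imports of the same kind and would benefit from the same treatment.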
@@ -1,3 +1,4 @@
 pyshark==0.4.2.9
 pymongo==3.9.0
-python-dotenv==0.10.3
+dnspython==1.16.0
+python-dotenv==0.10.3
\ No newline at end of file
diff --git a/results/capture.pcap b/results/capture.pcap
index 19f23b1..2628419 100644
Binary files a/results/capture.pcap and b/results/capture.pcap differ
diff --git a/sniffer.py b/sniffer.py
index 2aa8e1d..09632c2 100644
--- a/sniffer.py
+++ b/sniffer.py
@@ -1,12 +1,14 @@
 import pyshark
 import os
-SNIFFER_TIMEOUT = os.getenv('SNIFFER_TIMEOUT')
+SNIFFER_TIMEOUT = int(os.getenv('SNIFFER_TIMEOUT'))
 LISTENED_IP = os.getenv('LISTENED_IP')
+INTERFACE = os.getenv('INTERFACE')
+VPN_IP = os.getenv('VPN_IP')
-filter = "tcp&&(ip.dst==" + LISTENED_IP + "||ip.src==" + LISTENED_IP + ")"
+filter = "tcp&&(ip.dst==" + VPN_IP + "||ip.src==" + LISTENED_IP + ")"
 capture = pyshark.LiveCapture(
- interface="eth0", output_file="./capture.pcap", display_filter=filter)
+ interface=INTERFACE, output_file="./capture.pcap", display_filter=filter)
 capture.sniff(timeout=SNIFFER_TIMEOUT)
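Review bot: Every configuration value in sniffer.py is read with `os.getenv`, so a missing variable fails indirectly: `int(None)` raises `TypeError` on the `SNIFFER_TIMEOUT` line, and an unset `VPN_IP` or `LISTENED_IP` raises `TypeError` from the string concatenation that builds `filter`, neither of which names the variable that is missing. Reading them as `SNIFFER_TIMEOUT = int(os.environ['SNIFFER_TIMEOUT'])` and `VPN_IP = os.environ['VPN_IP']` (likewise for `LISTENED_IP` and `INTERFACE`) raises `KeyError` with the variable name at startup instead. `filter` shadows the builtin; a name such as `display_filter_expr` reads better and avoids confusion with the `display_filter=` keyword on the next lines. An unset `INTERFACE` reaches `LiveCapture(interface=None)` silently, and what pyshark does with that is not visible here, so confirm it is the intended fallback.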