Traffic_parse: a network traffic feature extraction project

Project Introduction

To classify traffic you first need to extract the raw features of the network traffic. The raw features here include packet length, packet inter-arrival time, specific header fields, the payload, and so on.
Python packet-parsing libraries such as pyshark and scapy are awkward to use for this. The difficulty is mainly that, once the dissector recognises an application-layer protocol on top of the transport layer (UDP/TCP), the packet's attributes change. For example, for NetBIOS over UDP, pyshark and scapy no longer let you get the raw payload by accessing udp.payload, which is very clever of them. So I wrote my own code to extract the features I need.
One more complaint: pyshark and scapy are rubbish!

Project address:

https://github.com/jmhIcoding/Traffic_parse

Project code:

The project source is at: https://github.com/jmhIcoding/Traffic_parse/tree/master/src
The Visual Studio project directory is at: https://github.com/jmhIcoding/Traffic_parse/tree/master/vsrc; you can import it directly into VS2013 and rebuild.

Which features are extracted is decided in https://github.com/jmhIcoding/Traffic_parse/blob/master/src/util.cpp,
in the DbgPrint function:

void DbgPrint(int level, void *header)
{
	// The caller passes a pointer to the header of the layer named by `level`;
	// only the cast matching that layer is actually dereferenced below.
	ethII_header* eth_headerp = (ethII_header*)header;
	ip_header* ip_headerp = (ip_header*)header;
	udp_header* udp_headerp = (udp_header*)header;
	tcp_header* tcp_headerp = (tcp_header*)header;
	in_addr srcip, dstip;                              // Winsock in_addr (VS build)
	char srcip_dot[32] = { 0 }, dstip_dot[32] = { 0 };  // dotted-quad buffers, currently unused

	// Only layers enabled in the DEBUG_INFO mask (util.h) are printed.
	if (!(level & DEBUG_INFO))
	{
		return;
	}
	switch (level & DEBUG_INFO)
	{
	case eth_info:
		// MAC addresses as colon-separated hex, then the EtherType.
		printf("EthII");
		for (int i = 0; i < sizeof(eth_headerp->destination); i++)
		{
			if (i == 0) printf("\tdst:");
			printf("%02X", eth_headerp->destination[i]);
			if (i < (sizeof(eth_headerp->destination) - 1)) printf(":");
		}
		for (int i = 0; i < sizeof(eth_headerp->source); i++)
		{
			if (i == 0) printf("\tsrc:");
			printf("%02X", eth_headerp->source[i]);
			if (i < (sizeof(eth_headerp->source) - 1)) printf(":");
		}
		printf("\ttype:%04X\n", eth_headerp->type);
		break;
	case tcp_info:
		// Ports are printed exactly as stored in the header struct.
		printf("%d,%d,tcp,", tcp_headerp->sport, tcp_headerp->dport);
		break;
	case udp_info:
		printf("%d,%d,udp,", udp_headerp->sport, udp_headerp->dport);
		break;
	case ip_info:
		//printf("IP");
		srcip.S_un.S_addr = ip_headerp->saddr;
		dstip.S_un.S_addr = ip_headerp->daddr;
		//sprintf(srcip_dot, "%s", inet_ntoa(srcip));
		//sprintf(dstip_dot, "%s", inet_ntoa(dstip));
		// Addresses are deliberately not converted to xx.yy.zz.aa;
		// the 32-bit value is printed as hex, as stored in the header.
		printf("%x,%x,", srcip.S_un.S_addr, dstip.S_un.S_addr);
		break;
	default:
		break;
	}
}

Edit this function directly to change what information is output for each layer.
Which layers are parsed and printed is controlled by the DEBUG_INFO macro in util.h, a bitmask built from the per-layer flags:

#define eth_info	0x01
#define ip_info		0x02
#define tcp_info	0x04
#define udp_info	0x08
#define dns_info	0x10
#define http_info	0x20
#define https_info	0x40
#define raw_packet_info 0x80
//#define DEBUG_INFO (eth_info | ip_info | tcp_info | udp_info | dns_info | http_info | https_info)

#define DEBUG_INFO (ip_info|tcp_info|udp_info)

Extend it yourself with whatever other functions you need.
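The following is an added example, not code from the Traffic_parse project, that does in one self-contained file what the introduction asks for (walk the raw frame, pick out header fields, and keep a handle on the transport payload regardless of the application protocol on top) and what the DbgPrint/DEBUG_INFO section describes (a layer-selection bitmask deciding which fields go into the output line). The names ETH_INFO, IP_INFO, TCP_INFO, UDP_INFO, PacketFeatures, parse_frame and feature_line are assumptions chosen for the example; the frame is a constructed NetBIOS name-service query (UDP/137) rather than a real capture. Unlike DbgPrint, it converts ports and addresses to host byte order and checks every length field against the captured frame before reading, so a truncated frame or a bogus IHL is rejected instead of read past the buffer.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Layer-selection bitmask, mirroring the DEBUG_INFO idea (hypothetical names).
enum : unsigned { ETH_INFO = 0x01, IP_INFO = 0x02, TCP_INFO = 0x04, UDP_INFO = 0x08 };

// Per-packet raw features. Ports and addresses are in host byte order here.
struct PacketFeatures {
    std::size_t frame_len = 0;
    uint16_t ether_type = 0;
    uint32_t saddr = 0, daddr = 0;                 // IPv4
    uint8_t  proto = 0;                            // 6 = TCP, 17 = UDP
    uint16_t sport = 0, dport = 0;
    std::size_t payload_off = 0, payload_len = 0;  // transport payload within the frame
};

static uint16_t rd16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3];
}

// Parse Ethernet II / IPv4 / {TCP,UDP}. Every offset is checked against the
// captured length before it is read; IHL, total length, UDP length and the TCP
// data offset come from the packet and are treated as untrusted.
bool parse_frame(const uint8_t* f, std::size_t n, PacketFeatures& out) {
    out = PacketFeatures{};
    out.frame_len = n;
    if (n < 14) return false;
    out.ether_type = rd16(f + 12);
    if (out.ether_type != 0x0800) return false;    // IPv4 only in this example
    const uint8_t* ip = f + 14;
    std::size_t rem = n - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return false;
    std::size_t ihl = (ip[0] & 0x0F) * 4u;
    if (ihl < 20 || ihl > rem) return false;
    std::size_t total_len = rd16(ip + 2);
    if (total_len < ihl || total_len > rem) return false;  // never trust it past the capture
    out.saddr = rd32(ip + 12);
    out.daddr = rd32(ip + 16);
    out.proto = ip[9];
    const uint8_t* tp = ip + ihl;
    std::size_t trem = total_len - ihl, hdr = 0;
    if (out.proto == 17) {                          // UDP: 8-byte header, own length field
        if (trem < 8) return false;
        std::size_t ulen = rd16(tp + 4);
        if (ulen < 8 || ulen > trem) return false;
        trem = ulen;
        hdr = 8;
    } else if (out.proto == 6) {                    // TCP: data offset in units of 4 bytes
        if (trem < 20) return false;
        hdr = (tp[12] >> 4) * 4u;
        if (hdr < 20 || hdr > trem) return false;
    } else {
        return false;
    }
    out.sport = rd16(tp);
    out.dport = rd16(tp + 2);
    out.payload_off = std::size_t((tp + hdr) - f);  // payload stays reachable whatever rides on top
    out.payload_len = trem - hdr;
    return true;
}

// Build the CSV-style line DbgPrint prints, but driven by a run-time mask.
std::string feature_line(const PacketFeatures& p, unsigned mask) {
    char buf[64];
    std::string s;
    if (mask & ETH_INFO) { std::snprintf(buf, sizeof buf, "%zu,0x%04X,", p.frame_len, unsigned(p.ether_type)); s += buf; }
    if (mask & IP_INFO)  { std::snprintf(buf, sizeof buf, "%08x,%08x,", p.saddr, p.daddr); s += buf; }
    if ((mask & UDP_INFO) && p.proto == 17) { std::snprintf(buf, sizeof buf, "%u,%u,udp,", unsigned(p.sport), unsigned(p.dport)); s += buf; }
    if ((mask & TCP_INFO) && p.proto == 6)  { std::snprintf(buf, sizeof buf, "%u,%u,tcp,", unsigned(p.sport), unsigned(p.dport)); s += buf; }
    std::snprintf(buf, sizeof buf, "%zu", p.payload_len);  // payload length is always emitted
    return s + buf;
}

// Constructed sample (not a real capture): broadcast NBNS name query,
// 192.168.1.10:137 -> 192.168.1.255:137, with a 12-byte NBNS header as payload.
std::vector<uint8_t> sample_nbns_frame() {
    return {
        0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,  // Ethernet II
        0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,            // IPv4, len 40, UDP
        0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0xff,                                  // src / dst
        0x00,0x89,0x00,0x89, 0x00,0x14,0x00,0x00,                                  // UDP 137->137, len 20
        0x00,0x01,0x01,0x10, 0x00,0x01,0x00,0x00, 0x00,0x00,0x00,0x00              // NBNS header
    };
}

int main() {
    std::vector<uint8_t> f = sample_nbns_frame();
    PacketFeatures p;
    if (parse_frame(f.data(), f.size(), p))
        std::printf("%s\n", feature_line(p, IP_INFO | UDP_INFO).c_str());
    return 0;
}
```

With the mask set to IP_INFO | UDP_INFO the sample yields `c0a8010a,c0a801ff,137,137,udp,12`; the same frame truncated to 30 bytes, or with its IHL nibble raised to 15, is rejected by parse_frame rather than read past the end of the buffer.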

Other

This tool is still not as convenient as my other parsing library, flowcontainer.

Consider moving to flowcontainer, a Python 3 library for extracting network flow information: https://blog.csdn.net/jmh1996/article/details/107148871

Source: https://blog.csdn.net/jmh1996/article/details/106965440