{"id":13775322,"url":"https://github.com/cedricol07/p2a","last_synced_at":"2025-05-11T07:32:28.868Z","repository":{"id":68577853,"uuid":"131968064","full_name":"CedricOL07/p2a","owner":"CedricOL07","description":"Parse Pcap for Anomalies","archived":false,"fork":false,"pushed_at":"2019-01-14T18:26:04.000Z","size":14957,"stargazers_count":13,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-11-17T10:39:45.221Z","etag":null,"topics":["anomaly-detection","forensics","libpcap","network-analysis","pcap","tcp","udp","wireshark"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CedricOL07.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-05-03T08:53:08.000Z","updated_at":"2024-02-25T00:00:02.000Z","dependencies_parsed_at":"2023-02-27T02:01:58.083Z","dependency_job_id":null,"html_url":"https://github.com/CedricOL07/p2a","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CedricOL07%2Fp2a","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CedricOL07%2Fp2a/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CedricOL07%2Fp2a/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CedricOL07%2Fp2a/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CedricOL07","download_url":"https://codeload.github.com/CedricOL07/p2a/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253533993,"owners_count":21923515,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anomaly-detection","forensics","libpcap","network-analysis","pcap","tcp","udp","wireshark"],"created_at":"2024-08-03T17:01:36.866Z","updated_at":"2025-05-11T07:32:28.498Z","avatar_url":"https://github.com/CedricOL07.png","language":"C","funding_links":[],"categories":["\u003ca id=\"f13469c9891173804423be4403b2c4ff\"\u003e\u003c/a\u003epcap"],"sub_categories":["\u003ca id=\"eb49514924c3f4bf2acf6f3a4436af13\"\u003e\u003c/a\u003e未分类"],"readme":"# p2a - Parse PCAP for Anomalies\n\nThis project aims at building an easy-to-use tool that will parse a `pcap` file to return any ambiguity found in the TCP packets. We are currently working on implementing UDP and ARP analysis as well.\n\n__Outline:__\n* [Contributors](#contributors)\n* [Documentation](#documentation)\n  * [Launching our script](#launch)\n  * [Anomalies](#anomalies)\n    1. [TTL Expiry Attack](#ttl)\n    2. [ARP Poisoning](#arp-poisoning)\n    3. [TCP Retransmission](#tcp-retransmission)\n    4. [Overlapping Fragments](#overlapping-fragments)\n    5. [Multiple TTL values](#multiple-ttl)\n  * [Project directories](#dir)\n* [References and external documentation](#references)\n\n## \u003ca name=\"contributors\"\u003e\u003c/a\u003eContributors\n\n* [Cedric Olivero](https://github.com/CedricOL07)\n* [JB Durville](https://github.com/jbdrvl)\n\n\u003e Contributing: any comment/idea/contribution is welcome.\n\n## \u003ca name=\"documentation\"\u003e\u003c/a\u003eDocumentation\n\n### \u003ca name=\"launch\"\u003e\u003c/a\u003eLaunching our script\n\n```sh\nmake\n\n./p2a -v ./pcap_files/some_pcap_file.pcap -s results.json\n```\n\n#### Usage\n\n```\n$ ./p2a -h\nUsage: ./p2a [OPTIONS] FILE\n\t-h,--help:\t\tdisplay this help message\n\t-v,--verbose:\t\tverbose option\n\t-d,--debug:\t\tdebug option\n\t-x,--exclude OPTIONS:\texclude some possible ambiguities from analysis\n\t\t--exclude ret,mac,ttl\n\t\t\tret: exclude retransmission analysis\n\t\t\tmac: exclude MAC addresses analysis\n\t\t\tttl: exclude TTL analysis\n\t-s,--save FILENAME:\tsaves results to file FILENAME\n\t\tJSON format - FILENAME should contain the JSON extension\nExamples:\n\t./p2a -v ./pcap_files/some_pcap_file.pcapng\n\t./p2a --exclude mac,ttl --verbose my-pcap-file.pcap -s results.json\n```\n\nI just added the option to save all results to a JSON file. To do so, one can use the `--save file.json` option. It saves all sessions in this file, whether ambiguities were found in them or not. I am currently working on a way to render the JSON file nicely in an HTML file (using some JavaScript)..\n\n#### Other scripts\n\n__`SHA(IP, Port)`__\n\nWe made the `sha` script available for debug purposes. It takes as argument an IP address and a port number and returns the SHA1 hash of (IP|Port). This value is used as *session identifier* in the `p2a` script.\n\n```sh\nmake sha\n\n./sha -h\nUsage:\n./sha IP PORT\n\n./sha 127.0.0.1 12345\nIP:   127.0.0.1\nPort: 12345\nSHA1: 21bf549a8095063f49cff573e689b6b10365f4c8\n```\n\n__IP addresses and `whois`__\n\nIf one session is suspicious, it can be useful to know what it relates to. To do so, one can use Wireshark and apply a display filter to only display the given session.\n\nA simpler approach can be to use [`whois`](https://whois.icann.org/en) to know who owns the IP address.\n\nTo use `whois` with all of the IP addresses from the capture file:\n\n```sh\nfor ip in $(tshark -r file.pcapng -T fields -e ip.dst -e ip.src | egrep -o \"[0-9]+.[0-9]+.[0-9]+.[0-9]+\" | sort | uniq); do whois $ip | egrep \"^[Oo]rgani[sz]ation\"; done\n```\n\n\u003e If `tshark` does not work, [here's a C script](https://gist.github.com/jbdrvl/eb8d8623714c60384b241ae8068a407d) that will do the same thing.\n\n### \u003ca name=\"anomalies\"\u003e\u003c/a\u003eAnomalies\n\n#### \u003ca name=\"ttl\"\u003e\u003c/a\u003e1 - TTL Expiry Attack\n\nThe **Time To Live** (TTL) field for an IP packet corresponds to how long is that packet 'allowed' to travel around the network before being dropped by routers. It is a 8-bit value that is usually reduced by one on every hop.\n\nAccording to [Cisco's page on the TTL Expiry Attack](https://www.cisco.com/c/en/us/about/security-center/ttl-expiry-attack.html):\n\n\u003e \"When an IOS device receives a packet with a TTL value of less than or equal to one, an **ICMPv4 Type 11, Code 0** message is sent by an IOS device, resulting in a **corresponding impact on the CPU**.  This impact occurs because more CPU processing is required to respond (using TTL-exceeded packets) to packets with TTL values of less than one than to simply forward a packet with a TTL value greater than one.\"\n\n\u003e \"The TTL expiry behavior creates a **denial of service (DoS) attack vector** against network equipment. Network devices are purpose-built to forward ordinary packets as quickly as possible. When exception packets are encountered, such as those with expiring TTL values, varying amounts of effort are expended by a router to respond appropriately.\"\n\n__Analysis/Code:__\n\nIn `utils.c`, we defined a `TTL_THRESHOLD` (=10 for now). If the TTL for a packet is lower than this value, a flag is raised to indicate that the TTL is low. If too many such flags are raised, it could be a TTL Expiry Attack.\n\nThe [sample pcap file](https://github.com/CedricOL07/pcap_tcp_analyser/blob/master/pcap_files/low_ttl_sample.pcapng) (containing a packet with a low TTL) was captured using the scripts located in the `./attack_scripts/low_ttl` directory.\n\n#### \u003ca name=\"arp-poisoning\"\u003e\u003c/a\u003e2 - ARP Poisoning\n\nARP Poisoning consists in fooling a host in believing we are the *default gateway*. The victim regularly asks the *default gateway* its MAC address (ARP protocol). But an attacker can send the victim packets saying that the *default gateway* is at another MAC address (the attack's MAC address for example). The attacker just needs to send those packets \"regularly enough\" so that the victim \"discards\" the real messages from the *default gateway*.\n\nThis can allow the attacker to proceed and attack the victim in many ways: man-in-the-midde, DoS, black-hole, ...\n* MitM: the attacker redirects the traffic from the victim to the real *default gateway* and vice-versa. That way it can sniff the victim's traffic. It can also modify the packets (active man-in-the-middle).\n* Black-hole: the attacker does not process the packets it gets from the victim: the victim cannot connect to the Internet anymore.\n\n**Example:**\n\nThe victim's IP address is `192.168.10.2` and the *default gateway* is at `192.168.1.1`:\n\n```sh\nsudo arpspoofing -i wlan0 -t 192.168.10.2 192.169.1.1\n```\n\nThe attacker will keep on sending the victim ARP packets telling that `192.168.1.1` is at the attacker's MAC address. That way the victim will send its packets (aiming for the Internet) to the attacker, who does not redirect them (`-r` option to redirect them).\n\n__Analysis/Code:__\n\nFor the analysis, since we are only looking at IP packets (for now), `p2a` saves in a *linked list* all pairs `(MAC address, IP address)` that it encounters. When checking a new given pair, it goes through the linked list and returns an error if the IP address is already associated to another MAC address.\n\nFor the example above, our script would detect that `192.168.1.1` (*default gateway*) is associated to two different MAC addresses: the real one, until the attacker comes in and tell the victim that it is the *default gateway* and that its MAC address gets associated to the *default gateway* (from the victim's point of vue).\n\n#### \u003ca name=\"tcp-retransmission\"\u003e\u003c/a\u003e3 - TCP Retransmission\n\nEach byte of data sent in a TCP connection has an associated *sequence number*. This is indicated on the sequence number field of the *TCP header*.\n\nWhen the receiving socket detects an incoming segment of data, it uses the *acknowledgement number* in the TCP header to indicate receipt. After sending a packet of data, the sender will start a retransmission timer of variable length. If it does not receive an acknowledgment before the timer expires, the sender will assume the segment has been lost and will retransmit it.\n\nWe can see **TCP retransmission** when another packet owns the same acknowledgment and sequence numbers as the current packet.\n\n\u003e TCP Retransmissions are quite common and can be totally normal (if one packet is retransmitted because it was legitimately lost), but can also be the sign of an issue on the network or on a communication.\n\n#### \u003ca name=\"overlapping-fragments\"\u003e\u003c/a\u003e4 - Overlapping Fragments\n\nThe **IP fragment overlapped** exploit occurs when two fragments contained within the *same IP packet* have offsets that indicate that they **overlap** each other in positioning within the packet. This could mean that either fragment A is being *completely* overwritten by fragment B, or that fragment A is *partially* being overwritten by fragment B. Some operating systems do not properly handle fragments that overlap in this manner and may throw exceptions or behave in other undesirable ways upon receipt of overlapping fragments. This is the basis for the **teardrop attack**. (*from Wikipedia*)\n\nOverlapping fragments may also be used in an attempt to **bypass Intrusion Detection Systems**. In this exploit, part of an attack is sent in fragments along with additional random data; future fragments may overwrite the random data with the remainder of the attack. If the completed packet is not properly reassembled at the IDS, the attack will go undetected.\n\n\u003e __Teardrop attack:__ involves sending mangled IP fragments with overlapping, oversized payloads to the target machine.\n\n\u003e NOT IMPLEMENTED YET\n\n#### \u003ca name=\"multiple-ttl\"\u003e\u003c/a\u003e5 - Multiple TTL values\n\nIf we observe multiple TTL values for a given session, it could mean that the route has changed, meaning that the packets do not follow the same path as the end of the connection as they did at the beginning. This could be due to outside genuine changes but could also mean an attacker changes the route the packets take (to do a MiTM attack for example).\n\nHowever, most of the time, one session has two or three different TTL values throughout the whole connection: most of the time, the client and the server do not use the same initial TTL values.\n\nThe script returns an error if there are more than two different TTL values for a given session.\n\n\n### \u003ca name=\"dir\"\u003e\u003c/a\u003eProject directories\n\n| Directory | Description/content  |\n| :------------- | :------------- |\n| `./attack_scripts` | Simple scripts to test and record some TCP ambiguities (spoofing, low TTL) |\n| `./pcap_files` | PCAP files to test `p2a` |\n| `./tests_libpcap` | Two scripts to test and start using `libpcap` |\n\n## \u003ca name=\"references\"\u003e\u003c/a\u003eReferences and external documentation\n\n### `libpcap`\n\n* [Proramming with pcap](http://www.tcpdump.org/pcap.html)\n* [Programming with Libpcap - Sniffing the Network From Your Own Application](http://recursos.aldabaknocking.com/libpcapHakin9LuisMartinGarcia.pdf)\n* [`pcap` apps](http://www.stearns.org/doc/pcap-apps.html)\n    * `pcap` sample files at the end of the web page\n* [The BSD Packet Filter: A New Architecture for User-level Packet Capture](http://www.tcpdump.org//papers/bpf-usenix93.pdf)\n* [`tcpdump` filters](http://alumni.cs.ucr.edu/~marios/ethereal-tcpdump.pdf)\n* [`libpcap` tutorial](http://yuba.stanford.edu/~casado/pcap)\n* [Using `libpcap` in C](https://www.devdungeon.com/content/using-libpcap-c)\n* [`pcap.h` manual page](http://www.manpagez.com/man/3/pcap/)\n\n### TCP Analysis\n* [Packet Reassembly - Wireshark](https://www.wireshark.org/docs/wsug_html_chunked/ChAdvReassemblySection.html#ChAdvReassemblyTcp)\n* [TCP Analysis - Wireshark](https://www.wireshark.org/docs/wsug_html_chunked/ChAdvTCPAnalysis.html)\n\n### TTL Expiry Attack\n* [TTL - Wikipedia](https://en.wikipedia.org/wiki/Time_to_live)\n* [TTL Expiry Attack Identification and Mitigation - CISCO](https://www.cisco.com/c/en/us/about/security-center/ttl-expiry-attack.html)\n\n### TCP Retransmission\n\n* [TCP - Retransmission](https://www.performancevision.com/blog/network-packet-loss-retransmissions-and-duplicate-acknowledgements/)\n\n### Teardrop\n* [IP fragment overlapped- Wikipedia](https://en.wikipedia.org/wiki/IP_fragmentation_attack)\n* [Tear Drop Attack - Wikipedia](https://en.wikipedia.org/wiki/Denial-of-service_attack#Teardrop_attacks)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcedricol07%2Fp2a","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcedricol07%2Fp2a","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcedricol07%2Fp2a/lists"}