{"id":13775348,"url":"https://github.com/lucadivit/pcap_features_extraction","last_synced_at":"2025-05-11T07:32:28.815Z","repository":{"id":196927900,"uuid":"197732110","full_name":"lucadivit/Pcap_Features_Extraction","owner":"lucadivit","description":"This program allow you to extract some features from pcap files.","archived":false,"fork":false,"pushed_at":"2023-04-04T14:00:41.000Z","size":1881,"stargazers_count":38,"open_issues_count":6,"forks_count":9,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-11-17T10:39:46.739Z","etag":null,"topics":["attacker","csv","feature-extraction","features","legitimate-pcap","malware","malware-analysis","packet-analyser","packet-filter","pca-analysis","pcap"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lucadivit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-07-19T08:16:34.000Z","updated_at":"2024-03-19T20:17:11.000Z","dependencies_parsed_at":null,"dependency_job_id":"defad14e-d7b0-481a-9827-967bf20dcb22","html_url":"https://github.com/lucadivit/Pcap_Features_Extraction","commit_stats":null,"previous_names":["lucadivit/pcap_features_extraction"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lucadivit%2FPcap_Features_Extraction","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lucadivit%2FPcap_Features_Extraction/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lucadivit%2FPcap_Features_Extraction/releases","manifests_url":"https://repos.ecosys
te.ms/api/v1/hosts/GitHub/repositories/lucadivit%2FPcap_Features_Extraction/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lucadivit","download_url":"https://codeload.github.com/lucadivit/Pcap_Features_Extraction/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253533991,"owners_count":21923515,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attacker","csv","feature-extraction","features","legitimate-pcap","malware","malware-analysis","packet-analyser","packet-filter","pca-analysis","pcap"],"created_at":"2024-08-03T17:01:37.226Z","updated_at":"2025-05-11T07:32:27.580Z","avatar_url":"https://github.com/lucadivit.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"f13469c9891173804423be4403b2c4ff\"\u003e\u003c/a\u003epcap"],"sub_categories":["\u003ca id=\"eb49514924c3f4bf2acf6f3a4436af13\"\u003e\u003c/a\u003eUncategorized"],"readme":"# Pcap_Features_Extraction\nThis program allows you to extract a set of features from pcap files.\n## Folders\nPut the pcaps to be processed in their respective folders (one folder for malware pcaps, one for legitimate pcaps).\n## Features Calculation\nThe FeaturesCalc.py file contains the code that calculates the features. The program is designed for two types of pcaps: malware pcaps and legitimate pcaps. 
There are 26 features (25 computed over a window of packets, plus the label):\n- Avg_syn_flag: The average of packets with the SYN flag set in a window of packets (the other Avg_*_flag features are defined in the same way for their flag).\n- Avg_urg_flag\n- Avg_fin_flag\n- Avg_ack_flag\n- Avg_psh_flag\n- Avg_rst_flag\n- Avg_DNS_pkt: The average of DNS packets in a window of packets (Avg_TCP_pkt, Avg_UDP_pkt and Avg_ICMP_pkt are defined in the same way for their protocol).\n- Avg_TCP_pkt\n- Avg_UDP_pkt\n- Avg_ICMP_pkt\n- Duration_window_flow: The time from the first packet to the last packet in a window of packets.\n- Avg_delta_time: The average of the delta times in a window of packets. The delta time is the time from one packet to the next.\n- Min_delta_time: The minimum delta time in a window of packets.\n- Max_delta_time: The maximum delta time in a window of packets.\n- StDev_delta_time: The standard deviation of the delta times in a window of packets.\n- Avg_pkts_lenght: The average packet length in a window of packets (the Min, Max and StDev variants follow the same pattern).\n- Min_pkts_lenght\n- Max_pkts_lenght\n- StDev_pkts_lenght\n- Avg_small_payload_pkt: The average of packets with a small payload. A payload is considered small if its size is lower than 32 bytes.\n- Avg_payload: The average payload size in a window of packets.\n- Min_payload\n- Max_payload\n- StDev_payload\n- Avg_DNS_over_TCP: The average of the ratio DNS/TCP in a window of packets.\n- Label: 0 if the pcap is legitimate, 1 if it is malware.\n## CSV\nThe features are saved in a CSV file.\n### Example\n```\n# featuresCalc is the features calculator from FeaturesCalc.py;\n# array_of_pkts is one window of packets read from a pcap.\ncsv = CSV(file_name=\"features\")\ncsv.create_empty_csv()\n# Add the header row (the feature names) to the CSV file.\ncsv.add_row(featuresCalc.get_features_name())\n# Compute the features of one window and add them as a row.\nfeatures = featuresCalc.compute_features(array_of_pkts)\ncsv.add_row(features)\n```\n## Attacker Calculation\nAttackerCalc.py computes the attacker of a malware pcap. The first IP in a malware pcap is probably the attacker because it starts the communication flow. This is a heuristic: it does not hold when the capture starts in the middle of a session or when the infected host initiates the connection (for example, beaconing to a command-and-control server), so check the result before using it as a whitelist.\n\n## Packet Filter \nPacketFilter.py filters a packet. 
\n### Example\n```\nattacker = AttackerCalc(pcap=pcap)\nip_to_consider = attacker.compute_attacker()\nip_to_ignore = [\"127.0.0.1\"]\n\nfilter_1 = PacketFilter(ip_whitelist_filter=ip_to_consider, ip_blacklist_filter=[], TCP=True)\n```\nThis filter accepts all the packets with IP ip_to_consider that have a TCP layer.\n```\nfilter_2 = PacketFilter(ip_whitelist_filter=[], ip_blacklist_filter=ip_to_ignore, UDP=True)\n```\nThis filter accepts all the packets with a UDP layer whose IP is not in ip_to_ignore.\n```\nfilter_3 = PacketFilter(ip_whitelist_filter=[], ip_blacklist_filter=[], IPv4=True)\n```\nThis filter accepts all packets with an IP layer.\nYou can combine filters in the following way:\n```\nfilter_1 = PacketFilter(ip_whitelist_filter=[], ip_blacklist_filter=[], TCP=True, UDP=False)\nfilter_2 = PacketFilter(ip_whitelist_filter=[], ip_blacklist_filter=[], TCP=False, UDP=True)\n# check_packet_filter returns True when the packet passes the filter.\nif filter_1.check_packet_filter(pkt) or filter_2.check_packet_filter(pkt):\n    print(\"pkt accepted\")\n```\nThis code accepts a packet if it has a TCP layer or a UDP layer.\n\n## Example Of Usage\nMain.py contains an example of usage of this program. You can run it with:\n```\npython3 Main.py\n```\nThis file creates a single CSV every run. So if you put 4 pcaps in one folder (or in both folders), Main.py creates a single CSV with the features of 4 (or 8) pcaps.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flucadivit%2Fpcap_features_extraction","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flucadivit%2Fpcap_features_extraction","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flucadivit%2Fpcap_features_extraction/lists"}
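Added example, not code from the Pcap_Features_Extraction project: a standard-library Python script that builds a small constructed pcap in memory, parses it, computes the 26 features the README lists for one window of packets, applies the README's first-IP attacker heuristic, and filters packets by IP whitelist/blacklist and layer in the spirit of PacketFilter. Everything here is this example's own assumption rather than the project's API: the function names (`frame`, `tcp`, `udp`, `pcap`, `parse_pcap`, `compute_features`, `compute_attacker`, `packet_filter`), the dict-per-packet representation, the addresses and timings of the constructed traffic, reading Avg_* as the per-packet fraction with that property and StDev_* as the population standard deviation, and the guard that returns 0.0 for Avg_DNS_over_TCP when a window contains no TCP packets.

```python
"""Added example (standard library only, not the project's code): constructed pcap -> README features."""
import statistics
import struct

SMALL_PAYLOAD = 32  # README threshold: a payload below 32 bytes is "small"
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def frame(src, dst, proto, l4):
    """Ethernet II + minimal IPv4 header (checksum left zero) + transport bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload

def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def pcap(records):
    """Classic little-endian pcap: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in records:
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Flatten each IPv4/TCP/UDP/ICMP record into a dict of the fields the features need."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        fr, off = data[off + 16:off + 16 + incl], off + 16 + incl
        p = dict(time=sec + usec / 1e6, len=len(fr), ip=False, tcp=False, udp=False,
                 icmp=False, dns=False, flags=0, payload=0, src=None, dst=None)
        if len(fr) >= 34 and fr[12:14] == b"\x08\x00":  # EtherType IPv4
            l4, proto = fr[14 + (fr[14] & 0x0F) * 4:], fr[23]
            p.update(ip=True, src=".".join(map(str, fr[26:30])), dst=".".join(map(str, fr[30:34])))
            if proto == 6 and len(l4) >= 20:  # DNS = either port is 53, as for UDP below
                p.update(tcp=True, flags=l4[13], payload=len(l4) - (l4[12] >> 4) * 4,
                         dns=53 in struct.unpack("!HH", l4[:4]))
            elif proto == 17 and len(l4) >= 8:
                p.update(udp=True, payload=len(l4) - 8, dns=53 in struct.unpack("!HH", l4[:4]))
            elif proto == 1:
                p.update(icmp=True, payload=max(len(l4) - 8, 0))
        pkts.append(p)
    return pkts

def compute_features(window, label):
    """The README's 26 features for one window. Avg_* counters are the fraction of packets
    with that property and StDev_* is the population standard deviation (assumptions)."""
    n = len(window)
    mean = lambda xs: sum(xs) / n
    times = [p["time"] for p in window]
    deltas = [b - a for a, b in zip(times, times[1:])] or [0.0]  # single-packet window
    lens, pays = [p["len"] for p in window], [p["payload"] for p in window]
    tcp_n, dns_n = sum(p["tcp"] for p in window), sum(p["dns"] for p in window)
    f = {}
    for name, bit in (("syn", SYN), ("urg", URG), ("fin", FIN), ("ack", ACK), ("psh", PSH), ("rst", RST)):
        f[f"Avg_{name}_flag"] = mean([int(bool(p["tcp"] and p["flags"] & bit)) for p in window])
    for name, key in (("DNS", "dns"), ("TCP", "tcp"), ("UDP", "udp"), ("ICMP", "icmp")):
        f[f"Avg_{name}_pkt"] = mean([int(p[key]) for p in window])
    f["Duration_window_flow"] = times[-1] - times[0]
    f.update(Avg_delta_time=sum(deltas) / len(deltas), Min_delta_time=min(deltas),
             Max_delta_time=max(deltas), StDev_delta_time=statistics.pstdev(deltas))
    f.update(Avg_pkts_lenght=mean(lens), Min_pkts_lenght=min(lens),
             Max_pkts_lenght=max(lens), StDev_pkts_lenght=statistics.pstdev(lens))
    f["Avg_small_payload_pkt"] = mean([int(p["payload"] < SMALL_PAYLOAD) for p in window])
    f.update(Avg_payload=mean(pays), Min_payload=min(pays), Max_payload=max(pays),
             StDev_payload=statistics.pstdev(pays))
    f["Avg_DNS_over_TCP"] = dns_n / tcp_n if tcp_n else 0.0  # guard: window without TCP
    f["Label"] = label
    return f

def compute_attacker(pkts):
    """README heuristic: the source of the first IP packet started the flow."""
    return next(p["src"] for p in pkts if p["ip"])

def packet_filter(p, whitelist=(), blacklist=(), TCP=False, UDP=False, IPv4=False):
    """Accept when src or dst is whitelisted (if a whitelist is given), neither address is
    blacklisted, and the packet carries one of the requested layers."""
    if not p["ip"]:
        return False
    addrs = {p["src"], p["dst"]}
    if (whitelist and not addrs & set(whitelist)) or addrs & set(blacklist):
        return False
    return (TCP and p["tcp"]) or (UDP and p["udp"]) or IPv4


ATTACKER, VICTIM, RESOLVER = "10.0.0.5", "192.168.1.10", "8.8.8.8"  # constructed addresses
SAMPLE_PCAP = pcap([  # constructed "malware" capture: handshake + data, DNS query, ping, loopback noise
    (0.00, frame(ATTACKER, VICTIM, 6, tcp(40000, 80, SYN))),
    (0.01, frame(VICTIM, ATTACKER, 6, tcp(80, 40000, SYN | ACK))),
    (0.02, frame(ATTACKER, VICTIM, 6, tcp(40000, 80, ACK))),
    (0.03, frame(ATTACKER, VICTIM, 6, tcp(40000, 80, PSH | ACK, b"A" * 40))),
    (0.20, frame(VICTIM, RESOLVER, 17, udp(5353, 53, b"Q" * 29))),
    (0.25, frame(ATTACKER, VICTIM, 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))),
    (0.30, frame("127.0.0.1", "127.0.0.1", 17, udp(5000, 6000, b"ping"))),
])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    attacker = compute_attacker(pkts)  # "10.0.0.5": it sent the first packet
    window = [p for p in pkts if packet_filter(p, whitelist=[attacker], TCP=True)]
    for k, v in compute_features(window, label=1).items():
        print(f"{k}: {v}")
```

Running the script prints the feature row for the TCP packets that involve the attacker, which is the kind of row the README's CSV example appends. The window passed to `compute_features` is whatever subset the filter produced, so the same function serves a whole pcap, a fixed-size window, or a per-host flow.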