aidmar.wainakh 6 years ago
commit 49c8fb2faf
1 changed files with 5 additions and 4 deletions
      README.md

README.md

@@ -41,7 +41,7 @@ The following packages/libraries are required to compile the ID2T C++ modules
 
 #### Required Python Packages
 The following python packages are required to run ID2T. Install the packages with your preferred package manager. For example, you can use pip3 (pip for python 3). Install pip3 in ubuntu with ``apt install python3-pip`` and install the packages with ``sudo pip3 install <packagename>``.
-* ``scapy-python3`` (make sure its the python3 version)
+* ``scapy`` (make sure its the python3 version)
 * ``lea``
 * ``matplotlib``
 * ``SciPy Stack`` (see [installation instructions](https://www.scipy.org/install.html))
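Review bot: the renamed package line (`* ``scapy`` (make sure its the python3 version)`) keeps a parenthetical that no longer matches the change: `scapy-python3` was the separate Python 3 fork, while the `scapy` distribution now covers Python 3 itself, so either drop the note or state the minimum `scapy` version that ID2T needs (and fix "its" to "it's"). While this list is being touched, the unchanged instruction above it, `sudo pip3 install <packagename>`, installs unpinned packages as root into the system site-packages; recommending a virtualenv or `pip3 install --user` with pinned versions (a requirements file) would be the safer wording for a tool that ingests untrusted PCAPs.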
@@ -69,7 +69,7 @@ In this section, we provide examples on how ID2T is used.
 ### Injecting an attack into an existing dataset
 In the following we inject the _PortscanAttack_ into the dataset *pcap_capture.pcap*:
 
-`` ./id2t -i /home/user/pcap_capture.pcap -a PortscanAttack ip.src=192.168.178.2 mac.src=32-08-24-DC-8D-27 inject.at-timestamp=1476301843 ``
+`` ./id2t -i /home/user/pcap_capture.pcap -a PortscanAttack ip.src=192.168.178.2 mac.src=32:08:24:DC:8D:27 inject.at-timestamp=1476301843 ``
 
 __Explanation__: The parameter ``-i/--input`` takes the path to the PCAP file. This triggers the statistics calculation of the file. After the calculation, the statistics are stored into a SQLite database. If the statistics were already computed in an earlier run, the data is retrieved from the generated database. This saves time as the calculation of the statistics may take long time - depending on the PCAP file size.
 
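Review bot: the MAC separator in the example changes from `-` to `:` (`mac.src=32:08:24:DC:8D:27`) without saying which notation ID2T's parameter parser accepts; if the dash form that the README documented until now is rejected, a short note on the accepted `mac.src` format (colon-separated, and whether hex case matters) next to the example would spare users the same mismatch, and if both forms are accepted the change is purely cosmetic and should say so.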
@@ -80,7 +80,7 @@ The toolkit recognizes if the input dataset has an associated label file. This r
 
 ### The Statistics database
 Whenever ID2T processes a pcap file, it creates a database detailing many things related to the network traffic it has processed. These details can be seen using the _query mode_ of ID2T. To specify a query against a pcap file, use the option ``-q/--query`. For example, if we want to know the IP address with the most activity in the pcap file 'test.pcap' we can issue the command:
-    ./id2t -i test.pcap -q most_used(ipAddress)
+    ./id2t -i test.pcap -q 'most_used(ipAddress);'
 
 The _query mode_ serves as a place where standard SQL queries (known as _user-defined queries_) can be issued against the database created for a pcap file. Furthermore, the most commonly used queries are provided with special keywords known as _named queries_.
 
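Review bot: quoting the query (`./id2t -i test.pcap -q 'most_used(ipAddress);'`) is the right fix, since unquoted parentheses are shell syntax and the trailing `;` matches the rule stated later that every query must end with a semicolon, but a one-line explanation of why the quotes are needed would help readers who only see this hunk. The unchanged line above it also has a mismatched backtick pair, ``` ``-q/--query` ```, which should be ``` ``-q/--query`` ``` so the option renders as code.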
@@ -95,7 +95,7 @@ The _named queries_ can be further divided into two classes:
 - _extractors_ - can be applied on gathered data and always reduce the result set to a single element
   - e.g. ``random(...)`` returns a randomly chosen element of the list
 
-A complete list of supported named queries can be found in section [Named Queries](#named-queries). The database scheme, required for building SQL queries, is documented in the wiki article [DB Tables and Fields](https://git.tk.informatik.tu-darmstadt.de/SPIN/ID2T-toolkit/wiki/Statistics-DB%3A-Tables)
+A complete list of supported named queries can be found in section [Named Queries](#named-queries). The database scheme, required for building SQL queries, is documented in the wiki article [DB Tables and Fields](/wiki/Statistics-DB%3A-Tables)
 
 If  ``-q/--query`` is called without an argument, the application enters into REPL query mode. This mode is like a standard read-eval-print-loop (REPL) for SQL queries. In this mode, the user can repeatedly input queries (each query must finish with a ";" (semicolon)); send the query by pressing ENTER and see the response in the terminal:
 
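Review bot: the wiki link is changed from an absolute URL to the site-relative path `/wiki/Statistics-DB%3A-Tables`, which resolves only when the README is rendered by the hosting Gitea/GitHub instance; viewed from a local clone or a mirror the link is dead. If the intent is to survive a move of the repository, a repository-relative link is still preferable to dropping the host entirely, or the absolute URL should stay. Minor: the unchanged line below it has a double space in `If  ``-q/--query```.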
@@ -176,3 +176,4 @@ The [SemVer](http://semver.org/spec/v2.0.0.html) is used for versioning. For cur
 ## License
 
 Distributed under the MIT license. See [LICENSE](LICENSE.md) for more information.
+
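Review bot: this hunk adds an empty line after the license paragraph rather than only restoring a missing newline at end of file; it is harmless, but it is unrelated to the documentation fixes in the other hunks and a trailing blank line will be flagged by most markdown linters.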