Home Explore Help
Sign In
SPIN
/
ID2T-toolkit
6
5
Fork 2
Files Issues 20 Pull Requests 0 Wiki
Tree: 18e4e554c8
Branches Tags
ID2T-toolkit
/
code_boost
/
src
/
cxx
/
statistics.h

statistics.h 8.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311 
  1. /*
    2. 

  2.  * Class providing containers and access methods for statistical data collection.
    3. 

  3.  */
    4. 

  4. #ifndef CPP_PCAPREADER_STATISTICS_H
    5. 

  5. #define CPP_PCAPREADER_STATISTICS_H
    6. 

  6. 

  7. 

  8. #include <unordered_map>
    9. 

  9. #include <list>
    10. 

  10. #include <tuple>
    11. 

  11. #include <tins/timestamp.h>
    12. 

  12. #include <tins/ip_address.h>
    13. 

  13. 

  14. /*
    15. 

  15.  * Definition of structs used in unordered_map fields
    16. 

  16.  */
    17. 

  17. 

  18. /*
    19. 

  19.  * Struct used as data structure for method get_stats_for_ip, represents:
    20. 

  20.  * - Incoming bandwidth in KBits
    21. 

  21.  * - Outgoing bandwidth in KBits
    22. 

  22.  * - Number of incoming packets per second
    23. 

  23.  * - Number of outgoing packets per second
    24. 

  24.  * - Average size of sent packets in kbytes
    25. 

  25.  * - Average size of received packets in kybtes
    26. 

  26.  * - Average value of TCP option Maximum Segment Size (MSS)
    27. 

  27.  */
    28. 

  28. struct ip_stats {
    29. 

  29.     float bandwidthKBitsIn;
    30. 

  30.     float bandwidthKBitsOut;
    31. 

  31.     float packetPerSecondIn;
    32. 

  32.     float packetPerSecondOut;
    33. 

  33.     float AvgPacketSizeSent;
    34. 

  34.     float AvgPacketSizeRecv;
    35. 

  35.     long AvgMaxSegmentSizeTCP;
    36. 

  36. };
    37. 

  37. 

  38. // Aidmar
    39. 

  39. /*
    40. 

  40.  * Struct used to represent:
    41. 

  41.  * - IP address (IPv4 or IPv6)
    42. 

  42.  * - MSS value
    43. 

  43.  */
    44. 

  44. struct ipAddress_mss {
    45. 

  45.     std::string ipAddress;
    46. 

  46.     int mssValue;
    47. 

  47. 

  48.     bool operator==(const ipAddress_mss &other) const {
    49. 

  49.         return ipAddress == other.ipAddress
    50. 

  50.                && mssValue == other.mssValue;
    51. 

  51.     }
    52. 

  52. };
    53. 

  53. 

  54. // Aidmar
    55. 

  55. /*
    56. 

  56.  * Struct used to represent:
    57. 

  57.  * - IP address (IPv4 or IPv6)
    58. 

  58.  * - Window size
    59. 

  59.  */
    60. 

  60. struct ipAddress_win {
    61. 

  61.     std::string ipAddress;
    62. 

  62.     int winSize;
    63. 

  63. 

  64.     bool operator==(const ipAddress_win &other) const {
    65. 

  65.         return ipAddress == other.ipAddress
    66. 

  66.                && winSize == other.winSize;
    67. 

  67.     }
    68. 

  68. };
    69. 

  69. 

  70. 

  71. /*
    72. 

  72.  * Struct used to represent:
    73. 

  73.  * - IP address (IPv4 or IPv6)
    74. 

  74.  * - TTL value
    75. 

  75.  */
    76. 

  76. struct ipAddress_ttl {
    77. 

  77.     std::string ipAddress;
    78. 

  78.     int ttlValue;
    79. 

  79. 

  80.     bool operator==(const ipAddress_ttl &other) const {
    81. 

  81.         return ipAddress == other.ipAddress
    82. 

  82.                && ttlValue == other.ttlValue;
    83. 

  83.     }
    84. 

  84. };
    85. 

  85. 

  86. /*
    87. 

  87.  * Struct used to represent:
    88. 

  88.  * - IP address (IPv4 or IPv6)
    89. 

  89.  * - Protocol (e.g. TCP, UDP, IPv4, IPv6)
    90. 

  90.  */
    91. 

  91. struct ipAddress_protocol {
    92. 

  92.     std::string ipAddress;
    93. 

  93.     std::string protocol;
    94. 

  94. 

  95.     bool operator==(const ipAddress_protocol &other) const {
    96. 

  96.         return ipAddress == other.ipAddress
    97. 

  97.                && protocol == other.protocol;
    98. 

  98.     }
    99. 

  99. };
    100. 

  100. 

  101. /*
    102. 

  102.  * Struct used to represent:
    103. 

  103.  * - Number of received packets
    104. 

  104.  * - Number of sent packets
    105. 

  105.  * - Data received in kbytes
    106. 

  106.  * - Data sent in kbytes
    107. 

  107.  */
    108. 

  108. struct entry_ipStat {
    109. 

  109.     long pkts_received;
    110. 

  110.     long pkts_sent;
    111. 

  111.     float kbytes_received;
    112. 

  112.     float kbytes_sent;
    113. 

  113.     // Aidmar - to calculate tn/r score
    114. 

  114.     long firstAppearAsSenderPktCount;
    115. 

  115.     long firstAppearAsReceiverPktCount;
    116. 

  116.     long sourceAnomalyScore;
    117. 

  117.     long destinationAnomalyScore;
    118. 

  118. 

  119.     bool operator==(const entry_ipStat &other) const {
    120. 

  120.         return pkts_received == other.pkts_received
    121. 

  121.                && pkts_sent == other.pkts_sent
    122. 

  122.                && kbytes_sent == other.kbytes_sent
    123. 

  123.                && kbytes_received == other.kbytes_received
    124. 

  124.                // Aidmar
    125. 

  125.                && firstAppearAsSenderPktCount == other.firstAppearAsSenderPktCount
    126. 

  126.                && firstAppearAsReceiverPktCount == other.firstAppearAsReceiverPktCount
    127. 

  127.                && sourceAnomalyScore == other.sourceAnomalyScore
    128. 

  128.                && destinationAnomalyScore == other.destinationAnomalyScore;
    129. 

  129.     }
    130. 

  130. };
    131. 

  131. 

  132. /*
    133. 

  133.  * Struct used to represent:
    134. 

  134.  * - IP address (IPv4 or IPv6)
    135. 

  135.    - Traffic direction (out: outgoing connection, in: incoming connection)
    136. 

  136.  * - Port number
    137. 

  137.  */
    138. 

  138. struct ipAddress_inOut_port {
    139. 

  139.     std::string ipAddress;
    140. 

  140.     std::string trafficDirection;
    141. 

  141.     int portNumber;
    142. 

  142. 

  143.     bool operator==(const ipAddress_inOut_port &other) const {
    144. 

  144.         return ipAddress == other.ipAddress
    145. 

  145.                && trafficDirection == other.trafficDirection
    146. 

  146.                && portNumber == other.portNumber;
    147. 

  147.     }
    148. 

  148. 

  149. };
    150. 

  150. 

  151. /*
    152. 

  152.  * Definition of hash functions for structs used as key in unordered_map
    153. 

  153.  */
    154. 

  154. namespace std {
    155. 

  155.     template<>
    156. 

  156.     struct hash<ipAddress_ttl> {
    157. 

  157.         std::size_t operator()(const ipAddress_ttl &k) const {
    158. 

  158.             using std::size_t;
    159. 

  159.             using std::hash;
    160. 

  160.             using std::string;
    161. 

  161.             return ((hash<string>()(k.ipAddress)
    162. 

  162.                      ^ (hash<int>()(k.ttlValue) << 1)) >> 1);
    163. 

  163.         }
    164. 

  164.     };
    165. 

  165. 

  166.     // Aidmar
    167. 

  167.       template<>
    168. 

  168.     struct hash<ipAddress_mss> {
    169. 

  169.         std::size_t operator()(const ipAddress_mss &k) const {
    170. 

  170.             using std::size_t;
    171. 

  171.             using std::hash;
    172. 

  172.             using std::string;
    173. 

  173.             return ((hash<string>()(k.ipAddress)
    174. 

  174.                      ^ (hash<int>()(k.mssValue) << 1)) >> 1);
    175. 

  175.         }
    176. 

  176.     };
    177. 

  177. 

  178.     // Aidmar
    179. 

  179.       template<>
    180. 

  180.     struct hash<ipAddress_win> {
    181. 

  181.         std::size_t operator()(const ipAddress_win &k) const {
    182. 

  182.             using std::size_t;
    183. 

  183.             using std::hash;
    184. 

  184.             using std::string;
    185. 

  185.             return ((hash<string>()(k.ipAddress)
    186. 

  186.                      ^ (hash<int>()(k.winSize) << 1)) >> 1);
    187. 

  187.         }
    188. 

  188.     };
    189. 

  189. 

  190.     template<>
    191. 

  191.     struct hash<ipAddress_protocol> {
    192. 

  192.         std::size_t operator()(const ipAddress_protocol &k) const {
    193. 

  193.             using std::size_t;
    194. 

  194.             using std::hash;
    195. 

  195.             using std::string;
    196. 

  196.             return ((hash<string>()(k.ipAddress)
    197. 

  197.                      ^ (hash<string>()(k.protocol) << 1)) >> 1);
    198. 

  198.         }
    199. 

  199.     };
    200. 

  200. 

  201.     template<>
    202. 

  202.     struct hash<ipAddress_inOut_port> {
    203. 

  203.         std::size_t operator()(const ipAddress_inOut_port &k) const {
    204. 

  204.             using std::size_t;
    205. 

  205.             using std::hash;
    206. 

  206.             using std::string;
    207. 

  207.             return ((hash<string>()(k.ipAddress)
    208. 

  208.                      ^ (hash<string>()(k.trafficDirection) << 1)) >> 1)
    209. 

  209.                    ^ (hash<int>()(k.portNumber) << 1);
    210. 

  210.         }
    211. 

  211.     };
    212. 

  212. }
    213. 

  213. 

  214. class statistics {
    215. 

  215. public:
    216. 

  216.     /*
    217. 

  217.      * Constructor
    218. 

  218.      */
    219. 

  219.     statistics();
    220. 

  220. 

  221.     /*
    222. 

  222.      * Methods
    223. 

  223.      */
    224. 

  224.     std::string getFormattedTimestamp(time_t seconds, suseconds_t microseconds) const;
    225. 

  225. 

  226.     /*
    227. 

  227.     * Access methods for containers
    228. 

  228.     */
    229. 

  229.     void incrementPacketCount();
    230. 

  230. 

  231.     // Adimar
    232. 

  232.     void incrementMSScount(std::string ipAddress, int mssValue);
    233. 

  233.     void incrementWinCount(std::string ipAddress, int winSize);
    234. 

  234.     void addIPEntropy();
    235. 

  235. 

  236.     void incrementTTLcount(std::string ipAddress, int ttlValue);
    237. 

  237. 

  238.     void incrementProtocolCount(std::string ipAddress, std::string protocol);
    239. 

  239. 

  240.     void incrementPortCount(std::string ipAddressSender, int outgoingPort, std::string ipAddressReceiver,
    241. 

  241.                             int incomingPort);
    242. 

  242. 

  243.     int getProtocolCount(std::string ipAddress, std::string protocol);
    244. 

  244. 

  245.     void setTimestampFirstPacket(Tins::Timestamp ts);
    246. 

  246. 

  247.     void setTimestampLastPacket(Tins::Timestamp ts);
    248. 

  248. 

  249.     void assignMacAddress(std::string ipAddress, std::string macAddress);
    250. 

  250. 

  251.     void addIpStat_packetSent(std::string ipAddressSender, std::string ipAddressReceiver, long bytesSent);
    252. 

  252. 

  253.     void addMSS(std::string ipAddress, int MSSvalue);
    254. 

  254. 

  255.     void writeToDatabase(std::string database_path);
    256. 

  256. 

  257.     void addPacketSize(uint32_t packetSize);
    258. 

  258. 

  259.     std::string getCaptureDurationTimestamp() const;
    260. 

  260. 

  261.     float getCaptureDurationSeconds() const;
    262. 

  262. 

  263.     float getAvgPacketSize() const;
    264. 

  264. 

  265.     void printStats(std::string ipAddress);
    266. 

  266. 

  267.     /*
    268. 

  268.      * IP Address-specific statistics
    269. 

  269.      */
    270. 

  270.     ip_stats getStatsForIP(std::string ipAddress);
    271. 

  271. 

  272. 

  273. private:
    274. 

  274.     /*
    275. 

  275.      * Data fields
    276. 

  276.      */
    277. 

  277.     Tins::Timestamp timestamp_firstPacket;
    278. 

  278.     Tins::Timestamp timestamp_lastPacket;
    279. 

  279.     float sumPacketSize = 0;
    280. 

  280.     int packetCount = 0;
    281. 

  281. 

  282.     /*
    283. 

  283.      * Data containers
    284. 

  284.      */
    285. 

  285.     // {IP Address, TTL value, count}
    286. 

  286.     std::unordered_map<ipAddress_ttl, int> ttl_distribution;
    287. 

  287. 

  288.     // Aidmar
    289. 

  289.     // {IP Address, MSS value, count}
    290. 

  290.     std::unordered_map<ipAddress_mss, int> mss_distribution;
    291. 

  291.     // {IP Address, Win size, count}
    292. 

  292.     std::unordered_map<ipAddress_win, int> win_distribution;
    293. 

  293. 

  294.     // {IP Address, Protocol, count}
    295. 

  295.     std::unordered_map<ipAddress_protocol, int> protocol_distribution;
    296. 

  296. 

  297.     // {IP Address,  #received packets, #sent packets, Data received in kbytes, Data sent in kbytes}
    298. 

  298.     std::unordered_map<std::string, entry_ipStat> ip_statistics;
    299. 

  299. 

  300.     // {IP Address, in_out, Port Number, count}
    301. 

  301.     std::unordered_map<ipAddress_inOut_port, int> ip_ports;
    302. 

  302. 

  303.     // {IP Address, MAC Address}
    304. 

  304.     std::unordered_map<std::string, std::string> ip_mac_mapping;
    305. 

  305. 

  306.     // {IP Address, avg MSS}
    307. 

  307.     std::unordered_map<std::string, int> ip_sumMss;
    308. 

  308. };
    309. 

  309. 

  310. 

  311. #endif //CPP_PCAPREADER_STATISTICS_H
    312.