"""
.. module:: pathspider.chains.basic
   :synopsis: A flow analysis chain for basic TCP/IP flow information
This module contains the BasicChain flow analysis chain which can be used by
PATHspider's Observer for recording source and destination addresses and
packet/octet counts.
"""
from pathspider.chains.base import Chain
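class BasicChain(Chain):
    """
    This flow analysis chain records details from the TCP/IP headers.

    Every field below is written into the flow record by :meth:`new_flow`;
    the counters are then updated per packet by :meth:`ip4` / :meth:`ip6`.

    +------------+------+-----------------------------------------------------+
    | Field Name | Type | Meaning                                             |
    +============+======+=====================================================+
    | sip        | str  | Layer 3 (IPv4/IPv6) source address                  |
    +------------+------+-----------------------------------------------------+
    | dip        | str  | Layer 3 (IPv4/IPv6) destination address             |
    +------------+------+-----------------------------------------------------+
    | proto      | any  | Transport protocol number as given by ``ip.proto``  |
    +------------+------+-----------------------------------------------------+
    | sp         | int  | Layer 4 (TCP/UDP) source port, or None when the     |
    |            |      | packet carries neither TCP nor UDP                  |
    +------------+------+-----------------------------------------------------+
    | dp         | int  | Layer 4 (TCP/UDP) destination port, or None when the|
    |            |      | packet carries neither TCP nor UDP                  |
    +------------+------+-----------------------------------------------------+
    | pkt_fwd    | int  | A count of the number of packets seen in the        |
    |            |      | forward direction                                   |
    +------------+------+-----------------------------------------------------+
    | pkt_rev    | int  | A count of the number of packets seen in the        |
    |            |      | reverse direction                                   |
    +------------+------+-----------------------------------------------------+
    | oct_fwd    | int  | A count of the number of octets seen in the         |
    |            |      | forward direction                                   |
    +------------+------+-----------------------------------------------------+
    | oct_rev    | int  | A count of the number of octets seen in the         |
    |            |      | reverse direction                                   |
    +------------+------+-----------------------------------------------------+
    """

    def _extract_ports(self, ip):
        """
        Return ``(src_port, dst_port)`` from the Layer 4 header of *ip*.

        UDP is checked before TCP.  A packet carrying neither yields
        ``(None, None)``; this relies on ``ip.udp`` / ``ip.tcp`` being
        falsy when the corresponding header is absent.
        """
        if ip.udp:
            return (ip.udp.src_port, ip.udp.dst_port)
        if ip.tcp:
            return (ip.tcp.src_port, ip.tcp.dst_port)
        return (None, None)

    def new_flow(self, rec, ip):
        """
        Populate *rec* with addresses, ports and protocol for a new flow and
        zero the per-direction packet and octet counters.

        :param rec: the flow record (a mapping) to fill in place
        :param ip: the first packet of the flow
        :returns: ``True``, so the observer keeps the flow
        """
        # Addresses are stored as their string form, not the prefix objects.
        rec['sip'] = str(ip.src_prefix)
        rec['dip'] = str(ip.dst_prefix)
        rec['proto'] = ip.proto
        (rec['sp'], rec['dp']) = self._extract_ports(ip)
        # Per-direction counters, updated by _basic_count on every packet.
        rec['pkt_fwd'] = 0
        rec['pkt_rev'] = 0
        rec['oct_fwd'] = 0
        rec['oct_rev'] = 0
        # we want to keep this flow
        return True

    def ip4(self, rec, ip, rev):
        """IPv4 packet hook; defers to :meth:`_basic_count`."""
        return self._basic_count(rec, ip, rev)

    def ip6(self, rec, ip, rev):
        """IPv6 packet hook; defers to :meth:`_basic_count`."""
        return self._basic_count(rec, ip, rev)

    def _basic_count(self, rec, ip, rev):
        """
        Packet function that counts packets and octets per flow.

        :param rec: flow record whose ``pkt_*`` / ``oct_*`` counters are
            incremented; they must have been initialised by :meth:`new_flow`
        :param ip: the packet; ``ip.size`` is added to the octet counter
        :param rev: true when the packet travels in the reverse direction
        :returns: ``True``, so the flow is kept
        """
        if rev:
            rec["pkt_rev"] += 1
            rec["oct_rev"] += ip.size
        else:
            rec["pkt_fwd"] += 1
            rec["oct_fwd"] += ip.size
        return True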