D4
/
analyzer-d4-pibs
mirror of https://github.com/D4-project/analyzer-d4-pibs
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'master' of github.com:D4-project/analyzer-d4-pibs

master
Gerard Wagener 2019-07-15 15:08:02 +02:00
parent bc3e724a81 6871de5f8a
commit 4770c2f197
1 changed files with 14 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
README.md
View File

@ -1,12 +1,13 @@
# Passive Identification of BackScatter # Passive Identification of BackScatter (pibs)
Read a pcap file and display potential backscatter traffic on standard output Read a pcap file and display potential backscatter traffic on standard output
This is very early stage and subject to change. This is very early stage and subject to change.
# Install dependencies # Install dependencies
As there were some changes in libwiretap, at least the version 2.6.3-1 is needed. As there were some changes in libwiretap, at least the version 2.6.3-1 is required.
``` shell ``` shell
apt-get install libwiretap-dev apt-get install libwiretap-dev
apt-get install libhiredis-dev apt-get install libhiredis-dev
@ -16,12 +17,11 @@ apt-get install libglib2.0-dev
make make
``` ```
# How to use # How to use pibs
``` shell `./pibs -r pcapfile.cap -b`
./pibs -r pcapfile.cap -b
./pibs -u e344c4fb-442e-45a6-92b9-d8e30aeef448 -z 127.0.0.1 -p 6379 -y 2 `./pibs -u e344c4fb-442e-45a6-92b9-d8e30aeef448 -z 127.0.0.1 -p 6379 -y 2`
Consumes the files from the worker queue and write potential backscatter on Consumes the files from the worker queue and write potential backscatter on
standard output. The worker queue should include absolute filenames. standard output. The worker queue should include absolute filenames.
@ -30,39 +30,38 @@ The redis database 2 is used as specified with the -y option.
The string e344c4fb-442e-45a6-92b9-d8e30aeef448 is the uuid that must be inline with the The string e344c4fb-442e-45a6-92b9-d8e30aeef448 is the uuid that must be inline with the
worker. worker.
pibs -r source.cap.gz -w backscatter.cap `pibs -r source.cap.gz -w backscatter.cap`
Read the file source.cap.gz, identify potential backscatter and store it in the Read the file source.cap.gz, identify potential backscatter and store it in the
file backscatter.cap to be further analysed with other tools such as wireshark file backscatter.cap to be further analysed with other tools such as wireshark
```
pibs -r pcapfile.cap -s `pibs -r pcapfile.cap -s`
Read the file source.cap, identify potential backscatter and display the Read the file source.cap, identify potential backscatter and display the
usage of the used internal hash table. Feature for debugging purpose. usage of the used internal hash table. Feature for debugging purpose.
pibs -r pcapfile.cap -d `pibs -r pcapfile.cap -d`
Dump the internal data structures for debugging purposes from the processing Dump the internal data structures for debugging purposes from the processing
of the pcapfile. of the pcapfile.
pibs -n `pibs -n`
Create fresh internal data structure as shared memory for multi processing Create fresh internal data structure as shared memory for multi processing
purposes. The segment id is displayed on standard output. purposes. The segment id is displayed on standard output.
pibs -n -i myinstance.shm `pibs -n -i myinstance.shm`
Create a shared memory and store the segment identifier in the file Create a shared memory and store the segment identifier in the file
myinstance.shm myinstance.shm
pibs -r pcapfile.cap.gz -a -i instance.shm `pibs -r pcapfile.cap.gz -a -i instance.shm`
Read pcapfile.cap.gz identify potential backscatter and store it in the Read pcapfile.cap.gz identify potential backscatter and store it in the
shared memory segment with the identifier stored in the file instance.shm. shared memory segment with the identifier stored in the file instance.shm.
The previous states are taken into account. The previous states are taken into account.
pibs -i instance.shm -a -s `pibs -i instance.shm -a -s`
Display the usage of the internal hash table from the shared memory segment Display the usage of the internal hash table from the shared memory segment
specified in the file instance.shm. This command can be executed in parallel specified in the file instance.shm. This command can be executed in parallel