MATLAB Library

Queue Analysis: In order to properly compute the queue behaviour you need packet arrival time and length. In order to read those information you need to use

[Data] = TracesPlay('-o HEADER.timeS HEADER.timeUs Pi.Len -r test.pcap');

Now we have information about arrival time separately for seconds and micro seconds. In order to obtain time in seconds and normalize the starting time we have to

time = Data(1,:)-Data(1,1);
time = double(time) + double(Data(2,:))*10^-6;
time = time - time(1);

The next move is simply adding information about packet size by

Data = [time; double(Data(3,:))];

If you wish you can download a simple MATLAB function pointProcessRead.m which takes a file name and returns a matrix where the first column is time and the second column is packet size.

Simple Trace Analysis: It is very useful to see if the analyzed trace is a typical one i.e. is the packets and bytes arrival process approximately stationary and what is the packets distribution. basicTracePlots.m generates three simple plots showing those properties.

Attacks: Terry Brugger in „Data Mining Methods for Network Intrusion Detection” sumarised numerous different intrussion detection algorithms. The most commonly used by fields are timestemp, source IP, destination IP, source port, destination port and the protocol type. All those fields cen be read by comment

Data = TracesPlay('-o HEADER.timeS HEADER.timeUs IP.src IP.dst TCP.spo TCP.dpo IP.pro -r test.pcap')

for TCP

Data = TracesPlay('-o HEADER.timeS HEADER.timeUs IP.src IP.dst UDP.spo UDPdpo IP.pro -r test.pcap')

for UDP

IP Addresses Analysis: In many cases we would like to compare IP addresses from packet headers with predefined address or range of addresses. All variables from packet headers are presented by the TracesPlay in decimal format. As a consequence, in Matlab we need to change the input String to decimal format e.g '192.168.0.1' -> 3232235521. We present an example of Matlab function ipAddressesAnalysis.m, where we check how many packets are originated from the specified range (which is given as input parameters e.g. 192.168.0.0 255.255.0.0). The aim is to check the amount of TCP, UDP and ICMP packets originated from the specified range.

Part Trace Analysis: If your trace is too large to fit to the memory or you are interested in a part of the trace you can read just part of it using -n option. For example

Data = TracesPlay('-n -1 1000 IP.src -r test.pcap');
reads first 1000 IP source addresses.
Than we can read next 1000 packets by using

Data = TracesPlay('-n 1001 2000 IP.src -r test.pcap');
and finally to read all the rest packets we can use

Data = TracesPlay('-n 2001 -1 IP.src -r test.pcap');

UDP Payload: There is an option making it possible to read UDP payload by using

Data = TracesPlay('UDP.payload 10 -r test.pcap');
where 10 means that you are interested in reading first 10 bytes of payload.
The returned matrix contains the read bytes number (in the first row) and the bytes values (in the next rows) or zero if we asked for more bytes than there is in the file. So if you have a single UDP packet with a payload of 30 bytes than
Data = TracesPlay('UDP.payload 10 -r test.pcap');
returns a vector of 11 integres, where the first one is 11 (the last usefull byte) and 10 next values are the first 10 bytes of payload. If you use 40 in stead of 10 i.e. you run
Data = TracesPlay('UDP.payload 40 -r test.pcap');
you will get a vector of length 41 which first value is 31 since the 31-st value of this vector is caring payload byte. The next values are zeros i.e. values from 32 to 41. Note that if Data(31)==0 it means that the last written byte of this UDP packet was 0.

-setLisner New (v. 0.2): Some simple example to show how work -setLinser feature in Matlab
TracesPlay('-o IP.len -e -r test.pcap -n 100 110 -setLisner lenPrinterFunc');
And Matlab function that we have is
function y=lenPrinterFunc(fields) fprintf('IP.len:%d\n',fields(1) ) end
After execut this sample, we recive on Matlab console.
IP.len:52
IP.len:1500
IP.len:1500

Of course this is only easy sample, you can write any Matlab function that will be handled (runed) from TracesPlay

Command Line

C++ Library

Display packet number and IP src addres

You can use TracesPlay as library. In order to catch IP source addres from stream you need to use this source. Also it is fast and short example who easy in work is TracesPlay also as library.

#ifdef __WIN_32 
#include 
#endif


#include 
#include "tracesPlayDll.h"

// this is a way to catch data from library
class myOutputData : public OutputDataStream {
     int myData;
public:
     myOutputData(){
          myData=0;
     }
     ~myOutputData(){}
     bool printData(int_32 *ptr, int lenght);
     void freeBuffor();
};

// here we catch data from "one" packet stored as array of int_32
bool myOutputData::printData(int_32 *ptr, int lenght){
     /*
       if tab[i] == -1 or 0xffffffff it is empty cel 

     */
          
     printf("\n Packet number %i data:", myData ++);
     for (int i=0;ideactivateOutputToCSV();
     tracesPlay->deactivateOutputToConsol();
     tracesPlay->disablePrintBasicInfoToConsol();       
     tracesPlay->disablePrintError(); 
     tracesPlay->activateOutputToMemory();

     // set what type of filed we have to output
     char *filed[3]={ "PACKET.num", "IP.src"};
     tracesPlay->setOutputProtocolFiled(2,&filed[0]);
     // give us all date even in somthing isnt full
     tracesPlay->activateAlwaysShareData();
     
     // set output stream 
     myOutputData *myOutputStream = new myOutputData();
     tracesPlay->setOutputDataStream(myOutputStream);
     
     // analiz file    
     tracesPlay->readFile("test.pcap",NULL);
     // analiz file with force format    
     // tracesPlay->checkFormat("test.pcap","pcap");

     delete myOutputStream;
     delete tracesPlay;
}