1 package edu.uci.iotproject.detection.layer2;
3 import edu.uci.iotproject.analysis.TriggerTrafficExtractor;
4 import edu.uci.iotproject.util.PcapPacketUtils;
5 import org.pcap4j.core.PcapPacket;
6 import org.pcap4j.util.MacAddress;
8 import java.util.ArrayList;
12 * Attempts to detect the presence of a specific packet sequence in the set of packets provided through multiple calls
13 * to {@link #matchPacket(PcapPacket)}, considering only layer 2 information. This class has the same flavor as the
14 * {@link Layer2SequenceMatcher} class.
16 * @author Janus Varmarken {@literal <jvarmark@uci.edu>}
17 * @author Rahmadi Trimananda {@literal <rtrimana@uci.edu>}
19 public class Layer2RangeMatcher extends Layer2AbstractMatcher {
21 * The range this {@link Layer2RangeMatcher} is searching for.
23 private final List<PcapPacket> mLowerBound;
24 private final List<PcapPacket> mUpperBound;
25 private final double mEps;
26 private int mInclusionTimeMillis;
27 private int mSkippedPackets;
30 * Create a {@code Layer2RangeMatcher}.
31 * @param lowerBound The lower bound of the sequence to match against (search for).
32 * @param upperBound The upper bound of the sequence to match against (search for).
33 * @param eps The epsilon value used in the DBSCAN algorithm.
35 public Layer2RangeMatcher(List<PcapPacket> lowerBound, List<PcapPacket> upperBound,
36 int inclusionTimeMillis, double eps) {
37 // TODO: Just use the lower bound since both lower and upper bounds' packets essentially have the same direction
38 // TODO: for the same position in the array. Both arrays also have the same length.
40 mLowerBound = lowerBound;
41 mUpperBound = upperBound;
43 mInclusionTimeMillis =
44 inclusionTimeMillis == 0 ? TriggerTrafficExtractor.INCLUSION_WINDOW_MILLIS : inclusionTimeMillis;
49 * Attempt to advance this {@code Layer2RangeMatcher} by matching {@code packet} against the packet that this
50 * {@code Layer2RangeMatcher} expects as the next packet of the sequence it is searching for.
52 * @return {@code true} if this {@code Layer2SequenceMatcher} could advance by adding {@code packet} to its set of
53 * matched packets, {@code false} otherwise.
55 public boolean matchPacket(PcapPacket packet) {
56 if (getMatchedPacketsCount() == getTargetSequencePacketCount()) {
57 // We already matched the entire sequence, so we can't match any more packets.
61 // Verify that new packet pertains to same flow as previously matched packets, if any.
62 if (getMatchedPacketsCount() > 0) {
63 MacAddress pktSrc = PcapPacketUtils.getEthSrcAddr(packet);
64 MacAddress pktDst = PcapPacketUtils.getEthDstAddr(packet);
65 MacAddress earlierPktSrc = PcapPacketUtils.getEthSrcAddr(mMatchedPackets.get(0));
66 MacAddress earlierPktDst = PcapPacketUtils.getEthDstAddr(mMatchedPackets.get(0));
67 if (!(pktSrc.equals(earlierPktSrc) && pktDst.equals(earlierPktDst) ||
68 pktSrc.equals(earlierPktDst) && pktDst.equals(earlierPktSrc))) {
73 // Get representative of the packet we expect to match next.
74 PcapPacket expectedLowerBound = mLowerBound.get(mMatchedPackets.size());
75 PcapPacket expectedUpperBound = mUpperBound.get(mMatchedPackets.size());
76 int lowerBound = expectedLowerBound.getOriginalLength();
77 int upperBound = expectedUpperBound.getOriginalLength();
78 // Do strict matching if the lower and upper bounds are the same length
79 // Do range matching with eps otherwise
80 if (lowerBound != upperBound) {
81 lowerBound = lowerBound - (int) mEps;
82 upperBound = upperBound + (int) mEps;
84 // First verify if the received packet has the length we're looking for (the length should be within the range).
85 if (lowerBound <= packet.getOriginalLength() && packet.getOriginalLength() <= upperBound){
86 // If this is the first packet, we only need to verify that its length is correct. Time constraints are
87 // obviously satisfied as there are no previous packets. Furthermore, direction matches by definition as we
88 // don't know the MAC of the device (or phone) in advance, so we can't enforce a rule saying "first packet
89 // must originate from this particular MAC".
90 if (getMatchedPacketsCount() == 0) {
91 // Store packet as matched and advance.
92 mMatchedPackets.add(packet);
95 // Check if direction of packet matches expected direction.
96 boolean actualDirection = getPacketDirection(mMatchedPackets.get(getMatchedPacketsCount()-1),
97 mPacketDirections[getMatchedPacketsCount()-1], packet);
98 boolean expectedDirection = mPacketDirections[getMatchedPacketsCount()];
99 if (actualDirection != expectedDirection) {
102 // Next apply timing constraints:
103 // 1) to be a match, the packet must have a later timestamp than any other packet currently matched
104 // 2) does adding the packet cause the max allowed time between first packet and last packet to be exceeded?
105 if (!packet.getTimestamp().isAfter(mMatchedPackets.get(getMatchedPacketsCount()-1).getTimestamp())) {
108 if (packet.getTimestamp().isAfter(mMatchedPackets.get(0).getTimestamp().
109 plusMillis(mInclusionTimeMillis))) {
112 // If we made it here, it means that this packet has the expected length, direction, and obeys the timing
113 // constraints, so we store it and advance.zzzz
114 mMatchedPackets.add(packet);
115 if (mMatchedPackets.size() == mLowerBound.size()) {
116 // TODO report (to observers?) that we are done?
123 public int getTargetSequencePacketCount() {
124 return mLowerBound.size();
127 public List<PcapPacket> getTargetLowerBound() {
131 public List<PcapPacket> getTargetUpperBound() {