From 0402965f143de5ae5efd5f8899aa7d6a108194b4 Mon Sep 17 00:00:00 2001
From: Janus Varmarken
Date: Tue, 17 Jul 2018 18:57:17 -0700
Subject: [PATCH] Sketch code for extracting packet pairs (unfinished - unsure how to apply it to reconstructed tcp conversations).
---
 .../main/java/edu/uci/iotproject/Main.java | 46 +++++++++++++++--
 .../iotproject/analysis/PcapPacketFilter.java | 14 +++++
 .../iotproject/analysis/PcapPacketPair.java | 25 +++++++++
 .../analysis/TcpConversationUtils.java | 51 +++++++++++++++++++
 4 files changed, 132 insertions(+), 4 deletions(-)
 create mode 100644 Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/analysis/PcapPacketFilter.java
 create mode 100644 Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/analysis/PcapPacketPair.java
 create mode 100644 Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/analysis/TcpConversationUtils.java
diff --git a/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/Main.java b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/Main.java
index 94b7820..b1e5650 100644
--- a/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/Main.java
+++ b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/Main.java
@@ -1,12 +1,14 @@
 package edu.uci.iotproject;
 
-import edu.uci.iotproject.maclayer.MacLayerFlowPattern;
-import edu.uci.iotproject.maclayer.MacLayerFlowPatternFinder;
+import edu.uci.iotproject.analysis.PcapPacketPair;
+import edu.uci.iotproject.analysis.PcapProcessingPipeline;
+import edu.uci.iotproject.analysis.TcpConversationUtils;
 import org.pcap4j.core.*;
 
 import java.io.EOFException;
 import java.net.UnknownHostException;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.concurrent.TimeoutException;
 
 /**
@@ -71,12 +73,48 @@ public class Main { //// //// // ======================== - + /* PcapReader pcapReader = new PcapReader(args[0]); PcapProcessingPipeline pipeline = new PcapProcessingPipeline(pcapReader); TcpReassembler tcpReassembler = new TcpReassembler(); pipeline.addPcapPacketConsumer(tcpReassembler); pipeline.executePipeline(); System.out.println("Pipeline terminated"); + + List> pairs = new ArrayList<>(); + for (Conversation c : tcpReassembler.getTcpConversations()) { + pairs.add(TcpConversationUtils.extractPacketPairs(c)); + } + */ + + // -------- 07-17-2018 -------- + // Only consider packets to/from the TP-Link plug. + PcapReader pcapReader = new PcapReader(args[0], "ip host 192.168.1.159"); + TcpReassembler tcpReassembler = new TcpReassembler(); + PcapPacket packet; + while((packet = pcapReader.readNextPacket()) != null) { + tcpReassembler.consumePacket(packet); + } + // Now we have a set of reassembled TCP conversations. + List conversations = tcpReassembler.getTcpConversations(); + for(Conversation c : conversations) { + List pairs = TcpConversationUtils.extractPacketPairs(c); + for (PcapPacketPair pair : pairs) { + // TODO ... + // 1. discard packets that are not within X seconds after trigger time + // 2. conversations may be (are) with different servers - so need to plot in different plots, one per hostname? + } + } + + // ---------------------------- + + + + + } + } + + +// TP-Link MAC 50:c7:bf:33:1f:09 and usually IP 192.168.1.159 (remember to verify per file) \ No newline at end of file diff --git a/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/analysis/PcapPacketFilter.java b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/analysis/PcapPacketFilter.java new file mode 100644 index 0000000..529faf4 --- /dev/null +++ b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/analysis/PcapPacketFilter.java 
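Review bot: The device selector is hard-coded as `new PcapReader(args[0], "ip host 192.168.1.159")`, while the comment this same hunk appends at the end of the file says the plug's IP must be verified per capture file; a stale constant silently selects the wrong host, or no host at all, and the run produces empty results with no error. Take the host from the command line instead, e.g. `PcapReader pcapReader = new PcapReader(args[0], "ip host " + args[1]);` guarded by an `args.length` check (main's signature and any existing argument validation are outside the hunk, so I cannot tell whether one exists). The hunk also leaves a `/* … */`-commented copy of the pipeline code and an empty `for (PcapPacketPair pair : pairs)` loop whose `pairs` result is never used; the commit message calls this a sketch, so that is expected for now, but the commented-out block should be removed rather than kept as history.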
@@ -0,0 +1,14 @@
+package edu.uci.iotproject.analysis;
+
+import org.pcap4j.core.PcapPacket;
+
+/**
+ * TODO add class documentation.
+ *
+ * @author Janus Varmarken
+ */
+public interface PcapPacketFilter {
+
+ boolean shouldIncludePacket(PcapPacket packet);
+
+}
diff --git a/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/analysis/PcapPacketPair.java b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/analysis/PcapPacketPair.java
new file mode 100644
index 0000000..764fd0f
--- /dev/null
+++ b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/analysis/PcapPacketPair.java
@@ -0,0 +1,25 @@
+package edu.uci.iotproject.analysis;
+
+import org.pcap4j.core.PcapPacket;
+
+/**
+ * TODO add class documentation.
+ *
+ * @author Janus Varmarken
+ */
+public class PcapPacketPair {
+
+ private final PcapPacket mFirst;
+
+ private final PcapPacket mSecond;
+
+ public PcapPacketPair(PcapPacket first, PcapPacket second) {
+ mFirst = first;
+ mSecond = second;
+ }
+
+ public PcapPacket getFirst() { return mFirst; }
+
+ public PcapPacket getSecond() { return mSecond; }
+
+}
diff --git a/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/analysis/TcpConversationUtils.java b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/analysis/TcpConversationUtils.java
new file mode 100644
index 0000000..a598f81
--- /dev/null
+++ b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/analysis/TcpConversationUtils.java
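Review bot: PcapPacketFilter is added with the placeholder `TODO add class documentation` Javadoc and no statement of what the boolean returned by shouldIncludePacket means, and nothing else in this commit implements or calls the interface. Since it has a single abstract method, mark it `@FunctionalInterface` so a lambda can be passed where a filter is expected, and document the contract on the method: `/** @return {@code true} if {@code packet} should be kept by the caller, {@code false} if it should be dropped. */`. Stating whether implementations may assume a non-null packet would also help the first implementer.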
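Review bot: getSecond() can return null — TcpConversationUtils in this same commit builds `new PcapPacketPair(p1, null)` for a packet that has no reply — but neither the class Javadoc (still the `TODO add class documentation` placeholder) nor the getter says so, so callers of the public API will dereference it. Document the contract on the getter, `/** @return the reply to {@link #getFirst()}, or {@code null} if the first packet had no reply in the conversation. */`, or better, make the second leg `Optional<PcapPacket>` since the class is new and has no other callers yet. The constructor can reject a null first packet, `mFirst = Objects.requireNonNull(first, "first");`, since a pair without a first element is never constructed by the extractor.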
@@ -0,0 +1,51 @@
+package edu.uci.iotproject.analysis;
+
+import edu.uci.iotproject.Conversation;
+import edu.uci.iotproject.util.PcapPacketUtils;
+import org.pcap4j.core.PcapPacket;
+import org.pcap4j.packet.IpV4Packet;
+import org.pcap4j.packet.TcpPacket;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * TODO add class documentation.
+ *
+ * @author Janus Varmarken
+ */
+public class TcpConversationUtils {
+
+ public static List extractPacketPairs(Conversation conv) {
+ List packets = conv.getPackets();
+ List pairs = new ArrayList<>();
+ int i = 0;
+ while (i < packets.size()) {
+ PcapPacket p1 = packets.get(i);
+ String p1SrcIp = p1.get(IpV4Packet.class).getHeader().getSrcAddr().getHostAddress();
+ int p1SrcPort = p1.get(TcpPacket.class).getHeader().getSrcPort().valueAsInt();
+ if (i+1 < packets.size()) {
+ PcapPacket p2 = packets.get(i+1);
+ if (PcapPacketUtils.isSource(p2, p1SrcIp, p1SrcPort)) {
+ // Two packets in a row going in the same direction -> create one item pair for p1
+ pairs.add(new PcapPacketPair(p1, null));
+ // Advance one packet as the following two packets may form a valid two-item pair.
+ i++;
+ } else {
+ // The two packets form a response-reply pair, create two-item pair.
+ pairs.add(new PcapPacketPair(p1, p2));
+ // Advance two packets as we have already processed the packet at index i+1 in order to create the pair.
+ i += 2;
+ }
+ } else {
+ // Last packet of conversation => one item pair
+ pairs.add(new PcapPacketPair(p1, null));
+ // Advance i to ensure termination.
+ i++;
+ }
+ }
+ return pairs;
+ // TODO: what if there is long time between response and reply packet? Should we add a threshold and exclude those cases?
+ }
+
+}
-- 
2.34.1
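Review bot: `p1.get(IpV4Packet.class)` and `p1.get(TcpPacket.class)` in extractPacketPairs are dereferenced without a null check; pcap4j's `Packet.get` returns null when the packet carries no such layer, so a conversation containing a non-IPv4 or non-TCP packet (an IPv6 flow, for example) fails with a NullPointerException deep in the header chain instead of an error naming the offending packet. Main currently pre-filters the capture with an `ip host` BPF expression, but this utility is public and should not rely on its caller having done that. Resolve both layers once, reject the packet with an IllegalArgumentException that names its index, and read the header fields from the typed references. The `TODO` after `return pairs;` sits on an unreachable line; it belongs in the method's Javadoc, which together with the `TODO add class documentation` placeholder still needs to state that a pair's second packet may be null.
```java
while (i < packets.size()) {
    PcapPacket p1 = packets.get(i);
    IpV4Packet p1Ip = p1.get(IpV4Packet.class);
    TcpPacket p1Tcp = p1.get(TcpPacket.class);
    if (p1Ip == null || p1Tcp == null) {
        throw new IllegalArgumentException(
                "packet at index " + i + " of the conversation is not IPv4/TCP");
    }
    String p1SrcIp = p1Ip.getHeader().getSrcAddr().getHostAddress();
    int p1SrcPort = p1Tcp.getHeader().getSrcPort().valueAsInt();
    // … unchanged: pairing of p1 with the following packet and index advance …
```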