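--- a/trace_stats.lua
+++ b/trace_stats.lua
@@ -0,0 +1,163 @@
+--------------------------------------------------
+-- $Header: /cvs/WIP/datcat-import/crawdad/bin/analysis/trace_stats.lua,v 1.1 2007/04/25 15:18:28 emile Exp $
+-- extracts various stats (subset of crl_stats)
+-- from a trace file, use like:
+-- tshark -q <other opts> -Xlua_script:trace_stats.lua <trace>
+-- wireshark/tshark needs to be compiled --with-lua
+--------------------------------------------------
+
+do
+ ip_addr_extractor = Field.new("ip.addr")
+ tcp_src_port_extractor = Field.new("tcp.srcport")
+ tcp_dst_port_extractor = Field.new("tcp.dstport")
+ tcp_stream_extractor = Field.new("tcp.stream")
+ tls_handshake_type_extractor = Field.new("ssl.handshake.type")
+ tls_content_type_extractor = Field.new("ssl.record.content_type")
+ tls_ccs_extractor = Field.new("ssl.change_cipher_spec")
+ icmp_type_extractor = Field.new("icmp.type")
+
+ local function init_listener()
+ local tap = Listener.new("ssl")
+
+ local file = assert(io.open("handshake_stats", "w"))
+ file:write("stream,time\n")
+ file:close()
+----------------------
+----- stats functions
+----------------------
+
+-- ipv4 counts
+ local ipv4_src_cache = {}
+ local ipv4_dst_cache = {}
+ local ipv4_src_count = 0
+ local ipv4_dst_count = 0
+ function stats_ipv4_counts(pinfo,tvb)
+ local ip_src
+ local ip_dst
+ ip_src, ip_dst = ip_addr_extractor()
+ if ( ip_src ) then
+ if (not ipv4_src_cache[ tostring(ip_src) ] == true ) then
+ ipv4_src_cache[ tostring(ip_src) ] = true
+ ipv4_src_count = ipv4_src_count + 1
+ else
+ -- print("src already recorded")
+ end
+
+ else
+ -- print("NO src")
+ end
+ if ( ip_dst ) then
+ if (not ipv4_dst_cache[ tostring(ip_dst) ] == true ) then
+ ipv4_dst_cache[ tostring(ip_dst) ] = true
+ ipv4_dst_count = ipv4_dst_count + 1
+ else
+ -- print("dst already recorded")
+ end
+ else
+ -- print("NO dst")
+ end
+ end
+
+-- tcp stream counts
+ local tcp_stream_cache = {}
+ local tcp_stream_count = 0
+ function stats_stream_counts(pinfo,tvb)
+ local stream
+ local sport, dport, saddr, daddr
+ stream = tcp_stream_extractor()
+ saddr, daddr = ip_addr_extractor()
+ sport = tcp_src_port_extractor()
+ dport = tcp_dst_port_extractor()
+
+ if ( stream ) then
+ if (not tcp_stream_cache[ tostring(stream) ] == true ) then
+ tcp_stream_cache[ tostring(stream) ] = true
+ tcp_stream_count = tcp_stream_count + 1
+ print("Stream #" .. tostring(tcp_stream_count) .. " | " .. tostring(saddr) .. ":" .. tostring(sport) .. " > " .. tostring(daddr) .. ":" .. tostring(dport) )
+ else
+ -- print("stream already recorded")
+ end
+
+ else
+ -- print("NO stream")
+ end
+ end
+
+
+-- ssl stats
+ local tls_src_starts = {}
+ local tls_ccs_cache = {}
+ function stats_tls_handshake(pinfo, tvb)
+ local hs_type, rec_type, ccs, stream
+ hs_type = tls_handshake_type_extractor()
+ ccs = tls_ccs_extractor()
+ stream = tcp_stream_extractor()
+ if(hs_type) then
+ local type_string
+ type_string = tostring(hs_type)
+ if(type_string == "1") then
+ print("Start time for stream #" .. tostring(stream) .. " is " .. tostring(pinfo.abs_ts))
+ tls_src_starts[ tostring(stream) ] = pinfo.abs_ts
+ end
+
+ end
+ if(ccs) then
+ if (not tls_ccs_cache[ tostring(stream) ] == true ) then
+ tls_ccs_cache[ tostring(stream) ] = true
+ print("Received 1st CCS for stream #" .. tostring(stream))
+ else
+ if( tls_src_starts[ tostring(stream)] ) then
+ -- We have received both CCS and Finished messages
+ local hs_time = pinfo.abs_ts - tls_src_starts[ tostring(stream)]
+ print("Total handshake time: " .. tostring(hs_time) )
+ local file = assert(io.open("handshake_stats", "a"))
+ file:write(tostring(stream) .. "," .. tostring(hs_time) .. "\n")
+ file:close()
+
+ end
+ end
+ end
+
+
+
+ end
+
+-- start/end times
+ local start_time
+ local end_time
+ function stats_start_end_times(pinfo)
+ if (not start_time) then
+ start_time = pinfo.abs_ts
+ end_time = pinfo.abs_ts
+ else
+ if ( start_time > pinfo.abs_ts ) then start_time = pinfo.abs_ts end
+ if ( end_time < pinfo.abs_ts ) then end_time = pinfo.abs_ts end
+ end
+ end
+
+-------------------
+----- tap functions
+-------------------
+ function tap.reset()
+ end
+
+ function tap.packet(pinfo,tvb,ip)
+ stats_ipv4_counts(pinfo,tvb)
+ stats_stream_counts(pinfo,tvb)
+ stats_start_end_times(pinfo)
+ stats_tls_handshake(pinfo, tvb)
+ end
+
+ function tap.draw()
+ print("=== extra stats ===================================================")
+ print("start_time: " .. start_time )
+ print("end_time: " .. end_time )
+ print("ipv4_src_address_count: " .. ipv4_src_count )
+ print("ipv4_dst_address_count: " .. ipv4_dst_count )
+ print("tcp_stream_count: " .. tcp_stream_count )
+ print("===================================================================")
+ end
+ end
+
+ init_listener()
+end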
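Review bot: `tap.draw()` concatenates `start_time` and `end_time` directly, so a capture in which the `ssl` tap never fires leaves both nil and the summary aborts with a concatenation error; `print("start_time: " .. tostring(start_time))`, and the same for `end_time`, keeps the report printable. The output file `handshake_stats` is a fixed relative name that `init_listener` truncates with `"w"` and `stats_tls_handshake` reopens with `"a"` for every completed handshake, so it lands in whatever the working directory happens to be and will follow an existing symlink of that name; where traces are processed with elevated privileges or in a shared directory, an explicit output path in a private directory, opened once, is the safer shape. The cache tests such as `not ipv4_src_cache[ tostring(ip_src) ] == true` parse as `(not x) == true` and only work because the tables hold nothing but `true` or nil; `if not ipv4_src_cache[key] then` says what is meant, and the same applies to the dst, stream and CCS checks. In `stats_tls_handshake` every ChangeCipherSpec after the first on a stream appends a row, and a later ClientHello overwrites `tls_src_starts`, so a renegotiated stream would presumably produce extra or skewed rows despite the comment about "both CCS and Finished". The extractors and the `stats_*` functions are assigned without `local`, which makes them globals in the Lua state shared with any other loaded script.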