diff --git a/CPE449/geolocation/geoip.py b/CPE449/geolocation/geoip.py deleted file mode 100644 index 9e1d9a4..0000000 --- a/CPE449/geolocation/geoip.py +++ /dev/null @@ -1,39 +0,0 @@ -import pygeoip -import re as regex - -ipAddrList = { } - -ipAddrCountry = { } - -geoip = pygeoip.GeoIP('GeoIP.dat') - -loginFile = open("logins.txt") -loginList = loginFile.readlines() - -ipAddrRegex = regex.compile(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})') - -uniqueIPs = 0 -uniqueIPsByCountry = 0 - -for login in loginList: - ipAddr = regex.split(ipAddrRegex, login) - ip = ipAddr[1] - # use dictionary for number of IPs in a Country - country = geoip.country_code_by_addr(ip) - if country not in ipAddrCountry.values(): - uniqueIPsByCountry += 1 - ipAddrCountry[ip] = country - if ip in ipAddrList.keys(): - ipAddrList[ip] += 1 - else: - uniqueIPs+=1 - ipAddrList[ip] = 1 - -print("\nIP Addresses by count:\n") -for ipCount in ipAddrList: - print(ipCount,":", ipAddrList.get(ipCount)) -print("\nIP Addresses by country:\n") -for ipCountry in ipAddrCountry: - print(ipCountry, ":", ipAddrCountry.get(ipCountry)) -print("\nNumber of unique IP addresses: ", uniqueIPs) -print("\nNumber of unique IP addresses by Country: ", uniqueIPsByCountry, "\n") \ No newline at end of file diff --git a/CPE449/geolocation/geolocate.py b/CPE449/geolocation/geolocate.py new file mode 100644 index 0000000..fc3e30e --- /dev/null +++ b/CPE449/geolocation/geolocate.py @@ -0,0 +1,55 @@ +import pygeoip +import re as regex + +ipAddrList = { } + +ipAddrCountryCount = { } +ipAddrCountries = { } + +geoip = pygeoip.GeoIP('GeoIP.dat') + +loginFile = open("logins.txt") +loginList = loginFile.readlines() + +ipAddrRegex = regex.compile(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})') + +uniqueIPs = 0 +uniqueIPsByCountry = 0 + +for login in loginList: + ipAddr = regex.split(ipAddrRegex, login) + ip = ipAddr[1] + if ip in ipAddrList: + country = geoip.country_code_by_addr(ip) + if country not in ipAddrCountryCount.values(): + uniqueIPsByCountry += 1 + ipAddrList[ip] += 1 + else: + country = geoip.country_code_by_addr(ip) + if country not in ipAddrCountryCount.values(): + uniqueIPsByCountry += 1 + ipAddrCountries[ip] = country + uniqueIPs+=1 + ipAddrList[ip] = 1 + +for ip in ipAddrList.keys(): + # use dictionary for number of IPs in a Country + country = geoip.country_code_by_addr(ip) + if country in ipAddrCountryCount: + ipAddrCountryCount[country] += 1 + else: + ipAddrCountryCount[country] = 1 + +print("\nIP Addresses by occurrence:\n") +for ipCount in ipAddrList: + print(ipCount,":", ipAddrList.get(ipCount)) + +print("\nIP Addresses by country:\n") +for ipCountry in ipAddrCountries: + print(ipCountry, ":", ipAddrCountries.get(ipCountry)) + +print("\nIP Address count from countries:\n") +for ipCountry in ipAddrCountryCount: + print(ipCountry, ":", ipAddrCountryCount.get(ipCountry)) + +print("\nNumber of unique IP addresses: ", uniqueIPs) \ No newline at end of file diff --git a/CPE449/portScanDetection/.gitignore b/CPE449/portScanDetection/.gitignore new file mode 100644 index 0000000..cbab2ae --- /dev/null +++ b/CPE449/portScanDetection/.gitignore @@ -0,0 +1,2 @@ +*.exe +build \ No newline at end of file diff --git a/CPE449/portScanDetection/.vscode/c_cpp_properties.json b/CPE449/portScanDetection/.vscode/c_cpp_properties.json new file mode 100644 index 0000000..740781d --- /dev/null +++ b/CPE449/portScanDetection/.vscode/c_cpp_properties.json @@ -0,0 +1,17 @@ +{ + "configurations": [ + { + "name": "linux-gcc-x64", + "includePath": [ + "${workspaceFolder}/**" + ], + "defines": [], + "compilerPath": "/usr/bin/gcc", + "cStandard": "${default}", + "intelliSenseMode": "linux-gcc-x64", + "configurationProvider": "ms-vscode.makefile-tools", + "cppStandard": "${default}" + } + ], + "version": 4 +} \ No newline at end of file diff --git a/CPE449/portScanDetection/.vscode/launch.json b/CPE449/portScanDetection/.vscode/launch.json new file mode 100644 index 0000000..72687b0 --- /dev/null +++ b/CPE449/portScanDetection/.vscode/launch.json @@ -0,0 +1,51 @@ +{ + "version": "0.2.0", + "configurations": [ + { + "name": "(gdb) Launch", + "type": "cppdbg", + "request": "launch", + "program": "${workspaceFolder}/anw0044.exe", + "args": [ + "-i", + "connect_scan.pcap" + ], + "stopAtEntry": false, + "cwd": "${fileDirname}", + "environment": [], + "externalConsole": false, + "MIMode": "gdb", + "setupCommands": [ + { + "description": "Enable pretty-printing for gdb", + "text": "-enable-pretty-printing", + "ignoreFailures": true + }, + { + "description": "Set Disassembly Flavor to Intel", + "text": "-gdb-set disassembly-flavor intel", + "ignoreFailures": true + } + ] + }, + { + "name": "C/C++ Runner: Debug Session", + "type": "cppdbg", + "request": "launch", + "args": [], + "stopAtEntry": false, + "externalConsole": false, + "cwd": "/home/andrew/Repositories/UAHCode/CPE449/portScanDetection", + "program": "/home/andrew/Repositories/UAHCode/CPE449/portScanDetection/build/Debug/outDebug", + "MIMode": "gdb", + "miDebuggerPath": "gdb", + "setupCommands": [ + { + "description": "Enable pretty-printing for gdb", + "text": "-enable-pretty-printing", + "ignoreFailures": true + } + ] + } + ] +} \ No newline at end of file diff --git a/CPE449/portScanDetection/.vscode/settings.json b/CPE449/portScanDetection/.vscode/settings.json new file mode 100644 index 0000000..3c14be9 --- /dev/null +++ b/CPE449/portScanDetection/.vscode/settings.json @@ -0,0 +1,35 @@ +{ + "files.associations": { + "pcap.h": "c", + "search.h": "c" + }, + "C_Cpp_Runner.msvcBatchPath": "", + "C_Cpp_Runner.cCompilerPath": "gcc", + "C_Cpp_Runner.cppCompilerPath": "g++", + "C_Cpp_Runner.debuggerPath": "gdb", + "C_Cpp_Runner.cStandard": "", + "C_Cpp_Runner.cppStandard": "", + "C_Cpp_Runner.useMsvc": false, + "C_Cpp_Runner.warnings": [ + "-Wall", + "-Wextra", + "-Wpedantic" + ], + "C_Cpp_Runner.enableWarnings": true, + "C_Cpp_Runner.warningsAsError": false, + "C_Cpp_Runner.compilerArgs": [], + "C_Cpp_Runner.linkerArgs": [], + "C_Cpp_Runner.includePaths": [], + "C_Cpp_Runner.includeSearch": [ + "*", + "**/*" + ], + "C_Cpp_Runner.excludeSearch": [ + "**/build", + "**/build/**", + "**/.*", + "**/.*/**", + "**/.vscode", + "**/.vscode/**" + ] +} \ No newline at end of file diff --git a/CPE449/portScanDetection/.vscode/tasks.json b/CPE449/portScanDetection/.vscode/tasks.json new file mode 100644 index 0000000..286124a --- /dev/null +++ b/CPE449/portScanDetection/.vscode/tasks.json @@ -0,0 +1,30 @@ +{ + "tasks": [ + { + "type": "cppbuild", + "label": "C/C++: gcc build active file", + "command": "/usr/bin/gcc", + "args": [ + "-fdiagnostics-color=always", + "-I/usr/lib", + "-g", + "${file}", + "-o", + "${fileDirname}/${fileBasenameNoExtension}", + "-libpcap" + ], + "options": { + "cwd": "${fileDirname}" + }, + "problemMatcher": [ + "$gcc" + ], + "group": { + "kind": "build", + "isDefault": true + }, + "detail": "Task generated by Debugger." + } + ], + "version": "2.0.0" +} \ No newline at end of file diff --git a/CPE449/portScanDetection/Ereet_Packet_Trace_Connect_Open.png b/CPE449/portScanDetection/Ereet_Packet_Trace_Connect_Open.png new file mode 100644 index 0000000..4ad183b Binary files /dev/null and b/CPE449/portScanDetection/Ereet_Packet_Trace_Connect_Open.png differ diff --git a/CPE449/portScanDetection/Ereet_Packet_Trace_Syn_Open.png b/CPE449/portScanDetection/Ereet_Packet_Trace_Syn_Open.png new file mode 100644 index 0000000..c42b57a Binary files /dev/null and b/CPE449/portScanDetection/Ereet_Packet_Trace_Syn_Open.png differ diff --git a/CPE449/portScanDetection/Makefile b/CPE449/portScanDetection/Makefile new file mode 100644 index 0000000..8b90ca5 --- /dev/null +++ b/CPE449/portScanDetection/Makefile @@ -0,0 +1,5 @@ +default: + gcc -I/usr/lib -o anw0044.exe anw0044.c -lpcap + +test: + gcc -I/usr/lib -o test.exe test.c -lpcap \ No newline at end of file diff --git a/CPE449/portScanDetection/PortScanDetect-Description.pdf b/CPE449/portScanDetection/PortScanDetect-Description.pdf new file mode 100644 index 0000000..45c5bda Binary files /dev/null and b/CPE449/portScanDetection/PortScanDetect-Description.pdf differ diff --git a/CPE449/portScanDetection/anw0044.c b/CPE449/portScanDetection/anw0044.c new file mode 100644 index 0000000..2d37aab --- /dev/null +++ b/CPE449/portScanDetection/anw0044.c @@ -0,0 +1,446 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +// Global structures +struct scanTypes +{ + u_int connect; + u_int null; + u_int halfOpen; + u_int udp; + u_int attemptedScans; + u_int xmas; +} scansInFile; + +struct scanTypesBools +{ + bool connect; + bool null; + bool halfOpen; + bool udp; + bool attemptedScans; + bool xmas; +}; + +struct tcpFlagsSet +{ + bool ACK; + bool SYN; + bool SYN_ACK; + bool RST_ACK; + bool FIN; + bool RST; + bool PSH; + bool URG; +}; + +struct tcpDictionary +{ + struct tcpFlagsSet tcpFlags; + int packetNumInGroup; + struct scanTypesBools scanTypes; + uint16_t srcPort; + uint16_t port; + uint16_t dstPort; + uint16_t srcIP; + uint16_t dstIP; +} currentTCPPacket; +struct udpPacket +{ + uint16_t srcPort; + uint16_t port; + uint16_t dstPort; + uint16_t srcIP; + uint16_t dstIP; +} currentUDPPacket; + +// Provided structures +struct pcap_pkthdr *pcapHeaderStruct; +struct ether_header *ethNetHeaderStruct; +struct ip *ipHeaderStruct; +struct tcphdr *tcpHeaderStruct; +struct udphdr *udpHeaderStruct; +struct icmphdr *icmpHeaderStruct; + +// Functions +void myHandler(u_char *args, const struct pcap_pkthdr *header, const u_char *packet); + +ENTRY *seachTable(int key); + +void addToTable(int key, void *data); + +void printScans(); + +// Global variables and constants +int *seqNums; + +int connectScans = 0; + +const int TCP_DICTIONARY_SIZE = 100000; +const char *ErrorMSG = "Must provide input file.\n"; + + +uint8_t *shost; +uint8_t *dhost; + +ENTRY *search; +ENTRY entry; + +int main(int argc, char **argv) +{ + if (hcreate(TCP_DICTIONARY_SIZE) == 0) + { + printf("error"); + hcreate(50000); + }; + if (argc < 3) + { + printf("%s", ErrorMSG); + return 0; + } + + seqNums = malloc(TCP_DICTIONARY_SIZE * TCP_DICTIONARY_SIZE * sizeof(int)); + + char errbuf[PCAP_ERRBUF_SIZE]; + char *pcapFileName = argv[2]; + + pcap_t *pcapFile = pcap_open_offline(pcapFileName, errbuf); + + pcap_loop(pcapFile, 0, myHandler, NULL); + + /* And close the session */ + pcap_close(pcapFile); + + printScans(); +} + +void printScans() +{ + printf("Null: %d\n", scansInFile.null); + printf("Xmas: %d\n", scansInFile.xmas); + printf("UDP: %d\n", scansInFile.udp); + printf("Half-open: %d\n", scansInFile.halfOpen); + printf("Connect: %d\n", scansInFile.connect); + printf("Attempted scans: %d\n", scansInFile.attemptedScans); +} + +void myHandler( + u_char *args, + const struct pcap_pkthdr *header, + const u_char *packet) +{ + /* First, lets make sure we have an IP packet */ + struct ether_header *eth_header; + eth_header = (struct ether_header *)packet; + if (ntohs(eth_header->ether_type) != ETHERTYPE_IP) + { + return; + } + + const u_char *ip_header; + const u_char *tcp_header; + const u_char *udp_header; + const u_char *icmp_header; + const u_char *payload; + + // Packet lengths + int ethHeaderLength = 14; + int ipHeaderLength; + int tcpHeaderLength; + int payloadLength; + + ip_header = packet + ethHeaderLength; + + ipHeaderLength = ((*ip_header) & 0x0F); + + ipHeaderLength = ipHeaderLength * 4; + ipHeaderStruct = (struct iphdr *)ip_header; + // printf("%d\n", ipHeaderStruct->ip_id); + + u_char protocol = *(ip_header + 9); + + + + if ( protocol == IPPROTO_ICMP) + { + search = seachTable(currentUDPPacket.port); + + struct udpPacket *prevUDPPacket; + if (search != NULL) prevUDPPacket = search->data; + scansInFile.udp--; + icmp_header = packet + ethHeaderLength + ipHeaderLength; + icmpHeaderStruct = (struct icmphdr *)icmp_header; + if (icmpHeaderStruct->type == ICMP_DEST_UNREACH) + { + scansInFile.attemptedScans++; + } + } + + if (protocol == IPPROTO_UDP) + { + udp_header = packet + ethHeaderLength + ipHeaderLength; + udpHeaderStruct = (struct udphdr *)udp_header; + currentUDPPacket.port= ntohs(udpHeaderStruct->source); + addToTable(currentUDPPacket.port, ¤tUDPPacket); + if (udpHeaderStruct->uh_dport == 53) + { + return; + } + scansInFile.udp++; + return; + } + + if (protocol != IPPROTO_TCP) + { + return; + } + + tcp_header = packet + ethHeaderLength + ipHeaderLength; + + tcpHeaderLength = ((*(tcp_header + 12)) & 0xF0) >> 4; + + tcpHeaderLength = tcpHeaderLength * 4; + tcpHeaderStruct = (struct tcphdr *)tcp_header; + + + const bool ACKflag = (tcpHeaderStruct->ack == 1); + const bool RSTflag = (tcpHeaderStruct->rst == 1); + const bool SYNflag = (tcpHeaderStruct->syn == 1); + const bool FINflag = (tcpHeaderStruct->fin == 1); + const bool PSHflag = (tcpHeaderStruct->fin == 1); + const bool URGflag = (tcpHeaderStruct->urg == 1); + const uint32_t tcpSEQ = tcpHeaderStruct->seq; + const uint32_t tcpACKSeq = tcpHeaderStruct->ack_seq; + + currentTCPPacket.tcpFlags.ACK = ACKflag; + currentTCPPacket.tcpFlags.RST = RSTflag; + currentTCPPacket.tcpFlags.SYN = SYNflag; + currentTCPPacket.tcpFlags.FIN = FINflag; + currentTCPPacket.tcpFlags.PSH = PSHflag; + currentTCPPacket.tcpFlags.URG = URGflag; + + /* + TCP SYN flag is set when connection is made and when server sends back SYN/ACK + + ACK flag set when server sends back SYN/ACK, and when client sends response to SYN/ACK + + TCP Half-open: + SYN, SYN/ACK, RST + Connect scan: + + Open state: + SYN is first + SYN, ACK is second + RST is last + */ + + search = seachTable(currentTCPPacket.port); + // printf("Packet Num: %d\n", currentTCPPacket.packetNumInGroup); + /* + returns a value when + + + */ + // first packet + + const uint16_t srcPort = ntohs(tcpHeaderStruct->th_sport); + const uint16_t dstPort = ntohs(tcpHeaderStruct->th_dport); + // struct in_addr_t srcIP = ipHeaderStruct->ip_src.s_addr; + + struct tcpDictionary *prevPacket; + if (search!=NULL) prevPacket = search->data; + + + if (search == NULL || srcPort == prevPacket->port + || dstPort == prevPacket->port) + { + search = seachTable(currentTCPPacket.srcPort); + + + currentTCPPacket.packetNumInGroup = 0; + if (ACKflag || RSTflag) + { + return; + } + // start of packet for Half-open and Connect + if (SYNflag && !ACKflag && !RSTflag && !FINflag && !PSHflag && !URGflag) + { + currentTCPPacket.port = dstPort; + currentTCPPacket.packetNumInGroup = 1; + // hdestroy(); + // hcreate(TCP_DICTIONARY_SIZE); + addToTable(currentTCPPacket.dstPort, ¤tTCPPacket); + return; + } + // else one of the other scans + else + { + if (FINflag) + { + // Xmas pattern + if (PSHflag && URGflag) + { + scansInFile.xmas++; + currentTCPPacket.port = dstPort; + currentTCPPacket.packetNumInGroup = 1; + addToTable(currentTCPPacket.port, ¤tTCPPacket); + return; + } + } + // NULL pattern + if (!SYNflag && !ACKflag && + !RSTflag && !FINflag && + !PSHflag && !URGflag) + { + currentTCPPacket.port = dstPort; + currentTCPPacket.packetNumInGroup = 1; + addToTable(currentTCPPacket.port, ¤tTCPPacket); + return; + } + } + } + else + { + // printf("found\n"); + // found packet + prevPacket = search->data; + + currentTCPPacket.packetNumInGroup++; + // does last packet match X-Mas pattern? + if (prevPacket->tcpFlags.PSH && + prevPacket->tcpFlags.FIN && + prevPacket->tcpFlags.URG) + { + // printf("Run\n"); + if (FINflag) + { + // Xmas pattern + if (PSHflag && URGflag) + { + // scansInFile.xmas++; + currentTCPPacket.port = dstPort; + currentTCPPacket.packetNumInGroup = 1; + addToTable(currentTCPPacket.port, ¤tTCPPacket); + return; + } + } + scansInFile.xmas++; + if (ACKflag && RSTflag) + { + scansInFile.xmas--; + scansInFile.attemptedScans++; + // printf("XMas\n"); + currentTCPPacket.packetNumInGroup = 0; + return; + } + return; + } + // ACK and SYN current + else if (SYNflag && ACKflag && + !RSTflag && !FINflag && + !PSHflag && !URGflag) + { + currentTCPPacket.packetNumInGroup++; + if (prevPacket->tcpFlags.SYN && prevPacket->tcpFlags.ACK) + { + addToTable(currentTCPPacket.port, ¤tTCPPacket); + return; + } + addToTable(currentTCPPacket.port, ¤tTCPPacket); + return; + } + // ACK and SYN prev + // Connect and half-open + else if (prevPacket->tcpFlags.ACK && prevPacket->tcpFlags.SYN && + !prevPacket->tcpFlags.FIN && !prevPacket->tcpFlags.PSH && + !prevPacket->tcpFlags.RST && !prevPacket->tcpFlags.URG) + { + if (RSTflag){ + scansInFile.halfOpen++; + addToTable(currentTCPPacket.port, ¤tTCPPacket); + currentTCPPacket.packetNumInGroup = 0; + return; + } + else if (ACKflag) + { + currentTCPPacket.packetNumInGroup++; + addToTable(currentTCPPacket.port, ¤tTCPPacket); + return; + } + } + // ACK prev + // Connect successful? + else if (prevPacket->tcpFlags.ACK && !prevPacket->tcpFlags.SYN && + !prevPacket->tcpFlags.FIN && !prevPacket->tcpFlags.PSH && + !prevPacket->tcpFlags.RST && !prevPacket->tcpFlags.URG) + { + // yes + if (RSTflag){ + scansInFile.connect++; + currentTCPPacket.packetNumInGroup = 0; + return; + } + // no + else if (ACKflag) + { + currentTCPPacket.packetNumInGroup++; + addToTable(currentTCPPacket.port, ¤tTCPPacket); + return; + } + + } + // ACK prev, SYN current + else if (SYNflag && !ACKflag && !RSTflag && !FINflag && !PSHflag && !URGflag && prevPacket->tcpFlags.ACK) + { + currentTCPPacket.packetNumInGroup++; + addToTable(currentTCPPacket.port, ¤tTCPPacket); + return; + } + + // Filtered for + else if (!SYNflag && !ACKflag && + !RSTflag && !FINflag && + !PSHflag && !URGflag && + prevPacket->tcpFlags.SYN) + { + scansInFile.attemptedScans++; + } + // scans for + else if (prevPacket->tcpFlags.SYN && + !SYNflag && !ACKflag && + RSTflag && !FINflag && + !PSHflag && !URGflag) + { + return; + } + + } +} + +void addToTable(int key, void *data) +{ + ENTRY dictionaryEntry; + char index[50]; + sprintf(index, "%u", key); + dictionaryEntry.key = index; + dictionaryEntry.data = data; + hsearch(dictionaryEntry, ENTER); +} + +ENTRY *seachTable(int key) +{ + ENTRY dictionaryEntry; + char index[50]; + sprintf(index, "%u", key); + dictionaryEntry.key = index; + ENTRY *search = hsearch(dictionaryEntry, FIND); + return search; +} \ No newline at end of file diff --git a/CPE449/portScanDetection/connect_scan.pcap b/CPE449/portScanDetection/connect_scan.pcap new file mode 100644 index 0000000..de56fc8 Binary files /dev/null and b/CPE449/portScanDetection/connect_scan.pcap differ diff --git a/CPE449/portScanDetection/halfopen.pcap b/CPE449/portScanDetection/halfopen.pcap new file mode 100644 index 0000000..8580c92 Binary files /dev/null and b/CPE449/portScanDetection/halfopen.pcap differ diff --git a/CPE449/portScanDetection/icmpecho.pcap b/CPE449/portScanDetection/icmpecho.pcap new file mode 100644 index 0000000..c230888 Binary files /dev/null and b/CPE449/portScanDetection/icmpecho.pcap differ diff --git a/CPE449/portScanDetection/noscan.pcap b/CPE449/portScanDetection/noscan.pcap new file mode 100644 index 0000000..a171c11 Binary files /dev/null and b/CPE449/portScanDetection/noscan.pcap differ diff --git a/CPE449/portScanDetection/null_scan.pcap b/CPE449/portScanDetection/null_scan.pcap new file mode 100644 index 0000000..ee46339 Binary files /dev/null and b/CPE449/portScanDetection/null_scan.pcap differ diff --git a/CPE449/portScanDetection/out.txt b/CPE449/portScanDetection/out.txt new file mode 100644 index 0000000..e8a9235 --- /dev/null +++ b/CPE449/portScanDetection/out.txt @@ -0,0 +1,6 @@ +Null: 0 +Xmas: 1668 +UDP: 0 +Half-open: 0 +Connect: 0 +Attempted scans: 0 diff --git a/CPE449/portScanDetection/out2.txt b/CPE449/portScanDetection/out2.txt new file mode 100644 index 0000000..e69de29 diff --git a/CPE449/portScanDetection/test.c b/CPE449/portScanDetection/test.c new file mode 100644 index 0000000..a84a8de --- /dev/null +++ b/CPE449/portScanDetection/test.c @@ -0,0 +1,130 @@ +#include +#include +#include +#include + +/* Finds the payload of a TCP/IP packet */ +void my_packet_handler( + u_char *args, + const struct pcap_pkthdr *header, + const u_char *packet +) +{ + /* First, lets make sure we have an IP packet */ + struct ether_header *eth_header; + eth_header = (struct ether_header *) packet; + if (ntohs(eth_header->ether_type) != ETHERTYPE_IP) { + printf("Not an IP packet. Skipping...\n\n"); + return; + } + + /* The total packet length, including all headers + and the data payload is stored in + header->len and header->caplen. Caplen is + the amount actually available, and len is the + total packet length even if it is larger + than what we currently have captured. If the snapshot + length set with pcap_open_live() is too small, you may + not have the whole packet. */ + printf("Total packet available: %d bytes\n", header->caplen); + printf("Expected packet size: %d bytes\n", header->len); + + /* Pointers to start point of various headers */ + const u_char *ip_header; + const u_char *tcp_header; + const u_char *payload; + + /* Header lengths in bytes */ + int ethernet_header_length = 14; /* Doesn't change */ + int ip_header_length; + int tcp_header_length; + int payload_length; + + /* Find start of IP header */ + ip_header = packet + ethernet_header_length; + /* The second-half of the first byte in ip_header + contains the IP header length (IHL). */ + ip_header_length = ((*ip_header) & 0x0F); + /* The IHL is number of 32-bit segments. Multiply + by four to get a byte count for pointer arithmetic */ + ip_header_length = ip_header_length * 4; + printf("IP header length (IHL) in bytes: %d\n", ip_header_length); + + /* Now that we know where the IP header is, we can + inspect the IP header for a protocol number to + make sure it is TCP before going any further. + Protocol is always the 10th byte of the IP header */ + u_char protocol = *(ip_header + 9); + if (protocol != IPPROTO_TCP) { + printf("Not a TCP packet. Skipping...\n\n"); + return; + } + + /* Add the ethernet and ip header length to the start of the packet + to find the beginning of the TCP header */ + tcp_header = packet + ethernet_header_length + ip_header_length; + /* TCP header length is stored in the first half + of the 12th byte in the TCP header. Because we only want + the value of the top half of the byte, we have to shift it + down to the bottom half otherwise it is using the most + significant bits instead of the least significant bits */ + tcp_header_length = ((*(tcp_header + 12)) & 0xF0) >> 4; + /* The TCP header length stored in those 4 bits represents + how many 32-bit words there are in the header, just like + the IP header length. We multiply by four again to get a + byte count. */ + tcp_header_length = tcp_header_length * 4; + printf("TCP header length in bytes: %d\n", tcp_header_length); + + /* Add up all the header sizes to find the payload offset */ + int total_headers_size = ethernet_header_length+ip_header_length+tcp_header_length; + printf("Size of all headers combined: %d bytes\n", total_headers_size); + payload_length = header->caplen - + (ethernet_header_length + ip_header_length + tcp_header_length); + printf("Payload size: %d bytes\n", payload_length); + payload = packet + total_headers_size; + printf("Memory address where payload begins: %p\n\n", payload); + + /* Print payload in ASCII */ + /* + if (payload_length > 0) { + const u_char *temp_pointer = payload; + int byte_count = 0; + while (byte_count++ < payload_length) { + printf("%c", *temp_pointer); + temp_pointer++; + } + printf("\n"); + } + */ + + return; +} + +int main(int argc, char **argv) { + if (argc < 2) + { + // printf("%s",); + return 0; + } + // printf("%s", "blah"); + + for (int i = 0; i < argc; i++) + { + printf("%s\n", argv[i]); + } + + char* pcapFileName = argv[2]; + char error_buffer[PCAP_ERRBUF_SIZE]; + pcap_t *handle; + /* Snapshot length is how many bytes to capture from each packet. This includes*/ + int snapshot_length = 1024; + /* End the loop after this many packets are captured */ + int total_packet_count = 200; + u_char *my_arguments = NULL; + + handle = pcap_open_offline(pcapFileName, error_buffer); + pcap_loop(handle, total_packet_count, my_packet_handler, my_arguments); + + return 0; +} \ No newline at end of file diff --git a/CPE449/portScanDetection/test.png b/CPE449/portScanDetection/test.png new file mode 100644 index 0000000..ecd2980 Binary files /dev/null and b/CPE449/portScanDetection/test.png differ diff --git a/CPE449/portScanDetection/udp_scan.pcap b/CPE449/portScanDetection/udp_scan.pcap new file mode 100644 index 0000000..e6edb4f Binary files /dev/null and b/CPE449/portScanDetection/udp_scan.pcap differ diff --git a/CPE449/portScanDetection/xmas_scan.pcap b/CPE449/portScanDetection/xmas_scan.pcap new file mode 100644 index 0000000..6fe8b34 Binary files /dev/null and b/CPE449/portScanDetection/xmas_scan.pcap differ