9. PCAP files used in the evaluation experiments
Security Related
• activeosfingerprinting.pcap – An NMap OS fingerprinting scan
• arppoison.pcap – Demonstration of ARP cache poisoning at the packet level
• aurora.pcap – A lab system being exploited by the aurora exploit used against Google and others. Created using Metasploit.
• ratinfected.pcap – A lab system infected with a remote access trojan sending data back to its upstream host
• synscan.pcap – A basic TCP SYN scan
Wireless Networking
• 80211beacon.pcap – An 802.11 wireless beacon packet collected from a WinPCap adapter
• 80211-WEPauth.pcap – A successful 802.11 wireless WEP authentication sequence
• 80211-WEPauthfail.pcap – A failed 802.11 wireless WEP authentication sequence
• 80211-WPAauth.pcap – A successful 802.11 wireless WPA authentication sequence
• 80211-WPAauthfail.pcap – A failed 802.11 wireless WPA authentication sequence
Common Protocols
• arp_gratuitous.pcap – A gratuitous ARP packet
• arp_resolution.pcap – The ARP resolution process
• dhcp_inlease_renewal.pcap – A DHCP client obtaining an IP address while inside its lease time
• dhcp_nolease_renewal.pcap – A DHCP client obtaining an IP address while outside of its lease time
• dns_axfr.pcap – A DNS full zone transfer
• dns_query_response.pcap – A simple DNS query and response
• dns_recursivequery_client.pcap – A recursive query as viewed from the client's perspective
• dns_recursivequery_server.pcap – A recursive query as viewed from the intermediate server's perspective
• http_espn.pcap – HTTP communication while browsing to ESPN.com
• http_google.pcap – HTTP communication while browsing to ESPN.com
• icmp_echo.pcap – A sample of ICMP echo requests and replies created by the ping tool
• icmp_traceroute.pcap – Sample ICMP traffic generated by the traceroute tool
• ip_frag_source.pcap – Fragmented IP packets
• tcp_dupack.pcap – Duplicate ACK packets generated as a result of high latency
• tcp_handshake.pcap – The TCP connection initiation process
• tcp_refuseconnections.pcap – A TCP SYN followed by a RST from a failed communication attempt
• tcp_retransmissions.pcap – Example of retransmissions that are a result of dropped packets
• tcp_teardown.pcap – The TCP connection completion process
• tcp_zerowindowdead.pcap – TCP flow control halting an established connection
• tcp_zerowindowrecovery.pcap – TCP flow control stopping and then resuming an established connection
10. Evaluation experiment 1 (no DB operations)
Data type   Packet count   File count   File size
a           100940                      18386k
b           12858                       18317k
c           14086                       18372k

Data type   Proposed method   tcpdump    tcpdump
a           3m29.982          1m50.988   0m22.537
b           0m23.083          0m15.167   0m7.249
c           0m2.481           0m1.153    0m0.170
11. Evaluation experiment 2 (parsing small pcap files and DB operations)
ip_frag_source.pcap – Fragmented IP packets
-bash-4.1# ls ip_frag_source.pcap -alh
-rw-r--r-- 1 root root 7.2K Apr 12 2011 ip_frag_source.pcap
-bash-4.1# time ./parse < dump-ip_flag_source > tmp
real 0m0.033s
user 0m0.028s
sys 0m0.005s
-bash-4.1# time tcpdump -XA -vv -r ip_frag_source.pcap > tmp
reading from file ip_frag_source.pcap, link-type EN10MB (Ethernet)
real 0m0.012s
user 0m0.004s
sys 0m0.006s
-bash-4.1# time grep length tcpdump-ip_flag_source | cut -d"," -f7
-bash-4.1# time ./test-insert.sh tmp
real 0m1.115s
user 0m0.928s
sys 0m0.146s
Twitter_dm.pcap - Twitter direct message
-bash-4.1# ls -alh twitter_dm.pcap
-rw-r--r-- 1 root root 4.4K Apr 12 2011 twitter_dm.pcap
-bash-4.1# time ./parse < dump-twitter_dm > tmp
real 0m0.026s
user 0m0.022s
sys 0m0.003s
-bash-4.1# time tcpdump -XA -vv -r twitter_dm.pcap > tmp
reading from file twitter_dm.pcap, link-type EN10MB (Ethernet)
real 0m0.456s
user 0m0.008s
sys 0m0.001s
-bash-4.1# time grep length tcpdump-twitter_dm | cut -d"," -f7
-bash-4.1# time ./test-insert.sh tmp2
real 0m3.898s
user 0m3.186s
sys 0m0.589s
12. Evaluation experiment 3 (parsing large pcap files and DB operations)
ratinfected.pcap – A lab system infected with a remote access trojan sending data back to its upstream host
-bash-4.1# ls ratinfected.pcap -alh
-rw-r--r-- 1 root root 558K Apr 12 2011 ratinfected.pcap
-bash-4.1# time ./parse < dump-ratinfected > tmp
real 0m2.520s
user 0m1.327s
sys 0m0.025s
-bash-4.1# time tcpdump -A -r ratinfected.pcap > tmp
reading from file ratinfected.pcap, link-type EN10MB (Ethernet)
real 0m0.074s
user 0m0.025s
sys 0m0.006s
-bash-4.1# time grep length tcpdump-ratinfected | cut -d"," -f7
-bash-4.1# time ./test-insert.sh tmp
real 3m23.138s
user 2m51.618s
sys 0m29.775s
download-fast.pcap – Fast download
# ls -alh download-fast.pcap
-rw-r--r-- 1 root root 85M Apr 8 2011 download-fast.pcap
-bash-4.1# time ./parse < dump > tmp
real 3m50.127s
user 3m45.217s
sys 0m2.540s
-bash-4.1# time tcpdump -XA -vv -r download-fast.pcap > tmp
reading from file download-fast.pcap, link-type EN10MB (Ethernet)
real 0m24.763s
user 0m12.626s
sys 0m0.701s
-bash-4.1# time grep length tcpdump-download-fast | cut -d"," -f7
-bash-4.1# time ./test-insert.sh list
real 36m52.282s
user 31m11.860s
sys 5m26.755s
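The timings on slides 11 and 12 come from a three-stage pipeline: tcpdump writes a text dump, ./parse turns it into records, and test-insert.sh loads those records into a database; the DB stage dominates (3m23s for the 558K file, 36m52s for the 85M file). Neither ./parse nor test-insert.sh is shown on the slides, so the following is an added, constructed Python reimplementation of that pipeline's shape, not the presenters' code. It parses lines in the format `tcpdump -vv` prints for IPv4 packets, isolates the same `length` field that the `grep length | cut -d"," -f7` command on the slides pulls out, and loads the records into an in-memory SQLite table either in one transaction or with a commit per row. The sample dump, addresses, ports and IP ids are made up, and the column layout is an assumption.

```python
"""Added example: toy reimplementation of the pipeline timed on these slides
(tcpdump text dump -> parse -> database insert). Constructed sample data; the
presenters' ./parse and test-insert.sh are not shown, so their shape is assumed."""
import re
import sqlite3
import time
from collections import Counter

# Constructed sample in the shape `tcpdump -vv` prints for IPv4 traffic.
# Timestamps, addresses and IP ids are made up. The last packet imitates a
# non-first IP fragment (offset > 0), the case ip_frag_source.pcap exercises.
SAMPLE_DUMP = """\
10:00:00.000100 IP (tos 0x0, ttl 64, id 1001, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.5.40000 > 10.0.0.9.80: Flags [S], seq 100, win 29200, length 0
10:00:00.000300 IP (tos 0x0, ttl 64, id 2002, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.9.80 > 10.0.0.5.40000: Flags [S.], seq 200, ack 101, win 28960, length 0
10:00:00.000500 IP (tos 0x0, ttl 64, id 1002, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.5.40000 > 10.0.0.9.80: Flags [.], ack 1, win 229, length 0
10:00:01.250000 IP (tos 0x0, ttl 64, id 3003, offset 0, flags [none], proto UDP (17), length 73)
    10.0.0.5.51000 > 10.0.0.1.53: 12345+ A? example.test. (45)
10:00:02.000000 IP (tos 0x0, ttl 64, id 4004, offset 1480, flags [none], proto UDP (17), length 548)
    10.0.0.5 > 10.0.0.7: ip-proto-17
"""

# First line of each packet: the IP header summary. `length` here is the IP
# total length, the 7th comma-separated field that grep/cut on the slides selects.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos 0x[0-9a-f]+, ttl (?P<ttl>\d+), "
    r"id (?P<id>\d+), offset (?P<offset>\d+), flags \[[^\]]*\], "
    r"proto (?P<proto>\w+) \(\d+\), length (?P<length>\d+)\)"
)
# Second line: endpoints; the port suffix is absent on non-first fragments.
ADDR_RE = re.compile(
    r"^\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:"
)


def parse_dump(text):
    """Turn tcpdump -vv text into one record (dict) per packet."""
    records, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = {
                "ts": m["ts"], "ttl": int(m["ttl"]), "ip_id": int(m["id"]),
                "frag_offset": int(m["offset"]), "proto": m["proto"],
                "length": int(m["length"]), "src": None, "sport": None,
                "dst": None, "dport": None,
            }
            records.append(pending)
            continue
        a = ADDR_RE.match(line)
        if a and pending is not None:
            pending["src"], pending["dst"] = a["src"], a["dst"]
            pending["sport"] = int(a["sport"]) if a["sport"] else None
            pending["dport"] = int(a["dport"]) if a["dport"] else None
            pending = None
    return records


def lengths_like_cut(text):
    """The same field the slides isolate with: grep length | cut -d"," -f7."""
    return [line.split(",")[6].strip()
            for line in text.splitlines()
            if "length" in line and line.count(",") >= 6]


# Assumed table layout (the slides do not show the real schema).
SCHEMA = """CREATE TABLE packets (
    ts TEXT, ttl INTEGER, ip_id INTEGER, frag_offset INTEGER, proto TEXT,
    length INTEGER, src TEXT, sport INTEGER, dst TEXT, dport INTEGER)"""
COLUMNS = ("ts", "ttl", "ip_id", "frag_offset", "proto", "length",
           "src", "sport", "dst", "dport")


def insert_records(conn, records, batch=True):
    """Load records; batch=True commits once, batch=False once per row."""
    sql = "INSERT INTO packets VALUES (%s)" % ",".join("?" * len(COLUMNS))
    rows = [tuple(r[c] for c in COLUMNS) for r in records]
    if batch:
        with conn:                      # single transaction, one commit
            conn.executemany(sql, rows)
    else:
        for row in rows:                # one commit per row: the pattern to
            conn.execute(sql, row)      # check first when inserts dominate
            conn.commit()
    return conn.execute("SELECT COUNT(*) FROM packets").fetchone()[0]


def summarize(records):
    """Packet count, total IP bytes and per-protocol counts for a dump."""
    return {"packets": len(records),
            "ip_bytes": sum(r["length"] for r in records),
            "by_proto": dict(Counter(r["proto"] for r in records))}


def time_pipeline(text, batch=True):
    """Parse and load, returning (rows inserted, elapsed seconds)."""
    start = time.perf_counter()
    records = parse_dump(text)
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    n = insert_records(conn, records, batch=batch)
    conn.close()
    return n, time.perf_counter() - start


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(summarize(recs))
    print(lengths_like_cut(SAMPLE_DUMP))
    for mode in (True, False):
        n, secs = time_pipeline(SAMPLE_DUMP, batch=mode)
        print("batch=%s rows=%d %.4fs" % (mode, n, secs))
```

The `batch` switch is the point of the example: on the slides the insert step takes ten times longer than parsing on the 558K file and a hundred times longer than tcpdump itself on the 85M file, and whether the loader commits per row or per batch is the first thing a practitioner would check when reproducing such numbers with a real tcpdump dump in place of `SAMPLE_DUMP`.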