I am working on a way to find a mapping between the application and the url it accesses at a given timestamp. For this I first got the mapping of tcp port number to url by parsing the packet dump file from time t1 to t2. I wrote this python code for parsing:
import dpkt
f = open('/home/nachiket/Desktop/Research work/my project/s1-pcapFilesParsed/pcap files/2017_04_01_023856.pcap')#2017_03_30_013908.pcap #2017_03_02_010455.pcap
pcap = dpkt.pcap.Reader(f)
g=open('s1final.txt','w')
g.write("\n")
list=set()
for ts, buf in pcap:
eth = dpkt.ethernet.Ethernet(buf)
ip = l2.data
tcp = ip.data
if type(tcp)!=str:
if (tcp.dport == 80 or tcp.dport == 443) and len(tcp.data) > 0:
try:
http1 = dpkt.http.Request(tcp.data)
if http1.uri!='/_ping':
g.write("p "+str((hex(tcp.sport).split('x')[-1])).upper()) #converted to hex
except (dpkt.dpkt.NeedData, dpkt.dpkt.UnpackError):
continue
Now I mapped the tcp port to uid from /proc/net/tcp and from uid I got application name. Thus I merged the two files and got the tcp port to application name mapping at a given timestamp.
The python code:
#! /bin/bash
for i in {1..80}
do
adb shell "date +%s" > dump/netdump$i
adb shell "cat /proc/net/tcp" >> dump/netdump$i
echo finished: $i
sleep 1
done
The problem I faced is the tcp ports from running the first code doesnt match at all with the tcp ports running from second code. If was supposed to merge them on basis on common tcp ports used by application at a given timestamp and hence to find the application to url mapping at a given time. But the ports doesnt match. I know that the /proc/net/tcp is used for getting details of each socket but it shouldn't affect the tcp ports I guess.
PS: I am a beginner and have done research before submitting question
Thank you
