Simple script to scatter plot ISN values over time (+ TCP port as color) from pcap

generate.py

# Simple script to show the ISN value from a tshark output (extracting non relative ISN)
#
# tshark -n -r <yourcapturefile.cap" -T fields -e frame.time_epoch -T fields -e ip.src -T fields -e tcp.srcport -T fields -e ip.dst -T fields -e tcp.dstport -T fields -e tcp.seq -T fields -e tcp.flags -T fields -e ip.ttl -o tcp.relative_sequence_numbers:FALSE | awk -e '{print $1"\t"$6"\t"$5}' | python3 generate.py
#
# by Alexandre Dulaunoy - for analysis session given more info -> http://www.foo.be/cours/dess-20162017/
#
# 

import numpy as np
import fileinput
from bokeh.plotting import figure, show, output_file

##

x_input = [] #timestamp
y_input = [] #ISN value (non-relative)
z_input = [] #TCP port (used as color)


for line in fileinput.input():
    try:
        rl = line.split("\t")
        x_input.append(int(float(rl[0])))
        y_input.append(int(float(rl[1])))
        z_input.append(int(float(rl[2])))

    except ValueError:
        continue

x = np.array(x_input)
y = np.array(y_input)
z = np.array(z_input)

colors = [
    "#%02x%02x%02x" % (int(r), int(g), 150) for r, g in zip(50+z*2, 30+z*2)
]

TOOLS="hover,crosshair,pan,wheel_zoom,zoom_in,zoom_out,box_zoom,undo,redo,reset,tap,save,box_select,poly_select,lasso_select,"

p = figure(tools=TOOLS, x_axis_type="datetime", title="TCP ISN values in Honeypot")
p.xaxis.axis_label = "Time"
p.scatter(x, y, color=colors, legend="ISN values", alpha=0.5, )
output_file("color_scatter.html", title="TCP ISN values in Honeypot", mode='inline')
show(p)