grittyninja/filter.sh

## filter.sh
#!/bin/bash

# SETTINGS
CLIENT="10.0.2.15"
SPLIT=180
CLASS=$2
# FUNCTIONS
function AVG {
  LIST=(${@})
  SUM=0
  TOTAL=${#LIST[@]}
  for i in ${LIST[@]}; do
     SUM=$(($SUM+$i))
  done
  echo "scale=2; $SUM/$TOTAL" | bc -l
}

function HM {
  LIST=(${@})
  SUM=0
  TOTAL=${#LIST[@]}
  for i in ${LIST[@]}; do
    VAL=$(echo "1/$i" | bc -l)
    SUM=$(echo "$SUM+$VAL" | bc -l)
  done
  echo "scale=2; $TOTAL/$SUM" | bc -l
}

function MED {
  LIST=(${@})
  LIST=( $( printf "%s\n" "${LIST[@]}" | sort -n ) )
  N=$((${#LIST[@]}/2))
  # if list is even
  [ $((${#LIST[@]}%2)) -eq 0 ] && {
    echo "scale=2;(${LIST[$N]}+${LIST[$N-1]})/2" | bc -l #| tr -d ".00"
  }
  # if list is odd
  [ $((${#LIST[@]}%2)) -eq 1 ] && {
    echo ${LIST[$N]}
  }
}

function MODE {
  LIST=(${@})
  echo $(printf '%s\n' "${LIST[@]}" | sort | uniq -c | sort | tail -n 1 | awk {'print $2'})
}

function CL {
  SUFF=".00"
  TEXT=$1
  echo ${TEXT%$SUFF}
}

function STD {
  LIST=(${@})
  N=${#LIST[@]}
  u=$(AVG ${LIST[@]})
  SUM=0
  for i in ${LIST[@]}; do
    VAL=$(echo "($i-$u)^2" | bc -l)
    SUM=$(echo "$SUM+$VAL" | bc -l)
  done
  VARIANCE=$(echo "$SUM/$N" | bc -l)
  STD=$(echo "scale=2;sqrt($VARIANCE)" | bc -l)
  echo $STD

}

# MAIN
echo "### Extracting data from $1 - $CLASS ###"
echo "[+] Getting unrelated IP..."
IP=($(tshark -r $1 -Y 'frame contains "/edgedl/release2" or frame contains "Google Internet Authority" or frame contains "COMODO RSA Certification Authority" or frame contains "Microsoft-CryptoAPI"' -T fields -e ip.addr |  sed -e 's/\(10.0.2.15,\|,10.0.2.15\)//g' | uniq))
TMPNAME="tmp_$(cat /dev/urandom | tr -dc 'a-z' | fold -w 8 | head -n 1)"

echo "[+] Building filter..."
FILTER="!bootp and !nbns and !arp and !(udp.dstport == 5355) and ip.addr eq 10.0.2.15 and !(ip.addr eq 10.0.2.255) and !ntp and !(ip.addr eq 104.25.10.6) "
IPFILTER=""
for ip in "${IP[@]}"
do
   :
   IPFILTER="$IPFILTER and !(ip.addr eq $ip) "
done
DYNFILTER="$FILTER$IPFILTER"

echo "[+] Filtering packet..."
tshark -r $1 -Y "$DYNFILTER" -w "$TMPNAME.pcapng"

echo "[+] Splitting packet every $SPLIT seconds..."
NSPLIT=$((1800/$SPLIT))
LOW=0
for i in $(seq 1 $NSPLIT)
   do
   HIGH=$(($i*$SPLIT))
   tshark -r "$TMPNAME.pcapng" -Y "frame.time_relative gt $LOW and frame.time_relative lt $HIGH" -w "$TMPNAME"_"$i.pcapng"
   LOW=$(($LOW+$SPLIT))
done

touch "sample.data"

for i in $(seq 1 $NSPLIT); do
FILE="$TMPNAME"_"$i.pcapng"

echo "[+] Looping through TCP stream $FILE..."
STREAM=0
while true; do
IP=$(tshark -r $FILE -Y "tcp.stream eq $STREAM" -T fields -e ip.dst | sed -e 's/10.0.2.15//g' | sort | uniq | tr -d '\n')
if [ $IP ]; then
    echo "[+] Extracting statistics data from Conversation $STREAM"
    # get byte sent
    BYTESENT=($(tshark -r $FILE -Y "tcp.stream eq $STREAM && ip.src eq $CLIENT" -T fields -e frame.len))

    # get byte recv
    BYTERECV=($(tshark -r $FILE -Y "tcp.stream eq $STREAM && ip.dst eq $CLIENT" -T fields -e frame.len))
    if ! [[ $BYTESENT && $BYTERECV ]]; then
      echo "STATUS: BAD"
      ((++STREAM))
      continue
    fi
    # total packet sent
    PACKETSENT=${#BYTESENT[@]}

    # total packet received
    PACKETRECV=${#BYTERECV[@]}

    # avg byte sent
    F1=$(CL "$(AVG ${BYTESENT[@]})")

    # avg byte recv
    F2=$(CL "$(AVG ${BYTERECV[@]})")

    # median byte sent
    F3=$(CL "$(MED ${BYTESENT[@]})")

    # median byte recv
    F4=$(CL "$(MED ${BYTERECV[@]})")

    # ratio = total packet sent per total packet recv
    F5=$(CL "$(echo "scale=2; $PACKETSENT/$PACKETRECV" | bc -l)")

    # standard deviation ratio (byte sent / byte recv)
    STD_BYTESENT=$(CL "$(STD ${BYTESENT[@]})")
    STD_BYTERECV=$(CL "$(STD ${BYTERECV[@]})")
    echo "STDBS: $STD_BYTESENT"
    echo "STDRECV: $STD_BYTERECV"
    # if divider is zero
    if [ ${STD_BYTERECV%.*} -eq 0 ]; then
      echo "STATUS: BAD"
      ((++STREAM))
      continue
    fi

    F6=$(CL "$(echo "scale=2; $STD_BYTESENT/$STD_BYTERECV" | bc -l)")

    # mode byte sent
    F7=$(MODE ${BYTESENT[@]})

    # mode byte recv
    F8=$(MODE ${BYTERECV[@]})

    # harmonic mean byte sent
    F9=$(CL "$(HM ${BYTESENT[@]})")

    # harmonic mean byte recv
    F10=$(CL "$(HM ${BYTERECV[@]})")

    echo "$F1, $F2, $F3, $F4, $F5, $F6, $F7, $F8, $F9, $F10, $CLASS" >> sample.data
else
    echo "[+] END"
    break
fi
echo "STATUS: SUCCESS"
((++STREAM))
done

done

echo "[+] Cleaning ..."
rm $TMPNAME*.pcapng
	#!/bin/bash

	# SETTINGS
	CLIENT="10.0.2.15"
	SPLIT=180
	CLASS=$2
	# FUNCTIONS
	function AVG {
	LIST=(${@})
	SUM=0
	TOTAL=${#LIST[@]}
	for i in ${LIST[@]}; do
	SUM=$(($SUM+$i))
	done
	echo "scale=2; $SUM/$TOTAL" \| bc -l
	}

	function HM {
	LIST=(${@})
	SUM=0
	TOTAL=${#LIST[@]}
	for i in ${LIST[@]}; do
	VAL=$(echo "1/$i" \| bc -l)
	SUM=$(echo "$SUM+$VAL" \| bc -l)
	done
	echo "scale=2; $TOTAL/$SUM" \| bc -l
	}

	function MED {
	LIST=(${@})
	LIST=( $( printf "%s\n" "${LIST[@]}" \| sort -n ) )
	N=$((${#LIST[@]}/2))
	# if list is even
	[ $((${#LIST[@]}%2)) -eq 0 ] && {
	echo "scale=2;(${LIST[$N]}+${LIST[$N-1]})/2" \| bc -l #\| tr -d ".00"
	}
	# if list is odd
	[ $((${#LIST[@]}%2)) -eq 1 ] && {
	echo ${LIST[$N]}
	}
	}

	function MODE {
	LIST=(${@})
	echo $(printf '%s\n' "${LIST[@]}" \| sort \| uniq -c \| sort \| tail -n 1 \| awk {'print $2'})
	}

	function CL {
	SUFF=".00"
	TEXT=$1
	echo ${TEXT%$SUFF}
	}

	function STD {
	LIST=(${@})
	N=${#LIST[@]}
	u=$(AVG ${LIST[@]})
	SUM=0
	for i in ${LIST[@]}; do
	VAL=$(echo "($i-$u)^2" \| bc -l)
	SUM=$(echo "$SUM+$VAL" \| bc -l)
	done
	VARIANCE=$(echo "$SUM/$N" \| bc -l)
	STD=$(echo "scale=2;sqrt($VARIANCE)" \| bc -l)
	echo $STD

	}

	# MAIN
	echo "### Extracting data from $1 - $CLASS ###"
	echo "[+] Getting unrelated IP..."
	IP=($(tshark -r $1 -Y 'frame contains "/edgedl/release2" or frame contains "Google Internet Authority" or frame contains "COMODO RSA Certification Authority" or frame contains "Microsoft-CryptoAPI"' -T fields -e ip.addr \| sed -e 's/\(10.0.2.15,\\|,10.0.2.15\)//g' \| uniq))
	TMPNAME="tmp_$(cat /dev/urandom \| tr -dc 'a-z' \| fold -w 8 \| head -n 1)"

	echo "[+] Building filter..."
	FILTER="!bootp and !nbns and !arp and !(udp.dstport == 5355) and ip.addr eq 10.0.2.15 and !(ip.addr eq 10.0.2.255) and !ntp and !(ip.addr eq 104.25.10.6) "
	IPFILTER=""
	for ip in "${IP[@]}"
	do
	:
	IPFILTER="$IPFILTER and !(ip.addr eq $ip) "
	done
	DYNFILTER="$FILTER$IPFILTER"

	echo "[+] Filtering packet..."
	tshark -r $1 -Y "$DYNFILTER" -w "$TMPNAME.pcapng"

	echo "[+] Splitting packet every $SPLIT seconds..."
	NSPLIT=$((1800/$SPLIT))
	LOW=0
	for i in $(seq 1 $NSPLIT)
	do
	HIGH=$(($i*$SPLIT))
	tshark -r "$TMPNAME.pcapng" -Y "frame.time_relative gt $LOW and frame.time_relative lt $HIGH" -w "$TMPNAME"_"$i.pcapng"
	LOW=$(($LOW+$SPLIT))
	done

	touch "sample.data"

	for i in $(seq 1 $NSPLIT); do
	FILE="$TMPNAME"_"$i.pcapng"

	echo "[+] Looping through TCP stream $FILE..."
	STREAM=0
	while true; do
	IP=$(tshark -r $FILE -Y "tcp.stream eq $STREAM" -T fields -e ip.dst \| sed -e 's/10.0.2.15//g' \| sort \| uniq \| tr -d '\n')
	if [ $IP ]; then
	echo "[+] Extracting statistics data from Conversation $STREAM"
	# get byte sent
	BYTESENT=($(tshark -r $FILE -Y "tcp.stream eq $STREAM && ip.src eq $CLIENT" -T fields -e frame.len))

	# get byte recv
	BYTERECV=($(tshark -r $FILE -Y "tcp.stream eq $STREAM && ip.dst eq $CLIENT" -T fields -e frame.len))
	if ! [[ $BYTESENT && $BYTERECV ]]; then
	echo "STATUS: BAD"
	((++STREAM))
	continue
	fi
	# total packet sent
	PACKETSENT=${#BYTESENT[@]}

	# total packet received
	PACKETRECV=${#BYTERECV[@]}

	# avg byte sent
	F1=$(CL "$(AVG ${BYTESENT[@]})")

	# avg byte recv
	F2=$(CL "$(AVG ${BYTERECV[@]})")

	# median byte sent
	F3=$(CL "$(MED ${BYTESENT[@]})")

	# median byte recv
	F4=$(CL "$(MED ${BYTERECV[@]})")

	# ratio = total packet sent per total packet recv
	F5=$(CL "$(echo "scale=2; $PACKETSENT/$PACKETRECV" \| bc -l)")

	# standard deviation ratio (byte sent / byte recv)
	STD_BYTESENT=$(CL "$(STD ${BYTESENT[@]})")
	STD_BYTERECV=$(CL "$(STD ${BYTERECV[@]})")
	echo "STDBS: $STD_BYTESENT"
	echo "STDRECV: $STD_BYTERECV"
	# if divider is zero
	if [ ${STD_BYTERECV%.*} -eq 0 ]; then
	echo "STATUS: BAD"
	((++STREAM))
	continue
	fi

	F6=$(CL "$(echo "scale=2; $STD_BYTESENT/$STD_BYTERECV" \| bc -l)")

	# mode byte sent
	F7=$(MODE ${BYTESENT[@]})

	# mode byte recv
	F8=$(MODE ${BYTERECV[@]})

	# harmonic mean byte sent
	F9=$(CL "$(HM ${BYTESENT[@]})")

	# harmonic mean byte recv
	F10=$(CL "$(HM ${BYTERECV[@]})")

	echo "$F1, $F2, $F3, $F4, $F5, $F6, $F7, $F8, $F9, $F10, $CLASS" >> sample.data
	else
	echo "[+] END"
	break
	fi
	echo "STATUS: SUCCESS"
	((++STREAM))
	done

	done

	echo "[+] Cleaning ..."
	rm $TMPNAME*.pcapng