Feature extraction from tcpdump dataset

Hello,

I have used one BRO script to extract the features from the tcpdump dataset. But after executing the script I am getting the output related to only one or two IP addresses. TCP protocol related features are also missing. In the script the TCP related event is already written. Source bytes, destination bytes and many other fields are missing in the output. The output is coming like this.

12623 894270562.332940 53 53 192.168.1.10 172.16.112.20 114.076435 udp 53 SF 0 46 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
3379 894264041.623323 53 53 172.16.112.20 192.168.1.10 188.920237 udp 53 SF 0 80 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
18751 894276050.128957 53 53 192.168.1.10 192.112.36.4 79.935439 udp 53 S0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
18911 894276319.473667 53 53 192.168.1.10 172.16.112.20 32.000492 udp 53 SF 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
15254 894272639.391092 3 1 192.168.1.1 192.168.1.10 56.142144 icmp 3 SH 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
124 894261608.818447 53 53 172.16.112.20 192.168.1.10 10.889097 udp 53 SF 0 88 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
10890 894268867.616405 53 53 172.16.112.20 192.168.1.20 86.801842 udp 53 SF 0 106 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
20487 894301329.172629 21836 69 192.168.1.1 255.255.255.255 14.185021 udp 69 S0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
3168 894264041.623323 53 53 172.16.112.20 192.168.1.10 116.796997 udp 53 SF 0 80 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
5215 894264041.623323 53 53 172.16.112.20 192.168.1.10 824.392281 udp 53 SF 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
20920 894309698.188181 1100 53 192.168.1.20 192.168.1.10 0.000204 udp 53 S0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
17426 894274962.704143 3 1 192.168.1.1 192.168.1.10 55.393165 icmp 3 SH 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
19407 894279440.127267 53 53 192.168.1.10 192.203.230.10 52.577897 udp 53 S0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
14138 894271782.414871 53 53 172.16.112.20 192.168.1.10 70.741656 udp 53 SF 0 80 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
11385 894269373.326256 53 53 192.168.1.10 172.16.112.20 92.350040 udp 53 S0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
5503 894265091.295491 53 53 172.16.112.20 194.7.248.153 4.497476 udp 53 S0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
6388 894264946.828720 53 53 172.16.112.20 192.168.1.10 523.448570 udp 53 SF 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
7118 894265986.131874 53 53 172.16.112.20 192.168.1.20 0.000000 udp 53 OTH 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
6655 894264946.828720 53 53 172.16.112.20 192.168.1.10 768.043159 udp 53 SF 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
7530 894265816.715767 53 53 172.16.112.20 192.168.1.10 291.721001 udp 53 SF 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
7720 894266226.030665 53 53 172.16.112.20 135.8.60.182 13.094761 udp 53 S0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1312 894262128.202500 53 53 172.16.112.20 192.168.1.10 472.436405 udp 53 SF 0 80 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
19348 894279464.545284 53 53 192.168.1.10 128.9.0.107 0.000000 udp 53 OTH 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
19665 894283246.635702 53 53 172.16.112.20 197.218.177.69 4.499342 udp 53 S0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1756 894262128.202500 53 53 172.16.112.20 192.168.1.10 720.434234 udp 53 SF 0 80 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
13742 894271496.860470 53 53 192.168.1.10 172.16.112.20 0.000000 udp 53 OTH 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
3339 894264041.623323 53 53 172.16.112.20 192.168.1.10 135.101538 udp 53 SF 0 80 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
9625 894267896.744671 53 53 172.16.112.20 192.168.1.10 0.187004 udp 53 SF 0 80 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
7513 894265816.715767 53 53 172.16.112.20 192.168.1.10 269.665598 udp 53 SF 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Please, tell me some scripts, if available, through which I can extract all the features from the tcpdump data set. I am a newbie to BRO IDS. I don't know much about the BRO IDS. Please, help me. Thanks in advance.

Hello,

I have used one BRO script to extract the features from the tcpdump
dataset. But after executing the script I am getting the output related to
only one or two IP addresses. TCP protocol related features are also missing.
In the script the TCP related event is already written. Source bytes,
destination bytes and many other fields are missing in the output. The output
is coming like this.

What scripts are you using to generate this output? Also, what version
of Bro? The output doesn't look like the conn.log from either the 2.0
or 1.5 version of Bro. Have you written a script to capture this?

Please, tell me some scripts, if available, through which I can extract
all the features from the tcpdump data set. I am a newbie to BRO IDS. I don't
know much about the BRO IDS. Please, help me. Thanks in advance.

What sort of data are you trying to extract from the pcap files? By
default bro-2.0 analyses a lot of events out of the box; there should
be *.log files in your working directory. What are the names of the
files you see?

sridhar
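The reply points at the conn.log that Bro 2.0 writes by default. The following is an added example, not code from the thread or from the Bro project: it parses a Bro 2.0 conn.log using its own #fields header and pulls out the source-bytes, destination-bytes, protocol and connection-state features the question says were missing, treating Bro's unset marker ('-') as zero. The log text is constructed to mimic the 2.0 layout and the uids are made up.

```python
# Added example, not code from the thread or the Bro project: parse a Bro 2.0
# conn.log and pull out the per-connection features the question says are
# missing. The log text is constructed to mimic the 2.0 layout; uids are made up.
from typing import Dict, List, Optional

SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes"
    "\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\n"
    # completed DNS exchange: both byte counters are present
    "894270562.332940\tCXWv6p3arKYeMETxOg\t192.168.1.10\t53\t172.16.112.20\t53"
    "\tudp\tdns\t114.076435\t46\t80\tSF\t-\t0\tDd\t1\t74\t1\t108\n"
    # S0 flow with no reply: duration and byte counters written as unset ('-')
    "894276050.128957\tCjhGID4nQcgTWjvg4c\t192.168.1.10\t1025\t192.112.36.4\t53"
    "\tudp\tdns\t-\t-\t-\tS0\t-\t0\tD\t1\t74\t0\t0\n"
    # a TCP flow, which the poster's output never showed at all
    "894262000.000000\tC4J4Th3PJpwUYZZ6gc\t192.168.1.20\t1100\t172.16.112.20\t80"
    "\ttcp\thttp\t0.5\t120\t4096\tSF\t-\t0\tShADadfF\t6\t440\t8\t4520\n"
)


def parse_conn_log(text: str) -> List[Dict[str, Optional[str]]]:
    """One dict per connection, keyed by the names in the #fields header."""
    fields: List[str] = []
    unset = "-"
    records: List[Dict[str, Optional[str]]] = []
    for line in filter(None, text.splitlines()):  # skip blank lines
        if line.startswith("#"):  # header/footer: learn the layout, skip the rest
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError("column count does not match the #fields header")
        records.append({f: (None if v == unset else v) for f, v in zip(fields, cols)})
    return records


def connection_features(rec: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Map one conn.log row onto byte/state features; unset counters count as 0."""
    return {"src": rec["id.orig_h"], "dst": rec["id.resp_h"], "proto": rec["proto"],
            "service": rec["service"], "flag": rec["conn_state"],
            "duration": float(rec["duration"] or 0),
            "src_bytes": int(rec["orig_bytes"] or 0),
            "dst_bytes": int(rec["resp_bytes"] or 0)}
```

Reading the #fields line rather than hard-coding column positions keeps the parser working when a different Bro version adds or drops a column.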