Filter and Aggregation of Ethernet fields: Mac Address using summary statistics

Development
1

Hello,
I am planning to apply the summary statistics framework to filter and aggregate the Ethernet fields: Mac Addresses from my packet capture file, .pcapng. I attempted certain approaches but getting errors. As a newcomer in the field, maybe I am missing certain conditions that I need to fulfill.

@load base/frameworks/sumstats

module Ethernet;

# Defining a record for logging MAC address statistics
type EtherMacStats: record {
    ts: time;            # Timestamp of the summary event
    mac: string;         # The MAC address (source or destination)
    direction: string;   # Direction of the MAC address (src or dst)
    count: int;          # Count of packets associated with the MAC address
};

# Initializing the summary statistics framework
event zeek_init() {
    Log::create_stream("ether_mac_stats", [$columns=[ts, mac, direction, count]]);
}

# Handlinge Ethernet frames
event packet(f: fa_file, p: packet) {
    if ( p$payload$ethernet?$src && p$payload$ethernet?$dst ) {
        local src_mac = fmt("%s", p$payload$ethernet$src);
        local dst_mac = fmt("%s", p$payload$ethernet$dst);
        
        # Observe source MAC address
        SumStats::observe("src_mac_count", src_mac);
        
        # Observe destination MAC address
        SumStats::observe("dst_mac_count", dst_mac);
    }
}

# Creating summary statistics for MAC addresses
event SumStats::create_summarizer() {
    # Summarize source MAC addresses
    SumStats::create([
        $name = "src_mac_count",
        $epoch = 1 sec,   # Interval of 1 second
        $reducers = [SumStats::SUM],
        $threshold = 1,   # Report if count is 1 or more
    ]);

    # Summarize destination MAC addresses
    SumStats::create([
        $name = "dst_mac_count",
        $epoch = 1 sec,   # Interval of 1 second
        $reducers = [SumStats::SUM],
        $threshold = 1,   # Report if count is 1 or more
    ]);
}

# Handle the results of the summarization
event SumStats::result(name: string, key: any, result: double, num: double) {
    if ( name == "src_mac_count" ) {
        Log::write("ether_mac_stats", [$ts=network_time(), $mac=key, $direction="src", $count=int(result)]);
    }
    else if ( name == "dst_mac_count" ) {
        Log::write("ether_mac_stats", [$ts=network_time(), $mac=key, $direction="dst", $count=int(result)]);
    }
}
2

As a newcomer in the field, maybe I am missing certain conditions that I need to fulfill.

Your script has a lot syntax and semantics errors, and I am tempted to think it was generated by a machine to look meaningful, but it is not at all; uncritically using some LLM and then asking for feedback on big chunks of generated code would be a huge waste of your and our time.

Since your code has so many errors I would suggest you instead try to make small pieces work at a time, and make sure you understand what you are doing at each step.

Example syntax errors:

  • count: int; # Count of packets associated with the MAC address

    You cannot name your record field count since count is an existing type. Try something like e.g., count_ (while at it you might want to make the type of the field count as well since you do not need negative values).

  • $count_=int(result)

    This is not a proper way to cast a real value to an integer, you probably want to use double_to_count.

Semantic errors:

  • There is neither an event packet(f: fa_file, p: packet) nor a type packet in Zeek itself, so this makes no sense. You probably want to instead hook into connection lifecycle events like new_connection, e.g.,
    event new_connection(c: connection)
	{
	if ( c$orig?$l2_addr && c$resp?$l2_addr ) ...
  • To log your EtherMacStats record its fields need to be &log, and you also should assign a module-specific log ID which you’d use when creating your log stream. The documentation explains the process in more detail.
  • Your use of the sumstats framework is wrong, e.g., you do not pass valid reducers (and SumStats::SUM is not an actual thing). The sumstats documentation documents with examples how to use the framework.
1 Like