Data Analysis For Security Threat
The Setup
How are Devices physically connected?
1. Devices Connected
a. Linux System
i. It is configured with 2 NIC cards.
ii. One NIC card represents the WAN (provides internet). The other
NIC represents the LAN.
iii. The NIC card which represents the WAN is connected to the
Internet port of the service provider.
iv. The other NIC card, which represents the LAN, is connected to the
Internet port of the Wi-Fi router.
b. Wi-Fi Router
i. The Wi-Fi router's Internet port is connected to one of the NIC
cards of the Linux system.
ii. To configure the Wi-Fi router you can connect a cable to one of
the non-Internet (LAN) ports and access the admin console using the
router IP [Link]
c. Devices
i. The devices are configured manually.
Configure Devices
1. Wi-Fi router
a. Configure the Internet setting of the Wi-Fi router.
b. Give it a private IP: [Link], Subnet Mask: [Link],
Gateway: [Link] (this is the IP address of the NIC card which
represents the LAN).
c. Give the router IP as [Link]
d. Disable DHCP.
e. In the advanced section, disable NAT. With NAT on, every device
would reach the Linux system with the router's address as source and
the captured traffic could no longer be attributed to individual devices.
f. Enable dynamic routing.
2. Linux System
a. Configure the IP address, gateway & DNS of the WAN interface.
b. Configure a private IP on the LAN interface, e.g. IP: [Link],
Subnet Mask: [Link], Gateway: [Link]
c. For this Linux system to act as a router, IP forwarding must be
enabled in the kernel (sysctl -w net.ipv4.ip_forward=1); the kernel
does the forwarding between the two interfaces, and the following
iptables rules permit that forwarded traffic and masquerade it onto
the WAN address:
i. iptables -A INPUT -i eth1 -j ACCEPT
ii. iptables -A FORWARD -s [Link]/24 -i eth0 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
iii. iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iv. iptables -t nat -A POSTROUTING -j MASQUERADE
(In these rules eth0 is the LAN-side NIC and eth1 the WAN-side NIC.)
d. Using the Linux route command, add the following route so that the
devices' subnet behind the Wi-Fi router is reachable:
i. route add -net [Link]/24 netmask [Link] gw [Link]
3. Devices
a. Devices are configured manually with static IPs.
b. The range of IPs can be anything from [Link] – 254. To be on the
safer side, start from [Link] – 254; that still allows almost 200
devices.
c. E.g. configure a Samsung Galaxy: IP Address: [Link], Subnet
Mask: [Link], Gateway: [Link], Primary & Secondary
DNS: provided by the service provider.
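The router configuration above, together with the re-add-after-reboot steps from the Trouble Shooting section, as one re-runnable shell script. This is an added example, not part of the original setup notes. The interface names (eth0 on the LAN side and eth1 on the WAN side, as in the page's rules), the devices' subnet and the Wi-Fi router's address are assumptions supplied through environment variables, because the page's own addresses are not reproduced. It also tightens the page's rule set: it enables IP forwarding explicitly, sets the FORWARD policy to DROP so only LAN-to-WAN connections and their replies pass, and binds MASQUERADE to the WAN interface instead of every interface.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): Linux box as LAN->WAN router.
# Interface names and subnets below are assumptions; override them via the environment.
set -eu

LAN_IF="${LAN_IF:-eth0}"                 # NIC facing the Wi-Fi router (eth0 in the page's rules)
WAN_IF="${WAN_IF:-eth1}"                 # NIC facing the service provider
DEV_NET="${DEV_NET:-192.168.20.0/24}"    # assumed subnet of the Wi-Fi devices
ROUTER_IP="${ROUTER_IP:-192.168.10.2}"   # assumed address of the router's Internet port

# Execute only when APPLY=1 (as root); otherwise print the command so the
# rule set can be reviewed before it touches a live gateway.
run_cmd() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

router_rules() {
  # The kernel, not iptables, moves packets between NICs; without this nothing is forwarded.
  run_cmd sysctl -w net.ipv4.ip_forward=1
  # Flush what a previous run left, so re-running after a reboot does not stack duplicates.
  run_cmd iptables -F FORWARD
  run_cmd iptables -t nat -F POSTROUTING
  # Default-deny forwarding: the page's rules only ACCEPT, which leaves the policy open.
  run_cmd iptables -P FORWARD DROP
  # Replies to connections the devices opened.
  run_cmd iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # New connections only from the device subnet and only LAN -> WAN; nothing unsolicited from the WAN.
  run_cmd iptables -A FORWARD -s "$DEV_NET" -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
  # Source-NAT only traffic leaving through the WAN NIC (the page masquerades on every interface).
  run_cmd iptables -t nat -A POSTROUTING -s "$DEV_NET" -o "$WAN_IF" -j MASQUERADE
  # Route back to the devices' subnet through the Wi-Fi router; NAT is off on the router,
  # so the Linux box must know where that subnet lives. 'ip route replace' is the modern 'route add'.
  run_cmd ip route replace "$DEV_NET" via "$ROUTER_IP" dev "$LAN_IF"
}

# The checks from the troubleshooting section, runnable after a reboot.
check_router() {
  printf 'ip_forward=%s\n' "$(sysctl -n net.ipv4.ip_forward)"
  ip -br addr show
  ip route show
  iptables -S FORWARD
}

case "${1:-}" in
  rules) router_rules ;;
  check) check_router ;;
esac
```

Run `./router.sh rules` first to review the commands, then `sudo APPLY=1 ./router.sh rules` to apply them; because the rules are flushed before being re-added, the same invocation can be called from a boot script to restore the setup after a reboot.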
Start WireShark to capture packets
Wireshark is a free open-source packet analyzer. You can make it listen on a
particular interface in promiscuous mode. A copy of every packet that traverses that
interface of the Linux system is handed to the tool, which displays it graphically.
1. Launch Wireshark as user root.
a. Open the Linux terminal.
b. Type sudo wireshark. Note: in this setup Wireshark is executed as the
root user. Running a large protocol dissector as root is risky; the safer
practice is to grant the dumpcap capture helper the required capabilities
and run Wireshark as an unprivileged user.
c. A Wireshark window opens.
d. Close the alert window (the warning about running as root) by clicking
on the OK button.
2. From the menu bar select Capture Options…
3. Select the interface (in our setup select eth0, the LAN-side NIC).
4. Add a capture filter:
a. [Link] [Link]/24
5. Select "Use multiple files" capture.
a. This configuration captures the live packets and creates a new file in
PCAP format every 30 minutes under the configured folder.
6. Click on Start.
7. If the devices are connected to the Wi-Fi and there is network activity
you can see it in the packet display pane.
8. You can also export the displayed packets to a readable format.
a. File -> Export -> As plain text…
b. Enter the file name.
c. To export all captured packets, select the radio button for captured
packets.
d. To apply a display filter and export only the displayed packets,
select the Displayed radio button.
e. Under the packet range, select the radio buttons on the left of the
dialog for the range you want.
f. Click on Save.
g. You will find the packets in plain text format under the saved location.
9. You can add a display filter to view only packets generated from a
particular IP address.
a. E.g. enter [Link] = [Link] in the filter box and click on Apply.
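The capture, export and display-filter steps above can also be done without the GUI, using tshark and dumpcap from the same Wireshark package. The script below is an added example, not part of the original notes; interface, subnet, output directory and the user name are assumptions passed as arguments. It also contains the privilege setup that lets the page's capture run without `sudo wireshark`: the capabilities go to the small dumpcap helper that opens the NIC, while Wireshark or tshark itself runs unprivileged.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): headless equivalents of the Wireshark GUI
# steps, plus the privilege setup that avoids running the GUI as root.
set -eu

# Run once as root. dumpcap is the helper that actually opens the NIC; giving it
# CAP_NET_RAW/CAP_NET_ADMIN lets members of the wireshark group capture while the
# dissector code runs as a normal user.
grant_capture_privileges() {        # usage: grant_capture_privileges USER
  local user=$1 dumpcap
  dumpcap=$(command -v dumpcap)
  groupadd -f wireshark
  usermod -aG wireshark "$user"
  chgrp wireshark "$dumpcap"
  chmod 750 "$dumpcap"
  setcap cap_net_raw,cap_net_admin=eip "$dumpcap"
}

# Build the capture command: same interface and capture filter as the GUI steps,
# a new pcap every SECONDS (30 minutes by default), at most KEEP files kept on disk.
capture_cmd() {                     # usage: capture_cmd IFACE SUBNET OUTDIR [SECONDS] [KEEP]
  local iface=$1 subnet=$2 outdir=$3 seconds=${4:-1800} keep=${5:-48}
  printf 'tshark -i %s -f "net %s" -b duration:%s -b files:%s -w %s/capture.pcap\n' \
    "$iface" "$subnet" "$seconds" "$keep" "$outdir"
}

# File -> Export -> As plain text, without the GUI: one summary line per packet.
export_text() {                     # usage: export_text IN.pcap OUT.txt
  tshark -r "$1" > "$2"
}

# The display-filter step: only packets whose source is one device.
export_from_ip() {                  # usage: export_from_ip IN.pcap SRC_IP OUT.txt
  tshark -r "$1" -Y "ip.src == $2" > "$3"
}

case "${1:-}" in
  privs)   grant_capture_privileges "$2" ;;
  capture) eval "$(capture_cmd "$2" "$3" "$4")" ;;
esac
```

After `sudo ./capture.sh privs monitoring` and a fresh login, `./capture.sh capture eth0 192.168.20.0/24 /home/monitoring/pcaps` runs the rotating capture as the unprivileged user; the rotated files can then be converted with `export_text` or `export_from_ip` exactly as the GUI export would.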
Start Java program to order data
This program is developed to group all the packet data captured by Wireshark. The
grouping is done by IP address and by the current date. It further filters these
grouped files on a keyword filter and puts the hits in a matchedFilter file.
File Storage Path:
/home/monitoring/apptesting/pcap_output/redable-format/<Today’s Date>/
Trouble Shooting
1. What should we do when the Linux PC reboots?
a. The iptables rules and the static route are not persistent, so for
the Linux PC to work as a router again:
i. Re-add the above iptables commands (and re-enable IP forwarding if
it is not set persistently).
ii. Re-add the route.
iii. Run /sbin/ifconfig to check that the IPs are assigned.
iv. Open a browser and check that you are able to browse.
v. From the Wi-Fi router, under the Diagnostic tab, ping the [Link]
IP. If the ping succeeds, the setup is fine.
2. What should we do when Wireshark is closed?
a. Open the terminal.
b. Type sudo wireshark
Code Logic
[Link]
This is the main file, which starts the scanner thread.
[Link]
It is a continuously running thread which watches for any incoming pcap file generated
by Wireshark and converts it to readable format.
o It calls [Link]() to check whether there is any file to convert.
o If a file is found, the date is extracted from the file.
[Link]()
o Copies the pcap file to the temp folder for processing.
[Link]()
o Creates a folder for that date if it does not exist.
[Link]()
o Iterates over the IP list and converts the pcap format to readable format.
o Deletes that pcap file.
o Filters the matched results and puts the matched contents into the
[Link] file.
o If there is no file to process, the thread goes to sleep.
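The grouping described in "Start Java program to order data" and in the Code Logic above, done in shell over a Wireshark plain-text export so the logic can be checked without the Java sources. This is an added example, not the page's program. It assumes the export holds one summary line per packet with the source address in the third column (Wireshark's default summary-line export) and ignores anything else; the sample export is constructed here, not captured.

```shell
#!/usr/bin/env bash
# Added example (not the page's Java program): split a Wireshark plain-text export
# by source IP under a per-date folder and collect keyword hits in matchedFilter.txt.
set -eu

# Constructed sample export, shaped like Wireshark's packet summary lines.
make_sample() {                     # usage: make_sample OUT_FILE
  cat > "$1" <<'EOF'
No.     Time        Source          Destination     Protocol Length Info
1       0.000000    192.168.20.50   8.8.8.8         DNS      74     Standard query 0x1a2b A www.facebook.com
2       0.012345    8.8.8.8         192.168.20.50   DNS      90     Standard query response 0x1a2b
3       0.020000    192.168.20.50   31.13.70.36     TCP      74     43210 > 443 [SYN] Seq=0
4       0.030000    192.168.20.51   93.184.216.34   TCP      74     52000 > 80 [SYN] Seq=0
EOF
}

# group_export EXPORT_FILE OUT_ROOT DATE KEYWORD...
#   writes OUT_ROOT/DATE/<src-ip>.txt per source address and
#   OUT_ROOT/DATE/matchedFilter.txt with every line containing any keyword.
group_export() {
  local export_file=$1 out_root=$2 date=$3; shift 3
  local day_dir="$out_root/$date"
  mkdir -p "$day_dir"
  # Per-IP split: column 3 must look like a dotted quad, which skips the header
  # and rows whose source is not an IPv4 address (ARP, IPv6).
  awk -v dir="$day_dir" '
    $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      out = dir "/" $3 ".txt"; print >> out; close(out)
    }' "$export_file"
  # Keyword filter: fixed strings, case-insensitive; a line is written once
  # however many keywords it matches. Keywords are taken literally, not as regexes,
  # so a hostname with dots cannot turn into a wildcard.
  : > "$day_dir/matchedFilter.txt"
  if [ "$#" -gt 0 ]; then
    local kwfile; kwfile=$(mktemp)
    printf '%s\n' "$@" > "$kwfile"
    grep -i -F -f "$kwfile" "$export_file" >> "$day_dir/matchedFilter.txt" || true
    rm -f "$kwfile"
  fi
}

# Number of packets a given source sent, read back from the grouped files.
packets_from() {                    # usage: packets_from OUT_ROOT DATE IP
  local f="$1/$2/$3.txt"
  if [ -f "$f" ]; then grep -c '' "$f" || true; else echo 0; fi
}

case "${1:-}" in
  run) export_file=$2 out_root=$3; shift 3
       group_export "$export_file" "$out_root" "$(date +%Y-%m-%d)" "$@" ;;
esac
```

`./group.sh run export.txt /home/monitoring/apptesting/pcap_output/redable-format facebook 443` produces one file per device address under today's date plus the matchedFilter.txt with every line mentioning either keyword; re-running on a new 30-minute export appends to the same per-device files.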