PYTHONNNN basic programming

Closed Posted Oct 23, 2014 Paid on delivery

Introduction

System administrators often analyze log files, such as packet captures or firewall logs, to see if there is unusual activity, such as a spike in traffic during a DDoS attack. Unfortunately, there are many different kinds of devices/programs that produce different kinds of log files in many different formats, often with a variable number of fields, so there is no one tool that understands all the different formats. Consequently, sys admins often write scripts to parse (break into its individual fields) log files for analysis. In this assignment you will write a script to parse a comma-separated values (CSV) text file. Once you have the individual fields, your program will then do a basic analysis of the file that gives us a summary report of traffic to a destination IP (or IPs). To make it flexible, your user should be able to use partial IPs so that the program summarizes a range of IPs.

Part I - Validating Arguments

For your script to be flexible, you need to specify the IPs of interest on the command line when invoking the program.

The requirements are as follows:

Name your program a1.

You should be able to run your program from the command line with the following syntax:

[url removed, login to view] file

[url removed, login to view] src_ip file

[url removed, login to view] src_ip dest_ip file

where file is the name of a text file of packet captures, src_ip is a source IP and dest_ip is a destination IP. So you may have 1-3 arguments. Below are some examples of valid commands:

[url removed, login to view] [url removed, login to view]

[url removed, login to view] [url removed, login to view] log

[url removed, login to view] [url removed, login to view] 192.168.1.1 net-dump

Test to make sure your arguments are correct, and if not, print appropriate error messages:

Less than 1 or more than 3 arguments should generate a "usage" error message, similar to the usage error for other Linux commands.

The last argument must be a file that exists. You do not have to test to make sure the contents of the file are in the correct format, but you do have to test for existence of the file.

You also have to test that the IP pattern is in the proper format. Note that IPs must have exactly four octets, each of which has the range 0-255.

Below are examples of invalid calls to the program (also illustrated in the set of sample runs in Part II):

bob@bob-pc-ocz:~/srt-a1$ [url removed, login to view]

Usage: [url removed, login to view] [src_ip [dest_ip]] file

bob@bob-pc-ocz:~/srt-a1$ [url removed, login to view] [url removed, login to view] [url removed, login to view]

Invalid source IP

bob@bob-pc-ocz:~/srt-a1$ [url removed, login to view] [url removed, login to view] [url removed, login to view] [url removed, login to view]

Invalid destination IP

bob@bob-pc-ocz:~/srt-a1$ [url removed, login to view] nofile

File nofile does not exist

Note: all validation on IP numbers must be done using regular expressions.

Hint: don't try to do the whole assignment at once. Do Part I first, test it to make sure it is working, then move on to Part II where you actually analyze the packets.

Part II - Parsing a Log File For Analysis

To parse a log file means to break the records (lines) from the file into its fields so that we may analyze the fields. In our case, it means extracting the source IP, destination IP, and protocol from the rest of the fields in each record. (You will be doing a lot more of this in SRT411.)

If the command line arguments are valid, you are to analyze the contents of a CSV file which contains network traffic in the format in this sample file:

[url removed, login to view]

Here is a link to the original tcpdump file I will be using to test this assignment. You can create a file in the format shown above by exporting through Wireshark using File | Export Packet Dissections | As "CSV". Note: you should remove the first line which contains headings.

Your program should print a summary report based on the IPs specified.

If you specified no IPs, then your program should produce a summary report based on all traffic (all source IPs to all destination IPs).

If you specified only a src_ip, then your program should print a summary report of all destination IPs for that source IP.

Your program should list each source IP that sent to the destination IP(s), followed by a count of the number of packets they received by protocol. Below is a file of some sample runs. It contains tests where 0) the command line arguments are invalid, 1) there is no traffic from the source IP, 2) there is only traffic from one source IP to one destination IP, 3) there is traffic from one source IP to multiple destination IPs. The results are from my program, so they should be correct (I hope!):

[url removed, login to view]

Your program should match this output as closely as possible. You should line up your columns nicely like mine.

Testing a program thoroughly is part of what a programmer does (and what you should do!). When I test your assignment on the due date, it will be with all these test cases -- and more. So make sure your program not only works for the set above, but for additional cases this set might not cover.

Your program should contain at least two user-defined functions and possibly more. For example, you could write one function to validate the IPs entered.

You should test that your program produces the same results shown, and run additional test cases. Note that you are writing a small part of the Wireshark filter function, and so you can test your program by using Wireshark to filter by IP and protocol to see if you get the same results as your program.
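An added example, not the instructor's solution and not code from the original posting, showing regex validation of a four-octet address and a per-protocol packet count. The function names are hypothetical, the column order is assumed to be Wireshark's default CSV export, the sample records are constructed, and partial IP patterns are not covered.

```python
import csv
import re
from collections import Counter, defaultdict

# One octet in 0-255 with no leading zeros. [0-9] is used instead of \d
# because \d also matches non-ASCII digits in Python 3 str patterns.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
IPV4_RE = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")

def is_valid_ip(text):
    """True only for exactly four dot-separated octets, each 0-255."""
    # fullmatch anchors both ends; match() with '$' accepts "1.2.3.4\n".
    return IPV4_RE.fullmatch(text) is not None

def summarize(lines, src_ip=None, dest_ip=None):
    """Count packets per (source, destination) pair and protocol.

    Assumed columns (Wireshark default CSV export, heading line removed):
    No., Time, Source, Destination, Protocol, Length, Info
    """
    counts = defaultdict(Counter)
    # csv.reader, not split(","): the quoted Info field may contain commas.
    for row in csv.reader(lines):
        if len(row) < 5:
            continue  # blank or truncated record
        src, dst, proto = row[2], row[3], row[4]
        if src_ip not in (None, src) or dest_ip not in (None, dst):
            continue
        counts[(src, dst)][proto] += 1
    return counts

def report(counts):
    """Format the counts as aligned columns, sorted for stable output."""
    return [f"{src:<16}{dst:<16}{proto:<8}{n:>6}"
            for (src, dst), protos in sorted(counts.items())
            for proto, n in sorted(protos.items())]

# Constructed sample records, not taken from the assignment's capture file.
SAMPLE = [
    '"1","0.000000","192.168.1.10","192.168.1.1","DNS","74","Standard query A example.com"',
    '"2","0.000312","192.168.1.10","192.168.1.1","DNS","74","Standard query AAAA example.com"',
    '"3","0.010000","192.168.1.10","10.0.0.5","TCP","66","51000 > 80 [SYN], Seq=0"',
    '"4","0.020000","192.168.1.20","10.0.0.5","HTTP","410","GET / HTTP/1.1"',
]

if __name__ == "__main__":
    for ip in ("192.168.1.1", "256.1.1.1", "10.0.0"):
        print(ip, "valid" if is_valid_ip(ip) else "invalid")
    print("\n".join(report(summarize(SAMPLE, src_ip="192.168.1.10"))))
```
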

PHP Software Architecture

Project ID: #6633931

About the project

1 proposal Remote project Active Nov 29, 2014

1 freelancer is bidding on average $166 for this job

foklor77

Hello sir, how are you? Thank you for viewing my profile. Please check our company freelancer profile https://www.freelancer.com/u/melaar.html We already developed this type of project so we can take your project. why

$210 CAD in 8 days
(11 reviews)
4.0
nmlemus

I can do the job ASAP. I have known Python for years and I can start right now. So if you are interested, just contact me. Regards, Noel

$166 CAD in 3 days
(2 reviews)
2.4