Parsing Wireshark Files Using F#

I went to the Research Triangle Analysts Meetup for network security where I was exposed to Wireshark for the1st time.  One of the problems with analyzing packets is that the data comes in a variety of structures, depending on the nature of what is being captured and what level of commutation is being analyzed.  I decided to learn a bit about network analysis using this book:

image

One of the examples was analyzing Twitter Direct Messages.  The interesting thing is that the contents of DMs are sent in plain text, so that is a good word to the wise.

image

I was thinking about how to best analyze the sample packets for the DM and I immediately thought of using F# Type Providers.  You can export the data from Wireshark in a variety of formats, I chose XML for no particular reason

image

After exporting the data to the file system and bring the data in via the TP, I then wrote a quick script to see how fast I could get to the message sent.  Turns out pretty quick:

1 open System.IO 2 open FSharp.Data 3 4 [<Literal>] 5 let uri = @"C:\Users\jamie\Desktop\ChickenSoftware.PacketAnalysis.Solution\Data\twitter_dm" 6 7 type Context = XmlProvider<uri> 8 let data = Context.Load(uri) 9 10 let protoes = data.Packets |> Seq.collect(fun p -> p.Protoes) 11 let fields = protoes |> Seq.collect(fun p -> p.Fields) 12 let content = fields |> Seq.filter(fun f -> f.Name = Some "urlencoded-form") 13 let values = content |> Seq.map(fun c -> c.Showname) 14 let values' = values |> Seq.filter(fun v -> v.Value.Contains("text")) 15 values'

image

So F# makes is very easy to consume the data and traverse it.  I am curious how easy it will be to start applying machine learning to these files using F#.  That is up next…

Advertisements

One Response to Parsing Wireshark Files Using F#

  1. Pingback: F# Weekly #25, 2015 | Sergey Tihon's Blog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: