Mattia Rossi
Centre for Advanced Internet Architectures,
Swinburne University of Technology,
Melbourne, Australia
CRICOS number 00111D
31 January, 2012
----------------------------------------------
OVERVIEW
----------------------------------------------
Three Python scripts used to generate .kml files (as used by Google® Maps)
and extract additional information from pcap files containing
game client probes for Goldsource, SourceEngine and QuakeEngine
based game servers like Counter-Strike, Half-Life and Enemy Territory.
-----------------------
LICENCE
-----------------------
These scripts are released under a new BSD License. For more details
please refer to the included source files.
----------------------
INFORMATION
----------------------
These Python scripts work with Python 2.6 and 2.7 (but not 3.x).
They require the following Python packages to work out of the box:
1) Pylibpcap for reading packets out of the pcap files (needs libpcap)
http://pylibpcap.sourceforge.net/
2) Pygeoip for interfacing Python with MaxMind's® databases
https://github.com/appliedsec/pygeoip
You need a valid GeoLite City database from http://www.maxmind.com/app/geolitecity
in order to map addresses to country code, city and coordinates.
Furthermore the per_country_stats_15min.py script needs the following
additional program to work out of the box:
3) Quagga (http://www.quagga.net) running BGP with telnet access enabled
Refer to the source file to see how to disable the need for Quagga
This file is part of the animation_scripts.tar.gz tarball that can be obtained at:
http://caia.swin.edu.au/sting/
-----------------------
USAGE
-----------------------
The scripts have to be executed in the following order. We assume you have
a single pcap file containing probes for each consecutive day.
per_country_stats_15min.py:
./per_country_stats_15min.py -d -f -g
This script writes one output file with the .csv extension per input pcap file (read from ).
It assumes the pcap files are named sting-*.dump, with the asterisk denoting an index
number, and writes a matching sting-*.csv file for each. Each output file contains
geolocation, address, prefix and Autonomous System information in human readable
format as comma separated values, grouped into 15 minute intervals. The output files
are placed in the same directory as the input files ().
The pcap files have to contain the actual IPv4 UDP probes sent by the game clients:
the script only considers IPv4 packets, and of those only UDP packets whose payload
carries a Goldsource, SourceEngine or QuakeEngine probe header. Everything else is skipped.
The filter parameter is a tcpdump style filter expression. It can be used to extract the probes
for a single game server if more than one is present, e.g. "dst port 27016", or to drop TCP packets
before they reach the script: the script would skip them anyway, but it has to read and inspect each
one first, which slows processing down.
The script needs a GeoLite City database to work, from http://www.maxmind.com/app/geolitecity
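The packet selection and 15 minute grouping described above, as an added worked example. This is
not the project's own code and it is written for Python 3 rather than the Python 2.6/2.7 the scripts
target: it reads a classic Ethernet pcap with the standard library instead of pylibpcap, keeps only
IPv4/UDP packets whose payload starts with the four 0xFF bytes that Goldsource, Source and Quake
engines put in front of connectionless packets such as server probes, counts probes per source
address in 15 minute buckets, and accepts an optional destination port that plays the role of a
"dst port N" filter. Geolocation, prefix and AS lookups are left out because they need the GeoLite
database and Quagga. The capture, the addresses and the probe payloads are constructed for the
example; the A2S_INFO and getinfo strings are the well known Source and Quake3 style info queries.

```python
import struct
from collections import Counter, defaultdict

# Goldsource, Source and Quake engines mark connectionless (out-of-band)
# packets, which include server probes, with a four-byte 0xFFFFFFFF prefix.
OOB_PREFIX = b"\xff\xff\xff\xff"
BUCKET_SECONDS = 15 * 60


def iter_pcap_records(data):
    """Yield (timestamp, frame) pairs from a classic pcap byte string.
    Only the Ethernet link type is handled (assumption for this example)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_udp_probe(frame):
    """Return (src_ip, dst_ip, dst_port, payload) for an IPv4/UDP frame whose
    payload starts with the engine probe prefix, otherwise None.  Non-IPv4,
    non-UDP and non-probe packets are skipped, as the script does."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 17:  # IP version 4, protocol UDP
        return None
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    udp = ip[ihl:]
    if len(udp) < 8:
        return None
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:ulen]
    if not payload.startswith(OOB_PREFIX):
        return None
    return src, dst, dport, payload


def per_15min_sources(pcap_bytes, dst_port=None):
    """Count probes per source address in 15 minute buckets, keyed by the
    bucket start in epoch seconds.  dst_port acts like a "dst port N" filter."""
    buckets = defaultdict(Counter)
    for ts, frame in iter_pcap_records(pcap_bytes):
        probe = parse_udp_probe(frame)
        if probe is None:
            continue
        src, _dst, dport, _payload = probe
        if dst_port is not None and dport != dst_port:
            continue
        bucket = int(ts) - int(ts) % BUCKET_SECONDS
        buckets[bucket][src] += 1
    return dict(buckets)


# --- constructed sample capture (not a real trace) -------------------------
def _ip(addr):
    return bytes(int(x) for x in addr.split("."))


def _frame(src, dst, proto, l4):
    """Ethernet header + minimal IPv4 header (checksum left zero; not validated above)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                         proto, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + l4


def _udp(dport, payload, sport=27005):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_pcap(records):
    """Little-endian classic pcap, Ethernet link type, from (ts, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)),
                           len(frame), len(frame)) + frame
    return out


A2S_INFO = OOB_PREFIX + b"TSource Engine Query\x00"  # Source/Goldsource info probe
Q3_GETINFO = OOB_PREFIX + b"getinfo xxx"               # Quake3-style info probe

SAMPLE_PCAP = build_pcap([
    (1000.0, _frame("10.0.0.1", "192.0.2.10", 17, _udp(27016, A2S_INFO))),
    (1100.0, _frame("10.0.0.2", "192.0.2.10", 17, _udp(27016, Q3_GETINFO))),
    (1200.5, _frame("10.0.0.1", "192.0.2.10", 17, _udp(27016, A2S_INFO))),
    (1300.0, _frame("10.0.0.3", "192.0.2.10", 6, b"\x00" * 20)),            # TCP: skipped
    (1850.0, _frame("10.0.0.4", "192.0.2.10", 17, _udp(27015, A2S_INFO))),  # other server port
    (1900.0, _frame("10.0.0.1", "192.0.2.10", 17, _udp(27016, b"hello"))),  # UDP, not a probe
])

if __name__ == "__main__":
    for start, counts in sorted(per_15min_sources(SAMPLE_PCAP).items()):
        print(start, dict(counts))
    print(per_15min_sources(SAMPLE_PCAP, dst_port=27016))
```

Run against the constructed capture, the first call yields two buckets (starting at 900 and
1800 seconds) and the second, with the port filter, only the first bucket, since the probe
at 1850 seconds went to a different server port. The TCP packet and the non-probe UDP packet
are skipped either way.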
getbadaddr_15min.py:
./getbadaddr_15min.py
This script creates two files. "badaddr.csv" contains all addresses of clients which are
most likely driven by scripts rather than by human interaction, while "addresslist.txt"
contains all other addresses found in the game server probes. The script assumes the existence
of "/sting-*.csv" files in the current directory, as created by the per_country_stats_15min.py script.
per_15min_kml.py:
./per_15min_kml.py -d -f -g -b
Extracts geolocation directly from the pcap files (similar to per_country_stats_15min.py), but
writes it into .kml files which can be uploaded to Google Maps (if they are not too big).
The .kml file contains one "Placemark" for each location found. The city name is recorded as
the "Placemark" name and the addresses are recorded in the "CDATA" description field.
The "coordinates" tag contains longitude, latitude and altitude (in that order, as KML requires).
The altitude corresponds to the number of addresses found for that location: multiple addresses
for the same location are combined in a single "Placemark" tag and all recorded in the description.
The geolocation information of the IPv4 addresses is taken from MaxMind's GeoLite City
database, which has to be supplied via the -g parameter.
The script reads in all pcap files from which need to follow the following naming scheme;
--
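The .kml layout described for per_15min_kml.py above, as an added worked example that is not part
of the scripts: one Placemark per location, the city as the Placemark name, the addresses in a CDATA
description, and the number of distinct addresses at that location as the altitude in the
coordinates tag. The (address, city, latitude, longitude) records are constructed for the example;
in the real script they would come from a GeoLite City lookup (with pygeoip this is assumed to be
record_by_addr, which is not shown here). A small parser that reads the Placemarks back is included
so the output can be checked.

```python
from collections import defaultdict
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"
NS = {"k": KML_NS}


def group_by_location(records):
    """records: iterable of (ip, city, lat, lon), one per probe as the GeoLite
    lookup would return it.  Returns {(city, lat, lon): sorted distinct ips}."""
    groups = defaultdict(set)
    for ip, city, lat, lon in records:
        groups[(city, lat, lon)].add(ip)
    return {key: sorted(ips) for key, ips in groups.items()}


def to_kml(groups, doc_name="probes"):
    """Render the grouped addresses as a KML document: one Placemark per
    location, addresses in a CDATA description, altitude = address count."""
    parts = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<kml xmlns="%s">' % KML_NS, "<Document>",
             "<name>%s</name>" % escape(doc_name)]
    for (city, lat, lon), ips in sorted(groups.items()):
        desc = "<br/>".join(ips)
        if "]]>" in desc:  # would terminate the CDATA section early
            raise ValueError("address list cannot contain ']]>'")
        parts.append("<Placemark>")
        parts.append("<name>%s</name>" % escape(city))
        parts.append("<description><![CDATA[%s]]></description>" % desc)
        # KML coordinate order is longitude, latitude, altitude.
        parts.append("<Point><coordinates>%f,%f,%d</coordinates></Point>"
                     % (lon, lat, len(ips)))
        parts.append("</Placemark>")
    parts += ["</Document>", "</kml>"]
    return "\n".join(parts)


def placemarks(kml_text):
    """Parse a KML document produced by to_kml back into
    (city, lat, lon, address_count, [addresses]) tuples."""
    root = ET.fromstring(kml_text.encode("utf-8"))
    out = []
    for pm in root.iterfind(".//k:Placemark", NS):
        name = pm.findtext("k:name", namespaces=NS)
        lon, lat, alt = pm.findtext("k:Point/k:coordinates", namespaces=NS).split(",")
        desc = pm.findtext("k:description", namespaces=NS)
        out.append((name, float(lat), float(lon), int(alt), desc.split("<br/>")))
    return out


# Constructed sample lookups (not real geolocation data); one address is seen twice.
SAMPLE_RECORDS = [
    ("203.0.113.5", "Melbourne", -37.8136, 144.9631),
    ("203.0.113.9", "Melbourne", -37.8136, 144.9631),
    ("203.0.113.5", "Melbourne", -37.8136, 144.9631),
    ("198.51.100.2", "Sydney", -33.8688, 151.2093),
]

if __name__ == "__main__":
    print(to_kml(group_by_location(SAMPLE_RECORDS), "sting-1 00:00-00:15"))
```

With the sample records the document holds two Placemarks: "Melbourne" with two distinct
addresses in its description and altitude 2, and "Sydney" with one address and altitude 1.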