Mattia Rossi
Centre for Advanced Internet Architectures,
Swinburne University of Technology, Melbourne, Australia
CRICOS number 00111D
31 January, 2012

----------------------------------------------
OVERVIEW
----------------------------------------------

Three Python scripts used to generate .kml files (as used by Google® Maps)
and to extract additional information from pcap files containing game client
probes for Goldsource, SourceEngine and QuakeEngine based game servers such
as Counter-Strike, Half-Life and Enemy Territory.

-----------------------
LICENCE
-----------------------

These scripts are released under a new BSD License. For more details please
refer to the included source files.

----------------------
INFORMATION
----------------------

These Python scripts work with Python 2.6 and 2.7 (but not 3.x). They require
the following Python packages to work out of the box:

1) Pylibpcap for reading packets from pcap files (needs libpcap)
   http://pylibpcap.sourceforge.net/

2) Pygeoip for interfacing Python with MaxMind's® databases
   https://github.com/appliedsec/pygeoip

   You need a valid GeoLite City database from
   http://www.maxmind.com/app/geolitecity
   in order to perform the country code mapping.

Furthermore, the per_country_stats_15min.py script needs the following
additional program to work out of the box:

3) Quagga (http://www.quagga.net) running BGP with telnet access enabled
   Refer to the source file to see how to disable the need for Quagga.

This file is part of the animation_scripts.tar.gz tarball that can be
obtained at:
http://caia.swin.edu.au/sting/

-----------------------
USAGE
-----------------------

The scripts have to be executed in the following order. We assume you have a
single pcap file containing probes for each consecutive day.

per_country_stats_15min.py:

  ./per_country_stats_15min.py -d -f -g

This script writes one output file per input pcap file (read from ) with
the .csv extension.
The script assumes the existence of pcap files named sting-*.dump, with the
asterisk denoting an index number. Each output sting-*.csv file contains
geolocation, address, prefix and Autonomous System information in human
readable form as comma separated values. The output files are placed in the
same directory as the input files (). The information is grouped into 15
minute intervals.

The pcap files have to contain actual IPv4 UDP probes sent by the game
clients: the script only considers IPv4 packets, and only UDP packets whose
payload carries the Goldsource, SourceEngine or QuakeEngine probe headers.

The filter parameter is a tcpdump style filter expression. It can be used to
extract probes for a single game server if more than one is present, e.g.
"dst port 27016", or to drop TCP packets up front; the script skips them
anyway, but only after reading them, which slows processing down.

The script needs a GeoLite City database to work, from
http://www.maxmind.com/app/geolitecity

getbadaddr_15min.py:

  ./getbadaddr_15min.py

This script creates two files. The "badaddr.csv" file contains all addresses
of clients which are most likely driven by scripts on machines rather than by
human interaction, while the "addresslist.txt" file contains all other
addresses found in the game server probes. The script assumes the existence
of "/sting-*.csv" files in the current directory, as created by the
"per_country_stats_15min.py" script.

per_15min_kml.py:

  ./per_15min_kml.py -d -f -g -b

Extracts geolocation directly from pcap files (similar to
per_country_stats_15min.py), but writes it into .kml files which can be
uploaded to Google Maps (if they are not too big). The .kml file contains one
"Placemark" for each location found. The addresses are recorded in the
"CDATA" description field, and the city name is recorded as the "Placemark"
name. The "coordinates" tag contains the latitude, longitude and altitude.
The altitude corresponds to the number of addresses found for each location:
multiple addresses for the same location are combined in a single "Placemark"
tag and all recorded in the description. The geolocation information for the
IPv4 addresses is taken from MaxMind's GeoLite City database, which has to be
supplied via the -g parameter. The script reads in all pcap files from
which need to follow the following naming scheme; --
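The following is an added example, not code from the animation_scripts.tar.gz
tarball, that builds .kml output in the layout described above for
per_15min_kml.py: one "Placemark" per location, the client addresses in a
"CDATA" description, the city as the Placemark name, and the altitude term of
"coordinates" carrying the number of distinct addresses at that location.
It is written for Python 3 (the tarball's scripts target 2.6/2.7), and it
replaces the pcap parsing and GeoLite City lookup with a constructed list of
(timestamp, address, city, latitude, longitude) records; splitting the
records into 15 minute windows, one .kml document per window, is an assumed
reading of the script's name rather than something this README states. Note
that KML itself orders a coordinate triple as longitude,latitude,altitude.

```python
"""Added example: emit per-15-minute .kml documents with one Placemark per
geolocation, addresses in a CDATA description and altitude = address count.

Not the tarball's own code. Python 3. The pcap/GeoLite steps are replaced by
the constructed SAMPLE_RECORDS list below.
"""
from collections import OrderedDict
from xml.sax.saxutils import escape

WINDOW = 15 * 60  # seconds in one 15 minute bin

# Constructed sample records: (unix timestamp, client address, city, lat, lon).
# In the real scripts these would come from the UDP probes in sting-*.dump
# resolved against the GeoLite City database given with -g.
SAMPLE_RECORDS = [
    (1327968000, "192.0.2.10",   "Melbourne", -37.8136, 144.9631),
    (1327968100, "192.0.2.11",   "Melbourne", -37.8136, 144.9631),
    (1327968200, "198.51.100.5", "Sydney",    -33.8688, 151.2093),
    (1327968300, "192.0.2.10",   "Melbourne", -37.8136, 144.9631),  # repeat probe
    (1327968950, "203.0.113.7",  "Berlin",     52.5200,  13.4050),  # next window
]


def bin_15min(ts):
    """Start of the 15 minute window that contains unix timestamp ts."""
    return ts - (ts % WINDOW)


def group_by_location(records):
    """Collapse records into {(lat, lon): {"city": str, "addrs": [...]}}.

    Each address is listed once per location, so the altitude counts distinct
    clients rather than raw probe packets.
    """
    groups = OrderedDict()
    for _ts, addr, city, lat, lon in records:
        entry = groups.setdefault((lat, lon), {"city": city, "addrs": []})
        if addr not in entry["addrs"]:
            entry["addrs"].append(addr)
    return groups


def placemark(city, lat, lon, addrs):
    """Render one <Placemark>; the altitude term is the address count."""
    # Dotted-quad addresses can never contain the CDATA terminator "]]>",
    # so they are safe to embed verbatim; the city name is XML-escaped.
    description = "<![CDATA[" + "<br/>".join(addrs) + "]]>"
    return (
        "  <Placemark>\n"
        "    <name>%s</name>\n" % escape(city)
        + "    <description>%s</description>\n" % description
        + "    <Point><coordinates>%f,%f,%d</coordinates></Point>\n"
        % (lon, lat, len(addrs))
        + "  </Placemark>\n"
    )


def build_kml(records):
    """Return one complete KML document for the given records."""
    groups = group_by_location(records)
    body = "".join(
        placemark(e["city"], lat, lon, e["addrs"])
        for (lat, lon), e in groups.items()
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<kml xmlns="http://www.opengis.net/kml/2.2">\n<Document>\n'
        + body
        + "</Document>\n</kml>\n"
    )


def build_kml_per_window(records):
    """Return OrderedDict {window_start: kml_text}, windows in time order."""
    windows = OrderedDict()
    for rec in sorted(records, key=lambda r: r[0]):
        windows.setdefault(bin_15min(rec[0]), []).append(rec)
    return OrderedDict((start, build_kml(recs)) for start, recs in windows.items())


if __name__ == "__main__":
    for start, kml in build_kml_per_window(SAMPLE_RECORDS).items():
        # A real script would write each document to e.g. sting-<start>.kml
        print("window %d: %d placemark(s)" % (start, kml.count("<Placemark>")))
        print(kml)
```

Each window's document can be written to its own file and uploaded to Google
Maps separately, which also keeps individual files small.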