Attack pcap generation steps for CAIDA trace

[divyapathak24]

• CAIDA:

-Legitimate traffic: CAIDA 2018 dirA /24 pcaps having retransmission in the range 0-15% and avg flows per window around 50

-Attack traffic: Steps used for generation: -Extract random 2% TCP flows from normal trace (0-15% retransmission) and remove these 2% flows from original normal trace -Extract a payload packet from each of the 2% flows. We treat these flows as attack flows -Create a new pcap using python3 such that a new attack flow is started every second -So, at 1st sec, we have a packet from attack flow1, at 2nd sec, we have re-transmitted packet from attack flow1 plus a packet from a new attack flow2 and so on. -Within 2 sec, we observe packets of same attack flow -- to infer that attack flows are active -Attack flows are active till the end of the experiment i.e 60 secs

Todo:

• Test on 135* pcap
• Get instance log (avg number of flows) for this pcap
• Analyze the retransmission logs

[praveenabt]

@prathyush1886 In progress

[praveenabt]

Observations:

• Approach 1: replay normal pcap ( thread 1) and replay attack pcap (thread 2) -- capture on interface
• Approach 2: If normalpkt.timestamp > x, then you inject attack packets belonging to x and x+1
• blink code is using pkt's timestamps for calculating flow duration stats