Added output that maps number of clients to SSID

tenable · Apr 2, 2020 · 0bbb049 · 0bbb049
1 parent f2687d3
commit 0bbb049
Show file tree

Hide file tree

Showing 8 changed files with 83 additions and 15 deletions.
diff --git a/pi_sniffer/pi_sniffer.conf b/pi_sniffer/pi_sniffer.conf
@@ -10,5 +10,6 @@
         <file type="kml" enabled="true" />
         <file type="client_csv" enabled="true"/>
         <file type="probe_csv" enabled="true"/>
+        <file type="ap_clients_csv" enabled="true"/>
     </output>
 </pi_sniffer>
diff --git a/pi_sniffer/src/configuration.cpp b/pi_sniffer/src/configuration.cpp
@@ -16,7 +16,8 @@ Configuration::Configuration() :
     m_wigle(false),
     m_kml(false),
     m_client_csv(false),
-    m_probe_csv(false)
+    m_probe_csv(false),
+    m_ap_clients_csv(false)
 {
 }
 
@@ -150,6 +151,14 @@ void Configuration::parse_output(const pugi::xml_node& p_output)
                 m_probe_csv = true;
             }
         }
+        else if (type.compare("ap_clients_csv") == 0)
+        {
+            std::string enabled(p_output.attribute("enabled").as_string());
+            if (enabled.compare("true") == 0)
+            {
+                m_ap_clients_csv = true;
+            }
+        }
     }
     else if (!path.empty())
     {

diff --git a/pi_sniffer/src/configuration.hpp b/pi_sniffer/src/configuration.hpp
@@ -61,6 +61,11 @@ class Configuration
         return m_probe_csv;
     }
 
+    bool get_ap_clients_csv() const
+    {
+        return m_ap_clients_csv;
+    }
+
     bool has_wep_key(const std::string& p_bssid) const;
 
     bool has_wpa_key(const std::string& p_ssid) const;
@@ -103,6 +108,9 @@ class Configuration
 
     //! indicates if we should write out the probes to a csv file
     bool m_probe_csv;
+
+    //! indicates if we should write out the ap client csv file
+    bool m_ap_clients_csv;
 };
 
 #endif
diff --git a/pi_sniffer/src/main.cpp b/pi_sniffer/src/main.cpp
@@ -85,6 +85,8 @@ namespace
         IEEE80211 link_layer;
         PCAP file_input(p_file);
         file_input.initialize();
+
+        std::cout << "Reading: " << p_file << std::endl;
         while (file_input.get_packet(p_packet))
         {
             link_layer.handle_packet(p_packet);
@@ -283,6 +285,10 @@ int main(int p_argCount, char* p_argArray[])
                 {
                     packet.write_probe_csv_output(packet.m_startTime);
                 }
+                if (packet.get_const_config().get_ap_clients_csv())
+                {
+                    packet.write_ap_clients_csv_output(packet.m_startTime);
+                }
             }
         }
 
@@ -307,6 +313,10 @@ int main(int p_argCount, char* p_argArray[])
         {
             packet.write_probe_csv_output(packet.m_startTime);
         }
+        if (packet.get_const_config().get_ap_clients_csv())
+        {
+            packet.write_ap_clients_csv_output(packet.m_startTime);
+        }
     }
     catch (const std::runtime_error& e)
     {

diff --git a/pi_sniffer/src/packet.cpp b/pi_sniffer/src/packet.cpp
@@ -233,9 +233,6 @@ void Packet::write_wigle_output(const std::string& p_time)
     char buffer[32] = {0};
     std::string time;
 
-    std::string most;
-    std::size_t count = 0;
-
     // loop over the router
     boost::upgrade_lock<boost::shared_mutex> readLock(m_router_mutex);
     for (boost::ptr_unordered_map<boost::uint64_t, AP>::iterator it = m_devices.begin();
@@ -251,12 +248,6 @@ void Packet::write_wigle_output(const std::string& p_time)
             os << it->second->get_ssid() << ",";
         }
 
-        if (it->second->get_client_count() > count && !it->second->get_ssid().empty() && it->second->get_ssid() != "<Unknown>")
-        {
-            count = it->second->get_client_count();
-            most.assign(it->second->get_ssid());
-        }
-
         if (it->second->get_encryption().find("/") != std::string::npos)
         {
             os << "[WPA-PSK][WPA2-PSK]";
@@ -287,7 +278,6 @@ void Packet::write_wigle_output(const std::string& p_time)
         os << "WIFI" << "\n";
     }
 
-    std::cout << most << ":" << count << std::endl;
     // close it
     wigle_output.close();
 }
@@ -361,6 +351,50 @@ void Packet::write_probe_csv_output(const std::string& p_time)
     client_output.close();
 }
 
+void Packet::write_ap_clients_csv_output(const std::string& p_time)
+{
+    std::string filename(m_configuration.get_output_path() + "pi_sniffer_ap_clients_" + p_time + ".csv");
+
+    // create the file
+    std::filebuf ap_clients_output;
+    ap_clients_output.open(filename, std::ios::out);
+    if (!ap_clients_output.is_open())
+    {
+        std::cerr << "Failed to write " << filename << std::endl;
+        return;
+    }
+    std::ostream os(&ap_clients_output);
+
+    // data fields
+    os << "Clients,SSID,MAC,\n";
+
+    // loop over the router
+    boost::upgrade_lock<boost::shared_mutex> readLock(m_router_mutex);
+    for (boost::ptr_unordered_map<boost::uint64_t, AP>::iterator it = m_devices.begin();
+         it != m_devices.end(); ++it)
+    {
+        if (it->second->get_mac() == "00:00:00:00:00:00")
+        {
+            continue;
+        }
+
+        os << it->second->get_client_count() << ",";
+        if (it->second->get_ssid() == "<Unknown>")
+        {
+            os << ",";
+        }
+        else
+        {
+            os << it->second->get_ssid() << ",";
+        }
+
+        os << it->second->get_mac() << std::endl;
+    }
+
+    // close it
+    ap_clients_output.close();
+}
+
 void Packet::add_probe_network(const std::string& p_network, const std::string& p_client)
 {
     if (p_network.size() < 3)

diff --git a/pi_sniffer/src/packet.hpp b/pi_sniffer/src/packet.hpp
@@ -64,6 +64,7 @@ class Packet
     void write_kml_output(const std::string& p_time);
     void write_client_csv_output(const std::string& p_time);
     void write_probe_csv_output(const std::string& p_time);
+    void write_ap_clients_csv_output(const std::string& p_time);
 
 private:
 

diff --git a/pi_sniffer/src/protocols/ieee80211.cpp b/pi_sniffer/src/protocols/ieee80211.cpp
@@ -61,15 +61,20 @@ bool IEEE80211::handle_packet(Packet& p_packet)
     return true;
 }
 
-AP* IEEE80211::get_ap(Packet& p_packet,
-                                       std::size_t p_ssid_offset)
+AP* IEEE80211::get_ap(Packet& p_packet, std::size_t p_ssid_offset, int p_depth)
 {
     boost::uint64_t bssid_mac = (*reinterpret_cast<const boost::uint64_t*>(
         p_packet.m_data + p_ssid_offset));
 
     bssid_mac = (bssid_mac >> 16);
     bssid_mac = (bssid_mac << 16);
     bssid_mac = be64toh(bssid_mac);
+
+    if (bssid_mac == 0 && p_depth == 1)
+    {
+        return get_ap(p_packet, p_ssid_offset - 6, 0);
+    }
+
     return p_packet.find_ap(bssid_mac);
 }
 
@@ -135,7 +140,7 @@ void IEEE80211::do_beacon(Packet& p_packet)
         m_pcap_out.add_packet(p_packet);
     }
 
-    AP* found = get_ap(p_packet, 14);
+    AP* found = get_ap(p_packet, 14, 1);
 
     p_packet.m_stats.increment_beacons();
 

diff --git a/pi_sniffer/src/protocols/ieee80211.hpp b/pi_sniffer/src/protocols/ieee80211.hpp
@@ -20,7 +20,7 @@ class IEEE80211
 
 private:
 
-    AP* get_ap(Packet& p_packet, std::size_t p_ssid_offset);
+    AP* get_ap(Packet& p_packet, std::size_t p_ssid_offset, int p_depth = 0);
 
     Client* get_client(Packet& p_packet, std::size_t p_src_offset, bool p_associated);