tyler-8 · April 13, 2020 20:36 · Apr 13, 2020 · Apr 13, 2020 · Apr 13, 2020 · Apr 13, 2020
diff --git a/parse_cflow_pcap.py b/parse_cflow_pcap.py
@@ -8,7 +8,7 @@
 )
 
 
-def parse_cflow(cflow_capture):
+def parse_cflow_packet(packet_cflow):
     """
     Given the cflow layer of a packet (packet.cflow), parse out the desired fields
     and combine them into a single dictionary.
@@ -22,20 +22,20 @@ def parse_cflow(cflow_capture):
     """
     flows = []
     for field_idx, field in enumerate(FIELDS):
-        field_exists = hasattr(cflow_capture, field)
+        field_exists = hasattr(packet_cflow, field)
         if not field_exists:
             continue
 
         # Use the first field to define the flows
         if field_idx == 0:
             for flow_number, value in enumerate(
-                getattr(cflow_capture, field).all_fields
+                getattr(packet_cflow, field).all_fields
             ):
                 flows.append({field: value.showname_value})
             continue
 
         # Add the additional metadata to their respective flows
-        for flow_number, value in enumerate(getattr(cflow_capture, field).all_fields):
+        for flow_number, value in enumerate(getattr(packet_cflow, field).all_fields):
             flows[flow_number][field] = value.showname_value
 
     return flows
@@ -46,7 +46,7 @@ def parse_cflow(cflow_capture):
 all_flows = []
 
 for packet in capture:
-    packet_flows = parse_cflow(packet.cflow)
+    packet_flows = parse_cflow_packet(packet.cflow)
     all_flows.extend(packet_flows)
 
 
@@ -57,4 +57,4 @@ def parse_cflow(cflow_capture):
     octets = int(flow["octets"])
     flow_octets[uid] += octets
 
-print(flow_octets)
+print(flow_octets)
diff --git a/parse_cflow_pcap.py b/parse_cflow_pcap.py
@@ -12,6 +12,13 @@ def parse_cflow(cflow_capture):
     """
     Given the cflow layer of a packet (packet.cflow), parse out the desired fields
     and combine them into a single dictionary.
+
+    Output will be a list of dicts like so:
+
+    [
+        {"srcaddr": "192.168.1.10", "dstaddr": "192.168.2.10", "octets": "2562"},
+        {"srcaddr": "192.168.1.10", "dstaddr": "192.168.2.10", "octets": "270"},
+    ]
     """
     flows = []
     for field_idx, field in enumerate(FIELDS):
@@ -50,4 +57,4 @@ def parse_cflow(cflow_capture):
     octets = int(flow["octets"])
     flow_octets[uid] += octets
 
-print(flow_octets)
+print(flow_octets)
diff --git a/parse_cflow_pcap.py b/parse_cflow_pcap.py
@@ -0,0 +1,53 @@
+import pyshark
+from collections import defaultdict
+
+FIELDS = (
+    "srcaddr",
+    "dstaddr",
+    "octets",
+)
+
+
+def parse_cflow(cflow_capture):
+    """
+    Given the cflow layer of a packet (packet.cflow), parse out the desired fields
+    and combine them into a single dictionary.
+    """
+    flows = []
+    for field_idx, field in enumerate(FIELDS):
+        field_exists = hasattr(cflow_capture, field)
+        if not field_exists:
+            continue
+
+        # Use the first field to define the flows
+        if field_idx == 0:
+            for flow_number, value in enumerate(
+                getattr(cflow_capture, field).all_fields
+            ):
+                flows.append({field: value.showname_value})
+            continue
+
+        # Add the additional metadata to their respective flows
+        for flow_number, value in enumerate(getattr(cflow_capture, field).all_fields):
+            flows[flow_number][field] = value.showname_value
+
+    return flows
+
+
+capture = pyshark.FileCapture("netflows.pcap")
+
+all_flows = []
+
+for packet in capture:
+    packet_flows = parse_cflow(packet.cflow)
+    all_flows.extend(packet_flows)
+
+
+# Calculate total bytes for each unique src/dest pair
+flow_octets = defaultdict(int)
+for flow in all_flows:
+    uid = flow["srcaddr"] + "-" + flow["dstaddr"]
+    octets = int(flow["octets"])
+    flow_octets[uid] += octets
+
+print(flow_octets)