How to make dataset such as KDDCup99 via wireshark?

Question

I am going to make a dataset such as KDDCup99 for machine learning purposes, but I don't know how can i extract intrinsic and time-based attributes from wireshark analyzer!! KDDCup99 introduces 43 attributes (intrinsic, time-based and host-based attributes), and I am going to extract this attributes from wireshark analyzer. How can i do it?

Accepted Answer

Jaap is mostly right.

One option is to:

Use tshark to log packet data to CSV format.
Post process that dataset to produce the 'connection' and 'two-second time window' attribute sets.
Do some other logging to get 'root_shell','su_attempted', etc attributes. (In Linux: history, last/lastb and /var/log/secure may help.)

A second option, if you need KDDCup99 data fields collected in real-time is to:

download the Wireshark source code: SVN Repo
hand-code the collection and processing in real-time using *shark's pre-parsed protocol fields in C;
then print to file using CSV file format.

The following should help in producing the CSV output from tshark CLI to 'logfile.csv':

tshark 
-i <interface> 
-w logfile.pcap
-c 100
-T fields
-E header=y -E separator=, -E quote=d -E occurrence=f
-e ip.src -e ip.dst -e ip.proto -e ip.checksum -e tcp.srcport -e tcp.dstport
> logfile.csv

Use Wireshark's packet header browser/details panel to choose which attributes you want to log, then add those attributes to the -e arguments list.

KDDCUP99 description: http://www.sc.ehu.es/acwaldap/gureKddcup/README.pdf
KDDCUP99 description: http://kdd.ics.uci.edu/databases/kddcup99/task.html
Tshark Man Page: http://www.wireshark.org/docs/man-pages/tshark.html

Answer 2

1	Tshark and post process the text output? answered 03 Oct '12, 02:16 Jaap ♦ 11.7k●16●101 accept rate: 14% your comment is not clear for me! (03 Oct '12, 04:02) Bluebit