#!/usr/bin/env python3
"""Debug specific outlier around frame 1001"""
import sys

# NOTE(review): '.' is a relative entry, so it is resolved against the current
# working directory at import time, not against this script's location. Which
# `analyzer` package gets imported therefore depends on where the script is
# launched from; run it from the project root (the entry is appended, so it is
# only consulted after the paths already on sys.path).
sys.path.append('.')

from analyzer.analysis import EthernetAnalyzer
from analyzer.utils import PCAPLoader
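def debug_specific_outlier(pcap_file="1 PTPGM.pcapng", src_ip="192.168.4.89"):
    """Print the inter-arrival outliers recorded near frame 1001 for one flow.

    Loads every packet of ``pcap_file``, feeds them to an ``EthernetAnalyzer``
    (3-sigma outlier threshold, real-time mode off) and reports on the first
    flow whose source address equals ``src_ip``:

    * outliers of any frame type within 5 frames of frame 1001,
    * every ``CH10-Data`` outlier,
    * outliers whose previous frame number lies in 45..55 (around 49),
    * the ``CH10-Data`` frame numbers and timestamps next to frame 1001.

    Args:
        pcap_file: Path of the capture to analyse.
        src_ip: Source address used to select the flow to inspect.

    Returns:
        None. All findings are printed to stdout.
    """
    print("=== Debugging Specific Outlier Around Frame 1001 ===")

    analyzer = EthernetAnalyzer(enable_realtime=False, outlier_threshold_sigma=3.0)

    # The whole capture is materialised before processing (len() is taken on
    # the result), so memory use presumably grows with the capture size.
    packets = PCAPLoader(pcap_file).load_all()
    print(f"Loaded {len(packets)} packets")

    # Frame numbers are 1-based to match the numbering used in the reports below.
    # NOTE(review): _process_single_packet is a private analyzer method; confirm
    # there is no public per-packet entry point that should be used instead.
    for i, packet in enumerate(packets, 1):
        analyzer._process_single_packet(packet, i)

    analyzer.calculate_statistics()

    # Only the first flow from src_ip is inspected; later flows from the same
    # source address are ignored.
    test_flow = next(
        (flow for flow in analyzer.flows.values() if flow.src_ip == src_ip),
        None,
    )
    if not test_flow:
        print(f"❌ No flow found from {src_ip}")
        return

    print(f"\n✅ Found flow: {test_flow.src_ip}:{test_flow.src_port} → {test_flow.dst_ip}:{test_flow.dst_port}")

    target_frame = 1001
    frame_window = 5            # report outliers within this many frames of the target
    prev_low, prev_high = 45, 55  # "around 49" window for the previous-frame check

    print(f"\n=== Searching for outliers around frame {target_frame} ===")
    for frame_type, ft_stats in test_flow.frame_types.items():
        for frame_num, prev_frame_num, delta_t in _outlier_details(ft_stats):
            if abs(frame_num - target_frame) <= frame_window:
                deviation = _sigma_deviation(ft_stats, delta_t)
                print(f" {frame_type}: Frame {frame_num} (from {prev_frame_num}): {delta_t * 1000:.3f} ms ({deviation:.1f}σ)")

    # Dump the raw CH10-Data outlier list so it can be compared with the
    # filtered view above.
    print("\n=== All CH10-Data Outliers ===")
    ch10_data_stats = test_flow.frame_types.get('CH10-Data')
    if ch10_data_stats and hasattr(ch10_data_stats, 'enhanced_outlier_details'):
        # _outlier_details() maps a None attribute to an empty list, so the
        # count below cannot fail with a TypeError.
        ch10_outliers = _outlier_details(ch10_data_stats)
        print(f"Total CH10-Data outliers: {len(ch10_outliers)}")
        for i, (frame_num, prev_frame_num, delta_t) in enumerate(ch10_outliers, 1):
            deviation = _sigma_deviation(ch10_data_stats, delta_t)
            print(f" {i}. Frame {frame_num} (from {prev_frame_num}): {delta_t * 1000:.3f} ms ({deviation:.1f}σ)")

    # Rule out confusion between data sources: look for an outlier whose
    # previous frame number is around 49.
    print("\n=== Searching for any outlier with prev_frame_num around 49 ===")
    found_suspicious = False
    for frame_type, ft_stats in test_flow.frame_types.items():
        for frame_num, prev_frame_num, delta_t in _outlier_details(ft_stats):
            if prev_low <= prev_frame_num <= prev_high:
                deviation = _sigma_deviation(ft_stats, delta_t)
                print(f" {frame_type}: Frame {frame_num} (from {prev_frame_num}): {delta_t * 1000:.3f} ms ({deviation:.1f}σ)")
                found_suspicious = True

    if not found_suspicious:
        print(" No outliers found with prev_frame_num around 49")

    # Show the neighbouring CH10-Data frames so the outlier can be read in context.
    print(f"\n=== Frame sequence context around {target_frame} ===")
    if not ch10_data_stats:
        print("No CH10-Data frames recorded for this flow")
        return

    frame_numbers = ch10_data_stats.frame_numbers
    try:
        frame_index = frame_numbers.index(target_frame)
    except ValueError:
        # Say so explicitly instead of printing an empty section.
        print(f"Frame {target_frame} is not among the CH10-Data frames of this flow")
        return

    timestamps = ch10_data_stats.timestamps
    start_idx = max(0, frame_index - 2)
    end_idx = min(len(frame_numbers), frame_index + 3)

    print(f"CH10-Data frames around index {frame_index}:")
    for i in range(start_idx, end_idx):
        marker = " -> " if i == frame_index else " "
        # timestamps may be shorter than frame_numbers; fall back to a placeholder.
        ts = timestamps[i] if i < len(timestamps) else "N/A"
        print(f"{marker}[{i}] Frame {frame_numbers[i]}: {ts}")


def _sigma_deviation(stats, delta_t):
    """Return how far delta_t lies from the mean inter-arrival time, in standard deviations (0 when the deviation is not positive)."""
    if stats.std_inter_arrival > 0:
        return (delta_t - stats.avg_inter_arrival) / stats.std_inter_arrival
    return 0


def _outlier_details(stats):
    """Return the (frame, previous frame, delta_t) outlier tuples of stats, or an empty list when the attribute is missing, None or empty."""
    return getattr(stats, 'enhanced_outlier_details', None) or []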
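if __name__ == "__main__":
    # Usage: <script> [pcap_file [src_ip]]
    # Omitted arguments fall back to debug_specific_outlier's defaults; the
    # optional second argument makes the flow's source address selectable from
    # the command line. Anything past the second argument is ignored.
    debug_specific_outlier(*sys.argv[1:3])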