Parsing Wireshark Files Using F#
June 16, 2015 1 Comment
I went to the Research Triangle Analysts Meetup for network security, where I was exposed to Wireshark for the 1st time. One of the problems with analyzing packets is that the data comes in a variety of structures, depending on the nature of what is being captured and what level of communication is being analyzed. I decided to learn a bit about network analysis using this book:
One of the examples was analyzing Twitter Direct Messages. The interesting thing is that the contents of DMs are sent in plain text, so that is a good word to the wise.
I was thinking about how to best analyze the sample packets for the DM and I immediately thought of using F# Type Providers. You can export the data from Wireshark in a variety of formats; I chose XML for no particular reason.
After exporting the data to the file system and bringing the data in via the type provider, I then wrote a quick script to see how fast I could get to the message sent. Turns out pretty quick:
```fsharp
open System.IO
open FSharp.Data

// Path to the Wireshark XML (PDML) export; the type provider infers the schema from this file
[<Literal>]
let uri = @"C:\Users\jamie\Desktop\ChickenSoftware.PacketAnalysis.Solution\Data\twitter_dm"

type Context = XmlProvider<uri>
let data = Context.Load(uri)

// Flatten packets -> protocols -> fields, then keep only the urlencoded-form items
let protoes = data.Packets |> Seq.collect(fun p -> p.Protoes)
let fields = protoes |> Seq.collect(fun p -> p.Fields)
let content = fields |> Seq.filter(fun f -> f.Name = Some "urlencoded-form")
let values = content |> Seq.map(fun c -> c.Showname)
// The DM body shows up as a form item whose showname mentions the "text" key
let values' = values |> Seq.filter(fun v -> v.Value.Contains("text"))
values'
```
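As an added example (not the original post's code), the same packet -> proto -> field traversal done with System.Xml.Linq over a hand-constructed PDML fragment, so it runs without the type provider or a capture file. The element and attribute names follow Wireshark's PDML export; the packet contents are made up.

```fsharp
open System
open System.Xml.Linq

// Constructed sample, not a real capture: one packet carrying an HTTP POST whose
// body Wireshark decodes as an urlencoded form, laid out the way PDML exports it.
let samplePdml = """<?xml version="1.0"?>
<pdml version="0" creator="wireshark/EXAMPLE">
  <packet>
    <proto name="frame" showname="Frame 1" size="0" pos="0"/>
    <proto name="http" showname="Hypertext Transfer Protocol" size="0" pos="0">
      <field name="http.request.method" showname="Request Method: POST" show="POST"/>
    </proto>
    <proto name="urlencoded-form" showname="HTML Form URL Encoded" size="0" pos="0">
      <field name="urlencoded-form" showname="Form item: &quot;text&quot; = &quot;hello there&quot;" show="text=hello+there"/>
      <field name="urlencoded-form" showname="Form item: &quot;screen_name&quot; = &quot;someone&quot;" show="screen_name=someone"/>
    </proto>
  </packet>
</pdml>"""

let xn (s: string) = XName.Get s

/// Walk packet -> proto -> field and return (packet index, showname) for every
/// field whose name attribute equals fieldName and whose showname contains needle.
/// Fields without a name or showname attribute are skipped rather than throwing.
let findFormFields (fieldName: string) (needle: string) (pdml: string) =
    let doc = XDocument.Parse pdml
    doc.Root.Elements(xn "packet")
    |> Seq.mapi (fun i packet -> i, packet)
    |> Seq.collect (fun (i, packet) ->
        packet.Descendants(xn "field")
        |> Seq.filter (fun f ->
            let name = f.Attribute(xn "name")
            not (isNull name) && name.Value = fieldName)
        |> Seq.choose (fun f ->
            match f.Attribute(xn "showname") with
            | null -> None
            | a when a.Value.Contains needle -> Some (i, a.Value)
            | _ -> None))
    |> Seq.toList

// Same question as the type-provider script: which form items carry the "text" key?
findFormFields "urlencoded-form" "text" samplePdml
|> List.iter (fun (i, s) -> printfn "packet %d: %s" i s)
```

Pointing the same function at a real PDML export (read with `System.IO.File.ReadAllText`) shows the form bodies of every unencrypted HTTP POST in the capture, which is the plaintext exposure the post is warning about.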
So F# makes it very easy to consume the data and traverse it. I am curious how easy it will be to start applying machine learning to these files using F#. That is up next…
Pingback: F# Weekly #25, 2015 | Sergey Tihon's Blog