diff --git a/NIDS/columns.py b/NIDS/columns.py
new file mode 100644
index 0000000..2371cd8
--- /dev/null
+++ b/NIDS/columns.py
@@ -0,0 +1,177 @@ +Aggr_conn = ['duration', + 'local_orig', + 'local_resp', + 'missed_bytes', + 'orig_pkts', + 'orig_ip_bytes', + 'resp_pkts', + 'resp_ip_bytes', + 'orig_bytes', + 'resp_bytes', + 'has_service', + 'history_has_S', + 'history_has_h', + 'history_has_A', + 'history_has_D', + 'history_has_a', + 'history_has_d', + 'history_has_F', + 'history_has_f', + 'history_has_N', + 'is_destination_broadcast', + 'conn_state_OTH', + 'conn_state_RSTR', + 'conn_state_RSTRH', + 'conn_state_S0', + 'conn_state_S1', + 'conn_state_SF', + 'proto_icmp', + 'proto_tcp', + 'proto_udp', + 'traffic_direction_IPv6', + 'traffic_direction_internal', + 'traffic_direction_outgoing', + 'service_dns', + 'service_ntp', + 'service_other', + 'service_quic', + 'service_quic,ssl', + 'service_ssl', + 'duration_mean_60', + 'duration_min_60', + 'duration_max_60', + 'duration_std_60', + 'duration_var_60', + 'duration_cnt_60', + 'duration_sum_60', + 'missed_bytes_mean_60', + 'missed_bytes_min_60', + 'missed_bytes_max_60', + 'missed_bytes_std_60', + 'missed_bytes_var_60', + 'missed_bytes_cnt_60', + 'missed_bytes_sum_60', + 'orig_pkts_mean_60', + 'orig_pkts_min_60', + 'orig_pkts_max_60', + 'orig_pkts_std_60', + 'orig_pkts_var_60', + 'orig_pkts_cnt_60', + 'orig_pkts_sum_60', + 'orig_ip_bytes_mean_60', + 'orig_ip_bytes_min_60', + 'orig_ip_bytes_max_60', + 'orig_ip_bytes_std_60', + 'orig_ip_bytes_var_60', + 'orig_ip_bytes_cnt_60', + 'orig_ip_bytes_sum_60', + 'resp_pkts_mean_60', + 'resp_pkts_min_60', + 'resp_pkts_max_60', + 'resp_pkts_std_60', + 'resp_pkts_var_60', + 'resp_pkts_cnt_60', + 'resp_pkts_sum_60', + 'resp_ip_bytes_mean_60', + 'resp_ip_bytes_min_60', + 'resp_ip_bytes_max_60', + 'resp_ip_bytes_std_60', + 'resp_ip_bytes_var_60', + 'resp_ip_bytes_cnt_60', + 'resp_ip_bytes_sum_60', + 'local_orig_nunique_60', + 'local_orig_entropy_60', + 'local_resp_nunique_60', + 'local_resp_entropy_60', + 'duration_mean_3600', + 'duration_min_3600', + 'duration_max_3600', + 'duration_std_3600', + 
'duration_var_3600', + 'duration_cnt_3600', + 'duration_sum_3600', + 'missed_bytes_mean_3600', + 'missed_bytes_min_3600', + 'missed_bytes_max_3600', + 'missed_bytes_std_3600', + 'missed_bytes_var_3600', + 'missed_bytes_cnt_3600', + 'missed_bytes_sum_3600', + 'orig_pkts_mean_3600', + 'orig_pkts_min_3600', + 'orig_pkts_max_3600', + 'orig_pkts_std_3600', + 'orig_pkts_var_3600', + 'orig_pkts_cnt_3600', + 'orig_pkts_sum_3600', + 'orig_ip_bytes_mean_3600', + 'orig_ip_bytes_min_3600', + 'orig_ip_bytes_max_3600', + 'orig_ip_bytes_std_3600', + 'orig_ip_bytes_var_3600', + 'orig_ip_bytes_cnt_3600', + 'orig_ip_bytes_sum_3600', + 'resp_pkts_mean_3600', + 'resp_pkts_min_3600', + 'resp_pkts_max_3600', + 'resp_pkts_std_3600', + 'resp_pkts_var_3600', + 'resp_pkts_cnt_3600', + 'resp_pkts_sum_3600', + 'resp_ip_bytes_mean_3600', + 'resp_ip_bytes_min_3600', + 'resp_ip_bytes_max_3600', + 'resp_ip_bytes_std_3600', + 'resp_ip_bytes_var_3600', + 'resp_ip_bytes_cnt_3600', + 'resp_ip_bytes_sum_3600', + 'local_orig_nunique_3600', + 'local_orig_entropy_3600', + 'local_resp_nunique_3600', + 'local_resp_entropy_3600', + 'duration_mean_7200', + 'duration_min_7200', + 'duration_max_7200', + 'duration_std_7200', + 'duration_var_7200', + 'duration_cnt_7200', + 'duration_sum_7200', + 'missed_bytes_mean_7200', + 'missed_bytes_min_7200', + 'missed_bytes_max_7200', + 'missed_bytes_std_7200', + 'missed_bytes_var_7200', + 'missed_bytes_cnt_7200', + 'missed_bytes_sum_7200', + 'orig_pkts_mean_7200', + 'orig_pkts_min_7200', + 'orig_pkts_max_7200', + 'orig_pkts_std_7200', + 'orig_pkts_var_7200', + 'orig_pkts_cnt_7200', + 'orig_pkts_sum_7200', + 'orig_ip_bytes_mean_7200', + 'orig_ip_bytes_min_7200', + 'orig_ip_bytes_max_7200', + 'orig_ip_bytes_std_7200', + 'orig_ip_bytes_var_7200', + 'orig_ip_bytes_cnt_7200', + 'orig_ip_bytes_sum_7200', + 'resp_pkts_mean_7200', + 'resp_pkts_min_7200', + 'resp_pkts_max_7200', + 'resp_pkts_std_7200', + 'resp_pkts_var_7200', + 'resp_pkts_cnt_7200', + 'resp_pkts_sum_7200', + 
'resp_ip_bytes_mean_7200', + 'resp_ip_bytes_min_7200', + 'resp_ip_bytes_max_7200', + 'resp_ip_bytes_std_7200', + 'resp_ip_bytes_var_7200', + 'resp_ip_bytes_cnt_7200', + 'resp_ip_bytes_sum_7200', + 'local_orig_nunique_7200', + 'local_orig_entropy_7200', + 'local_resp_nunique_7200', + 'local_resp_entropy_7200'] \ No newline at end of file diff --git a/NIDS/utils.py b/NIDS/utils.py index b3e71e1..0584174 100644 --- a/NIDS/utils.py +++ b/NIDS/utils.py @@ -19,6 +19,7 @@ import json import logging import ipaddress +from scipy.stats import entropy # TODO: is there a better way to handle multi-file logging aside from spamming these everywhere? logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(name)s - %(levelname)s - %(message)s (%(filename)s)') @@ -48,8 +49,6 @@ def preprocess_json_conn(json_batch): Note: the input is only one unzipped json file. """ - # features = ['id.orig_h', "id.resp_h", "proto", "conn_state", "missed_bytes", - # "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes"] features = ["id.orig_h", "id.resp_h", "proto", "service", "duration", "conn_state", "local_orig","local_resp","missed_bytes","history", "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes"] @@ -67,8 +66,7 @@ def preprocess_json_conn(json_batch): new_df = pd.DataFrame(data_list, columns=features) #Fill NaNs with 0s : duration, orig_bytes resp_bytes, if there are no columns, create one and fill with 0s new_df = fill_na(new_df) - # # Drop unnecessary columns - # new_df = drop_columns(new_df, ['ts','uid','local_orig', 'local_resp']) + # create history, broadcast, traffic_direction variables new_df = create_history_variable(new_df) new_df = create_broadcast_variable(new_df) 
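Review bot: `Aggr_conn` in the new `columns.py` is narrower than the column list `preprocess_json_conn` uses on this page: it has no `conn_state_REJ`, `conn_state_RSTO`, `conn_state_SH`/`conn_state_SHR`, no `service_http`/`service_ssh`/`service_dhcp`, and no `traffic_direction_incoming`/`traffic_direction_external`. Because `makedf_samecol` returns `new_df[cols]`, those one-hot columns are dropped silently. For an IDS that means rejected or half-open connections and inbound traffic reach the model with all-zero state and direction vectors; the list looks captured from one sample rather than from the full value space. It also carries `has_service`, `orig_bytes` and `resp_bytes`, which `preprocess_json_conn_agg` never reads from the record, so as far as this page shows they are constant zero. A comment above the list saying how it was derived would help, e.g. `# Feature order fed to the model; regenerate and retrain if this changes.`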
@@ -88,12 +86,68 @@ def preprocess_json_conn(json_batch): 'service_other', 'service_ssh','service_ssl', 'traffic_direction_external','traffic_direction_incoming', 'traffic_direction_internal','traffic_direction_outgoing', - "local_orig","local_resp","missed_bytes","orig_pkts","orig_ip_bytes","resp_pkts","resp_ip_bytes"] + "duration","local_orig","local_resp","missed_bytes","orig_pkts","orig_ip_bytes","resp_pkts","resp_ip_bytes"] new_df = makedf_samecol(cols, new_df) # Convert DataFrame to NumPy array np_arr = new_df.to_numpy(dtype=np.float32) return np_arr +from columns import Aggr_conn +def preprocess_json_conn_agg(json_batch): + """ + This function receives a json batch from the main control flow of the train + functions. It should convert the conn.log of the json_batch to a numpy 2D array, apply necessary transformations, + then return it. + + Note: the input is only one unzipped json file. + """ + features = ["ts","uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", + "proto", "service", "duration", "conn_state", "local_orig","local_resp", + "missed_bytes","history", "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes"] + #TODO: add features: duration, local_orig, local_resp + data_list = [] + for line in json_batch.splitlines(): + # log_entry is now a single json log from the file + log_entry = json.loads(line.strip()) + # data_list.append([log_entry[feature] for feature in features]) + # Check if each feature is present in the log_entry + feature_values = [log_entry.get(feature, None) for feature in features] + data_list.append(feature_values) + + #TODO: optimize the code via removing pandas + df = pd.DataFrame(data_list, columns=features) + + #fill Nans with 0s : duration, orig_bytes resp_bytes + df = fill_na(df) + # create history, broadcast, traffic_direction variables + df = create_history_variable(df) + df = create_broadcast_variable(df) + df = create_direction_variable(df) + + # one hot encode categorical variables + column_name = 
['conn_state', "proto", "traffic_direction" , "service"] + df = one_hot_encode(df, column_name) + + # Convert the boolean values in columns "local_orig" and "local_resp" to 1 and 0s + df['local_orig'] = df['local_orig'].astype(int) + df['local_resp'] = df['local_resp'].astype(int) + + #Compute Aggregated Features + windows = [60,3600,7200] #seconds + grp = ['id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p'] + aggr_feature_num = ['duration', 'missed_bytes', 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'] + aggr_feature_cat = ['local_orig', 'local_resp'] + for window in windows: + for feature in aggr_feature_num: + df = calculate_agg_feature_num(df, feature, window) + for feature in aggr_feature_cat: + df = calculate_agg_feature_cat(df, feature, window) + cols = Aggr_conn + # make sure the columns are the same + df = makedf_samecol(cols, df) + # Convert DataFrame to NumPy array + np_arr = df.to_numpy(dtype=np.float32) + return np_arr def preprocess_json_dns(json_batch): """ @@ -215,8 +269,8 @@ def preprocess_json_ssh(json_batch): Note: the input is only one unzipped json file. """ - features = ['id.orig_h', 'id.resp_h','trans_depth','method','host','version', - 'request_body_len','response_body_len','status_code'] + features = ['id.orig_h', 'id.resp_h','version','auth_success','auth_attempts', + 'direction','version','traffic_direction'] data_list = [] for line in json_batch.splitlines(): 
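Review bot: In `preprocess_json_conn_agg`, `df['local_orig'].astype(int)` and `df['local_resp'].astype(int)` will raise on any record that lacks those keys, because `log_entry.get(feature, None)` puts `None` in the column and the `fill_na` shown elsewhere on this page only fills `duration`, `orig_bytes`, `resp_bytes` and `service` (the copy in utils.py is outside this hunk, so confirm). One such record, or a blank line reaching `json.loads`, aborts the whole batch, which for an IDS means that batch is never scored. Filling first, e.g. `df[['local_orig', 'local_resp']] = df[['local_orig', 'local_resp']].fillna(False).astype(int)`, keeps it flowing. The local `grp` list is assigned but never used here, and `from columns import Aggr_conn` sits between two function definitions and resolves only when `NIDS/` itself is on `sys.path`; it would read better with the other imports at the top of the file.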
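Review bot: The new `features` list in `preprocess_json_ssh` names `'version'` twice, so if the frame is built as in the conn variants (`pd.DataFrame(data_list, columns=features)`; the rest of the body is outside this hunk) it carries two identically named columns and `df['version']` returns a DataFrame rather than a Series. `'traffic_direction'` also looks like a column derived later rather than a key of the log record, so a per-record lookup would always come back empty for it; worth confirming against a real ssh.log line. Suggest `features = ['id.orig_h', 'id.resp_h', 'version', 'auth_success', 'auth_attempts', 'direction']` and deriving the traffic direction afterwards from the two addresses.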
@@ -523,6 +577,60 @@ def get_raw_conn(json_data_file): return df +def calculate_agg_feature_num(df, agg_feature, window_size): + """ + This function adds a new column "{agg_feature}_{either mean, min, max, std, or var}" to the DataFrame. + This column contains the aggregated features (mean/min/max/std/var/count/sum) of network flows within the past {window_size} seconds + for each group with the same ['id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p']. + + Args: + df: The pandas DataFrame containing network flow data. + window_size: Size of the window for calculating the average (default: 5000 seconds). + + Returns: + A new DataFrame with the added aggregated feautre columns. + """ + # Convert timestamp to datetime + # df['ts'] = datetime.fromtimestamp(df['ts']) #assumes timestamps are in the local machine's timezone. not suggested + df['ts'] = pd.to_datetime(df['ts'], unit='s') + df = df.set_index('ts') + # Calculate the aggregated feature for each group + # to avoid NaN values, calculate the population standard deviation, specified with std(ddof=0) + grp = ['id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p'] + df[f'{agg_feature}_mean_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).mean()) + df[f'{agg_feature}_min_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).min()) + df[f'{agg_feature}_max_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).max()) + df[f'{agg_feature}_std_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).std(ddof=0)) + df[f'{agg_feature}_var_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).var(ddof=0)) + df[f'{agg_feature}_cnt_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: 
x.rolling(f'{window_size}s', min_periods=1).count()) + df[f'{agg_feature}_sum_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).sum()) + + return df.reset_index() + +#For feature such as local_orig , port,... numerical but can be treated as categorical +def calculate_agg_feature_cat(df, agg_feature, window_size): + """ + This function adds a new column "{agg_feature}_{either nunique or entropy}" to the DataFrame. + This column contains the aggregated features (nunique/entropy) of network flows within the past {window_size} seconds + for each group with the same ['id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p']. + + Args: + df: The pandas DataFrame containing network flow data. + window_size: Size of the window for calculating the average (default: 5000 seconds). + + Returns: + A new DataFrame with the added aggregated feautre columns. + """ + # Convert timestamp to datetime + # df['ts'] = datetime.fromtimestamp(df['ts']) #assumes timestamps are in the local machine's timezone. not suggested + df['ts'] = pd.to_datetime(df['ts'], unit='s') + df = df.set_index('ts') + grp = ['id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p'] + df[f'{agg_feature}_nunique_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).apply(lambda x: x.unique().shape[0])) + df[f'{agg_feature}_entropy_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).apply(lambda x: entropy(x.value_counts()))) + return df.reset_index() + + #------------------Online Normalization------------------# #TODO: def online_normalization(new_df): # can be skipped for now, since kitnet has its own normalization. diff --git a/NIDS/zoe_eda.ipynb b/NIDS/zoe_eda.ipynb index f01be10..09ba2ba 100644 --- a/NIDS/zoe_eda.ipynb +++ b/NIDS/zoe_eda.ipynb 
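Review bot: `x.rolling(f'{window_size}s', min_periods=1)` in both `calculate_agg_feature_num` and `calculate_agg_feature_cat` needs a monotonic `ts` index inside every group, and neither function sorts the frame; conn.log entries are written when a connection ends while `ts` records when it started, so out-of-order timestamps are normal and pandas raises `ValueError` on them. Sorting before indexing, `df = df.sort_values('ts').set_index('ts')`, avoids that, but it changes the row order of the returned frame, so check anything that aligns rows with the input. Grouping on all of `['id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p']` also keys each window on the ephemeral source port, so repeated connections from one host fall into separate groups and the `_cnt_`/`_std_` columns stay near their single-row values. `local_orig` and `local_resp` presumably cannot vary within a group keyed on both hosts, which would make the `_nunique_`/`_entropy_` columns constant; grouping on the host pair or the source host would let the windows carry signal. Both docstrings mention a default of 5000 seconds that the signature does not have and leave `agg_feature` undocumented.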
@@ -2,7 +2,7 @@ "cells": [ { "cell_type": "code", - "execution_count": 8, + "execution_count": 2, "metadata": {}, "outputs": [], "source": [ @@ -16,7 +16,7 @@ }, { "cell_type": "code", - "execution_count": 9, + "execution_count": 3, "metadata": {}, "outputs": [], "source": [ @@ -71,7 +71,7 @@ }, { "cell_type": "code", - "execution_count": 10, + "execution_count": 137, "metadata": {}, "outputs": [], "source": [ @@ -90,7 +90,7 @@ }, { "cell_type": "code", - "execution_count": 16, + "execution_count": 138, "metadata": {}, "outputs": [ { @@ -175,7 +175,7 @@ }, { "cell_type": "code", - "execution_count": 32, + "execution_count": 139, "metadata": {}, "outputs": [], "source": [ @@ -195,7 +195,7 @@ }, { "cell_type": "code", - "execution_count": 33, + "execution_count": 140, "metadata": {}, "outputs": [ { @@ -471,7 +471,7 @@ "[65 rows x 14 columns]" ] }, - "execution_count": 33, + "execution_count": 140, "metadata": {}, "output_type": "execute_result" } @@ -482,7 +482,7 @@ }, { "cell_type": "code", - "execution_count": 34, + "execution_count": 141, "metadata": {}, "outputs": [ { @@ -491,7 +491,7 @@ "dict_keys(['ts', 'uid', 'id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p', 'proto', 'duration', 'orig_bytes', 'resp_bytes', 'conn_state', 'local_orig', 'local_resp', 'missed_bytes', 'history', 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'])" ] }, - "execution_count": 34, + "execution_count": 141, "metadata": {}, "output_type": "execute_result" } @@ -504,12 +504,12 @@ "cell_type": "markdown", "metadata": {}, "source": [ - "#### Get raw data for Olive" + "#### utils" ] }, { "cell_type": "code", - "execution_count": 35, + "execution_count": 38, "metadata": {}, "outputs": [], "source": [ 
@@ -595,12 +595,58 @@ " for col in cols:\n", " if col not in new_df.columns:\n", " new_df[col] = 0\n", - " return new_df[cols]" + " return new_df[cols]\n", + "\n", + "def create_history_variable(new_df):\n", + " # break out history variable\n", + " \n", + " if 'history' not in new_df.columns: \n", + " new_df['history'] = 'N' \n", + "\n", + " #fill NaNs with 'N'\n", + " new_df['history'] = new_df['history'].fillna('N') \n", + " new_df['history_has_S'] = new_df['history'].apply(lambda x: 1 if \"S\" in x else 0)\n", + " new_df['history_has_h'] = new_df['history'].apply(lambda x: 1 if \"h\" in x else 0)\n", + " new_df['history_has_A'] = new_df['history'].apply(lambda x: 1 if \"A\" in x else 0)\n", + " new_df['history_has_D'] = new_df['history'].apply(lambda x: 1 if \"D\" in x else 0)\n", + " new_df['history_has_a'] = new_df['history'].apply(lambda x: 1 if \"a\" in x else 0)\n", + " new_df['history_has_d'] = new_df['history'].apply(lambda x: 1 if \"d\" in x else 0)\n", + " new_df['history_has_F'] = new_df['history'].apply(lambda x: 1 if \"F\" in x else 0)\n", + " new_df['history_has_f'] = new_df['history'].apply(lambda x: 1 if \"f\" in x else 0)\n", + " new_df['history_has_N'] = new_df['history'].apply(lambda x: 1 if \"N\" in x else 0)\n", + " new_df = new_df.drop(columns='history')\n", + " return new_df \n", + "\n", + "def fill_na(new_df):\n", + " \n", + " #Fill Nans with 0s : duration, orig_bytes resp_bytes\n", + " # Specify the columns you want to fill with zeros\n", + " columns_to_fill_with_zeros = ['duration', 'orig_bytes', 'resp_bytes']\n", + " # Check if columns exist; if not, create and fill with zeros\n", + " for col in columns_to_fill_with_zeros:\n", + " if col not in new_df.columns:\n", + " new_df[col] = 0\n", + " new_df[columns_to_fill_with_zeros] = new_df[columns_to_fill_with_zeros].fillna(0)\n", + " \n", + " #Fill Nans with 'Other' : service\n", + " columns_to_fill_with_other = ['service']\n", + " if 'service' in new_df.columns:\n", + " # 
new_df['service'].fillna('other', inplace=True)\n", + " new_df['service'] = new_df['service'].fillna('other')\n", + " \n", + " return new_df" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "#### Get raw data for Olive" ] }, { "cell_type": "code", - "execution_count": 43, + "execution_count": 39, "metadata": {}, "outputs": [], "source": [ @@ -628,7 +674,7 @@ }, { "cell_type": "code", - "execution_count": 44, + "execution_count": 40, "metadata": {}, "outputs": [], "source": [ @@ -637,7 +683,7 @@ }, { "cell_type": "code", - "execution_count": 45, + "execution_count": 41, "metadata": {}, "outputs": [ { @@ -937,7 +983,7 @@ "[65 rows x 16 columns]" ] }, - "execution_count": 45, + "execution_count": 41, "metadata": {}, "output_type": "execute_result" } @@ -948,7 +994,7 @@ }, { "cell_type": "code", - "execution_count": 46, + "execution_count": 42, "metadata": {}, "outputs": [ { @@ -992,640 +1038,2872 @@ " df[f'has_{feature}'] = df[feature].notnull().astype(int)\n" ] }, + { + "cell_type": "code", + "execution_count": 43, + "metadata": {}, + "outputs": [], + "source": [ + "has_null = ['service']\n", + "# Create a variable to track if the feature contains null. Create a column \"has_null_featurename\"\n", + "for feature in has_null: \n", + " df[f'has_{feature}'] = df[feature].notnull().astype(int)\n", + "df['service'] = df['service'].replace({False: 0, True: 1})" + ] + }, + { + "cell_type": "code", + "execution_count": 44, + "metadata": {}, + "outputs": [ + { + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
servicehas_service
0dns1
1dns1
2None0
3dns1
4dns1
.........
60ssl1
61ssl1
62ssl1
63ssl1
64None0
\n", + "

65 rows × 2 columns

\n", + "
" + ], + "text/plain": [ + " service has_service\n", + "0 dns 1\n", + "1 dns 1\n", + "2 None 0\n", + "3 dns 1\n", + "4 dns 1\n", + ".. ... ...\n", + "60 ssl 1\n", + "61 ssl 1\n", + "62 ssl 1\n", + "63 ssl 1\n", + "64 None 0\n", + "\n", + "[65 rows x 2 columns]" + ] + }, + "execution_count": 44, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "df[['service','has_service']]" + ] + }, { "cell_type": "markdown", "metadata": {}, "source": [ - "### Get data for conn for kitnet\n" + "### Get data for conn for kitnet (w/o aggregation)\n" ] }, { "cell_type": "code", - "execution_count": 22, + "execution_count": 533, "metadata": {}, "outputs": [], "source": [ - "#preprocess functions \n", - "def is_private_ip(ip_str):\n", - " \"\"\"\n", - " Takes an IP string and returns whether the IP is private or not per RFC 1918.\n", - "\n", - " Parameters\n", - " ----------\n", - " ip_str: str\n", - " String of an IP address.\n", - "\n", - " Returns\n", - " -------\n", - " bool: a bool of whether or not the IP is private. \n", + "def preprocess_json_conn(json_batch):\n", " \"\"\"\n", - " octets = [int(x) for x in ip_str.split(\".\")]\n", - " if octets[0] == 10 \\\n", - " or (octets[0] == 172 and 16 <= octets[1] <= 31) \\\n", - " or (octets[0] == 192 and octets[1] == 168):\n", - " return True\n", - " else:\n", - " return False\n", - "\n", - "def get_traffic_direction(source_ip, destination_ip):\n", - " \"\"\"\n", - " Takes a source and destination IP address and returns the direction of the traffic.\n", - " Please ensure the source and destination are correct as this is useless without the verification of the parameters.\n", + " This function receives a json batch from the main control flow of the train \n", + " functions. It should convert the conn.log of the json_batch to a numpy 2D array, apply necessary transformations,\n", + " then return it. 
\n", "\n", - " Parameters\n", - " ----------\n", - " source_ip: str\n", - " Source IP address of the flow.\n", - " destination_ip: str\n", - " Destination IP address of the flow.\n", - " \n", - " Returns\n", - " -------\n", - " str: string indicating the direction. Can be 'internal', 'outgoing', 'incoming' or 'external'.\n", + " Note: the input is only one unzipped json file. \n", " \"\"\"\n", - " if is_private_ip(source_ip) and is_private_ip(destination_ip):\n", - " return \"internal\"\n", - " elif is_private_ip(source_ip) and not is_private_ip(destination_ip):\n", - " return \"outgoing\"\n", - " elif not is_private_ip(source_ip) and is_private_ip(destination_ip):\n", - " return \"incoming\"\n", - " else:\n", - " return \"external\"\n", - " \n", - "def create_history_variable(new_df):\n", - " # break out history variable\n", - " \n", - " #fill NaNs with 'N'\n", - " # new_df['history'] = new_df['history'].fillna('N') \n", - " if 'history' not in new_df.columns:\n", - " new_df['history'] = 'N'\n", - "\n", - " new_df['history_has_S'] = new_df['history'].apply(lambda x: 1 if \"S\" in x else 0)\n", - " new_df['history_has_h'] = new_df['history'].apply(lambda x: 1 if \"h\" in x else 0)\n", - " new_df['history_has_A'] = new_df['history'].apply(lambda x: 1 if \"A\" in x else 0)\n", - " new_df['history_has_D'] = new_df['history'].apply(lambda x: 1 if \"D\" in x else 0)\n", - " new_df['history_has_a'] = new_df['history'].apply(lambda x: 1 if \"a\" in x else 0)\n", - " new_df['history_has_d'] = new_df['history'].apply(lambda x: 1 if \"d\" in x else 0)\n", - " new_df['history_has_F'] = new_df['history'].apply(lambda x: 1 if \"F\" in x else 0)\n", - " new_df['history_has_f'] = new_df['history'].apply(lambda x: 1 if \"f\" in x else 0)\n", - " new_df['history_has_N'] = new_df['history'].apply(lambda x: 1 if \"N\" in x else 0)\n", - " new_df = new_df.drop(columns='history')\n", - "\n", - " if 'id.orig_h'in new_df.columns:\n", - " new_df = 
new_df[new_df['id.orig_h'].str.contains(\"::\") == False]\n", - " return new_df \n", - "\n", - "def create_broadcast_variable(new_df):\n", - " # create broadcast variable\n", - " #255 is the broadcast address for ipv4(#TODO : ask Diego)\n", - " if 'id.resp_h' in new_df.columns:\n", - " new_df['is_destination_broadcast'] = new_df['id.resp_h'].apply(lambda x: 1 if \"255\" in x[-3:] else 0) \n", - " return new_df\n", - "\n", - "def create_direction_variable(new_df):\n", - " #create traffic direction variable\n", - " if 'traffic_direction' in new_df.columns:\n", - " new_df['traffic_direction'] = new_df.apply(lambda x: get_traffic_direction(x['id.orig_h'], x['id.resp_h']), axis=1) \n", - " return new_df\n", - "\n", - "def one_hot_encode(df, column_name):\n", - " new_df = pd.get_dummies(data=df, columns=column_name)\n", - " return new_df\n", - "\n", - "def duration_to_numerical(new_df):\n", - " # Convert duration to string\n", - " new_df['duration'] = new_df['duration'].astype(str)\n", - " # Extract the time portion (HH:MM:SS.mmmmmm) from the 'duration' column\n", - " new_df['duration'] = new_df['duration'].str.extract(r'\\d days (.*)')\n", - " # Convert the time portion to a numerical format (float)\n", - " new_df['duration'] = pd.to_timedelta(new_df['duration']).dt.total_seconds()\n", - " return new_df \n", - "\n", - "def drop_columns(new_df, columns_to_drop):\n", - " columns_to_drop_existing = [col for col in columns_to_drop if col in new_df.columns]\n", - " new_df.drop(columns=columns_to_drop_existing, axis=1, inplace=True)\n", - " return new_df\n", - "\n", - "\n", - "#TODO: create a function that takes in a dataframe and perform the preprocessing steps on it\n", - "def preprocess(new_df):\n", - " \n", - " # Drop unnecessary columns \n", - " columns_to_drop = ['ts','uid','local_orig', 'local_resp']\n", - " new_df.drop(columns_to_drop, axis=1, inplace=True)\n", - "\n", + " features = [\"id.orig_h\", \"id.resp_h\", \"proto\", \"service\", \"duration\", \"conn_state\", 
\n", + " \"local_orig\",\"local_resp\",\"missed_bytes\",\"history\", \n", + " \"orig_pkts\", \"orig_ip_bytes\", \"resp_pkts\", \"resp_ip_bytes\"]\n", + " #TODO: add features: duration, local_orig, local_resp \n", + " data_list = []\n", + " for line in json_batch.splitlines():\n", + " # log_entry is now a single json log from the file \n", + " log_entry = json.loads(line.strip())\n", + " # data_list.append([log_entry[feature] for feature in features])\n", + " # Check if each feature is present in the log_entry\n", + " feature_values = [log_entry.get(feature, None) for feature in features]\n", + " data_list.append(feature_values)\n", + " #Re-use the preprocess function from last sem by Zoe. \n", + " #TODO: optimize the code via removing pandas\n", + " new_df = pd.DataFrame(data_list, columns=features) \n", + " #Fill NaNs with 0s : duration, orig_bytes resp_bytes, if there are no columns, create one and fill with 0s \n", + " new_df = fill_na(new_df) \n", " # create history, broadcast, traffic_direction variables\n", " new_df = create_history_variable(new_df)\n", " new_df = create_broadcast_variable(new_df)\n", " new_df = create_direction_variable(new_df)\n", - "\n", " # one hot encode categorical variables\n", - " #TODO : discuss with Diego, if there's a better way to do this. since, input dataset may have different conn state, that means the columns would be different. 
\n", " column_name = ['conn_state', \"proto\", \"traffic_direction\" , \"service\"]\n", - " for col in column_name:\n", - " if col in new_df.columns:\n", - " new_df = one_hot_encode(new_df, [col])\n", - " new_df = new_df.drop(columns=['id.orig_h', 'id.resp_h'])\n", - "\n", - " return new_df\n", - "\n", - "\n", - "def fill_na(new_df):\n", - " \n", - " #Fill Nans with 0s : duration, orig_bytes resp_bytes\n", - " # Specify the columns you want to fill with zeros\n", - " columns_to_fill_with_zeros = ['duration', 'orig_bytes', 'resp_bytes']\n", - " # Check if columns exist; if not, create and fill with zeros\n", - " for col in columns_to_fill_with_zeros:\n", - " if col not in new_df.columns:\n", - " new_df[col] = 0\n", - " new_df[columns_to_fill_with_zeros] = new_df[columns_to_fill_with_zeros].fillna(0)\n", - " \n", - "\n", - " #Fill Nans with 'Other' : service\n", - " columns_to_fill_with_other = ['service']\n", - " if 'service' in new_df.columns:\n", - " # new_df['service'].fillna('other', inplace=True)\n", - " new_df['service'] = new_df['service'].fillna('other')\n", - " \n", - " return new_df\n", - "\n", - "def makedf_samecol(new_df):\n", - " #Create these columns if they are not present in the original df and fill them with 0s. \n", - " # Ensure that all the specified columns are present even if they are not present in the original df. 
\n", + " new_df = one_hot_encode(new_df, column_name)\n", + " # Convert the boolean values in columns \"local_orig\" and \"local_resp\" to 1 and 0s\n", + " new_df['local_orig'] = new_df['local_orig'].astype(int)\n", + " new_df['local_resp'] = new_df['local_resp'].astype(int)\n", + " # make sure the columns are the same as the original df\n", + " #TODO: to be confirmed once HSRN EDA is done\n", " cols = ['conn_state_OTH', 'conn_state_REJ','conn_state_RSTO', 'conn_state_RSTOS0', 'conn_state_RSTR','conn_state_RSTRH', \n", " 'conn_state_S0', 'conn_state_S1', 'conn_state_S2','conn_state_S3', 'conn_state_SF', 'conn_state_SH', 'conn_state_SHR',\n", - " 'proto_tcp', 'proto_udp',\n", + " 'proto_tcp', 'proto_udp', \n", " 'service_dhcp', 'service_dns','service_http', 'service_irc','service_ntp',\n", " 'service_other', 'service_ssh','service_ssl',\n", " 'traffic_direction_external','traffic_direction_incoming', \n", - " 'traffic_direction_internal','traffic_direction_outgoing']\n", - " for col in cols:\n", - " if col not in new_df.columns:\n", - " new_df[col] = 0\n", - " return new_df\n" - ] - }, - { - "cell_type": "code", - "execution_count": 59, - "metadata": {}, - "outputs": [], - "source": [ - "def preprocess_json(json_batch):\n", - " \"\"\"\n", - " This function receives a json batch from the main control flow of the train \n", - " functions. It should convert the json_batch to a numpy 2D array, apply necessary transformations,\n", - " then return it. \n", - "\n", - " Note: the input is only one unzipped json file. 
\n", - " \"\"\"\n", - " # TODO: add the featureset here \n", - " # TODO: should we move this feature set somewhere else?\n", - " features = ['id.orig_p', \"id.resp_p\", \"proto\", \"conn_state\", \"missed_bytes\",\n", - " \"orig_pkts\", \"orig_ip_bytes\", \"resp_pkts\", \"resp_ip_bytes\"]\n", - " # add the following features ['duration', 'history']\n", - " # TODO: @olive please run the script as is, it should work.\n", - " # However, some log records in json do not have duration or history fields.\n", - " # Please catch this error, and if there is no duration, add a duration of 0 to the record. \n", - " # If there is no history, add a history, with the value \"N\"\n", - " data_list = []\n", - " for line in json_batch.splitlines():\n", - " # log_entry is now a single json log from the file\n", - " log_entry = json.loads(line.strip())\n", - " data_list.append([log_entry[feature] for feature in features])\n", - " # np_arr = np.array(data_list)\n", - " \n", - " # TODO: apply transformations based on last semesters work\n", - " #Re-use the preprocess function from last sem by Zoe. 
\n", - " #TODO: optimize the code via removing pandas\n", - " new_df = pd.DataFrame(data_list, columns=features) \n", - " #Fill NaNs with 0s : duration, orig_bytes resp_bytes, if there are no columns, create one and fill with 0s \n", - " new_df = fill_na(new_df) \n", - " # Drop unnecessary columns \n", - " new_df = drop_columns(new_df, ['ts','uid','local_orig', 'local_resp'])\n", - " \n", - " # create history, broadcast, traffic_direction variables\n", - " new_df = create_history_variable(new_df)\n", - " new_df = create_broadcast_variable(new_df)\n", - " new_df = create_direction_variable(new_df)\n", - "\n", - " # one hot encode categorical variables\n", - " column_name = ['conn_state', \"proto\", \"traffic_direction\" , \"service\"]\n", - " for col in column_name:\n", - " if col in new_df.columns:\n", - " new_df = one_hot_encode(new_df, [col])\n", - " # new_df = new_df.drop(columns=['id.orig_h', 'id.resp_h'])\n", - "\n", - " new_df = drop_columns(new_df, ['id.orig_h', 'id.resp_h'])\n", - "\n", - " # make sure the columns are the same as the original df\n", - " new_df = makedf_samecol(new_df)\n", - " # new_df = new_df.drop(columns=['orig_l2_addr','resp_l2_addr'])\n", - " new_df = drop_columns(new_df, ['orig_l2_addr','resp_l2_addr'])\n", - "\n", + " 'traffic_direction_internal','traffic_direction_outgoing',\n", + " \"duration\",\"local_orig\",\"local_resp\",\"missed_bytes\",\"orig_pkts\",\"orig_ip_bytes\",\"resp_pkts\",\"resp_ip_bytes\"]\n", + " new_df = makedf_samecol(cols, new_df)\n", " # Convert DataFrame to NumPy array\n", - " np_arr = new_df.to_numpy()# np_arr is now a numpy 2D array\n", - " \n", - " logging.info(\"Hello from preprocess_json. 
Please implement me :)\")\n", + " np_arr = new_df.to_numpy(dtype=np.float32)\n", " return np_arr" ] }, { "cell_type": "code", - "execution_count": 60, + "execution_count": 534, "metadata": {}, "outputs": [ { - "name": "stdout", - "output_type": "stream", - "text": [ - "/usr/local/logs/2024-02-12/conn.07:09:20-08:00:00.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[63393 5228 0 ... 0 0 0]\n", - " [64457 53 0 ... 0 0 0]\n", - " [53988 53 0 ... 0 0 0]\n", - " ...\n", - " [56459 53 0 ... 0 0 0]\n", - " [54084 53 0 ... 0 0 0]\n", - " [60681 53 0 ... 0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.05:13:22-06:02:53.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[59403 137 0 ... 0 0 0]\n", - " [35489 137 0 ... 0 0 0]\n", - " [44385 5353 0 ... 0 0 0]\n", - " ...\n", - " [57294 5353 0 ... 0 0 0]\n", - " [42608 5353 0 ... 0 0 0]\n", - " [63333 443 0 ... 0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.09:00:00-10:00:00.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[56300 20002 0 ... 0 0 0]\n", - " [53603 443 0 ... 0 0 0]\n", - " [50950 53 0 ... 0 0 0]\n", - " ...\n", - " [35138 5353 0 ... 0 0 0]\n", - " [33194 5353 0 ... 0 0 0]\n", - " [47765 5353 0 ... 0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.04:07:18-05:13:22.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[63050 80 0 ... 0 0 0]\n", - " [63051 443 0 ... 0 0 0]\n", - " [63006 443 0 ... 0 0 0]\n", - " ...\n", - " [57733 53 0 ... 0 0 0]\n", - " [62023 53 0 ... 
0 0 0]\n", - " [53724 53 0 ... 0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.03:01:30-04:07:18.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[62862 80 0 ... 0 0 0]\n", - " [62865 443 0 ... 0 0 0]\n", - " [62866 443 0 ... 0 0 0]\n", - " ...\n", - " [63043 443 0 ... 0 0 0]\n", - " [62999 443 0 ... 0 0 0]\n", - " [63049 443 0 ... 0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.11:01:06-12:01:08.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[64634 53 0 ... 0 0 0]\n", - " [37278 5353 0 ... 0 0 0]\n", - " [48796 5353 0 ... 0 0 0]\n", - " ...\n", - " [51378 443 0 ... 0 0 0]\n", - " [47573 5353 0 ... 0 0 0]\n", - " [36679 5353 0 ... 0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.01:03:07-02:00:00.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[64471 53 0 ... 0 0 0]\n", - " [ 5353 5353 0 ... 0 0 0]\n", - " [ 5353 5353 0 ... 0 0 0]\n", - " ...\n", - " [63904 53 0 ... 0 0 0]\n", - " [52184 443 0 ... 0 0 0]\n", - " [55361 53 0 ... 0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.12:01:08-13:12:58.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[ 5353 5353 0 ... 0 0 0]\n", - " [ 5353 5353 0 ... 0 0 0]\n", - " [60990 5353 0 ... 0 0 0]\n", - " ...\n", - " [51417 443 0 ... 0 0 0]\n", - " [50523 5353 0 ... 0 0 0]\n", - " [43820 5353 0 ... 
0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.00:00:00-01:03:07.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[63511 443 0 ... 0 0 0]\n", - " [ 3722 3722 0 ... 0 0 0]\n", - " [38066 20002 0 ... 0 0 0]\n", - " ...\n", - " [56224 5353 0 ... 0 0 0]\n", - " [64048 53 0 ... 0 0 0]\n", - " [60647 53 0 ... 0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.16:00:35-16:00:38.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[55024 53 0 ... 0 0 0]\n", - " [53000 53 0 ... 0 0 0]\n", - " [64833 53 0 ... 0 0 0]\n", - " ...\n", - " [52333 443 0 ... 0 0 0]\n", - " [52211 443 0 ... 0 0 0]\n", - " [51689 443 0 ... 0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.02:00:00-03:01:30.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[54162 443 0 ... 0 0 0]\n", - " [53359 53 0 ... 0 0 0]\n", - " [50334 53 0 ... 0 0 0]\n", - " ...\n", - " [62833 443 0 ... 0 0 0]\n", - " [62857 443 0 ... 0 0 0]\n", - " [62859 443 0 ... 0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.15:00:01-15:54:31.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[52250 993 0 ... 0 0 0]\n", - " [61665 443 0 ... 0 0 0]\n", - " [ 5353 5353 0 ... 0 0 0]\n", - " ...\n", - " [54510 53 0 ... 0 0 0]\n", - " [60670 443 0 ... 0 0 0]\n", - " [ 3 3 0 ... 
0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.14:15:58-15:00:01.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[51493 443 0 ... 0 0 0]\n", - " [51492 443 0 ... 0 0 0]\n", - " [51495 443 0 ... 0 0 0]\n", - " ...\n", - " [52249 443 0 ... 0 0 0]\n", - " [61642 7000 0 ... 0 0 0]\n", - " [51622 993 0 ... 0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.08:00:00-09:00:00.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[ 5353 5353 0 ... 0 0 0]\n", - " [64653 443 0 ... 0 0 0]\n", - " [64673 443 0 ... 0 0 0]\n", - " ...\n", - " [63096 53 0 ... 0 0 0]\n", - " [44419 5353 0 ... 0 0 0]\n", - " [33330 5353 0 ... 0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.10:00:00-11:01:06.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[34805 5353 0 ... 0 0 0]\n", - " [43493 5353 0 ... 0 0 0]\n", - " [44814 5353 0 ... 0 0 0]\n", - " ...\n", - " [52349 53 0 ... 0 0 0]\n", - " [52293 53 0 ... 0 0 0]\n", - " [51090 443 0 ... 0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.06:02:53-07:09:20.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[63336 443 0 ... 0 0 0]\n", - " [63334 443 0 ... 0 0 0]\n", - " [58575 53 0 ... 0 0 0]\n", - " ...\n", - " [63500 443 0 ... 0 0 0]\n", - " [59760 53 0 ... 0 0 0]\n", - " [54309 53 0 ... 
0 0 0]]\n", - "/usr/local/logs/2024-02-12/conn.13:12:58-14:15:58.log.gz\n", - "Index(['id.orig_p', 'id.resp_p', 'proto', 'conn_state', 'missed_bytes',\n", - " 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes'],\n", - " dtype='object')\n", - "[[65363 53 0 ... 0 0 0]\n", - " [51657 53 0 ... 0 0 0]\n", - " [51400 443 0 ... 0 0 0]\n", - " ...\n", - " [51481 443 0 ... 0 0 0]\n", - " [51482 443 0 ... 0 0 0]\n", - " [51445 443 0 ... 0 0 0]]\n" - ] + "data": { + "text/plain": [ + "array([[0.000e+00, 0.000e+00, 0.000e+00, ..., 6.200e+01, 1.000e+00,\n", + " 1.690e+02],\n", + " [0.000e+00, 0.000e+00, 0.000e+00, ..., 6.200e+01, 1.000e+00,\n", + " 1.420e+02],\n", + " [0.000e+00, 0.000e+00, 0.000e+00, ..., 1.280e+02, 2.000e+00,\n", + " 8.000e+01],\n", + " ...,\n", + " [0.000e+00, 0.000e+00, 0.000e+00, ..., 1.921e+03, 9.000e+00,\n", + " 5.408e+03],\n", + " [0.000e+00, 0.000e+00, 0.000e+00, ..., 2.484e+03, 9.000e+00,\n", + " 5.408e+03],\n", + " [0.000e+00, 0.000e+00, 0.000e+00, ..., 4.000e+01, 1.000e+00,\n", + " 4.000e+01]], dtype=float32)" + ] + }, + "execution_count": 534, + "metadata": {}, + "output_type": "execute_result" } ], "source": [ - "current_dir_path = '/usr/local/logs/2024-02-12'\n", - "if not os.path.islink(current_dir_path):\n", - " # sub_dir is now any given historical data directory \n", - " logging.info(f\"Checking {current_dir_path}\")\n", - " for file in os.listdir(current_dir_path):\n", - " # file is now any given file in the historical data directory\n", - " current_file_path = os.path.join(current_dir_path, file)\n", - " if \"conn.\" in file:\n", - " # get the whole file in memory\n", - " logging.info(f\"Opening file {current_file_path}\")\n", - " json_data_file = ungzip(current_file_path)\n", - " print(current_file_path)\n", - " np_arr = preprocess_json(json_data_file)\n", - " \n", - "\n", - " # # process json and give back a np_array (in utils)\n", - " # np_arr = preprocess_json(json_data_file)\n", - " # train_batch(kit, np_arr)" + 
"preprocess_json_conn(json_data_file)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ - "## dns" + "### Get data for conn for kitnet (w aggregation)\n" ] }, { "cell_type": "code", - "execution_count": 294, + "execution_count": 488, "metadata": {}, "outputs": [], "source": [ - "current_dir_path = '/usr/local/logs/2024-02-12'\n", - "if not os.path.islink(current_dir_path):\n", - " # sub_dir is now any given historical data directory \n", - " logging.info(f\"Checking {current_dir_path}\")\n", - " for file in os.listdir(current_dir_path):\n", - " # file is now any given file in the historical data directory\n", - " current_file_path = os.path.join(current_dir_path, file)\n", - " if \"dns.\" in file: #conn.\n", - " # get the whole file in memory\n", - " logging.info(f\"Opening file {current_file_path}\")\n", - " json_data_file = ungzip(current_file_path)\n", - " # print(current_file_path)\n", - " # print(json_data_file)" + "id_feature = [\"id.orig_h\", \"id.orig_p\", \"id.resp_h\", \"id.resp_p\"]\n", + "features = [\"ts\",\"uid\", \"id.orig_h\", \"id.orig_p\", \"id.resp_h\", \"id.resp_p\",\n", + " \"proto\", \"service\", \"duration\", \"conn_state\", \"local_orig\",\"local_resp\",\n", + " \"missed_bytes\",\"history\", \"orig_pkts\", \"orig_ip_bytes\", \"resp_pkts\", \"resp_ip_bytes\"]\n", + "data_list = []\n", + "for line in json_data_file.splitlines():\n", + " # log_entry is now a single json log from the file\n", + " log_entry = json.loads(line.strip())\n", + " \n", + " # Check if each feature is present in the log_entry\n", + " feature_values = [log_entry.get(feature, None) for feature in features]\n", + " data_list.append(feature_values)\n", + "\n", + "df = pd.DataFrame(data_list, columns=features)" ] }, { "cell_type": "code", - "execution_count": 295, + "execution_count": 489, + "metadata": {}, + "outputs": [], + "source": [ + "#fill Nans with 0s : duration, orig_bytes resp_bytes\n", + "df = fill_na(df) \n", + "\n", + "if 'history' not in df.columns: 
\n", + " df['history'] = 'N' \n", + "#fill NaNs with 'N'\n", + "df['history'] = df['history'].fillna('N')\n", + "df = create_broadcast_variable(df)\n", + "df = create_direction_variable(df)\n", + "# Convert the boolean values in columns \"local_orig\" and \"local_resp\" to 1 and 0s\n", + "df['local_orig'] = df['local_orig'].astype(int)\n", + "df['local_resp'] = df['local_resp'].astype(int)\n" + ] + }, + { + "cell_type": "code", + "execution_count": 490, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ - "{'ts': 1707768003.869346, 'uid': 'CS9fzl4EIr1i9ibne5', 'id.orig_h': '10.19.235.169', 'id.orig_p': 65501, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 3613, 'rtt': 0.01270914077758789, 'query': 'guzzoni.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['guzzoni-apple-com.v.aaplimg.com'], 'TTLs': [3321.0], 'rejected': False}\n", - "{'ts': 1707768003.869397, 'uid': 'C7KsDehrLNsfmgqo', 'id.orig_h': '10.19.235.169', 'id.orig_p': 53141, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 5769, 'rtt': 0.012659072875976562, 'query': 'guzzoni.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['guzzoni-apple-com.v.aaplimg.com', '34.225.66.6'], 'TTLs': [3321.0, 100.0], 'rejected': False}\n", - "{'ts': 1707768003.885104, 'uid': 'C2Gqup3XI5f3vrEywb', 'id.orig_h': '10.19.235.169', 'id.orig_p': 53400, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 62046, 'query': 'guzzoni-apple-com.v.aaplimg.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': 
False}\n", - "{'ts': 1707768003.992969, 'uid': 'CTv1qs4jy8ygljcWh4', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60106, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 31442, 'rtt': 0.00483393669128418, 'query': 'gsp-ssl.ls.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['gsp-ssl.ls-apple.com.akadns.net', 'gsp-ssl-geomap.ls-apple.com.akadns.net', 'gspx-ssl.ls.apple.com', 'get-bx.g.aaplimg.com'], 'TTLs': [3160.0, 20.0, 37.0, 2860.0], 'rejected': False}\n", - "{'ts': 1707768003.993001, 'uid': 'CnUWOdi7PwDh9qu36', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63620, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 59117, 'rtt': 0.004804134368896484, 'query': 'gsp-ssl.ls.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['gsp-ssl.ls-apple.com.akadns.net', 'gsp-ssl-geomap.ls-apple.com.akadns.net', 'gspx-ssl.ls.apple.com', 'get-bx.g.aaplimg.com', '17.253.3.218', '17.253.3.219'], 'TTLs': [3160.0, 20.0, 37.0, 2860.0, 22.0, 22.0], 'rejected': False}\n", - "{'ts': 1707768004.000686, 'uid': 'CRhDGa4J2VjqxcrvFd', 'id.orig_h': '10.19.235.169', 'id.orig_p': 64011, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 34884, 'query': 'get-bx.g.aaplimg.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768004.701893, 'uid': 'CNy3cnbOrrK4bzhXk', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58952, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 50063, 'rtt': 0.010221004486083984, 'query': 'cds.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 
'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['cds-cdn.v.aaplimg.com', 'cds.apple.com.akadns.net', 'world-gen.g.aaplimg.com'], 'TTLs': [699.0, 541.0, 350.0], 'rejected': False}\n", - "{'ts': 1707768004.701956, 'uid': 'CdDh5v2xr6EcVsZBn3', 'id.orig_h': '10.19.235.169', 'id.orig_p': 65505, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 47780, 'rtt': 0.010159015655517578, 'query': 'cds.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['cds-cdn.v.aaplimg.com', 'cds.apple.com.akadns.net', 'world-gen.g.aaplimg.com', '17.253.3.195', '17.253.3.196'], 'TTLs': [699.0, 541.0, 350.0, 11.0, 11.0], 'rejected': False}\n", - "{'ts': 1707768004.714708, 'uid': 'CpZ8zo1mwFlF4xU6ll', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63407, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 21447, 'query': 'world-gen.g.aaplimg.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768004.891548, 'uid': 'C1xg3w3Hytsc22Arj8', 'id.orig_h': '10.19.235.169', 'id.orig_p': 52512, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 21654, 'rtt': 0.003859996795654297, 'query': 'help.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['help.origin-apple.com.akadns.net', 'help-ar.apple.com.edgekey.net', 'e11408.d.akamaiedge.net'], 'TTLs': [3386.0, 7.0, 18118.0], 'rejected': False}\n", - "{'ts': 1707768004.891596, 'uid': 'CScqm2rwPuq6ODeF5', 'id.orig_h': '10.19.235.169', 'id.orig_p': 51154, 
'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 175, 'rtt': 0.003813028335571289, 'query': 'help.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['help.origin-apple.com.akadns.net', 'help-ar.apple.com.edgekey.net', 'e11408.d.akamaiedge.net', '23.39.33.227'], 'TTLs': [3386.0, 7.0, 18118.0, 16.0], 'rejected': False}\n", - "{'ts': 1707768004.89837, 'uid': 'CXfA7b1Y9vbslHs5Wk', 'id.orig_h': '10.19.235.169', 'id.orig_p': 55666, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 23325, 'query': 'e11408.d.akamaiedge.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707767996.633702, 'uid': 'CV7lLp41bMgMmZZ8Ma', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707767996.633707, 'uid': 'CV7lLp41bMgMmZZ8Ma', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707767996.634273, 'uid': 'CFOxfA2y3iHRT6qNQ1', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 
'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707767996.634296, 'uid': 'CFOxfA2y3iHRT6qNQ1', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707767996.634299, 'uid': 'CFOxfA2y3iHRT6qNQ1', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707767996.634345, 'uid': 'CFOxfA2y3iHRT6qNQ1', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768008.16405, 'uid': 'CtGRpN3rQKlJqFeX81', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58275, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 32276, 'rtt': 0.16800379753112793, 'query': '3-courier.push.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['3.courier-push-apple.com.akadns.net', 'us-ne-courier-4.push-apple.com.akadns.net'], 'TTLs': [18596.0, 10.0], 'rejected': False}\n", - "{'ts': 1707768008.164094, 'uid': 'Cavla512AHVHbzyhS4', 'id.orig_h': '10.19.235.169', 'id.orig_p': 51532, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 34578, 'rtt': 0.16796112060546875, 'query': 
'3-courier.push.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['3.courier-push-apple.com.akadns.net', 'us-ne-courier-4.push-apple.com.akadns.net', '17.57.144.12', '17.57.144.10', '17.57.144.11'], 'TTLs': [18596.0, 10.0, 50.0, 50.0, 50.0], 'rejected': False}\n", - "{'ts': 1707768008.334786, 'uid': 'CoQegW2E5DDua67if', 'id.orig_h': '10.19.235.169', 'id.orig_p': 59456, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 54614, 'query': 'us-ne-courier-4.push-apple.com.akadns.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768008.334808, 'uid': 'C0QsNQ3CI6fsPFatH7', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58399, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 36803, 'rtt': 0.003490924835205078, 'query': 'us-ne-courier-4.push-apple.com.akadns.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['17.57.144.10', '17.57.144.11', '17.57.144.12'], 'TTLs': [50.0, 50.0, 50.0], 'rejected': False}\n", - "{'ts': 1707768008.470885, 'uid': 'CeDTL23UzfVAmQ4zSf', 'id.orig_h': '10.19.235.169', 'id.orig_p': 54722, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 53662, 'rtt': 0.00436091423034668, 'query': 'fmfmobile.fe2.apple-dns.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['17.248.199.71'], 'TTLs': [110.0], 'rejected': False}\n", - "{'ts': 1707768011.051394, 'uid': 'CmwatF4XvE3Wf7pM37', 'id.orig_h': '10.19.235.169', 'id.orig_p': 
54439, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 52289, 'query': 'stk.px-cloud.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768011.051321, 'uid': 'CBOt594rDWQAm9k8ja', 'id.orig_h': '10.19.235.169', 'id.orig_p': 62654, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 25946, 'rtt': 0.0037779808044433594, 'query': 'stk.px-cloud.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['34.107.199.61'], 'TTLs': [346.0], 'rejected': False}\n", - "{'ts': 1707768011.086383, 'uid': 'C4ed1Q29UXNlekubrf', 'id.orig_h': '10.19.235.169', 'id.orig_p': 57226, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 43761, 'rtt': 0.0032088756561279297, 'query': 'www.linkedin.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['www-linkedin-com.l-0005.l-msedge.net', 'l-0005.l-msedge.net'], 'TTLs': [196.0, 144.0], 'rejected': False}\n", - "{'ts': 1707768011.086273, 'uid': 'C2OLUB4M5nxGjuXcEl', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60947, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 38510, 'rtt': 0.003319978713989258, 'query': 'www.linkedin.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['www-linkedin-com.l-0005.l-msedge.net', 'l-0005.l-msedge.net', '13.107.42.14'], 'TTLs': [196.0, 144.0, 144.0], 'rejected': False}\n", - "{'ts': 1707768011.091898, 'uid': 'CowX4cUdrEERG26Rk', 'id.orig_h': '10.19.235.169', 
'id.orig_p': 63311, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 22008, 'query': 'play.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768011.091743, 'uid': 'Cc3E49lJ0Vo7AniI3', 'id.orig_h': '10.19.235.169', 'id.orig_p': 62224, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 46578, 'rtt': 0.0040700435638427734, 'query': 'play.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.251.40.110'], 'TTLs': [28.0], 'rejected': False}\n", - "{'ts': 1707768011.142463, 'uid': 'CzfR5A39hCFNUjcvh5', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60533, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 44570, 'rtt': 0.0035169124603271484, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com', '35.190.45.20'], 'TTLs': [168.0, 84.0, 89.0], 'rejected': False}\n", - "{'ts': 1707768011.144673, 'uid': 'CqjLPs2HAg8mhPneXb', 'id.orig_h': '10.19.235.169', 'id.orig_p': 54647, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 48408, 'rtt': 0.0034868717193603516, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com'], 'TTLs': [168.0, 84.0], 'rejected': False}\n", - "{'ts': 1707768011.19874, 'uid': 'CQwNWW16eK6mMXWBQ8', 'id.orig_h': 
'10.19.235.169', 'id.orig_p': 61137, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 63611, 'query': 'google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768011.198661, 'uid': 'C8ywg5JOg2TBVwhr3', 'id.orig_h': '10.19.235.169', 'id.orig_p': 50470, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 10089, 'rtt': 0.004611015319824219, 'query': 'google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.250.176.206'], 'TTLs': [85.0], 'rejected': False}\n", - "{'ts': 1707768016.040144, 'uid': 'CB9Nuo1hhYd7B5Qplg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.00017905235290527344, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 32769, 'qclass_name': 'qclass-32769', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768016.040184, 'uid': 'Cmr2cA2bcEZpaT62Ni', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.00016188621520996094, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 32769, 'qclass_name': 'qclass-32769', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768016.290879, 'uid': 'CB9Nuo1hhYd7B5Qplg', 
'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.5027029514312744, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 1707768016.29104, 'uid': 'Cmr2cA2bcEZpaT62Ni', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.5025451183319092, 'query': 'zoe’s 
macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 1707768016.541494, 'uid': 'CB9Nuo1hhYd7B5Qplg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.497711181640625, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 
'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768016.541521, 'uid': 'Cmr2cA2bcEZpaT62Ni', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.4977099895477295, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768017.041797, 'uid': 'CB9Nuo1hhYd7B5Qplg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.75343918800354, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 
'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 1707768017.041847, 'uid': 'Cmr2cA2bcEZpaT62Ni', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.7534189224243164, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 
rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 1707768019.041301, 'uid': 'CB9Nuo1hhYd7B5Qplg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 
'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 1707768019.041352, 'uid': 'Cmr2cA2bcEZpaT62Ni', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - 
"{'ts': 1707768023.041808, 'uid': 'CB9Nuo1hhYd7B5Qplg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 1707768023.04184, 'uid': 'Cmr2cA2bcEZpaT62Ni', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 
'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 1707768041.334957, 'uid': 'Cm87T22wUF9Xgf2hQc', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58859, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 1373, 'rtt': 0.009403228759765625, 'query': 'i.ytimg.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 
'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.250.80.54', '142.250.176.214', '142.251.40.214', '142.251.40.246', '142.250.65.182', '142.250.65.214', '142.250.65.246', '142.250.81.246', '142.251.41.22', '142.251.32.118', '142.251.35.182', '142.251.40.118', '142.251.40.150', '142.251.40.182', '142.250.64.118', '142.250.72.118'], 'TTLs': [115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0], 'rejected': False}\n", - "{'ts': 1707768041.335145, 'uid': 'Cdfwdv4ld5dxu66lkb', 'id.orig_h': '10.19.235.169', 'id.orig_p': 55001, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 22436, 'query': 'i.ytimg.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768043.972181, 'uid': 'CvRKJe1a08sWalfyC4', 'id.orig_h': '10.19.235.169', 'id.orig_p': 64431, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 22874, 'query': 'ssl.gstatic.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768043.971934, 'uid': 'CtWSEy1vyE9vZw0qoj', 'id.orig_h': '10.19.235.169', 'id.orig_p': 56763, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 9322, 'rtt': 0.011201858520507812, 'query': 'ssl.gstatic.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.250.65.163'], 'TTLs': [140.0], 'rejected': False}\n", - "{'ts': 1707768056.301998, 'uid': 'CvjH4lCGPJ9LUCrwc', 'id.orig_h': '10.19.235.169', 'id.orig_p': 49575, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 
'udp', 'trans_id': 54718, 'rtt': 0.004024982452392578, 'query': 'rr2---sn-ab5l6nrd.googlevideo.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['rr2.sn-ab5l6nrd.googlevideo.com', '173.194.31.7'], 'TTLs': [1694.0, 709.0], 'rejected': False}\n", - "{'ts': 1707768056.302119, 'uid': 'C8HxqF18GVKBzwOfy2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 49930, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 2864, 'rtt': 0.0039038658142089844, 'query': 'rr2---sn-ab5l6nrd.googlevideo.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['rr2.sn-ab5l6nrd.googlevideo.com'], 'TTLs': [1694.0], 'rejected': False}\n", - "{'ts': 1707768058.512371, 'uid': 'C6FWYg1GxLGCRKnZ1c', 'id.orig_h': '10.19.235.169', 'id.orig_p': 62270, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 44497, 'query': 'e2c19.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768058.512212, 'uid': 'CQQVS44iPyhIgZmBN9', 'id.orig_h': '10.19.235.169', 'id.orig_p': 57966, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 39452, 'rtt': 0.004097938537597656, 'query': 'e2c19.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['34.65.65.90'], 'TTLs': [103.0], 'rejected': False}\n", - "{'ts': 1707768065.371772, 'uid': 'CORRsd4Im8PhvUKmFj', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58786, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 30065, 
'rtt': 0.00403594970703125, 'query': 'beacons.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons6.gvt2.com'], 'TTLs': [296.0], 'rejected': False}\n", - "{'ts': 1707768065.371707, 'uid': 'Cldop02l2ZWmk79tlj', 'id.orig_h': '10.19.235.169', 'id.orig_p': 65026, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 14418, 'rtt': 0.0041010379791259766, 'query': 'beacons.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons6.gvt2.com', '142.250.80.99'], 'TTLs': [296.0, 14.0], 'rejected': False}\n", - "{'ts': 1707768056.121626, 'uid': 'CcNhB52Qc5uqzhsz9i', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768056.121661, 'uid': 'CTwUUI1tOY1GAoWV4a', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768068.752692, 'uid': 'C1yVau1jdH7lOjXg9c', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60842, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 58562, 'rtt': 0.004012107849121094, 'query': 'beacons3.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 
'answers': ['142.251.40.195'], 'TTLs': [224.0], 'rejected': False}\n", - "{'ts': 1707768068.752782, 'uid': 'CswX3f2hd3Ahsk9rle', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60132, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 40178, 'query': 'beacons3.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768072.963568, 'uid': 'CGSdHihDcE0Mldqrg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 61599, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 30947, 'query': 'accounts.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768072.963482, 'uid': 'Cd2dY7qCBe1lpSUNb', 'id.orig_h': '10.19.235.169', 'id.orig_p': 55901, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 62931, 'rtt': 0.00950312614440918, 'query': 'accounts.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['172.253.115.84'], 'TTLs': [250.0], 'rejected': False}\n", - "{'ts': 1707768103.363284, 'uid': 'Cf8DM92nqCOgF3slRa', 'id.orig_h': '10.19.235.169', 'id.orig_p': 57310, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 19584, 'rtt': 0.003793954849243164, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com'], 'TTLs': [76.0, 290.0], 'rejected': False}\n", - "{'ts': 1707768103.363225, 'uid': 'C0rpq51YoNH8lIo9G9', 
'id.orig_h': '10.19.235.169', 'id.orig_p': 56888, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 36237, 'rtt': 0.0038530826568603516, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com', '35.201.100.119'], 'TTLs': [76.0, 290.0, 295.0], 'rejected': False}\n", - "{'ts': 1707768131.11402, 'uid': 'CAPoTz3bvsNlxUm9mf', 'id.orig_h': '10.19.235.169', 'id.orig_p': 55037, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 12515, 'query': 'play.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768131.113952, 'uid': 'CbUb6S1PyFJ8Rvuwqd', 'id.orig_h': '10.19.235.169', 'id.orig_p': 57526, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 64879, 'rtt': 0.06569910049438477, 'query': 'play.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.251.40.110'], 'TTLs': [206.0], 'rejected': False}\n", - "{'ts': 1707768127.535699, 'uid': 'CKtVev46zUbzqmWUG2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 
gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768127.534376, 'uid': 'C0vKnM28xV50a4omch', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 
model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768127.535702, 'uid': 'CKtVev46zUbzqmWUG2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768128.535343, 'uid': 'CKtVev46zUbzqmWUG2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 
model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768129.655155, 'uid': 'CKtVev46zUbzqmWUG2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", - "{'ts': 
1707768133.655476, 'uid': 'CKtVev46zUbzqmWUG2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768128.535376, 'uid': 'C0vKnM28xV50a4omch', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 
psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768129.655195, 'uid': 'C0vKnM28xV50a4omch', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768133.655502, 'uid': 'C0vKnM28xV50a4omch', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 
5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768162.962636, 'uid': 'CIKeSv8WITwkGD475', 'id.orig_h': '10.19.235.169', 'id.orig_p': 51231, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 266, 'query': 'docs.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768162.962567, 'uid': 'CdHh4r4iy8qMmqsuVg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 65380, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 6187, 'rtt': 0.04783892631530762, 'query': 'docs.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 
0, 'answers': ['142.251.40.238'], 'TTLs': [227.0], 'rejected': False}\n", - "{'ts': 1707768154.152796, 'uid': 'CiHkri25egnxjgmaA5', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768154.152832, 'uid': 'CBu8kV3Hl0aVPvQgf5', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768179.379697, 'uid': 
'CMmWJc1autUp5z5F4b', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63173, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 53772, 'rtt': 0.012414932250976562, 'query': 'westus-0.in.applicationinsights.azure.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['westus-0.in.ai.monitor.azure.com', 'westus-0.in.ai.privatelink.monitor.azure.com', 'gig-ai-prod-westus-0.trafficmanager.net', 'gig-ai-prod-wus-0-app-v4-tag.westus.cloudapp.azure.com', '20.189.172.32'], 'TTLs': [20.0, 20.0, 20.0, 150.0, 10.0], 'rejected': False}\n", - "{'ts': 1707768183.100971, 'uid': 'CZnqEb3Yxux92cgnqi', 'id.orig_h': '10.19.235.169', 'id.orig_p': 59243, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 40460, 'rtt': 0.0034639835357666016, 'query': 'stocks-data-service.lb-apple.com.akadns.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['stocks-data-service.apple.com.edgesuite.net', 'a1091.dscapi7.akamai.net'], 'TTLs': [16.0, 10714.0], 'rejected': False}\n", - "{'ts': 1707768183.101003, 'uid': 'CS02PvYXEL39tQn3a', 'id.orig_h': '10.19.235.169', 'id.orig_p': 55961, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 26619, 'rtt': 0.0034329891204833984, 'query': 'stocks-data-service.lb-apple.com.akadns.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['stocks-data-service.apple.com.edgesuite.net', 'a1091.dscapi7.akamai.net', '104.126.118.203', '104.126.118.211'], 'TTLs': [16.0, 10714.0, 13.0, 13.0], 'rejected': False}\n", - "{'ts': 1707768183.484249, 'uid': 'C8zMFb2gSUZE5b4Wm8', 'id.orig_h': '10.19.235.169', 'id.orig_p': 
57237, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 60066, 'rtt': 0.0036308765411376953, 'query': 'ff-proxy.leetcode.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['172.67.72.213', '104.26.8.101', '104.26.9.101'], 'TTLs': [230.0, 230.0, 230.0], 'rejected': False}\n", - "{'ts': 1707768183.484351, 'uid': 'CP4tMf3N6CnTdBto6a', 'id.orig_h': '10.19.235.169', 'id.orig_p': 64831, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 42208, 'query': 'ff-proxy.leetcode.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768191.042252, 'uid': 'CbRadG2VhzPxtcDVU1', 'id.orig_h': '10.19.235.169', 'id.orig_p': 56153, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 33093, 'query': 'play.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768191.042086, 'uid': 'CYen5h246vLUhiVS2f', 'id.orig_h': '10.19.235.169', 'id.orig_p': 50100, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 31959, 'rtt': 0.004681110382080078, 'query': 'play.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.251.40.110'], 'TTLs': [146.0], 'rejected': False}\n", - "{'ts': 1707768191.048922, 'uid': 'CRIWT14xS4EAgxXF7d', 'id.orig_h': '10.19.235.169', 'id.orig_p': 59923, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 53158, 'rtt': 0.0053980350494384766, 'query': 
'www.linkedin.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['www-linkedin-com.l-0005.l-msedge.net', 'l-0005.l-msedge.net', '13.107.42.14'], 'TTLs': [16.0, 202.0, 202.0], 'rejected': False}\n", - "{'ts': 1707768191.049025, 'uid': 'CQ5rRY1XXDXlVxtoM2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 53418, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 21384, 'rtt': 0.0052950382232666016, 'query': 'www.linkedin.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['www-linkedin-com.l-0005.l-msedge.net', 'l-0005.l-msedge.net'], 'TTLs': [16.0, 202.0], 'rejected': False}\n", - "{'ts': 1707768191.186603, 'uid': 'CYJwLXnMBelg5gI6k', 'id.orig_h': '10.19.235.169', 'id.orig_p': 59399, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 20343, 'rtt': 0.11486697196960449, 'query': 'config.extension.grammarly.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['d27xxe7juh1us6.cloudfront.net', '108.138.106.48', '108.138.106.79', '108.138.106.93', '108.138.106.51'], 'TTLs': [132.0, 43.0, 43.0, 43.0, 43.0], 'rejected': False}\n", - "{'ts': 1707768191.186662, 'uid': 'C56WuV9JNjVzhtfU2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63414, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 53130, 'rtt': 0.11630797386169434, 'query': 'config.extension.grammarly.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['d27xxe7juh1us6.cloudfront.net'], 'TTLs': [132.0], 'rejected': 
False}\n", - "{'ts': 1707768192.957792, 'uid': 'Cclm5c2zlZmfQSVqF6', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60136, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 60724, 'query': 'ssl.gstatic.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768192.957682, 'uid': 'CMNVT34JKVDdLP5dCe', 'id.orig_h': '10.19.235.169', 'id.orig_p': 50340, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 23065, 'rtt': 0.004062175750732422, 'query': 'ssl.gstatic.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.250.65.163'], 'TTLs': [290.0], 'rejected': False}\n", - "{'ts': 1707768208.284169, 'uid': 'CeFu4e4wsYwUUlGDGd', 'id.orig_h': '10.19.235.169', 'id.orig_p': 61766, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 8541, 'rtt': 0.0075609683990478516, 'query': 'clients4.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['clients.l.google.com'], 'TTLs': [46.0], 'rejected': False}\n", - "{'ts': 1707768208.284079, 'uid': 'CwvFDa3uVt13JFb1Ad', 'id.orig_h': '10.19.235.169', 'id.orig_p': 49923, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 14154, 'rtt': 0.0076520442962646484, 'query': 'clients4.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['clients.l.google.com', '142.251.41.14'], 'TTLs': [46.0, 116.0], 'rejected': False}\n", - "{'ts': 1707768211.639575, 'uid': 'Cc8ku044193K5nFUh3', 'id.orig_h': 
'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.00013709068298339844, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 32769, 'qclass_name': 'qclass-32769', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768211.640876, 'uid': 'C9n0yl2Fx3cJsUdFii', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 2.09808349609375e-05, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 32769, 'qclass_name': 'qclass-32769', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768211.640893, 'uid': 'C9n0yl2Fx3cJsUdFii', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 1.0967254638671875e-05, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 32769, 'qclass_name': 'qclass-32769', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768211.890166, 'uid': 'C9n0yl2Fx3cJsUdFii', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.5014240741729736, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': 
False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 1707768211.890267, 'uid': 'Cc8ku044193K5nFUh3', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.5013589859008789, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 
features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 1707768212.140118, 'uid': 'C9n0yl2Fx3cJsUdFii', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.5104920864105225, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768212.140148, 'uid': 'Cc8ku044193K5nFUh3', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 
'trans_id': 0, 'rtt': 0.5104641914367676, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", - "{'ts': 1707768212.650607, 'uid': 'C9n0yl2Fx3cJsUdFii', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.7415308952331543, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 
osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 1707768212.650611, 'uid': 'Cc8ku044193K5nFUh3', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.7415611743927002, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 
1707768214.650975, 'uid': 'C9n0yl2Fx3cJsUdFii', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 1707768214.650999, 'uid': 'Cc8ku044193K5nFUh3', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 
'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 1707768218.654082, 'uid': 'C9n0yl2Fx3cJsUdFii', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': 
True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 1707768218.654274, 'uid': 'Cc8ku044193K5nFUh3', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 
features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", - "{'ts': 1707768230.893679, 'uid': 'CMpH0U22mjw7txOwSg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 54707, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 22870, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com'], 'TTLs': [247.0, 163.0], 'rejected': False}\n", - "{'ts': 1707768230.893679, 'uid': 'CXff902tWyV6AA6X4g', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63399, 'id.resp_h': '128.122.0.71', 
'id.resp_p': 53, 'proto': 'udp', 'trans_id': 21698, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com', '35.201.100.119'], 'TTLs': [247.0, 163.0, 168.0], 'rejected': False}\n", - "{'ts': 1707768239.962227, 'uid': 'CWjUv94qtMUT6aYnpi', 'id.orig_h': '10.19.235.169', 'id.orig_p': 53518, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 15898, 'query': 'docs.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768239.962125, 'uid': 'CudCK43BK9D7x9vPIc', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60236, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 8292, 'rtt': 0.0038809776306152344, 'query': 'docs.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.251.40.238'], 'TTLs': [151.0], 'rejected': False}\n", - "{'ts': 1707768258.322417, 'uid': 'ClPPlc4mFj27oP97a8', 'id.orig_h': '10.19.235.169', 'id.orig_p': 52477, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 5845, 'rtt': 0.010509967803955078, 'query': 'www.youtube.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['youtube-ui.l.google.com'], 'TTLs': [218.0], 'rejected': False}\n", - "{'ts': 1707768258.322297, 'uid': 'C6sTLv1ckVjyDwwq5k', 'id.orig_h': '10.19.235.169', 'id.orig_p': 53623, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 57915, 'rtt': 
0.01063084602355957, 'query': 'www.youtube.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['youtube-ui.l.google.com', '142.250.80.110', '142.250.176.206', '142.251.40.206', '142.250.65.238', '142.250.81.238', '142.251.41.14', '142.251.32.110', '142.251.35.174', '142.251.40.110', '142.251.40.142', '142.251.40.174', '142.250.64.110', '142.250.72.110', '142.250.80.14', '142.250.80.46', '142.250.80.78'], 'TTLs': [218.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0], 'rejected': False}\n", - "{'ts': 1707768251.734881, 'uid': 'CQS3Zs29MFlKhbw0Eb', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768251.734923, 'uid': 'C07qn71K4tfzB1m934', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768268.115842, 'uid': 'Cwjq1V2nwnyr9M4iA3', 'id.orig_h': '10.19.235.169', 'id.orig_p': 54497, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 12463, 'query': 'i.ytimg.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768268.115783, 'uid': 'CpFyNkRg7a585tL7f', 'id.orig_h': '10.19.235.169', 'id.orig_p': 50325, 'id.resp_h': '128.122.0.71', 
'id.resp_p': 53, 'proto': 'udp', 'trans_id': 22427, 'rtt': 0.006042957305908203, 'query': 'i.ytimg.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.250.65.246', '142.250.81.246', '142.251.41.22', '142.251.32.118', '142.251.35.182', '142.251.40.118', '142.251.40.150', '142.251.40.182', '142.250.64.118', '142.250.72.118', '142.250.80.54', '142.250.176.214', '142.251.40.214', '142.251.40.246', '142.250.65.182', '142.250.65.214'], 'TTLs': [186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0], 'rejected': False}\n", - "{'ts': 1707768271.955977, 'uid': 'CwZuFw4DLCukiLptei', 'id.orig_h': '10.19.235.169', 'id.orig_p': 59682, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 46522, 'rtt': 0.008795976638793945, 'query': 'www.linkedin.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['www-linkedin-com.l-0005.l-msedge.net', 'l-0005.l-msedge.net'], 'TTLs': [234.0, 122.0], 'rejected': False}\n", - "{'ts': 1707768271.955856, 'uid': 'CVuPNUlPD2GpLFCi8', 'id.orig_h': '10.19.235.169', 'id.orig_p': 53671, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 22895, 'rtt': 0.008917808532714844, 'query': 'www.linkedin.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['www-linkedin-com.l-0005.l-msedge.net', 'l-0005.l-msedge.net', '13.107.42.14'], 'TTLs': [234.0, 122.0, 122.0], 'rejected': False}\n", - "{'ts': 1707768283.961244, 'uid': 'C6Q45w47IADF5eSDGg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 49198, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 
'trans_id': 26270, 'query': 'ssl.gstatic.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768283.961177, 'uid': 'CO9COB1om0mKlPU427', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60772, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 8928, 'rtt': 0.010110855102539062, 'query': 'ssl.gstatic.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.250.65.163'], 'TTLs': [199.0], 'rejected': False}\n", - "{'ts': 1707768285.370859, 'uid': 'CwZ4DT9iZkGBIIi42', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63799, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 27169, 'query': 'matrix.hsrn.nyu.edu', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768285.370792, 'uid': 'CCUolX1uUhbV90jFh3', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58309, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 24840, 'rtt': 0.0048182010650634766, 'query': 'matrix.hsrn.nyu.edu', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['216.165.12.42'], 'TTLs': [86400.0], 'rejected': False}\n", - "{'ts': 1707768298.358392, 'uid': 'Cm4WRr1kukdSESxfWl', 'id.orig_h': '10.19.235.169', 'id.orig_p': 50826, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 42909, 'rtt': 0.00412297248840332, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 
'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com'], 'TTLs': [179.0, 95.0], 'rejected': False}\n", - "{'ts': 1707768298.358307, 'uid': 'CQqM5y4UR7UGf3cpo', 'id.orig_h': '10.19.235.169', 'id.orig_p': 55469, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 58844, 'rtt': 0.004208087921142578, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com', '35.201.100.119'], 'TTLs': [179.0, 95.0, 100.0], 'rejected': False}\n", - "{'ts': 1707768299.966229, 'uid': 'CAlXeh60wXmAHS50f', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60948, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 37294, 'rtt': 0.010381937026977539, 'query': 'az764295.vo.msecnd.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 28, 'qtype_name': 'AAAA', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['cs22.wpc.v0cdn.net'], 'TTLs': [3471.0], 'rejected': False}\n", - "{'ts': 1707768299.966307, 'uid': 'CY3Isw2j6ALKK0Dx1j', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60374, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 15296, 'rtt': 0.010305166244506836, 'query': 'az764295.vo.msecnd.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['cs22.wpc.v0cdn.net'], 'TTLs': [3471.0], 'rejected': False}\n", - "{'ts': 1707768299.966262, 'uid': 'C8Ipyl1XHbL0gcbox1', 'id.orig_h': '10.19.235.169', 'id.orig_p': 57584, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 9658, 'rtt': 0.01034998893737793, 'query': 'az764295.vo.msecnd.net', 
'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['cs22.wpc.v0cdn.net', '152.199.4.33'], 'TTLs': [3471.0, 3487.0], 'rejected': False}\n", - "{'ts': 1707768314.499201, 'uid': 'CNQvG4mFcLlcNyjWf', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58332, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 43714, 'rtt': 0.007024049758911133, 'query': 'rr2---sn-ab5l6nrd.googlevideo.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['rr2.sn-ab5l6nrd.googlevideo.com', '173.194.31.7'], 'TTLs': [1436.0, 451.0], 'rejected': False}\n", - "{'ts': 1707768314.4993, 'uid': 'CmRC7e1SPcc4Fb5xAk', 'id.orig_h': '10.19.235.169', 'id.orig_p': 53470, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 39390, 'rtt': 0.01618504524230957, 'query': 'rr2---sn-ab5l6nrd.googlevideo.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['rr2.sn-ab5l6nrd.googlevideo.com'], 'TTLs': [1436.0], 'rejected': False}\n", - "{'ts': 1707768328.101499, 'uid': 'CzCUgL3H5ffsY8Pc2i', 'id.orig_h': '10.19.235.169', 'id.orig_p': 62761, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 11019, 'rtt': 0.004101991653442383, 'query': 'apidata.googleusercontent.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['googlehosted.l.googleusercontent.com'], 'TTLs': [18.0], 'rejected': False}\n", - "{'ts': 1707768328.101528, 'uid': 'Cft5lek1rqV6mlF26', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63067, 'id.resp_h': '128.122.0.71', 
'id.resp_p': 53, 'proto': 'udp', 'trans_id': 24581, 'rtt': 0.0040740966796875, 'query': 'apidata.googleusercontent.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['googlehosted.l.googleusercontent.com', '142.251.40.97'], 'TTLs': [18.0, 138.0], 'rejected': False}\n", - "{'ts': 1707768328.108973, 'uid': 'CmziFZkI89kzCEN31', 'id.orig_h': '10.19.235.169', 'id.orig_p': 59520, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 58952, 'query': 'googlehosted.l.googleusercontent.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768332.896213, 'uid': 'CoVmED2RAXbutegvmd', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768332.896215, 'uid': 'CoVmED2RAXbutegvmd', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768332.896548, 'uid': 'CVoUx1SG7PpILjwt2', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768332.89655, 
'uid': 'CVoUx1SG7PpILjwt2', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768332.896562, 'uid': 'CVoUx1SG7PpILjwt2', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", - "{'ts': 1707768332.896568, 'uid': 'CVoUx1SG7PpILjwt2', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "(65, 22)\n" + ] + } + ], + "source": [ + "print(df.shape)" + ] + }, + { + "cell_type": "code", + "execution_count": 491, + "metadata": {}, + "outputs": [ + { + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
tsuidid.orig_hid.orig_pid.resp_hid.resp_pprotoservicedurationconn_state...missed_byteshistoryorig_pktsorig_ip_bytesresp_pktsresp_ip_bytesorig_bytesresp_bytesis_destination_broadcasttraffic_direction
01.707758e+09C0LEGs2p93lnNEFB5f192.168.0.16865363192.168.0.153udpdns0.019866SF...0Dd1621169000internal
11.707758e+09CoIaps3LBPANWZX887192.168.0.16851657192.168.0.153udpdns0.012296SF...0Dd1621142000internal
21.707758e+09CllN3R2OE84qgP4Myl192.168.0.16851400142.250.80.74443tcpother0.016519RSTR...0DFr2128280000outgoing
31.707758e+09CnAcZTvINoaJSPmC2192.168.0.1685353224.0.0.2515353udpdns7.450594S0...0D246900000outgoing
41.707758e+09CrKvqoo2pkmR8IcKffe80::17:2915:d910:f375353ff02::fb5353udpdns7.450569S0...0D250900000IPv6
\n", + "

5 rows × 22 columns

\n", + "
" + ], + "text/plain": [ + " ts uid id.orig_h id.orig_p \\\n", + "0 1.707758e+09 C0LEGs2p93lnNEFB5f 192.168.0.168 65363 \n", + "1 1.707758e+09 CoIaps3LBPANWZX887 192.168.0.168 51657 \n", + "2 1.707758e+09 CllN3R2OE84qgP4Myl 192.168.0.168 51400 \n", + "3 1.707758e+09 CnAcZTvINoaJSPmC2 192.168.0.168 5353 \n", + "4 1.707758e+09 CrKvqoo2pkmR8IcKf fe80::17:2915:d910:f37 5353 \n", + "\n", + " id.resp_h id.resp_p proto service duration conn_state ... \\\n", + "0 192.168.0.1 53 udp dns 0.019866 SF ... \n", + "1 192.168.0.1 53 udp dns 0.012296 SF ... \n", + "2 142.250.80.74 443 tcp other 0.016519 RSTR ... \n", + "3 224.0.0.251 5353 udp dns 7.450594 S0 ... \n", + "4 ff02::fb 5353 udp dns 7.450569 S0 ... \n", + "\n", + " missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes \\\n", + "0 0 Dd 1 62 1 169 \n", + "1 0 Dd 1 62 1 142 \n", + "2 0 DFr 2 128 2 80 \n", + "3 0 D 2 469 0 0 \n", + "4 0 D 2 509 0 0 \n", + "\n", + " orig_bytes resp_bytes is_destination_broadcast traffic_direction \n", + "0 0 0 0 internal \n", + "1 0 0 0 internal \n", + "2 0 0 0 outgoing \n", + "3 0 0 0 outgoing \n", + "4 0 0 0 IPv6 \n", + "\n", + "[5 rows x 22 columns]" + ] + }, + "execution_count": 491, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "df.head()" + ] + }, + { + "cell_type": "code", + "execution_count": 149, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "id.orig_h id.orig_p id.resp_h id.resp_p\n", + "192.168.0.1 45892 192.168.0.255 20002 0.000000\n", + " 46449 224.0.0.251 5353 0.000000\n", + " 46818 224.0.0.251 5353 0.000000\n", + " 58627 192.168.0.255 20002 0.000000\n", + "192.168.0.168 3 142.250.80.1 3 1.246119\n", + " ... 
\n", + " 64633 17.248.175.21 443 0.017568\n", + " 65363 192.168.0.1 53 0.019866\n", + " 65528 142.250.80.1 443 0.119744\n", + "fe80::17:2915:d910:f37 143 ff02::16 0 0.000000\n", + " 5353 ff02::fb 5353 7.450569\n", + "Name: duration, Length: 63, dtype: float64\n" + ] + } + ], + "source": [ + "# Group the DataFrame by the specified columns\n", + "grouped_data = df.groupby(['id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p'])\n", + "\n", + "# Extract the first 'ts' value for each group (assuming timestamps are ordered)\n", + "first_ts = grouped_data['duration'].first()\n", + "\n", + "# This will be a Series with the first 'ts' value for each unique combination of grouping keys\n", + "print(first_ts)" + ] + }, + { + "cell_type": "code", + "execution_count": 150, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "id.orig_h id.orig_p id.resp_h id.resp_p\n", + "192.168.0.168 3 142.250.80.1 3 1.246119\n", + " 5353 224.0.0.251 5353 7.450594\n", + " 51381 20.189.173.2 443 45.350865\n", + " 51448 216.165.12.42 443 30.428033\n", + " 59051 17.57.144.54 5223 49.082516\n", + "fe80::17:2915:d910:f37 5353 ff02::fb 5353 7.450569\n", + "Name: duration, dtype: float64" + ] + }, + "execution_count": 150, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "first_ts[first_ts > 1]" + ] + }, + { + "cell_type": "code", + "execution_count": 123, + "metadata": {}, + "outputs": [], + "source": [ + "filtered_df = df[(df['id.orig_h'] == '192.168.0.168') & (df['id.orig_p'] == 51428)]" + ] + }, + { + "cell_type": "code", + "execution_count": 151, + "metadata": {}, + "outputs": [ + { + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
tsuidid.orig_hid.orig_pid.resp_hid.resp_pprotoservicedurationconn_statelocal_origlocal_respmissed_byteshistoryorig_pktsorig_ip_bytesresp_pktsresp_ip_bytesorig_bytesresp_bytes
311.707758e+09ClKxU23lRlw5hdtGFj192.168.0.16851428142.250.65.234443tcpssl0.141091S1TrueFalse0ShADad10165814762600
421.707762e+09CJRUNP37hqlOb5Poa5192.168.0.16851428142.250.65.234443tcpother0.012353RSTRTrueFalse0DFTr439714000
\n", + "
" + ], + "text/plain": [ + " ts uid id.orig_h id.orig_p \\\n", + "31 1.707758e+09 ClKxU23lRlw5hdtGFj 192.168.0.168 51428 \n", + "42 1.707762e+09 CJRUNP37hqlOb5Poa5 192.168.0.168 51428 \n", + "\n", + " id.resp_h id.resp_p proto service duration conn_state local_orig \\\n", + "31 142.250.65.234 443 tcp ssl 0.141091 S1 True \n", + "42 142.250.65.234 443 tcp other 0.012353 RSTR True \n", + "\n", + " local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts \\\n", + "31 False 0 ShADad 10 1658 14 \n", + "42 False 0 DFTr 4 397 1 \n", + "\n", + " resp_ip_bytes orig_bytes resp_bytes \n", + "31 7626 0 0 \n", + "42 40 0 0 " + ] + }, + "execution_count": 151, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "filtered_df" + ] + }, + { + "cell_type": "code", + "execution_count": 251, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "4000.0" + ] + }, + "execution_count": 251, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "(1.707762e+09 - 1.707758e+09)" + ] + }, + { + "cell_type": "code", + "execution_count": 487, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "Index(['ts', 'uid', 'id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p',\n", + " 'proto', 'service', 'duration', 'conn_state', 'local_orig',\n", + " 'local_resp', 'missed_bytes', 'history', 'orig_pkts', 'orig_ip_bytes',\n", + " 'resp_pkts', 'resp_ip_bytes', 'orig_bytes', 'resp_bytes',\n", + " 'is_destination_broadcast', 'traffic_direction'],\n", + " dtype='object')" + ] + }, + "execution_count": 487, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "df.columns" + ] + }, + { + "cell_type": "code", + "execution_count": 310, + "metadata": {}, + "outputs": [], + "source": [ + "#To be confirmed with HSRN data\n", + "windows = [1,10,60,360] #seconds \n", + "grp = ['id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p']\n", + "#TODO: aggregate the features to compute the windowed features \n", + 
"windowed_features_num = ['mean','min','max','std','var','cnt', 'sum'] #for numerical features: duration, orig_pkts, orig_ip_bytes, resp_pkts, resp_ip_bytes\n", + "windowed_features_cat = ['nuniq','entropy'] #for categorical features: conn_state, proto, service, history\n", + "aggr_feature_num = ['duration, missed_bytes, orig_pkts, orig_ip_bytes, resp_pkts, resp_ip_bytes']\n", + "aggr_feature_num = ['local_orig', 'local_resp']" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "**Research on ways to do aggregation in time windows (Real-Time Aggregation Features )**\n", + "1. https://nussknacker.io/documentation/docs/1.1/scenarios_authoring/AggregatesInTimeWindows/ \n", + "2. rolling mean\n" + ] + }, + { + "cell_type": "code", + "execution_count": 127, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Collecting pandasql\n", + " Downloading pandasql-0.7.3.tar.gz (26 kB)\n", + "Requirement already satisfied: numpy in /Users/Zoe_1/opt/anaconda3/lib/python3.9/site-packages (from pandasql) (1.23.5)\n", + "Requirement already satisfied: pandas in /Users/Zoe_1/opt/anaconda3/lib/python3.9/site-packages (from pandasql) (1.4.2)\n", + "Requirement already satisfied: sqlalchemy in /Users/Zoe_1/opt/anaconda3/lib/python3.9/site-packages (from pandasql) (1.4.32)\n", + "Requirement already satisfied: python-dateutil>=2.8.1 in /Users/Zoe_1/opt/anaconda3/lib/python3.9/site-packages (from pandas->pandasql) (2.8.2)\n", + "Requirement already satisfied: pytz>=2020.1 in /Users/Zoe_1/opt/anaconda3/lib/python3.9/site-packages (from pandas->pandasql) (2021.3)\n", + "Requirement already satisfied: six>=1.5 in /Users/Zoe_1/opt/anaconda3/lib/python3.9/site-packages (from python-dateutil>=2.8.1->pandas->pandasql) (1.16.0)\n", + "Requirement already satisfied: greenlet!=0.4.17 in /Users/Zoe_1/opt/anaconda3/lib/python3.9/site-packages (from sqlalchemy->pandasql) (2.0.2)\n", + "Building wheels for collected packages: 
pandasql\n", + " Building wheel for pandasql (setup.py) ... \u001b[?25ldone\n", + "\u001b[?25h Created wheel for pandasql: filename=pandasql-0.7.3-py3-none-any.whl size=26784 sha256=f55c3b6f2822eaa7fb687d2a2679ace938a115c3571028606f5828a4bf028d61\n", + " Stored in directory: /Users/Zoe_1/Library/Caches/pip/wheels/63/e8/ec/75b1df467ecf57b6ececb32cb16f4e86697cbfe55cb0c51f07\n", + "Successfully built pandasql\n", + "Installing collected packages: pandasql\n", + "Successfully installed pandasql-0.7.3\n" + ] + } + ], + "source": [ + "!pip install pandasql" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "### SQL" + ] + }, + { + "cell_type": "code", + "execution_count": 131, + "metadata": {}, + "outputs": [], + "source": [ + "from pandasql import sqldf" + ] + }, + { + "cell_type": "code", + "execution_count": 186, + "metadata": {}, + "outputs": [], + "source": [ + "output = sqldf('''SELECT * FROM df LIMIT 5''')" + ] + }, + { + "cell_type": "code", + "execution_count": 187, + "metadata": {}, + "outputs": [ + { + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
tsuidid.orig_hid.orig_pid.resp_hid.resp_pprotoservicedurationconn_state...missed_byteshistoryorig_pktsorig_ip_bytesresp_pktsresp_ip_bytesorig_bytesresp_bytesis_destination_broadcasttraffic_direction
01.707758e+09C0LEGs2p93lnNEFB5f192.168.0.16865363192.168.0.153udpdns0.019866SF...0Dd1621169000internal
11.707758e+09CoIaps3LBPANWZX887192.168.0.16851657192.168.0.153udpdns0.012296SF...0Dd1621142000internal
21.707758e+09CllN3R2OE84qgP4Myl192.168.0.16851400142.250.80.74443tcpother0.016519RSTR...0DFr2128280000outgoing
31.707758e+09CnAcZTvINoaJSPmC2192.168.0.1685353224.0.0.2515353udpdns7.450594S0...0D246900000outgoing
41.707758e+09CrKvqoo2pkmR8IcKffe80::17:2915:d910:f375353ff02::fb5353udpdns7.450569S0...0D250900000IPv6
\n", + "

5 rows × 22 columns

\n", + "
" + ], + "text/plain": [ + " ts uid id.orig_h id.orig_p \\\n", + "0 1.707758e+09 C0LEGs2p93lnNEFB5f 192.168.0.168 65363 \n", + "1 1.707758e+09 CoIaps3LBPANWZX887 192.168.0.168 51657 \n", + "2 1.707758e+09 CllN3R2OE84qgP4Myl 192.168.0.168 51400 \n", + "3 1.707758e+09 CnAcZTvINoaJSPmC2 192.168.0.168 5353 \n", + "4 1.707758e+09 CrKvqoo2pkmR8IcKf fe80::17:2915:d910:f37 5353 \n", + "\n", + " id.resp_h id.resp_p proto service duration conn_state ... \\\n", + "0 192.168.0.1 53 udp dns 0.019866 SF ... \n", + "1 192.168.0.1 53 udp dns 0.012296 SF ... \n", + "2 142.250.80.74 443 tcp other 0.016519 RSTR ... \n", + "3 224.0.0.251 5353 udp dns 7.450594 S0 ... \n", + "4 ff02::fb 5353 udp dns 7.450569 S0 ... \n", + "\n", + " missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes \\\n", + "0 0 Dd 1 62 1 169 \n", + "1 0 Dd 1 62 1 142 \n", + "2 0 DFr 2 128 2 80 \n", + "3 0 D 2 469 0 0 \n", + "4 0 D 2 509 0 0 \n", + "\n", + " orig_bytes resp_bytes is_destination_broadcast traffic_direction \n", + "0 0 0 0 internal \n", + "1 0 0 0 internal \n", + "2 0 0 0 outgoing \n", + "3 0 0 0 outgoing \n", + "4 0 0 0 IPv6 \n", + "\n", + "[5 rows x 22 columns]" + ] + }, + "execution_count": 187, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "output" + ] + }, + { + "cell_type": "code", + "execution_count": 216, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "ts float64\n", + "uid object\n", + "id.orig_h object\n", + "id.orig_p int64\n", + "id.resp_h object\n", + "id.resp_p int64\n", + "proto object\n", + "service object\n", + "duration float64\n", + "conn_state object\n", + "local_orig bool\n", + "local_resp bool\n", + "missed_bytes int64\n", + "history object\n", + "orig_pkts int64\n", + "orig_ip_bytes int64\n", + "resp_pkts int64\n", + "resp_ip_bytes int64\n", + "orig_bytes int64\n", + "resp_bytes int64\n", + "is_destination_broadcast int64\n", + "traffic_direction object\n", + "dtype: object" + ] + }, + "execution_count": 216, + 
"metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "df.dtypes\n" + ] + }, + { + "cell_type": "code", + "execution_count": 188, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "Index(['ts', 'uid', 'id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p',\n", + " 'proto', 'service', 'duration', 'conn_state', 'local_orig',\n", + " 'local_resp', 'missed_bytes', 'history', 'orig_pkts', 'orig_ip_bytes',\n", + " 'resp_pkts', 'resp_ip_bytes', 'orig_bytes', 'resp_bytes',\n", + " 'is_destination_broadcast', 'traffic_direction'],\n", + " dtype='object')" + ] + }, + "execution_count": 188, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "output.columns" + ] + }, + { + "cell_type": "code", + "execution_count": 153, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "Index(['ts', 'uid', 'id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p',\n", + " 'proto', 'service', 'duration', 'conn_state', 'local_orig',\n", + " 'local_resp', 'missed_bytes', 'history', 'orig_pkts', 'orig_ip_bytes',\n", + " 'resp_pkts', 'resp_ip_bytes', 'orig_bytes', 'resp_bytes'],\n", + " dtype='object')" + ] + }, + "execution_count": 153, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "output.columns" + ] + }, + { + "cell_type": "code", + "execution_count": 214, + "metadata": {}, + "outputs": [], + "source": [ + "query = '''\n", + "SELECT id.orig_h, id.orig_p, id.resp_h, id.resp_p, AVG(b.duration) as avg_duration\n", + "FROM df a \n", + "JOIN df b\n", + "ON a.id.orig_h = b.id.orig_h AND a.id.orig_p = b.id.orig_p AND a.id.resp_h = b.id.resp_h AND a.id.resp_p = b.id.resp_p\n", + "\n", + "WHERE a.ts - b.ts <= 60\n", + "GROUP BY a.id.orig_h, a.id.orig_p, a.id.resp_h, a.id.resp_p\n", + "'''\n", + "\n", + "#calculate AVG(value) OVER (PARTITION BY group)\n", + "#df['mean_value'] = df.groupby('group').value.transform(np.mean)" + ] + }, + { + "cell_type": "code", + "execution_count": 222, + "metadata": {}, 
+ "outputs": [ + { + "data": { + "text/plain": [ + "ts float64\n", + "uid object\n", + "id.orig_h object\n", + "id.orig_p int64\n", + "id.resp_h object\n", + "id.resp_p int64\n", + "proto object\n", + "service object\n", + "duration float64\n", + "conn_state object\n", + "local_orig bool\n", + "local_resp bool\n", + "missed_bytes int64\n", + "history object\n", + "orig_pkts int64\n", + "orig_ip_bytes int64\n", + "resp_pkts int64\n", + "resp_ip_bytes int64\n", + "orig_bytes int64\n", + "resp_bytes int64\n", + "is_destination_broadcast int64\n", + "traffic_direction object\n", + "dtype: object" + ] + }, + "execution_count": 222, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "df.dtypes" + ] + }, + { + "cell_type": "code", + "execution_count": 221, + "metadata": {}, + "outputs": [ + { + "ename": "ValueError", + "evalue": "The type of id.orig_p is not a SQLAlchemy type", + "output_type": "error", + "traceback": [ + "\u001b[0;31m---------------------------------------------------------------------------\u001b[0m", + "\u001b[0;31mValueError\u001b[0m Traceback (most recent call last)", + "\u001b[1;32m/Users/Zoe_1/Documents/VS/NYU/NIDS/NIDS/zoe_eda.ipynb Cell 44\u001b[0m line \u001b[0;36m\u001b[0;34m()\u001b[0m\n\u001b[1;32m 6\u001b[0m df_dtypes \u001b[39m=\u001b[39m {\u001b[39m'\u001b[39m\u001b[39mid.orig_p\u001b[39m\u001b[39m'\u001b[39m: \u001b[39m'\u001b[39m\u001b[39mINTEGER\u001b[39m\u001b[39m'\u001b[39m, \u001b[39m'\u001b[39m\u001b[39mid.resp_p\u001b[39m\u001b[39m'\u001b[39m: \u001b[39m'\u001b[39m\u001b[39mINTEGER\u001b[39m\u001b[39m'\u001b[39m}\n\u001b[1;32m 7\u001b[0m \u001b[39m# df_dtypes = {'id.orig_h': 'VARCHAR', 'id.orig_p': 'INTEGER', 'id.resp_h': 'VARCHAR', 'id.resp_p': 'INTEGER'}\u001b[39;00m\n\u001b[0;32m----> 8\u001b[0m df\u001b[39m.\u001b[39;49mto_sql(\u001b[39m'\u001b[39;49m\u001b[39mdf\u001b[39;49m\u001b[39m'\u001b[39;49m, engine, index\u001b[39m=\u001b[39;49m\u001b[39mFalse\u001b[39;49;00m, 
dtype\u001b[39m=\u001b[39;49mdf_dtypes)\n\u001b[1;32m 9\u001b[0m \u001b[39m# df.to_sql('df', engine, index=False) # Replace 'df' with your desired table name\u001b[39;00m\n\u001b[1;32m 10\u001b[0m result_df \u001b[39m=\u001b[39m pd\u001b[39m.\u001b[39mread_sql(\u001b[39m'\u001b[39m\u001b[39mSELECT id.orig_p,id.resp_p FROM df\u001b[39m\u001b[39m'\u001b[39m, engine)\n", + "File \u001b[0;32m~/opt/anaconda3/lib/python3.9/site-packages/pandas/core/generic.py:2951\u001b[0m, in \u001b[0;36mNDFrame.to_sql\u001b[0;34m(self, name, con, schema, if_exists, index, index_label, chunksize, dtype, method)\u001b[0m\n\u001b[1;32m 2794\u001b[0m \u001b[39m\"\"\"\u001b[39;00m\n\u001b[1;32m 2795\u001b[0m \u001b[39mWrite records stored in a DataFrame to a SQL database.\u001b[39;00m\n\u001b[1;32m 2796\u001b[0m \n\u001b[0;32m (...)\u001b[0m\n\u001b[1;32m 2947\u001b[0m \u001b[39m[(1,), (None,), (2,)]\u001b[39;00m\n\u001b[1;32m 2948\u001b[0m \u001b[39m\"\"\"\u001b[39;00m \u001b[39m# noqa:E501\u001b[39;00m\n\u001b[1;32m 2949\u001b[0m \u001b[39mfrom\u001b[39;00m \u001b[39mpandas\u001b[39;00m\u001b[39m.\u001b[39;00m\u001b[39mio\u001b[39;00m \u001b[39mimport\u001b[39;00m sql\n\u001b[0;32m-> 2951\u001b[0m \u001b[39mreturn\u001b[39;00m sql\u001b[39m.\u001b[39;49mto_sql(\n\u001b[1;32m 2952\u001b[0m \u001b[39mself\u001b[39;49m,\n\u001b[1;32m 2953\u001b[0m name,\n\u001b[1;32m 2954\u001b[0m con,\n\u001b[1;32m 2955\u001b[0m schema\u001b[39m=\u001b[39;49mschema,\n\u001b[1;32m 2956\u001b[0m if_exists\u001b[39m=\u001b[39;49mif_exists,\n\u001b[1;32m 2957\u001b[0m index\u001b[39m=\u001b[39;49mindex,\n\u001b[1;32m 2958\u001b[0m index_label\u001b[39m=\u001b[39;49mindex_label,\n\u001b[1;32m 2959\u001b[0m chunksize\u001b[39m=\u001b[39;49mchunksize,\n\u001b[1;32m 2960\u001b[0m dtype\u001b[39m=\u001b[39;49mdtype,\n\u001b[1;32m 2961\u001b[0m method\u001b[39m=\u001b[39;49mmethod,\n\u001b[1;32m 2962\u001b[0m )\n", + "File \u001b[0;32m~/opt/anaconda3/lib/python3.9/site-packages/pandas/io/sql.py:697\u001b[0m, in 
\u001b[0;36mto_sql\u001b[0;34m(frame, name, con, schema, if_exists, index, index_label, chunksize, dtype, method, engine, **engine_kwargs)\u001b[0m\n\u001b[1;32m 692\u001b[0m \u001b[39melif\u001b[39;00m \u001b[39mnot\u001b[39;00m \u001b[39misinstance\u001b[39m(frame, DataFrame):\n\u001b[1;32m 693\u001b[0m \u001b[39mraise\u001b[39;00m \u001b[39mNotImplementedError\u001b[39;00m(\n\u001b[1;32m 694\u001b[0m \u001b[39m\"\u001b[39m\u001b[39m'\u001b[39m\u001b[39mframe\u001b[39m\u001b[39m'\u001b[39m\u001b[39m argument should be either a Series or a DataFrame\u001b[39m\u001b[39m\"\u001b[39m\n\u001b[1;32m 695\u001b[0m )\n\u001b[0;32m--> 697\u001b[0m \u001b[39mreturn\u001b[39;00m pandas_sql\u001b[39m.\u001b[39;49mto_sql(\n\u001b[1;32m 698\u001b[0m frame,\n\u001b[1;32m 699\u001b[0m name,\n\u001b[1;32m 700\u001b[0m if_exists\u001b[39m=\u001b[39;49mif_exists,\n\u001b[1;32m 701\u001b[0m index\u001b[39m=\u001b[39;49mindex,\n\u001b[1;32m 702\u001b[0m index_label\u001b[39m=\u001b[39;49mindex_label,\n\u001b[1;32m 703\u001b[0m schema\u001b[39m=\u001b[39;49mschema,\n\u001b[1;32m 704\u001b[0m chunksize\u001b[39m=\u001b[39;49mchunksize,\n\u001b[1;32m 705\u001b[0m dtype\u001b[39m=\u001b[39;49mdtype,\n\u001b[1;32m 706\u001b[0m method\u001b[39m=\u001b[39;49mmethod,\n\u001b[1;32m 707\u001b[0m engine\u001b[39m=\u001b[39;49mengine,\n\u001b[1;32m 708\u001b[0m \u001b[39m*\u001b[39;49m\u001b[39m*\u001b[39;49mengine_kwargs,\n\u001b[1;32m 709\u001b[0m )\n", + "File \u001b[0;32m~/opt/anaconda3/lib/python3.9/site-packages/pandas/io/sql.py:1729\u001b[0m, in \u001b[0;36mSQLDatabase.to_sql\u001b[0;34m(self, frame, name, if_exists, index, index_label, schema, chunksize, dtype, method, engine, **engine_kwargs)\u001b[0m\n\u001b[1;32m 1679\u001b[0m \u001b[39m\"\"\"\u001b[39;00m\n\u001b[1;32m 1680\u001b[0m \u001b[39mWrite records stored in a DataFrame to a SQL database.\u001b[39;00m\n\u001b[1;32m 1681\u001b[0m \n\u001b[0;32m (...)\u001b[0m\n\u001b[1;32m 1725\u001b[0m \u001b[39m Any additional kwargs are 
passed to the engine.\u001b[39;00m\n\u001b[1;32m 1726\u001b[0m \u001b[39m\"\"\"\u001b[39;00m\n\u001b[1;32m 1727\u001b[0m sql_engine \u001b[39m=\u001b[39m get_engine(engine)\n\u001b[0;32m-> 1729\u001b[0m table \u001b[39m=\u001b[39m \u001b[39mself\u001b[39;49m\u001b[39m.\u001b[39;49mprep_table(\n\u001b[1;32m 1730\u001b[0m frame\u001b[39m=\u001b[39;49mframe,\n\u001b[1;32m 1731\u001b[0m name\u001b[39m=\u001b[39;49mname,\n\u001b[1;32m 1732\u001b[0m if_exists\u001b[39m=\u001b[39;49mif_exists,\n\u001b[1;32m 1733\u001b[0m index\u001b[39m=\u001b[39;49mindex,\n\u001b[1;32m 1734\u001b[0m index_label\u001b[39m=\u001b[39;49mindex_label,\n\u001b[1;32m 1735\u001b[0m schema\u001b[39m=\u001b[39;49mschema,\n\u001b[1;32m 1736\u001b[0m dtype\u001b[39m=\u001b[39;49mdtype,\n\u001b[1;32m 1737\u001b[0m )\n\u001b[1;32m 1739\u001b[0m total_inserted \u001b[39m=\u001b[39m sql_engine\u001b[39m.\u001b[39minsert_records(\n\u001b[1;32m 1740\u001b[0m table\u001b[39m=\u001b[39mtable,\n\u001b[1;32m 1741\u001b[0m con\u001b[39m=\u001b[39m\u001b[39mself\u001b[39m\u001b[39m.\u001b[39mconnectable,\n\u001b[0;32m (...)\u001b[0m\n\u001b[1;32m 1748\u001b[0m \u001b[39m*\u001b[39m\u001b[39m*\u001b[39mengine_kwargs,\n\u001b[1;32m 1749\u001b[0m )\n\u001b[1;32m 1751\u001b[0m \u001b[39mself\u001b[39m\u001b[39m.\u001b[39mcheck_case_sensitive(name\u001b[39m=\u001b[39mname, schema\u001b[39m=\u001b[39mschema)\n", + "File \u001b[0;32m~/opt/anaconda3/lib/python3.9/site-packages/pandas/io/sql.py:1616\u001b[0m, in \u001b[0;36mSQLDatabase.prep_table\u001b[0;34m(self, frame, name, if_exists, index, index_label, schema, dtype)\u001b[0m\n\u001b[1;32m 1614\u001b[0m \u001b[39mfor\u001b[39;00m col, my_type \u001b[39min\u001b[39;00m dtype\u001b[39m.\u001b[39mitems():\n\u001b[1;32m 1615\u001b[0m \u001b[39mif\u001b[39;00m \u001b[39mnot\u001b[39;00m \u001b[39misinstance\u001b[39m(to_instance(my_type), TypeEngine):\n\u001b[0;32m-> 1616\u001b[0m \u001b[39mraise\u001b[39;00m 
\u001b[39mValueError\u001b[39;00m(\u001b[39mf\u001b[39m\u001b[39m\"\u001b[39m\u001b[39mThe type of \u001b[39m\u001b[39m{\u001b[39;00mcol\u001b[39m}\u001b[39;00m\u001b[39m is not a SQLAlchemy type\u001b[39m\u001b[39m\"\u001b[39m)\n\u001b[1;32m 1618\u001b[0m table \u001b[39m=\u001b[39m SQLTable(\n\u001b[1;32m 1619\u001b[0m name,\n\u001b[1;32m 1620\u001b[0m \u001b[39mself\u001b[39m,\n\u001b[0;32m (...)\u001b[0m\n\u001b[1;32m 1626\u001b[0m dtype\u001b[39m=\u001b[39mdtype,\n\u001b[1;32m 1627\u001b[0m )\n\u001b[1;32m 1628\u001b[0m table\u001b[39m.\u001b[39mcreate()\n", + "\u001b[0;31mValueError\u001b[0m: The type of id.orig_p is not a SQLAlchemy type" + ] + } + ], + "source": [ + "import sqlite3\n", + "from sqlalchemy.types import VARCHAR, INTEGER, FLOAT\n", + "# cursor = conn.cursor()\n", + "from sqlalchemy import create_engine\n", + "engine = create_engine('sqlite://', echo=False) #Create an in-memory SQLite database.\n", + "df_dtypes = {'id.orig_p': 'INTEGER', 'id.resp_p': 'INTEGER'}\n", + "# df_dtypes = {'id.orig_h': 'VARCHAR', 'id.orig_p': 'INTEGER', 'id.resp_h': 'VARCHAR', 'id.resp_p': 'INTEGER'}\n", + "df.to_sql('df', engine, index=False, dtype=df_dtypes)\n", + "# df.to_sql('df', engine, index=False) # Replace 'df' with your desired table name\n", + "result_df = pd.read_sql('SELECT id.orig_p,id.resp_p FROM df', engine)\n", + "# result_df = pd.read_sql('SELECT id.orig_h, id.orig_p, id.resp_h, id.resp_p FROM df', engine)\n", + "# df.to_sql(name='df_sql', con=engine)\n", + "\n" + ] + }, + { + "cell_type": "code", + "execution_count": 211, + "metadata": {}, + "outputs": [ + { + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " 
\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
tsuidid.orig_hid.orig_pid.resp_hid.resp_pprotoservicedurationconn_state...missed_byteshistoryorig_pktsorig_ip_bytesresp_pktsresp_ip_bytesorig_bytesresp_bytesis_destination_broadcasttraffic_direction
01.707758e+09C0LEGs2p93lnNEFB5f192.168.0.16865363192.168.0.153udpdns0.019866SF...0Dd1621169000internal
11.707758e+09CoIaps3LBPANWZX887192.168.0.16851657192.168.0.153udpdns0.012296SF...0Dd1621142000internal
21.707758e+09CllN3R2OE84qgP4Myl192.168.0.16851400142.250.80.74443tcpother0.016519RSTR...0DFr2128280000outgoing
31.707758e+09CnAcZTvINoaJSPmC2192.168.0.1685353224.0.0.2515353udpdns7.450594S0...0D246900000outgoing
41.707758e+09CrKvqoo2pkmR8IcKffe80::17:2915:d910:f375353ff02::fb5353udpdns7.450569S0...0D250900000IPv6
..................................................................
601.707762e+09CmsBId1mQSH21Nn8Xf192.168.0.1685147320.189.172.32443tcpssl0.347173SF...0ShADdfFa12192195408000outgoing
611.707762e+09CPrXFE2XI3xFN2x4x6192.168.0.1685148020.189.172.32443tcpssl0.332572SF...0ShADdfFa12192195408000outgoing
621.707762e+09CKX629PWRVQsJH3Df192.168.0.1685148120.189.172.32443tcpssl0.338312SF...0ShADdfFa12192195408000outgoing
631.707762e+09CGzmAv3TE4THf4pQ5d192.168.0.1685148220.189.172.32443tcpssl0.343127SF...0ShADdfFa12248495408000outgoing
641.707762e+09CUN2d84adrzHQOxdJi192.168.0.16851445140.82.112.25443tcpother0.022740RSTRH...0Ar140140000outgoing
\n", + "

65 rows × 22 columns

\n", + "
" + ], + "text/plain": [ + " ts uid id.orig_h id.orig_p \\\n", + "0 1.707758e+09 C0LEGs2p93lnNEFB5f 192.168.0.168 65363 \n", + "1 1.707758e+09 CoIaps3LBPANWZX887 192.168.0.168 51657 \n", + "2 1.707758e+09 CllN3R2OE84qgP4Myl 192.168.0.168 51400 \n", + "3 1.707758e+09 CnAcZTvINoaJSPmC2 192.168.0.168 5353 \n", + "4 1.707758e+09 CrKvqoo2pkmR8IcKf fe80::17:2915:d910:f37 5353 \n", + ".. ... ... ... ... \n", + "60 1.707762e+09 CmsBId1mQSH21Nn8Xf 192.168.0.168 51473 \n", + "61 1.707762e+09 CPrXFE2XI3xFN2x4x6 192.168.0.168 51480 \n", + "62 1.707762e+09 CKX629PWRVQsJH3Df 192.168.0.168 51481 \n", + "63 1.707762e+09 CGzmAv3TE4THf4pQ5d 192.168.0.168 51482 \n", + "64 1.707762e+09 CUN2d84adrzHQOxdJi 192.168.0.168 51445 \n", + "\n", + " id.resp_h id.resp_p proto service duration conn_state ... \\\n", + "0 192.168.0.1 53 udp dns 0.019866 SF ... \n", + "1 192.168.0.1 53 udp dns 0.012296 SF ... \n", + "2 142.250.80.74 443 tcp other 0.016519 RSTR ... \n", + "3 224.0.0.251 5353 udp dns 7.450594 S0 ... \n", + "4 ff02::fb 5353 udp dns 7.450569 S0 ... \n", + ".. ... ... ... ... ... ... ... \n", + "60 20.189.172.32 443 tcp ssl 0.347173 SF ... \n", + "61 20.189.172.32 443 tcp ssl 0.332572 SF ... \n", + "62 20.189.172.32 443 tcp ssl 0.338312 SF ... \n", + "63 20.189.172.32 443 tcp ssl 0.343127 SF ... \n", + "64 140.82.112.25 443 tcp other 0.022740 RSTRH ... \n", + "\n", + " missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes \\\n", + "0 0 Dd 1 62 1 169 \n", + "1 0 Dd 1 62 1 142 \n", + "2 0 DFr 2 128 2 80 \n", + "3 0 D 2 469 0 0 \n", + "4 0 D 2 509 0 0 \n", + ".. ... ... ... ... ... ... \n", + "60 0 ShADdfFa 12 1921 9 5408 \n", + "61 0 ShADdfFa 12 1921 9 5408 \n", + "62 0 ShADdfFa 12 1921 9 5408 \n", + "63 0 ShADdfFa 12 2484 9 5408 \n", + "64 0 Ar 1 40 1 40 \n", + "\n", + " orig_bytes resp_bytes is_destination_broadcast traffic_direction \n", + "0 0 0 0 internal \n", + "1 0 0 0 internal \n", + "2 0 0 0 outgoing \n", + "3 0 0 0 outgoing \n", + "4 0 0 0 IPv6 \n", + ".. ... ... 
... ... \n", + "60 0 0 0 outgoing \n", + "61 0 0 0 outgoing \n", + "62 0 0 0 outgoing \n", + "63 0 0 0 outgoing \n", + "64 0 0 0 outgoing \n", + "\n", + "[65 rows x 22 columns]" + ] + }, + "execution_count": 211, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "result_df" + ] + }, + { + "cell_type": "code", + "execution_count": 215, + "metadata": {}, + "outputs": [ + { + "ename": "OperationalError", + "evalue": "(sqlite3.OperationalError) no such column: id.orig_h\n[SQL: \nSELECT id.orig_h, id.orig_p, id.resp_h, id.resp_p, AVG(b.duration) as avg_duration\nFROM df a \nJOIN df b\nON a.id.orig_h = b.id.orig_h AND a.id.orig_p = b.id.orig_p AND a.id.resp_h = b.id.resp_h AND a.id.resp_p = b.id.resp_p\n\nWHERE a.ts - b.ts <= 60\nGROUP BY a.id.orig_h, a.id.orig_p, a.id.resp_h, a.id.resp_p\n]\n(Background on this error at: https://sqlalche.me/e/14/e3q8)", + "output_type": "error", + "traceback": [ + "\u001b[0;31m---------------------------------------------------------------------------\u001b[0m", + "\u001b[0;31mOperationalError\u001b[0m Traceback (most recent call last)", + "File \u001b[0;32m~/opt/anaconda3/lib/python3.9/site-packages/sqlalchemy/engine/base.py:1808\u001b[0m, in \u001b[0;36mConnection._execute_context\u001b[0;34m(self, dialect, constructor, statement, parameters, execution_options, *args, **kw)\u001b[0m\n\u001b[1;32m 1807\u001b[0m \u001b[39mif\u001b[39;00m \u001b[39mnot\u001b[39;00m evt_handled:\n\u001b[0;32m-> 1808\u001b[0m \u001b[39mself\u001b[39;49m\u001b[39m.\u001b[39;49mdialect\u001b[39m.\u001b[39;49mdo_execute(\n\u001b[1;32m 1809\u001b[0m cursor, statement, parameters, context\n\u001b[1;32m 1810\u001b[0m )\n\u001b[1;32m 1812\u001b[0m \u001b[39mif\u001b[39;00m \u001b[39mself\u001b[39m\u001b[39m.\u001b[39m_has_events \u001b[39mor\u001b[39;00m \u001b[39mself\u001b[39m\u001b[39m.\u001b[39mengine\u001b[39m.\u001b[39m_has_events:\n", + "File 
\u001b[0;32m~/opt/anaconda3/lib/python3.9/site-packages/sqlalchemy/engine/default.py:732\u001b[0m, in \u001b[0;36mDefaultDialect.do_execute\u001b[0;34m(self, cursor, statement, parameters, context)\u001b[0m\n\u001b[1;32m 731\u001b[0m \u001b[39mdef\u001b[39;00m \u001b[39mdo_execute\u001b[39m(\u001b[39mself\u001b[39m, cursor, statement, parameters, context\u001b[39m=\u001b[39m\u001b[39mNone\u001b[39;00m):\n\u001b[0;32m--> 732\u001b[0m cursor\u001b[39m.\u001b[39;49mexecute(statement, parameters)\n", + "\u001b[0;31mOperationalError\u001b[0m: no such column: id.orig_h", + "\nThe above exception was the direct cause of the following exception:\n", + "\u001b[0;31mOperationalError\u001b[0m Traceback (most recent call last)", + "\u001b[1;32m/Users/Zoe_1/Documents/VS/NYU/NIDS/NIDS/zoe_eda.ipynb Cell 44\u001b[0m line \u001b[0;36m\u001b[0;34m()\u001b[0m\n\u001b[1;32m 1\u001b[0m \u001b[39mfrom\u001b[39;00m \u001b[39msqlalchemy\u001b[39;00m \u001b[39mimport\u001b[39;00m text\n\u001b[1;32m 2\u001b[0m \u001b[39mwith\u001b[39;00m engine\u001b[39m.\u001b[39mconnect() \u001b[39mas\u001b[39;00m conn:\n\u001b[0;32m----> 3\u001b[0m conn\u001b[39m.\u001b[39;49mexecute(text(query))\u001b[39m.\u001b[39mfetchall()\n", + "File \u001b[0;32m~/opt/anaconda3/lib/python3.9/site-packages/sqlalchemy/engine/base.py:1295\u001b[0m, in \u001b[0;36mConnection.execute\u001b[0;34m(self, statement, *multiparams, **params)\u001b[0m\n\u001b[1;32m 1291\u001b[0m util\u001b[39m.\u001b[39mraise_(\n\u001b[1;32m 1292\u001b[0m exc\u001b[39m.\u001b[39mObjectNotExecutableError(statement), replace_context\u001b[39m=\u001b[39merr\n\u001b[1;32m 1293\u001b[0m )\n\u001b[1;32m 1294\u001b[0m \u001b[39melse\u001b[39;00m:\n\u001b[0;32m-> 1295\u001b[0m \u001b[39mreturn\u001b[39;00m meth(\u001b[39mself\u001b[39;49m, multiparams, params, _EMPTY_EXECUTION_OPTS)\n", + "File \u001b[0;32m~/opt/anaconda3/lib/python3.9/site-packages/sqlalchemy/sql/elements.py:325\u001b[0m, in 
\u001b[0;36mClauseElement._execute_on_connection\u001b[0;34m(self, connection, multiparams, params, execution_options, _force)\u001b[0m\n\u001b[1;32m 321\u001b[0m \u001b[39mdef\u001b[39;00m \u001b[39m_execute_on_connection\u001b[39m(\n\u001b[1;32m 322\u001b[0m \u001b[39mself\u001b[39m, connection, multiparams, params, execution_options, _force\u001b[39m=\u001b[39m\u001b[39mFalse\u001b[39;00m\n\u001b[1;32m 323\u001b[0m ):\n\u001b[1;32m 324\u001b[0m \u001b[39mif\u001b[39;00m _force \u001b[39mor\u001b[39;00m \u001b[39mself\u001b[39m\u001b[39m.\u001b[39msupports_execution:\n\u001b[0;32m--> 325\u001b[0m \u001b[39mreturn\u001b[39;00m connection\u001b[39m.\u001b[39;49m_execute_clauseelement(\n\u001b[1;32m 326\u001b[0m \u001b[39mself\u001b[39;49m, multiparams, params, execution_options\n\u001b[1;32m 327\u001b[0m )\n\u001b[1;32m 328\u001b[0m \u001b[39melse\u001b[39;00m:\n\u001b[1;32m 329\u001b[0m \u001b[39mraise\u001b[39;00m exc\u001b[39m.\u001b[39mObjectNotExecutableError(\u001b[39mself\u001b[39m)\n", + "File \u001b[0;32m~/opt/anaconda3/lib/python3.9/site-packages/sqlalchemy/engine/base.py:1487\u001b[0m, in \u001b[0;36mConnection._execute_clauseelement\u001b[0;34m(self, elem, multiparams, params, execution_options)\u001b[0m\n\u001b[1;32m 1475\u001b[0m compiled_cache \u001b[39m=\u001b[39m execution_options\u001b[39m.\u001b[39mget(\n\u001b[1;32m 1476\u001b[0m \u001b[39m\"\u001b[39m\u001b[39mcompiled_cache\u001b[39m\u001b[39m\"\u001b[39m, \u001b[39mself\u001b[39m\u001b[39m.\u001b[39mengine\u001b[39m.\u001b[39m_compiled_cache\n\u001b[1;32m 1477\u001b[0m )\n\u001b[1;32m 1479\u001b[0m compiled_sql, extracted_params, cache_hit \u001b[39m=\u001b[39m elem\u001b[39m.\u001b[39m_compile_w_cache(\n\u001b[1;32m 1480\u001b[0m dialect\u001b[39m=\u001b[39mdialect,\n\u001b[1;32m 1481\u001b[0m compiled_cache\u001b[39m=\u001b[39mcompiled_cache,\n\u001b[0;32m (...)\u001b[0m\n\u001b[1;32m 1485\u001b[0m 
linting\u001b[39m=\u001b[39m\u001b[39mself\u001b[39m\u001b[39m.\u001b[39mdialect\u001b[39m.\u001b[39mcompiler_linting \u001b[39m|\u001b[39m compiler\u001b[39m.\u001b[39mWARN_LINTING,\n\u001b[1;32m 1486\u001b[0m )\n\u001b[0;32m-> 1487\u001b[0m ret \u001b[39m=\u001b[39m \u001b[39mself\u001b[39;49m\u001b[39m.\u001b[39;49m_execute_context(\n\u001b[1;32m 1488\u001b[0m dialect,\n\u001b[1;32m 1489\u001b[0m dialect\u001b[39m.\u001b[39;49mexecution_ctx_cls\u001b[39m.\u001b[39;49m_init_compiled,\n\u001b[1;32m 1490\u001b[0m compiled_sql,\n\u001b[1;32m 1491\u001b[0m distilled_params,\n\u001b[1;32m 1492\u001b[0m execution_options,\n\u001b[1;32m 1493\u001b[0m compiled_sql,\n\u001b[1;32m 1494\u001b[0m distilled_params,\n\u001b[1;32m 1495\u001b[0m elem,\n\u001b[1;32m 1496\u001b[0m extracted_params,\n\u001b[1;32m 1497\u001b[0m cache_hit\u001b[39m=\u001b[39;49mcache_hit,\n\u001b[1;32m 1498\u001b[0m )\n\u001b[1;32m 1499\u001b[0m \u001b[39mif\u001b[39;00m has_events:\n\u001b[1;32m 1500\u001b[0m \u001b[39mself\u001b[39m\u001b[39m.\u001b[39mdispatch\u001b[39m.\u001b[39mafter_execute(\n\u001b[1;32m 1501\u001b[0m \u001b[39mself\u001b[39m,\n\u001b[1;32m 1502\u001b[0m elem,\n\u001b[0;32m (...)\u001b[0m\n\u001b[1;32m 1506\u001b[0m ret,\n\u001b[1;32m 1507\u001b[0m )\n", + "File \u001b[0;32m~/opt/anaconda3/lib/python3.9/site-packages/sqlalchemy/engine/base.py:1851\u001b[0m, in \u001b[0;36mConnection._execute_context\u001b[0;34m(self, dialect, constructor, statement, parameters, execution_options, *args, **kw)\u001b[0m\n\u001b[1;32m 1848\u001b[0m branched\u001b[39m.\u001b[39mclose()\n\u001b[1;32m 1850\u001b[0m \u001b[39mexcept\u001b[39;00m \u001b[39mBaseException\u001b[39;00m \u001b[39mas\u001b[39;00m e:\n\u001b[0;32m-> 1851\u001b[0m \u001b[39mself\u001b[39;49m\u001b[39m.\u001b[39;49m_handle_dbapi_exception(\n\u001b[1;32m 1852\u001b[0m e, statement, parameters, cursor, context\n\u001b[1;32m 1853\u001b[0m )\n\u001b[1;32m 1855\u001b[0m \u001b[39mreturn\u001b[39;00m result\n", + "File 
\u001b[0;32m~/opt/anaconda3/lib/python3.9/site-packages/sqlalchemy/engine/base.py:2032\u001b[0m, in \u001b[0;36mConnection._handle_dbapi_exception\u001b[0;34m(self, e, statement, parameters, cursor, context)\u001b[0m\n\u001b[1;32m 2030\u001b[0m util\u001b[39m.\u001b[39mraise_(newraise, with_traceback\u001b[39m=\u001b[39mexc_info[\u001b[39m2\u001b[39m], from_\u001b[39m=\u001b[39me)\n\u001b[1;32m 2031\u001b[0m \u001b[39melif\u001b[39;00m should_wrap:\n\u001b[0;32m-> 2032\u001b[0m util\u001b[39m.\u001b[39;49mraise_(\n\u001b[1;32m 2033\u001b[0m sqlalchemy_exception, with_traceback\u001b[39m=\u001b[39;49mexc_info[\u001b[39m2\u001b[39;49m], from_\u001b[39m=\u001b[39;49me\n\u001b[1;32m 2034\u001b[0m )\n\u001b[1;32m 2035\u001b[0m \u001b[39melse\u001b[39;00m:\n\u001b[1;32m 2036\u001b[0m util\u001b[39m.\u001b[39mraise_(exc_info[\u001b[39m1\u001b[39m], with_traceback\u001b[39m=\u001b[39mexc_info[\u001b[39m2\u001b[39m])\n", + "File \u001b[0;32m~/opt/anaconda3/lib/python3.9/site-packages/sqlalchemy/util/compat.py:207\u001b[0m, in \u001b[0;36mraise_\u001b[0;34m(***failed resolving arguments***)\u001b[0m\n\u001b[1;32m 204\u001b[0m exception\u001b[39m.\u001b[39m__cause__ \u001b[39m=\u001b[39m replace_context\n\u001b[1;32m 206\u001b[0m \u001b[39mtry\u001b[39;00m:\n\u001b[0;32m--> 207\u001b[0m \u001b[39mraise\u001b[39;00m exception\n\u001b[1;32m 208\u001b[0m \u001b[39mfinally\u001b[39;00m:\n\u001b[1;32m 209\u001b[0m \u001b[39m# credit to\u001b[39;00m\n\u001b[1;32m 210\u001b[0m \u001b[39m# https://cosmicpercolator.com/2016/01/13/exception-leaks-in-python-2-and-3/\u001b[39;00m\n\u001b[1;32m 211\u001b[0m \u001b[39m# as the __traceback__ object creates a cycle\u001b[39;00m\n\u001b[1;32m 212\u001b[0m \u001b[39mdel\u001b[39;00m exception, replace_context, from_, with_traceback\n", + "File \u001b[0;32m~/opt/anaconda3/lib/python3.9/site-packages/sqlalchemy/engine/base.py:1808\u001b[0m, in \u001b[0;36mConnection._execute_context\u001b[0;34m(self, dialect, constructor, statement, parameters, 
execution_options, *args, **kw)\u001b[0m\n\u001b[1;32m 1806\u001b[0m \u001b[39mbreak\u001b[39;00m\n\u001b[1;32m 1807\u001b[0m \u001b[39mif\u001b[39;00m \u001b[39mnot\u001b[39;00m evt_handled:\n\u001b[0;32m-> 1808\u001b[0m \u001b[39mself\u001b[39;49m\u001b[39m.\u001b[39;49mdialect\u001b[39m.\u001b[39;49mdo_execute(\n\u001b[1;32m 1809\u001b[0m cursor, statement, parameters, context\n\u001b[1;32m 1810\u001b[0m )\n\u001b[1;32m 1812\u001b[0m \u001b[39mif\u001b[39;00m \u001b[39mself\u001b[39m\u001b[39m.\u001b[39m_has_events \u001b[39mor\u001b[39;00m \u001b[39mself\u001b[39m\u001b[39m.\u001b[39mengine\u001b[39m.\u001b[39m_has_events:\n\u001b[1;32m 1813\u001b[0m \u001b[39mself\u001b[39m\u001b[39m.\u001b[39mdispatch\u001b[39m.\u001b[39mafter_cursor_execute(\n\u001b[1;32m 1814\u001b[0m \u001b[39mself\u001b[39m,\n\u001b[1;32m 1815\u001b[0m cursor,\n\u001b[0;32m (...)\u001b[0m\n\u001b[1;32m 1819\u001b[0m context\u001b[39m.\u001b[39mexecutemany,\n\u001b[1;32m 1820\u001b[0m )\n", + "File \u001b[0;32m~/opt/anaconda3/lib/python3.9/site-packages/sqlalchemy/engine/default.py:732\u001b[0m, in \u001b[0;36mDefaultDialect.do_execute\u001b[0;34m(self, cursor, statement, parameters, context)\u001b[0m\n\u001b[1;32m 731\u001b[0m \u001b[39mdef\u001b[39;00m \u001b[39mdo_execute\u001b[39m(\u001b[39mself\u001b[39m, cursor, statement, parameters, context\u001b[39m=\u001b[39m\u001b[39mNone\u001b[39;00m):\n\u001b[0;32m--> 732\u001b[0m cursor\u001b[39m.\u001b[39;49mexecute(statement, parameters)\n", + "\u001b[0;31mOperationalError\u001b[0m: (sqlite3.OperationalError) no such column: id.orig_h\n[SQL: \nSELECT id.orig_h, id.orig_p, id.resp_h, id.resp_p, AVG(b.duration) as avg_duration\nFROM df a \nJOIN df b\nON a.id.orig_h = b.id.orig_h AND a.id.orig_p = b.id.orig_p AND a.id.resp_h = b.id.resp_h AND a.id.resp_p = b.id.resp_p\n\nWHERE a.ts - b.ts <= 60\nGROUP BY a.id.orig_h, a.id.orig_p, a.id.resp_h, a.id.resp_p\n]\n(Background on this error at: https://sqlalche.me/e/14/e3q8)" + ] + } + ], + "source": 
[ + "from sqlalchemy import text\n", + "with engine.connect() as conn:\n", + " conn.execute(text(query)).fetchall()" + ] + }, + { + "cell_type": "code", + "execution_count": 175, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "Index(['ts', 'uid', 'id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p',\n", + " 'proto', 'service', 'duration', 'conn_state', 'local_orig',\n", + " 'local_resp', 'missed_bytes', 'history', 'orig_pkts', 'orig_ip_bytes',\n", + " 'resp_pkts', 'resp_ip_bytes', 'orig_bytes', 'resp_bytes',\n", + " 'is_destination_broadcast', 'traffic_direction'],\n", + " dtype='object')" + ] + }, + "execution_count": 175, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "df.columns" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "### Pandas" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "#### EDA" + ] + }, + { + "cell_type": "code", + "execution_count": 435, + "metadata": {}, + "outputs": [], + "source": [ + "#'ts' is unix format\n", + "#import \n", + "from datetime import datetime" + ] + }, + { + "cell_type": "code", + "execution_count": 311, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "2024-02-12 12:13:20\n" + ] + } + ], + "source": [ + "from datetime import datetime\n", + "print(datetime.fromtimestamp(1.707758e+09))" + ] + }, + { + "cell_type": "code", + "execution_count": 314, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "(65, 22)" + ] + }, + "execution_count": 314, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "df.shape" + ] + }, + { + "cell_type": "code", + "execution_count": 282, + "metadata": {}, + "outputs": [], + "source": [ + "# Knowing that there is only 1 group that has the same id.orig_h, id.orig_p, id.resp_h, id.resp_p\n", + "fil = df[(df['id.orig_h'] == '192.168.0.168') & (df['id.orig_p'] == 51428)]" + ] + }, + { + "cell_type": "code", + 
"execution_count": 283, + "metadata": {}, + "outputs": [ + { + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
tsuidid.orig_hid.orig_pid.resp_hid.resp_pprotoservicedurationconn_state...historyorig_pktsorig_ip_bytesresp_pktsresp_ip_bytesorig_bytesresp_bytesis_destination_broadcasttraffic_directionduration_mean
312024-02-12 17:09:42.990166016ClKxU23lRlw5hdtGFj192.168.0.16851428142.250.65.234443tcpssl0.141091S1...ShADad101658147626000outgoingNaN
422024-02-12 18:12:59.069338112CJRUNP37hqlOb5Poa5192.168.0.16851428142.250.65.234443tcpother0.012353RSTR...DFTr4397140000outgoing0.076722
\n", + "

2 rows × 23 columns

\n", + "
" + ], + "text/plain": [ + " ts uid id.orig_h \\\n", + "31 2024-02-12 17:09:42.990166016 ClKxU23lRlw5hdtGFj 192.168.0.168 \n", + "42 2024-02-12 18:12:59.069338112 CJRUNP37hqlOb5Poa5 192.168.0.168 \n", + "\n", + " id.orig_p id.resp_h id.resp_p proto service duration conn_state \\\n", + "31 51428 142.250.65.234 443 tcp ssl 0.141091 S1 \n", + "42 51428 142.250.65.234 443 tcp other 0.012353 RSTR \n", + "\n", + " ... history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes \\\n", + "31 ... ShADad 10 1658 14 7626 \n", + "42 ... DFTr 4 397 1 40 \n", + "\n", + " orig_bytes resp_bytes is_destination_broadcast traffic_direction \\\n", + "31 0 0 0 outgoing \n", + "42 0 0 0 outgoing \n", + "\n", + " duration_mean \n", + "31 NaN \n", + "42 0.076722 \n", + "\n", + "[2 rows x 23 columns]" + ] + }, + "execution_count": 283, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "fil" + ] + }, + { + "cell_type": "code", + "execution_count": 315, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "0 days 01:03:16.079172096\n", + "3796.079172\n" + ] + } + ], + "source": [ + "import pandas as pd\n", + "\n", + "# Define the timestamps\n", + "dt1 = pd.to_datetime('2024-02-12 17:09:42.990166016')\n", + "dt2 = pd.to_datetime('2024-02-12 18:12:59.069338112')\n", + "\n", + "# Calculate the time difference\n", + "time_diff = dt2 - dt1\n", + "\n", + "# Print the time difference in a human-readable format\n", + "print(time_diff)\n", + "\n", + "# 01:03:16.079172096 \n", + "#compute the time difference into seconds \n", + "print(time_diff.total_seconds())" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "#### Agg Function" + ] + }, + { + "cell_type": "code", + "execution_count": 498, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + " ts uid id.orig_h \\\n", + "0 2024-02-12 17:10:23.364103168 C0LEGs2p93lnNEFB5f 192.168.0.168 \n", + "1 2024-02-12 
17:10:23.364033024 CoIaps3LBPANWZX887 192.168.0.168 \n", + "2 2024-02-12 17:10:28.897382144 CllN3R2OE84qgP4Myl 192.168.0.168 \n", + "3 2024-02-12 17:10:23.682648832 CnAcZTvINoaJSPmC2 192.168.0.168 \n", + "4 2024-02-12 17:10:23.682689024 CrKvqoo2pkmR8IcKf fe80::17:2915:d910:f37 \n", + ".. ... ... ... \n", + "60 2024-02-12 18:12:59.359659008 CmsBId1mQSH21Nn8Xf 192.168.0.168 \n", + "61 2024-02-12 18:12:59.394697984 CPrXFE2XI3xFN2x4x6 192.168.0.168 \n", + "62 2024-02-12 18:12:59.394788096 CKX629PWRVQsJH3Df 192.168.0.168 \n", + "63 2024-02-12 18:12:59.396743936 CGzmAv3TE4THf4pQ5d 192.168.0.168 \n", + "64 2024-02-12 18:13:01.153886976 CUN2d84adrzHQOxdJi 192.168.0.168 \n", + "\n", + " id.orig_p id.resp_h id.resp_p proto service duration conn_state \\\n", + "0 65363 192.168.0.1 53 udp dns 0.019866 SF \n", + "1 51657 192.168.0.1 53 udp dns 0.012296 SF \n", + "2 51400 142.250.80.74 443 tcp other 0.016519 RSTR \n", + "3 5353 224.0.0.251 5353 udp dns 7.450594 S0 \n", + "4 5353 ff02::fb 5353 udp dns 7.450569 S0 \n", + ".. ... ... ... ... ... ... ... \n", + "60 51473 20.189.172.32 443 tcp ssl 0.347173 SF \n", + "61 51480 20.189.172.32 443 tcp ssl 0.332572 SF \n", + "62 51481 20.189.172.32 443 tcp ssl 0.338312 SF \n", + "63 51482 20.189.172.32 443 tcp ssl 0.343127 SF \n", + "64 51445 140.82.112.25 443 tcp other 0.022740 RSTRH \n", + "\n", + " ... resp_bytes is_destination_broadcast traffic_direction \\\n", + "0 ... 0 0 internal \n", + "1 ... 0 0 internal \n", + "2 ... 0 0 outgoing \n", + "3 ... 0 0 outgoing \n", + "4 ... 0 0 IPv6 \n", + ".. ... ... ... ... \n", + "60 ... 0 0 outgoing \n", + "61 ... 0 0 outgoing \n", + "62 ... 0 0 outgoing \n", + "63 ... 0 0 outgoing \n", + "64 ... 0 0 outgoing \n", + "\n", + " duration_mean_5000 duration_min_5000 duration_max_5000 \\\n", + "0 0.019866 0.019866 0.019866 \n", + "1 0.012296 0.012296 0.012296 \n", + "2 0.016519 0.016519 0.016519 \n", + "3 7.450594 7.450594 7.450594 \n", + "4 7.450569 7.450569 7.450569 \n", + ".. ... ... ... 
\n", + "60 0.347173 0.347173 0.347173 \n", + "61 0.332572 0.332572 0.332572 \n", + "62 0.338312 0.338312 0.338312 \n", + "63 0.343127 0.343127 0.343127 \n", + "64 0.050294 0.022740 0.077848 \n", + "\n", + " duration_std_5000 duration_var_5000 duration_cnt_5000 duration_sum_5000 \n", + "0 0.000000 0.000000 1.0 0.019866 \n", + "1 0.000000 0.000000 1.0 0.012296 \n", + "2 0.000000 0.000000 1.0 0.016519 \n", + "3 0.000000 0.000000 1.0 7.450594 \n", + "4 0.000000 0.000000 1.0 7.450569 \n", + ".. ... ... ... ... \n", + "60 0.000000 0.000000 1.0 0.347173 \n", + "61 0.000000 0.000000 1.0 0.332572 \n", + "62 0.000000 0.000000 1.0 0.338312 \n", + "63 0.000000 0.000000 1.0 0.343127 \n", + "64 0.027554 0.000759 2.0 0.100588 \n", + "\n", + "[65 rows x 29 columns]\n" + ] + } + ], + "source": [ + "windowed_features_num = ['mean','min','max','std','var','cnt','sum']\n", + "def calculate_agg_feature_num(df, agg_feature, window_size=5000):\n", + " \"\"\"\n", + " This function adds a new column \"{agg_feature}_{either mean, min, max, std, or var}\" to the DataFrame.\n", + " This column contains the aggregated features (mean/min/max/std/var/count/sum) of network flows within the past {window_size} seconds\n", + " for each group with the same ['id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p'].\n", + "\n", + " Args:\n", + " df: The pandas DataFrame containing network flow data.\n", + " window_size: Size of the window for calculating the average (default: 5000 seconds).\n", + "\n", + " Returns:\n", + " A new DataFrame with the added aggregated feautre columns.\n", + " \"\"\"\n", + " # Convert timestamp to datetime\n", + " # df['ts'] = datetime.fromtimestamp(df['ts']) #assumes timestamps are in the local machine's timezone. 
not suggested \n", + " df['ts'] = pd.to_datetime(df['ts'], unit='s') \n", + " df = df.set_index('ts') \n", + " # Calculate the aggregated feature for each group\n", + " # to avoid NaN values, calculate the population standard deviation, specified with std(ddof=0)\n", + " grp = ['id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p']\n", + " df[f'{agg_feature}_mean_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).mean())\n", + " df[f'{agg_feature}_min_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).min())\n", + " df[f'{agg_feature}_max_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).max())\n", + " df[f'{agg_feature}_std_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).std(ddof=0))\n", + " df[f'{agg_feature}_var_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).var(ddof=0))\n", + " df[f'{agg_feature}_cnt_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).count())\n", + " df[f'{agg_feature}_sum_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).sum())\n", + "\n", + " return df.reset_index()\n", + "\n", + "result_df = calculate_agg_feature_num(df.copy(),agg_feature = 'duration') # Apply function to a copy of df\n", + "print(result_df)\n" + ] + }, + { + "cell_type": "code", + "execution_count": 499, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "Index(['ts', 'uid', 'id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p',\n", + " 'proto', 'service', 'duration', 'conn_state', 'local_orig',\n", + " 'local_resp', 'missed_bytes', 'history', 'orig_pkts', 'orig_ip_bytes',\n", + " 'resp_pkts', 
'resp_ip_bytes', 'orig_bytes', 'resp_bytes',\n", + " 'is_destination_broadcast', 'traffic_direction'],\n", + " dtype='object')" + ] + }, + "execution_count": 499, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "df.columns" + ] + }, + { + "cell_type": "code", + "execution_count": 493, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + " ts uid id.orig_h \\\n", + "0 2024-02-12 17:10:23.364103168 C0LEGs2p93lnNEFB5f 192.168.0.168 \n", + "1 2024-02-12 17:10:23.364033024 CoIaps3LBPANWZX887 192.168.0.168 \n", + "2 2024-02-12 17:10:28.897382144 CllN3R2OE84qgP4Myl 192.168.0.168 \n", + "3 2024-02-12 17:10:23.682648832 CnAcZTvINoaJSPmC2 192.168.0.168 \n", + "4 2024-02-12 17:10:23.682689024 CrKvqoo2pkmR8IcKf fe80::17:2915:d910:f37 \n", + ".. ... ... ... \n", + "60 2024-02-12 18:12:59.359659008 CmsBId1mQSH21Nn8Xf 192.168.0.168 \n", + "61 2024-02-12 18:12:59.394697984 CPrXFE2XI3xFN2x4x6 192.168.0.168 \n", + "62 2024-02-12 18:12:59.394788096 CKX629PWRVQsJH3Df 192.168.0.168 \n", + "63 2024-02-12 18:12:59.396743936 CGzmAv3TE4THf4pQ5d 192.168.0.168 \n", + "64 2024-02-12 18:13:01.153886976 CUN2d84adrzHQOxdJi 192.168.0.168 \n", + "\n", + " id.orig_p id.resp_h id.resp_p proto service duration conn_state \\\n", + "0 65363 192.168.0.1 53 udp dns 0.019866 SF \n", + "1 51657 192.168.0.1 53 udp dns 0.012296 SF \n", + "2 51400 142.250.80.74 443 tcp other 0.016519 RSTR \n", + "3 5353 224.0.0.251 5353 udp dns 7.450594 S0 \n", + "4 5353 ff02::fb 5353 udp dns 7.450569 S0 \n", + ".. ... ... ... ... ... ... ... \n", + "60 51473 20.189.172.32 443 tcp ssl 0.347173 SF \n", + "61 51480 20.189.172.32 443 tcp ssl 0.332572 SF \n", + "62 51481 20.189.172.32 443 tcp ssl 0.338312 SF \n", + "63 51482 20.189.172.32 443 tcp ssl 0.343127 SF \n", + "64 51445 140.82.112.25 443 tcp other 0.022740 RSTRH \n", + "\n", + " ... orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes orig_bytes \\\n", + "0 ... 1 62 1 169 0 \n", + "1 ... 
1 62 1 142 0 \n", + "2 ... 2 128 2 80 0 \n", + "3 ... 2 469 0 0 0 \n", + "4 ... 2 509 0 0 0 \n", + ".. ... ... ... ... ... ... \n", + "60 ... 12 1921 9 5408 0 \n", + "61 ... 12 1921 9 5408 0 \n", + "62 ... 12 1921 9 5408 0 \n", + "63 ... 12 2484 9 5408 0 \n", + "64 ... 1 40 1 40 0 \n", + "\n", + " resp_bytes is_destination_broadcast traffic_direction \\\n", + "0 0 0 internal \n", + "1 0 0 internal \n", + "2 0 0 outgoing \n", + "3 0 0 outgoing \n", + "4 0 0 IPv6 \n", + ".. ... ... ... \n", + "60 0 0 outgoing \n", + "61 0 0 outgoing \n", + "62 0 0 outgoing \n", + "63 0 0 outgoing \n", + "64 0 0 outgoing \n", + "\n", + " local_orig_nunique_5000 local_orig_entropy_5000 \n", + "0 1.0 0.0 \n", + "1 1.0 0.0 \n", + "2 1.0 0.0 \n", + "3 1.0 0.0 \n", + "4 1.0 0.0 \n", + ".. ... ... \n", + "60 1.0 0.0 \n", + "61 1.0 0.0 \n", + "62 1.0 0.0 \n", + "63 1.0 0.0 \n", + "64 1.0 0.0 \n", + "\n", + "[65 rows x 24 columns]\n" + ] + } + ], + "source": [ + "from scipy.stats import entropy\n", + "#For feature such as local_orig , port,... numerical but can be treated as categorical\n", + "def calculate_agg_feature_cat(df, agg_feature, window_size=5000):\n", + " \"\"\"\n", + " This function adds a new column \"{agg_feature}_{either nunique or entropy}\" to the DataFrame.\n", + " This column contains the aggregated features (nunique/entropy) of network flows within the past {window_size} seconds\n", + " for each group with the same ['id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p'].\n", + "\n", + " Args:\n", + " df: The pandas DataFrame containing network flow data.\n", + " window_size: Size of the window for calculating the average (default: 5000 seconds).\n", + "\n", + " Returns:\n", + " A new DataFrame with the added aggregated feautre columns.\n", + " \"\"\"\n", + " # Convert timestamp to datetime\n", + " # df['ts'] = datetime.fromtimestamp(df['ts']) #assumes timestamps are in the local machine's timezone. 
not suggested \n",
+ " df['ts'] = pd.to_datetime(df['ts'], unit='s') \n",
+ " df = df.set_index('ts') \n",
+ " grp = ['id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p']\n",
+ " df[f'{agg_feature}_nunique_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).apply(lambda x: x.unique().shape[0]))\n",
+ " df[f'{agg_feature}_entropy_{window_size}'] = df.groupby(grp)[f'{agg_feature}'].transform(lambda x: x.rolling(f'{window_size}s', min_periods=1).apply(lambda x: entropy(x.value_counts()))) \n",
+ " return df.reset_index()\n",
+ "\n",
+ "result_df = calculate_agg_feature_cat(df.copy(),agg_feature = 'local_orig') # Apply function to a copy of df\n",
+ "print(result_df)\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 500,
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/html": [
+ "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
tsuidid.orig_hid.orig_pid.resp_hid.resp_pprotoservicedurationconn_state...resp_bytesis_destination_broadcasttraffic_directionduration_mean_5000duration_min_5000duration_max_5000duration_std_5000duration_var_5000duration_cnt_5000duration_sum_5000
02024-02-12 17:10:23.364103168C0LEGs2p93lnNEFB5f192.168.0.16865363192.168.0.153udpdns0.019866SF...00internal0.0198660.0198660.0198660.00.01.00.019866
12024-02-12 17:10:23.364033024CoIaps3LBPANWZX887192.168.0.16851657192.168.0.153udpdns0.012296SF...00internal0.0122960.0122960.0122960.00.01.00.012296
22024-02-12 17:10:28.897382144CllN3R2OE84qgP4Myl192.168.0.16851400142.250.80.74443tcpother0.016519RSTR...00outgoing0.0165190.0165190.0165190.00.01.00.016519
32024-02-12 17:10:23.682648832CnAcZTvINoaJSPmC2192.168.0.1685353224.0.0.2515353udpdns7.450594S0...00outgoing7.4505947.4505947.4505940.00.01.07.450594
42024-02-12 17:10:23.682689024CrKvqoo2pkmR8IcKffe80::17:2915:d910:f375353ff02::fb5353udpdns7.450569S0...00IPv67.4505697.4505697.4505690.00.01.07.450569
\n", + "

5 rows × 29 columns

\n", + "
" + ], + "text/plain": [ + " ts uid id.orig_h \\\n", + "0 2024-02-12 17:10:23.364103168 C0LEGs2p93lnNEFB5f 192.168.0.168 \n", + "1 2024-02-12 17:10:23.364033024 CoIaps3LBPANWZX887 192.168.0.168 \n", + "2 2024-02-12 17:10:28.897382144 CllN3R2OE84qgP4Myl 192.168.0.168 \n", + "3 2024-02-12 17:10:23.682648832 CnAcZTvINoaJSPmC2 192.168.0.168 \n", + "4 2024-02-12 17:10:23.682689024 CrKvqoo2pkmR8IcKf fe80::17:2915:d910:f37 \n", + "\n", + " id.orig_p id.resp_h id.resp_p proto service duration conn_state \\\n", + "0 65363 192.168.0.1 53 udp dns 0.019866 SF \n", + "1 51657 192.168.0.1 53 udp dns 0.012296 SF \n", + "2 51400 142.250.80.74 443 tcp other 0.016519 RSTR \n", + "3 5353 224.0.0.251 5353 udp dns 7.450594 S0 \n", + "4 5353 ff02::fb 5353 udp dns 7.450569 S0 \n", + "\n", + " ... resp_bytes is_destination_broadcast traffic_direction \\\n", + "0 ... 0 0 internal \n", + "1 ... 0 0 internal \n", + "2 ... 0 0 outgoing \n", + "3 ... 0 0 outgoing \n", + "4 ... 0 0 IPv6 \n", + "\n", + " duration_mean_5000 duration_min_5000 duration_max_5000 duration_std_5000 \\\n", + "0 0.019866 0.019866 0.019866 0.0 \n", + "1 0.012296 0.012296 0.012296 0.0 \n", + "2 0.016519 0.016519 0.016519 0.0 \n", + "3 7.450594 7.450594 7.450594 0.0 \n", + "4 7.450569 7.450569 7.450569 0.0 \n", + "\n", + " duration_var_5000 duration_cnt_5000 duration_sum_5000 \n", + "0 0.0 1.0 0.019866 \n", + "1 0.0 1.0 0.012296 \n", + "2 0.0 1.0 0.016519 \n", + "3 0.0 1.0 7.450594 \n", + "4 0.0 1.0 7.450569 \n", + "\n", + "[5 rows x 29 columns]" + ] + }, + "execution_count": 500, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "result_df.head()" + ] + }, + { + "cell_type": "code", + "execution_count": 495, + "metadata": {}, + "outputs": [], + "source": [ + "fil = result_df[(result_df['id.orig_h'] == '192.168.0.168') & (result_df['id.orig_p'] == 51428)& (result_df['id.resp_h'] == '142.250.65.234') & (result_df['id.resp_p'] == 443)]" + ] + }, + { + "cell_type": "code", + "execution_count": 496, 
+ "metadata": {}, + "outputs": [ + { + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
tsuidid.orig_hid.orig_pid.resp_hid.resp_pprotoservicedurationconn_state...orig_pktsorig_ip_bytesresp_pktsresp_ip_bytesorig_bytesresp_bytesis_destination_broadcasttraffic_directionlocal_orig_nunique_5000local_orig_entropy_5000
312024-02-12 17:09:42.990166016ClKxU23lRlw5hdtGFj192.168.0.16851428142.250.65.234443tcpssl0.141091S1...101658147626000outgoing1.00.0
422024-02-12 18:12:59.069338112CJRUNP37hqlOb5Poa5192.168.0.16851428142.250.65.234443tcpother0.012353RSTR...4397140000outgoing1.00.0
\n", + "

2 rows × 24 columns

\n", + "
" + ], + "text/plain": [ + " ts uid id.orig_h \\\n", + "31 2024-02-12 17:09:42.990166016 ClKxU23lRlw5hdtGFj 192.168.0.168 \n", + "42 2024-02-12 18:12:59.069338112 CJRUNP37hqlOb5Poa5 192.168.0.168 \n", + "\n", + " id.orig_p id.resp_h id.resp_p proto service duration conn_state \\\n", + "31 51428 142.250.65.234 443 tcp ssl 0.141091 S1 \n", + "42 51428 142.250.65.234 443 tcp other 0.012353 RSTR \n", + "\n", + " ... orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes orig_bytes \\\n", + "31 ... 10 1658 14 7626 0 \n", + "42 ... 4 397 1 40 0 \n", + "\n", + " resp_bytes is_destination_broadcast traffic_direction \\\n", + "31 0 0 outgoing \n", + "42 0 0 outgoing \n", + "\n", + " local_orig_nunique_5000 local_orig_entropy_5000 \n", + "31 1.0 0.0 \n", + "42 1.0 0.0 \n", + "\n", + "[2 rows x 24 columns]" + ] + }, + "execution_count": 496, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "fil" + ] + }, + { + "cell_type": "code", + "execution_count": 295, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "0.076722" + ] + }, + "execution_count": 295, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "(0.141091+0.012353)/2" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "#### Full function " + ] + }, + { + "cell_type": "code", + "execution_count": 539, + "metadata": {}, + "outputs": [], + "source": [ + "id_feature = [\"id.orig_h\", \"id.orig_p\", \"id.resp_h\", \"id.resp_p\"]\n", + "features = [\"ts\",\"uid\", \"id.orig_h\", \"id.orig_p\", \"id.resp_h\", \"id.resp_p\",\n", + " \"proto\", \"service\", \"duration\", \"conn_state\", \"local_orig\",\"local_resp\",\n", + " \"missed_bytes\",\"history\", \"orig_pkts\", \"orig_ip_bytes\", \"resp_pkts\", \"resp_ip_bytes\"]\n", + "data_list = []\n", + "for line in json_data_file.splitlines():\n", + " # log_entry is now a single json log from the file\n", + " log_entry = json.loads(line.strip())\n", + " \n", + " # Check if each feature is 
present in the log_entry\n",
+ " feature_values = [log_entry.get(feature, None) for feature in features]\n",
+ " data_list.append(feature_values)\n",
+ "\n",
+ "df = pd.DataFrame(data_list, columns=features)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 541,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "from columns import Aggr_conn\n",
+ "def preprocess_json_conn_agg(json_batch):\n",
+ " \"\"\"\n",
+ " This function receives a json batch from the main control flow of the train \n",
+ " functions. It should convert the conn.log of the json_batch to a numpy 2D array, apply necessary transformations,\n",
+ " then return it. \n",
+ "\n",
+ " Note: the input is only one unzipped json file. \n",
+ " \"\"\"\n",
+ " features = [\"ts\",\"uid\", \"id.orig_h\", \"id.orig_p\", \"id.resp_h\", \"id.resp_p\",\n",
+ " \"proto\", \"service\", \"duration\", \"conn_state\", \"local_orig\",\"local_resp\",\n",
+ " \"missed_bytes\",\"history\", \"orig_pkts\", \"orig_ip_bytes\", \"resp_pkts\", \"resp_ip_bytes\"]\n",
+ " #TODO: add features: duration, local_orig, local_resp \n",
+ " data_list = []\n",
+ " for line in json_batch.splitlines():\n",
+ " # log_entry is now a single json log from the file \n",
+ " log_entry = json.loads(line.strip())\n",
+ " # data_list.append([log_entry[feature] for feature in features])\n",
+ " # Check if each feature is present in the log_entry\n",
+ " feature_values = [log_entry.get(feature, None) for feature in features]\n",
+ " data_list.append(feature_values)\n",
+ "\n",
+ " #TODO: optimize the code via removing pandas\n",
+ " df = pd.DataFrame(data_list, columns=features) \n",
+ "\n",
+ " #fill Nans with 0s : duration, orig_bytes resp_bytes\n",
+ " df = fill_na(df) \n",
+ " # create history, broadcast, traffic_direction variables\n",
+ " df = create_history_variable(df)\n",
+ " df = create_broadcast_variable(df)\n",
+ " df = create_direction_variable(df)\n",
+ "\n",
+ " # one hot encode categorical variables\n",
+ " column_name = 
['conn_state', \"proto\", \"traffic_direction\" , \"service\"]\n",
+ " df = one_hot_encode(df, column_name)\n",
+ "\n",
+ " # Convert the boolean values in columns \"local_orig\" and \"local_resp\" to 1 and 0s\n",
+ " df['local_orig'] = df['local_orig'].astype(int)\n",
+ " df['local_resp'] = df['local_resp'].astype(int)\n",
+ "\n",
+ " #Compute Aggregated Features \n",
+ " windows = [60,3600,7200] #seconds \n",
+ " grp = ['id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p']\n",
+ " aggr_feature_num = ['duration', 'missed_bytes', 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes']\n",
+ " aggr_feature_cat = ['local_orig', 'local_resp']\n",
+ " for window in windows:\n",
+ " for feature in aggr_feature_num:\n",
+ " df = calculate_agg_feature_num(df, feature, window)\n",
+ " for feature in aggr_feature_cat:\n",
+ " df = calculate_agg_feature_cat(df, feature, window)\n",
+ " cols = Aggr_conn\n",
+ " # make sure the columns are the same \n",
+ " df = makedf_samecol(cols, df) \n",
+ " # Convert DataFrame to NumPy array\n",
+ " np_arr = df.to_numpy(dtype=np.float32)\n",
+ " return np_arr"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 542,
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "array([[0.01986599, 1. , 1. , ..., 0. , 1. ,\n",
+ " 0. ],\n",
+ " [0.01229596, 1. , 1. , ..., 0. , 1. ,\n",
+ " 0. ],\n",
+ " [0.01651907, 1. , 0. , ..., 0. , 1. ,\n",
+ " 0. ],\n",
+ " ...,\n",
+ " [0.3383119 , 1. , 0. , ..., 0. , 1. ,\n",
+ " 0. ],\n",
+ " [0.343127 , 1. , 0. , ..., 0. , 1. ,\n",
+ " 0. ],\n",
+ " [0.02273989, 1. , 0. , ..., 0. , 1. ,\n",
+ " 0. 
]], dtype=float32)" + ] + }, + "execution_count": 542, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "preprocess_json_conn_agg(json_data_file)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## dns" + ] + }, + { + "cell_type": "code", + "execution_count": 294, + "metadata": {}, + "outputs": [], + "source": [ + "current_dir_path = '/usr/local/logs/2024-02-12'\n", + "if not os.path.islink(current_dir_path):\n", + " # sub_dir is now any given historical data directory \n", + " logging.info(f\"Checking {current_dir_path}\")\n", + " for file in os.listdir(current_dir_path):\n", + " # file is now any given file in the historical data directory\n", + " current_file_path = os.path.join(current_dir_path, file)\n", + " if \"dns.\" in file: #conn.\n", + " # get the whole file in memory\n", + " logging.info(f\"Opening file {current_file_path}\")\n", + " json_data_file = ungzip(current_file_path)\n", + " # print(current_file_path)\n", + " # print(json_data_file)" + ] + }, + { + "cell_type": "code", + "execution_count": 295, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "{'ts': 1707768003.869346, 'uid': 'CS9fzl4EIr1i9ibne5', 'id.orig_h': '10.19.235.169', 'id.orig_p': 65501, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 3613, 'rtt': 0.01270914077758789, 'query': 'guzzoni.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['guzzoni-apple-com.v.aaplimg.com'], 'TTLs': [3321.0], 'rejected': False}\n", + "{'ts': 1707768003.869397, 'uid': 'C7KsDehrLNsfmgqo', 'id.orig_h': '10.19.235.169', 'id.orig_p': 53141, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 5769, 'rtt': 0.012659072875976562, 'query': 'guzzoni.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 
'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['guzzoni-apple-com.v.aaplimg.com', '34.225.66.6'], 'TTLs': [3321.0, 100.0], 'rejected': False}\n", + "{'ts': 1707768003.885104, 'uid': 'C2Gqup3XI5f3vrEywb', 'id.orig_h': '10.19.235.169', 'id.orig_p': 53400, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 62046, 'query': 'guzzoni-apple-com.v.aaplimg.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768003.992969, 'uid': 'CTv1qs4jy8ygljcWh4', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60106, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 31442, 'rtt': 0.00483393669128418, 'query': 'gsp-ssl.ls.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['gsp-ssl.ls-apple.com.akadns.net', 'gsp-ssl-geomap.ls-apple.com.akadns.net', 'gspx-ssl.ls.apple.com', 'get-bx.g.aaplimg.com'], 'TTLs': [3160.0, 20.0, 37.0, 2860.0], 'rejected': False}\n", + "{'ts': 1707768003.993001, 'uid': 'CnUWOdi7PwDh9qu36', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63620, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 59117, 'rtt': 0.004804134368896484, 'query': 'gsp-ssl.ls.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['gsp-ssl.ls-apple.com.akadns.net', 'gsp-ssl-geomap.ls-apple.com.akadns.net', 'gspx-ssl.ls.apple.com', 'get-bx.g.aaplimg.com', '17.253.3.218', '17.253.3.219'], 'TTLs': [3160.0, 20.0, 37.0, 2860.0, 22.0, 22.0], 'rejected': False}\n", + "{'ts': 1707768004.000686, 'uid': 'CRhDGa4J2VjqxcrvFd', 
'id.orig_h': '10.19.235.169', 'id.orig_p': 64011, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 34884, 'query': 'get-bx.g.aaplimg.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768004.701893, 'uid': 'CNy3cnbOrrK4bzhXk', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58952, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 50063, 'rtt': 0.010221004486083984, 'query': 'cds.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['cds-cdn.v.aaplimg.com', 'cds.apple.com.akadns.net', 'world-gen.g.aaplimg.com'], 'TTLs': [699.0, 541.0, 350.0], 'rejected': False}\n", + "{'ts': 1707768004.701956, 'uid': 'CdDh5v2xr6EcVsZBn3', 'id.orig_h': '10.19.235.169', 'id.orig_p': 65505, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 47780, 'rtt': 0.010159015655517578, 'query': 'cds.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['cds-cdn.v.aaplimg.com', 'cds.apple.com.akadns.net', 'world-gen.g.aaplimg.com', '17.253.3.195', '17.253.3.196'], 'TTLs': [699.0, 541.0, 350.0, 11.0, 11.0], 'rejected': False}\n", + "{'ts': 1707768004.714708, 'uid': 'CpZ8zo1mwFlF4xU6ll', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63407, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 21447, 'query': 'world-gen.g.aaplimg.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768004.891548, 'uid': 
'C1xg3w3Hytsc22Arj8', 'id.orig_h': '10.19.235.169', 'id.orig_p': 52512, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 21654, 'rtt': 0.003859996795654297, 'query': 'help.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['help.origin-apple.com.akadns.net', 'help-ar.apple.com.edgekey.net', 'e11408.d.akamaiedge.net'], 'TTLs': [3386.0, 7.0, 18118.0], 'rejected': False}\n", + "{'ts': 1707768004.891596, 'uid': 'CScqm2rwPuq6ODeF5', 'id.orig_h': '10.19.235.169', 'id.orig_p': 51154, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 175, 'rtt': 0.003813028335571289, 'query': 'help.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['help.origin-apple.com.akadns.net', 'help-ar.apple.com.edgekey.net', 'e11408.d.akamaiedge.net', '23.39.33.227'], 'TTLs': [3386.0, 7.0, 18118.0, 16.0], 'rejected': False}\n", + "{'ts': 1707768004.89837, 'uid': 'CXfA7b1Y9vbslHs5Wk', 'id.orig_h': '10.19.235.169', 'id.orig_p': 55666, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 23325, 'query': 'e11408.d.akamaiedge.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707767996.633702, 'uid': 'CV7lLp41bMgMmZZ8Ma', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707767996.633707, 'uid': 'CV7lLp41bMgMmZZ8Ma', 
'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707767996.634273, 'uid': 'CFOxfA2y3iHRT6qNQ1', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707767996.634296, 'uid': 'CFOxfA2y3iHRT6qNQ1', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707767996.634299, 'uid': 'CFOxfA2y3iHRT6qNQ1', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707767996.634345, 'uid': 'CFOxfA2y3iHRT6qNQ1', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768008.16405, 'uid': 'CtGRpN3rQKlJqFeX81', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58275, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 
'proto': 'udp', 'trans_id': 32276, 'rtt': 0.16800379753112793, 'query': '3-courier.push.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['3.courier-push-apple.com.akadns.net', 'us-ne-courier-4.push-apple.com.akadns.net'], 'TTLs': [18596.0, 10.0], 'rejected': False}\n", + "{'ts': 1707768008.164094, 'uid': 'Cavla512AHVHbzyhS4', 'id.orig_h': '10.19.235.169', 'id.orig_p': 51532, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 34578, 'rtt': 0.16796112060546875, 'query': '3-courier.push.apple.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['3.courier-push-apple.com.akadns.net', 'us-ne-courier-4.push-apple.com.akadns.net', '17.57.144.12', '17.57.144.10', '17.57.144.11'], 'TTLs': [18596.0, 10.0, 50.0, 50.0, 50.0], 'rejected': False}\n", + "{'ts': 1707768008.334786, 'uid': 'CoQegW2E5DDua67if', 'id.orig_h': '10.19.235.169', 'id.orig_p': 59456, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 54614, 'query': 'us-ne-courier-4.push-apple.com.akadns.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768008.334808, 'uid': 'C0QsNQ3CI6fsPFatH7', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58399, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 36803, 'rtt': 0.003490924835205078, 'query': 'us-ne-courier-4.push-apple.com.akadns.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['17.57.144.10', '17.57.144.11', '17.57.144.12'], 'TTLs': 
[50.0, 50.0, 50.0], 'rejected': False}\n", + "{'ts': 1707768008.470885, 'uid': 'CeDTL23UzfVAmQ4zSf', 'id.orig_h': '10.19.235.169', 'id.orig_p': 54722, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 53662, 'rtt': 0.00436091423034668, 'query': 'fmfmobile.fe2.apple-dns.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['17.248.199.71'], 'TTLs': [110.0], 'rejected': False}\n", + "{'ts': 1707768011.051394, 'uid': 'CmwatF4XvE3Wf7pM37', 'id.orig_h': '10.19.235.169', 'id.orig_p': 54439, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 52289, 'query': 'stk.px-cloud.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768011.051321, 'uid': 'CBOt594rDWQAm9k8ja', 'id.orig_h': '10.19.235.169', 'id.orig_p': 62654, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 25946, 'rtt': 0.0037779808044433594, 'query': 'stk.px-cloud.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['34.107.199.61'], 'TTLs': [346.0], 'rejected': False}\n", + "{'ts': 1707768011.086383, 'uid': 'C4ed1Q29UXNlekubrf', 'id.orig_h': '10.19.235.169', 'id.orig_p': 57226, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 43761, 'rtt': 0.0032088756561279297, 'query': 'www.linkedin.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['www-linkedin-com.l-0005.l-msedge.net', 'l-0005.l-msedge.net'], 'TTLs': [196.0, 144.0], 'rejected': False}\n", + "{'ts': 
1707768011.086273, 'uid': 'C2OLUB4M5nxGjuXcEl', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60947, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 38510, 'rtt': 0.003319978713989258, 'query': 'www.linkedin.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['www-linkedin-com.l-0005.l-msedge.net', 'l-0005.l-msedge.net', '13.107.42.14'], 'TTLs': [196.0, 144.0, 144.0], 'rejected': False}\n", + "{'ts': 1707768011.091898, 'uid': 'CowX4cUdrEERG26Rk', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63311, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 22008, 'query': 'play.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768011.091743, 'uid': 'Cc3E49lJ0Vo7AniI3', 'id.orig_h': '10.19.235.169', 'id.orig_p': 62224, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 46578, 'rtt': 0.0040700435638427734, 'query': 'play.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.251.40.110'], 'TTLs': [28.0], 'rejected': False}\n", + "{'ts': 1707768011.142463, 'uid': 'CzfR5A39hCFNUjcvh5', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60533, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 44570, 'rtt': 0.0035169124603271484, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com', '35.190.45.20'], 'TTLs': [168.0, 84.0, 89.0], 'rejected': 
False}\n", + "{'ts': 1707768011.144673, 'uid': 'CqjLPs2HAg8mhPneXb', 'id.orig_h': '10.19.235.169', 'id.orig_p': 54647, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 48408, 'rtt': 0.0034868717193603516, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com'], 'TTLs': [168.0, 84.0], 'rejected': False}\n", + "{'ts': 1707768011.19874, 'uid': 'CQwNWW16eK6mMXWBQ8', 'id.orig_h': '10.19.235.169', 'id.orig_p': 61137, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 63611, 'query': 'google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768011.198661, 'uid': 'C8ywg5JOg2TBVwhr3', 'id.orig_h': '10.19.235.169', 'id.orig_p': 50470, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 10089, 'rtt': 0.004611015319824219, 'query': 'google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.250.176.206'], 'TTLs': [85.0], 'rejected': False}\n", + "{'ts': 1707768016.040144, 'uid': 'CB9Nuo1hhYd7B5Qplg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.00017905235290527344, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 32769, 'qclass_name': 'qclass-32769', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", + 
"{'ts': 1707768016.040184, 'uid': 'Cmr2cA2bcEZpaT62Ni', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.00016188621520996094, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 32769, 'qclass_name': 'qclass-32769', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768016.290879, 'uid': 'CB9Nuo1hhYd7B5Qplg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.5027029514312744, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 
rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768016.29104, 'uid': 'Cmr2cA2bcEZpaT62Ni', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.5025451183319092, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 
'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768016.541494, 'uid': 'CB9Nuo1hhYd7B5Qplg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.497711181640625, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768016.541521, 'uid': 'Cmr2cA2bcEZpaT62Ni', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.4977099895477295, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768017.041797, 'uid': 'CB9Nuo1hhYd7B5Qplg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.75343918800354, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 
TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768017.041847, 'uid': 'Cmr2cA2bcEZpaT62Ni', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.7534189224243164, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 
15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768019.041301, 'uid': 'CB9Nuo1hhYd7B5Qplg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 
pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768019.041352, 'uid': 'Cmr2cA2bcEZpaT62Ni', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 
'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768023.041808, 'uid': 'CB9Nuo1hhYd7B5Qplg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 
rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768023.04184, 'uid': 'Cmr2cA2bcEZpaT62Ni', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook 
pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768041.334957, 'uid': 'Cm87T22wUF9Xgf2hQc', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58859, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 1373, 'rtt': 0.009403228759765625, 'query': 'i.ytimg.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.250.80.54', '142.250.176.214', '142.251.40.214', '142.251.40.246', '142.250.65.182', '142.250.65.214', '142.250.65.246', '142.250.81.246', '142.251.41.22', '142.251.32.118', '142.251.35.182', '142.251.40.118', '142.251.40.150', '142.251.40.182', '142.250.64.118', '142.250.72.118'], 'TTLs': [115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0, 115.0], 'rejected': False}\n", + "{'ts': 1707768041.335145, 'uid': 'Cdfwdv4ld5dxu66lkb', 'id.orig_h': '10.19.235.169', 'id.orig_p': 55001, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 22436, 'query': 'i.ytimg.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768043.972181, 'uid': 'CvRKJe1a08sWalfyC4', 'id.orig_h': '10.19.235.169', 'id.orig_p': 64431, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 22874, 'query': 'ssl.gstatic.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768043.971934, 'uid': 'CtWSEy1vyE9vZw0qoj', 
'id.orig_h': '10.19.235.169', 'id.orig_p': 56763, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 9322, 'rtt': 0.011201858520507812, 'query': 'ssl.gstatic.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.250.65.163'], 'TTLs': [140.0], 'rejected': False}\n", + "{'ts': 1707768056.301998, 'uid': 'CvjH4lCGPJ9LUCrwc', 'id.orig_h': '10.19.235.169', 'id.orig_p': 49575, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 54718, 'rtt': 0.004024982452392578, 'query': 'rr2---sn-ab5l6nrd.googlevideo.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['rr2.sn-ab5l6nrd.googlevideo.com', '173.194.31.7'], 'TTLs': [1694.0, 709.0], 'rejected': False}\n", + "{'ts': 1707768056.302119, 'uid': 'C8HxqF18GVKBzwOfy2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 49930, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 2864, 'rtt': 0.0039038658142089844, 'query': 'rr2---sn-ab5l6nrd.googlevideo.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['rr2.sn-ab5l6nrd.googlevideo.com'], 'TTLs': [1694.0], 'rejected': False}\n", + "{'ts': 1707768058.512371, 'uid': 'C6FWYg1GxLGCRKnZ1c', 'id.orig_h': '10.19.235.169', 'id.orig_p': 62270, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 44497, 'query': 'e2c19.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768058.512212, 'uid': 'CQQVS44iPyhIgZmBN9', 'id.orig_h': '10.19.235.169', 
'id.orig_p': 57966, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 39452, 'rtt': 0.004097938537597656, 'query': 'e2c19.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['34.65.65.90'], 'TTLs': [103.0], 'rejected': False}\n", + "{'ts': 1707768065.371772, 'uid': 'CORRsd4Im8PhvUKmFj', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58786, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 30065, 'rtt': 0.00403594970703125, 'query': 'beacons.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons6.gvt2.com'], 'TTLs': [296.0], 'rejected': False}\n", + "{'ts': 1707768065.371707, 'uid': 'Cldop02l2ZWmk79tlj', 'id.orig_h': '10.19.235.169', 'id.orig_p': 65026, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 14418, 'rtt': 0.0041010379791259766, 'query': 'beacons.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons6.gvt2.com', '142.250.80.99'], 'TTLs': [296.0, 14.0], 'rejected': False}\n", + "{'ts': 1707768056.121626, 'uid': 'CcNhB52Qc5uqzhsz9i', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768056.121661, 'uid': 'CTwUUI1tOY1GAoWV4a', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 
'_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768068.752692, 'uid': 'C1yVau1jdH7lOjXg9c', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60842, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 58562, 'rtt': 0.004012107849121094, 'query': 'beacons3.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.251.40.195'], 'TTLs': [224.0], 'rejected': False}\n", + "{'ts': 1707768068.752782, 'uid': 'CswX3f2hd3Ahsk9rle', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60132, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 40178, 'query': 'beacons3.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768072.963568, 'uid': 'CGSdHihDcE0Mldqrg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 61599, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 30947, 'query': 'accounts.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768072.963482, 'uid': 'Cd2dY7qCBe1lpSUNb', 'id.orig_h': '10.19.235.169', 'id.orig_p': 55901, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 62931, 'rtt': 0.00950312614440918, 'query': 'accounts.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['172.253.115.84'], 'TTLs': [250.0], 'rejected': False}\n", + "{'ts': 
1707768103.363284, 'uid': 'Cf8DM92nqCOgF3slRa', 'id.orig_h': '10.19.235.169', 'id.orig_p': 57310, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 19584, 'rtt': 0.003793954849243164, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com'], 'TTLs': [76.0, 290.0], 'rejected': False}\n", + "{'ts': 1707768103.363225, 'uid': 'C0rpq51YoNH8lIo9G9', 'id.orig_h': '10.19.235.169', 'id.orig_p': 56888, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 36237, 'rtt': 0.0038530826568603516, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com', '35.201.100.119'], 'TTLs': [76.0, 290.0, 295.0], 'rejected': False}\n", + "{'ts': 1707768131.11402, 'uid': 'CAPoTz3bvsNlxUm9mf', 'id.orig_h': '10.19.235.169', 'id.orig_p': 55037, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 12515, 'query': 'play.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768131.113952, 'uid': 'CbUb6S1PyFJ8Rvuwqd', 'id.orig_h': '10.19.235.169', 'id.orig_p': 57526, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 64879, 'rtt': 0.06569910049438477, 'query': 'play.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.251.40.110'], 'TTLs': [206.0], 'rejected': False}\n", + 
"{'ts': 1707768127.535699, 'uid': 'CKtVev46zUbzqmWUG2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768127.534376, 'uid': 'C0vKnM28xV50a4omch', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 
model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768127.535702, 'uid': 'CKtVev46zUbzqmWUG2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", + "{'ts': 
1707768128.535343, 'uid': 'CKtVev46zUbzqmWUG2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768129.655155, 'uid': 'CKtVev46zUbzqmWUG2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 
psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768133.655476, 'uid': 'CKtVev46zUbzqmWUG2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768128.535376, 'uid': 'C0vKnM28xV50a4omch', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 
'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768129.655195, 'uid': 'C0vKnM28xV50a4omch', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 
srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768133.655502, 'uid': 'C0vKnM28xV50a4omch', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0, 120.0, 120.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768162.962636, 'uid': 'CIKeSv8WITwkGD475', 'id.orig_h': '10.19.235.169', 'id.orig_p': 51231, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 266, 'query': 'docs.google.com', 'qclass': 1, 
'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768162.962567, 'uid': 'CdHh4r4iy8qMmqsuVg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 65380, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 6187, 'rtt': 0.04783892631530762, 'query': 'docs.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.251.40.238'], 'TTLs': [227.0], 'rejected': False}\n", + "{'ts': 1707768154.152796, 'uid': 'CiHkri25egnxjgmaA5', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768154.152832, 'uid': 'CBu8kV3Hl0aVPvQgf5', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': 'zoe’s macbook pro._airplay._tcp.local', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 
deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768179.379697, 'uid': 'CMmWJc1autUp5z5F4b', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63173, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 53772, 'rtt': 0.012414932250976562, 'query': 'westus-0.in.applicationinsights.azure.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['westus-0.in.ai.monitor.azure.com', 'westus-0.in.ai.privatelink.monitor.azure.com', 'gig-ai-prod-westus-0.trafficmanager.net', 'gig-ai-prod-wus-0-app-v4-tag.westus.cloudapp.azure.com', '20.189.172.32'], 'TTLs': [20.0, 20.0, 20.0, 150.0, 10.0], 'rejected': False}\n", + "{'ts': 1707768183.100971, 'uid': 'CZnqEb3Yxux92cgnqi', 'id.orig_h': '10.19.235.169', 'id.orig_p': 59243, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 40460, 'rtt': 0.0034639835357666016, 'query': 'stocks-data-service.lb-apple.com.akadns.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['stocks-data-service.apple.com.edgesuite.net', 'a1091.dscapi7.akamai.net'], 'TTLs': [16.0, 10714.0], 'rejected': False}\n", + "{'ts': 1707768183.101003, 'uid': 'CS02PvYXEL39tQn3a', 'id.orig_h': '10.19.235.169', 'id.orig_p': 55961, 'id.resp_h': 
'128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 26619, 'rtt': 0.0034329891204833984, 'query': 'stocks-data-service.lb-apple.com.akadns.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['stocks-data-service.apple.com.edgesuite.net', 'a1091.dscapi7.akamai.net', '104.126.118.203', '104.126.118.211'], 'TTLs': [16.0, 10714.0, 13.0, 13.0], 'rejected': False}\n", + "{'ts': 1707768183.484249, 'uid': 'C8zMFb2gSUZE5b4Wm8', 'id.orig_h': '10.19.235.169', 'id.orig_p': 57237, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 60066, 'rtt': 0.0036308765411376953, 'query': 'ff-proxy.leetcode.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['172.67.72.213', '104.26.8.101', '104.26.9.101'], 'TTLs': [230.0, 230.0, 230.0], 'rejected': False}\n", + "{'ts': 1707768183.484351, 'uid': 'CP4tMf3N6CnTdBto6a', 'id.orig_h': '10.19.235.169', 'id.orig_p': 64831, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 42208, 'query': 'ff-proxy.leetcode.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768191.042252, 'uid': 'CbRadG2VhzPxtcDVU1', 'id.orig_h': '10.19.235.169', 'id.orig_p': 56153, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 33093, 'query': 'play.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768191.042086, 'uid': 'CYen5h246vLUhiVS2f', 'id.orig_h': '10.19.235.169', 'id.orig_p': 50100, 'id.resp_h': 
'128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 31959, 'rtt': 0.004681110382080078, 'query': 'play.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.251.40.110'], 'TTLs': [146.0], 'rejected': False}\n", + "{'ts': 1707768191.048922, 'uid': 'CRIWT14xS4EAgxXF7d', 'id.orig_h': '10.19.235.169', 'id.orig_p': 59923, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 53158, 'rtt': 0.0053980350494384766, 'query': 'www.linkedin.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['www-linkedin-com.l-0005.l-msedge.net', 'l-0005.l-msedge.net', '13.107.42.14'], 'TTLs': [16.0, 202.0, 202.0], 'rejected': False}\n", + "{'ts': 1707768191.049025, 'uid': 'CQ5rRY1XXDXlVxtoM2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 53418, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 21384, 'rtt': 0.0052950382232666016, 'query': 'www.linkedin.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['www-linkedin-com.l-0005.l-msedge.net', 'l-0005.l-msedge.net'], 'TTLs': [16.0, 202.0], 'rejected': False}\n", + "{'ts': 1707768191.186603, 'uid': 'CYJwLXnMBelg5gI6k', 'id.orig_h': '10.19.235.169', 'id.orig_p': 59399, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 20343, 'rtt': 0.11486697196960449, 'query': 'config.extension.grammarly.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['d27xxe7juh1us6.cloudfront.net', '108.138.106.48', '108.138.106.79', '108.138.106.93', 
'108.138.106.51'], 'TTLs': [132.0, 43.0, 43.0, 43.0, 43.0], 'rejected': False}\n", + "{'ts': 1707768191.186662, 'uid': 'C56WuV9JNjVzhtfU2', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63414, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 53130, 'rtt': 0.11630797386169434, 'query': 'config.extension.grammarly.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['d27xxe7juh1us6.cloudfront.net'], 'TTLs': [132.0], 'rejected': False}\n", + "{'ts': 1707768192.957792, 'uid': 'Cclm5c2zlZmfQSVqF6', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60136, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 60724, 'query': 'ssl.gstatic.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768192.957682, 'uid': 'CMNVT34JKVDdLP5dCe', 'id.orig_h': '10.19.235.169', 'id.orig_p': 50340, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 23065, 'rtt': 0.004062175750732422, 'query': 'ssl.gstatic.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.250.65.163'], 'TTLs': [290.0], 'rejected': False}\n", + "{'ts': 1707768208.284169, 'uid': 'CeFu4e4wsYwUUlGDGd', 'id.orig_h': '10.19.235.169', 'id.orig_p': 61766, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 8541, 'rtt': 0.0075609683990478516, 'query': 'clients4.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['clients.l.google.com'], 'TTLs': [46.0], 'rejected': False}\n", 
+ "{'ts': 1707768208.284079, 'uid': 'CwvFDa3uVt13JFb1Ad', 'id.orig_h': '10.19.235.169', 'id.orig_p': 49923, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 14154, 'rtt': 0.0076520442962646484, 'query': 'clients4.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['clients.l.google.com', '142.251.41.14'], 'TTLs': [46.0, 116.0], 'rejected': False}\n", + "{'ts': 1707768211.639575, 'uid': 'Cc8ku044193K5nFUh3', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.00013709068298339844, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 32769, 'qclass_name': 'qclass-32769', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768211.640876, 'uid': 'C9n0yl2Fx3cJsUdFii', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 2.09808349609375e-05, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 32769, 'qclass_name': 'qclass-32769', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768211.640893, 'uid': 'C9n0yl2Fx3cJsUdFii', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 1.0967254638671875e-05, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 32769, 'qclass_name': 'qclass-32769', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 
'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768211.890166, 'uid': 'C9n0yl2Fx3cJsUdFii', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.5014240741729736, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': 
False}\n", + "{'ts': 1707768211.890267, 'uid': 'Cc8ku044193K5nFUh3', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.5013589859008789, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768212.140118, 'uid': 'C9n0yl2Fx3cJsUdFii', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 
'proto': 'udp', 'trans_id': 0, 'rtt': 0.5104920864105225, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768212.140148, 'uid': 'Cc8ku044193K5nFUh3', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.5104641914367676, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", + "{'ts': 1707768212.650607, 'uid': 'C9n0yl2Fx3cJsUdFii', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.7415308952331543, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 
md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768212.650611, 'uid': 'Cc8ku044193K5nFUh3', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.7415611743927002, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', 'b0be837f6794@zoe’s macbook 
pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768214.650975, 'uid': 'C9n0yl2Fx3cJsUdFii', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 
rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768214.650999, 'uid': 'Cc8ku044193K5nFUh3', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 
model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768218.654082, 'uid': 'C9n0yl2Fx3cJsUdFii', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 
4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768218.654274, 'uid': 'Cc8ku044193K5nFUh3', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['TXT 5 act=2 TXT 5 acl=0 TXT 26 deviceid=B0:BE:83:7F:67:94 TXT 18 fex=1c9/St5PFbgmIQ TXT 30 features=0x4A7FCFD5,0xB8154FDE TXT 7 rsf=0x8 TXT 11 flags=0x204 TXT 40 gid=83D29BEA-9EDF-4CE4-8113-618C319EA398 TXT 5 igl=0 TXT 6 gcgl=0 TXT 20 model=MacBookPro17,1 TXT 4 at=4 TXT 13 protovers=1.1 TXT 39 pi=0d73805e-a022-4fe2-9323-2c4915b3e6c0 TXT 40 psi=E21119A6-C8D0-43AA-B153-8639F6930163 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 15 srcvers=675.4.1', '_airplay._tcp.local', 'zoe’s macbook pro._airplay._tcp.local', 'TXT 10 cn=0,1,2,3 TXT 7 da=true TXT 8 et=0,3,5 TXT 24 ft=0x4A7FCFD5,0xB8154FDE TXT 8 sf=0x204 TXT 8 md=0,1,2 TXT 17 am=MacBookPro17,1 TXT 67 pk=d0373a13b98091c23485d20e25b6c805e87108a1c9c0b90ab7c51ffd08629b99 TXT 6 tp=UDP TXT 8 vn=65537 TXT 10 vs=675.4.1 TXT 4 vv=0', '_raop._tcp.local', 'b0be837f6794@zoe’s macbook pro._raop._tcp.local', 'zoes-macbook-pro.local', 'zoes-macbook-pro.local', 'TXT 7 rpMac=0 TXT 17 rpHN=9206df938c12 TXT 12 rpFl=0x20000 TXT 17 rpHA=978b2124cdf4 TXT 10 rpVr=430.3 TXT 17 rpAD=3082e2d679c5 TXT 17 rpHI=24ea5044a311 TXT 22 rpBA=8C:38:0A:AA:0B:9A', '_companion-link._tcp.local', 'zoe’s macbook pro._companion-link._tcp.local', 'TXT 20 model=MacBookPro17,1 TXT 10 osxvers=22 TXT 8 icolor=2', 'zoes-macbook-pro.local'], 'TTLs': [4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0, 120.0, 4500.0, 4500.0, 4500.0, 4500.0, 120.0], 'rejected': False}\n", + "{'ts': 1707768230.893679, 'uid': 'CMpH0U22mjw7txOwSg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 54707, 
'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 22870, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com'], 'TTLs': [247.0, 163.0], 'rejected': False}\n", + "{'ts': 1707768230.893679, 'uid': 'CXff902tWyV6AA6X4g', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63399, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 21698, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com', '35.201.100.119'], 'TTLs': [247.0, 163.0, 168.0], 'rejected': False}\n", + "{'ts': 1707768239.962227, 'uid': 'CWjUv94qtMUT6aYnpi', 'id.orig_h': '10.19.235.169', 'id.orig_p': 53518, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 15898, 'query': 'docs.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768239.962125, 'uid': 'CudCK43BK9D7x9vPIc', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60236, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 8292, 'rtt': 0.0038809776306152344, 'query': 'docs.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.251.40.238'], 'TTLs': [151.0], 'rejected': False}\n", + "{'ts': 1707768258.322417, 'uid': 'ClPPlc4mFj27oP97a8', 'id.orig_h': '10.19.235.169', 'id.orig_p': 52477, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 
'proto': 'udp', 'trans_id': 5845, 'rtt': 0.010509967803955078, 'query': 'www.youtube.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['youtube-ui.l.google.com'], 'TTLs': [218.0], 'rejected': False}\n", + "{'ts': 1707768258.322297, 'uid': 'C6sTLv1ckVjyDwwq5k', 'id.orig_h': '10.19.235.169', 'id.orig_p': 53623, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 57915, 'rtt': 0.01063084602355957, 'query': 'www.youtube.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['youtube-ui.l.google.com', '142.250.80.110', '142.250.176.206', '142.251.40.206', '142.250.65.238', '142.250.81.238', '142.251.41.14', '142.251.32.110', '142.251.35.174', '142.251.40.110', '142.251.40.142', '142.251.40.174', '142.250.64.110', '142.250.72.110', '142.250.80.14', '142.250.80.46', '142.250.80.78'], 'TTLs': [218.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0, 220.0], 'rejected': False}\n", + "{'ts': 1707768251.734881, 'uid': 'CQS3Zs29MFlKhbw0Eb', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768251.734923, 'uid': 'C07qn71K4tfzB1m934', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + 
"{'ts': 1707768268.115842, 'uid': 'Cwjq1V2nwnyr9M4iA3', 'id.orig_h': '10.19.235.169', 'id.orig_p': 54497, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 12463, 'query': 'i.ytimg.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768268.115783, 'uid': 'CpFyNkRg7a585tL7f', 'id.orig_h': '10.19.235.169', 'id.orig_p': 50325, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 22427, 'rtt': 0.006042957305908203, 'query': 'i.ytimg.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.250.65.246', '142.250.81.246', '142.251.41.22', '142.251.32.118', '142.251.35.182', '142.251.40.118', '142.251.40.150', '142.251.40.182', '142.250.64.118', '142.250.72.118', '142.250.80.54', '142.250.176.214', '142.251.40.214', '142.251.40.246', '142.250.65.182', '142.250.65.214'], 'TTLs': [186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0, 186.0], 'rejected': False}\n", + "{'ts': 1707768271.955977, 'uid': 'CwZuFw4DLCukiLptei', 'id.orig_h': '10.19.235.169', 'id.orig_p': 59682, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 46522, 'rtt': 0.008795976638793945, 'query': 'www.linkedin.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['www-linkedin-com.l-0005.l-msedge.net', 'l-0005.l-msedge.net'], 'TTLs': [234.0, 122.0], 'rejected': False}\n", + "{'ts': 1707768271.955856, 'uid': 'CVuPNUlPD2GpLFCi8', 'id.orig_h': '10.19.235.169', 'id.orig_p': 53671, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 22895, 'rtt': 
0.008917808532714844, 'query': 'www.linkedin.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['www-linkedin-com.l-0005.l-msedge.net', 'l-0005.l-msedge.net', '13.107.42.14'], 'TTLs': [234.0, 122.0, 122.0], 'rejected': False}\n", + "{'ts': 1707768283.961244, 'uid': 'C6Q45w47IADF5eSDGg', 'id.orig_h': '10.19.235.169', 'id.orig_p': 49198, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 26270, 'query': 'ssl.gstatic.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768283.961177, 'uid': 'CO9COB1om0mKlPU427', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60772, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 8928, 'rtt': 0.010110855102539062, 'query': 'ssl.gstatic.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.250.65.163'], 'TTLs': [199.0], 'rejected': False}\n", + "{'ts': 1707768285.370859, 'uid': 'CwZ4DT9iZkGBIIi42', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63799, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 27169, 'query': 'matrix.hsrn.nyu.edu', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768285.370792, 'uid': 'CCUolX1uUhbV90jFh3', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58309, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 24840, 'rtt': 0.0048182010650634766, 'query': 'matrix.hsrn.nyu.edu', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 
'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['216.165.12.42'], 'TTLs': [86400.0], 'rejected': False}\n", + "{'ts': 1707768298.358392, 'uid': 'Cm4WRr1kukdSESxfWl', 'id.orig_h': '10.19.235.169', 'id.orig_p': 50826, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 42909, 'rtt': 0.00412297248840332, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com'], 'TTLs': [179.0, 95.0], 'rejected': False}\n", + "{'ts': 1707768298.358307, 'uid': 'CQqM5y4UR7UGf3cpo', 'id.orig_h': '10.19.235.169', 'id.orig_p': 55469, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 58844, 'rtt': 0.004208087921142578, 'query': 'beacons.gcp.gvt2.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['beacons-handoff.gcp.gvt2.com', 'gce-beacons.gcp.gvt2.com', '35.201.100.119'], 'TTLs': [179.0, 95.0, 100.0], 'rejected': False}\n", + "{'ts': 1707768299.966229, 'uid': 'CAlXeh60wXmAHS50f', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60948, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 37294, 'rtt': 0.010381937026977539, 'query': 'az764295.vo.msecnd.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 28, 'qtype_name': 'AAAA', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['cs22.wpc.v0cdn.net'], 'TTLs': [3471.0], 'rejected': False}\n", + "{'ts': 1707768299.966307, 'uid': 'CY3Isw2j6ALKK0Dx1j', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60374, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 15296, 'rtt': 0.010305166244506836, 
'query': 'az764295.vo.msecnd.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['cs22.wpc.v0cdn.net'], 'TTLs': [3471.0], 'rejected': False}\n", + "{'ts': 1707768299.966262, 'uid': 'C8Ipyl1XHbL0gcbox1', 'id.orig_h': '10.19.235.169', 'id.orig_p': 57584, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 9658, 'rtt': 0.01034998893737793, 'query': 'az764295.vo.msecnd.net', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['cs22.wpc.v0cdn.net', '152.199.4.33'], 'TTLs': [3471.0, 3487.0], 'rejected': False}\n", + "{'ts': 1707768314.499201, 'uid': 'CNQvG4mFcLlcNyjWf', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58332, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 43714, 'rtt': 0.007024049758911133, 'query': 'rr2---sn-ab5l6nrd.googlevideo.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['rr2.sn-ab5l6nrd.googlevideo.com', '173.194.31.7'], 'TTLs': [1436.0, 451.0], 'rejected': False}\n", + "{'ts': 1707768314.4993, 'uid': 'CmRC7e1SPcc4Fb5xAk', 'id.orig_h': '10.19.235.169', 'id.orig_p': 53470, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 39390, 'rtt': 0.01618504524230957, 'query': 'rr2---sn-ab5l6nrd.googlevideo.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['rr2.sn-ab5l6nrd.googlevideo.com'], 'TTLs': [1436.0], 'rejected': False}\n", + "{'ts': 1707768328.101499, 'uid': 'CzCUgL3H5ffsY8Pc2i', 'id.orig_h': '10.19.235.169', 'id.orig_p': 62761, 'id.resp_h': 
'128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 11019, 'rtt': 0.004101991653442383, 'query': 'apidata.googleusercontent.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['googlehosted.l.googleusercontent.com'], 'TTLs': [18.0], 'rejected': False}\n", + "{'ts': 1707768328.101528, 'uid': 'Cft5lek1rqV6mlF26', 'id.orig_h': '10.19.235.169', 'id.orig_p': 63067, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 24581, 'rtt': 0.0040740966796875, 'query': 'apidata.googleusercontent.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['googlehosted.l.googleusercontent.com', '142.251.40.97'], 'TTLs': [18.0, 138.0], 'rejected': False}\n", + "{'ts': 1707768328.108973, 'uid': 'CmziFZkI89kzCEN31', 'id.orig_h': '10.19.235.169', 'id.orig_p': 59520, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 58952, 'query': 'googlehosted.l.googleusercontent.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768332.896213, 'uid': 'CoVmED2RAXbutegvmd', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768332.896215, 'uid': 'CoVmED2RAXbutegvmd', 'id.orig_h': '10.19.235.169', 'id.orig_p': 5353, 'id.resp_h': '224.0.0.251', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 
'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768332.896548, 'uid': 'CVoUx1SG7PpILjwt2', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768332.89655, 'uid': 'CVoUx1SG7PpILjwt2', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768332.896562, 'uid': 'CVoUx1SG7PpILjwt2', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", + "{'ts': 1707768332.896568, 'uid': 'CVoUx1SG7PpILjwt2', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'query': '_homekit._tcp.local', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 12, 'qtype_name': 'PTR', 'AA': False, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'rejected': False}\n", "{'ts': 1707768371.076297, 'uid': 'CTNKRA4aDKFfoXpTMj', 'id.orig_h': '10.19.235.169', 'id.orig_p': 58391, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 16572, 'query': 'play.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 65, 'qtype_name': 'HTTPS', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 
'TC': False, 'RD': True, 'RA': False, 'Z': 0, 'rejected': False}\n", "{'ts': 1707768371.075662, 'uid': 'C1O1o04Ekt2H6aGMy6', 'id.orig_h': '10.19.235.169', 'id.orig_p': 60690, 'id.resp_h': '128.122.0.71', 'id.resp_p': 53, 'proto': 'udp', 'trans_id': 28476, 'rtt': 0.2589890956878662, 'query': 'play.google.com', 'qclass': 1, 'qclass_name': 'C_INTERNET', 'qtype': 1, 'qtype_name': 'A', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': False, 'TC': False, 'RD': True, 'RA': True, 'Z': 0, 'answers': ['142.251.40.110'], 'TTLs': [264.0], 'rejected': False}\n", "{'ts': 1707768373.944015, 'uid': 'Cy06NI24DUg3Wb1YQe', 'id.orig_h': 'fe80::17:2915:d910:f37', 'id.orig_p': 5353, 'id.resp_h': 'ff02::fb', 'id.resp_p': 5353, 'proto': 'udp', 'trans_id': 0, 'rtt': 0.00015687942504882812, 'query': 'zoe’s macbook pro._companion-link._tcp.local', 'qclass': 32769, 'qclass_name': 'qclass-32769', 'qtype': 255, 'qtype_name': '*', 'rcode': 0, 'rcode_name': 'NOERROR', 'AA': True, 'TC': False, 'RD': False, 'RA': False, 'Z': 0, 'answers': ['_airplay._tcp.local', '_raop._tcp.local'], 'TTLs': [4500.0, 4500.0], 'rejected': False}\n", 
@@ -3485,7 +5763,539 @@ }, { "cell_type": "code", - "execution_count": 296, + "execution_count": 296, + "metadata": {}, + "outputs": [], + "source": [ + "#utils \n", + "import ipaddress\n", + "def one_hot_encode(df, column_name):\n", + " for col in column_name:\n", + " if col in df.columns:\n", + " df = pd.get_dummies(data=df, columns=[col])\n", + " return df\n", + "\n", + "def create_broadcast_variable(new_df):\n", + " # create broadcast variable\n", + " # can have more than one broadcast address\n", + " #255 is the broadcast address for ipv4 \n", + " if 'id.resp_h' in new_df.columns:\n", + " new_df['is_destination_broadcast'] = new_df['id.resp_h'].apply(lambda x: 1 if \"255\" in x[-3:] else 0) \n", + " return new_df\n", + "\n", + "def create_direction_variable(new_df):\n", + " # #create traffic direction variable\n", + " new_df['traffic_direction'] = new_df.apply(lambda x: get_traffic_direction(x['id.orig_h'], x['id.resp_h']), axis=1) \n", + " return new_df\n", + "\n", + "\n", + "def get_traffic_direction(source_ip, destination_ip):\n", + " \"\"\"\n", + " Takes a source and destination IP address and returns the direction of the traffic.\n", + " Please ensure the source and destination are correct as this is useless without the verification of the parameters.\n", + "\n", + " Parameters\n", + " ----------\n", + " source_ip: str\n", + " Source IP address of the flow.\n", + " destination_ip: str\n", + " Destination IP address of the flow.\n", + " \n", + " Returns\n", + " -------\n", + " str: string indicating the direction. 
Can be 'internal', 'outgoing', 'incoming' or 'external'.\n", + " \"\"\"\n", + " src_ip = ipaddress.ip_address(source_ip) \n", + " dest_ip = ipaddress.ip_address(destination_ip) \n", + " if src_ip.version == 6 or dest_ip.version ==6:\n", + " return \"IPv6\"\n", + " \n", + " if is_private_ip(source_ip) and is_private_ip(destination_ip):\n", + " return \"internal\"\n", + " elif is_private_ip(source_ip) and not is_private_ip(destination_ip):\n", + " return \"outgoing\"\n", + " elif not is_private_ip(source_ip) and is_private_ip(destination_ip):\n", + " return \"incoming\"\n", + " else:\n", + " return \"external\"\n", + "\n", + "# def is_private_ip(ip_str):\n", + "# \"\"\"\n", + "# Takes an IP string and returns whether the IP is private or not per RFC 1918.\n", + "\n", + "# Parameters\n", + "# ----------\n", + "# ip_str: str\n", + "# String of an IP address.\n", + "\n", + "# Returns\n", + "# -------\n", + "# bool: a bool of whether or not the IP is private. \n", + "# \"\"\"\n", + "# octets = [int(x) for x in ip_str.split(\".\")]\n", + "# if octets[0] == 10 \\\n", + "# or (octets[0] == 172 and 16 <= octets[1] <= 31) \\\n", + "# or (octets[0] == 192 and octets[1] == 168):\n", + "# return True\n", + "# else:\n", + "# return False\n", + " \n", + "\n", + "\n", + "def is_private_ip(ip_str):\n", + " \"\"\"\n", + " Takes an IP string and returns whether the IP is private or not per RFC 1918.\n", + "\n", + " Parameters\n", + " ----------\n", + " ip_str: str\n", + " String of an IP address.\n", + "\n", + " Returns\n", + " -------\n", + " bool: a bool of whether or not the IP is private.\n", + " \"\"\"\n", + " try:\n", + " ip = ipaddress.ip_address(ip_str)\n", + " if ip.version == 4:\n", + " return ip.is_private\n", + " else:\n", + " return False # Ignore IPv6 addresses\n", + " except ValueError:\n", + " return False # Invalid IP address format\n", + "\n", + "def makedf_samecol(cols, new_df):\n", + " #Create these columns if they are not present in the original df and fill them 
with 0s. \n", + " # Ensure that all the specified columns are present even if they are not present in the original df. \n", + "\n", + " for col in cols:\n", + " if col not in new_df.columns:\n", + " new_df[col] = 0\n", + " return new_df[cols]" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "#conn + Four other logs: dns, http, ssl, ssh \n", + "#for dns: proto (str), rtt(float), qclass(num as type), qtype(str), rcode(numeric 0-9), AA (str, true or false), TC(str, true or false), RD(str, true or false), RA(str, true or false), Z, rejected(str, true or false) \n", + "TODO: check what is the value of Z, and do we need domain name. check what might not be in the logs (so far: rcode,rtt )\n", + "#for http: trans_depth, method, \n" + ] + }, + { + "cell_type": "code", + "execution_count": 297, + "metadata": {}, + "outputs": [], + "source": [ + "features = ['id.orig_h', \"id.resp_h\", \"proto\", \"rtt\",\"qclass_name\", \"qtype_name\",\"rcode_name\",\n", + " \"AA\",\"TC\",\"RD\",\"RA\", \"rejected\"]\n", + " \n", + "data_list = []\n", + "for line in json_data_file.splitlines():\n", + " # log_entry is now a single json log from the file\n", + " log_entry = json.loads(line.strip())\n", + " \n", + " # Check if each feature is present in the log_entry\n", + " feature_values = [log_entry.get(feature, None) for feature in features]\n", + " data_list.append(feature_values)\n", + "\n", + "df = pd.DataFrame(data_list, columns=features)" + ] + }, + { + "cell_type": "code", + "execution_count": 298, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "Index(['id.orig_h', 'id.resp_h', 'proto', 'rtt', 'qclass_name', 'qtype_name',\n", + " 'rcode_name', 'AA', 'TC', 'RD', 'RA', 'rejected'],\n", + " dtype='object')" + ] + }, + "execution_count": 298, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "df.columns" + ] + }, + { + "cell_type": "code", + "execution_count": 299, + "metadata": {}, + "outputs": [ + { + "data": { 
+ "text/plain": [ + "NOERROR 1860\n", + "NXDOMAIN 12\n", + "Name: rcode_name, dtype: int64" + ] + }, + "execution_count": 299, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "df['rcode_name'].value_counts()\n", + "#there are total of 1984 rows \n", + "# NOERROR 1860\n", + "# NXDOMAIN 12" + ] + }, + { + "cell_type": "code", + "execution_count": 300, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Null count for id.orig_h: 0\n", + "Null count for id.resp_h: 0\n", + "Null count for proto: 0\n", + "Null count for rtt: 736\n", + "Null count for qclass_name: 73\n", + "Null count for qtype_name: 73\n", + "Null count for rcode_name: 112\n", + "Null count for AA: 0\n", + "Null count for TC: 0\n", + "Null count for RD: 0\n", + "Null count for RA: 0\n", + "Null count for rejected: 0\n" + ] + } + ], + "source": [ + "#This code checks for null values in each feature\n", + "has_null = []\n", + "for feature in df.columns:\n", + " null_count = df[feature].isnull().sum()\n", + " print(f\"Null count for {feature}: {null_count}\") \n", + " if null_count:\n", + " has_null.append(feature)\n", + "\n", + "# Create a variable for each feature that contains null, with the column name \"has_null_featurename\"\n", + "for feature in has_null: \n", + " df[f'has_{feature}'] = df[feature].notnull().astype(int)\n" + ] + }, + { + "cell_type": "code", + "execution_count": 301, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "['rtt', 'qclass_name', 'qtype_name', 'rcode_name']" + ] + }, + "execution_count": 301, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "has_null " + ] + }, + { + "cell_type": "code", + "execution_count": 302, + "metadata": {}, + "outputs": [], + "source": [ + "#create broadcast and direction variables\n", + "df = create_broadcast_variable(df)\n", + "df = create_direction_variable(df)" + ] + }, + { + "cell_type": "code", + "execution_count": 303, + 
"metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "(1984,)\n", + "outgoing 1682\n", + "IPv6 302\n", + "Name: traffic_direction, dtype: int64\n", + "0\n" + ] + } + ], + "source": [ + "print(df['traffic_direction'].shape)\n", + "print(df['traffic_direction'].value_counts())\n", + "print(df['traffic_direction'].isnull().sum())" + ] + }, + { + "cell_type": "code", + "execution_count": 305, + "metadata": {}, + "outputs": [], + "source": [ + "#one hot encode qtype, qclass, rcode_name\n", + "column_name = ['proto','qtype_name','qclass_name','rcode_name','traffic_direction']\n", + "df = one_hot_encode(df, column_name)" + ] + }, + { + "cell_type": "code", + "execution_count": 306, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "Index(['id.orig_h', 'id.resp_h', 'rtt', 'AA', 'TC', 'RD', 'RA', 'rejected',\n", + " 'has_rtt', 'has_qclass_name', 'has_qtype_name', 'has_rcode_name',\n", + " 'is_destination_broadcast', 'proto_udp', 'qtype_name_*', 'qtype_name_A',\n", + " 'qtype_name_AAAA', 'qtype_name_HTTPS', 'qtype_name_PTR',\n", + " 'qclass_name_C_INTERNET', 'qclass_name_qclass-32769',\n", + " 'rcode_name_NOERROR', 'rcode_name_NXDOMAIN', 'traffic_direction_IPv6',\n", + " 'traffic_direction_outgoing'],\n", + " dtype='object')" + ] + }, + "execution_count": 306, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "df.columns" + ] + }, + { + "cell_type": "code", + "execution_count": 307, + "metadata": {}, + "outputs": [], + "source": [ + "#encode boolean features \n", + "boolean_to_convert = ['AA', 'TC', 'RD', 'RA', 'rejected']\n", + "df[boolean_to_convert] = df[boolean_to_convert].astype(int)\n" + ] + }, + { + "cell_type": "code", + "execution_count": 308, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "Index(['id.orig_h', 'id.resp_h', 'rtt', 'AA', 'TC', 'RD', 'RA', 'rejected',\n", + " 'has_rtt', 'has_qclass_name', 'has_qtype_name', 'has_rcode_name',\n", + " 
'is_destination_broadcast', 'proto_udp', 'qtype_name_*', 'qtype_name_A',\n", + " 'qtype_name_AAAA', 'qtype_name_HTTPS', 'qtype_name_PTR',\n", + " 'qclass_name_C_INTERNET', 'qclass_name_qclass-32769',\n", + " 'rcode_name_NOERROR', 'rcode_name_NXDOMAIN', 'traffic_direction_IPv6',\n", + " 'traffic_direction_outgoing'],\n", + " dtype='object')" + ] + }, + "execution_count": 308, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "df.columns" + ] + }, + { + "cell_type": "code", + "execution_count": 309, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Null count for id.orig_h: 0\n", + "Null count for id.resp_h: 0\n", + "Null count for rtt: 736\n", + "Null count for AA: 0\n", + "Null count for TC: 0\n", + "Null count for RD: 0\n", + "Null count for RA: 0\n", + "Null count for rejected: 0\n", + "Null count for has_rtt: 0\n", + "Null count for has_qclass_name: 0\n", + "Null count for has_qtype_name: 0\n", + "Null count for has_rcode_name: 0\n", + "Null count for is_destination_broadcast: 0\n", + "Null count for proto_udp: 0\n", + "Null count for qtype_name_*: 0\n", + "Null count for qtype_name_A: 0\n", + "Null count for qtype_name_AAAA: 0\n", + "Null count for qtype_name_HTTPS: 0\n", + "Null count for qtype_name_PTR: 0\n", + "Null count for qclass_name_C_INTERNET: 0\n", + "Null count for qclass_name_qclass-32769: 0\n", + "Null count for rcode_name_NOERROR: 0\n", + "Null count for rcode_name_NXDOMAIN: 0\n", + "Null count for traffic_direction_IPv6: 0\n", + "Null count for traffic_direction_outgoing: 0\n" + ] + } + ], + "source": [ + "for feature in df.columns:\n", + " null_count = df[feature].isnull().sum()\n", + " print(f\"Null count for {feature}: {null_count}\") " + ] + }, + { + "cell_type": "code", + "execution_count": 310, + "metadata": {}, + "outputs": [], + "source": [ + "#fillna with 0s:rtt\n", + "columns_to_fill_with_zeros = ['rtt']\n", + "df[columns_to_fill_with_zeros] = 
df[columns_to_fill_with_zeros].fillna(0)" + ] + }, + { + "cell_type": "code", + "execution_count": 311, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Null count for id.orig_h: 0\n", + "Null count for id.resp_h: 0\n", + "Null count for rtt: 0\n", + "Null count for AA: 0\n", + "Null count for TC: 0\n", + "Null count for RD: 0\n", + "Null count for RA: 0\n", + "Null count for rejected: 0\n", + "Null count for has_rtt: 0\n", + "Null count for has_qclass_name: 0\n", + "Null count for has_qtype_name: 0\n", + "Null count for has_rcode_name: 0\n", + "Null count for is_destination_broadcast: 0\n", + "Null count for proto_udp: 0\n", + "Null count for qtype_name_*: 0\n", + "Null count for qtype_name_A: 0\n", + "Null count for qtype_name_AAAA: 0\n", + "Null count for qtype_name_HTTPS: 0\n", + "Null count for qtype_name_PTR: 0\n", + "Null count for qclass_name_C_INTERNET: 0\n", + "Null count for qclass_name_qclass-32769: 0\n", + "Null count for rcode_name_NOERROR: 0\n", + "Null count for rcode_name_NXDOMAIN: 0\n", + "Null count for traffic_direction_IPv6: 0\n", + "Null count for traffic_direction_outgoing: 0\n" + ] + } + ], + "source": [ + "for feature in df.columns:\n", + " null_count = df[feature].isnull().sum()\n", + " print(f\"Null count for {feature}: {null_count}\") " + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "#TODO: to be confirmed once EDA is done\n", + "dns_cols = ['rtt', 'AA', 'TC', 'RD', 'RA', 'rejected',\n", + " 'has_rtt', 'has_qclass_name', 'has_qtype_name', 'has_rcode_name',\n", + " 'is_destination_broadcast', \n", + " 'proto_tcp', 'proto_udp',\n", + " 'qtype_name_*', 'qtype_name_A',\n", + " 'qtype_name_AAAA', 'qtype_name_HTTPS', 'qtype_name_PTR',\n", + " 'qclass_name_C_INTERNET', 'qclass_name_qclass-32769',\n", + " 'rcode_name_NOERROR', 'rcode_name_NXDOMAIN', \n", + " 'traffic_direction_IPv6',\n", + " 
'traffic_direction_external','traffic_direction_incoming', \n", + " 'traffic_direction_internal','traffic_direction_outgoing']\n" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## http" + ] + }, + { + "cell_type": "code", + "execution_count": 338, + "metadata": {}, + "outputs": [], + "source": [ + "current_dir_path = '/usr/local/logs/2024-02-12'\n", + "if not os.path.islink(current_dir_path):\n", + " # sub_dir is now any given historical data directory \n", + " logging.info(f\"Checking {current_dir_path}\")\n", + " for file in os.listdir(current_dir_path):\n", + " # file is now any given file in the historical data directory\n", + " current_file_path = os.path.join(current_dir_path, file)\n", + " if \"http.\" in file: #conn.\n", + " # get the whole file in memory\n", + " logging.info(f\"Opening file {current_file_path}\")\n", + " json_data_file = ungzip(current_file_path)\n", + " # print(current_file_path)\n", + " # print(json_data_file)" + ] + }, + { + "cell_type": "code", + "execution_count": 339, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "{'ts': 1707721209.155077, 'uid': 'CGpf9R1APvMKSdDIn2', 'id.orig_h': '192.168.0.109', 'id.orig_p': 57562, 'id.resp_h': '192.168.0.168', 'id.resp_p': 7000, 'trans_depth': 1, 'method': 'GET', 'uri': '/info?txtAirPlay&txtRAOP RTSP/1.', 'version': '0.9', 'request_body_len': 0, 'response_body_len': 1754, 'status_code': 0, 'status_msg': '', 'tags': [], 'resp_fuids': ['FuhWEF48bHYDzu07H7'], 'resp_mime_types': ['text/plain']}\n", + "{'ts': 1707721241.169723, 'uid': 'Cyl3PW2wswIPW1tjY7', 'id.orig_h': '192.168.0.168', 'id.orig_p': 62770, 'id.resp_h': '17.253.3.220', 'id.resp_p': 80, 'trans_depth': 1, 'method': 'CONNECT', 'host': 'proxy-safebrowsing.googleapis.com', 'uri': 'proxy-safebrowsing.googleapis.com:443', 'version': '1.1', 'request_body_len': 0, 'response_body_len': 0, 'status_code': 200, 'status_msg': 'OK', 'tags': [], 'proxied': ['PROXY-CONNECTION 
-> keep-alive']}\n", + "{'ts': 1707723317.563444, 'uid': 'CNKryg21vxMXbO22ud', 'id.orig_h': '192.168.0.168', 'id.orig_p': 62836, 'id.resp_h': '17.253.3.217', 'id.resp_p': 80, 'trans_depth': 1, 'method': 'CONNECT', 'host': 'proxy-safebrowsing.googleapis.com', 'uri': 'proxy-safebrowsing.googleapis.com:443', 'version': '1.1', 'request_body_len': 0, 'response_body_len': 0, 'status_code': 200, 'status_msg': 'OK', 'tags': [], 'proxied': ['PROXY-CONNECTION -> keep-alive']}\n", + "{'ts': 1707723874.272749, 'uid': 'COrdGv2boj5FF9jb4g', 'id.orig_h': '192.168.0.168', 'id.orig_p': 62862, 'id.resp_h': '192.229.211.108', 'id.resp_p': 80, 'trans_depth': 1, 'method': 'GET', 'host': 'ocsp.digicert.com', 'uri': '/ME8wTTBLMEkwRzAHBgUrDgMCGgQU36oS4yixCUGT4p9Cgs5HQEKVWKMEFLE+w2kD+L9HAdSYJhoIAu9jZCvDAhAHF3kRAF0iZ/aIkvaPi1BY', 'version': '1.1', 'user_agent': 'com.apple.trustd/3.0', 'request_body_len': 0, 'response_body_len': 471, 'status_code': 200, 'status_msg': 'OK', 'tags': [], 'resp_fuids': ['FXJjLH1Q0muVZIJtK2'], 'resp_mime_types': ['application/ocsp-response']}\n", + "{'ts': 1707723874.30856, 'uid': 'CYA8ZH3cjTZmLTsT76', 'id.orig_h': '192.168.0.168', 'id.orig_p': 62863, 'id.resp_h': '192.229.211.108', 'id.resp_p': 80, 'trans_depth': 1, 'method': 'GET', 'host': 'ocsp.digicert.com', 'uri': '/ME8wTTBLMEkwRzAHBgUrDgMCGgQU6468nUcrfgKRdxkj8qXxwcUeV7UEFLPbSKT5ocXYrjZBzBFjaWIpvEvGAhAMq6rRzsTpfMJmWIHQITj3', 'version': '1.1', 'user_agent': 'com.apple.trustd/3.0', 'request_body_len': 0, 'response_body_len': 313, 'status_code': 200, 'status_msg': 'OK', 'tags': [], 'resp_fuids': ['FVnAHV1mDu8ovZHRDk'], 'resp_mime_types': ['application/ocsp-response']}\n", + "{'ts': 1707723884.485396, 'uid': 'Cn0vgR2nRErSEBdQ4e', 'id.orig_h': '192.168.0.168', 'id.orig_p': 62869, 'id.resp_h': '192.229.211.108', 'id.resp_p': 80, 'trans_depth': 1, 'method': 'GET', 'host': 'ocsp.digicert.com', 'uri': '/ME8wTTBLMEkwRzAHBgUrDgMCGgQUwS9Fdu0VWeywXbqJv52AeOUj1BMEFOWdWTCCR1jMrPoIVDaGezq1BE3wAhAFUsfv/uwpK6nxOHsHr5Kf', 
'version': '1.1', 'user_agent': 'com.apple.trustd/3.0', 'request_body_len': 0, 'response_body_len': 1507, 'status_code': 200, 'status_msg': 'OK', 'tags': [], 'resp_fuids': ['FZFKD24tfKS5axsJE9'], 'resp_mime_types': ['application/ocsp-response']}\n", + "{'ts': 1707723884.499973, 'uid': 'CrY9MN1TtY5DJrtgoe', 'id.orig_h': '192.168.0.168', 'id.orig_p': 62870, 'id.resp_h': '142.251.32.99', 'id.resp_p': 80, 'trans_depth': 1, 'method': 'GET', 'host': 'ocsp.pki.goog', 'uri': '/gts1c3/ME8wTTBLMEkwRzAHBgUrDgMCGgQUxy55it3/YTSzuu1HQri7xsAkB2MEFIp0f6+Fze6VzT2c0OJGFPNxNR0nAhBm0ojwKPEI9Qm520f6UYyj', 'version': '1.1', 'user_agent': 'com.apple.trustd/3.0', 'request_body_len': 0, 'response_body_len': 471, 'status_code': 200, 'status_msg': 'OK', 'tags': [], 'resp_fuids': ['FFdsbTNBU4QIU5Nia'], 'resp_mime_types': ['application/ocsp-response']}\n", + "{'ts': 1707723884.500895, 'uid': 'C5I46p4mxDkmK39woh', 'id.orig_h': '192.168.0.168', 'id.orig_p': 62871, 'id.resp_h': '142.251.32.99', 'id.resp_p': 80, 'trans_depth': 1, 'method': 'GET', 'host': 'ocsp.pki.goog', 'uri': '/gtsr1/MEwwSjBIMEYwRDAHBgUrDgMCGgQUMJHC1g+C6hie2xOwdV2bBG5n8FAEFOSvKyZxGitIJ4UvUmYs7/CJE3E+Ag0CA7xTWWs0xxj1AVBm', 'version': '1.1', 'user_agent': 'com.apple.trustd/3.0', 'request_body_len': 0, 'response_body_len': 724, 'status_code': 200, 'status_msg': 'OK', 'tags': [], 'resp_fuids': ['F68OIy48ioksnTUd64'], 'resp_mime_types': ['application/ocsp-response']}\n" + ] + } + ], + "source": [ + "import json \n", + "for line in json_data_file.splitlines():\n", + " # log_entry is now a single json log from the file\n", + " log_entry = json.loads(line.strip())\n", + " print(log_entry)" + ] + }, + { + "cell_type": "code", + "execution_count": 340, "metadata": {}, "outputs": [], "source": [ 
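Review bot: `get_traffic_direction` parses both addresses with `ipaddress.ip_address(...)` outside any `try`, so a single record whose `id.orig_h` or `id.resp_h` is missing or malformed raises `ValueError` and aborts the whole `apply` in `create_direction_variable`; the `except ValueError` in `is_private_ip` is never reached on this path. A detection pipeline should label such a record rather than stop on it, and the fence below returns a separate `"unknown"` value for that case. That value would also need a `traffic_direction_unknown` entry in `dns_cols`, because `makedf_samecol` keeps only the listed columns. The docstrings need the same attention: the function returns `'IPv6'` in addition to the four values it lists, and `ip.is_private` covers more than RFC 1918 (loopback and link-local ranges as well).

```python
def get_traffic_direction(source_ip, destination_ip):
    # … unchanged: docstring …
    try:
        src_ip = ipaddress.ip_address(source_ip)
        dest_ip = ipaddress.ip_address(destination_ip)
    except ValueError:
        # Missing or malformed address: keep the row and label it explicitly.
        return "unknown"
    # … unchanged: IPv6 check and internal/outgoing/incoming/external branches …
```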
@@ -3540,30 +6350,8 @@
 " return \"incoming\"\n",
 " else:\n",
 " return \"external\"\n",
- "\n",
- "# def is_private_ip(ip_str):\n",
- "# \"\"\"\n",
- "# Takes an IP string and returns whether the IP is private or not per RFC 1918.\n",
- "\n",
- "# Parameters\n",
- "# ----------\n",
- "# ip_str: str\n",
- "# String of an IP address.\n",
- "\n",
- "# Returns\n",
- "# -------\n",
- "# bool: a bool of whether or not the IP is private. \n",
- "# \"\"\"\n",
- "# octets = [int(x) for x in ip_str.split(\".\")]\n",
- "# if octets[0] == 10 \\\n",
- "# or (octets[0] == 172 and 16 <= octets[1] <= 31) \\\n",
- "# or (octets[0] == 192 and octets[1] == 168):\n",
- "# return True\n",
- "# else:\n",
- "# return False\n",
 " \n",
 "\n",
- "\n",
 "def is_private_ip(ip_str):\n",
 " \"\"\"\n",
 " Takes an IP string and returns whether the IP is private or not per RFC 1918.\n",
@@ -3596,24 +6384,13 @@
 " return new_df[cols]"
 ]
 },
- {
- "cell_type": "markdown",
- "metadata": {},
- "source": [
- "#conn + Four other logs: dns, http, ssl, ssh \n",
- "#for dns: proto (str), rtt(float), qclass(num as type), qtype(str), rcode(numeric 0-9), AA (str, true or false), TC(str, true or false), RD(str, true or false), RA(str, true or false), Z, rejected(str, true or false) \n",
- "TODO: check what is the value of Z, and do we need domain name. check what might not be in the logs (so far: rcode,rtt )\n",
- "#for http: trans_depth, method, \n"
- ]
- },
 {
 "cell_type": "code",
- "execution_count": 297,
+ "execution_count": 321,
 "metadata": {},
 "outputs": [],
 "source": [
- "features = ['id.orig_h', \"id.resp_h\", \"proto\", \"rtt\",\"qclass_name\", \"qtype_name\",\"rcode_name\",\n",
- " \"AA\",\"TC\",\"RD\",\"RA\", \"rejected\"]\n",
+ "features = ['id.orig_h', 'id.resp_h','trans_depth','method','host','version','request_body_len','response_body_len','status_code']\n",
 " \n",
 "data_list = []\n",
 "for line in json_data_file.splitlines():\n",
@@ -3629,54 +6406,191 @@ }, { "cell_type": "code", - "execution_count": 298, - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "Index(['id.orig_h', 'id.resp_h', 'proto', 'rtt', 'qclass_name', 'qtype_name',\n", - " 'rcode_name', 'AA', 'TC', 'RD', 'RA', 'rejected'],\n", - " dtype='object')" - ] - }, - "execution_count": 298, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "df.columns" - ] - }, - { - "cell_type": "code", - "execution_count": 299, + "execution_count": 341, "metadata": {}, "outputs": [ { "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
id.orig_hid.resp_htrans_depthhostversionrequest_body_lenresponse_body_lenhas_hostis_destination_broadcastmethod_CONNECTmethod_GETstatus_code_0status_code_200traffic_direction_internaltraffic_direction_outgoing
0192.168.0.109192.168.0.1681None0.90175400011010
1192.168.0.16817.253.3.2201proxy-safebrowsing.googleapis.com1.10010100101
2192.168.0.16817.253.3.2171proxy-safebrowsing.googleapis.com1.10010100101
3192.168.0.168192.229.211.1081ocsp.digicert.com1.1047110010101
4192.168.0.168192.229.211.1081ocsp.digicert.com1.1031310010101
\n", + "
" + ], "text/plain": [ - "NOERROR 1860\n", - "NXDOMAIN 12\n", - "Name: rcode_name, dtype: int64" + " id.orig_h id.resp_h trans_depth \\\n", + "0 192.168.0.109 192.168.0.168 1 \n", + "1 192.168.0.168 17.253.3.220 1 \n", + "2 192.168.0.168 17.253.3.217 1 \n", + "3 192.168.0.168 192.229.211.108 1 \n", + "4 192.168.0.168 192.229.211.108 1 \n", + "\n", + " host version request_body_len \\\n", + "0 None 0.9 0 \n", + "1 proxy-safebrowsing.googleapis.com 1.1 0 \n", + "2 proxy-safebrowsing.googleapis.com 1.1 0 \n", + "3 ocsp.digicert.com 1.1 0 \n", + "4 ocsp.digicert.com 1.1 0 \n", + "\n", + " response_body_len has_host is_destination_broadcast method_CONNECT \\\n", + "0 1754 0 0 0 \n", + "1 0 1 0 1 \n", + "2 0 1 0 1 \n", + "3 471 1 0 0 \n", + "4 313 1 0 0 \n", + "\n", + " method_GET status_code_0 status_code_200 traffic_direction_internal \\\n", + "0 1 1 0 1 \n", + "1 0 0 1 0 \n", + "2 0 0 1 0 \n", + "3 1 0 1 0 \n", + "4 1 0 1 0 \n", + "\n", + " traffic_direction_outgoing \n", + "0 0 \n", + "1 1 \n", + "2 1 \n", + "3 1 \n", + "4 1 " ] }, - "execution_count": 299, + "execution_count": 341, "metadata": {}, "output_type": "execute_result" } ], "source": [ - "df['rcode_name'].value_counts()\n", - "#there are total of 1984 rows \n", - "# NOERROR 1860\n", - "# NXDOMAIN 12" + "df.head()" ] }, { "cell_type": "code", - "execution_count": 300, + "execution_count": 342, "metadata": {}, "outputs": [ { 
@@ -3685,16 +6599,21 @@
 "text": [
 "Null count for id.orig_h: 0\n",
 "Null count for id.resp_h: 0\n",
- "Null count for proto: 0\n",
- "Null count for rtt: 736\n",
- "Null count for qclass_name: 73\n",
- "Null count for qtype_name: 73\n",
- "Null count for rcode_name: 112\n",
- "Null count for AA: 0\n",
- "Null count for TC: 0\n",
- "Null count for RD: 0\n",
- "Null count for RA: 0\n",
- "Null count for rejected: 0\n"
+ "Null count for trans_depth: 0\n",
+ "Null count for host: 1\n",
+ "Null count for version: 0\n",
+ "Null count for request_body_len: 0\n",
+ "Null count for response_body_len: 0\n",
+ "Null count for has_host: 0\n",
+ "Null count for is_destination_broadcast: 0\n",
+ "Null count for method_CONNECT: 0\n",
+ "Null count for method_GET: 0\n",
+ "Null count for status_code_0: 0\n",
+ "Null count for status_code_200: 0\n",
+ "Null count for traffic_direction_internal: 0\n",
+ "Null count for traffic_direction_outgoing: 0\n",
+ "\n",
+ "has_null ['host']\n"
 ]
 }
 ],
@@ -3707,6 +6626,8 @@
 " if null_count:\n",
 " has_null.append(feature)\n",
 "\n",
+ "print(\"\\nhas_null\",has_null) # has_null ['host'] \n",
+ "\n",
 "# Create a variable for each feature that contains null, with the column name \"has_null_featurename\"\n",
 "for feature in has_null: \n",
 " df[f'has_{feature}'] = df[feature].notnull().astype(int)\n"
@@ -3714,88 +6635,290 @@ }, { "cell_type": "code", - "execution_count": 301, + "execution_count": 343, + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "Index(['id.orig_h', 'id.resp_h', 'trans_depth', 'host', 'version',\n", + " 'request_body_len', 'response_body_len', 'has_host',\n", + " 'is_destination_broadcast', 'method_CONNECT', 'method_GET',\n", + " 'status_code_0', 'status_code_200', 'traffic_direction_internal',\n", + " 'traffic_direction_outgoing'],\n", + " dtype='object')" + ] + }, + "execution_count": 343, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "df.columns" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "#identify null\n", + "#create has null\n", + "# create broadcast, traffic_direction variables\n", + "# one hot encode categorical variables: 'method','status_code','traffic_direction'\n", + "#fillna with 0s: len?? (no na in len)\n", + "#same columns (no 'host)" + ] + }, + { + "cell_type": "code", + "execution_count": 344, + "metadata": {}, + "outputs": [], + "source": [ + "df = create_broadcast_variable(df)\n", + "df = create_direction_variable(df)" + ] + }, + { + "cell_type": "code", + "execution_count": 345, + "metadata": {}, + "outputs": [], + "source": [ + "column_name = ['version','method','status_code','traffic_direction']\n", + "df = one_hot_encode(df, column_name)" + ] + }, + { + "cell_type": "code", + "execution_count": 346, "metadata": {}, "outputs": [ { "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
id.orig_hid.resp_htrans_depthhostrequest_body_lenresponse_body_lenhas_hostis_destination_broadcastmethod_CONNECTmethod_GETstatus_code_0status_code_200traffic_direction_internaltraffic_direction_outgoingversion_0.9version_1.1traffic_direction_internaltraffic_direction_outgoing
0192.168.0.109192.168.0.1681None01754000110101010
1192.168.0.16817.253.3.2201proxy-safebrowsing.googleapis.com00101001010101
2192.168.0.16817.253.3.2171proxy-safebrowsing.googleapis.com00101001010101
3192.168.0.168192.229.211.1081ocsp.digicert.com0471100101010101
4192.168.0.168192.229.211.1081ocsp.digicert.com0313100101010101
\n", + "
" + ], "text/plain": [ - "['rtt', 'qclass_name', 'qtype_name', 'rcode_name']" + " id.orig_h id.resp_h trans_depth \\\n", + "0 192.168.0.109 192.168.0.168 1 \n", + "1 192.168.0.168 17.253.3.220 1 \n", + "2 192.168.0.168 17.253.3.217 1 \n", + "3 192.168.0.168 192.229.211.108 1 \n", + "4 192.168.0.168 192.229.211.108 1 \n", + "\n", + " host request_body_len response_body_len \\\n", + "0 None 0 1754 \n", + "1 proxy-safebrowsing.googleapis.com 0 0 \n", + "2 proxy-safebrowsing.googleapis.com 0 0 \n", + "3 ocsp.digicert.com 0 471 \n", + "4 ocsp.digicert.com 0 313 \n", + "\n", + " has_host is_destination_broadcast method_CONNECT method_GET \\\n", + "0 0 0 0 1 \n", + "1 1 0 1 0 \n", + "2 1 0 1 0 \n", + "3 1 0 0 1 \n", + "4 1 0 0 1 \n", + "\n", + " status_code_0 status_code_200 traffic_direction_internal \\\n", + "0 1 0 1 \n", + "1 0 1 0 \n", + "2 0 1 0 \n", + "3 0 1 0 \n", + "4 0 1 0 \n", + "\n", + " traffic_direction_outgoing version_0.9 version_1.1 \\\n", + "0 0 1 0 \n", + "1 1 0 1 \n", + "2 1 0 1 \n", + "3 1 0 1 \n", + "4 1 0 1 \n", + "\n", + " traffic_direction_internal traffic_direction_outgoing \n", + "0 1 0 \n", + "1 0 1 \n", + "2 0 1 \n", + "3 0 1 \n", + "4 0 1 " ] }, - "execution_count": 301, + "execution_count": 346, "metadata": {}, "output_type": "execute_result" } ], "source": [ - "has_null " - ] - }, - { - "cell_type": "code", - "execution_count": 302, - "metadata": {}, - "outputs": [], - "source": [ - "#create broadcast and direction variables\n", - "df = create_broadcast_variable(df)\n", - "df = create_direction_variable(df)" - ] - }, - { - "cell_type": "code", - "execution_count": 303, - "metadata": {}, - "outputs": [ - { - "name": "stdout", - "output_type": "stream", - "text": [ - "(1984,)\n", - "outgoing 1682\n", - "IPv6 302\n", - "Name: traffic_direction, dtype: int64\n", - "0\n" - ] - } - ], - "source": [ - "print(df['traffic_direction'].shape)\n", - "print(df['traffic_direction'].value_counts())\n", - "print(df['traffic_direction'].isnull().sum())" - ] 
- }, - { - "cell_type": "code", - "execution_count": 305, - "metadata": {}, - "outputs": [], - "source": [ - "#one hot encode qtype, qclass, rcode_name\n", - "column_name = ['proto','qtype_name','qclass_name','rcode_name','traffic_direction']\n", - "df = one_hot_encode(df, column_name)" + "df.head()" ] }, { "cell_type": "code", - "execution_count": 306, + "execution_count": 347, "metadata": {}, "outputs": [ { "data": { "text/plain": [ - "Index(['id.orig_h', 'id.resp_h', 'rtt', 'AA', 'TC', 'RD', 'RA', 'rejected',\n", - " 'has_rtt', 'has_qclass_name', 'has_qtype_name', 'has_rcode_name',\n", - " 'is_destination_broadcast', 'proto_udp', 'qtype_name_*', 'qtype_name_A',\n", - " 'qtype_name_AAAA', 'qtype_name_HTTPS', 'qtype_name_PTR',\n", - " 'qclass_name_C_INTERNET', 'qclass_name_qclass-32769',\n", - " 'rcode_name_NOERROR', 'rcode_name_NXDOMAIN', 'traffic_direction_IPv6',\n", + "Index(['id.orig_h', 'id.resp_h', 'trans_depth', 'host', 'request_body_len',\n", + " 'response_body_len', 'has_host', 'is_destination_broadcast',\n", + " 'method_CONNECT', 'method_GET', 'status_code_0', 'status_code_200',\n", + " 'traffic_direction_internal', 'traffic_direction_outgoing',\n", + " 'version_0.9', 'version_1.1', 'traffic_direction_internal',\n", " 'traffic_direction_outgoing'],\n", " dtype='object')" ] }, - "execution_count": 306, + "execution_count": 347, "metadata": {}, "output_type": "execute_result" } 
@@ -3806,137 +6929,30 @@ }, { "cell_type": "code", - "execution_count": 307, - "metadata": {}, - "outputs": [], - "source": [ - "#encode boolean features \n", - "boolean_to_convert = ['AA', 'TC', 'RD', 'RA', 'rejected']\n", - "df[boolean_to_convert] = df[boolean_to_convert].astype(int)\n" - ] - }, - { - "cell_type": "code", - "execution_count": 308, + "execution_count": 348, "metadata": {}, "outputs": [ { "data": { "text/plain": [ - "Index(['id.orig_h', 'id.resp_h', 'rtt', 'AA', 'TC', 'RD', 'RA', 'rejected',\n", - " 'has_rtt', 'has_qclass_name', 'has_qtype_name', 'has_rcode_name',\n", - " 'is_destination_broadcast', 'proto_udp', 'qtype_name_*', 'qtype_name_A',\n", - " 'qtype_name_AAAA', 'qtype_name_HTTPS', 'qtype_name_PTR',\n", - " 'qclass_name_C_INTERNET', 'qclass_name_qclass-32769',\n", - " 'rcode_name_NOERROR', 'rcode_name_NXDOMAIN', 'traffic_direction_IPv6',\n", - " 'traffic_direction_outgoing'],\n", - " dtype='object')" - ] - }, - "execution_count": 308, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "df.columns" - ] - }, - { - "cell_type": "code", - "execution_count": 309, - "metadata": {}, - "outputs": [ - { - "name": "stdout", - "output_type": "stream", - "text": [ - "Null count for id.orig_h: 0\n", - "Null count for id.resp_h: 0\n", - "Null count for rtt: 736\n", - "Null count for AA: 0\n", - "Null count for TC: 0\n", - "Null count for RD: 0\n", - "Null count for RA: 0\n", - "Null count for rejected: 0\n", - "Null count for has_rtt: 0\n", - "Null count for has_qclass_name: 0\n", - "Null count for has_qtype_name: 0\n", - "Null count for has_rcode_name: 0\n", - "Null count for is_destination_broadcast: 0\n", - "Null count for proto_udp: 0\n", - "Null count for qtype_name_*: 0\n", - "Null count for qtype_name_A: 0\n", - "Null count for qtype_name_AAAA: 0\n", - "Null count for qtype_name_HTTPS: 0\n", - "Null count for qtype_name_PTR: 0\n", - "Null count for qclass_name_C_INTERNET: 0\n", - "Null count for qclass_name_qclass-32769: 
0\n", - "Null count for rcode_name_NOERROR: 0\n", - "Null count for rcode_name_NXDOMAIN: 0\n", - "Null count for traffic_direction_IPv6: 0\n", - "Null count for traffic_direction_outgoing: 0\n" - ] - } - ], - "source": [ - "for feature in df.columns:\n", - " null_count = df[feature].isnull().sum()\n", - " print(f\"Null count for {feature}: {null_count}\") " - ] - }, - { - "cell_type": "code", - "execution_count": 310, - "metadata": {}, - "outputs": [], - "source": [ - "#fillna with 0s:rtt\n", - "columns_to_fill_with_zeros = ['rtt']\n", - "df[columns_to_fill_with_zeros] = df[columns_to_fill_with_zeros].fillna(0)" - ] - }, - { - "cell_type": "code", - "execution_count": 311, - "metadata": {}, - "outputs": [ - { - "name": "stdout", - "output_type": "stream", - "text": [ - "Null count for id.orig_h: 0\n", - "Null count for id.resp_h: 0\n", - "Null count for rtt: 0\n", - "Null count for AA: 0\n", - "Null count for TC: 0\n", - "Null count for RD: 0\n", - "Null count for RA: 0\n", - "Null count for rejected: 0\n", - "Null count for has_rtt: 0\n", - "Null count for has_qclass_name: 0\n", - "Null count for has_qtype_name: 0\n", - "Null count for has_rcode_name: 0\n", - "Null count for is_destination_broadcast: 0\n", - "Null count for proto_udp: 0\n", - "Null count for qtype_name_*: 0\n", - "Null count for qtype_name_A: 0\n", - "Null count for qtype_name_AAAA: 0\n", - "Null count for qtype_name_HTTPS: 0\n", - "Null count for qtype_name_PTR: 0\n", - "Null count for qclass_name_C_INTERNET: 0\n", - "Null count for qclass_name_qclass-32769: 0\n", - "Null count for rcode_name_NOERROR: 0\n", - "Null count for rcode_name_NXDOMAIN: 0\n", - "Null count for traffic_direction_IPv6: 0\n", - "Null count for traffic_direction_outgoing: 0\n" - ] + "0 0\n", + "1 1\n", + "2 1\n", + "3 1\n", + "4 1\n", + "5 1\n", + "6 1\n", + "7 1\n", + "Name: has_host, dtype: int64" + ] + }, + "execution_count": 348, + "metadata": {}, + "output_type": "execute_result" } ], "source": [ - "for feature in 
df.columns:\n", - " null_count = df[feature].isnull().sum()\n", - " print(f\"Null count for {feature}: {null_count}\") " + "df['has_host']" ] }, { @@ -3946,29 +6962,33 @@ "outputs": [], "source": [ "#TODO: to be confirmed once EDA is done\n", - "dns_cols = ['rtt', 'AA', 'TC', 'RD', 'RA', 'rejected',\n", - " 'has_rtt', 'has_qclass_name', 'has_qtype_name', 'has_rcode_name',\n", - " 'is_destination_broadcast', \n", - " 'proto_tcp', 'proto_udp',\n", - " 'qtype_name_*', 'qtype_name_A',\n", - " 'qtype_name_AAAA', 'qtype_name_HTTPS', 'qtype_name_PTR',\n", - " 'qclass_name_C_INTERNET', 'qclass_name_qclass-32769',\n", - " 'rcode_name_NOERROR', 'rcode_name_NXDOMAIN', \n", + "http_cols = ['trans_depth', 'request_body_len',\n", + " 'response_body_len', 'has_host', 'is_destination_broadcast',\n", + " 'method_CONNECT', 'method_GET', \n", + " 'status_code_0', 'status_code_200',\n", + " 'version_0.9', 'version_1.1',\n", " 'traffic_direction_IPv6',\n", - " 'traffic_direction_external','traffic_direction_incoming', \n", - " 'traffic_direction_internal','traffic_direction_outgoing']\n" + " 'traffic_direction_internal', 'traffic_direction_outgoing',\n", + " 'traffic_direction_internal','traffic_direction_outgoing']\n" ] }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [] + }, { "cell_type": "markdown", "metadata": {}, "source": [ - "## http" + "## ssh" ] }, { "cell_type": "code", - "execution_count": 338, + "execution_count": 6, "metadata": {}, "outputs": [], "source": [ @@ -3979,7 +6999,7 @@ " for file in os.listdir(current_dir_path):\n", " # file is now any given file in the historical data directory\n", " current_file_path = os.path.join(current_dir_path, file)\n", - " if \"http.\" in file: #conn.\n", + " if \"ssh.\" in file: #conn.\n", " # get the whole file in memory\n", " logging.info(f\"Opening file {current_file_path}\")\n", " json_data_file = ungzip(current_file_path)\n", 
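Review bot: The new `http_cols` list names `'traffic_direction_internal'` and `'traffic_direction_outgoing'` twice (its last two lines) and drops the `external`/`incoming` entries that the removed `dns_cols` carried. The `df.columns` output a few cells earlier already shows the same two columns duplicated, which suggests the direction and one-hot cells were re-run on an already encoded frame. If this list drives column selection, the HTTP feature matrix will hold repeated columns and will not line up with the other log types; the last line could read `'traffic_direction_external','traffic_direction_incoming']`. The list also fixes only `method_CONNECT`/`method_GET` and `status_code_0`/`status_code_200`, so any other method or status seen later would encode as all zeros; an explicit catch-all column would keep those records distinguishable.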
@@ -3989,21 +7009,14 @@ }, { "cell_type": "code", - "execution_count": 339, + "execution_count": 7, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ - "{'ts': 1707721209.155077, 'uid': 'CGpf9R1APvMKSdDIn2', 'id.orig_h': '192.168.0.109', 'id.orig_p': 57562, 'id.resp_h': '192.168.0.168', 'id.resp_p': 7000, 'trans_depth': 1, 'method': 'GET', 'uri': '/info?txtAirPlay&txtRAOP RTSP/1.', 'version': '0.9', 'request_body_len': 0, 'response_body_len': 1754, 'status_code': 0, 'status_msg': '', 'tags': [], 'resp_fuids': ['FuhWEF48bHYDzu07H7'], 'resp_mime_types': ['text/plain']}\n", - "{'ts': 1707721241.169723, 'uid': 'Cyl3PW2wswIPW1tjY7', 'id.orig_h': '192.168.0.168', 'id.orig_p': 62770, 'id.resp_h': '17.253.3.220', 'id.resp_p': 80, 'trans_depth': 1, 'method': 'CONNECT', 'host': 'proxy-safebrowsing.googleapis.com', 'uri': 'proxy-safebrowsing.googleapis.com:443', 'version': '1.1', 'request_body_len': 0, 'response_body_len': 0, 'status_code': 200, 'status_msg': 'OK', 'tags': [], 'proxied': ['PROXY-CONNECTION -> keep-alive']}\n", - "{'ts': 1707723317.563444, 'uid': 'CNKryg21vxMXbO22ud', 'id.orig_h': '192.168.0.168', 'id.orig_p': 62836, 'id.resp_h': '17.253.3.217', 'id.resp_p': 80, 'trans_depth': 1, 'method': 'CONNECT', 'host': 'proxy-safebrowsing.googleapis.com', 'uri': 'proxy-safebrowsing.googleapis.com:443', 'version': '1.1', 'request_body_len': 0, 'response_body_len': 0, 'status_code': 200, 'status_msg': 'OK', 'tags': [], 'proxied': ['PROXY-CONNECTION -> keep-alive']}\n", - "{'ts': 1707723874.272749, 'uid': 'COrdGv2boj5FF9jb4g', 'id.orig_h': '192.168.0.168', 'id.orig_p': 62862, 'id.resp_h': '192.229.211.108', 'id.resp_p': 80, 'trans_depth': 1, 'method': 'GET', 'host': 'ocsp.digicert.com', 'uri': '/ME8wTTBLMEkwRzAHBgUrDgMCGgQU36oS4yixCUGT4p9Cgs5HQEKVWKMEFLE+w2kD+L9HAdSYJhoIAu9jZCvDAhAHF3kRAF0iZ/aIkvaPi1BY', 'version': '1.1', 'user_agent': 'com.apple.trustd/3.0', 'request_body_len': 0, 'response_body_len': 471, 'status_code': 200, 'status_msg': 
'OK', 'tags': [], 'resp_fuids': ['FXJjLH1Q0muVZIJtK2'], 'resp_mime_types': ['application/ocsp-response']}\n", - "{'ts': 1707723874.30856, 'uid': 'CYA8ZH3cjTZmLTsT76', 'id.orig_h': '192.168.0.168', 'id.orig_p': 62863, 'id.resp_h': '192.229.211.108', 'id.resp_p': 80, 'trans_depth': 1, 'method': 'GET', 'host': 'ocsp.digicert.com', 'uri': '/ME8wTTBLMEkwRzAHBgUrDgMCGgQU6468nUcrfgKRdxkj8qXxwcUeV7UEFLPbSKT5ocXYrjZBzBFjaWIpvEvGAhAMq6rRzsTpfMJmWIHQITj3', 'version': '1.1', 'user_agent': 'com.apple.trustd/3.0', 'request_body_len': 0, 'response_body_len': 313, 'status_code': 200, 'status_msg': 'OK', 'tags': [], 'resp_fuids': ['FVnAHV1mDu8ovZHRDk'], 'resp_mime_types': ['application/ocsp-response']}\n", - "{'ts': 1707723884.485396, 'uid': 'Cn0vgR2nRErSEBdQ4e', 'id.orig_h': '192.168.0.168', 'id.orig_p': 62869, 'id.resp_h': '192.229.211.108', 'id.resp_p': 80, 'trans_depth': 1, 'method': 'GET', 'host': 'ocsp.digicert.com', 'uri': '/ME8wTTBLMEkwRzAHBgUrDgMCGgQUwS9Fdu0VWeywXbqJv52AeOUj1BMEFOWdWTCCR1jMrPoIVDaGezq1BE3wAhAFUsfv/uwpK6nxOHsHr5Kf', 'version': '1.1', 'user_agent': 'com.apple.trustd/3.0', 'request_body_len': 0, 'response_body_len': 1507, 'status_code': 200, 'status_msg': 'OK', 'tags': [], 'resp_fuids': ['FZFKD24tfKS5axsJE9'], 'resp_mime_types': ['application/ocsp-response']}\n", - "{'ts': 1707723884.499973, 'uid': 'CrY9MN1TtY5DJrtgoe', 'id.orig_h': '192.168.0.168', 'id.orig_p': 62870, 'id.resp_h': '142.251.32.99', 'id.resp_p': 80, 'trans_depth': 1, 'method': 'GET', 'host': 'ocsp.pki.goog', 'uri': '/gts1c3/ME8wTTBLMEkwRzAHBgUrDgMCGgQUxy55it3/YTSzuu1HQri7xsAkB2MEFIp0f6+Fze6VzT2c0OJGFPNxNR0nAhBm0ojwKPEI9Qm520f6UYyj', 'version': '1.1', 'user_agent': 'com.apple.trustd/3.0', 'request_body_len': 0, 'response_body_len': 471, 'status_code': 200, 'status_msg': 'OK', 'tags': [], 'resp_fuids': ['FFdsbTNBU4QIU5Nia'], 'resp_mime_types': ['application/ocsp-response']}\n", - "{'ts': 1707723884.500895, 'uid': 'C5I46p4mxDkmK39woh', 'id.orig_h': '192.168.0.168', 'id.orig_p': 62871, 
'id.resp_h': '142.251.32.99', 'id.resp_p': 80, 'trans_depth': 1, 'method': 'GET', 'host': 'ocsp.pki.goog', 'uri': '/gtsr1/MEwwSjBIMEYwRDAHBgUrDgMCGgQUMJHC1g+C6hie2xOwdV2bBG5n8FAEFOSvKyZxGitIJ4UvUmYs7/CJE3E+Ag0CA7xTWWs0xxj1AVBm', 'version': '1.1', 'user_agent': 'com.apple.trustd/3.0', 'request_body_len': 0, 'response_body_len': 724, 'status_code': 200, 'status_msg': 'OK', 'tags': [], 'resp_fuids': ['F68OIy48ioksnTUd64'], 'resp_mime_types': ['application/ocsp-response']}\n" + "{'ts': 1707749962.327658, 'uid': 'CrPlCp1tZzMjb5FbW5', 'id.orig_h': '192.168.0.168', 'id.orig_p': 50763, 'id.resp_h': '140.82.114.4', 'id.resp_p': 22, 'version': 2, 'auth_success': False, 'auth_attempts': 3, 'direction': 'OUTBOUND', 'client': 'SSH-2.0-OpenSSH_9.0', 'server': 'SSH-2.0-babeld-57ca1323', 'cipher_alg': 'chacha20-poly1305@openssh.com', 'mac_alg': 'hmac-sha2-256-etm@openssh.com', 'compression_alg': 'none', 'kex_alg': 'curve25519-sha256', 'host_key_alg': 'ssh-ed25519', 'host_key': '65:96:2d:fc:e8:d5:a9:11:64:0c:0f:ea:00:6e:5b:bd'}\n" ] } ], @@ -4017,7 +7030,7 @@ }, { "cell_type": "code", - "execution_count": 340, + "execution_count": 8, "metadata": {}, "outputs": [], "source": [ @@ -4108,11 +7121,11 @@ }, { "cell_type": "code", - "execution_count": 321, + "execution_count": 11, "metadata": {}, "outputs": [], "source": [ - "features = ['id.orig_h', 'id.resp_h','trans_depth','method','host','version','request_body_len','response_body_len','status_code']\n", + "features = ['id.orig_h', 'id.resp_h','version','auth_success','auth_attempts','direction','version','traffic_direction']\n", " \n", "data_list = []\n", "for line in json_data_file.splitlines():\n", @@ -4128,7 +7141,7 @@ }, { "cell_type": "code", - "execution_count": 341, + "execution_count": 12, "metadata": {}, "outputs": [ { 
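Review bot: The stored cell output in this hunk commits a raw ssh.log record: an internal address, the client and server banners, negotiated algorithms and a host key fingerprint. If the capture comes from a real network, that is monitoring data that now lives in repository history; the removed http records had the same problem. Clearing outputs before committing (for example with an `nbstripout` filter) avoids this, and `print(log_entry)` could print only the field names, e.g. `print(sorted(log_entry))`.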
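Review bot: The new `features` list names `'version'` twice and includes `'traffic_direction'`, which is not a field of the ssh record printed above. The `df` output that follows shows the result: two `version` columns and a `traffic_direction` column holding `None`, and after the one-hot step `version_2` appears twice. A list limited to fields the log carries would be `features = ['id.orig_h', 'id.resp_h', 'version', 'auth_success', 'auth_attempts', 'direction']`, leaving `traffic_direction` to `create_direction_variable`. The loop that consumes the list continues outside the hunk.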
@@ -4154,269 +7167,88 @@ " \n", " id.orig_h\n", " id.resp_h\n", - " trans_depth\n", - " host\n", " version\n", - " request_body_len\n", - " response_body_len\n", - " has_host\n", - " is_destination_broadcast\n", - " method_CONNECT\n", - " method_GET\n", - " status_code_0\n", - " status_code_200\n", - " traffic_direction_internal\n", - " traffic_direction_outgoing\n", + " auth_success\n", + " auth_attempts\n", + " direction\n", + " version\n", + " traffic_direction\n", " \n", " \n", " \n", " \n", " 0\n", - " 192.168.0.109\n", " 192.168.0.168\n", - " 1\n", + " 140.82.114.4\n", + " 2\n", + " False\n", + " 3\n", + " OUTBOUND\n", + " 2\n", " None\n", - " 0.9\n", - " 0\n", - " 1754\n", - " 0\n", - " 0\n", - " 0\n", - " 1\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " \n", - " \n", - " 1\n", - " 192.168.0.168\n", - " 17.253.3.220\n", - " 1\n", - " proxy-safebrowsing.googleapis.com\n", - " 1.1\n", - " 0\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " \n", - " \n", - " 2\n", - " 192.168.0.168\n", - " 17.253.3.217\n", - " 1\n", - " proxy-safebrowsing.googleapis.com\n", - " 1.1\n", - " 0\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " \n", - " \n", - " 3\n", - " 192.168.0.168\n", - " 192.229.211.108\n", - " 1\n", - " ocsp.digicert.com\n", - " 1.1\n", - " 0\n", - " 471\n", - " 1\n", - " 0\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " \n", - " \n", - " 4\n", - " 192.168.0.168\n", - " 192.229.211.108\n", - " 1\n", - " ocsp.digicert.com\n", - " 1.1\n", - " 0\n", - " 313\n", - " 1\n", - " 0\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", " \n", " \n", - "\n", - "" - ], - "text/plain": [ - " id.orig_h id.resp_h trans_depth \\\n", - "0 192.168.0.109 192.168.0.168 1 \n", - "1 192.168.0.168 17.253.3.220 1 \n", - "2 192.168.0.168 17.253.3.217 1 \n", - "3 192.168.0.168 192.229.211.108 1 \n", - "4 192.168.0.168 192.229.211.108 1 \n", - "\n", - " host 
version request_body_len \\\n", - "0 None 0.9 0 \n", - "1 proxy-safebrowsing.googleapis.com 1.1 0 \n", - "2 proxy-safebrowsing.googleapis.com 1.1 0 \n", - "3 ocsp.digicert.com 1.1 0 \n", - "4 ocsp.digicert.com 1.1 0 \n", - "\n", - " response_body_len has_host is_destination_broadcast method_CONNECT \\\n", - "0 1754 0 0 0 \n", - "1 0 1 0 1 \n", - "2 0 1 0 1 \n", - "3 471 1 0 0 \n", - "4 313 1 0 0 \n", - "\n", - " method_GET status_code_0 status_code_200 traffic_direction_internal \\\n", - "0 1 1 0 1 \n", - "1 0 0 1 0 \n", - "2 0 0 1 0 \n", - "3 1 0 1 0 \n", - "4 1 0 1 0 \n", - "\n", - " traffic_direction_outgoing \n", - "0 0 \n", - "1 1 \n", - "2 1 \n", - "3 1 \n", - "4 1 " - ] - }, - "execution_count": 341, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "df.head()" - ] - }, - { - "cell_type": "code", - "execution_count": 342, - "metadata": {}, - "outputs": [ - { - "name": "stdout", - "output_type": "stream", - "text": [ - "Null count for id.orig_h: 0\n", - "Null count for id.resp_h: 0\n", - "Null count for trans_depth: 0\n", - "Null count for host: 1\n", - "Null count for version: 0\n", - "Null count for request_body_len: 0\n", - "Null count for response_body_len: 0\n", - "Null count for has_host: 0\n", - "Null count for is_destination_broadcast: 0\n", - "Null count for method_CONNECT: 0\n", - "Null count for method_GET: 0\n", - "Null count for status_code_0: 0\n", - "Null count for status_code_200: 0\n", - "Null count for traffic_direction_internal: 0\n", - "Null count for traffic_direction_outgoing: 0\n", - "\n", - "has_null ['host']\n" - ] - } - ], - "source": [ - "#This code checks for null values in each feature\n", - "has_null = []\n", - "for feature in df.columns:\n", - " null_count = df[feature].isnull().sum()\n", - " print(f\"Null count for {feature}: {null_count}\") \n", - " if null_count:\n", - " has_null.append(feature)\n", - "\n", - "print(\"\\nhas_null\",has_null) # has_null ['host'] \n", - "\n", - "# Create a variable 
for each feature that contains null, with the column name \"has_null_featurename\"\n", - "for feature in has_null: \n", - " df[f'has_{feature}'] = df[feature].notnull().astype(int)\n" - ] - }, - { - "cell_type": "code", - "execution_count": 343, - "metadata": {}, - "outputs": [ - { - "data": { + "\n", + "" + ], "text/plain": [ - "Index(['id.orig_h', 'id.resp_h', 'trans_depth', 'host', 'version',\n", - " 'request_body_len', 'response_body_len', 'has_host',\n", - " 'is_destination_broadcast', 'method_CONNECT', 'method_GET',\n", - " 'status_code_0', 'status_code_200', 'traffic_direction_internal',\n", - " 'traffic_direction_outgoing'],\n", - " dtype='object')" + " id.orig_h id.resp_h version auth_success auth_attempts \\\n", + "0 192.168.0.168 140.82.114.4 2 False 3 \n", + "\n", + " direction version traffic_direction \n", + "0 OUTBOUND 2 None " ] }, - "execution_count": 343, + "execution_count": 12, "metadata": {}, "output_type": "execute_result" } ], "source": [ - "df.columns" + "df" ] }, { "cell_type": "code", - "execution_count": null, + "execution_count": 13, "metadata": {}, "outputs": [], "source": [ - "#identify null\n", - "#create has null\n", - "# create broadcast, traffic_direction variables\n", - "# one hot encode categorical variables: 'method','status_code','traffic_direction'\n", - "#fillna with 0s: len?? 
(no na in len)\n", - "#same columns (no 'host)" + "df = create_broadcast_variable(df)\n", + "df = create_direction_variable(df)" ] }, { "cell_type": "code", - "execution_count": 344, + "execution_count": 14, "metadata": {}, "outputs": [], "source": [ - "df = create_broadcast_variable(df)\n", - "df = create_direction_variable(df)" + "df['auth_success'] = df['auth_success'].replace({False: 0, True: 1})\n", + "df['direction'] = df['direction'].replace({'OUTBOUND': 1, 'INBOUND': 0})\n", + "\n", + "# one hot encode categorical variables: proto, qtype, qclass, rcode_name\n", + "column_name = ['version','traffic_direction']\n", + "df = one_hot_encode(df, column_name)" ] }, { "cell_type": "code", - "execution_count": 345, + "execution_count": 15, "metadata": {}, "outputs": [], "source": [ - "column_name = ['version','method','status_code','traffic_direction']\n", - "df = one_hot_encode(df, column_name)" + "ssh_cols = ['auth_success', 'auth_attempts', 'direction',\n", + " 'is_destination_broadcast', 'version_2', \n", + " 'traffic_direction_external','traffic_direction_incoming', \n", + " 'traffic_direction_internal','traffic_direction_outgoing']\n", + " \n", + "df = makedf_samecol(ssh_cols, df)" ] }, { "cell_type": "code", - "execution_count": 346, + "execution_count": 16, "metadata": {}, "outputs": [ { @@ -4440,22 +7272,14 @@ " \n", " \n", " \n", - " id.orig_h\n", - " id.resp_h\n", - " trans_depth\n", - " host\n", - " request_body_len\n", - " response_body_len\n", - " has_host\n", + " auth_success\n", + " auth_attempts\n", + " direction\n", " is_destination_broadcast\n", - " method_CONNECT\n", - " method_GET\n", - " status_code_0\n", - " status_code_200\n", - " traffic_direction_internal\n", - " traffic_direction_outgoing\n", - " version_0.9\n", - " version_1.1\n", + " version_2\n", + " version_2\n", + " traffic_direction_external\n", + " traffic_direction_incoming\n", " traffic_direction_internal\n", " traffic_direction_outgoing\n", " \n", 
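Review bot: The added ssh cells map `auth_success` and `direction` with `replace`, but a record that lacks either field stays null, and this section has no null check or `has_<feature>` indicator like the http section. Both fields are, as far as I know, optional in Zeek's ssh.log, and an undetermined authentication result is worth keeping as its own signal rather than letting it become NaN or 0 downstream; whether `makedf_samecol` fills nulls is not visible here. Consider adding `df['has_auth_success'] = df['auth_success'].notnull().astype(int)` before the `replace`, with a matching entry in `ssh_cols`. The comment `# one hot encode categorical variables: proto, qtype, qclass, rcode_name` is left over from the dns section and should read `# one hot encode categorical variables: version, traffic_direction`.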
@@ -4463,106 +7287,14 @@ " \n", " \n", " 0\n", - " 192.168.0.109\n", - " 192.168.0.168\n", - " 1\n", - " None\n", - " 0\n", - " 1754\n", - " 0\n", - " 0\n", - " 0\n", - " 1\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " \n", - " \n", - " 1\n", - " 192.168.0.168\n", - " 17.253.3.220\n", - " 1\n", - " proxy-safebrowsing.googleapis.com\n", - " 0\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " \n", - " \n", - " 2\n", - " 192.168.0.168\n", - " 17.253.3.217\n", - " 1\n", - " proxy-safebrowsing.googleapis.com\n", - " 0\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " \n", - " \n", - " 3\n", - " 192.168.0.168\n", - " 192.229.211.108\n", - " 1\n", - " ocsp.digicert.com\n", - " 0\n", - " 471\n", - " 1\n", - " 0\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " 0\n", - " 1\n", - " \n", - " \n", - " 4\n", - " 192.168.0.168\n", - " 192.229.211.108\n", - " 1\n", - " ocsp.digicert.com\n", " 0\n", - " 313\n", + " 3\n", " 1\n", " 0\n", - " 0\n", " 1\n", - " 0\n", " 1\n", " 0\n", - " 1\n", " 0\n", - " 1\n", " 0\n", " 1\n", " \n", 
@@ -4571,127 +7303,26 @@ "" ], "text/plain": [ - " id.orig_h id.resp_h trans_depth \\\n", - "0 192.168.0.109 192.168.0.168 1 \n", - "1 192.168.0.168 17.253.3.220 1 \n", - "2 192.168.0.168 17.253.3.217 1 \n", - "3 192.168.0.168 192.229.211.108 1 \n", - "4 192.168.0.168 192.229.211.108 1 \n", - "\n", - " host request_body_len response_body_len \\\n", - "0 None 0 1754 \n", - "1 proxy-safebrowsing.googleapis.com 0 0 \n", - "2 proxy-safebrowsing.googleapis.com 0 0 \n", - "3 ocsp.digicert.com 0 471 \n", - "4 ocsp.digicert.com 0 313 \n", - "\n", - " has_host is_destination_broadcast method_CONNECT method_GET \\\n", - "0 0 0 0 1 \n", - "1 1 0 1 0 \n", - "2 1 0 1 0 \n", - "3 1 0 0 1 \n", - "4 1 0 0 1 \n", + " auth_success auth_attempts direction is_destination_broadcast \\\n", + "0 0 3 1 0 \n", "\n", - " status_code_0 status_code_200 traffic_direction_internal \\\n", - "0 1 0 1 \n", - "1 0 1 0 \n", - "2 0 1 0 \n", - "3 0 1 0 \n", - "4 0 1 0 \n", + " version_2 version_2 traffic_direction_external \\\n", + "0 1 1 0 \n", "\n", - " traffic_direction_outgoing version_0.9 version_1.1 \\\n", - "0 0 1 0 \n", - "1 1 0 1 \n", - "2 1 0 1 \n", - "3 1 0 1 \n", - "4 1 0 1 \n", + " traffic_direction_incoming traffic_direction_internal \\\n", + "0 0 0 \n", "\n", - " traffic_direction_internal traffic_direction_outgoing \n", - "0 1 0 \n", - "1 0 1 \n", - "2 0 1 \n", - "3 0 1 \n", - "4 0 1 " - ] - }, - "execution_count": 346, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "df.head()" - ] - }, - { - "cell_type": "code", - "execution_count": 347, - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "Index(['id.orig_h', 'id.resp_h', 'trans_depth', 'host', 'request_body_len',\n", - " 'response_body_len', 'has_host', 'is_destination_broadcast',\n", - " 'method_CONNECT', 'method_GET', 'status_code_0', 'status_code_200',\n", - " 'traffic_direction_internal', 'traffic_direction_outgoing',\n", - " 'version_0.9', 'version_1.1', 
'traffic_direction_internal',\n", - " 'traffic_direction_outgoing'],\n", - " dtype='object')" - ] - }, - "execution_count": 347, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "df.columns" - ] - }, - { - "cell_type": "code", - "execution_count": 348, - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "0 0\n", - "1 1\n", - "2 1\n", - "3 1\n", - "4 1\n", - "5 1\n", - "6 1\n", - "7 1\n", - "Name: has_host, dtype: int64" + " traffic_direction_outgoing \n", + "0 1 " ] }, - "execution_count": 348, + "execution_count": 16, "metadata": {}, "output_type": "execute_result" } ], "source": [ - "df['has_host']" - ] - }, - { - "cell_type": "code", - "execution_count": null, - "metadata": {}, - "outputs": [], - "source": [ - "#TODO: to be confirmed once EDA is done\n", - "http_cols = ['trans_depth', 'request_body_len',\n", - " 'response_body_len', 'has_host', 'is_destination_broadcast',\n", - " 'method_CONNECT', 'method_GET', \n", - " 'status_code_0', 'status_code_200',\n", - " 'version_0.9', 'version_1.1',\n", - " 'traffic_direction_IPv6',\n", - " 'traffic_direction_internal', 'traffic_direction_outgoing',\n", - " 'traffic_direction_internal','traffic_direction_outgoing']\n" + "df" ] } ],