Everything posted by DigiRD

  1. I've been playing around with the Pineapple and packet captures. An interesting topic I want to learn more about is 'user profiling' based on network traffic (pcap files). I want to find out at what times specific applications/websites were used or visited. I want to create some sort of timeline where I want to see at what times a connection/session was established, how long that application/website has been used and at what time the connection/session ended (DNS? SSL handshake? HTTP GET requests? Streams?).

     A big challenge is also to see through a lot of traffic generated by advertisers or other services that aren't specifically user actions. Are there even unique identifiers of user activity, or is that difficult to keep apart from 'system' traffic?

     For example:

     - Gmail.com, start 01-01-17 / 14:23:42, end 01-01-17 / 14:46:23, duration 23 min 21 sec
     - OR Gmail.com, visited on 01-01-17 / 14:23:42
     - .....etc.....

     I've searched a lot on the internet to learn more about this type of network behavior, but I can't find many usable answers so far. Mostly it is about network performance and network security instead of 'user profiling'. Is it even possible to do some reliable kind of 'user profiling', and what are your thoughts about how to technically achieve this and the other possibilities?

     I also like the info that user_agents show, for example, to identify specific devices. Maybe an option is creating some kind of regular expressions and creating a script that can be applied to multiple pcaps from different sources.
  2. Great question! I am also looking for other methods to capture and analyze traffic with the Nano, other than the built-in module tcpdump (which isn't working for me at the moment). I used this method on the previous version Pineapple, to analyze network traffic generated by me on mobile phones in my own lab. So it would be great if you could just select the Pineapple as an interface in Wireshark and capture the traffic from there. So I'll be following this thread, and I hope someone has been working on this or can offer any help on this topic. Thanks!