Adding Current work

Programas/Filtered_in_Files/bruteforce_filteredbyfiles.py

@@ -0,0 +1,217 @@
+#Version 2 #Itera por sip /16 y cuenta numero de puertos por cada dip
+#hello
+
+
+from silk import *
+
+global_num = 2 #posicion del subnetwork. 1 implica A.x.x.x, 2 implica A.B.x.x, etc.
+
+#funcion que recibe un string del ip address y devuelve otro string hasta el subnetwork
+#que indica el numero de posicion
+def ipConversion(number, position):
+    mystr = '.'
+    ipadd = number.split(".")
+    return mystr.join(ipadd[:position])
+
+#Esta funcion recorre la lista de flows, las manda por la funcion de Filter para verificar
+#que sean puertos no comunes, luego guarda una lista de esos flows especificos en un file
+#y devuelve un hash de los flows filtrados.
+def FilterBySIP(flows, flowHash, num):
+
+    fc = 0
+    dportHash = {}
+
+    fdout = open("tmpfile%s" % num, "w")
+
+    for filename in flows:
+        for rec in silkfile_open(filename, READ):#reading the flow file
+		    fc += 1
+        	if (':' in str(rec.sip)) or (num > global_num and ipConversion(str(rec.sip), num) not in flowHash): #Si en el paso anterior se vio que no
+             		continue
+        	dip = str(rec.dip)
+        	sip = str(rec.sip)
+      		dport= rec.dport
+		    sport= rec.sport
+
+		Filter(fdout, ipConversion(sip, num+1), dip, sport, dport, dportHash)
+		fdout.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
+
+    # print fc
+    fdout.close()
+    return dportHash
+
+#Esta funcion recorre la lista de flows guardados en el file creado en el step anterior,
+#verifica que esten en el hash creado en el step anterior, las manda por la funcion de Filter para verificar
+#que sean puertos no comunes, luego guarda una lista de esos flows especificos en un file
+#y devuelve un hash de los flows filtrados.
+def FilterBySIPTMP(flowHash, num):
+
+    dportHash = {}
+
+    fdout = open("tmpfile%s" % num, "w")
+
+    with open("tmpfile%s" % (num - 1), "r") as f:
+    	for flow in f:
+            sip, dip, sport, dport = flow.split(":")
+            #print ipConversion(sip, num)
+            sport = int(sport)
+            dport = int(dport)
+            if ipConversion(sip, num) not in flowHash:
+                continue
+            Filter(fdout, ipConversion(sip, num+1), dip, sport, dport, dportHash)
+            fdout.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
+        fdout.close()
+    return dportHash
+
+#argumentos consisten del file con los flows, source y destination ip y puertos y
+#un hash vacio para guardar los source ips con la lista de puertos a donde se conecta
+#la funcion verifica que los puertos no sean puertos comunes, para asi agregar el flow al hash
+def Filter(fd, sip, dip, sport, dport, dportHash):
+
+	if dport > 1024 and (sport <= 1024 or (sport >= 8000 and sport < 9000)):
+		return
+	if sip in dportHash:
+#       	if dip in dportHash[sip]["dips"]:
+#        	        dportHash[sip]["dips"][dip] += 1
+#		else:
+#			dportHash[sip]["dips"][dip] = 1
+		if dport in dportHash[sip]["dports"]:
+               	        dportHash[sip]["dports"][dport] += 1
+			#return
+               	else:
+               		dportHash[sip]["dports"][dport] = 1
+     	else:
+		dportHash[sip] = {"dports": {}}
+		dportHash[sip]["dips"] = {}
+	#fd.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
+
+def FilterBySIPFull(flowHash, num):
+    flow_Counter=0
+    dportHash = {}
+
+    for filename in FGlob(type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf",  data_rootdir="/home/scratch/flow/rwflowpack/"):
+
+        for rec in silkfile_open(filename, READ):#reading the flow file
+                if (':' in str(rec.sip)) or (num > global_num and ipConversion(str(rec.sip), num) not in flowHash): #Si en el paso anterior se vio que no
+                        continue
+                dip = str(rec.dip)
+                sip = ipConversion(str(rec.sip), num+1)
+                dport= rec.dport
+                if sip in dportHash:
+                        if dip in dportHash[sip]:
+                                if dport in dportHash[sip][dip]:
+                                        dportHash[sip][dip][dport] += 1
+                                else:
+                                        dportHash[sip][dip][dport] = 1
+                        else:
+                                dportHash[sip][dip] = {dport : 1}
+                else:
+                        dportHash[sip] = { dip: {dport: 1} }
+
+    return dportHash
+
+#Hace lo mismo que la funcion FilterBySIPTMP, lo unico que esta vez no hace falta verificar los puertos
+#y ademas crea otro hash de los source ips con sus destination ips con sus puertos
+def last_step(flowHash, num):
+    dportHash = {}
+
+    with open("tmpfile%s" % (num), "r") as f:
+    	for flow in f:
+            sip, dip, sport, dport = flow.split(":")
+            sport = int(sport)
+            dport = int(dport)
+            if (':' in sip) or (num > global_num and sip not in flowHash):
+                print sip
+                print "Do we ever enter here?"
+                continue
+            if sip in dportHash:
+                if dip in dportHash[sip]:
+                    if dport in dportHash[sip][dip]:
+                        dportHash[sip][dip][dport] += 1
+                    else:
+                        dportHash[sip][dip][dport] = 1
+                else:
+                        dportHash[sip][dip] = {dport : 1}
+            else:
+                dportHash[sip] = { dip: {dport: 1} }
+        return dportHash
+
+#Funcion que verifica que el total de puertos por cada source ip con su destination ip
+#sea mayor que 100. Devuelve un hash con los flows filtrados.
+def filter_laststep(flowhash):
+    otherhash ={}
+
+    for sips in flowhash: #se itera por todos los dip y sus counters o puertos
+        for dips, dports in flowhash[sips].items():
+            #print "Filter", len(dports)
+            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
+                                    #y por lo tanto se guardan en un hash
+                if sips in otherhash:
+                    otherhash[sips][dips] = dports
+                else:
+                    otherhash[sips] = {dips: dports}
+    return otherhash
+
+
+
+def main():
+#variable del intervalo de los flows a verificar
+    startDate = "2018/08/01"
+    endDate = "2018/08/31"
+
+    myNum = global_num #variable que dicta la posicion del subnetwork
+
+    #lista de flows total
+    flows = FGlob(type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf",  data_rootdir="/home/scratch/flow/rwflowpack/")
+
+    otherHash = {}
+
+    flowHash = FilterBySIP(flows, otherHash, myNum) #hash de todos los sourceip en el subnetwork de posicion myNum con sus puertos
+
+    print "Before thresh 1", len(flowHash)
+
+    #Verifica source ips sospechosos por cantidad de puertos conectados
+    #devuelve hash con los source ips filtrados
+    for sip in flowHash:
+    	if  len(flowHash[sip]["dports"]) >= 100:
+    		otherHash[sip] = flowHash[sip]
+
+    print "After thresh 1", len(otherHash)
+
+
+    while myNum <3:
+
+        flowHash= FilterBySIPTMP(otherHash, myNum + 1)
+
+        #print "Before thresh 2", len(flowHash)
+        otherHash = {}
+        for sip in flowHash: #se itera por todos los dip y sus counters o puertos
+        	if  len(flowHash[sip]["dports"]) >= 100:
+        		otherHash[sip] = flowHash[sip]
+
+
+        #print "After thresh 2", len(otherHash)
+        myNum += 1
+
+    final_hash = last_step(otherHash, myNum)
+    #print final_hash
+    # for sips in final_hash: #se itera por todos los dip y sus counters o puertos
+    #     for dips, dports in final_hash[sips].items():
+    #         print "final", len(dports)"
+    filtered_final_hash = filter_laststep(final_hash)
+
+
+    fc = 0
+    fo=0
+    for sip in filtered_final_hash:
+        fc +=1
+        for dip in filtered_final_hash[sip]:
+            fo +=1
+            #print sip, dip, filtered_final_hash[sip][dip]
+        #print (flowHash)
+    print fc
+    print fo
+
+
+if __name__== "__main__":
+  main()

Programas/Multiprocess/bruteforce_sip-dip_threehash.py

@@ -0,0 +1,62 @@
+# Guarda lista de puertos de cada dip por cada sip
+
+from silk import *
+
+
+startDate = "2018/09/1"
+endDate = "2018/09/30"
+#Para filtrar por puertos. Pero no queremos todavia
+#minPort = 20
+#maxPort = 5000
+
+
+def verify_type():
+    x = 0
+    dportHash = {} #contains amount of dport per each sip
+    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"):
+        for rec in silkfile_open(filename, READ):#reading the flow file
+            sip = str(rec.sip)
+            dip = str(rec.dip)
+            dport = rec.dport
+            if (':' in sip): #Si en el paso anterior se vio que no
+                # print "heeloo", x
+                # x+=1
+                #                                             #tiene el length de puertos requerido, se ignora
+                continue
+            else:
+                if sip in dportHash:
+                    if dip in dportHash[sip]:
+                        if dport in dportHash[sip][dip]:
+                            dportHash[sip][dip][dport] += 1
+                        else:
+                            dportHash[sip][dip][dport] = 1
+                    else:
+                        dportHash[sip][dip] = {dport : 1}
+                else:
+                    dportHash[sip] = { dip: {dport: 1} }
+    return dportHash
+
+
+#MAIN
+otherHash = {}
+counter = 0
+files = FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/")
+files = [x for x in files]
+print "Flow", len(files)
+flowHash = verify_type()
+print "After flow", len(flowHash)
+for sips in flowHash: #se itera por todos los dip y sus counters o puertos
+    for dips, dports in flowHash[sips].items():
+        if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
+                                #y por lo tanto se guardan en un hash
+            print "DIP", dips, len(dports)
+            if sips in otherHash:
+                otherHash[sips][dips] = dports
+            else:
+                otherHash[sips] = {dips: dports}
+
+for dips, dports in otherHash.items():
+    counter +=1 #para contar los elementos del hash
+
+print counter
+#print otherHash

Programas/Multiprocess/map_bruteforce_three.py

@@ -0,0 +1,98 @@
+# Guarda lista de puertos de cada dip por cada sip
+#ftp remote edit
+from silk import *
+import multiprocessing as mp
+
+
+#Para filtrar por puertos. Pero no queremos todavia
+#minPort = 20
+#maxPort = 5000
+
+
+def verify_type(filename):
+
+    dportHash = {} #contains amount of dport per each sip
+    filename = [filename]
+    #print "stooy aqui"
+
+    for file in filename:
+
+        for rec in silkfile_open(file, READ):#reading the flow file
+            sip = str(rec.sip)
+            dip = str(rec.dip)
+            dport = rec.dport
+            if (':' in sip): #Si en el paso anterior se vio que n                                                    #tiene el length de puertos requerido, se ignora
+
+                # x+=1
+                continue
+            else:
+                if sip in dportHash:
+                    if dip in dportHash[sip]:
+                        if dport in dportHash[sip][dip]:
+                            dportHash[sip][dip][dport] += 1
+                        else:
+                            dportHash[sip][dip][dport] = 1
+                    else:
+                        dportHash[sip][dip] = {dport : 1}
+                else:
+                    dportHash[sip] = { dip: {dport: 1} }
+
+    return dportHash
+
+def join_hash(list):
+    complete_hash ={}
+    for i in list:
+        for sip, hash in i.items():
+            if sip in complete_hash:
+                #print "hello", sip
+                for dip, dports in i[sip].items():
+                    #print dip
+                    if dip in complete_hash[sip]:
+                        #print "wassup"
+                        for number, value in dports.items():
+                            if number in complete_hash[sip]:
+                                print "DPORTS", number
+                                complete_hash[sip][dip][number] += value
+                            else:
+                                complete_hash[sip][dip][number]= value
+                    else:
+                        complete_hash[sip][dip]= dports
+            else:
+                complete_hash[sip]= hash
+    return complete_hash
+
+
+def main():
+    startDate = "2018/09/1"
+    endDate = "2018/09/30"
+    otherHash = {}
+    counter = 0
+    process_num = 8
+    pool = mp.Pool(processes=process_num)
+    files = FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/")
+
+    files = [x for x in files]
+    print len(files)
+    fileHash = pool.map(verify_type, files) # FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"))
+    flowHash = join_hash(fileHash)
+    print "FLOW", len(flowHash)
+    for sips in flowHash: #se itera por todos los dip y sus counters o puertos
+        #print sips
+        for dips, dports in flowHash[sips].items():
+            #print "Dip", dips, dports
+            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
+                                #y por lo tanto se guardan en un hash
+                print "DIP", dips, len(dports)
+                if sips in otherHash:
+                    otherHash[sips][dips] = dports
+                else:
+                    otherHash[sips] = {dips: dports}
+
+    for dips, dports in otherHash.items():
+        counter +=1 #para contar los elementos del hash
+
+    print counter
+#print otherHash
+
+if __name__== "__main__":
+  main()

Programas/Multiprocess/trw.py

@@ -0,0 +1,61 @@
+##################################
+#   TRW sin reduccion           #
+#      Para Data Set de la Uni    #
+################################
+
+
+
+from silk import *
+startDate = "2018/08/14"
+endDate = "2018/08/15"
+p = 2
+
+def Analisis():
+    counter = 0 # borrar luego
+    sampleHash={} #hash para contener los dip con el numero de conecciones y failed coneccciones
+    flow_counter = 0
+    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"):
+        for rec in silkfile_open(filename, READ):#reading the flow file
+            flow_counter += 1
+            if (':' in str(rec.sip)):
+				continue
+	    else:
+            	connection = [0] * 2 #Lista para contener los valores de conecciones failed y conecciones buenas
+            	sip = str(rec.sip) #Devuelve el ip en notacion punto-decimal
+            	flags = str(rec.tcpflags)
+            #print sip, flags
+	    #counter +=1
+            	if 'A' in flags: ####arreglar
+                	connection[1]=1 #good conections
+                else:
+                	connection [0] =1 #failed conections
+            	if sip in sampleHash:
+	                sampleHash[sip][0]+= connection[0]
+	                sampleHash[sip][1]+= connection[1]
+            	else:
+                	sampleHash[sip] = [connection[0], connection[1]]
+	    #print sampleHash
+    #print flow_counter
+    return sampleHash
+
+sip_connections_list = Analisis()
+#print sip_connections_list
+sipList = {"sipList":[]}
+for sip in sip_connections_list:
+          if (sip_connections_list[sip][1] != 0) and ((sip_connections_list[sip][0] / sip_connections_list[sip][1])  < 1) : #si la cantidad de succesful
+                                #b                #g                    #connections es mas que failed connections
+                      #not scanner, ignore
+                      continue
+          elif (sip_connections_list[sip][1] != 0) and ((sip_connections_list[sip][0] / sip_connections_list[sip][1])  < p): #mas failed que succesful, pero no llega al threshold
+                      #not scanner, ignore
+                      continue                          #se debe tener en cuenta que es suspicious pero no taaanto
+          elif (sip_connections_list[sip][1] == 0 and sip_connections_list[sip][0] > 10): #el ratio de failed a succesful llega al threshold pautado
+                            #scanner, oh oh
+                    hash = {sip:sip_connections_list[sip]}
+                    sipList["sipList"].append(hash)
+          else:
+                            #scanner, oh oh
+                    hash = {sip:sip_connections_list[sip]}
+                    sipList["sipList"].append(hash)
+
+print sipList

Programas/Reduction_Method/bruteforce_reduc_sip-dip_threehash.py

@@ -0,0 +1,75 @@
+#Itera por sip /16 y cuenta numero de puertos por cada dip
+
+from silk import *
+
+
+startDate = "2018/06/01"
+endDate = "2018/06/30"
+#Para filtrar por puertos. Pero no queremos todavia
+#minPort = 20
+#maxPort = 5000
+
+
+def ipConversion(number, position):
+    mystr = ''
+    ipadd = number.split(".") #Devuelve un arreglo
+    for i in range(position+1):
+        if i ==position:
+            mystr = mystr + ipadd[i]
+        else:
+            mystr = mystr + ipadd[i] + '.'
+    return mystr #devuelve los numeros en notacion string
+
+
+
+def UltimoAnalisis(flowHash, num):
+    dportHash={}
+    flow_Counter=0
+    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"):
+        for rec in silkfile_open(filename, READ):#reading the flow file
+            if (':' in str(rec.sip)) or (num != 0 and ipConversion(str(rec.sip), num-1) not in flowHash): #Si en el paso anterior se vio que no
+                                                                         #tiene el length de puertos requerido, se ignora
+                continue
+            else: #agrega a un hash cada puerto con un counter de sus destination ips
+                dip = str(rec.dip)
+                sip = ipConversion(str(rec.sip), num)
+                dport= rec.dport
+                if sip in dportHash:
+                    if dip in dportHash[sip]:
+                        if dport in dportHash[sip][dip]:
+                            dportHash[sip][dip][dport] += 1
+                        else:
+                            dportHash[sip][dip][dport] = 1
+                    else:
+                        dportHash[sip][dip] = {dport : 1}
+                else:
+                    dportHash[sip] = { dip: {dport: 1} }
+
+    #print flow_Counter
+    return dportHash
+
+#main
+
+myNum = 0
+otherHash = {}
+while myNum <4: #Se itera las cuatro veces de acuerdo con la notacion de ipv4
+    flowHash= UltimoAnalisis(otherHash, myNum)
+    otherHash = {} #Se borra el hash para agregar elementos nuevos con la nueva etapa de la busqueda
+    for sips in flowHash: #se itera por todos los dip y sus counters o puertos
+        for dips, dports in flowHash[sips].items():
+            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
+                                    #y por lo tanto se guardan en un hash
+                if sips in otherHash:
+                    otherHash[sips][dips] = dports
+                else:
+                    otherHash[sips] = {dips: dports}
+    myNum += 1
+
+    #print (flowHash)
+
+counter = 0
+
+for dips, dports in otherHash.items():
+    counter +=1 #para contar los elementos del hash
+
+print counter

Programas/Reduction_Method/bruteforce_reduc_sip_threehash.py

@@ -0,0 +1,145 @@
+#Itera por sip /16 y cuenta numero de puertos por cada dip
+
+
+
+from silk import *
+
+
+
+
+
+startDate = "2018/06/01"
+
+endDate = "2018/06/30"
+
+#Para filtrar por puertos. Pero no queremos todavia
+
+#minPort = 20
+
+#maxPort = 5000
+
+
+
+
+
+def ipConversion(number, position):
+
+    mystr = ''
+
+    ipadd = number.split(".") #Devuelve un arreglo
+
+    for i in range(position+1):
+
+        if i ==position:
+
+            mystr = mystr + ipadd[i]
+
+        else:
+
+            mystr = mystr + ipadd[i] + '.'
+
+    return mystr #devuelve los numeros en notacion string
+
+
+
+def UltimoAnalisis(flowHash, num):
+
+    dportHash={}
+
+    flow_Counter=0
+
+    for filename in FGlob(type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf",  data_rootdir="/home/scratch/flow/rwflowpack/"):
+
+        for rec in silkfile_open(filename, READ):#reading the flow file
+
+            if (':' in str(rec.sip)) or (num != 0 and ipConversion(str(rec.sip), num-1) not in flowHash): #Si en el paso anterior se vio que no
+
+                                                                         #tiene el length de puertos requerido, se ignora
+
+                continue
+
+            else: #agrega a un hash cada puerto con un counter de sus destination ips
+
+                dip = str(rec.dip)
+
+                sip = ipConversion(str(rec.sip), num)
+
+                dport= rec.dport
+
+                if sip in dportHash:
+
+                    if dip in dportHash[sip]:
+
+                        if dport in dportHash[sip][dip]:
+
+                            dportHash[sip][dip][dport] += 1
+
+                        else:
+
+                            dportHash[sip][dip][dport] = 1
+
+                    else:
+
+                        dportHash[sip][dip] = {dport : 1}
+
+                else:
+
+                    dportHash[sip] = { dip: {dport: 1} }
+
+
+
+    #print flow_Counter
+
+    return dportHash
+
+
+
+#main
+
+
+
+myNum = 0
+
+otherHash = {}
+
+while myNum <4: #Se itera las cuatro veces de acuerdo con la notacion de ipv4
+
+    flowHash= UltimoAnalisis(otherHash, myNum)
+
+    otherHash = {} #Se borra el hash para agregar elementos nuevos con la nueva etapa de la busqueda
+
+    for sips in flowHash: #se itera por todos los dip y sus counters o puertos
+
+        for dips, dports in flowHash[sips].items():
+
+            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
+
+                                    #y por lo tanto se guardan en un hash
+
+                if sips in otherHash:
+
+                    otherHash[sips][dips] = dports
+
+                else:
+
+                    otherHash[sips] = {dips: dports}
+
+    myNum += 1
+
+
+
+    #print (flowHash)
+
+
+
+counter = 0
+
+
+
+for dips, dports in otherHash.items():
+
+    counter +=1 #para contar los elementos del hash
+
+
+
+print counter

Programas/Reduction_Method/bruteforce_reduc_threehash.py

@@ -0,0 +1,74 @@
+#Itera a la vez el sip y el dip y guarda en un hash los puertos
+
+from silk import *
+
+
+startDate = "2018/08/14"
+endDate = "2018/08/15"
+#Para filtrar por puertos. Pero no queremos todavia
+#minPort = 20
+#maxPort = 5000
+
+
+def ipConversion(number, position):
+    mystr = ''
+    ipadd = number.split(".") #Devuelve un arreglo
+    for i in range(position+1):
+        if i ==position:
+            mystr = mystr + ipadd[i]
+        else:
+            mystr = mystr + ipadd[i] + '.'
+    return mystr #devuelve los numeros en notacion string
+
+
+def UltimoAnalisis(flowHash, num):
+    dportHash={}
+    flow_Counter=0
+    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"):
+        for rec in silkfile_open(filename, READ):#reading the flow file
+            if (':' in str(rec.sip)) or (num != 0 and ipConversion(str(rec.sip), num-1) not in flowHash): #Si en el paso anterior se vio que no
+                                                                         #tiene el length de puertos requerido, se ignora
+                continue
+            else: #agrega a un hash cada puerto con un counter de sus destination ips
+                dip = ipConversion(str(rec.dip), num)
+                sip = ipConversion(str(rec.sip), num)
+                dport= rec.dport
+                if sip in dportHash:
+                    if dip in dportHash[sip]:
+                        if dport in dportHash[sip][dip]:
+                            dportHash[sip][dip][dport] += 1
+                        else:
+                            dportHash[sip][dip][dport] = 1
+                    else:
+                        dportHash[sip][dip] = {dport : 1}
+                else:
+                    dportHash[sip] = { dip: {dport: 1} }
+
+    #print flow_Counter
+    return dportHash
+
+
+#main
+
+myNum = 0
+otherHash = {}
+while myNum <4: #Se itera las cuatro veces de acuerdo con la notacion de ipv4
+    flowHash= UltimoAnalisis(otherHash, myNum)
+    otherHash = {} #Se borra el hash para agregar elementos nuevos con la nueva etapa de la busqueda
+    for sips in flowHash: #se itera por todos los dip y sus counters o puertos
+        for dips, dports in flowHash[sips].items():
+            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
+                                    #y por lo tanto se guardan en un hash
+                if sips in otherHash:
+                    otherHash[sips][dips] = dports
+                else:
+                    otherHash[sips] = {dips: dports}
+                print sips, len(dports)
+    myNum += 1
+
+
+counter = 0
+for dips, dports in otherHash.items():
+    counter +=1 #para contar los elementos del hash
+
+print counter