Command Line Options
The traffic-taffy tools support various command line options that dictate both how the tools parse pcap datasets and how they report the results.
Options affecting packet parsing and dissection
| Option | Description |
|---|---|
| -d DISSECTION_LEVEL | Dump to various levels of detail (1-10, with 10 being the most detailed and slowest) (default: 2) |
| -I [IGNORE_LIST …] | A list of (unlikely to be useful) packet fields to ignore. Ignoring some sections will speed up parsing somewhat and prevent displaying less useful fields such as TCP sequence numbers. See the --help output for a default list. |
| -n PACKET_COUNT | Maximum number of packets to analyze (default: 0) |
| -b BIN_SIZE | Time-bin the results into this many seconds (default: 1) |
| -F FILTER | tcpdump/libpcap filter to apply to the pcap file when processing (default: None) |
| -L [LAYERS …] | List of extra layers to load (e.g. tls, http, etc.). Some parsing engines (including level 10) won’t load some layers without requesting them. A list of these is still TBD. |
| -C | Cache PCAP results into, and use them from, a cache file |
| --cs | The file suffix to use when creating cache files (default: taffy) |
| --force-overwrite | Force continuing with an incompatible cache (and rewriting it) |
| --force-load | Force continuing with an incompatible cache (trying to load it anyway) |
Options limiting the display output
These generally apply to taffy-compare, taffy-dissect and taffy-graph.
| Option | Description |
|---|---|
| -m MATCH_STRING | Only report on data with this substring in the header |
| -M [MATCH_VALUE …] | Only report on data with particular substrings in the packet value |
| -c MINIMUM_COUNT | Don’t include results with a record count lower than this |
| -t PRINT_THRESHOLD | Don’t print results with abs(percent) less than this threshold |
| -P | Only show entries with positive changes |
| -N | Only show entries with negative changes |
| -r | Reverse the sort order of reports |
taffy-compare output options
| Option | Description |
|---|---|
| -F | Output FSDB formatted data (tab-separated with a header) |
| -s SORT_BY | Sort and limit output based on this column name (default: “delta %”) |
| -R TOP_RECORDS | Show the top N records from each section |
taffy-graph output options
| Option | Description |
|---|---|
| -o OUTPUT_PNG | Where to store the resulting graph |
| -p | Graph field percentages rather than actual values |
| -i | Interactive repeated graphing – don’t use this yet |
Debugging options
Generally most people won’t need these, but if you want to increase or decrease debugging output:
| Option | Description |
|---|---|
| --ll LOG_LEVEL | Change the minimum logging output level (debug, info, warning, error) |
| --dont-fork | Don’t let taffy-dissect use parallel processing |