taffy-compare - compare reference and anomaly traffic

taffy-compare takes one or multiple PCAP files and examines the contents for differences.

If one PCAP file is provided, it will compare each time bin (default 1 second) against each next time bin.

If two PCAP files are provided, it will compare the contents of the first (“Left”) against the second (“Right”).

Output

The output of the tool is a report showing the differences between the Left and Right samples, in 6 different columns. Each output section begins with a title line prefixed by equal signs (“=======”) showing what Left and Right map to (files or time ranges). Each reported protocol field then gets a header prefixed with dashes (“-----”) followed by the protocol field name (such as “Ethernet.IP.UDP.dport”). The columns reported for each protocol field are as follows:

  Column    Description
  -------   -----------
  Value     The value for the protocol field being reported
  Left      The absolute count of the value in the Left sample
  Right     The absolute count of the value seen in the Right sample
  Delta     The absolute count delta: Right - Left
  Left %    The percentage of this value vs all the values from the left protocol field
  Right %   The percentage of this value vs all the values from the right protocol field
  Delta %   The difference between the Left and Right percentage columns

The default sort order is by Delta %, but can be changed with the -s command line switch.
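The following is an added example (not traffic-taffy's own code) that computes these report columns for one protocol field from constructed Left/Right value counts, drops rows below a -t style abs(percent) threshold, and sorts on the chosen column. The descending sort direction and the exact layout of the printed section are assumptions of the example.

```python
from collections import Counter

# Constructed sample: counts of the Ethernet.IP.UDP.dport field seen in the
# Left and Right samples (not taken from a real capture).
LEFT_DPORT = Counter({53: 80, 123: 20})
RIGHT_DPORT = Counter({53: 40, 123: 20, 1900: 40})

COLUMNS = ("value", "left", "right", "delta", "left%", "right%", "delta%")


def compare_field(left, right, sort_by="delta%", reverse=False, threshold=0.0):
    """Build the report rows for one protocol field.

    Each row carries the report columns described above. Rows whose
    abs(delta%) is below `threshold` are dropped (the -t behaviour) and the
    result is sorted on `sort_by`, largest first; `reverse` flips the order
    (the default direction is an assumption of this example).
    """
    left_total = sum(left.values()) or 1    # avoid division by zero on an empty sample
    right_total = sum(right.values()) or 1
    rows = []
    for value in sorted(set(left) | set(right), key=str):
        l_count, r_count = left.get(value, 0), right.get(value, 0)
        left_pct = 100.0 * l_count / left_total
        right_pct = 100.0 * r_count / right_total
        row = dict(zip(COLUMNS, (value, l_count, r_count, r_count - l_count,
                                 left_pct, right_pct, right_pct - left_pct)))
        if abs(row["delta%"]) >= threshold:
            rows.append(row)
    rows.sort(key=lambda row: row[sort_by], reverse=not reverse)
    return rows


def format_section(field, rows, left_name, right_name):
    """Render one section: a '=======' title line, a '-----' field header, then rows."""
    lines = [f"======= {left_name} vs {right_name}", f"----- {field}"]
    lines.append(f"{'Value':>8} {'Left':>6} {'Right':>6} {'Delta':>6} "
                 f"{'Left %':>7} {'Right %':>7} {'Delta %':>7}")
    for row in rows:
        lines.append(f"{row['value']!s:>8} {row['left']:>6} {row['right']:>6} {row['delta']:>6} "
                     f"{row['left%']:>7.1f} {row['right%']:>7.1f} {row['delta%']:>7.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = compare_field(LEFT_DPORT, RIGHT_DPORT)
    print(format_section("Ethernet.IP.UDP.dport", rows, "file1.pcap", "file2.pcap"))
```

In single-file mode the same comparison applies, with Left and Right being consecutive time bins rather than two files.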

Command Line Arguments

taffy-compare - CLI interface

Takes a set of pcap files to compare and creates a report.

taffy-compare [-h] [-f] [-m MATCH_STRING] [-M [MATCH_VALUE ...]] [-E MATCH_EXPRESSION]
              [-c MINIMUM_COUNT] [-t PRINT_THRESHOLD] [-P] [-N] [-R TOP_RECORDS] [-r]
              [-s SORT_BY] [-A ALGORITHM] [-d DISSECTION_LEVEL] [-I [IGNORE_LIST ...]]
              [-n PACKET_COUNT] [-b BIN_SIZE] [-F FILTER] [-L [LAYERS ...]]
              [-x [MODULES ...]] [--merge] [-C] [--cache-file-suffix CACHE_FILE_SUFFIX]
              [--force-overwrite] [--force-load] [--log-level LOG_LEVEL]
              [pcap_files ...]

taffy-compare positional arguments

  • pcap_files - PCAP files to analyze (default: None)

taffy-compare options

  • -h, --help - show this help message and exit

taffy-compare Output format

  • -f, --fsdb - Print results in an FSDB formatted output

taffy-compare Limiting options

  • -m MATCH_STRING, --match-string MATCH_STRING - Only report on data with this substring in the header (default: None)

  • -M MATCH_VALUE, --match-value MATCH_VALUE - Only report on data with this substring in the packet value field (default: None)

  • -E MATCH_EXPRESSION, --match-expression MATCH_EXPRESSION - Match expression to be evaluated at runtime for returning data (default: None)

  • -c MINIMUM_COUNT, --minimum-count MINIMUM_COUNT - Don’t include results whose record count is below this value (default: None)

  • -t PRINT_THRESHOLD, --print-threshold PRINT_THRESHOLD - Don’t print results with abs(percent) less than this threshold (default: 0.0)

  • -P, --only-positive - Only show positive entries

  • -N, --only-negative - Only show negative entries

  • -R TOP_RECORDS, --top-records TOP_RECORDS - Show the top N records from each section. (default: None)

  • -r, --reverse_sort - Reverse the sort order of reports

  • -s SORT_BY, --sort-by SORT_BY - Sort report entries by this column (default: delta%)

  • -A ALGORITHM, --algorithm ALGORITHM - The algorithm to apply for data comparison (statistical, correlation) (default: statistical)

taffy-compare Parsing Options

  • -d DISSECTION_LEVEL, --dissection-level DISSECTION_LEVEL - Dump to various levels of detail (1-10, where 10 is the most detailed and slowest) (default: 2)

  • -I IGNORE_LIST, --ignore-list IGNORE_LIST - A list of (unlikely to be useful) packet fields to ignore (default: ['Ethernet_IP_TCP_seq', 'Ethernet_IP_TCP_ack', 'Ethernet_IPv6_TCP_seq', 'Ethernet_IPv6_TCP_ack', 'Ethernet_IPv6_TCP_Raw_load', 'Ethernet_IP_UDP_Raw_load', 'Ethernet_IP_UDP_DNS_id', 'Ethernet_IP_ICMP_IP in ICMP_UDP in ICMP_chksum', 'Ethernet_IP_ICMP_IP in ICMP_UDP in ICMP_Raw_load', 'Ethernet_IP_ICMP_IP in ICMP_chksum', 'Ethernet_IP_ICMP_IP in ICMP_id', 'Ethernet_IP_TCP_DNS_id', 'Ethernet_IPv6_UDP_DNS_id', 'Ethernet_IPv6_TCP_DNS_id', 'Ethernet_IP_id', 'Ethernet_IP_chksum', 'Ethernet_IP_UDP_chksum', 'Ethernet_IP_TCP_chksum', 'Ethernet_IP_TCP_window', 'Ethernet_IP_TCP_Raw_load', 'Ethernet_IP_UDP_Raw_load', 'Ethernet_IPv6_UDP_chksum', 'Ethernet_IPv6_fl', 'Ethernet_IP_ICMP_chksum', 'Ethernet_IP_ICMP_id', 'Ethernet_IP_ICMP_seq', 'Ethernet_IP_TCP_Padding_load', 'Ethernet_IP_TCP_window', 'Ethernet_IPv6_TCP_chksum', 'Ethernet_IPv6_plen', 'Ethernet_IP_TCP_Encrypted Content_load', 'Ethernet_IP_TCP_TLS_TLS_Raw_load'])

  • -n PACKET_COUNT, --packet-count PACKET_COUNT - Maximum number of packets to analyze (default: 0)

  • -b BIN_SIZE, --bin-size BIN_SIZE - Bin results into this many seconds (default: None)

  • -F FILTER, --filter FILTER - filter to apply to the pcap file when processing (default: None)

  • -L LAYERS, --layers LAYERS - List of extra layers to load (e.g. tls, http) (default: [])

  • -x MODULES, --modules MODULES - Extra processing modules to load (currently: psl) (default: None)

  • --merge, --merge-files - Dissect multiple files as one (compare by time)

  • -C, --cache-pcap-results - Cache PCAP results into, and reuse them from, a cache file

  • --cache-file-suffix CACHE_FILE_SUFFIX, --cs CACHE_FILE_SUFFIX - The file suffix to use when creating cache files (default: taffy)

  • --force-overwrite - Force continuing with an incompatible cache (and rewriting it)

  • --force-load - Force continuing with an incompatible cache (trying to load it anyway)

taffy-compare Debugging options

  • --log-level LOG_LEVEL, --ll LOG_LEVEL - Define the logging verbosity level (debug, info, warning, error, …). (default: info)

Example Usage: taffy-compare -C file1.pcap file2.pcap