taffy-compare - compare reference and anomaly traffic
taffy-compare takes one or more PCAP files and examines their contents for differences.
If one PCAP file is provided, it compares each time bin (default 1 second) against the following time bin, so a sudden change in traffic shows up as a large delta between adjacent bins.
If two PCAP files are provided, it compares the contents of the first ("Left") against the second ("Right"), which is the usual way to diff a known-good reference capture against a suspect one.
Output
The tool produces a report showing the differences between the Left and Right samples in six columns. Each output section starts with a title line prefixed by equal signs ("=======") that identifies what Left and Right refer to (files or time ranges). Within a section, each reported protocol field gets a header prefixed by dashes ("-----") followed by the protocol field name (such as "Ethernet.IP.UDP.dport"). The columns reported for each protocol field are as follows:
| Column | Description |
|---|---|
| Value | The value of the protocol field being reported |
| Left | The absolute count of this value in the Left sample |
| Right | The absolute count of this value in the Right sample |
| Delta | The absolute count delta, i.e. Right - Left |
| Left % | The percentage of this value among all values of the field in the Left sample |
| Right % | The percentage of this value among all values of the field in the Right sample |
| Delta % | The difference between the Right % and Left % columns |
Entries are sorted by Delta % by default; the sort column can be changed with the -s command line switch and the order reversed with -r.
Command Line Arguments
taffy-compare - CLI interface
Takes a set of pcap files to compare and creates a report.
taffy-compare [-h] [-f] [-m MATCH_STRING] [-M [MATCH_VALUE ...]] [-E MATCH_EXPRESSION]
[-c MINIMUM_COUNT] [-t PRINT_THRESHOLD] [-P] [-N] [-R TOP_RECORDS] [-r]
[-s SORT_BY] [-A ALGORITHM] [-d DISSECTION_LEVEL] [-I [IGNORE_LIST ...]]
[-n PACKET_COUNT] [-b BIN_SIZE] [-F FILTER] [-L [LAYERS ...]]
[-x [MODULES ...]] [--merge] [-C] [--cache-file-suffix CACHE_FILE_SUFFIX]
[--force-overwrite] [--force-load] [--log-level LOG_LEVEL]
[pcap_files ...]
taffy-compare positional arguments
pcap_files - PCAP files to analyze (default: None)
taffy-compare options
taffy-compare Output format
taffy-compare Limiting options
-m MATCH_STRING, --match-string MATCH_STRING - Only report on fields whose header contains this substring (default: None)
-M MATCH_VALUE, --match-value MATCH_VALUE - Only report on entries whose packet value field contains this substring (default: None)
-E MATCH_EXPRESSION, --match-expression MATCH_EXPRESSION - Match expression evaluated at runtime to select the data returned (default: None)
-c MINIMUM_COUNT, --minimum-count MINIMUM_COUNT - Don't include results whose record count is below this value (default: None)
-t PRINT_THRESHOLD, --print-threshold PRINT_THRESHOLD - Don't print results whose abs(percent) is less than this threshold (default: 0.0)
-P, --only-positive - Only show positive entries
-N, --only-negative - Only show negative entries
-R TOP_RECORDS, --top-records TOP_RECORDS - Show only the top N records from each section (default: None)
-r, --reverse_sort - Reverse the sort order of the report
-s SORT_BY, --sort-by SORT_BY - Sort report entries by this column (default: delta%)
-A ALGORITHM, --algorithm ALGORITHM - The algorithm to apply for data comparison (statistical, correlation) (default: statistical)
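The report arithmetic from the Output section and the limiting switches above, reimplemented as an added Python example. This is illustrative code, not the traffic-taffy project's own implementation: it assumes packets have already been dissected into {field: value} records, uses a hand-constructed packet list in place of a PCAP file, bins it into 1-second windows the way the single-file mode does, and assumes the default order is descending by the chosen sort column.

```python
"""Added example: the taffy-compare report arithmetic and limiting switches.

Not the traffic-taffy project's own code. Packets are constructed by hand
as (timestamp, {field: value}) records standing in for dissected PCAP data.
"""
from collections import Counter, defaultdict

# Constructed sample capture: DNS/NTP in the first second, then a burst of
# UDP/4444 to an outside host in the second. Field names mimic taffy's
# dotted layer paths; the values are illustrative.
PACKETS = [
    (0.1, {"Ethernet.IP.UDP.dport": 53, "Ethernet.IP.dst": "10.0.0.53"}),
    (0.4, {"Ethernet.IP.UDP.dport": 53, "Ethernet.IP.dst": "10.0.0.53"}),
    (0.7, {"Ethernet.IP.UDP.dport": 123, "Ethernet.IP.dst": "10.0.0.123"}),
    (1.2, {"Ethernet.IP.UDP.dport": 53, "Ethernet.IP.dst": "10.0.0.53"}),
    (1.5, {"Ethernet.IP.UDP.dport": 4444, "Ethernet.IP.dst": "203.0.113.9"}),
    (1.8, {"Ethernet.IP.UDP.dport": 4444, "Ethernet.IP.dst": "203.0.113.9"}),
    (1.9, {"Ethernet.IP.UDP.dport": 4444, "Ethernet.IP.dst": "203.0.113.9"}),
]


def bin_by_time(packets, bin_size=1.0):
    """Split packets into consecutive time bins of bin_size seconds
    (single-file mode compares each bin against the following one)."""
    bins = defaultdict(list)
    for ts, fields in packets:
        bins[int(ts // bin_size)].append((ts, fields))
    return [bins[k] for k in sorted(bins)]


def count_fields(packets, ignore=frozenset()):
    """Collapse packets into {field: Counter(value -> count)}, dropping
    fields named in `ignore` (the role of -I / --ignore-list)."""
    counts = defaultdict(Counter)
    for _ts, fields in packets:
        for name, value in fields.items():
            if name not in ignore:
                counts[name][value] += 1
    return counts


def compare(left_counts, right_counts):
    """Build one section per field with the six report columns."""
    report = {}
    for field in sorted(set(left_counts) | set(right_counts)):
        left = left_counts.get(field, Counter())
        right = right_counts.get(field, Counter())
        left_total, right_total = sum(left.values()), sum(right.values())
        rows = []
        for value in set(left) | set(right):
            l, r = left[value], right[value]
            left_pct = 100.0 * l / left_total if left_total else 0.0
            right_pct = 100.0 * r / right_total if right_total else 0.0
            rows.append({"value": value, "left": l, "right": r, "delta": r - l,
                         "left%": left_pct, "right%": right_pct,
                         "delta%": right_pct - left_pct})
        report[field] = rows
    return report


def limit(rows, sort_by="delta%", reverse=False, print_threshold=0.0,
          only_positive=False, only_negative=False, top_records=None):
    """Apply the limiting switches (-s, -r, -t, -P, -N, -R) to one section.
    Assumption: the default order is descending by the sort column."""
    kept = [r for r in rows if abs(r["delta%"]) >= print_threshold]
    if only_positive:
        kept = [r for r in kept if r["delta%"] > 0]
    if only_negative:
        kept = [r for r in kept if r["delta%"] < 0]
    kept.sort(key=lambda r: r[sort_by], reverse=not reverse)
    return kept[:top_records] if top_records else kept


def render(report, left_label, right_label, **limits):
    """Format sections as the page describes: '=====' title line,
    '-----' field headers, then the six columns."""
    out = [f"======= Left: {left_label}  Right: {right_label}"]
    for field, rows in report.items():
        out.append(f"----- {field}")
        out.append(f"{'Value':>14} {'Left':>6} {'Right':>6} {'Delta':>6} "
                   f"{'Left %':>8} {'Right %':>8} {'Delta %':>8}")
        for r in limit(rows, **limits):
            out.append(f"{str(r['value']):>14} {r['left']:>6} {r['right']:>6} "
                       f"{r['delta']:>6} {r['left%']:>8.2f} {r['right%']:>8.2f} "
                       f"{r['delta%']:>8.2f}")
    return "\n".join(out)


if __name__ == "__main__":
    bins = bin_by_time(PACKETS, bin_size=1.0)
    # Compare bin 0 against bin 1, ignoring the destination address field
    # to show how -I trims a whole section out of the report.
    report = compare(count_fields(bins[0], ignore={"Ethernet.IP.dst"}),
                     count_fields(bins[1], ignore={"Ethernet.IP.dst"}))
    print(render(report, "0.0-1.0s", "1.0-2.0s", print_threshold=30.0))
```

With the constructed capture, the UDP/4444 burst shows up as a Delta % of +75 in the Ethernet.IP.UDP.dport section, while the DNS traffic drops from two-thirds of the first bin to a quarter of the second. Note that Left % and Right % are computed per field, so a value can have a large negative Delta % simply because something else grew, not because it stopped.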
taffy-compare Parsing Options
-d DISSECTION_LEVEL, --dissection-level DISSECTION_LEVEL - Dissect to this level of detail (1-10, where 10 is the most detailed and slowest) (default: 2)
-I IGNORE_LIST, --ignore-list IGNORE_LIST - A list of packet fields to ignore because they are unlikely to be useful (default: ['Ethernet_IP_TCP_seq', 'Ethernet_IP_TCP_ack', 'Ethernet_IPv6_TCP_seq', 'Ethernet_IPv6_TCP_ack', 'Ethernet_IPv6_TCP_Raw_load', 'Ethernet_IP_UDP_Raw_load', 'Ethernet_IP_UDP_DNS_id', 'Ethernet_IP_ICMP_IP in ICMP_UDP in ICMP_chksum', 'Ethernet_IP_ICMP_IP in ICMP_UDP in ICMP_Raw_load', 'Ethernet_IP_ICMP_IP in ICMP_chksum', 'Ethernet_IP_ICMP_IP in ICMP_id', 'Ethernet_IP_TCP_DNS_id', 'Ethernet_IPv6_UDP_DNS_id', 'Ethernet_IPv6_TCP_DNS_id', 'Ethernet_IP_id', 'Ethernet_IP_chksum', 'Ethernet_IP_UDP_chksum', 'Ethernet_IP_TCP_chksum', 'Ethernet_IP_TCP_window', 'Ethernet_IP_TCP_Raw_load', 'Ethernet_IP_UDP_Raw_load', 'Ethernet_IPv6_UDP_chksum', 'Ethernet_IPv6_fl', 'Ethernet_IP_ICMP_chksum', 'Ethernet_IP_ICMP_id', 'Ethernet_IP_ICMP_seq', 'Ethernet_IP_TCP_Padding_load', 'Ethernet_IP_TCP_window', 'Ethernet_IPv6_TCP_chksum', 'Ethernet_IPv6_plen', 'Ethernet_IP_TCP_Encrypted Content_load', 'Ethernet_IP_TCP_TLS_TLS_Raw_load']). The defaults drop fields that vary from packet to packet (sequence and acknowledgement numbers, checksums, IP and DNS transaction IDs, raw and encrypted payloads), which would otherwise fill the report with one-off values.
-n PACKET_COUNT, --packet-count PACKET_COUNT - Maximum number of packets to analyze (default: 0)
-b BIN_SIZE, --bin-size BIN_SIZE - Bin results into time bins of this many seconds (default: None)
-F FILTER, --filter FILTER - Filter to apply to the pcap file when processing (default: None)
-L LAYERS, --layers LAYERS - List of extra layers to load (e.g. tls, http) (default: [])
-x MODULES, --modules MODULES - Extra processing modules to load (currently: psl) (default: None)
--merge, --merge-files - Dissect multiple files as one and compare by time bin
-C, --cache-pcap-results - Cache dissection results to a cache file and load them from it on later runs
--cache-file-suffix CACHE_FILE_SUFFIX, --cs CACHE_FILE_SUFFIX - The file suffix to use when creating cache files (default: taffy)
--force-overwrite - Force continuing with an incompatible cache (and rewrite it)
--force-load - Force continuing with an incompatible cache (trying to load it anyway)
taffy-compare Debugging options
--log-level LOG_LEVEL, --ll LOG_LEVEL - Define the logging verbosity level (debug, info, warning, error, ...) (default: info)
Example usage, comparing two captures and caching the dissection results with -C so that repeated comparisons of the same files skip re-parsing: taffy-compare -C file1.pcap file2.pcap