taffy-dissect - dissect and count packet types within a pcap file
taffy-dissect dissects all or part of a pcap file and counts each of the packet components seen. It provides a quick way to discover the most common packet components that make up a larger body of traffic.
Command Line Arguments
taffy-dissect - CLI interface
Takes a set of pcap files to compare and creates a report.
taffy-dissect [-h] [-f] [-m MATCH_STRING] [-M [MATCH_VALUE ...]] [-E MATCH_EXPRESSION]
              [-c MINIMUM_COUNT] [-t PRINT_THRESHOLD] [-P] [-N] [-R TOP_RECORDS] [-r]
              [-s SORT_BY] [-A ALGORITHM] [-d DISSECTION_LEVEL] [-I [IGNORE_LIST ...]]
              [-n PACKET_COUNT] [-b BIN_SIZE] [-F FILTER] [-L [LAYERS ...]]
              [-x [MODULES ...]] [--merge] [-C] [--cache-file-suffix CACHE_FILE_SUFFIX]
              [--force-overwrite] [--force-load] [--log-level LOG_LEVEL]
              [pcap_files ...]
taffy-dissect positional arguments
pcap_files
- PCAP files to analyze (default: None)
taffy-dissect options
taffy-dissect Output format
taffy-dissect Limiting options
-m MATCH_STRING, --match-string MATCH_STRING
- Only report on data with this substring in the header (default: None)
-M MATCH_VALUE, --match-value MATCH_VALUE
- Only report on data with this substring in the packet value field (default: None)
-E MATCH_EXPRESSION, --match-expression MATCH_EXPRESSION
- Match expression to be evaluated at runtime for returning data (default: None)
-c MINIMUM_COUNT, --minimum-count MINIMUM_COUNT
- Don't include results whose record count is below this value (default: None)
-t PRINT_THRESHOLD, --print-threshold PRINT_THRESHOLD
- Don't print results with abs(percent) less than this threshold (default: 0.0)
-P, --only-positive
- Only show positive entries
-N, --only-negative
- Only show negative entries
-R TOP_RECORDS, --top-records TOP_RECORDS
- Show the top N records from each section (default: None)
-r, --reverse_sort
- Reverse the sort order of reports
-s SORT_BY, --sort-by SORT_BY
- Sort report entries by this column (default: delta%)
-A ALGORITHM, --algorithm ALGORITHM
- The algorithm to apply for data comparison (statistical, correlation) (default: statistical)
taffy-dissect Parsing Options
-d DISSECTION_LEVEL, --dissection-level DISSECTION_LEVEL
- Dump to various levels of detail (1-10, with 10 being the most detailed and slowest) (default: 2)
-I IGNORE_LIST, --ignore-list IGNORE_LIST
- A list of (unlikely to be useful) packet fields to ignore (default: ['Ethernet_IP_TCP_seq', 'Ethernet_IP_TCP_ack', 'Ethernet_IPv6_TCP_seq', 'Ethernet_IPv6_TCP_ack', 'Ethernet_IPv6_TCP_Raw_load', 'Ethernet_IP_UDP_Raw_load', 'Ethernet_IP_UDP_DNS_id', 'Ethernet_IP_ICMP_IP in ICMP_UDP in ICMP_chksum', 'Ethernet_IP_ICMP_IP in ICMP_UDP in ICMP_Raw_load', 'Ethernet_IP_ICMP_IP in ICMP_chksum', 'Ethernet_IP_ICMP_IP in ICMP_id', 'Ethernet_IP_TCP_DNS_id', 'Ethernet_IPv6_UDP_DNS_id', 'Ethernet_IPv6_TCP_DNS_id', 'Ethernet_IP_id', 'Ethernet_IP_chksum', 'Ethernet_IP_UDP_chksum', 'Ethernet_IP_TCP_chksum', 'Ethernet_IP_TCP_window', 'Ethernet_IP_TCP_Raw_load', 'Ethernet_IP_UDP_Raw_load', 'Ethernet_IPv6_UDP_chksum', 'Ethernet_IPv6_fl', 'Ethernet_IP_ICMP_chksum', 'Ethernet_IP_ICMP_id', 'Ethernet_IP_ICMP_seq', 'Ethernet_IP_TCP_Padding_load', 'Ethernet_IP_TCP_window', 'Ethernet_IPv6_TCP_chksum', 'Ethernet_IPv6_plen', 'Ethernet_IP_TCP_Encrypted Content_load', 'Ethernet_IP_TCP_TLS_TLS_Raw_load'])
-n PACKET_COUNT, --packet-count PACKET_COUNT
- Maximum number of packets to analyze (default: 0)
-b BIN_SIZE, --bin-size BIN_SIZE
- Bin results into this many seconds (default: None)
-F FILTER, --filter FILTER
- Filter to apply to the pcap file when processing (default: None)
-L LAYERS, --layers LAYERS
- List of extra layers to load (e.g. tls, http) (default: [])
-x MODULES, --modules MODULES
- Extra processing modules to load (currently: psl) (default: None)
--merge, --merge-files
- Dissect multiple files as one (compare by time)
-C, --cache-pcap-results
- Cache PCAP results into a cache file and reuse them from it
--cache-file-suffix CACHE_FILE_SUFFIX, --cs CACHE_FILE_SUFFIX
- The file suffix to use when creating cache files (default: taffy)
--force-overwrite
- Force continuing with an incompatible cache (and rewriting it)
--force-load
- Force continuing with an incompatible cache (trying to load it anyway)
taffy-dissect Debugging options
--log-level LOG_LEVEL, --ll LOG_LEVEL
- Define the logging verbosity level (debug, info, warning, error, ...) (default: info)
Example Usage: taffy-compare -C file1.pcap file2.pcap
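As an added illustration of the per-component counting described at the top of this page, and of how the -I, -c and -n parsing options shape the result: a toy dissector that names fields the way the default ignore list above does (Ethernet_IP_UDP_sport and so on) and counts (field, value) pairs over hand-built Ethernet/IPv4/UDP frames. This is example code, not the project's own; the frames, the IGNORE set and the struct-based parser are constructed here, and the real tool's parser and field set are assumed to differ.

```python
import struct
from collections import Counter
# Subset of this page's default ignore list, limited to fields this toy parser emits.
IGNORE = {"Ethernet_IP_id", "Ethernet_IP_chksum", "Ethernet_IP_UDP_chksum",
          "Ethernet_IP_UDP_Raw_load"}

def build_udp_frame(src_ip, dst_ip, sport, dport, payload, ip_id=0x1234):
    """Constructed Ethernet/IPv4/UDP frame (checksums left at 0; not a real capture)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ip_id, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload

def dissect(frame):
    """Return {layer_path_field: value}, named like the ignore-list entries above."""
    fields = {"Ethernet_type": struct.unpack("!H", frame[12:14])[0]}
    if fields["Ethernet_type"] != 0x0800:          # e.g. ARP: stop at the Ethernet layer
        return fields
    ver_ihl, _, _, ip_id, _, ttl, proto, chk, s, d = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    fields.update({"Ethernet_IP_src": ".".join(map(str, s)), "Ethernet_IP_dst": ".".join(map(str, d)),
                   "Ethernet_IP_ttl": ttl, "Ethernet_IP_proto": proto,
                   "Ethernet_IP_id": ip_id, "Ethernet_IP_chksum": chk})
    if proto != 17:                                # only UDP is parsed further here
        return fields
    off = 14 + (ver_ihl & 0x0F) * 4                # honour the IPv4 header length
    sport, dport, ulen, uchk = struct.unpack("!HHHH", frame[off:off + 8])
    fields.update({"Ethernet_IP_UDP_sport": sport, "Ethernet_IP_UDP_dport": dport,
                   "Ethernet_IP_UDP_chksum": uchk, "Ethernet_IP_UDP_Raw_load": frame[off + 8:off + ulen]})
    return fields

def count_components(frames, ignore=IGNORE, minimum_count=1, packet_count=0):
    """Count (field, value) pairs; mirrors -I (ignore), -c (minimum count) and -n (packet count)."""
    counts = Counter()
    for frame in (frames[:packet_count] if packet_count else frames):
        for key, value in dissect(frame).items():
            if key not in ignore:
                counts[(key, value)] += 1
    return {k: n for k, n in counts.items() if n >= minimum_count}

# Constructed traffic: two DNS-style queries from one host plus one ARP frame.
SAMPLE = [
    build_udp_frame("10.0.0.5", "10.0.0.1", 40001, 53, b"query-a", ip_id=1),
    build_udp_frame("10.0.0.5", "10.0.0.1", 40002, 53, b"query-b", ip_id=2),
    b"\xff" * 6 + b"\xaa" * 6 + b"\x08\x06" + b"\x00" * 28,
]

if __name__ == "__main__":
    for (field, value), n in sorted(count_components(SAMPLE, minimum_count=2).items()):
        print(f"{n:>3}  {field} = {value}")
```

With minimum_count=2 the per-packet source ports and the lone ARP frame drop out, leaving only the components shared by the two queries, which is the "most common components" view the tool is built to give.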