taffy-explorer - UI for exploring and comparing pcap files

taffy-explorer combines the functionality of taffy-compare and taffy-graph in one interactive UI. It has a detailed graph at the top, a total traffic graph, a number of editable UI fields equivalent to the common command line arguments (e.g. -c, -R, -p, etc.), and a table of generated differences computed from those parameters.

Note: this is very much a work in progress and is usable today, but only barely.

Command Line Arguments

taffy-explorer - CLI interface

A graphical PCAP comparison and graphing tool.

taffy-explorer [-h] [-m MATCH_STRING] [-M [MATCH_VALUE ...]] [-E MATCH_EXPRESSION]
               [-c MINIMUM_COUNT] [-t PRINT_THRESHOLD] [-P] [-N] [-R TOP_RECORDS] [-r]
               [-s SORT_BY] [-A ALGORITHM] [-d DISSECTION_LEVEL] [-I [IGNORE_LIST ...]]
               [-n PACKET_COUNT] [-b BIN_SIZE] [-F FILTER] [-L [LAYERS ...]]
               [-x [MODULES ...]] [--merge] [-C] [--cache-file-suffix CACHE_FILE_SUFFIX]
               [--force-overwrite] [--force-load] [--log-level LOG_LEVEL]
               pcap_files [pcap_files ...]

taffy-explorer positional arguments

  • pcap_files - PCAP files to analyze (default: None)

taffy-explorer options

  • -h, --help - show this help message and exit

taffy-explorer Limiting options

  • -m MATCH_STRING, --match-string MATCH_STRING - Only report on data with this substring in the header (default: None)

  • -M MATCH_VALUE, --match-value MATCH_VALUE - Only report on data with this substring in the packet value field (default: None)

  • -E MATCH_EXPRESSION, --match-expression MATCH_EXPRESSION - Match expression to be evaluated at runtime for returning data (default: None)

  • -c MINIMUM_COUNT, --minimum-count MINIMUM_COUNT - Don’t include results whose record count is below this value (default: None)

  • -t PRINT_THRESHOLD, --print-threshold PRINT_THRESHOLD - Don’t print results with abs(percent) less than this threshold (default: 0.0)

  • -P, --only-positive - Only show positive entries

  • -N, --only-negative - Only show negative entries

  • -R TOP_RECORDS, --top-records TOP_RECORDS - Show the top N records from each section. (default: None)

  • -r, --reverse_sort - Reverse the sort order of reports

  • -s SORT_BY, --sort-by SORT_BY - Sort report entries by this column (default: delta%)

  • -A ALGORITHM, --algorithm ALGORITHM - The algorithm to apply for data comparison (statistical, correlation) (default: statistical)
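The limiting options above all narrow the same per-field, per-value count table before it is displayed. The following Python sketch is an added illustration of that filtering on constructed counts; it is not taffy's own code and assumes a simplified delta% definition ((right - left) / left * 100), that -c applies to the larger of the two counts, and a default descending sort that -r flips.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional

FieldCounts = Dict[str, Counter]

# Constructed counts of field values seen in two hypothetical captures.
LEFT: FieldCounts = {
    "Ethernet_IP_dst": Counter({"10.0.0.5": 40, "10.0.0.9": 10, "10.0.0.7": 2}),
    "Ethernet_IP_TCP_dport": Counter({"443": 45, "80": 5, "22": 1}),
    "Ethernet_IP_TCP_seq": Counter({"1": 1, "2": 1}),  # noise, dropped by -I
}
RIGHT: FieldCounts = {
    "Ethernet_IP_dst": Counter({"10.0.0.5": 41, "10.0.0.9": 2, "10.0.0.7": 20}),
    "Ethernet_IP_TCP_dport": Counter({"443": 44, "80": 25, "22": 1}),
    "Ethernet_IP_TCP_seq": Counter({"3": 1, "4": 1}),
}


def delta_percent(left: int, right: int) -> float:
    """Assumed definition: relative change from left to right, in percent."""
    if left == 0:
        return 100.0 if right else 0.0
    return (right - left) / left * 100.0


def compare(left: FieldCounts, right: FieldCounts, *,
            minimum_count: Optional[int] = None,   # -c
            print_threshold: float = 0.0,          # -t
            only_positive: bool = False,           # -P
            only_negative: bool = False,           # -N
            top_records: Optional[int] = None,     # -R
            sort_by: str = "delta%",               # -s
            reverse_sort: bool = False,            # -r
            ignore_list: Iterable[str] = ("Ethernet_IP_TCP_seq",)) -> List[dict]:  # -I
    ignored = set(ignore_list)
    rows: List[dict] = []
    for field in sorted(set(left) | set(right)):
        if field in ignored:
            continue
        lc, rc = left.get(field, Counter()), right.get(field, Counter())
        for value in sorted(set(lc) | set(rc)):
            lo, hi = lc[value], rc[value]  # Counter returns 0 for unseen values
            if minimum_count is not None and max(lo, hi) < minimum_count:
                continue
            d = delta_percent(lo, hi)
            if abs(d) < print_threshold or (only_positive and d <= 0) or (only_negative and d >= 0):
                continue
            rows.append({"field": field, "value": value, "left": lo, "right": hi, "delta%": d})
    rows.sort(key=lambda row: row[sort_by], reverse=not reverse_sort)
    if top_records is not None:  # keep the first N rows of each section (field)
        seen: Counter = Counter()
        rows = [row for row in rows if seen.update([row["field"]]) or seen[row["field"]] <= top_records]
    return rows
```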

taffy-explorer Parsing Options

  • -d DISSECTION_LEVEL, --dissection-level DISSECTION_LEVEL - Dump to various levels of detail (1-10, with 10 being the most detailed and slowest) (default: 2)

  • -I IGNORE_LIST, --ignore-list IGNORE_LIST - A list of (unlikely to be useful) packet fields to ignore (default: ['Ethernet_IP_TCP_seq', 'Ethernet_IP_TCP_ack', 'Ethernet_IPv6_TCP_seq', 'Ethernet_IPv6_TCP_ack', 'Ethernet_IPv6_TCP_Raw_load', 'Ethernet_IP_UDP_Raw_load', 'Ethernet_IP_UDP_DNS_id', 'Ethernet_IP_ICMP_IP in ICMP_UDP in ICMP_chksum', 'Ethernet_IP_ICMP_IP in ICMP_UDP in ICMP_Raw_load', 'Ethernet_IP_ICMP_IP in ICMP_chksum', 'Ethernet_IP_ICMP_IP in ICMP_id', 'Ethernet_IP_TCP_DNS_id', 'Ethernet_IPv6_UDP_DNS_id', 'Ethernet_IPv6_TCP_DNS_id', 'Ethernet_IP_id', 'Ethernet_IP_chksum', 'Ethernet_IP_UDP_chksum', 'Ethernet_IP_TCP_chksum', 'Ethernet_IP_TCP_window', 'Ethernet_IP_TCP_Raw_load', 'Ethernet_IP_UDP_Raw_load', 'Ethernet_IPv6_UDP_chksum', 'Ethernet_IPv6_fl', 'Ethernet_IP_ICMP_chksum', 'Ethernet_IP_ICMP_id', 'Ethernet_IP_ICMP_seq', 'Ethernet_IP_TCP_Padding_load', 'Ethernet_IP_TCP_window', 'Ethernet_IPv6_TCP_chksum', 'Ethernet_IPv6_plen', 'Ethernet_IP_TCP_Encrypted Content_load', 'Ethernet_IP_TCP_TLS_TLS_Raw_load'])

  • -n PACKET_COUNT, --packet-count PACKET_COUNT - Maximum number of packets to analyze (default: 0)

  • -b BIN_SIZE, --bin-size BIN_SIZE - Bin results into this many seconds (default: None)

  • -F FILTER, --filter FILTER - Filter to apply to the pcap file when processing (default: None)

  • -L LAYERS, --layers LAYERS - List of extra layers to load (eg: tls, http, etc) (default: [])

  • -x MODULES, --modules MODULES - Extra processing modules to load (currently: psl) (default: None)

  • --merge, --merge-files - Dissect multiple files as one. (compare by time)

  • -C, --cache-pcap-results - Cache PCAP results into, and reuse them from, a cache file

  • --cache-file-suffix CACHE_FILE_SUFFIX, --cs CACHE_FILE_SUFFIX - The file suffix to use when creating cache files (default: taffy)

  • --force-overwrite - Force continuing with an incompatible cache (and rewriting it)

  • --force-load - Force continuing with an incompatible cache (trying to load it anyway)

taffy-explorer Debugging options

  • --log-level LOG_LEVEL, --ll LOG_LEVEL - Define the logging verbosity level (debug, info, warning, error, …). (default: info)

Example Usage: taffy-explorer -C file1.pcap file2.pcap