Usage Tips¶
Some general tips for use the traffic-taffy tools are below. These tips are particularly helpful to the taffy-compare and taffy-graph tools, but most of the tools support these dissection and output limiting flags.
Use caching¶
Use the -C switch to write cache files next to the processed PCAP files when possible. This takes a bit of disk space but greatly feeds up future runs.
Start with fast comparisons of limited packet numbers¶
Especially when you need rapid answers for responding to incoming attacks, start with a fixed number of packets (e.g. 10,000) and use a faster dissection level (3).
Argument |
Description |
|---|---|
-d 3 |
set the dissection level to 3 |
-n 10000 |
parse at most 10k packets |
(Eventually you’ll always want level 10, but it’s more CPU and memory intensive)
Start comparisons with large filtering thresholds¶
For filtering the output to show only the major differences, limit what is reported to a high number of minimum enumerations, and/or only with at least a decent percentage change. Also, limit each section results to just the top 10 or so differences. You might want to sort by a particular column (e.g. right) too if sorting by the delta percentage isn’t showing interesting data.
Note: these clauses are logically ANDed together.
Argument |
Description |
|---|---|
-c 1000 |
Show only differences with at least 1000 counts |
-t 10 |
Show only differences with at least a 10% change: |
-R 10 |
Show only the top 10 differences: |
-s right |
Optionally sort by the right column instead of the delta % |
Filter the outputs to the likely candidate packets¶
The tools support filtering the output both by packet field name and by value, which can be highly helpful for generating output from both taffy-compare and taffy-graph. For example, if you know you want to study DNS packet fields in particular and really just for names example.com you can use -m DNS -M example.com to limit the results.
Argument |
Description |
|---|---|
-m DNS |
limit the output to just field names with “DNS” in the name |
-M example.com |
limit the output to just field values with “exmaple.com” in them |
TODO: currently these matches are simple, fast in-the-string matches only. Regular expressions are needed in the future.