taffy-compare - compare reference and anomaly traffic¶
taffy-compare takes one or multiple PCAP files and examines the contents for differences.
If one PCAP file is provided, it will compare each time bin (default 1 second) against each next time bin.
If two PCAP files are provided, it will compare the contents of the first (“Left”) against the next (“Right”).
Output¶
The output of the tool produces a report showing the differences between the Left and Right samples, in 6 different columns. Each output section includes a title line prefixed by equal signs (“=======”) showing what Left and Right are mapping to (files or time ranges). Then each reported protocol field is reported as a header prefixed with dashes (”—–”) and the protocol field name (such as “Ethernet.IP.UDP.dport”). The columns reported for each protocol field are as follows:
Column |
Description |
|---|---|
Value |
The value for the protocol field being being reported |
Left |
The absolute count of the value in the Left sample |
Right |
The absolute count of the value seen in the Right sample |
Delta |
The absolute count deltas – Right - Left |
Left % |
The percentage of this value vs all the values from the left protocol field |
Right % |
The percentage of this value vs all the values from the right protocol field |
Delta % |
The different between the Left and Right percentage columns |
The default sort order is by Delta %, but can be changed with the -s command line switch.