taffy-graph - graph packet components in pcap files

taffy-graph takes one or multiple PCAP files and graphs portions of packets seen within each file. You will need to pass the portionsn of the packet you wish to graph (using -m), and optionally limiting which values of those fields are selected for graphing (using -M and -c).

Note that the -c field selects the minimum count needed per value seen in one time-bin.

To graph all of the traffic regardless of packet types, use -m __TOTAL___ along with -M packet.

example usage

taffy-graph -c 100 -m qname -d 10 -o dns-qnames.png dns-traffic.pcap

Command Line Arguments

taffy-graph - CLI interface

Read a PCAP file and graph it or parts of it.

taffy-graph [-h] [--config [CONFIG ...]] [--set-default [SET_DEFAULT ...]] [-o OUTPUT_FILE]
            [-p] [-i] [--log-level LOG_LEVEL] [-d DISSECTION_LEVEL] [-I [IGNORE_LIST ...]]
            [-n PACKET_COUNT] [-b BIN_SIZE] [-F FILTER] [-L [LAYERS ...]] [-x [MODULES ...]]
            [--merge] [-C] [--cache-file-suffix CACHE_FILE_SUFFIX] [--force-overwrite]
            [--force-load] [-m MATCH_STRING] [-M [MATCH_VALUE ...]] [-E MATCH_EXPRESSION]
            [-c MINIMUM_COUNT]
            input_pcaps [input_pcaps ...]

taffy-graph positional arguments

• input_pcaps - PCAP file to graph (default: None)

taffy-graph options

• -h, --help - show this help message and exit

• --config CONFIG - Configuration file to load (default: None)

• --set-default SET_DEFAULT - Configuration name=value settings to parse (default: None)

• -o OUTPUT_FILE, --output-file OUTPUT_FILE - Where to save the output (png) (default: None)

• -p, --by-percentage - Graph by percentage of traffic rather than by value

• -i, --interactive - Prompt repeatedly for graph data to create

• --log-level LOG_LEVEL, --ll LOG_LEVEL - Define verbosity level (debug, info, warning, error, fotal, critical). (default: info)

taffy-graph Dissection Options

• -d DISSECTION_LEVEL, --dissection-level DISSECTION_LEVEL - Dump to various levels of detail (1-10, with 10 is the most detailed and slowest) (default: 2)

• -I IGNORE_LIST, --ignore-list IGNORE_LIST - A list of (unlikely to be useful) packet fields to ignore (default: ['Ethernet_IP_TCP_seq', 'Ethernet_IP_TCP_ack', 'Ethernet_IPv6_TCP_seq', 'Ethernet_IPv6_TCP_ack', 'Ethernet_IPv6_TCP_Raw_load', 'Ethernet_IP_UDP_Raw_load', 'Ethernet_IP_UDP_DNS_id', 'Ethernet_IP_ICMP_IP in ICMP_UDP in ICMP_chksum', 'Ethernet_IP_ICMP_IP in ICMP_UDP in ICMP_Raw_load', 'Ethernet_IP_ICMP_IP in ICMP_chksum', 'Ethernet_IP_ICMP_IP in ICMP_id', 'Ethernet_IP_TCP_DNS_id', 'Ethernet_IPv6_UDP_DNS_id', 'Ethernet_IPv6_TCP_DNS_id', 'Ethernet_IP_id', 'Ethernet_IP_chksum', 'Ethernet_IP_UDP_chksum', 'Ethernet_IP_TCP_chksum', 'Ethernet_IP_TCP_window', 'Ethernet_IP_TCP_Raw_load', 'Ethernet_IP_UDP_Raw_load', 'Ethernet_IPv6_UDP_chksum', 'Ethernet_IPv6_fl', 'Ethernet_IP_ICMP_chksum', 'Ethernet_IP_ICMP_id', 'Ethernet_IP_ICMP_seq', 'Ethernet_IP_TCP_Padding_load', 'Ethernet_IP_TCP_window', 'Ethernet_IPv6_TCP_chksum', 'Ethernet_IPv6_plen', 'Ethernet_IP_TCP_Encrypted Content_load', 'Ethernet_IP_TCP_TLS_TLS_Raw_load'])

• -n PACKET_COUNT, --packet-count PACKET_COUNT - Maximum number of packets to analyze (default: 0)

• -b BIN_SIZE, --bin-size BIN_SIZE - Bin results into this many seconds (default: None)

• -F FILTER, --filter FILTER - filter to apply to the pcap file when processing (default: None)

• -L LAYERS, --layers LAYERS - List of extra layers to load (eg: tls, http, etc) (default: [])

• -x MODULES, --modules MODULES - Extra processing modules to load (currently: psl) (default: None)

• --merge, --merge-files - Dissect multiple files as one. (compare by time)

• -C, --cache-pcap-results - Cache and use PCAP results into/from a cache file file

• --cache-file-suffix CACHE_FILE_SUFFIX, --cs CACHE_FILE_SUFFIX - The suffix file to use when creating cache files (default: taffy)

• --force-overwrite - Force continuing with an incompatible cache (and rewriting it)

• --force-load - Force continuing with an incompatible cache (trying to load it anyway)

taffy-graph Limiting options

• -m MATCH_STRING, --match-string MATCH_STRING - Only report on data with this substring in the header (default: None)

• -M MATCH_VALUE, --match-value MATCH_VALUE - Only report on data with this substring in the packet value field (default: None)

• -E MATCH_EXPRESSION, --match-expression MATCH_EXPRESSION - Match expression to be evaluated at runtime for returning data (default: None)

• -c MINIMUM_COUNT, --minimum-count MINIMUM_COUNT - Don’t include results without this high of a record count (default: None)

Example Usage: taffy-graph -C -m __TOTAL__ -M packet -o graph.png file.pcap