flowtag 2.1.1 → 2.1.2

Sign up to get free protection for your applications and to get access to all the features.
data.tar.gz.sig CHANGED
Binary file
@@ -1,6 +1,18 @@
1
1
  = flowtag
2
+ FlowTag is an interactive network trace viewer. It operates on PCAP files, produces a database of flows, and then visualizes the results. The user can then filter for flows of interest, view the payload, and tag the flow with relevant keywords. The current version is written in Ruby using the Tk interface. The code is released under GPL, except the pcapparser library, which is released under LGPL.
2
3
 
3
- Description goes here.
4
+ <img src='http://chrislee.dhs.org/projects/flowtag/flowtag2.png' />
5
+
6
+ The interface is comprised of 6 main elements as follows:
7
+
8
+ * Flow Table. A list of matching flows (source IP, destination IP, source port, destination port, and time). When a flow in this table is clicked on, the contents of the flow will be displayed in the Payload View.
9
+ * Flow Tags. This small entry box allows the user to associate keywords (tags) with the currently selected flow.
10
+ * Payload View. When the user clicks on a flow in the Flow Table, the reconstructed payload of the currently selected flow is displayed in this text box.
11
+ * Connection Visualization. This canvas displays a parallel coordinate plot with the left axis mapping the TCP ports (using a cube root scaling to emphasize the lower ports) and the right axis mapping the IP addresses in order of appearance in the network trace file.
12
+ * Filters. Filters allow the user to remove uninteresting flows based on time, the number of packets in the flow, or the number of bytes in the flow. The time slider is a double-ended linear slider and the packets and bytes sliders are double-ended logarithmic sliders (to give lower numbers have more selection accuracy since they generally more important).
13
+ * Tags List. This selector lists all the defined tags and allows the user to filter for flow matching the selected tag.
14
+
15
+ The FlowTag package contains 3 command-line tools in addition to the GUI. These tools are provided to telp with simple automation and scripting. pcap2flowdb creates a flow database from a pcap file. The database can then be read by the listflows and printflow tools. The listflows tool lists all the flow tuples contained in the flow database. The printflow tool outputs the payload of a specified flow.
4
16
 
5
17
  == Contributing to flowtag
6
18
 
@@ -66,8 +66,8 @@ module FlowTag
66
66
  @ip = (data[12,2].unpack("n")[0] == 0x0800) ? true : false
67
67
  offset = 14
68
68
  if @ip
69
- @ip_hlen = (data[offset].ord & 0x0f) << 2
70
- @ip_proto = data[offset+9].ord
69
+ @ip_hlen = (data[offset,1].unpack("C")[0] & 0x0f) << 2
70
+ @ip_proto = data[offset+9,1].unpack("C")[0]
71
71
  @ip_src, @ip_dst = data[offset+12,8].unpack("NN")
72
72
  offset += @ip_hlen
73
73
  @tcp = true if @ip_proto == 0x06
@@ -76,7 +76,7 @@ module FlowTag
76
76
  @sport, @dport = data[offset,4].unpack("nn")
77
77
  @tcp_sport = @sport
78
78
  @tcp_dport = @dport
79
- @tcp_hlen = (data[offset+12]>>4)<<2
79
+ @tcp_hlen = (data[offset+12,1].unpack("C")[0] >> 4) << 2
80
80
  offset += @tcp_hlen
81
81
  elsif @udp
82
82
  @sport, @dport = data[offset,4].unpack("nn")
metadata CHANGED
@@ -1,13 +1,12 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: flowtag
3
3
  version: !ruby/object:Gem::Version
4
- hash: 9
5
- prerelease:
4
+ prerelease: false
6
5
  segments:
7
6
  - 2
8
7
  - 1
9
- - 1
10
- version: 2.1.1
8
+ - 2
9
+ version: 2.1.2
11
10
  platform: ruby
12
11
  authors:
13
12
  - Chris Lee
@@ -37,133 +36,117 @@ cert_chain:
37
36
  6yhklP75
38
37
  -----END CERTIFICATE-----
39
38
 
40
- date: 2011-03-09 00:00:00 -05:00
39
+ date: 2012-12-20 00:00:00 -05:00
41
40
  default_executable:
42
41
  dependencies:
43
42
  - !ruby/object:Gem::Dependency
43
+ prerelease: false
44
+ type: :runtime
45
+ name: tk-double-slider
44
46
  version_requirements: &id001 !ruby/object:Gem::Requirement
45
- none: false
46
47
  requirements:
47
48
  - - ">="
48
49
  - !ruby/object:Gem::Version
49
- hash: 27
50
50
  segments:
51
51
  - 0
52
52
  - 1
53
53
  - 0
54
54
  version: 0.1.0
55
55
  requirement: *id001
56
+ - !ruby/object:Gem::Dependency
56
57
  prerelease: false
57
- name: tk-double-slider
58
58
  type: :runtime
59
- - !ruby/object:Gem::Dependency
59
+ name: tk-parallel-coordinates
60
60
  version_requirements: &id002 !ruby/object:Gem::Requirement
61
- none: false
62
61
  requirements:
63
62
  - - ">="
64
63
  - !ruby/object:Gem::Version
65
- hash: 27
66
64
  segments:
67
65
  - 0
68
66
  - 1
69
67
  - 0
70
68
  version: 0.1.0
71
69
  requirement: *id002
72
- prerelease: false
73
- name: tk-parallel-coordinates
74
- type: :runtime
75
70
  - !ruby/object:Gem::Dependency
71
+ prerelease: false
72
+ type: :development
73
+ name: shoulda
76
74
  version_requirements: &id003 !ruby/object:Gem::Requirement
77
- none: false
78
75
  requirements:
79
76
  - - ">="
80
77
  - !ruby/object:Gem::Version
81
- hash: 3
82
78
  segments:
83
79
  - 0
84
80
  version: "0"
85
81
  requirement: *id003
82
+ - !ruby/object:Gem::Dependency
86
83
  prerelease: false
87
- name: shoulda
88
84
  type: :development
89
- - !ruby/object:Gem::Dependency
85
+ name: bundler
90
86
  version_requirements: &id004 !ruby/object:Gem::Requirement
91
- none: false
92
87
  requirements:
93
88
  - - ~>
94
89
  - !ruby/object:Gem::Version
95
- hash: 23
96
90
  segments:
97
91
  - 1
98
- - 0
99
- - 0
100
- version: 1.0.0
92
+ - 2
93
+ - 3
94
+ version: 1.2.3
101
95
  requirement: *id004
96
+ - !ruby/object:Gem::Dependency
102
97
  prerelease: false
103
- name: bundler
104
98
  type: :development
105
- - !ruby/object:Gem::Dependency
99
+ name: jeweler
106
100
  version_requirements: &id005 !ruby/object:Gem::Requirement
107
- none: false
108
101
  requirements:
109
102
  - - ~>
110
103
  - !ruby/object:Gem::Version
111
- hash: 7
112
104
  segments:
113
105
  - 1
114
- - 5
115
- - 2
116
- version: 1.5.2
106
+ - 8
107
+ - 4
108
+ version: 1.8.4
117
109
  requirement: *id005
110
+ - !ruby/object:Gem::Dependency
118
111
  prerelease: false
119
- name: jeweler
120
112
  type: :development
121
- - !ruby/object:Gem::Dependency
113
+ name: rcov
122
114
  version_requirements: &id006 !ruby/object:Gem::Requirement
123
- none: false
124
115
  requirements:
125
116
  - - ">="
126
117
  - !ruby/object:Gem::Version
127
- hash: 3
128
118
  segments:
129
119
  - 0
130
120
  version: "0"
131
121
  requirement: *id006
132
- prerelease: false
133
- name: rcov
134
- type: :development
135
122
  - !ruby/object:Gem::Dependency
123
+ prerelease: false
124
+ type: :runtime
125
+ name: tk-double-slider
136
126
  version_requirements: &id007 !ruby/object:Gem::Requirement
137
- none: false
138
127
  requirements:
139
128
  - - ">="
140
129
  - !ruby/object:Gem::Version
141
- hash: 27
142
130
  segments:
143
131
  - 0
144
132
  - 1
145
133
  - 0
146
134
  version: 0.1.0
147
135
  requirement: *id007
136
+ - !ruby/object:Gem::Dependency
148
137
  prerelease: false
149
- name: tk-double-slider
150
138
  type: :runtime
151
- - !ruby/object:Gem::Dependency
139
+ name: tk-parallel-coordinates
152
140
  version_requirements: &id008 !ruby/object:Gem::Requirement
153
- none: false
154
141
  requirements:
155
142
  - - ">="
156
143
  - !ruby/object:Gem::Version
157
- hash: 27
158
144
  segments:
159
145
  - 0
160
146
  - 1
161
147
  - 0
162
148
  version: 0.1.0
163
149
  requirement: *id008
164
- prerelease: false
165
- name: tk-parallel-coordinates
166
- type: :runtime
167
150
  description: presents the user with a GUI interface to visualize and explore flows found from a given pcap file
168
151
  email: rubygems@chrislee.dhs.org
169
152
  executables:
@@ -188,8 +171,6 @@ files:
188
171
  - lib/flowtag/pcapparser.rb
189
172
  - LICENSE.txt
190
173
  - README.rdoc
191
- - test/helper.rb
192
- - test/test_flowtag.rb
193
174
  has_rdoc: true
194
175
  homepage: https://rubygems.org/gems/flowtag
195
176
  licenses:
@@ -200,30 +181,25 @@ rdoc_options: []
200
181
  require_paths:
201
182
  - lib
202
183
  required_ruby_version: !ruby/object:Gem::Requirement
203
- none: false
204
184
  requirements:
205
185
  - - ">="
206
186
  - !ruby/object:Gem::Version
207
- hash: 3
208
187
  segments:
209
188
  - 0
210
189
  version: "0"
211
190
  required_rubygems_version: !ruby/object:Gem::Requirement
212
- none: false
213
191
  requirements:
214
192
  - - ">="
215
193
  - !ruby/object:Gem::Version
216
- hash: 3
217
194
  segments:
218
195
  - 0
219
196
  version: "0"
220
197
  requirements: []
221
198
 
222
199
  rubyforge_project:
223
- rubygems_version: 1.6.1
200
+ rubygems_version: 1.3.6
224
201
  signing_key:
225
202
  specification_version: 3
226
203
  summary: FlowTag visualizes pcap files for forensic analysis
227
- test_files:
228
- - test/helper.rb
229
- - test/test_flowtag.rb
204
+ test_files: []
205
+
metadata.gz.sig CHANGED
Binary file
@@ -1,18 +0,0 @@
1
- require 'rubygems'
2
- require 'bundler'
3
- begin
4
- Bundler.setup(:default, :development)
5
- rescue Bundler::BundlerError => e
6
- $stderr.puts e.message
7
- $stderr.puts "Run `bundle install` to install missing gems"
8
- exit e.status_code
9
- end
10
- require 'test/unit'
11
- require 'shoulda'
12
-
13
- $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
14
- $LOAD_PATH.unshift(File.dirname(__FILE__))
15
- require 'flowtag'
16
-
17
- class Test::Unit::TestCase
18
- end
@@ -1,63 +0,0 @@
1
- require 'helper'
2
- require 'pp'
3
- class TestFlowtag < Test::Unit::TestCase
4
- flow = ['192.168.44.100', '72.14.207.99', 50697, 80]
5
-
6
- should "create a flowdb from the test.pcap and dump the flows" do
7
- File.unlink('test/test.pcap.flows') if File.exists?('test/test.pcap.flows')
8
- File.unlink('test/test.pcap.pkts') if File.exists?('test/test.pcap.pkts')
9
- File.unlink('test/test.pcap.tags') if File.exists?('test/test.pcap.tags')
10
- fdb = FlowTag::FlowDB.new('test/test.pcap')
11
- assert(File.exists?('test/test.pcap.flows'))
12
- assert(File.exists?('test/test.pcap.pkts'))
13
- assert(File.exists?('test/test.pcap.tags'))
14
- fdb.dumpflows
15
- end
16
-
17
- should "get the first pktid of the test.pcap" do
18
- fdb = FlowTag::FlowDB.new('test/test.pcap')
19
- pid = fdb.getfirstpktid(*flow)
20
- assert_equal(0,pid)
21
- end
22
-
23
- should "return no tags for the first flow" do
24
- fdb = FlowTag::FlowDB.new('test/test.pcap')
25
- tags = fdb.getflowtags(flow)
26
- assert_equal(0,tags.length)
27
- end
28
-
29
- should "get all flows tagged with test should be empty" do
30
- fdb = FlowTag::FlowDB.new('test/test.pcap')
31
- flows = fdb.flows_taggedwith("test")
32
- assert_equal(0,flows.length)
33
- end
34
-
35
- should "tag the first flow with test and retrieve it" do
36
- fdb = FlowTag::FlowDB.new('test/test.pcap')
37
- fdb.tag_flow(flow,["test"])
38
- flows = fdb.flows_taggedwith("test")
39
- assert_equal(1,flows.length)
40
- end
41
-
42
- should "write the tags database and reload" do
43
- fdb = FlowTag::FlowDB.new('test/test.pcap')
44
- fdb.tag_flow(flow,["test"])
45
- fdb.writetagdb
46
- fdb = FlowTag::FlowDB.new('test/test.pcap')
47
- flows = fdb.flows_taggedwith("test")
48
- assert_equal(1, flows.length)
49
- fdb.tag_flow(flow,[])
50
- fdb.writetagdb
51
- fdb = FlowTag::FlowDB.new('test/test.pcap')
52
- flows = fdb.flows_taggedwith("test")
53
- assert_equal(0, flows.length)
54
- end
55
-
56
- should "list all the tags and receive one, test" do
57
- fdb = FlowTag::FlowDB.new('test/test.pcap')
58
- fdb.tag_flow(flow,["test"])
59
- tags = fdb.tags
60
- assert_equal(1, tags.length)
61
- assert_equal("test", tags[0])
62
- end
63
- end