ftagent-lite 1.0.0__tar.gz

ftagent_lite-1.0.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Flowtriq (https://flowtriq.com)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

ftagent_lite-1.0.0/PKG-INFO

@@ -0,0 +1,186 @@
+Metadata-Version: 2.1
+Name: ftagent-lite
+Version: 1.0.0
+Summary: Lightweight open-source DDoS traffic monitor — stdout output, no account required
+Author-email: Flowtriq <hello@flowtriq.com>
+License: MIT
+Project-URL: Homepage, https://flowtriq.com
+Project-URL: Repository, https://github.com/flowtriq/ftagent-lite
+Project-URL: Bug Tracker, https://github.com/flowtriq/ftagent-lite/issues
+Project-URL: Full Version, https://flowtriq.com
+Keywords: ddos,network,traffic,monitor,security,ids
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: System Administrators
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.7
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: System :: Monitoring
+Classifier: Topic :: System :: Networking :: Monitoring
+Requires-Python: >=3.7
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Provides-Extra: full
+Requires-Dist: scapy>=2.4.5; extra == "full"
+Requires-Dist: psutil>=5.9.0; extra == "full"
+Provides-Extra: scapy
+Requires-Dist: scapy>=2.4.5; extra == "scapy"
+Provides-Extra: psutil
+Requires-Dist: psutil>=5.9.0; extra == "psutil"
+
+# ftagent-lite
+
+**Open-source, zero-config DDoS traffic monitor. Outputs to stdout.**
+
+`ftagent-lite` is a lightweight network traffic monitor that detects DDoS attack patterns in real-time and prints structured stats to stdout. No API key. No account. No cloud.
+
+It's the open-source sibling of the [Flowtriq](https://flowtriq.com) detection agent — great for quick diagnostics, CI pipelines, or building your own tooling on top.
+
+---
+
+## Install
+
+```bash
+pip install scapy psutil
+```
+
+Then run with sudo (packet capture requires root):
+
+```bash
+sudo python3 ftagent_lite.py
+```
+
+---
+
+## Usage
+
+```
+sudo python3 ftagent_lite.py [options]
+
+Options:
+  -i, --interface IFACE   Network interface (default: any)
+  -t, --interval  SECS    Reporting interval in seconds (default: 2)
+  -T, --threshold PPS     PPS alert threshold (default: 5000)
+  -j, --json              Machine-readable JSON output (one object per line)
+  -w, --watch             Live updating terminal display
+      --no-color          Disable ANSI colors
+  -V, --version           Show version
+```
+
+### Examples
+
+```bash
+# Monitor all interfaces, 2-second intervals
+sudo python3 ftagent_lite.py
+
+# Monitor eth0 with 5-second intervals
+sudo python3 ftagent_lite.py --interface eth0 --interval 5
+
+# Alert threshold at 50k pps
+sudo python3 ftagent_lite.py --threshold 50000
+
+# Pipe JSON to jq
+sudo python3 ftagent_lite.py --json | jq '{pps: .pps, srcs: .src_ip_count}'
+
+# Live dashboard view
+sudo python3 ftagent_lite.py --watch
+
+# Log to file
+sudo python3 ftagent_lite.py --json >> /var/log/traffic.jsonl
+```
+
+---
+
+## Output
+
+### Human-readable (default)
+
+```
+2026-03-11 18:04:21 [HIGH]
+  Traffic : 47.8K pps  1.7 Gbps
+  Proto   : TCP 3.2%  UDP 94.1%  ICMP 0.4%
+  Sources : 8,421 unique IPs  |  Avg pkt: 38 bytes
+  Top dst : :11211(31042)  :53(12831)  :80(3201)
+  Top src : 203.0.113.5  198.51.100.8  192.0.2.99  ...
+
+  ! Attack pattern detected. Try Flowtriq for full alerting + auto-mitigation: https://flowtriq.com
+```
+
+### JSON (`--json`)
+
+```json
+{
+  "timestamp": "2026-03-11T18:04:21+00:00",
+  "pps": 47821,
+  "bps": 215000,
+  "tcp": 1530,
+  "udp": 45100,
+  "icmp": 191,
+  "other": 0,
+  "tcp_pct": 3.2,
+  "udp_pct": 94.1,
+  "icmp_pct": 0.4,
+  "src_ip_count": 8421,
+  "top_src_ips": ["203.0.113.5", "198.51.100.8", "192.0.2.99"],
+  "top_dst_ports": [[11211, 31042], [53, 12831], [80, 3201]],
+  "avg_pkt_size": 38
+}
+```
+
+---
+
+## Attack detection
+
+`ftagent-lite` classifies traffic severity based on your `--threshold`:
+
+| PPS vs threshold | Severity |
+|---|---|
+| < threshold | normal |
+| ≥ threshold | MEDIUM |
+| ≥ 2× threshold | HIGH |
+| ≥ 5× threshold | CRITICAL |
+
+For production DDoS detection with automatic alerting (Discord, Slack, PagerDuty, Teams, Telegram, DataDog, Prometheus, and more), PCAP capture, AI classification, escalation policies, and auto-mitigation (Cloudflare WAF, iptables, DigitalOcean, Vultr) — see **[Flowtriq](https://flowtriq.com)**.
+
+---
+
+## Requirements
+
+- Python 3.7+
+- `scapy` — packet capture and protocol parsing
+- `psutil` — fallback if scapy unavailable (no protocol breakdown)
+- Root/sudo — required for raw socket capture
+
+---
+
+## Limitations vs Flowtriq Pro
+
+| Feature | ftagent-lite | Flowtriq |
+|---|---|---|
+| Real-time PPS/BPS | ✓ | ✓ |
+| Protocol breakdown | ✓ | ✓ |
+| Source IP tracking | ✓ | ✓ |
+| JSON output | ✓ | ✓ |
+| Attack alerts (Discord, Slack, etc.) | ✗ | ✓ |
+| PCAP capture | ✗ | ✓ |
+| AI attack classification | ✗ | ✓ |
+| Auto-mitigation (iptables, CF WAF) | ✗ | ✓ |
+| Cloud dashboard | ✗ | ✓ |
+| Multi-node | ✗ | ✓ |
+| Team notifications + escalation | ✗ | ✓ |
+
+**[Start a free 7-day Flowtriq trial →](https://flowtriq.com)**
+
+---
+
+## License
+
+MIT License — Copyright (c) 2026 Flowtriq
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the software, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the software.

ftagent_lite-1.0.0/README.md

@@ -0,0 +1,150 @@
+# ftagent-lite
+
+**Open-source, zero-config DDoS traffic monitor. Outputs to stdout.**
+
+`ftagent-lite` is a lightweight network traffic monitor that detects DDoS attack patterns in real-time and prints structured stats to stdout. No API key. No account. No cloud.
+
+It's the open-source sibling of the [Flowtriq](https://flowtriq.com) detection agent — great for quick diagnostics, CI pipelines, or building your own tooling on top.
+
+---
+
+## Install
+
+```bash
+pip install scapy psutil
+```
+
+Then run with sudo (packet capture requires root):
+
+```bash
+sudo python3 ftagent_lite.py
+```
+
+---
+
+## Usage
+
+```
+sudo python3 ftagent_lite.py [options]
+
+Options:
+  -i, --interface IFACE   Network interface (default: any)
+  -t, --interval  SECS    Reporting interval in seconds (default: 2)
+  -T, --threshold PPS     PPS alert threshold (default: 5000)
+  -j, --json              Machine-readable JSON output (one object per line)
+  -w, --watch             Live updating terminal display
+      --no-color          Disable ANSI colors
+  -V, --version           Show version
+```
+
+### Examples
+
+```bash
+# Monitor all interfaces, 2-second intervals
+sudo python3 ftagent_lite.py
+
+# Monitor eth0 with 5-second intervals
+sudo python3 ftagent_lite.py --interface eth0 --interval 5
+
+# Alert threshold at 50k pps
+sudo python3 ftagent_lite.py --threshold 50000
+
+# Pipe JSON to jq
+sudo python3 ftagent_lite.py --json | jq '{pps: .pps, srcs: .src_ip_count}'
+
+# Live dashboard view
+sudo python3 ftagent_lite.py --watch
+
+# Log to file
+sudo python3 ftagent_lite.py --json >> /var/log/traffic.jsonl
+```
+
+---
+
+## Output
+
+### Human-readable (default)
+
+```
+2026-03-11 18:04:21 [HIGH]
+  Traffic : 47.8K pps  1.7 Gbps
+  Proto   : TCP 3.2%  UDP 94.1%  ICMP 0.4%
+  Sources : 8,421 unique IPs  |  Avg pkt: 38 bytes
+  Top dst : :11211(31042)  :53(12831)  :80(3201)
+  Top src : 203.0.113.5  198.51.100.8  192.0.2.99  ...
+
+  ! Attack pattern detected. Try Flowtriq for full alerting + auto-mitigation: https://flowtriq.com
+```
+
+### JSON (`--json`)
+
+```json
+{
+  "timestamp": "2026-03-11T18:04:21+00:00",
+  "pps": 47821,
+  "bps": 215000,
+  "tcp": 1530,
+  "udp": 45100,
+  "icmp": 191,
+  "other": 0,
+  "tcp_pct": 3.2,
+  "udp_pct": 94.1,
+  "icmp_pct": 0.4,
+  "src_ip_count": 8421,
+  "top_src_ips": ["203.0.113.5", "198.51.100.8", "192.0.2.99"],
+  "top_dst_ports": [[11211, 31042], [53, 12831], [80, 3201]],
+  "avg_pkt_size": 38
+}
+```
+
+---
+
+## Attack detection
+
+`ftagent-lite` classifies traffic severity based on your `--threshold`:
+
+| PPS vs threshold | Severity |
+|---|---|
+| < threshold | normal |
+| ≥ threshold | MEDIUM |
+| ≥ 2× threshold | HIGH |
+| ≥ 5× threshold | CRITICAL |
+
+For production DDoS detection with automatic alerting (Discord, Slack, PagerDuty, Teams, Telegram, DataDog, Prometheus, and more), PCAP capture, AI classification, escalation policies, and auto-mitigation (Cloudflare WAF, iptables, DigitalOcean, Vultr) — see **[Flowtriq](https://flowtriq.com)**.
+
+---
+
+## Requirements
+
+- Python 3.7+
+- `scapy` — packet capture and protocol parsing
+- `psutil` — fallback if scapy unavailable (no protocol breakdown)
+- Root/sudo — required for raw socket capture
+
+---
+
+## Limitations vs Flowtriq Pro
+
+| Feature | ftagent-lite | Flowtriq |
+|---|---|---|
+| Real-time PPS/BPS | ✓ | ✓ |
+| Protocol breakdown | ✓ | ✓ |
+| Source IP tracking | ✓ | ✓ |
+| JSON output | ✓ | ✓ |
+| Attack alerts (Discord, Slack, etc.) | ✗ | ✓ |
+| PCAP capture | ✗ | ✓ |
+| AI attack classification | ✗ | ✓ |
+| Auto-mitigation (iptables, CF WAF) | ✗ | ✓ |
+| Cloud dashboard | ✗ | ✓ |
+| Multi-node | ✗ | ✓ |
+| Team notifications + escalation | ✗ | ✓ |
+
+**[Start a free 7-day Flowtriq trial →](https://flowtriq.com)**
+
+---
+
+## License
+
+MIT License — Copyright (c) 2026 Flowtriq
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the software, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the software.

ftagent_lite-1.0.0/ftagent_lite.egg-info/PKG-INFO

@@ -0,0 +1,186 @@
+Metadata-Version: 2.1
+Name: ftagent-lite
+Version: 1.0.0
+Summary: Lightweight open-source DDoS traffic monitor — stdout output, no account required
+Author-email: Flowtriq <hello@flowtriq.com>
+License: MIT
+Project-URL: Homepage, https://flowtriq.com
+Project-URL: Repository, https://github.com/flowtriq/ftagent-lite
+Project-URL: Bug Tracker, https://github.com/flowtriq/ftagent-lite/issues
+Project-URL: Full Version, https://flowtriq.com
+Keywords: ddos,network,traffic,monitor,security,ids
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: System Administrators
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.7
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: System :: Monitoring
+Classifier: Topic :: System :: Networking :: Monitoring
+Requires-Python: >=3.7
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Provides-Extra: full
+Requires-Dist: scapy>=2.4.5; extra == "full"
+Requires-Dist: psutil>=5.9.0; extra == "full"
+Provides-Extra: scapy
+Requires-Dist: scapy>=2.4.5; extra == "scapy"
+Provides-Extra: psutil
+Requires-Dist: psutil>=5.9.0; extra == "psutil"
+
+# ftagent-lite
+
+**Open-source, zero-config DDoS traffic monitor. Outputs to stdout.**
+
+`ftagent-lite` is a lightweight network traffic monitor that detects DDoS attack patterns in real-time and prints structured stats to stdout. No API key. No account. No cloud.
+
+It's the open-source sibling of the [Flowtriq](https://flowtriq.com) detection agent — great for quick diagnostics, CI pipelines, or building your own tooling on top.
+
+---
+
+## Install
+
+```bash
+pip install scapy psutil
+```
+
+Then run with sudo (packet capture requires root):
+
+```bash
+sudo python3 ftagent_lite.py
+```
+
+---
+
+## Usage
+
+```
+sudo python3 ftagent_lite.py [options]
+
+Options:
+  -i, --interface IFACE   Network interface (default: any)
+  -t, --interval  SECS    Reporting interval in seconds (default: 2)
+  -T, --threshold PPS     PPS alert threshold (default: 5000)
+  -j, --json              Machine-readable JSON output (one object per line)
+  -w, --watch             Live updating terminal display
+      --no-color          Disable ANSI colors
+  -V, --version           Show version
+```
+
+### Examples
+
+```bash
+# Monitor all interfaces, 2-second intervals
+sudo python3 ftagent_lite.py
+
+# Monitor eth0 with 5-second intervals
+sudo python3 ftagent_lite.py --interface eth0 --interval 5
+
+# Alert threshold at 50k pps
+sudo python3 ftagent_lite.py --threshold 50000
+
+# Pipe JSON to jq
+sudo python3 ftagent_lite.py --json | jq '{pps: .pps, srcs: .src_ip_count}'
+
+# Live dashboard view
+sudo python3 ftagent_lite.py --watch
+
+# Log to file
+sudo python3 ftagent_lite.py --json >> /var/log/traffic.jsonl
+```
+
+---
+
+## Output
+
+### Human-readable (default)
+
+```
+2026-03-11 18:04:21 [HIGH]
+  Traffic : 47.8K pps  1.7 Gbps
+  Proto   : TCP 3.2%  UDP 94.1%  ICMP 0.4%
+  Sources : 8,421 unique IPs  |  Avg pkt: 38 bytes
+  Top dst : :11211(31042)  :53(12831)  :80(3201)
+  Top src : 203.0.113.5  198.51.100.8  192.0.2.99  ...
+
+  ! Attack pattern detected. Try Flowtriq for full alerting + auto-mitigation: https://flowtriq.com
+```
+
+### JSON (`--json`)
+
+```json
+{
+  "timestamp": "2026-03-11T18:04:21+00:00",
+  "pps": 47821,
+  "bps": 215000,
+  "tcp": 1530,
+  "udp": 45100,
+  "icmp": 191,
+  "other": 0,
+  "tcp_pct": 3.2,
+  "udp_pct": 94.1,
+  "icmp_pct": 0.4,
+  "src_ip_count": 8421,
+  "top_src_ips": ["203.0.113.5", "198.51.100.8", "192.0.2.99"],
+  "top_dst_ports": [[11211, 31042], [53, 12831], [80, 3201]],
+  "avg_pkt_size": 38
+}
+```
+
+---
+
+## Attack detection
+
+`ftagent-lite` classifies traffic severity based on your `--threshold`:
+
+| PPS vs threshold | Severity |
+|---|---|
+| < threshold | normal |
+| ≥ threshold | MEDIUM |
+| ≥ 2× threshold | HIGH |
+| ≥ 5× threshold | CRITICAL |
+
+For production DDoS detection with automatic alerting (Discord, Slack, PagerDuty, Teams, Telegram, DataDog, Prometheus, and more), PCAP capture, AI classification, escalation policies, and auto-mitigation (Cloudflare WAF, iptables, DigitalOcean, Vultr) — see **[Flowtriq](https://flowtriq.com)**.
+
+---
+
+## Requirements
+
+- Python 3.7+
+- `scapy` — packet capture and protocol parsing
+- `psutil` — fallback if scapy unavailable (no protocol breakdown)
+- Root/sudo — required for raw socket capture
+
+---
+
+## Limitations vs Flowtriq Pro
+
+| Feature | ftagent-lite | Flowtriq |
+|---|---|---|
+| Real-time PPS/BPS | ✓ | ✓ |
+| Protocol breakdown | ✓ | ✓ |
+| Source IP tracking | ✓ | ✓ |
+| JSON output | ✓ | ✓ |
+| Attack alerts (Discord, Slack, etc.) | ✗ | ✓ |
+| PCAP capture | ✗ | ✓ |
+| AI attack classification | ✗ | ✓ |
+| Auto-mitigation (iptables, CF WAF) | ✗ | ✓ |
+| Cloud dashboard | ✗ | ✓ |
+| Multi-node | ✗ | ✓ |
+| Team notifications + escalation | ✗ | ✓ |
+
+**[Start a free 7-day Flowtriq trial →](https://flowtriq.com)**
+
+---
+
+## License
+
+MIT License — Copyright (c) 2026 Flowtriq
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the software, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the software.

ftagent_lite-1.0.0/ftagent_lite.egg-info/SOURCES.txt

@@ -0,0 +1,10 @@
+LICENSE
+README.md
+ftagent_lite.py
+pyproject.toml
+ftagent_lite.egg-info/PKG-INFO
+ftagent_lite.egg-info/SOURCES.txt
+ftagent_lite.egg-info/dependency_links.txt
+ftagent_lite.egg-info/entry_points.txt
+ftagent_lite.egg-info/requires.txt
+ftagent_lite.egg-info/top_level.txt

ftagent_lite-1.0.0/ftagent_lite.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

ftagent_lite-1.0.0/ftagent_lite.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+ftagent-lite = ftagent_lite:main

ftagent_lite-1.0.0/ftagent_lite.egg-info/requires.txt

@@ -0,0 +1,10 @@
+
+[full]
+scapy>=2.4.5
+psutil>=5.9.0
+
+[psutil]
+psutil>=5.9.0
+
+[scapy]
+scapy>=2.4.5

ftagent_lite-1.0.0/ftagent_lite.egg-info/top_level.txt

@@ -0,0 +1 @@
+ftagent_lite

ftagent_lite-1.0.0/ftagent_lite.py

@@ -0,0 +1,401 @@
+#!/usr/bin/env python3
+"""
+ftagent-lite — Lightweight DDoS Traffic Monitor
+Open-source, MIT licensed.
+
+Monitors network traffic in real-time and prints structured stats to stdout.
+No API key required. No cloud dependency.
+
+For full incident management, alerting, PCAP capture, AI classification,
+and team notifications — see Flowtriq: https://flowtriq.com
+
+Usage:
+    sudo python3 ftagent_lite.py
+    sudo python3 ftagent_lite.py --interface eth0
+    sudo python3 ftagent_lite.py --interval 5 --threshold 10000
+    sudo python3 ftagent_lite.py --json          # machine-readable JSON output
+    sudo python3 ftagent_lite.py --watch          # live updating terminal view
+
+Requirements:
+    pip install scapy psutil
+
+Author: Flowtriq (https://flowtriq.com)
+License: MIT
+Version: 1.0.0
+"""
+
+import argparse
+import json
+import os
+import signal
+import sys
+import threading
+import time
+from collections import defaultdict
+from datetime import datetime, timezone
+
+VERSION = "1.0.0"
+
+# ── Optional deps ──────────────────────────────────────────────────────────────
+
+try:
+    from scapy.all import IP, TCP, UDP, ICMP, sniff, conf as scapy_conf
+    SCAPY_OK = True
+except ImportError:
+    SCAPY_OK = False
+
+try:
+    import psutil
+    PSUTIL_OK = True
+except ImportError:
+    PSUTIL_OK = False
+
+# ── Globals ────────────────────────────────────────────────────────────────────
+
+_running = True
+_lock    = threading.Lock()
+
+_counters = {
+    "pps":         0,   # packets this interval
+    "bps":         0,   # bytes this interval
+    "tcp":         0,
+    "udp":         0,
+    "icmp":        0,
+    "other":       0,
+    "src_ips":     set(),
+    "dst_ports":   defaultdict(int),
+    "src_ports":   defaultdict(int),
+    "pkt_sizes":   [],
+}
+
+_stats_history = []   # list of interval snapshots
+_alert_active  = False
+_alert_start   = None
+
+
+# ── Signal handling ────────────────────────────────────────────────────────────
+
+def _shutdown(sig, frame):
+    global _running
+    _running = False
+
+signal.signal(signal.SIGINT,  _shutdown)
+signal.signal(signal.SIGTERM, _shutdown)
+
+
+# ── Packet handler ─────────────────────────────────────────────────────────────
+
+def _handle_packet(pkt):
+    if IP not in pkt:
+        return
+    with _lock:
+        _counters["pps"] += 1
+        pkt_len = len(pkt)
+        _counters["bps"] += pkt_len
+        _counters["pkt_sizes"].append(pkt_len)
+        _counters["src_ips"].add(pkt[IP].src)
+
+        if TCP in pkt:
+            _counters["tcp"] += 1
+            _counters["dst_ports"][pkt[TCP].dport] += 1
+            _counters["src_ports"][pkt[TCP].sport] += 1
+        elif UDP in pkt:
+            _counters["udp"] += 1
+            _counters["dst_ports"][pkt[UDP].dport] += 1
+            _counters["src_ports"][pkt[UDP].sport] += 1
+        elif ICMP in pkt:
+            _counters["icmp"] += 1
+        else:
+            _counters["other"] += 1
+
+
+# ── Stats collection ───────────────────────────────────────────────────────────
+
+def _collect_and_reset(interval: float) -> dict:
+    with _lock:
+        snap = {
+            "pps":       int(_counters["pps"] / interval),
+            "bps":       int(_counters["bps"] / interval),
+            "tcp":       _counters["tcp"],
+            "udp":       _counters["udp"],
+            "icmp":      _counters["icmp"],
+            "other":     _counters["other"],
+            "src_ip_count": len(_counters["src_ips"]),
+            "top_src_ips":  sorted(list(_counters["src_ips"]))[:10],
+            "top_dst_ports": sorted(_counters["dst_ports"].items(), key=lambda x: x[1], reverse=True)[:5],
+            "avg_pkt_size":  int(sum(_counters["pkt_sizes"]) / len(_counters["pkt_sizes"])) if _counters["pkt_sizes"] else 0,
+            "timestamp": datetime.now(timezone.utc).isoformat(),
+        }
+        total_proto = snap["tcp"] + snap["udp"] + snap["icmp"] + snap["other"]
+        snap["tcp_pct"]  = round(100 * snap["tcp"]  / total_proto, 1) if total_proto else 0
+        snap["udp_pct"]  = round(100 * snap["udp"]  / total_proto, 1) if total_proto else 0
+        snap["icmp_pct"] = round(100 * snap["icmp"] / total_proto, 1) if total_proto else 0
+
+        # Reset
+        _counters["pps"]       = 0
+        _counters["bps"]       = 0
+        _counters["tcp"]       = 0
+        _counters["udp"]       = 0
+        _counters["icmp"]      = 0
+        _counters["other"]     = 0
+        _counters["src_ips"]   = set()
+        _counters["dst_ports"] = defaultdict(int)
+        _counters["src_ports"] = defaultdict(int)
+        _counters["pkt_sizes"] = []
+    return snap
+
+
+# ── Formatting helpers ─────────────────────────────────────────────────────────
+
+def _fmt_pps(n: int) -> str:
+    if n >= 1_000_000: return f"{n/1_000_000:.1f}M pps"
+    if n >= 1_000:     return f"{n/1_000:.1f}K pps"
+    return f"{n} pps"
+
+def _fmt_bps(n: int) -> str:
+    n8 = n * 8
+    if n8 >= 1_000_000_000: return f"{n8/1_000_000_000:.2f} Gbps"
+    if n8 >= 1_000_000:     return f"{n8/1_000_000:.1f} Mbps"
+    if n8 >= 1_000:         return f"{n8/1_000:.0f} Kbps"
+    return f"{n8} bps"
+
+def _severity(pps: int, threshold: int) -> str:
+    if pps >= threshold * 5:  return "CRITICAL"
+    if pps >= threshold * 2:  return "HIGH"
+    if pps >= threshold:      return "MEDIUM"
+    return "normal"
+
+ANSI = {
+    "red":    "\033[91m",
+    "yellow": "\033[93m",
+    "green":  "\033[92m",
+    "cyan":   "\033[96m",
+    "bold":   "\033[1m",
+    "reset":  "\033[0m",
+    "clear":  "\033[2J\033[H",
+}
+
+def _col(text: str, color: str, use_color: bool = True) -> str:
+    if not use_color or not sys.stdout.isatty():
+        return text
+    return ANSI.get(color, "") + text + ANSI["reset"]
+
+
+# ── Output modes ───────────────────────────────────────────────────────────────
+
+def _print_human(snap: dict, threshold: int, color: bool):
+    sev = _severity(snap["pps"], threshold)
+    ts  = snap["timestamp"][:19].replace("T", " ")
+
+    sev_color = {"CRITICAL": "red", "HIGH": "red", "MEDIUM": "yellow", "normal": "green"}.get(sev, "green")
+    alert_marker = f" [{_col(sev, sev_color, color)}]" if sev != "normal" else ""
+
+    print(f"{_col(ts, 'cyan', color)}{alert_marker}")
+    print(f"  Traffic : {_col(_fmt_pps(snap['pps']), 'bold', color)}  {_fmt_bps(snap['bps'])}")
+    print(f"  Proto   : TCP {snap['tcp_pct']}%  UDP {snap['udp_pct']}%  ICMP {snap['icmp_pct']}%")
+    print(f"  Sources : {snap['src_ip_count']} unique IPs  |  Avg pkt: {snap['avg_pkt_size']} bytes")
+
+    if snap["top_dst_ports"]:
+        ports_str = "  ".join(f":{p}({c})" for p, c in snap["top_dst_ports"])
+        print(f"  Top dst : {ports_str}")
+
+    if sev != "normal" and snap["top_src_ips"]:
+        ips_str = "  ".join(snap["top_src_ips"][:5])
+        print(f"  Top src : {_col(ips_str, 'red', color)}")
+
+    if sev != "normal":
+        print(f"\n  {_col('! Attack pattern detected. Try Flowtriq for full alerting + auto-mitigation: https://flowtriq.com', 'yellow', color)}\n")
+
+    print()
+
+
+def _print_watch(snap: dict, threshold: int, color: bool, interface: str):
+    sev = _severity(snap["pps"], threshold)
+    sev_color = {"CRITICAL": "red", "HIGH": "red", "MEDIUM": "yellow", "normal": "green"}.get(sev, "green")
+
+    if color and sys.stdout.isatty():
+        print(ANSI["clear"], end="")
+
+    print(_col("=" * 60, "cyan", color))
+    print(_col("  ftagent-lite  |  Flowtriq Open Source Monitor", "bold", color))
+    print(_col("  https://flowtriq.com  |  Full version: Flowtriq Pro", "cyan", color))
+    print(_col("=" * 60, "cyan", color))
+    print(f"  Interface : {interface}")
+    print(f"  Time      : {snap['timestamp'][:19].replace('T',' ')} UTC")
+    print()
+    print(f"  PPS       : {_col(_fmt_pps(snap['pps']), sev_color, color)}")
+    print(f"  Bandwidth : {_fmt_bps(snap['bps'])}")
+    print(f"  Status    : {_col(sev, sev_color, color)}")
+    print()
+    print(f"  TCP  {snap['tcp_pct']:5.1f}%   UDP  {snap['udp_pct']:5.1f}%   ICMP {snap['icmp_pct']:5.1f}%")
+    print(f"  Unique src IPs : {snap['src_ip_count']}")
+    print(f"  Avg packet size: {snap['avg_pkt_size']} bytes")
+
+    if snap["top_dst_ports"]:
+        print()
+        print("  Top destination ports:")
+        for port, count in snap["top_dst_ports"]:
+            bar = "█" * min(20, int(20 * count / max(1, snap["tcp"] + snap["udp"])))
+            print(f"    :{port:<6} {bar} {count}")
+
+    if sev != "normal":
+        print()
+        print(_col("  !! ATTACK PATTERN DETECTED !!", sev_color, color))
+        if snap["top_src_ips"]:
+            print(f"  Top attackers: {', '.join(snap['top_src_ips'][:5])}")
+        print()
+        print(_col("  Get full alerting, PCAP capture, and auto-mitigation:", "yellow", color))
+        print(_col("  https://flowtriq.com  (7-day free trial)", "yellow", color))
+
+    print(_col("=" * 60, "cyan", color))
+    print("  Press Ctrl+C to stop")
+
+
+# ── Sniffer thread ─────────────────────────────────────────────────────────────
+
+def _sniff_thread(interface: str):
+    kwargs = {"prn": _handle_packet, "store": False}
+    if interface and interface != "any":
+        kwargs["iface"] = interface
+    try:
+        sniff(**kwargs, stop_filter=lambda _: not _running)
+    except Exception as e:
+        print(f"[ftagent-lite] sniff error: {e}", file=sys.stderr)
+
+
+# ── Psutil fallback (no scapy) ─────────────────────────────────────────────────
+
+def _psutil_loop(interface: str, interval: float, threshold: int,
+                 json_out: bool, watch: bool, color: bool):
+    iface = interface if interface and interface != "any" else None
+    prev  = None
+
+    while _running:
+        counters = psutil.net_io_counters(pernic=bool(iface))
+        if iface:
+            curr = counters.get(iface)
+        else:
+            curr = psutil.net_io_counters()
+
+        if prev is not None and curr is not None:
+            pps = int((curr.packets_recv - prev.packets_recv) / interval)
+            bps = int((curr.bytes_recv   - prev.bytes_recv)   / interval)
+            snap = {
+                "pps": pps, "bps": bps,
+                "tcp": 0, "udp": 0, "icmp": 0, "other": 0,
+                "tcp_pct": 0.0, "udp_pct": 0.0, "icmp_pct": 0.0,
+                "src_ip_count": 0, "top_src_ips": [],
+                "top_dst_ports": [], "avg_pkt_size": 0,
+                "timestamp": datetime.now(timezone.utc).isoformat(),
+                "_note": "Protocol breakdown not available without scapy",
+            }
+            _stats_history.append(snap)
+            if json_out:
+                print(json.dumps(snap), flush=True)
+            elif watch:
+                _print_watch(snap, threshold, color, interface or "all")
+            else:
+                _print_human(snap, threshold, color)
+
+        prev = curr
+        time.sleep(interval)
+
+
+# ── Main ───────────────────────────────────────────────────────────────────────
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="ftagent-lite: lightweight DDoS traffic monitor (open source)",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Examples:
+  sudo python3 ftagent_lite.py
+  sudo python3 ftagent_lite.py --interface eth0 --interval 5
+  sudo python3 ftagent_lite.py --json | jq .pps
+  sudo python3 ftagent_lite.py --watch --threshold 50000
+
+For full DDoS detection with alerting, PCAP capture, team notifications,
+AI classification, and auto-mitigation:
+  https://flowtriq.com  (7-day free trial, no credit card)
+""",
+    )
+    parser.add_argument("--interface", "-i", default="any",
+                        help="Network interface to monitor (default: any)")
+    parser.add_argument("--interval",  "-t", type=float, default=2.0,
+                        help="Stats reporting interval in seconds (default: 2)")
+    parser.add_argument("--threshold", "-T", type=int, default=5000,
+                        help="PPS alert threshold (default: 5000)")
+    parser.add_argument("--json",  "-j", action="store_true",
+                        help="Output machine-readable JSON (one object per line)")
+    parser.add_argument("--watch", "-w", action="store_true",
+                        help="Live updating terminal display")
+    parser.add_argument("--no-color", action="store_true",
+                        help="Disable ANSI color output")
+    parser.add_argument("--version", "-V", action="version", version=f"ftagent-lite {VERSION}")
+    args = parser.parse_args()
+
+    use_color = not args.no_color
+    interface = args.interface
+
+    if os.geteuid() != 0:
+        print("ftagent-lite requires root/sudo for packet capture.", file=sys.stderr)
+        sys.exit(1)
+
+    # Banner
+    if not args.json:
+        print(_col(f"ftagent-lite v{VERSION}", "bold", use_color) +
+              _col(" — open source DDoS traffic monitor", "cyan", use_color))
+        print(_col("Full monitoring at https://flowtriq.com", "cyan", use_color))
+        print()
+
+    if not SCAPY_OK:
+        if not PSUTIL_OK:
+            print("ERROR: Install scapy or psutil:\n  pip install scapy psutil", file=sys.stderr)
+            sys.exit(1)
+        if not args.json:
+            print("Note: scapy not found — using psutil (no protocol breakdown).", file=sys.stderr)
+            print("Install scapy for full analysis:  pip install scapy\n", file=sys.stderr)
+        _psutil_loop(interface, args.interval, args.threshold, args.json, args.watch, use_color)
+        return
+
+    # Start sniffer thread
+    t = threading.Thread(target=_sniff_thread, args=(interface,), daemon=True)
+    t.start()
+
+    if not args.json:
+        print(f"Monitoring interface: {_col(interface, 'cyan', use_color)}")
+        print(f"Interval: {args.interval}s  |  Alert threshold: {_fmt_pps(args.threshold)}")
+        print()
+
+    try:
+        while _running:
+            time.sleep(args.interval)
+            snap = _collect_and_reset(args.interval)
+            _stats_history.append(snap)
+
+            if args.json:
+                print(json.dumps(snap), flush=True)
+            elif args.watch:
+                _print_watch(snap, args.threshold, use_color, interface)
+            else:
+                _print_human(snap, args.threshold, use_color)
+    finally:
+        _running_ref = False  # signal sniff thread
+
+    # Summary
+    if not args.json and _stats_history:
+        peak_pps = max(s["pps"] for s in _stats_history)
+        peak_bps = max(s["bps"] for s in _stats_history)
+        print()
+        print(_col("── Session summary ──", "cyan", use_color))
+        print(f"  Intervals : {len(_stats_history)}")
+        print(f"  Peak PPS  : {_fmt_pps(peak_pps)}")
+        print(f"  Peak BPS  : {_fmt_bps(peak_bps)}")
+        print()
+        if peak_pps >= args.threshold:
+            print(_col("  Attack traffic detected during this session.", "yellow", use_color))
+            print(_col("  Get full alerting + PCAP capture at https://flowtriq.com", "yellow", use_color))
+
+
+if __name__ == "__main__":
+    main()

ftagent_lite-1.0.0/pyproject.toml

@@ -0,0 +1,44 @@
+[build-system]
+requires = ["setuptools>=61", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "ftagent-lite"
+version = "1.0.0"
+description = "Lightweight open-source DDoS traffic monitor — stdout output, no account required"
+readme = "README.md"
+license = { text = "MIT" }
+authors = [{ name = "Flowtriq", email = "hello@flowtriq.com" }]
+keywords = ["ddos", "network", "traffic", "monitor", "security", "ids"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Environment :: Console",
+    "Intended Audience :: System Administrators",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: POSIX :: Linux",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.7",
+    "Programming Language :: Python :: 3.8",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: System :: Monitoring",
+    "Topic :: System :: Networking :: Monitoring",
+]
+requires-python = ">=3.7"
+dependencies = []
+
+[project.optional-dependencies]
+full = ["scapy>=2.4.5", "psutil>=5.9.0"]
+scapy = ["scapy>=2.4.5"]
+psutil = ["psutil>=5.9.0"]
+
+[project.scripts]
+ftagent-lite = "ftagent_lite:main"
+
+[project.urls]
+Homepage = "https://flowtriq.com"
+Repository = "https://github.com/flowtriq/ftagent-lite"
+"Bug Tracker" = "https://github.com/flowtriq/ftagent-lite/issues"
+"Full Version" = "https://flowtriq.com"

ftagent_lite-1.0.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+