traffic-taffy 0.5.8__py3-none-any.whl → 0.6.1__py3-none-any.whl

traffic_taffy/dissector_engine/dnstap.py

@@ -0,0 +1,121 @@
+"""A dissection engine for quickly parsing and counting packets."""
+
+from __future__ import annotations
+
+from logging import error, debug
+from traffic_taffy.dissector_engine.dpkt import DissectionEngineDpkt
+from traffic_taffy.dissection import Dissection, PCAPDissectorLevel
+
+import dnstap_pb
+import fstrm
+
+
+class DissectionEngineDNStap(DissectionEngineDpkt):
+    """A dissection engine for parsing saved dnscap files."""
+
+    # should be larger than any potentially stored DNS message
+    READ_SIZE = 8192
+
+    def __init__(self, *args: list, **kwargs: dict):
+        """Create a dissection engine for parsing dnscap files."""
+        super().__init__(*args, **kwargs)
+
+    def load_data(self) -> Dissection:
+        """loads the dnstap file into memory."""
+
+        # technically a dnstap file, not a pcap_file
+        with open(self.pcap_file, "rb") as fh:
+            data = fh.read(self.READ_SIZE)
+
+            # create the framing stream decoded
+            stream = fstrm.FstrmCodec()
+            success = stream.append_and_process(data)
+            if not success:
+                error("failed to read {self.pcap_file} as a fstrm")
+                raise ValueError("failed to read input file")
+
+            # the base header is just extra data about the file's producer
+            # header =
+            header = stream.decode()
+            debug(f"header: {header[1]}")
+            # read more data (see comment below)
+            stream.append(fh.read(self.READ_SIZE - len(stream.buf)))
+
+            # Create the dnstap protobuf parser
+            dd = dnstap_pb.Dnstap()
+
+            dissection = self.dissection
+            level = self.dissector_level
+            count = 0
+
+            # loop through the stream and process each subsequent frame
+            while stream.process():
+                # pull the next frame out
+                body = stream.decode()
+
+                # parse it as a dnstap protobuf object
+                dd.ParseFromString(body[2])
+                message = dd.message
+
+                self.start_packet(message.query_time_sec)
+
+                # keep the buffer at the required size.
+                stream.append(fh.read(self.READ_SIZE - len(stream.buf)))
+
+                # determine if it's IPv4 or IPv6
+                if message.socket_family == 1:
+                    IP = "IP"
+                    self.incr(dissection, "Ethernet_type", 2048)
+                    self.incr(dissection, "Ethernet_IP_version", 4)
+                elif message.socket_family == 2:
+                    IP = "IPv6"
+                    self.incr(dissection, "Ethernet_type", 34525)
+                    self.incr(dissection, "Ethernet_IP_version", 6)
+                else:
+                    raise ValueError("unknown IP protocol in dnstap")
+                prefix = "Ethernet_" + IP + "_"
+
+                # set the source/dest addresses
+                self.incr(dissection, prefix + "src", message.query_address)
+                self.incr(dissection, prefix + "dst", message.response_address)
+
+                # Determine the transport protocol
+                # TODO(hardaker): read these names from the protobuf spec directly
+                if message.socket_protocol == 1:
+                    protocol_prefix = prefix + "UDP_"
+                elif message.socket_protocol == 2:
+                    protocol_prefix = prefix + "TCP_"
+                elif message.socket_protocol == 3:
+                    protocol_prefix = prefix + "DOT_"
+                elif message.socket_protocol == 4:
+                    protocol_prefix = prefix + "DOH_"
+                elif message.socket_protocol == 5:
+                    protocol_prefix = prefix + "DNSCryptUDP_"
+                elif message.socket_protocol == 6:
+                    protocol_prefix = prefix + "DNSCryptTCP_"
+                elif message.socket_protocol == 7:
+                    protocol_prefix = prefix + "DOQ_"
+                else:
+                    raise ValueError("unknown DNS socket protocol in dnstap")
+                # TODO(hardaker): get full protocol list here
+
+                self.incr(dissection, protocol_prefix + "sport", message.query_port)
+                self.incr(dissection, protocol_prefix + "dport", message.response_port)
+
+                if message.type & 0x01 == 1:  # query
+                    self.incr(
+                        dissection, protocol_prefix + "DNS_qr", 0
+                    )  # query = 0 in the protocol
+                else:
+                    self.incr(
+                        dissection, protocol_prefix + "DNS_qr", 1
+                    )  # response = 1 in the protocol
+
+                count += 1
+                if self.maximum_count and count >= self.maximum_count:
+                    break
+
+                if level >= PCAPDissectorLevel.COMMON_LAYERS.value:
+                    self.dissect_dns(message.query_message, protocol_prefix + "DNS_")
+
+        return dissection

traffic_taffy/dissector_engine/dpkt.py

@@ -1,18 +1,31 @@
+"""A dissection engine for quickly parsing and counting packets."""
+
+from __future__ import annotations
+
+from logging import debug
 from traffic_taffy.dissector_engine import DissectionEngine
 from traffic_taffy.dissection import Dissection, PCAPDissectorLevel
-from pcap_parallel import PCAPParallel as pcapp
+from pcap_parallel import PCAPParallel
 
 import dpkt
 
 
 class DissectionEngineDpkt(DissectionEngine):
-    def __init__(self, *args, **kwargs):
+    """A dissection engine for quickly parsing and counting packets."""
+
+    DNS_PORT: int = 53
+    HTTP_PORT: int = 80
+    IPV6_VERSION: int = 6
+
+    def __init__(self, *args: list, **kwargs: dict):
+        """Create a dissection engine for quickly parsing and counting packets."""
         super().__init__(*args, **kwargs)
 
-    def load(self) -> Dissection:
-        self.init_dissection()
+    def load_data(self) -> None:
+        """Load the specified PCAP into memory."""
+        # Note: called from self.load() after initializing
         if isinstance(self.pcap_file, str):
-            pcap = dpkt.pcap.Reader(pcapp.open_maybe_compressed(self.pcap_file))
+            pcap = dpkt.pcap.Reader(PCAPParallel.open_maybe_compressed(self.pcap_file))
         else:
             # it's an open handle already
             pcap = dpkt.pcap.Reader(self.pcap_file)
@@ -20,45 +33,144 @@ class DissectionEngineDpkt(DissectionEngine):
             pcap.setfilter(self.pcap_filter)
         pcap.dispatch(self.maximum_count, self.callback)
 
-        self.dissection.calculate_metadata()
-        return self.dissection
-
-    def incr(self, dissection, name, value):
+    def incr(self, dissection: Dissection, name: str, value: str | int) -> None:
+        """Increment a given name and value counter."""
         if name not in self.ignore_list:
             dissection.incr(name, value)
 
-    def callback(self, timestamp: float, packet: bytes):
+    def dissect_dns(self, dns_data: bytes, prefix: str = None) -> None:
+        try:
+            dns = dpkt.dns.DNS(dns_data)
+        except dpkt.dpkt.UnpackError:
+            self.incr(self.dissection, prefix + "unparsable_dns", "PARSE_ERROR")
+            debug("DPKT unparsable DNS data")
+            return
+        except UnicodeDecodeError:
+            self.incr(self.dissection, prefix + "unparsable_utf8", "PARSE_ERROR")
+            debug("DPKT unparsable UTF8 data")
+            return
+
+        dissection = self.dissection
+
+        self.incr(dissection, prefix + "id", dns.id)
+        self.incr(dissection, prefix + "opcode", dns.op)
+        # self.incr(dissection, prefix + "qd", dns.qd)
+        # self.incr(dissection, prefix + "an", dns.an)
+        # self.incr(dissection, prefix + "ns", dns.ns)
+        # self.incr(dissection, prefix + "ar", dns.ar)
+
+        # flags and headers
+        self.incr(dissection, prefix + "rcode", dns.rcode)
+        self.incr(dissection, prefix + "ra", dns.ra)
+        self.incr(dissection, prefix + "rd", dns.rd)
+        self.incr(dissection, prefix + "tc", dns.tc)
+        self.incr(dissection, prefix + "z", dns.zero)
+        self.incr(dissection, prefix + "opcode", dns.opcode)
+        self.incr(dissection, prefix + "qr", dns.qr)
+        self.incr(dissection, prefix + "aa", dns.aa)
+        # self.incr(dissection, prefix + "ad", dns.ad)
+
+        # record counts
+        self.incr(dissection, prefix + "qdcount", len(dns.qd))
+        self.incr(dissection, prefix + "ancount", len(dns.an))
+        self.incr(dissection, prefix + "nscount", len(dns.ns))
+        self.incr(dissection, prefix + "arcount", len(dns.ar))
+
+        for record in dns.qd:
+            self.incr(dissection, prefix + "qd_qname", record.name + ".")
+            self.incr(dissection, prefix + "qd_qtype", record.type)
+            self.incr(dissection, prefix + "qd_qclass", record.cls)
+
+        for record in dns.an:
+            self.incr(dissection, prefix + "an_rrname", record.name + ".")
+            self.incr(dissection, prefix + "an_type", record.type)
+            self.incr(dissection, prefix + "an_rclass", record.cls)
+            self.incr(dissection, prefix + "an_rdlen", record.rlen)
+            self.incr(dissection, prefix + "an_ttl", record.ttl)
+
+            # concepts from dpkt.dns.DNS_upnack_rdata()
+            if record.type == dpkt.dns.DNS_A:
+                # TODO(hardaker): decode this hex streem to an IP
+                self.incr(dissection, prefix + "an_rdata", record.ip)
+            elif record.type == dpkt.dns.DNS_AAAA:
+                # TODO(hardaker): decode this hex streem to an IP(v6)
+                self.incr(dissection, prefix + "an_rdata", record.ip6)
+            elif record.type == dpkt.dns.DNS_NS:
+                self.incr(dissection, prefix + "an_nsname", record.nsname)
+            elif record.type == dpkt.dns.DNS_CNAME:
+                self.incr(dissection, prefix + "an_cname", record.cname)
+            elif record.type == dpkt.dns.DNS_CNAME:
+                self.incr(dissection, prefix + "an_ptrname", record.ptrname)
+            elif record.type == dpkt.dns.DNS_MX:
+                self.incr(
+                    dissection,
+                    prefix + "an_preference",
+                    record.preference,
+                )
+                self.incr(dissection, prefix + "an_mxname", record.mxname)
+            elif record.type == dpkt.dns.DNS_SRV:
+                self.incr(dissection, prefix + "an_priority", record.priority)
+                self.incr(dissection, prefix + "an_weight", record.weight)
+                self.incr(dissection, prefix + "an_port", record.port)
+                self.incr(dissection, prefix + "an_srvname", record.srvname)
+                self.incr(dissection, prefix + "an_off", record.off)
+            elif record.type in (dpkt.dns.DNS_TXT, dpkt.dns.DNS_HINFO):
+                for text_record in record:
+                    self.incr(dissection, prefix + "an_text", text_record)
+            elif record.type == dpkt.dns.DNS_SOA:
+                self.incr(dissection, prefix + "an_mname", record.mname + ".")
+                self.incr(dissection, prefix + "an_rname", record.rname)
+                self.incr(dissection, prefix + "an_serial", record.serial)
+                self.incr(dissection, prefix + "an_refresh", record.refresh)
+                self.incr(dissection, prefix + "an_refresh", record.refresh)
+                self.incr(dissection, prefix + "an_retry", record.retry)
+                self.incr(dissection, prefix + "an_expire", record.expire)
+                self.incr(dissection, prefix + "an_minimum", record.minimum)
+
+        for record in dns.ns:
+            self.incr(dissection, prefix + "ns_rrname", record.name + ".")
+            self.incr(dissection, prefix + "ns_type", record.type)
+            self.incr(dissection, prefix + "ns_rclass", record.cls)
+            # self.incr(dissection, prefix + "ns_rdata", record.nsname)
+            self.incr(dissection, prefix + "ns_ttl", record.ttl)
+
+        for record in dns.ar:
+            self.incr(dissection, prefix + "ar_rrname", record.name + "_")
+            self.incr(dissection, prefix + "ar_type", record.type)
+            self.incr(dissection, prefix + "ar_rclass", record.cls)
+            self.incr(dissection, prefix + "ar_ttl", record.ttl)
+            self.incr(dissection, prefix + "ar_rdlen", record.rlen)
+
+    def callback(self, timestamp: float, packet: bytes) -> None:
+        """Dissect and count one packet."""
         # if binning is requested, save it in a binned time slot
         dissection: Dissection = self.dissection
 
-        dissection.timestamp = int(timestamp)
-        if dissection.bin_size:
-            dissection.timestamp = (
-                dissection.timestamp - dissection.timestamp % dissection.bin_size
-            )
-
-        dissection.incr(Dissection.TOTAL_COUNT, dissection.TOTAL_SUBKEY)
+        self.start_packet(int(timestamp), dissection)
 
         level = self.dissector_level
         if isinstance(level, PCAPDissectorLevel):
             level = level.value
+
         if level >= PCAPDissectorLevel.THROUGH_IP.value:
             eth = dpkt.ethernet.Ethernet(packet)
             # these names are designed to match scapy names
-            self.incr(dissection, "Ethernet.dst", eth.dst)
-            self.incr(dissection, "Ethernet.src", eth.src)
-            self.incr(dissection, "Ethernet.type", eth.type)
+            self.incr(dissection, "Ethernet_dst", eth.dst)
+            self.incr(dissection, "Ethernet_src", eth.src)
+            self.incr(dissection, "Ethernet_type", eth.type)
 
             if isinstance(eth.data, dpkt.ip.IP):
                 ip = eth.data
+                udp = None
+                tcp = None
 
-                IPVER = "IP"
-                if ip.v == 6:
-                    IPVER = "IPv6"
+                ipver = "IP"
+                if ip.v == DissectionEngineDpkt.IPV6_VERSION:
+                    ipver = "IPv6"
 
-                prefix = f"Ethernet.{IPVER}."
+                prefix = f"Ethernet_{ipver}_"
 
-                # TODO: make sure all these match scapy
+                # TODO(hardaker): make sure all these match scapy
                 self.incr(dissection, prefix + "dst", ip.dst)
                 self.incr(dissection, prefix + "src", ip.src)
                 self.incr(dissection, prefix + "df", ip.df)
@@ -76,23 +188,77 @@ class DissectionEngineDpkt(DissectionEngine):
 
                 if isinstance(ip.data, dpkt.udp.UDP):
                     udp = ip.data
-                    self.incr(dissection, prefix + "UDP.sport", udp.sport)
-                    self.incr(dissection, prefix + "UDP.dport", udp.dport)
-                    self.incr(dissection, prefix + "UDP.len", udp.ulen)
-                    self.incr(dissection, prefix + "UDP.chksum", udp.sum)
+                    self.incr(dissection, prefix + "UDP_sport", udp.sport)
+                    self.incr(dissection, prefix + "UDP_dport", udp.dport)
+                    self.incr(dissection, prefix + "UDP_len", udp.ulen)
+                    self.incr(dissection, prefix + "UDP_chksum", udp.sum)
 
-                    # TODO: handle DNS and others for level 3
+                    # TODO(hardaker): handle DNS and others for level 3
 
                 elif isinstance(ip.data, dpkt.tcp.TCP):
-                    # TODO
                     tcp = ip.data
-                    self.incr(dissection, prefix + "TCP.sport", tcp.sport)
-                    self.incr(dissection, prefix + "TCP.dport", tcp.dport)
-                    self.incr(dissection, prefix + "TCP.seq", tcp.seq)
-                    self.incr(dissection, prefix + "TCP.flags", tcp.flags)
-                    # self.incr(dissection, prefix + "TCP.reserved", tcp.reserved)
-                    self.incr(dissection, prefix + "TCP.window", tcp.win)
-                    self.incr(dissection, prefix + "TCP.chksum", tcp.sum)
-                    self.incr(dissection, prefix + "TCP.options", tcp.opts)
-
-                    # TODO: handle DNS and others for level 3
+                    self.incr(dissection, prefix + "TCP_sport", tcp.sport)
+                    self.incr(dissection, prefix + "TCP_dport", tcp.dport)
+                    self.incr(dissection, prefix + "TCP_seq", tcp.seq)
+                    self.incr(dissection, prefix + "TCP_flags", tcp.flags)
+                    # self.incr(dissection, prefix + "TCP_reserved", tcp.reserved)
+                    self.incr(dissection, prefix + "TCP_window", tcp.win)
+                    self.incr(dissection, prefix + "TCP_chksum", tcp.sum)
+                    self.incr(dissection, prefix + "TCP_options", tcp.opts)
+
+                if level >= PCAPDissectorLevel.COMMON_LAYERS.value:
+                    http = None
+                    if udp and DissectionEngineDpkt.DNS_PORT in (udp.sport, udp.dport):
+                        self.dissect_dns(udp.data, prefix + "UDP_DNS_")
+                        return
+
+                    if tcp and DissectionEngineDpkt.DNS_PORT in (tcp.sport, tcp.dport):
+                        self.dissect_dns(tcp.data, prefix + "TCP_DNS_")
+                        return
+
+                    if (
+                        tcp
+                        and DissectionEngineDpkt.HTTP_PORT in (tcp.sport, tcp.dport)
+                        and len(tcp.data) > 0
+                    ):
+                        try:
+                            (command, _, content) = tcp.data.partition(b"\r\n")
+                            http = dpkt.http.Message(content)
+                            prefix += "TCP_HTTP 1_"
+
+                            (method, _, remaining) = command.partition(b" ")
+                            method = method.decode("utf-8")
+                            if method in [
+                                "GET",
+                                "POST",
+                                "HEAD",
+                                "PUT",
+                                "DELETE",
+                                "CONNECT",
+                                "TRACE",
+                                "PATCH",
+                                "OPTIONS",
+                            ]:
+                                prefix += "Request_"
+                                self.incr(dissection, prefix + "Method", method)
+                            else:
+                                prefix += "Response_"
+
+                        except dpkt.dpkt.UnpackError:
+                            self.incr(
+                                dissection,
+                                prefix + "TCP_HTTP_unparsable",
+                                "PARSE_ERROR",
+                            )
+                            debug("DPKT unparsable HTTP data")
+                            return
+
+                    if http:
+                        for header in http.headers:
+                            parts = http.headers[header]
+                            if not isinstance(parts, list):
+                                parts = [parts]
+                            for value in parts:
+                                self.incr(
+                                    dissection, prefix + header, value.capitalize()
+                                )

traffic_taffy/dissector_engine/scapy.py

@@ -1,21 +1,26 @@
+"""A scapy engine for deeply parsing and counting packets."""
+
+from __future__ import annotations
 from traffic_taffy.dissector_engine import DissectionEngine
-from traffic_taffy.dissection import Dissection
-from pcap_parallel import PCAPParallel as pcapp
+from pcap_parallel import PCAPParallel
 from logging import warning
 
 from scapy.all import sniff, load_layer
 
 
 class DissectionEngineScapy(DissectionEngine):
-    def _init_(self, *args, **kwargs):
-        super()._init_(*args, **kwargs)
+    """A scapy engine class for deeply parsing and counting packets."""
+
+    def __init__(self, *args: list, **kwargs: dict):
+        """Create a scapy engine class."""
+        super().__init__(*args, **kwargs)
 
-    def load(self) -> Dissection:
-        "Loads a pcap file into a nested dictionary of statistical counts"
-        self.init_dissection()
-        load_this = self.pcap_file
+    def load_data(self) -> None:
+        """Load a pcap file into a nested dictionary of statistical counts."""
         if isinstance(self.pcap_file, str):
-            load_this = pcapp.open_maybe_compressed(self.pcap_file)
+            load_this = PCAPParallel.open_maybe_compressed(self.pcap_file)
+        else:
+            load_this = self.pcap_file
 
         if self.layers:
             for layer in self.layers:
@@ -28,17 +33,15 @@ class DissectionEngineScapy(DissectionEngine):
             count=self.maximum_count,
             filter=self.pcap_filter,
         )
-        self.dissection.calculate_metadata()
-        # TODO: for some reason this fails on xz compressed files when processing in parallel
-        return self.dissection
-
-    def add_item(self, field_value, prefix: str) -> None:
-        "Adds an item to the self.dissection regardless of it's various types"
+        # TODO(hardaker): for some reason this fails on xz compressed files when processing in parallel
 
+    def add_item(self, field_value: str | int, prefix: str) -> None:
+        """Add an item to the self.dissection regardless of it's various types"""
         if isinstance(field_value, list):
             if len(field_value) > 0:
                 # if it's a list of tuples, count the (eg TCP option) names
-                # TODO: values can be always the same or things like timestamps
+                #
+                # TODO(hardaker): values can be always the same or things like timestamps
                 #       that will always change or are too unique
                 if isinstance(field_value[0], tuple):
                     for item in field_value:
@@ -48,11 +51,7 @@ class DissectionEngineScapy(DissectionEngine):
                         self.add_item(item, prefix)
             # else:
             #     debug(f"ignoring empty-list: {field_value}")
-        elif (
-            isinstance(field_value, str)
-            or isinstance(field_value, int)
-            or isinstance(field_value, float)
-        ):
+        elif isinstance(field_value, (str, int, float)):
             self.dissection.incr(prefix, field_value)
 
         elif isinstance(field_value, bytes):
@@ -64,8 +63,7 @@ class DissectionEngineScapy(DissectionEngine):
                 self.dissection.incr(prefix, converted)
 
     def add_layer(self, layer, prefix: str | None = "") -> None:
-        "Analyzes a layer to add counts to each layer sub-component"
-
+        """Analyze a layer to add counts to each layer sub-component."""
         if hasattr(layer, "fields_desc"):
             name_list = [field.name for field in layer.fields_desc]
         elif hasattr(layer, "fields"):
@@ -83,21 +81,18 @@ class DissectionEngineScapy(DissectionEngine):
             try:
                 field_value = getattr(layer, field_name)
                 if hasattr(field_value, "fields"):
-                    self.add_layer(field_value, new_prefix + ".")
+                    self.add_layer(field_value, new_prefix + "_")
                 else:
                     self.add_item(field_value, new_prefix)
             except Exception as e:
                 warning(f"scapy error at '{prefix}' in field '{field_name}'")
                 warning(e)
 
-    def callback(self, packet):
-        prefix = "."
-        self.timestamp = int(packet.time)
-        if self.bin_size:
-            self.timestamp = self.timestamp - self.timestamp % self.bin_size
+    def callback(self, packet) -> None:
+        """Handle one packet to dissect."""
+        prefix = "_"
+        self.start_packet(int(packet.time))
 
-        self.dissection.timestamp = int(self.timestamp)
-        self.dissection.incr(Dissection.TOTAL_COUNT, Dissection.TOTAL_SUBKEY)
         for payload in packet.iterpayloads():
-            prefix = f"{prefix}{payload.name}."
+            prefix = f"{prefix}{payload.name}_"
             self.add_layer(payload, prefix[1:])

traffic_taffy/graph.py

@@ -1,3 +1,7 @@
+"""Create an output graph from a dissection data."""
+
+from __future__ import annotations
+
 import seaborn as sns
 import matplotlib.pyplot as plt
 from logging import debug, info
@@ -9,19 +13,21 @@ from traffic_taffy.graphdata import PcapGraphData
 
 
 class PcapGraph(PcapGraphData):
+    """Create an output graph from a dissection data."""
+
     def __init__(
         self,
         pcap_files: str,
         output_file: str,
-        maximum_count: int = None,
-        minimum_count: int = None,
-        bin_size: int = None,
-        match_string: str = None,
-        match_value: str = None,
+        maximum_count: int | None = None,
+        minimum_count: int | None = None,
+        bin_size: int | None = None,
+        match_string: str | None = None,
+        match_value: str | None = None,
         cache_pcap_results: bool = False,
         dissector_level: PCAPDissectorLevel = PCAPDissectorLevel.COUNT_ONLY,
         interactive: bool = False,
-        ignore_list: List[str] = [],
+        ignore_list: List[str] | None = None,
         by_percentage: bool = False,
         pcap_filter: str | None = None,
         cache_file_suffix: str = "taffy",
@@ -29,6 +35,7 @@ class PcapGraph(PcapGraphData):
         force_overwrite: bool = False,
         force_load: bool = False,
     ):
+        """Create an instance of a graphing object."""
         self.pcap_files = pcap_files
         self.output_file = output_file
         self.maximum_count = maximum_count
@@ -41,7 +48,7 @@ class PcapGraph(PcapGraphData):
         self.cache_pcap_results = cache_pcap_results
         self.dissector_level = dissector_level
         self.interactive = interactive
-        self.ignore_list = ignore_list
+        self.ignore_list = ignore_list or []
         self.by_percentage = by_percentage
         self.pcap_filter = pcap_filter
         self.cache_file_suffix = cache_file_suffix
@@ -51,8 +58,8 @@ class PcapGraph(PcapGraphData):
 
         super().__init__()
 
-    def load_pcaps(self):
-        "loads the pcap and counts things into bins"
+    def load_pcaps(self) -> None:
+        """Load the pcap and counts things into bins."""
         self.data = {}
 
         info("reading pcap files")
@@ -72,7 +79,8 @@ class PcapGraph(PcapGraphData):
         self.dissections = pdm.load_all()
         info("done reading pcap files")
 
-    def create_graph(self):
+    def create_graph(self) -> None:
+        """Create the graph itself and save it."""
         df = self.get_dataframe(merge=True, calculate_load_fraction=self.by_percentage)
 
         hue_variable = "index"
@@ -102,8 +110,8 @@ class PcapGraph(PcapGraphData):
         else:
             plt.show()
 
-    def show_graph(self):
-        "Graph the results of the data collection"
+    def show_graph(self) -> None:
+        """Graph the results of the data collection."""
         debug("creating the graph")
         sns.set_theme()
 
@@ -119,7 +127,8 @@ class PcapGraph(PcapGraphData):
                 if not self.match_string and not self.match_value:
                     self.interactive = False
 
-    def graph_it(self):
+    def graph_it(self) -> None:
+        """Load the pcaps and graph it."""
         debug("--- loading pcaps")
         self.load_pcaps()
         debug("--- creating graph")