traffic-taffy 0.9.6__py3-none-any.whl → 0.9.8__py3-none-any.whl

traffic_taffy/__init__.py

@@ -1 +1 @@
-__VERSION__ = "0.9.6"
+__VERSION__ = "0.9.8"

traffic_taffy/dissector.py

@@ -259,16 +259,14 @@ class PCAPDissector:
         match_expression: str | None = None,
     ) -> None:
         """Output the results in an FSDB file."""
-        if timestamps is None:
-            timestamps = [0]
         import pyfsdb
 
         fh = pyfsdb.Fsdb(
             out_file_handle=sys.stdout,
-            out_column_names=["key", "subkey", "value"],
+            out_column_names=["timestamp", "key", "subkey", "value"],
             converters={"value": int},
         )
-        for _, key, subkey, value in self.dissection.find_data(
+        for timestamp, key, subkey, value in self.dissection.find_data(
             timestamps=timestamps,
             match_string=match_string,
             match_value=match_value,
@@ -276,7 +274,7 @@ class PCAPDissector:
             make_printable=True,
             match_expression=match_expression,
         ):
-            fh.append([key, subkey, value])
+            fh.append([timestamp, key, subkey, value])
         fh.close()
 
 

traffic_taffy/hooks/blag.py

@@ -0,0 +1,51 @@
+"""Traffic-Taffy plugin to look up addresses in the BLAG blocklist."""
+from blagbl import BlagBL
+import ipaddress
+
+from traffic_taffy.hooks import register_hook
+from traffic_taffy.dissector import POST_DISSECT_HOOK, INIT_HOOK
+from traffic_taffy.dissection import Dissection
+
+blag = None
+blag_ips = None
+
+
+@register_hook(INIT_HOOK)
+def init_blag(**kwargs):
+    """Initialize the BLAG block list table."""
+    global blag
+    global blag_ips
+
+    if blag is None:
+        blag = BlagBL()
+        blag.parse_blag_contents()
+        blag_ips = blag.ips
+
+
+@register_hook(POST_DISSECT_HOOK)
+def ip_blagbl_lookup(dissection: Dissection, **kwargs):
+    """Perform IP address lookups within the BLAG block list."""
+    timestamps = dissection.data.keys()
+
+    for timestamp in timestamps:
+        keys = list(dissection.data[timestamp].keys())
+
+        for key in keys:
+            key = str(key)
+            if (
+                key.endswith("IP_src") or key.endswith("IP_dst")
+                # or key.endswith("IPv6_src")
+                # or key.endswith("IPv6_dst")
+            ):
+                for value in dissection.data[timestamp][key]:
+                    try:
+                        value = str(ipaddress.IPv4Address(value))
+                    except Exception:
+                        continue
+                    count = dissection.data[timestamp][key][value]
+
+                    if value in blag_ips:
+                        for blocklist in blag_ips[value]:
+                            dissection.data[timestamp][key + "_blocklist"][
+                                blocklist
+                            ] += count

traffic_taffy/hooks/ip2asn.py

@@ -9,7 +9,7 @@ from traffic_taffy.taffy_config import taffy_default, TaffyConfig
 
 i2a = None
 
-taffy_default("modules.ip2asn.database", "ip2asn-combined.tsv")
+taffy_default("modules.ip2asn.database", ip2asn.DEFAULT_IP2ASN_FILE)
 
 
 @register_hook(INIT_HOOK)
@@ -20,7 +20,7 @@ def init_ip2asn(**kwargs):
         config = TaffyConfig()
         db_path = config.get_dotnest("modules.ip2asn.database")
 
-        if not Path(db_path).exists():
+        if db_path and not Path(db_path).exists():
             error("The ip2asn plugin requires a ip2asn-combined.tsv in this directory")
             error("Please download it from https://iptoasn.com/")
 

traffic_taffy/output/console.py

@@ -65,6 +65,7 @@ class Console(Output):
     def output_record(self, key: str, subkey: Any, data: Dict[str, Any]) -> None:
         """Print a report to the console."""
 
+        marker = " "
         style = ""
         endstyle = ""
         if getattr(data, "delta_percentage", None):
@@ -73,12 +74,16 @@ class Console(Output):
             # apply some styling depending on range
             if delta_percentage < -Console.BOLD_LIMIT:
                 style = "[bold red]"
+                marker = "v"
             elif delta_percentage < Console.POSITIVE:
                 style = "[red]"
+                marker = "v"
             elif delta_percentage > Console.BOLD_LIMIT:
                 style = "[bold green]"
+                marker = "^"
             elif delta_percentage > Console.POSITIVE:
                 style = "[green]"
+                marker = "^"
             endstyle = style.replace("[", "[/")
 
         # construct the output line with styling
@@ -92,6 +97,7 @@ class Console(Output):
             style=style,
             endstyle=endstyle,
             subkey=subkey,
+            marker=marker,
             **field_values,
         )
 

traffic_taffy/reports/compareslicesreport.py

@@ -34,7 +34,7 @@ class CompareSlicesReport(Report):
     @property
     def header_string(self) -> str:
         """Header string."""
-        line = "  {style}{subkey:<50}{endstyle}"
+        line = "  {style}  {subkey:<50}{endstyle}"
         line += " {left_count:>8} {right_count:>8} {delta_absolute:>8}"
         line += " {left_percentage:>7} {right_percentage:>7}  {delta_percentage:>7}"
 
@@ -43,7 +43,7 @@ class CompareSlicesReport(Report):
     @property
     def format_string(self) -> str:
         """Formatting string for each printed line."""
-        line = "  {style}{subkey:<50}{endstyle}"
+        line = "  {style}{marker} {subkey:<50}{endstyle}"
         line += " {left_count:>8} {right_count:>8} {delta_absolute:>8}"
         line += " {left_percentage:>7.2f} {right_percentage:>7.2f}  {delta_percentage:>7.2f}"
 

traffic_taffy/reports/correlationchangereport.py

@@ -28,7 +28,7 @@ class CorrelationChangeReport(Report):
     @property
     def header_string(self) -> str:
         """Formatting string for each printed line."""
-        line = "  {style}{subkey:<50}{endstyle}"
+        line = "  {style}  {subkey:<50}{endstyle}"
         line += " {timestamp:>10}"
         line += " {left_correlation:>17}"
         line += " {right_correlation:>17}"
@@ -39,7 +39,7 @@ class CorrelationChangeReport(Report):
     @property
     def format_string(self) -> str:
         """Formatting string for each printed line."""
-        line = "  {style}{subkey:<50}{endstyle}"
+        line = "  {style}{marker} {subkey:<50}{endstyle}"
         line += " {timestamp:>10}"
         line += " {left_correlation:>17.2f}"
         line += " {right_correlation:>17.2f}"

traffic_taffy/reports/correlationreport.py

@@ -22,7 +22,7 @@ class CorrelationReport(Report):
     @property
     def header_string(self) -> str:
         """Formatting string for each printed line."""
-        line = "  {style}{subkey:<50}{endstyle}"
+        line = "  {style}  {subkey:<50}{endstyle}"
         line += " {correlation:>11}"
 
         return line
@@ -30,7 +30,7 @@ class CorrelationReport(Report):
     @property
     def format_string(self) -> str:
         """Formatting string for each printed line."""
-        line = "  {style}{subkey:<50}{endstyle}"
+        line = "  {style}{marker} {subkey:<50}{endstyle}"
         line += " {correlation:>11.2f}"
 
         return line

traffic_taffy/tools/dissect.py

@@ -43,6 +43,12 @@ def dissect_parse_args() -> Namespace:
         help="Print results in an FSDB formatted output",
     )
 
+    parser.add_argument(
+        "-t", "--fsdb-all-timestamps", 
+        action="store_true",
+        help="Print FSDB that includes all timestamps",
+    )
+
     parser.add_argument(
         "--dont-fork",
         action="store_true",
@@ -89,9 +95,12 @@ def main() -> None:
     pd.dissection = dissection
 
     # output as requested
-    if args.fsdb:
+    if args.fsdb or args.fsdb_all_timestamps:
+        timestamps = [0]
+        if args.fsdb_all_timestamps:
+            timestamps = None
         pd.print_to_fsdb(
-            timestamps=[0],
+            timestamps,
             match_string=args.match_string,
             match_value=args.match_value,
             minimum_count=args.minimum_count,

{traffic_taffy-0.9.6.dist-info → traffic_taffy-0.9.8.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: traffic-taffy
-Version: 0.9.6
+Version: 0.9.8
 Summary: A tool for doing differential analysis of pcap files
 Project-URL: Homepage, https://traffic-taffy.github.io/
 Author-email: Wes Hardaker <opensource@hardakers.net>
@@ -14,7 +14,7 @@ Requires-Dist: cryptography
 Requires-Dist: dnssplitter
 Requires-Dist: dotnest>=1.0
 Requires-Dist: dpkt
-Requires-Dist: ip2asn
+Requires-Dist: ip2asn>=1.6.6
 Requires-Dist: msgpack
 Requires-Dist: pandas
 Requires-Dist: pcap-parallel

{traffic_taffy-0.9.6.dist-info → traffic_taffy-0.9.8.dist-info}/RECORD

@@ -1,10 +1,10 @@
-traffic_taffy/__init__.py,sha256=9xmdbHPOaHkUt61kunVWy2yjchW2Zvmp7Ti49qS99iM,22
+traffic_taffy/__init__.py,sha256=uP67YUi8VVs_JVB_tdvT_PnmKv3-I2IqRNX1DcwDqGs,22
 traffic_taffy/compare.py,sha256=g9rU6oa_2Wy0nUJ7K6TI8JTctyGCRvYEUakDBf7blOY,8644
 traffic_taffy/comparison.py,sha256=KJxOp4UqhfRkF4LI1PMDRIefeyTm2w5sbdr7VUTS4KM,1451
 traffic_taffy/config.py,sha256=DgTu2kA1Ec4Hbwl_44kTsdyJYvxAabgJk9a7aOH2XXU,4444
 traffic_taffy/dissection.py,sha256=DNxcXoNyk2lpJiaSzvAq1YHwHhYPY6xtlVkHTs-eb9Q,23904
 traffic_taffy/dissectmany.py,sha256=SWFXFyERNCi0j7hiMDEeJJdPYDpa0SOlSj1V8AqpXUA,5189
-traffic_taffy/dissector.py,sha256=M5MHVPwfeMHa6s4TG8ZiiNjk7qaht65wdqm0nmRHdQ8,15682
+traffic_taffy/dissector.py,sha256=9QwGMGugHzVE8GWRpsfPXfSj02Sm2i_ZNU0Ah9AZ7BI,15654
 traffic_taffy/graph.py,sha256=EfkxH5D9PNlDpvftkh9GyUusV05EV537QGB7JOMeW4w,4730
 traffic_taffy/graphdata.py,sha256=r_QNXO3FzC7Vx4123SdCliAh7j2NCQ4Lb5uoOJnlt2M,3376
 traffic_taffy/taffy_config.py,sha256=AmdQbWAhoiV7aTNSpV1exJfd5eA0a3sYTIjikHkMPwY,1124
@@ -19,18 +19,19 @@ traffic_taffy/dissector_engine/dnstap.py,sha256=rBzVlB0D3YVhHOsr17cbnCIZU13g20sr
 traffic_taffy/dissector_engine/dpkt.py,sha256=q7cJz6WWpe9xUcEbAY_yn_cma_4loXuS3QKIVln6FHQ,12788
 traffic_taffy/dissector_engine/scapy.py,sha256=S3yrUmSeDjt3oE1I07L3iLFLF8Df8XAZg535FY_eu90,5004
 traffic_taffy/hooks/__init__.py,sha256=Bvhl6RnyBqQkWuCU6TS0O_ZHe4qCQsC4HE8FELigWPw,661
-traffic_taffy/hooks/ip2asn.py,sha256=7UA52L6jej0RYBptzP9izO0yXMcqH7wcp2ocDRUN5dg,2216
+traffic_taffy/hooks/blag.py,sha256=KWFhDYbH8sRcUsujCSdlycE0pYkX5ymyRRbHxi20z3U,1626
+traffic_taffy/hooks/ip2asn.py,sha256=G7zo2lFRLK-fbbzGMMcsaxIIh9ME6BoM0E6cJDaeE18,2233
 traffic_taffy/hooks/labels.py,sha256=5jHXq3-kxDQj9PRYgak-gDzE8dvSUiCEq9mBs9nE014,1933
 traffic_taffy/hooks/psl.py,sha256=A3maHS9FOholOEv1LuX0xSO3u34GyqeYl9_EtJG1pMY,2119
 traffic_taffy/iana/tables.msgpak,sha256=d-R5Xw9yG9t4RqGJRrpE6cjH4YfaxQBwQiBhNjKZbwI,172825
 traffic_taffy/output/__init__.py,sha256=qqlAUA99fxWlHEns-ji7A2RrcA8RA-AKXK7n2D737c8,3312
-traffic_taffy/output/console.py,sha256=QizlMIRbUKm7S57SojBiTAOB4KM9DCcj8EKiH1roO6U,3031
+traffic_taffy/output/console.py,sha256=x68iZYCq3jCn86AsnP339CnDJVLVojfmOOwSbJtaQjk,3195
 traffic_taffy/output/fsdb.py,sha256=0z2zDydfnqOVM8Mj6pTJf4n4pGPupWykuYPgdgjJRN8,1859
 traffic_taffy/output/memory.py,sha256=86tgJ-jMt3UVX31eP6U02YbbYRoqbYhhR4kXJQmYzO4,1870
 traffic_taffy/reports/__init__.py,sha256=lMDS7q35aIdDrJ7G8ot4Q_6t9nYllr0C9510FL43rZY,113
-traffic_taffy/reports/compareslicesreport.py,sha256=Clrif58TPBTwP4BNxh9PcHkyASbUUscrOWtSgLrItN4,2754
-traffic_taffy/reports/correlationchangereport.py,sha256=W8tKWMk5Ss45Ho3wh_mAcK2Jj2fpL7vnNyun2C_lRgw,1575
-traffic_taffy/reports/correlationreport.py,sha256=9PdL_53mxfO619PFSoeRsTEm63L1J_u-B4sVvlH8xaU,1109
+traffic_taffy/reports/compareslicesreport.py,sha256=zLGlW158orhWuneav2_t2pJrEmIIskQEPsbIJMJesX8,2765
+traffic_taffy/reports/correlationchangereport.py,sha256=GazkJe0dx7F0TiGl9G6_l3zHHkglYpA2PfpibvEdalE,1586
+traffic_taffy/reports/correlationreport.py,sha256=QwwFzf1XKsPYQ-m5sHnLeCne0IMcHGamzsOEJBzL32c,1120
 traffic_taffy/tests/test_compare_results.py,sha256=iLcS9wvEqxgKszIspLtD2Zw8Qk5JxOCurQwWYzhtOkM,2318
 traffic_taffy/tests/test_config.py,sha256=UCqSJXVwpFFchcIbyFzLqjVF-wgEV755KlQ7thommro,4284
 traffic_taffy/tests/test_dict_merge.py,sha256=t3rZSQQ0AlBxRKfLborx9SxYN53cCAQQzZ2w-__WT2Y,1429
@@ -45,12 +46,12 @@ traffic_taffy/tools/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSu
 traffic_taffy/tools/cache_info.py,sha256=ZanO6jDlTdfJ7w0N_7BkLyJj4NyZGShaH7SrUulbIoE,2085
 traffic_taffy/tools/compare.py,sha256=oT5fIqfPeY6nGI9vSVAoKDsAVzzqfXJDzyOw2BhPfSI,3509
 traffic_taffy/tools/config.py,sha256=RwJYyfI1yiAKbMzU5mcPTguBiH-hGRy5vk_YvAAjPuM,2343
-traffic_taffy/tools/dissect.py,sha256=B-7e7aqEOWtJ-0P2Y-mzmrzoDqVrDCJ2JzGR45QtuuQ,3073
+traffic_taffy/tools/dissect.py,sha256=kGG0K2d9-OwrAhEU97id2m29PvhYaXZYIw1nLi1aVsE,3346
 traffic_taffy/tools/explore.py,sha256=gUcOfAgangJJI1si1gLPUoWRUKmWUAXSP0oTD2JJygw,24149
 traffic_taffy/tools/export.py,sha256=9zBBGhZK95b4ZiLJ8XK30GPsaBjgR84Sk1HoPIxRpTI,2844
 traffic_taffy/tools/graph.py,sha256=KiKDY9R8JLT5-JouANoi_1WGcdFMhXsLnYlhPsFRWpM,2316
-traffic_taffy-0.9.6.dist-info/METADATA,sha256=pc-nZx_uzZb6DSBR1ZWCbDrKnHPVlkB6EhlSU4T9SWc,2304
-traffic_taffy-0.9.6.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-traffic_taffy-0.9.6.dist-info/entry_points.txt,sha256=F0lqjvw94nQ3hY4eerN7faT9aKhhGUHbqBhuEr9q1r8,361
-traffic_taffy-0.9.6.dist-info/licenses/LICENSE.txt,sha256=hiV1DJgDQeSM1r7P-ez5oxily11S5nsCedU0jKzKKzo,11338
-traffic_taffy-0.9.6.dist-info/RECORD,,
+traffic_taffy-0.9.8.dist-info/METADATA,sha256=AhnwUs9q5jfXHgQOWbF5wYFEkSX3al81a02UgMZLgak,2311
+traffic_taffy-0.9.8.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+traffic_taffy-0.9.8.dist-info/entry_points.txt,sha256=F0lqjvw94nQ3hY4eerN7faT9aKhhGUHbqBhuEr9q1r8,361
+traffic_taffy-0.9.8.dist-info/licenses/LICENSE.txt,sha256=eFp2vwcZFJW55SUQRoEfXio3K9XdwvsaI_WHntR7I2M,11338
+traffic_taffy-0.9.8.dist-info/RECORD,,

{traffic_taffy-0.9.6.dist-info → traffic_taffy-0.9.8.dist-info}/licenses/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright 2023-2024 USC/ISI
+Copyright 2023-2025 USC/ISI
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.