pdml2flow
Aggregates Wireshark PDML (the XML that tshark emits with -T pdml) to flows, with plugins
Prerequisites
Installation
$ sudo pip install pdml2flow
(To avoid installing into the system interpreter as root, `pip install --user pdml2flow` or a virtualenv works as well.)
Usage
$ pdml2flow -h
usage: pdml2flow [-h] [--version] [-f FLOW_DEF_STR] [-t FLOW_BUFFER_TIME]
[-l DATA_MAXLEN] [-s] [-c] [-a] [-m] [-d] [+json [args]]
[+xml [args]]
Aggregates wireshark pdml to flows
optional arguments:
-h, --help show this help message and exit
--version Print version and exit
-f FLOW_DEF_STR Fields which define the flow, nesting with: '.'
[default: ['vlan.id', 'ip.src', 'ip.dst', 'ipv6.src',
'ipv6.dst', 'udp.stream', 'tcp.stream']]
-t FLOW_BUFFER_TIME Length (in seconds) to buffer a flow before writing the
packets [default: 180]
-l DATA_MAXLEN Maximum length of data in a tshark pdml field [default:
200]
-s Extract show names, every data leaf will now look like
{ raw : [] , show: [] } [default: False]
-c Removes duplicate data when merging objects, will not
preserve order of leaves [default: False]
-a Instead of merging the frames will append them to an
array [default: False]
-m Appends flow metadata [default: False]
-d Debug mode [default: False]
Plugins:
+json [args] usage: JSON output [-h] [-0] optional arguments: -h,
--help show this help message and exit -0 Terminates
lines with null character
+xml [args] usage: XML output [-h] [-0] optional arguments: -h,
--help show this help message and exit -0 Terminates
lines with null character
Example
Sniff from interface and write json:
$ tshark -i interface -Tpdml | pdml2flow +json
Read a .pcap file:
$ tshark -r pcap_file -Tpdml | pdml2flow +json
Aggregate based on Ethernet source and Ethernet destination address:
$ tshark -i interface -Tpdml | pdml2flow -f eth.src -f eth.dst +json
Pretty print flows using jq:
$ tshark -i interface -Tpdml | pdml2flow +json | jq
Post-process flows using FluentFlow:
$ tshark -i interface -Tpdml | pdml2flow +json | fluentflow rules.js
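To make the aggregation semantics behind the options above concrete (the dotted flow definition, the -t buffer time, and the output shapes selected by -s, -c and -a), here is a small stand-alone Python re-implementation written for this page. It is not pdml2flow's own code, and the following are this example's assumptions rather than documented project behaviour: a frame's flow id is the tuple of `show` values of the flow-definition fields (so the two directions of one TCP stream are separate flows, and a frame matching none of the fields, e.g. ARP, gets no flow); a flow is flushed when a later frame arrives more than the buffer time after the flow's last frame; -c-style deduplication keeps the first occurrence in order; and a field name that is both a leaf and a prefix (tcp.flags and tcp.flags.syn) keeps its own values under the key ''. The PDML sample is constructed, not a real capture.

```python
"""Toy re-implementation of the aggregation pdml2flow performs, written as
an illustration for this page; it is not the project's code."""
import xml.etree.ElementTree as ET

# Default flow definition as printed by `pdml2flow -h`
DEFAULT_FLOW_DEF = ('vlan.id', 'ip.src', 'ip.dst', 'ipv6.src', 'ipv6.dst',
                    'udp.stream', 'tcp.stream')

# Constructed PDML (not a real capture): three frames of TCP stream 0 in both
# directions, then a DNS query 400 s later that pushes the TCP flows past -t.
SAMPLE_PDML = """<pdml>
<packet><proto name="frame"><field name="frame.number" show="1"/><field name="frame.time_epoch" show="0.000"/></proto>
 <proto name="eth"><field name="eth.src" show="aa:aa:aa:aa:aa:aa"/><field name="eth.dst" show="bb:bb:bb:bb:bb:bb"/></proto>
 <proto name="ip"><field name="ip.src" show="10.0.0.1" value="0a000001"/><field name="ip.dst" show="10.0.0.2" value="0a000002"/></proto>
 <proto name="tcp"><field name="tcp.stream" show="0"/><field name="tcp.srcport" show="40000"/><field name="tcp.dstport" show="80"/>
  <field name="tcp.flags" show="0x0002" value="0002"><field name="tcp.flags.syn" show="1" value="1"/></field></proto></packet>
<packet><proto name="frame"><field name="frame.number" show="2"/><field name="frame.time_epoch" show="0.010"/></proto>
 <proto name="eth"><field name="eth.src" show="bb:bb:bb:bb:bb:bb"/><field name="eth.dst" show="aa:aa:aa:aa:aa:aa"/></proto>
 <proto name="ip"><field name="ip.src" show="10.0.0.2" value="0a000002"/><field name="ip.dst" show="10.0.0.1" value="0a000001"/></proto>
 <proto name="tcp"><field name="tcp.stream" show="0"/><field name="tcp.srcport" show="80"/><field name="tcp.dstport" show="40000"/></proto></packet>
<packet><proto name="frame"><field name="frame.number" show="3"/><field name="frame.time_epoch" show="0.020"/></proto>
 <proto name="eth"><field name="eth.src" show="aa:aa:aa:aa:aa:aa"/><field name="eth.dst" show="bb:bb:bb:bb:bb:bb"/></proto>
 <proto name="ip"><field name="ip.src" show="10.0.0.1" value="0a000001"/><field name="ip.dst" show="10.0.0.2" value="0a000002"/></proto>
 <proto name="tcp"><field name="tcp.stream" show="0"/><field name="tcp.srcport" show="40000"/><field name="tcp.dstport" show="80"/></proto></packet>
<packet><proto name="frame"><field name="frame.number" show="4"/><field name="frame.time_epoch" show="400.000"/></proto>
 <proto name="eth"><field name="eth.src" show="aa:aa:aa:aa:aa:aa"/><field name="eth.dst" show="bb:bb:bb:bb:bb:bb"/></proto>
 <proto name="ip"><field name="ip.src" show="10.0.0.1" value="0a000001"/><field name="ip.dst" show="10.0.0.53" value="0a000035"/></proto>
 <proto name="udp"><field name="udp.stream" show="0"/><field name="udp.dstport" show="53"/></proto></packet>
</pdml>"""


def parse_frames(pdml_text):
    """Yield one flat dict per <packet>: field name -> [(raw, show), ...].
    A list per name keeps repeated fields (e.g. two ip layers in a tunnel)."""
    for packet in ET.fromstring(pdml_text).iter('packet'):
        frame = {}
        for field in packet.iter('field'):   # iter() also descends into nested fields
            if field.get('name'):
                frame.setdefault(field.get('name'), []).append(
                    (field.get('value'), field.get('show')))
        yield frame


def flow_id(frame, flow_def=DEFAULT_FLOW_DEF):
    """Assumption of this example: the key is the tuple of show values of the
    flow-def fields (None where absent); a frame matching no field gets None."""
    key = tuple(frame[f][0][1] if f in frame else None for f in flow_def)
    return key if any(v is not None for v in key) else None


def nest(flat, show_names=False):
    """'ip.src' -> {'ip': {'src': leaf}}, leaf = [show, ...] or, like -s,
    {'raw': [...], 'show': [...]}.  Children are placed first so a name that is
    both leaf and prefix (tcp.flags / tcp.flags.syn) lands under key ''."""
    out = {}
    for name in sorted(flat, key=lambda n: -n.count('.')):
        pairs = flat[name]
        leaf = ({'raw': [r for r, _ in pairs], 'show': [s for _, s in pairs]}
                if show_names else [s for _, s in pairs])
        *parents, last = name.split('.')
        node = out
        for part in parents:
            node = node.setdefault(part, {})
        if isinstance(node.get(last), dict):
            node[last][''] = leaf
        else:
            node[last] = leaf
    return out


def aggregate(pdml_text, flow_def=DEFAULT_FLOW_DEF, buffer_time=180.0,
              show_names=False, dedup=False, append=False):
    """Stream frames into flows.  A flow is flushed once a later frame is more
    than buffer_time seconds past the flow's last frame (cf. -t), the rest at
    end of input.  dedup ~ -c (order kept here), append ~ -a."""
    active, done = {}, []     # flow id -> {'frames': [...], 'last': epoch}

    def flush(fid):
        frames = active.pop(fid)['frames']
        if append:
            data = [nest(f, show_names) for f in frames]
        else:
            merged = {}
            for f in frames:
                for name, pairs in f.items():
                    merged.setdefault(name, []).extend(pairs)
            if dedup:
                merged = {n: list(dict.fromkeys(p)) for n, p in merged.items()}
            data = nest(merged, show_names)
        done.append({'id': fid, 'frames': len(frames), 'data': data})

    for frame in parse_frames(pdml_text):
        fid = flow_id(frame, flow_def)
        if fid is None:
            continue
        now = float(frame['frame.time_epoch'][0][1])   # every sample frame carries it
        for stale in [k for k, v in active.items() if now - v['last'] > buffer_time]:
            flush(stale)
        flow = active.setdefault(fid, {'frames': [], 'last': now})
        flow['frames'].append(frame)
        flow['last'] = now
    for fid in list(active):
        flush(fid)
    return done
```

Calling `aggregate(SAMPLE_PDML)` yields three flows: the 10.0.0.1 to 10.0.0.2 direction of stream 0 with two frames, the reverse direction with one, and the DNS query; the first two are flushed when frame 4 arrives 400 s later, the third at end of input. Passing `flow_def=('eth.src', 'eth.dst')` reproduces the `-f eth.src -f eth.dst` example above and shows why -t matters: the DNS frame shares its MAC pair with frames 1 and 3 but starts a new flow because the earlier one has already expired.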
Plugins
Create a New Plugin
Utils
The following utilities are part of this project:
pdml2frame
Wireshark pdml to frames, with plugins
$ pdml2frame -h
usage: pdml2frame [-h] [--version] [-s] [-d] [+json [args]] [+xml [args]]
Converts wireshark pdml to frames
optional arguments:
-h, --help show this help message and exit
--version Print version and exit
-s Extract show names, every data leaf will now look like { raw :
[] , show: [] } [default: False]
-d Debug mode [default: False]
Plugins:
+json [args] usage: JSON output [-h] [-0] optional arguments: -h, --help
show this help message and exit -0 Terminates lines with null
character
+xml [args] usage: XML output [-h] [-0] optional arguments: -h, --help
show this help message and exit -0 Terminates lines with null
character
Download files
Source Distribution
pdml2flow-5.0.tar.gz (17.3 kB)