def __init__(self, **kwargs):
    """Set up the ``country`` decoder, a chainable geolocation filter.

    Per-stream bookkeeping (``sessions``, ``alerts``, ``file``) is
    initialised before the base constructor runs.  ``alerts`` starts as
    ``False``; presumably the base class overwrites it from the ``alerts``
    option (``--country_alerts`` by the naming used in the help text) --
    verify against ``dshell.TCPDecoder``.

    NOTE(review): ``kwargs`` is accepted but never forwarded to
    ``dshell.TCPDecoder.__init__``; confirm whether any caller relies on it.
    """
    self.sessions = {}
    self.alerts = False
    self.file = None

    usage = """ country: filter connections on geolocation (country code) Chainable decoder to filter TCP/UDP streams on geolocation data. If no downstream (+) decoders are specified, netflow data will be printed to the screen. Mandatory option: --country_code: specify (2 character) country code to filter on Default behavior: If either the client or server IP address matches the specified country, the stream will be included. Modifier options: --country_neither: Include only streams where neither the client nor the server IP address matches the specified country. --country_both: Include only streams where both the client AND the server IP addresses match the specified country. --country_notboth: Include streams where the specified country is NOT BOTH the client and server IP. Streams where it is one or the other may be included. Example: decode -d country traffic.pcap -W USonly.pcap --country_code US decode -d country+followstream traffic.pcap --country_code US --country_notboth """

    # Command-line switches registered with the framework; all of the
    # boolean modifiers default to off.
    options = {
        'code': {'type': 'string', 'help': 'two-char country code'},
        'neither': {'action': 'store_true',
                    'help': 'neither (client/server) is in specified country'},
        'both': {'action': 'store_true',
                 'help': 'both (client/server) ARE in specified country'},
        'notboth': {'action': 'store_true',
                    'help': 'specified country is not both client and server'},
        'alerts': {'action': 'store_true'},
    }

    dshell.TCPDecoder.__init__(
        self,
        name='country',
        description='filter connections on geolocation (country code)',
        longdescription=usage,
        filter="ip or ip6",
        author='twp',
        optiondict=options,
    )

    # Inner IP decoder that calls back to this instance once IP decoding
    # is done.  Double underscore => name-mangled, private to this class.
    self.__decoder = dshell.IPDecoder()
    self.out = netflowout.NetflowOutput()
    # Chainable: a downstream (+) decoder may consume the filtered streams.
    self.chainable = True
def __init__(self):
    """Set up the ``netflow`` decoder, which reports flow records from pcap.

    The only option, ``group``, is declared with an empty spec; per the
    original comment it is grouping for the output module, so presumably
    ``netflowout.NetflowOutput`` reads it -- verify there.
    """
    # grouping for output module
    options = {'group': {}}

    dshell.TCPDecoder.__init__(
        self,
        name='netflow',
        description='generate netflow information from pcap',
        longdescription='generate netflow information from pcap',
        filter='(tcp or udp)',
        author='bg',
        optiondict=options,
    )

    self.out = netflowout.NetflowOutput()
def __init__(self):
    """Set up the ``large-flows`` decoder (flows that moved at least 1MB).

    ``self.min`` holds the byte threshold and is initialised to 1MB here.
    The ``size`` option is expressed in megabytes and defaults to 1;
    presumably the threshold is recomputed from it later in the decoder
    lifecycle -- verify before changing either value.
    """
    size_option = {
        'size': {
            'type': 'float',
            'default': 1,
            'help': 'number of megabytes transferred',
        },
    }

    dshell.TCPDecoder.__init__(
        self,
        name='large-flows',
        description='display netflows that have at least 1MB transferred',
        filter='tcp',
        author='bg',
        optiondict=size_option,
    )

    self.out = netflowout.NetflowOutput()
    # 1MB expressed in bytes (1024 * 1024).
    self.min = 1048576
def __init__(self, **kwargs):
    """Set up the ``asn-filter`` decoder, a chainable ASN-based filter.

    Per-stream bookkeeping (``sessions``, ``alerts``, ``file``) is
    initialised before the base constructor runs.  ``alerts`` starts as
    ``False``; presumably the base class overwrites it from the ``alerts``
    option (``--asn-filter_alerts`` per the help text) -- verify against
    ``dshell.TCPDecoder``.

    NOTE(review): ``kwargs`` is accepted but never forwarded to
    ``dshell.TCPDecoder.__init__``; confirm whether any caller relies on it.
    """
    self.sessions = {}
    self.alerts = False
    self.file = None

    usage = """ This decoder filters connections by autonomous system numbers/names (ASN). Chainable decoder used to filter TCP/UDP streams by ASNs. If no downstream (+) decoder is used the netflow data will be printed to the screen (when using --asn-filter_alerts). If used without specifying a asn string, the asn-filter will filter nothing out and pass everything onto the next decoder or print it. Examples: decode -d asn-filter <pcap> --asn-filter_asn AS8075 --asn-filter_alerts This will print the connection info for all connections where AS8075 is the ASN for either the server of client. decode -d asn-filter <pcap> --asn-filter_asn Google --asn-filter_alerts This will print the connection info for all connections where "Google" appeared in the ASN information. decode -d asn-filter+followstream <pcap> --asn-filter_asn AS8075 This will filter the streams by ASN and feed them into the followstream decoder. """

    # Command-line switches registered with the framework.  Note that the
    # help text documents a match on either ASN number or name text.
    options = {
        'asn': {'type': 'string', 'help': 'asn for client or server'},
        'alerts': {'action': 'store_true'},
    }

    dshell.TCPDecoder.__init__(
        self,
        name='asn-filter',
        description='filter connections on autonomous system number (ASN)',
        longdescription=usage,
        filter="ip or ip6",
        author='twp/nl',
        optiondict=options,
    )

    # Inner IP decoder that calls back to this instance once IP decoding
    # is done.  Double underscore => name-mangled, private to this class.
    self.__decoder = dshell.IPDecoder()
    self.out = netflowout.NetflowOutput()
    # Chainable: a downstream (+) decoder may consume the filtered streams.
    self.chainable = True
def __init__(self):
    """Set up the ``long-flows`` decoder (flows lasting at least 5 minutes).

    ``self.len`` is the minimum duration in minutes.  It is seeded with 5
    before the base constructor runs; the ``len`` option carries the same
    default, so presumably the base class overwrites the attribute from the
    parsed option -- verify against ``dshell.TCPDecoder``.
    """
    self.len = 5

    options = {
        'len': {
            'type': 'int',
            'default': 5,
            'help': 'set minimum connection time to alert on, in minutes [default: 5 mins]',
        },
    }

    dshell.TCPDecoder.__init__(
        self,
        name='long-flows',
        description='display netflows that have a duration of at least 5mins',
        filter='(tcp or udp)',
        author='bg',
        optiondict=options,
    )

    self.out = netflowout.NetflowOutput()