noisedestroyers/StreamLens
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

working to analyze timing issues

Browse Source
This commit is contained in:
noisedestroyers
2025-07-25 15:52:16 -04:00
parent 70c2a1b9d3
commit 4c6e23bff8
31 changed files with 3197 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
.DS_Store vendored Normal file
View File

Binary file not shown.

23
.gitignore vendored Normal file
View File

@@ -0,0 +1,23 @@
# Created by venv; see https://docs.python.org/3/library/venv.html
venv/
venvbak/
__pycache__/
*.pyc
*.pyo
*.pyd
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg

BIN
1 PTPGM.pcapng Normal file
View File

Binary file not shown.

BIN
FSTDaircraft.pcapng Normal file
View File

Binary file not shown.

36
analyzer/__init__.py Normal file
View File

@@ -0,0 +1,36 @@
"""
Ethernet Traffic Analyzer - A modular network analysis tool
This package provides comprehensive analysis of ethernet traffic with specialized
support for telemetry protocols like Chapter 10 (IRIG106), PTP, and IENA.
"""
from .analysis import EthernetAnalyzer, StatisticsEngine, FlowManager
from .models import FlowStats, FrameTypeStats, AnalysisResult
from .protocols import (
Chapter10Dissector, Chapter10Packet,
PTPDissector, IENADissector, StandardProtocolDissectors
)
from .tui import TUIInterface
from .utils import PCAPLoader, LiveCapture
__version__ = "2.0.0"
__author__ = "Network Analysis Team"
__all__ = [
# Core analysis
'EthernetAnalyzer', 'StatisticsEngine', 'FlowManager',
# Data models
'FlowStats', 'FrameTypeStats', 'AnalysisResult',
# Protocol dissectors
'Chapter10Dissector', 'Chapter10Packet',
'PTPDissector', 'IENADissector', 'StandardProtocolDissectors',
# User interface
'TUIInterface',
# Utilities
'PCAPLoader', 'LiveCapture'
]

9
analyzer/analysis/__init__.py Normal file
View File

@@ -0,0 +1,9 @@
"""
Analysis components for the Ethernet Traffic Analyzer
"""
from .core import EthernetAnalyzer
from .statistics import StatisticsEngine
from .flow_manager import FlowManager
__all__ = ['EthernetAnalyzer', 'StatisticsEngine', 'FlowManager']

115
analyzer/analysis/core.py Normal file
View File

@@ -0,0 +1,115 @@
"""
Core analysis engine for the Ethernet Traffic Analyzer
"""
import sys
import threading
from typing import List, Dict
try:
from scapy.all import rdpcap, sniff, Packet
except ImportError:
print("Error: scapy library required. Install with: pip install scapy")
sys.exit(1)
from .flow_manager import FlowManager
from .statistics import StatisticsEngine
from ..models import AnalysisResult
class EthernetAnalyzer:
"""Main analyzer class for ethernet traffic analysis"""
def __init__(self, enable_realtime: bool = False, outlier_threshold_sigma: float = 3.0):
self.statistics_engine = StatisticsEngine(outlier_threshold_sigma=outlier_threshold_sigma, enable_realtime=enable_realtime)
self.flow_manager = FlowManager(self.statistics_engine)
self.all_packets: List[Packet] = []
self.is_live = False
self.stop_capture = False
# Expose flows for backward compatibility
self.flows = self.flow_manager.flows
# Create a simple dissector for backward compatibility
self.dissector = SimpleFrameDissector(self.flow_manager)
def analyze_pcap(self, pcap_file: str) -> None:
"""Analyze a pcap file"""
print(f"Loading pcap file: {pcap_file}")
try:
packets = rdpcap(pcap_file)
self.all_packets = packets
print(f"Loaded {len(packets)} packets")
self._process_packets(packets)
except Exception as e:
print(f"Error loading pcap file: {e}")
sys.exit(1)
def start_live_capture(self, interface: str = None, filter_str: str = None) -> None:
"""Start live packet capture"""
self.is_live = True
print(f"Starting live capture on interface: {interface or 'default'}")
def packet_handler(packet):
if self.stop_capture:
return
self.all_packets.append(packet)
self._process_single_packet(packet, len(self.all_packets))
try:
sniff(iface=interface, filter=filter_str, prn=packet_handler,
stop_filter=lambda x: self.stop_capture)
except Exception as e:
print(f"Error during live capture: {e}")
def _process_packets(self, packets: List[Packet]) -> None:
"""Process a list of packets"""
for i, packet in enumerate(packets, 1):
self._process_single_packet(packet, i)
def _process_single_packet(self, packet: Packet, frame_num: int) -> None:
"""Process a single packet"""
self.flow_manager.process_packet(packet, frame_num)
def calculate_statistics(self) -> None:
"""Calculate timing statistics and detect outliers"""
self.statistics_engine.calculate_flow_statistics(self.flows)
def get_summary(self) -> Dict:
"""Get analysis summary"""
flow_summary = self.flow_manager.get_flows_summary()
return {
'total_packets': len(self.all_packets),
'unique_flows': flow_summary['total_flows'],
'unique_ips': flow_summary['unique_ips'],
'flows': flow_summary['flows']
}
def get_analysis_result(self) -> AnalysisResult:
"""Get structured analysis result"""
summary = self.get_summary()
return AnalysisResult(
total_packets=summary['total_packets'],
unique_flows=summary['unique_flows'],
unique_ips=summary['unique_ips'],
flows=summary['flows']
)
def get_high_jitter_flows(self, threshold: float = 0.1):
"""Get flows with high timing jitter"""
return self.statistics_engine.identify_high_jitter_flows(self.flows, threshold)
def get_summary_statistics(self) -> Dict:
"""Get summary statistics across all flows"""
return self.statistics_engine.get_flow_summary_statistics(self.flows)
class SimpleFrameDissector:
"""Simple frame dissector for backward compatibility"""
def __init__(self, flow_manager: FlowManager):
self.flow_manager = flow_manager
def dissect_frame(self, packet: Packet, frame_num: int) -> Dict:
"""Dissect a frame using the flow manager's dissection system"""
return self.flow_manager._dissect_packet(packet, frame_num)

328
analyzer/analysis/flow_manager.py Normal file
View File

@@ -0,0 +1,328 @@
"""
Flow tracking and management
"""
from typing import Dict, Set, Tuple
from ..models import FlowStats, FrameTypeStats
from ..protocols import Chapter10Dissector, PTPDissector, IENADissector, StandardProtocolDissectors
try:
from scapy.all import Packet, IP, UDP, TCP
except ImportError:
print("Error: scapy library required. Install with: pip install scapy")
import sys
sys.exit(1)
class FlowManager:
"""Manages network flows and frame type classification"""
def __init__(self, statistics_engine=None):
self.flows: Dict[Tuple[str, str], FlowStats] = {}
self.statistics_engine = statistics_engine
# Initialize dissectors
self.specialized_dissectors = {
'chapter10': Chapter10Dissector(),
'ptp': PTPDissector(),
'iena': IENADissector()
}
self.standard_dissectors = StandardProtocolDissectors()
def process_packet(self, packet: Packet, frame_num: int) -> None:
"""Process a single packet and update flow statistics"""
if not packet.haslayer(IP):
return
ip_layer = packet[IP]
src_ip = ip_layer.src
dst_ip = ip_layer.dst
timestamp = float(packet.time)
packet_size = len(packet)
# Determine basic protocol
protocols = self._detect_basic_protocols(packet)
# Create flow key
flow_key = (src_ip, dst_ip)
# Initialize flow stats if new
if flow_key not in self.flows:
self.flows[flow_key] = FlowStats(
src_ip=src_ip,
dst_ip=dst_ip,
frame_count=0,
timestamps=[],
frame_numbers=[],
inter_arrival_times=[],
avg_inter_arrival=0.0,
std_inter_arrival=0.0,
outlier_frames=[],
outlier_details=[],
total_bytes=0,
protocols=set(),
detected_protocol_types=set(),
frame_types={}
)
# Update flow stats
flow = self.flows[flow_key]
flow.frame_count += 1
flow.timestamps.append(timestamp)
flow.frame_numbers.append(frame_num)
flow.total_bytes += packet_size
flow.protocols.update(protocols)
# Enhanced protocol detection
dissection_results = self._dissect_packet(packet, frame_num)
enhanced_protocols = self._extract_enhanced_protocols(dissection_results)
flow.detected_protocol_types.update(enhanced_protocols)
# Add fallback protocol detection
fallback_protocols = self._detect_fallback_protocols(packet, dissection_results)
flow.detected_protocol_types.update(fallback_protocols)
# Classify and track frame types
frame_type = self._classify_frame_type(packet, dissection_results)
self._update_frame_type_stats(flow, frame_type, frame_num, timestamp, packet_size)
# Calculate inter-arrival time
if len(flow.timestamps) > 1:
inter_arrival = timestamp - flow.timestamps[-2]
flow.inter_arrival_times.append(inter_arrival)
# Update real-time statistics if enabled
if self.statistics_engine and self.statistics_engine.enable_realtime:
self.statistics_engine.update_realtime_statistics(flow_key, flow)
def _detect_basic_protocols(self, packet: Packet) -> Set[str]:
"""Detect basic transport protocols"""
protocols = set()
if packet.haslayer(UDP):
protocols.add('UDP')
if packet.haslayer(TCP):
protocols.add('TCP')
if not protocols:
protocols.add('OTHER')
return protocols
def _dissect_packet(self, packet: Packet, frame_num: int) -> Dict:
"""Comprehensive packet dissection"""
result = {
'frame_number': frame_num,
'timestamp': float(packet.time),
'size': len(packet),
'layers': {},
'protocols': []
}
# Apply standard dissectors
standard_layers = self.standard_dissectors.dissect_all(packet)
result['layers'].update(standard_layers)
# Apply specialized protocol dissectors
for name, dissector in self.specialized_dissectors.items():
try:
if dissector.can_dissect(packet):
dissection = dissector.dissect(packet)
if dissection:
result['layers'][name] = dissection.fields
result['protocols'].append(dissection.protocol.name)
if dissection.errors:
result['layers'][name]['errors'] = dissection.errors
if dissection.payload:
result['layers'][name]['payload_size'] = len(dissection.payload)
except Exception as e:
result['layers'][name] = {'error': str(e)}
return result
def _extract_enhanced_protocols(self, dissection: Dict) -> Set[str]:
"""Extract enhanced protocol types from dissection"""
protocols = set()
if dissection.get('protocols'):
protocols.update(dissection['protocols'])
return protocols
def _detect_fallback_protocols(self, packet: Packet, dissection: Dict) -> Set[str]:
"""Detect protocol types with fallback to generic descriptions"""
protocol_types = set()
if packet.haslayer(UDP):
udp_layer = packet[UDP]
sport, dport = udp_layer.sport, udp_layer.dport
# Check for common protocols by port
port_protocols = {
(67, 68): 'DHCP',
(53,): 'DNS',
(123,): 'NTP',
(161, 162): 'SNMP',
(69,): 'TFTP',
(319, 320): 'PTP',
(50000, 50001): 'IENA'
}
for ports, protocol in port_protocols.items():
if sport in ports or dport in ports:
protocol_types.add(protocol)
break
else:
protocol_types.add('UDP')
if packet.haslayer(TCP):
tcp_layer = packet[TCP]
sport, dport = tcp_layer.sport, tcp_layer.dport
tcp_protocols = {
(80,): 'HTTP',
(443,): 'HTTPS',
(22,): 'SSH',
(23,): 'Telnet',
(21,): 'FTP',
(25,): 'SMTP',
(110,): 'POP3',
(143,): 'IMAP'
}
for ports, protocol in tcp_protocols.items():
if sport in ports or dport in ports:
protocol_types.add(protocol)
break
else:
protocol_types.add('TCP')
# Check for IGMP and ICMP
if packet.haslayer(IP):
ip_layer = packet[IP]
if ip_layer.proto == 2: # IGMP protocol number
protocol_types.add('IGMP')
elif ip_layer.proto == 1: # ICMP protocol number
protocol_types.add('ICMP')
# Check for multicast addresses
if packet.haslayer(IP):
ip_layer = packet[IP]
dst_ip = ip_layer.dst
if dst_ip.startswith('224.') or dst_ip.startswith('239.'):
protocol_types.add('Multicast')
return protocol_types
def _classify_frame_type(self, packet: Packet, dissection: Dict) -> str:
"""Classify the frame type based on dissection results"""
layers = dissection.get('layers', {})
# Check for Chapter 10 first
if 'chapter10' in layers and not layers['chapter10'].get('error'):
ch10_info = layers['chapter10']
# Check if it's a TMATS frame
if self._is_tmats_frame(packet, ch10_info):
return 'TMATS'
else:
return 'CH10-Data'
# Check for other specialized protocols
if 'ptp' in layers and not layers['ptp'].get('error'):
ptp_info = layers['ptp']
msg_type = ptp_info.get('message_type_name', 'Unknown')
return f'PTP-{msg_type}'
if 'iena' in layers and not layers['iena'].get('error'):
iena_info = layers['iena']
packet_type = iena_info.get('packet_type_name', 'Unknown')
return f'IENA-{packet_type}'
# Fallback to basic protocol classification
if packet.haslayer(UDP):
udp_layer = packet[UDP]
sport, dport = udp_layer.sport, udp_layer.dport
if sport == 53 or dport == 53:
return 'DNS'
elif sport in [67, 68] or dport in [67, 68]:
return 'DHCP'
elif sport == 123 or dport == 123:
return 'NTP'
else:
return 'UDP'
if packet.haslayer(TCP):
tcp_layer = packet[TCP]
sport, dport = tcp_layer.sport, tcp_layer.dport
if sport == 80 or dport == 80:
return 'HTTP'
elif sport == 443 or dport == 443:
return 'HTTPS'
else:
return 'TCP'
# Check for other protocols
if packet.haslayer(IP):
ip_layer = packet[IP]
if ip_layer.proto == 2:
return 'IGMP'
elif ip_layer.proto == 1:
return 'ICMP'
return 'OTHER'
def _is_tmats_frame(self, packet: Packet, ch10_info: Dict) -> bool:
"""Check if a Chapter 10 frame contains TMATS data"""
data_type = ch10_info.get('data_type', 0)
# Data type 0x01 is typically TMATS
if data_type == 0x01:
return True
# Also check for TMATS text patterns in the payload
if packet.haslayer('Raw'):
from scapy.all import Raw
raw_data = bytes(packet[Raw])
# Look for TMATS-like patterns (ASCII text with TMATS keywords)
try:
# Check if we can find TMATS signature patterns
text_sample = raw_data[50:200] # Sample middle section to avoid headers
if b'\\' in text_sample and (b':' in text_sample or b';' in text_sample):
# Look for TMATS-style key-value pairs
if any(keyword in text_sample.upper() for keyword in [b'TMATS', b'R-', b'G-', b'P-', b'T-']):
return True
except:
pass
return False
def _update_frame_type_stats(self, flow: FlowStats, frame_type: str,
frame_num: int, timestamp: float, packet_size: int):
"""Update statistics for a specific frame type"""
if frame_type not in flow.frame_types:
flow.frame_types[frame_type] = FrameTypeStats(frame_type=frame_type)
ft_stats = flow.frame_types[frame_type]
ft_stats.count += 1
ft_stats.total_bytes += packet_size
ft_stats.timestamps.append(timestamp)
ft_stats.frame_numbers.append(frame_num)
# Calculate inter-arrival time for this frame type
if len(ft_stats.timestamps) > 1:
inter_arrival = timestamp - ft_stats.timestamps[-2]
ft_stats.inter_arrival_times.append(inter_arrival)
def get_flows_summary(self) -> Dict:
"""Get summary of all flows"""
unique_ips = set()
for flow in self.flows.values():
unique_ips.add(flow.src_ip)
unique_ips.add(flow.dst_ip)
return {
'total_flows': len(self.flows),
'unique_ips': len(unique_ips),
'flows': self.flows
}

240
analyzer/analysis/statistics.py Normal file
View File

@@ -0,0 +1,240 @@
"""
Statistical analysis engine for timing and outlier detection
"""
import statistics
from typing import Dict, List, Tuple
from ..models import FlowStats, FrameTypeStats
class StatisticsEngine:
"""Handles statistical calculations and outlier detection"""
def __init__(self, outlier_threshold_sigma: float = 3.0, enable_realtime: bool = False):
"""
Initialize statistics engine
Args:
outlier_threshold_sigma: Number of standard deviations for outlier detection
enable_realtime: Enable real-time running statistics calculation
"""
self.outlier_threshold_sigma = outlier_threshold_sigma
self.enable_realtime = enable_realtime
self.realtime_stats = {} # Cache for running statistics
def calculate_flow_statistics(self, flows: Dict[tuple, FlowStats]) -> None:
"""Calculate timing statistics and detect outliers for all flows"""
for flow in flows.values():
self._calculate_single_flow_statistics(flow)
def _calculate_single_flow_statistics(self, flow: FlowStats) -> None:
"""Calculate statistics for a single flow"""
if len(flow.inter_arrival_times) < 2:
return
# Calculate average and std deviation for overall flow
flow.avg_inter_arrival = statistics.mean(flow.inter_arrival_times)
flow.std_inter_arrival = statistics.stdev(flow.inter_arrival_times)
# Detect outliers (frames with inter-arrival time > threshold * std deviations from mean)
threshold = flow.avg_inter_arrival + (self.outlier_threshold_sigma * flow.std_inter_arrival)
for i, inter_time in enumerate(flow.inter_arrival_times):
if inter_time > threshold:
# Frame number is i+2 because inter_arrival_times[i] is between frame i+1 and i+2
frame_number = flow.frame_numbers[i + 1]
flow.outlier_frames.append(frame_number)
flow.outlier_details.append((frame_number, inter_time))
# Calculate statistics for each frame type
for frame_type, ft_stats in flow.frame_types.items():
self._calculate_frame_type_statistics(ft_stats)
def _calculate_frame_type_statistics(self, ft_stats: FrameTypeStats) -> None:
"""Calculate statistics for a specific frame type"""
if len(ft_stats.inter_arrival_times) < 2:
return
ft_stats.avg_inter_arrival = statistics.mean(ft_stats.inter_arrival_times)
ft_stats.std_inter_arrival = statistics.stdev(ft_stats.inter_arrival_times)
# Detect outliers for this frame type
ft_threshold = ft_stats.avg_inter_arrival + (self.outlier_threshold_sigma * ft_stats.std_inter_arrival)
for i, inter_time in enumerate(ft_stats.inter_arrival_times):
if inter_time > ft_threshold:
frame_number = ft_stats.frame_numbers[i + 1]
ft_stats.outlier_frames.append(frame_number)
ft_stats.outlier_details.append((frame_number, inter_time))
def get_flow_summary_statistics(self, flows: Dict[tuple, FlowStats]) -> Dict[str, float]:
"""Get summary statistics across all flows"""
all_inter_arrivals = []
total_packets = 0
total_outliers = 0
for flow in flows.values():
all_inter_arrivals.extend(flow.inter_arrival_times)
total_packets += flow.frame_count
total_outliers += len(flow.outlier_frames)
if not all_inter_arrivals:
return {}
return {
'overall_avg_inter_arrival': statistics.mean(all_inter_arrivals),
'overall_std_inter_arrival': statistics.stdev(all_inter_arrivals) if len(all_inter_arrivals) > 1 else 0,
'total_packets': total_packets,
'total_outliers': total_outliers,
'outlier_percentage': (total_outliers / total_packets * 100) if total_packets > 0 else 0
}
def identify_high_jitter_flows(self, flows: Dict[tuple, FlowStats],
jitter_threshold: float = 0.1) -> List[FlowStats]:
"""Identify flows with high timing jitter"""
high_jitter_flows = []
for flow in flows.values():
if flow.avg_inter_arrival > 0:
# Calculate coefficient of variation (CV) as a measure of jitter
cv = flow.std_inter_arrival / flow.avg_inter_arrival
if cv > jitter_threshold:
high_jitter_flows.append(flow)
# Sort by coefficient of variation (highest first)
high_jitter_flows.sort(key=lambda f: f.std_inter_arrival / f.avg_inter_arrival
if f.avg_inter_arrival > 0 else 0, reverse=True)
return high_jitter_flows
def calculate_inter_arrival_percentiles(self, flow: FlowStats) -> Dict[str, float]:
"""Calculate percentiles for inter-arrival times"""
if not flow.inter_arrival_times:
return {}
times = sorted(flow.inter_arrival_times)
n = len(times)
def percentile(p: float) -> float:
k = (n - 1) * p / 100
f = int(k)
c = k - f
if f == n - 1:
return times[f]
return times[f] * (1 - c) + times[f + 1] * c
return {
'p50': percentile(50), # Median
'p90': percentile(90),
'p95': percentile(95),
'p99': percentile(99),
'min': min(times),
'max': max(times)
}
def update_realtime_statistics(self, flow_key: tuple, flow: FlowStats) -> None:
"""Update real-time running statistics for a flow"""
if not self.enable_realtime or len(flow.inter_arrival_times) < 2:
return
# Initialize if first time
if flow_key not in self.realtime_stats:
self.realtime_stats[flow_key] = {
'count': 0,
'sum': 0.0,
'sum_squares': 0.0,
'outlier_count': 0,
'last_avg': 0.0,
'last_std': 0.0
}
stats = self.realtime_stats[flow_key]
# Use most recent inter-arrival time
new_time = flow.inter_arrival_times[-1]
stats['count'] += 1
stats['sum'] += new_time
stats['sum_squares'] += new_time * new_time
# Calculate running average and standard deviation
if stats['count'] >= 2:
avg = stats['sum'] / stats['count']
variance = (stats['sum_squares'] / stats['count']) - (avg * avg)
std = variance ** 0.5 if variance > 0 else 0.0
# Update flow statistics with running values
flow.avg_inter_arrival = avg
flow.std_inter_arrival = std
# Check for outliers in real-time
threshold = avg + (self.outlier_threshold_sigma * std)
if new_time > threshold:
frame_number = flow.frame_numbers[-1]
if frame_number not in flow.outlier_frames:
flow.outlier_frames.append(frame_number)
flow.outlier_details.append((frame_number, new_time))
stats['outlier_count'] += 1
stats['last_avg'] = avg
stats['last_std'] = std
# Update frame type statistics
for frame_type, ft_stats in flow.frame_types.items():
self._update_realtime_frame_type_stats(flow_key, frame_type, ft_stats)
def _update_realtime_frame_type_stats(self, flow_key: tuple, frame_type: str, ft_stats: FrameTypeStats) -> None:
"""Update real-time statistics for frame types"""
if len(ft_stats.inter_arrival_times) < 2:
return
ft_key = (flow_key, frame_type)
if ft_key not in self.realtime_stats:
self.realtime_stats[ft_key] = {
'count': 0,
'sum': 0.0,
'sum_squares': 0.0,
'outlier_count': 0,
'last_avg': 0.0,
'last_std': 0.0
}
stats = self.realtime_stats[ft_key]
new_time = ft_stats.inter_arrival_times[-1]
stats['count'] += 1
stats['sum'] += new_time
stats['sum_squares'] += new_time * new_time
if stats['count'] >= 2:
avg = stats['sum'] / stats['count']
variance = (stats['sum_squares'] / stats['count']) - (avg * avg)
std = variance ** 0.5 if variance > 0 else 0.0
ft_stats.avg_inter_arrival = avg
ft_stats.std_inter_arrival = std
# Check for frame type outliers
threshold = avg + (self.outlier_threshold_sigma * std)
if new_time > threshold:
frame_number = ft_stats.frame_numbers[-1]
if frame_number not in ft_stats.outlier_frames:
ft_stats.outlier_frames.append(frame_number)
ft_stats.outlier_details.append((frame_number, new_time))
stats['outlier_count'] += 1
stats['last_avg'] = avg
stats['last_std'] = std
def get_realtime_summary(self) -> Dict[str, any]:
"""Get summary of real-time statistics"""
if not self.enable_realtime:
return {}
total_flows = len([k for k in self.realtime_stats.keys() if isinstance(k, tuple) and len(k) == 2])
total_outliers = sum(stats['outlier_count'] for stats in self.realtime_stats.values())
return {
'realtime_enabled': True,
'tracked_flows': total_flows,
'total_outliers': total_outliers,
'update_frequency': 'per_packet'
}

300
analyzer/main.py Normal file
View File

@@ -0,0 +1,300 @@
"""
Main entry point for the Ethernet Traffic Analyzer
"""
import sys
import time
import threading
import argparse
import curses
from .analysis import EthernetAnalyzer
from .tui import TUIInterface
from .utils import PCAPLoader, LiveCapture
def main():
"""Main entry point"""
parser = argparse.ArgumentParser(description='Ethernet Traffic Analyzer')
parser.add_argument('--pcap', '-p', help='PCAP file to analyze')
parser.add_argument('--live', '-l', action='store_true', help='Start live capture')
parser.add_argument('--interface', '-i', help='Network interface for live capture')
parser.add_argument('--filter', '-f', help='BPF filter for live capture')
parser.add_argument('--no-tui', action='store_true', help='Disable TUI, print to console')
parser.add_argument('--info', action='store_true', help='Show PCAP file information only')
parser.add_argument('--outlier-threshold', type=float, default=3.0,
help='Outlier detection threshold in standard deviations (default: 3.0)')
parser.add_argument('--report', action='store_true',
help='Generate comprehensive outlier report and exit (no TUI)')
args = parser.parse_args()
if not args.pcap and not args.live:
print("Error: Must specify either --pcap file or --live capture")
sys.exit(1)
# Create analyzer - enable real-time stats for live capture
enable_realtime = args.live
analyzer = EthernetAnalyzer(enable_realtime=enable_realtime, outlier_threshold_sigma=args.outlier_threshold)
# Handle PCAP info mode
if args.info and args.pcap:
print("Analyzing PCAP file information...")
info = PCAPLoader.get_file_info(args.pcap)
if 'error' in info:
print(f"Error: {info['error']}")
sys.exit(1)
print(f"\n=== PCAP FILE INFORMATION ===")
print(f"File: {info['file_path']}")
print(f"Packets: {info['packet_count']:,}")
print(f"Total bytes: {info['total_bytes']:,}")
print(f"Duration: {info['duration_seconds']:.2f} seconds")
print(f"Average packet rate: {info['avg_packet_rate']:.1f} packets/sec")
if info['first_timestamp']:
import datetime
first_time = datetime.datetime.fromtimestamp(info['first_timestamp'])
last_time = datetime.datetime.fromtimestamp(info['last_timestamp'])
print(f"First packet: {first_time}")
print(f"Last packet: {last_time}")
return
# Load PCAP file
if args.pcap:
try:
loader = PCAPLoader(args.pcap)
if not loader.validate_file():
print(f"Error: Invalid or inaccessible PCAP file: {args.pcap}")
sys.exit(1)
packets = loader.load_all()
analyzer.all_packets = packets
print(f"Loaded {len(packets)} packets")
# Process packets
for i, packet in enumerate(packets, 1):
analyzer._process_single_packet(packet, i)
analyzer.calculate_statistics()
except Exception as e:
print(f"Error loading PCAP file: {e}")
sys.exit(1)
# Handle console output mode
if args.no_tui:
print_console_results(analyzer)
return
# Handle report mode
if args.report:
generate_outlier_report(analyzer, args.outlier_threshold)
return
# TUI mode
tui = TUIInterface(analyzer)
if args.live:
# Start live capture
capture = LiveCapture(args.interface, args.filter)
def packet_handler(packet, frame_num):
analyzer.all_packets.append(packet)
analyzer._process_single_packet(packet, frame_num)
capture.add_packet_handler(packet_handler)
try:
capture.start_capture(threaded=True)
analyzer.is_live = True
print("Starting live capture with real-time statistics enabled...")
print("TUI will update every 0.5 seconds with running averages and outlier detection")
# Give capture a moment to start
time.sleep(1)
# Run TUI
curses.wrapper(tui.run)
except KeyboardInterrupt:
print("\nCapture interrupted by user")
finally:
capture.stop_capture()
else:
# PCAP analysis mode
try:
curses.wrapper(tui.run)
except KeyboardInterrupt:
print("\nAnalysis interrupted by user")
def print_console_results(analyzer: EthernetAnalyzer):
"""Print analysis results to console"""
summary = analyzer.get_summary()
print(f"\n=== ETHERNET TRAFFIC ANALYSIS RESULTS ===")
print(f"Total Packets: {summary['total_packets']}")
print(f"Unique IP Flows: {summary['unique_flows']}")
print(f"Unique IP Addresses: {summary['unique_ips']}")
# Show summary statistics
stats = analyzer.get_summary_statistics()
if stats:
print(f"\n=== SUMMARY STATISTICS ===")
print(f"Overall Avg Inter-arrival: {stats.get('overall_avg_inter_arrival', 0):.6f}s")
print(f"Overall Std Deviation: {stats.get('overall_std_inter_arrival', 0):.6f}s")
print(f"Total Outliers: {stats.get('total_outliers', 0)}")
print(f"Outlier Percentage: {stats.get('outlier_percentage', 0):.2f}%")
# Show real-time statistics if enabled
if analyzer.statistics_engine.enable_realtime:
rt_stats = analyzer.statistics_engine.get_realtime_summary()
if rt_stats:
print(f"\n=== REAL-TIME STATISTICS ===")
print(f"Real-time Mode: {rt_stats.get('realtime_enabled', False)}")
print(f"Tracked Flows: {rt_stats.get('tracked_flows', 0)}")
print(f"Update Frequency: {rt_stats.get('update_frequency', 'N/A')}")
print(f"\n=== FLOW STATISTICS ===")
flows_sorted = sorted(summary['flows'].values(), key=lambda x: x.frame_count, reverse=True)
for flow in flows_sorted:
print(f"\nFlow: {flow.src_ip} -> {flow.dst_ip}")
print(f" Packets: {flow.frame_count}")
print(f" Total Bytes: {flow.total_bytes:,}")
print(f" Protocols: {', '.join(flow.protocols)}")
if flow.detected_protocol_types:
print(f" Enhanced Protocols: {', '.join(flow.detected_protocol_types)}")
if flow.avg_inter_arrival > 0:
print(f" Avg Inter-arrival: {flow.avg_inter_arrival:.6f}s")
print(f" Std Deviation: {flow.std_inter_arrival:.6f}s")
if flow.outlier_frames:
print(f" Outlier Frames: {flow.outlier_frames}")
# Show frame type breakdown
if flow.frame_types:
print(f" Frame Types:")
for frame_type, ft_stats in flow.frame_types.items():
avg_str = f"{ft_stats.avg_inter_arrival:.3f}s" if ft_stats.avg_inter_arrival > 0 else "N/A"
print(f" {frame_type}: {ft_stats.count} packets, avg {avg_str}")
# Show high jitter flows
high_jitter = analyzer.get_high_jitter_flows()
if high_jitter:
print(f"\n=== HIGH JITTER FLOWS ===")
for flow in high_jitter[:5]: # Show top 5
cv = flow.std_inter_arrival / flow.avg_inter_arrival if flow.avg_inter_arrival > 0 else 0
print(f"{flow.src_ip} -> {flow.dst_ip}: CV = {cv:.3f}")
def generate_outlier_report(analyzer: EthernetAnalyzer, threshold_sigma: float):
"""Generate comprehensive outlier report without TUI"""
summary = analyzer.get_summary()
print("=" * 80)
print("COMPREHENSIVE OUTLIER ANALYSIS REPORT")
print("=" * 80)
# Analysis parameters
print(f"Outlier Detection Threshold: {threshold_sigma}σ (sigma)")
print(f"Total Packets Analyzed: {summary['total_packets']:,}")
print(f"Unique IP Flows: {summary['unique_flows']}")
print(f"Unique IP Addresses: {summary['unique_ips']}")
# Overall statistics
stats = analyzer.get_summary_statistics()
if stats:
print(f"\nOVERALL TIMING STATISTICS:")
print(f" Average Inter-arrival Time: {stats.get('overall_avg_inter_arrival', 0):.6f}s")
print(f" Standard Deviation: {stats.get('overall_std_inter_arrival', 0):.6f}s")
print(f" Total Outlier Frames: {stats.get('total_outliers', 0)}")
print(f" Outlier Percentage: {stats.get('outlier_percentage', 0):.2f}%")
print("\n" + "=" * 80)
print("DETAILED FLOW ANALYSIS")
print("=" * 80)
flows_sorted = sorted(summary['flows'].values(), key=lambda x: x.frame_count, reverse=True)
for flow_idx, flow in enumerate(flows_sorted, 1):
print(f"\n[FLOW {flow_idx}] {flow.src_ip} -> {flow.dst_ip}")
print("-" * 60)
# Flow summary
print(f"Total Packets: {flow.frame_count:,}")
print(f"Total Bytes: {flow.total_bytes:,}")
print(f"Protocols: {', '.join(flow.protocols)}")
if flow.detected_protocol_types:
print(f"Enhanced Protocols: {', '.join(flow.detected_protocol_types)}")
# Flow timing statistics
if flow.avg_inter_arrival > 0:
print(f"Flow Timing:")
print(f" Average Inter-arrival: {flow.avg_inter_arrival:.6f}s")
print(f" Standard Deviation: {flow.std_inter_arrival:.6f}s")
print(f" Outlier Threshold: {flow.avg_inter_arrival + (threshold_sigma * flow.std_inter_arrival):.6f}s")
print(f" Flow-level Outliers: {len(flow.outlier_details)}")
# Frame type analysis
if flow.frame_types:
print(f"\nFrame Type Breakdown:")
print(f" {'Type':<15} {'Count':<8} {'Avg ΔT':<12} {'Std Dev':<12} {'Out':<6} {'Out %':<8}")
print(f" {'-' * 15} {'-' * 8} {'-' * 12} {'-' * 12} {'-' * 6} {'-' * 8}")
sorted_frame_types = sorted(flow.frame_types.items(),
key=lambda x: x[1].count, reverse=True)
for frame_type, ft_stats in sorted_frame_types:
outlier_count = len(ft_stats.outlier_details)
outlier_pct = (outlier_count / ft_stats.count * 100) if ft_stats.count > 0 else 0
avg_str = f"{ft_stats.avg_inter_arrival:.6f}s" if ft_stats.avg_inter_arrival > 0 else "N/A"
std_str = f"{ft_stats.std_inter_arrival:.6f}s" if ft_stats.std_inter_arrival > 0 else "N/A"
print(f" {frame_type:<15} {ft_stats.count:<8} {avg_str:<12} {std_str:<12} {outlier_count:<6} {outlier_pct:<7.1f}%")
# Detailed outlier frames
has_outliers = any(ft_stats.outlier_details for ft_stats in flow.frame_types.values())
if has_outliers:
print(f"\nOutlier Frame Details:")
for frame_type, ft_stats in flow.frame_types.items():
if ft_stats.outlier_details:
print(f"\n {frame_type} Outliers ({len(ft_stats.outlier_details)} frames):")
if ft_stats.avg_inter_arrival > 0:
threshold = ft_stats.avg_inter_arrival + (threshold_sigma * ft_stats.std_inter_arrival)
print(f" Threshold: {threshold:.6f}s (>{threshold_sigma}σ from mean {ft_stats.avg_inter_arrival:.6f}s)")
print(f" {'Frame#':<10} {'Inter-arrival':<15} {'Deviation':<12}")
print(f" {'-' * 10} {'-' * 15} {'-' * 12}")
for frame_num, inter_arrival_time in ft_stats.outlier_details:
if ft_stats.avg_inter_arrival > 0:
deviation = inter_arrival_time - ft_stats.avg_inter_arrival
sigma_dev = deviation / ft_stats.std_inter_arrival if ft_stats.std_inter_arrival > 0 else 0
dev_str = f"+{sigma_dev:.1f}σ"
else:
dev_str = "N/A"
print(f" {frame_num:<10} {inter_arrival_time:.6f}s{'':<3} {dev_str:<12}")
# High jitter flows summary
high_jitter = analyzer.get_high_jitter_flows()
if high_jitter:
print(f"\n" + "=" * 80)
print("HIGH JITTER FLOWS (Coefficient of Variation > 0.1)")
print("=" * 80)
for flow in high_jitter[:10]: # Show top 10
cv = flow.std_inter_arrival / flow.avg_inter_arrival if flow.avg_inter_arrival > 0 else 0
print(f"{flow.src_ip} -> {flow.dst_ip}: CV = {cv:.3f}")
print(f"\n" + "=" * 80)
print("REPORT COMPLETE")
print("=" * 80)
if __name__ == "__main__":
main()

8
analyzer/models/__init__.py Normal file
View File

@@ -0,0 +1,8 @@
"""
Data models for the Ethernet Traffic Analyzer
"""
from .flow_stats import FlowStats, FrameTypeStats
from .analysis_results import AnalysisResult
__all__ = ['FlowStats', 'FrameTypeStats', 'AnalysisResult']

45
analyzer/models/analysis_results.py Normal file
View File

@@ -0,0 +1,45 @@
"""
Analysis result containers and summary structures
"""
from dataclasses import dataclass
from typing import Dict, Any, List, Set
from .flow_stats import FlowStats
@dataclass
class AnalysisResult:
"""Container for complete analysis results"""
total_packets: int
unique_flows: int
unique_ips: int
flows: Dict[tuple, FlowStats]
def get_summary(self) -> Dict[str, Any]:
"""Get analysis summary dictionary"""
unique_ips = set()
for flow in self.flows.values():
unique_ips.add(flow.src_ip)
unique_ips.add(flow.dst_ip)
return {
'total_packets': self.total_packets,
'unique_flows': len(self.flows),
'unique_ips': len(unique_ips),
'flows': self.flows
}
@dataclass
class DissectionResult:
"""Container for packet dissection results"""
frame_number: int
timestamp: float
size: int
layers: Dict[str, Any]
protocols: List[str]
errors: List[str] = None
def __post_init__(self):
if self.errors is None:
self.errors = []

40
analyzer/models/flow_stats.py Normal file
View File

@@ -0,0 +1,40 @@
"""
Data structures for flow and frame type statistics
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
@dataclass
class FrameTypeStats:
"""Statistics for a specific frame type within a flow"""
frame_type: str
count: int = 0
total_bytes: int = 0
timestamps: List[float] = field(default_factory=list)
frame_numbers: List[int] = field(default_factory=list)
inter_arrival_times: List[float] = field(default_factory=list)
avg_inter_arrival: float = 0.0
std_inter_arrival: float = 0.0
outlier_frames: List[int] = field(default_factory=list)
outlier_details: List[Tuple[int, float]] = field(default_factory=list)
@dataclass
class FlowStats:
"""Statistics for a source-destination IP pair"""
src_ip: str
dst_ip: str
frame_count: int
timestamps: List[float]
frame_numbers: List[int]
inter_arrival_times: List[float]
avg_inter_arrival: float
std_inter_arrival: float
outlier_frames: List[int]
outlier_details: List[Tuple[int, float]] # (frame_number, time_delta)
total_bytes: int
protocols: Set[str]
detected_protocol_types: Set[str] # Enhanced protocol detection (CH10, PTP, IENA, etc)
frame_types: Dict[str, FrameTypeStats] = field(default_factory=dict) # Per-frame-type statistics

16
analyzer/protocols/__init__.py Normal file
View File

@@ -0,0 +1,16 @@
"""
Protocol dissectors for the Ethernet Traffic Analyzer
"""
from .base import ProtocolDissector, DissectionResult
from .chapter10 import Chapter10Dissector, Chapter10Packet
from .ptp import PTPDissector
from .iena import IENADissector
from .standard import StandardProtocolDissectors
__all__ = [
'ProtocolDissector', 'DissectionResult',
'Chapter10Dissector', 'Chapter10Packet',
'PTPDissector', 'IENADissector',
'StandardProtocolDissectors'
]

54
analyzer/protocols/base.py Normal file
View File

@@ -0,0 +1,54 @@
"""
Base protocol dissector interface and common structures
"""
from abc import ABC, abstractmethod
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Any
try:
from scapy.all import Packet
except ImportError:
print("Error: scapy library required. Install with: pip install scapy")
import sys
sys.exit(1)
class ProtocolType(IntEnum):
"""Protocol type identifiers"""
UNKNOWN = 0
CHAPTER10 = 1
PTP = 2
IENA = 3
@dataclass
class DissectionResult:
"""Container for dissection results"""
protocol: ProtocolType
fields: Dict[str, Any]
payload: Optional[bytes] = None
errors: List[str] = None
def __post_init__(self):
if self.errors is None:
self.errors = []
class ProtocolDissector(ABC):
"""Abstract base class for protocol dissectors"""
@abstractmethod
def can_dissect(self, packet: Packet) -> bool:
"""Check if this dissector can handle the given packet"""
pass
@abstractmethod
def dissect(self, packet: Packet) -> Optional[DissectionResult]:
"""Dissect the packet and return structured data"""
pass
def get_protocol_type(self) -> ProtocolType:
"""Get the protocol type this dissector handles"""
return ProtocolType.UNKNOWN

352
analyzer/protocols/chapter10.py Normal file
View File

@@ -0,0 +1,352 @@
"""
Chapter 10 (IRIG106) protocol dissector and packet handling
"""
import struct
from typing import Dict, List, Optional, Any, Tuple
from dataclasses import dataclass, field
from abc import ABC, abstractmethod
try:
from scapy.all import Packet, Raw, IP, UDP
except ImportError:
print("Error: scapy library required. Install with: pip install scapy")
import sys
sys.exit(1)
try:
import numpy as np
except ImportError:
print("Error: numpy library required. Install with: pip install numpy")
import sys
sys.exit(1)
from .base import ProtocolDissector, DissectionResult, ProtocolType
class Chapter10Dissector(ProtocolDissector):
"""Chapter 10 packet dissector based on IRIG 106-17 specification"""
# Channel data types from Chapter 10 spec
CH10_DATA_TYPES = {
0x08: "PCM Format 1",
0x09: "Time Format 1",
0x11: "1553 Format 1",
0x19: "Image Format 0",
0x21: "UART Format 0",
0x30: "1394 Format 1",
0x38: "Parallel Format 1",
0x40: "Ethernet Format 0",
0x48: "TSPI/CTS Format 1",
0x50: "Controller Area Network Bus",
0x58: "Fibre Channel Format 1",
0x60: "IRIG 106 Format 1",
0x68: "Video Format 0",
0x69: "Video Format 1",
0x6A: "Video Format 2",
0x70: "Message Format 0",
0x78: "ARINC 429 Format 0",
0x04: "PCM Format 0",
0x72: "Analog Format 2",
0x73: "Analog Format 3",
0x74: "Analog Format 4",
0x75: "Analog Format 5",
0x76: "Analog Format 6",
0x77: "Analog Format 7",
0x78: "Analog Format 8",
0xB4: "User Defined Format"
}
def __init__(self):
self.sync_pattern = 0xEB25 # Chapter 10 sync pattern
def can_dissect(self, packet: Packet) -> bool:
"""Check if packet contains Chapter 10 data"""
if not packet.haslayer(Raw):
return False
raw_data = bytes(packet[Raw])
if len(raw_data) < 24: # Minimum Ch10 header size
return False
return self._find_chapter10_offset(raw_data) is not None
def get_protocol_type(self) -> ProtocolType:
return ProtocolType.CHAPTER10
def dissect(self, packet: Packet) -> Optional[DissectionResult]:
"""Dissect Chapter 10 packet (handles embedded formats)"""
if not packet.haslayer(Raw):
return None
raw_data = bytes(packet[Raw])
if len(raw_data) < 24: # Minimum Ch10 header size
return None
# Search for Chapter 10 sync pattern in the payload
ch10_offset = self._find_chapter10_offset(raw_data)
if ch10_offset is None:
return None
try:
# Parse Chapter 10 header starting at the found offset
if ch10_offset + 24 > len(raw_data):
return None
header_data = raw_data[ch10_offset:ch10_offset + 24]
header = self._parse_header(header_data)
if header.get('sync_pattern') != self.sync_pattern:
return None
result = DissectionResult(
protocol=ProtocolType.CHAPTER10,
fields=header
)
# Add container information
if ch10_offset > 0:
result.fields['container_offset'] = ch10_offset
result.fields['container_header'] = raw_data[:ch10_offset].hex()
# Extract payload if present
packet_length = header.get('packet_length', 0)
payload_start = ch10_offset + 24
if packet_length > 24 and payload_start + (packet_length - 24) <= len(raw_data):
result.payload = raw_data[payload_start:payload_start + (packet_length - 24)]
# Try to parse specific data formats
data_type = header.get('data_type', 0)
if data_type == 0x40: # Ethernet Format 0
eth_data = self._parse_ethernet_fmt0(result.payload)
if eth_data:
result.fields.update(eth_data)
return result
except Exception as e:
return DissectionResult(
protocol=ProtocolType.CHAPTER10,
fields={},
errors=[f"Parsing error: {str(e)}"]
)
def _find_chapter10_offset(self, raw_data: bytes) -> Optional[int]:
"""Find the offset of Chapter 10 sync pattern in raw data"""
# Search for the sync pattern throughout the payload
for offset in range(len(raw_data) - 1):
if offset + 1 < len(raw_data):
try:
word = struct.unpack('<H', raw_data[offset:offset+2])[0]
if word == self.sync_pattern:
# Verify we have enough space for a full header
if offset + 24 <= len(raw_data):
return offset
except struct.error:
continue
return None
def _parse_header(self, header_data: bytes) -> Dict[str, Any]:
"""Parse Chapter 10 header"""
if len(header_data) < 24:
raise ValueError(f"Header too short: {len(header_data)} bytes, need 24")
try:
sync_pattern = struct.unpack('<H', header_data[0:2])[0]
channel_id = struct.unpack('<H', header_data[2:4])[0]
packet_length = struct.unpack('<I', header_data[4:8])[0]
data_length = struct.unpack('<I', header_data[8:12])[0]
data_type = struct.unpack('<H', header_data[12:14])[0]
flags = struct.unpack('<H', header_data[14:16])[0]
# Time counter is 6 bytes - combine into single value
time_bytes = header_data[16:22]
time_counter = int.from_bytes(time_bytes, 'little')
sequence_number = struct.unpack('<H', header_data[22:24])[0]
return {
'sync_pattern': sync_pattern,
'channel_id': channel_id,
'packet_length': packet_length,
'data_length': data_length,
'data_type': data_type,
'relative_time_counter': time_counter,
'packet_flags': flags,
'sequence_number': sequence_number,
'data_type_name': self.CH10_DATA_TYPES.get(data_type, f"Unknown (0x{data_type:02x})")
}
except struct.error as e:
raise ValueError(f"Struct unpack error: {str(e)}")
def _parse_ethernet_fmt0(self, payload: bytes) -> Optional[Dict[str, Any]]:
"""Parse Ethernet Format 0 data"""
if len(payload) < 12:
return None
try:
# Parse intra-packet header and frame word
iph, ts, frame_word = struct.unpack('<III', payload[:12])
frame_length = frame_word & 0x3FFF
length_error = bool(frame_word & 0x8000)
crc_error = bool(frame_word & 0x10000)
content_type = (frame_word >> 28) & 0x3
content_types = {0: "Full MAC frame", 1: "Payload only", 2: "Reserved", 3: "Reserved"}
return {
'ethernet_iph': iph,
'ethernet_timestamp': ts,
'ethernet_frame_length': frame_length,
'ethernet_length_error': length_error,
'ethernet_crc_error': crc_error,
'ethernet_content_type': content_types.get(content_type, "Unknown")
}
except:
return None
class Chapter10Packet:
"""Represents an IRIG106 Chapter 10 packet"""
def __init__(self, packet, original_frame_num: Optional[int] = None):
"""
Initialize Chapter 10 packet from raw scapy packet
Args:
packet: Raw scapy packet
original_frame_num: Original frame number in PCAP file
"""
self.raw_packet = packet
self.original_frame_num: Optional[int] = original_frame_num
# Extract basic packet info
self.timestamp = float(packet.time)
self.packet_size = len(packet)
# Extract IP/UDP info if available
if packet.haslayer(IP) and packet.haslayer(UDP):
ip_layer = packet[IP]
udp_layer = packet[UDP]
self.src_ip = ip_layer.src
self.dst_ip = ip_layer.dst
self.src_port = udp_layer.sport
self.dst_port = udp_layer.dport
self.payload = bytes(udp_layer.payload)
else:
self.src_ip = ""
self.dst_ip = ""
self.src_port = 0
self.dst_port = 0
self.payload = bytes()
# Parse Chapter 10 header
self.ch10_header = self._parse_ch10_header()
def _parse_ch10_header(self) -> Optional[Dict]:
"""Parse Chapter 10 header from payload"""
if len(self.payload) < 28: # Minimum payload size (4-byte prefix + 24-byte Ch10 header)
return None
try:
# Look for Ch10 sync pattern in first several bytes
ch10_offset = None
for offset in range(min(8, len(self.payload) - 24)):
sync_pattern = struct.unpack('<H', self.payload[offset:offset+2])[0]
if sync_pattern == 0xEB25: # Ch10 sync pattern
ch10_offset = offset
break
if ch10_offset is None:
return None
# Parse Chapter 10 header starting at found offset
base = ch10_offset
sync_pattern = struct.unpack('<H', self.payload[base:base+2])[0]
channel_id = struct.unpack('<H', self.payload[base+2:base+4])[0]
packet_length = struct.unpack('<I', self.payload[base+4:base+8])[0]
data_length = struct.unpack('<I', self.payload[base+8:base+12])[0]
header_version = self.payload[base+12]
sequence_number = self.payload[base+13]
packet_flags = self.payload[base+14]
data_type = self.payload[base+15]
rtc_low = struct.unpack('<I', self.payload[base+16:base+20])[0]
rtc_high = struct.unpack('<H', self.payload[base+20:base+22])[0]
checksum = struct.unpack('<H', self.payload[base+22:base+24])[0]
# Store the offset for reference
self.ch10_offset = ch10_offset
return {
'sync_pattern': f'0x{sync_pattern:04X}',
'channel_id': channel_id,
'packet_length': packet_length,
'data_length': data_length,
'header_version': header_version,
'sequence_number': sequence_number,
'packet_flags': f'0x{packet_flags:02X}',
'data_type': f'0x{data_type:02X}',
'rtc_low': rtc_low,
'rtc_high': rtc_high,
'checksum': f'0x{checksum:04X}',
'rtc_timestamp': (rtc_high << 32) | rtc_low,
'ch10_offset': ch10_offset
}
except (struct.error, IndexError):
return None
def get_data_payload(self) -> Optional[bytes]:
"""Extract the data payload from the Chapter 10 packet"""
if not self.ch10_header:
return None
# Data starts after the 24-byte Chapter 10 header
data_start = self.ch10_offset + 24
data_length = self.ch10_header['data_length']
if data_start + data_length > len(self.payload):
return None
return self.payload[data_start:data_start + data_length]
# Data decoders and related classes would go here, extracted from chapter10_packet.py
# For brevity, I'll include the key classes but the full implementation would include
# all the decoder classes (AnalogDecoder, PCMDecoder, etc.)
@dataclass
class DecodedData:
"""Base class for decoded Chapter 10 data"""
def __init__(self, data_type: str, channel_data: Dict[str, np.ndarray],
timestamps: Optional[np.ndarray] = None, metadata: Optional[Dict] = None):
self.data_type = data_type
self.channel_data = channel_data
self.timestamps = timestamps
self.metadata = metadata or {}
def get_channels(self) -> List[str]:
"""Get list of available channels"""
return list(self.channel_data.keys())
def get_channel_data(self, channel: str) -> Optional[np.ndarray]:
"""Get data for a specific channel"""
return self.channel_data.get(channel)
class DataDecoder(ABC):
"""Abstract base class for Chapter 10 data decoders"""
def __init__(self, tmats_scaling_dict: Optional[Dict] = None):
self.tmats_scaling_dict = tmats_scaling_dict or {}
@abstractmethod
def decode(self, data_payload: bytes, ch10_header: Dict) -> Optional[DecodedData]:
"""Decode the data payload"""
pass

284
analyzer/protocols/iena.py Normal file
View File

@@ -0,0 +1,284 @@
"""
IENA (Improved Ethernet Network Architecture) dissector for Airbus protocols
"""
import struct
import time
from typing import Dict, Optional, Any
try:
from scapy.all import Packet, UDP, Raw
except ImportError:
print("Error: scapy library required. Install with: pip install scapy")
import sys
sys.exit(1)
from .base import ProtocolDissector, DissectionResult, ProtocolType
class IENADissector(ProtocolDissector):
"""Airbus IENA (Improved Ethernet Network Architecture) dissector"""
IENA_TYPES = {
0: "P-type",
1: "D-type (with delay)",
2: "N-type",
3: "M-type (with delay)",
4: "Q-type"
}
def __init__(self):
self.iena_ports = {50000, 50001}
self.lxrs_id = 0xF6AE
def can_dissect(self, packet: Packet) -> bool:
"""Check if packet is IENA"""
if not packet.haslayer(UDP):
return False
udp_layer = packet[UDP]
if udp_layer.dport not in self.iena_ports and udp_layer.sport not in self.iena_ports:
return False
if not packet.haslayer(Raw):
return False
raw_data = bytes(packet[Raw])
return len(raw_data) >= 14 # Minimum IENA header size
def get_protocol_type(self) -> ProtocolType:
return ProtocolType.IENA
def dissect(self, packet: Packet) -> Optional[DissectionResult]:
"""Dissect IENA packet"""
if not self.can_dissect(packet):
return None
raw_data = bytes(packet[Raw])
try:
header = self._parse_iena_header(raw_data[:14])
result = DissectionResult(
protocol=ProtocolType.IENA,
fields=header
)
# Parse payload based on packet type
packet_type = header.get('packet_type', 0)
iena_size = header.get('size_in_words', 0)
if iena_size > 8 and len(raw_data) >= iena_size * 2:
payload_data = raw_data[14:iena_size * 2 - 2] # Exclude trailer
payload_info = self._parse_payload(packet_type, payload_data, header)
if payload_info:
result.fields.update(payload_info)
result.payload = payload_data
return result
except Exception as e:
return DissectionResult(
protocol=ProtocolType.IENA,
fields={},
errors=[f"IENA parsing error: {str(e)}"]
)
def _parse_iena_header(self, header_data: bytes) -> Dict[str, Any]:
"""Parse IENA header (14 bytes)"""
if len(header_data) < 14:
raise ValueError("IENA header too short")
# Unpack header fields (big endian for most fields)
key_id = struct.unpack('>H', header_data[0:2])[0]
size_words = struct.unpack('>H', header_data[2:4])[0]
# Time field is 6 bytes
time_bytes = header_data[4:10]
time_value = int.from_bytes(time_bytes, 'big')
key_status = header_data[10]
n2_status = header_data[11]
sequence_num = struct.unpack('>H', header_data[12:14])[0]
# Parse key status bits
is_positional = bool(key_status & 0x80)
is_discard = bool(key_status & 0x40)
is_msg = bool(key_status & 0x20)
has_delay = bool(key_status & 0x10)
n4_restriction = bool(key_status & 0x08)
word_size = key_status & 0x07
# Determine packet type
packet_type = 0 # P-type default
if not is_positional and is_msg:
packet_type = 3 if has_delay else 4 # M-type or Q-type
elif not is_positional and not is_msg:
packet_type = 1 if has_delay else 2 # D-type or N-type
# Convert time to readable format
current_year = time.gmtime().tm_year
year_start = time.mktime((current_year, 1, 1, 0, 0, 0, 0, 0, 0))
time_sec = year_start + (time_value / 1000000.0) # IENA time is in microseconds
return {
'key_id': key_id,
'size_in_words': size_words,
'time_value': time_value,
'time_readable': time.strftime("%H:%M:%S %d %b %Y", time.gmtime(time_sec)),
'key_status': key_status,
'is_positional': is_positional,
'is_discard': is_discard,
'is_message': is_msg,
'has_delay': has_delay,
'n4_restriction': n4_restriction,
'word_size': word_size,
'n2_status': n2_status,
'sequence_number': sequence_num,
'packet_type': packet_type,
'packet_type_name': self.IENA_TYPES.get(packet_type, "Unknown")
}
def _parse_payload(self, packet_type: int, payload: bytes, header: Dict) -> Optional[Dict[str, Any]]:
"""Parse IENA payload based on packet type"""
try:
word_size = header.get('word_size', 0)
if packet_type == 2: # N-type
return self._parse_n_type(payload, word_size)
elif packet_type == 1: # D-type
return self._parse_d_type(payload, word_size)
elif packet_type in [3, 4]: # M-type or Q-type
return self._parse_mq_type(payload, packet_type)
else: # P-type
return {'payload_data': payload.hex()}
except Exception as e:
return {'parse_error': str(e)}
def _parse_n_type(self, payload: bytes, word_size: int) -> Dict[str, Any]:
"""Parse N-type message payload"""
if len(payload) < 2:
return {}
n_len_bytes = (word_size + 1) * 2
if n_len_bytes <= 0:
return {}
n_instances = len(payload) // n_len_bytes
messages = []
for i in range(min(n_instances, 10)): # Limit to first 10 messages
offset = i * n_len_bytes
if offset + 2 <= len(payload):
param_id = struct.unpack('>H', payload[offset:offset+2])[0]
data_words = []
for j in range(word_size):
word_offset = offset + 2 + (j * 2)
if word_offset + 2 <= len(payload):
word = struct.unpack('>H', payload[word_offset:word_offset+2])[0]
data_words.append(word)
messages.append({
'param_id': param_id,
'data_words': data_words
})
return {
'n_message_count': n_instances,
'n_messages': messages
}
def _parse_d_type(self, payload: bytes, word_size: int) -> Dict[str, Any]:
"""Parse D-type message payload"""
if len(payload) < 4:
return {}
d_len_bytes = (word_size + 2) * 2 # ParamID + Delay + data words
if d_len_bytes <= 0:
return {}
d_instances = len(payload) // d_len_bytes
messages = []
for i in range(min(d_instances, 10)):
offset = i * d_len_bytes
if offset + 4 <= len(payload):
param_id = struct.unpack('>H', payload[offset:offset+2])[0]
delay = struct.unpack('>H', payload[offset+2:offset+4])[0]
data_words = []
for j in range(word_size):
word_offset = offset + 4 + (j * 2)
if word_offset + 2 <= len(payload):
word = struct.unpack('>H', payload[word_offset:word_offset+2])[0]
data_words.append(word)
messages.append({
'param_id': param_id,
'delay': delay,
'data_words': data_words
})
return {
'd_message_count': d_instances,
'd_messages': messages
}
def _parse_mq_type(self, payload: bytes, packet_type: int) -> Dict[str, Any]:
"""Parse M-type or Q-type message payload"""
messages = []
offset = 0
msg_count = 0
while offset < len(payload) - 4 and msg_count < 20: # Limit messages
try:
if packet_type == 3: # M-type
if offset + 6 > len(payload):
break
param_id = struct.unpack('>H', payload[offset:offset+2])[0]
delay = struct.unpack('>H', payload[offset+2:offset+4])[0]
length = struct.unpack('>H', payload[offset+4:offset+6])[0]
data_offset = offset + 6
else: # Q-type
if offset + 4 > len(payload):
break
param_id = struct.unpack('>H', payload[offset:offset+2])[0]
length = struct.unpack('>H', payload[offset+2:offset+4])[0]
delay = None
data_offset = offset + 4
# Ensure length is reasonable
if length > len(payload) - data_offset:
break
msg_data = payload[data_offset:data_offset + length] if length > 0 else b''
msg_info = {
'param_id': param_id,
'length': length,
'data': msg_data.hex() if len(msg_data) <= 32 else f"{msg_data[:32].hex()}..."
}
if delay is not None:
msg_info['delay'] = delay
messages.append(msg_info)
# Calculate next offset (ensure even alignment)
next_offset = data_offset + length
if next_offset % 2 == 1:
next_offset += 1
offset = next_offset
msg_count += 1
except:
break
type_key = 'm' if packet_type == 3 else 'q'
return {
f'{type_key}_message_count': len(messages),
f'{type_key}_messages': messages
}

143
analyzer/protocols/ptp.py Normal file
View File

@@ -0,0 +1,143 @@
"""
PTP (IEEE 1588-2019) Precision Time Protocol dissector
"""
import struct
from typing import Dict, Optional, Any
try:
from scapy.all import Packet, UDP, Raw
except ImportError:
print("Error: scapy library required. Install with: pip install scapy")
import sys
sys.exit(1)
from .base import ProtocolDissector, DissectionResult, ProtocolType
class PTPDissector(ProtocolDissector):
"""IEEE 1588-2019 Precision Time Protocol dissector"""
PTP_MESSAGE_TYPES = {
0x0: "Sync",
0x1: "Delay_Req",
0x2: "Pdelay_Req",
0x3: "Pdelay_Resp",
0x8: "Follow_Up",
0x9: "Delay_Resp",
0xA: "Pdelay_Resp_Follow_Up",
0xB: "Announce",
0xC: "Signaling",
0xD: "Management"
}
def __init__(self):
self.ptp_ports = {319, 320} # PTP event and general ports
def can_dissect(self, packet: Packet) -> bool:
"""Check if packet is PTP"""
if not packet.haslayer(UDP):
return False
udp_layer = packet[UDP]
if udp_layer.dport not in self.ptp_ports and udp_layer.sport not in self.ptp_ports:
return False
if not packet.haslayer(Raw):
return False
raw_data = bytes(packet[Raw])
return len(raw_data) >= 34 # Minimum PTP header size
def get_protocol_type(self) -> ProtocolType:
return ProtocolType.PTP
def dissect(self, packet: Packet) -> Optional[DissectionResult]:
"""Dissect PTP packet"""
if not self.can_dissect(packet):
return None
raw_data = bytes(packet[Raw])
try:
header = self._parse_ptp_header(raw_data[:34])
result = DissectionResult(
protocol=ProtocolType.PTP,
fields=header
)
# Parse message-specific fields
msg_type = header.get('message_type', 0)
if len(raw_data) > 34:
msg_fields = self._parse_message_fields(msg_type, raw_data[34:])
if msg_fields:
result.fields.update(msg_fields)
return result
except Exception as e:
return DissectionResult(
protocol=ProtocolType.PTP,
fields={},
errors=[f"PTP parsing error: {str(e)}"]
)
def _parse_ptp_header(self, header_data: bytes) -> Dict[str, Any]:
"""Parse PTP common header"""
if len(header_data) < 34:
raise ValueError("PTP header too short")
# Parse first 4 bytes
first_word = struct.unpack('>I', header_data[:4])[0]
message_type = first_word & 0xF
transport_specific = (first_word >> 4) & 0xF
ptp_version = (first_word >> 8) & 0xFF
domain_number = (first_word >> 24) & 0xFF
# Parse remaining header fields
message_length = struct.unpack('>H', header_data[4:6])[0]
flags = struct.unpack('>H', header_data[6:8])[0]
correction = struct.unpack('>Q', header_data[8:16])[0]
source_port_id = header_data[20:28]
sequence_id = struct.unpack('>H', header_data[30:32])[0]
control = header_data[32]
log_mean_message_interval = struct.unpack('b', header_data[33:34])[0]
return {
'message_type': message_type,
'message_type_name': self.PTP_MESSAGE_TYPES.get(message_type, f"Unknown (0x{message_type:x})"),
'transport_specific': transport_specific,
'ptp_version': ptp_version,
'domain_number': domain_number,
'message_length': message_length,
'flags': flags,
'correction_field': correction,
'source_port_identity': source_port_id.hex(),
'sequence_id': sequence_id,
'control_field': control,
'log_mean_message_interval': log_mean_message_interval
}
def _parse_message_fields(self, msg_type: int, payload: bytes) -> Optional[Dict[str, Any]]:
"""Parse message-specific fields"""
if msg_type in [0x0, 0x1, 0x2, 0x3]: # Sync, Delay_Req, Pdelay_Req, Pdelay_Resp
if len(payload) >= 10:
timestamp = struct.unpack('>HI', payload[:6]) # seconds_msb, seconds_lsb, nanoseconds
nanoseconds = struct.unpack('>I', payload[6:10])[0]
return {
'origin_timestamp_sec': (timestamp[0] << 32) | timestamp[1],
'origin_timestamp_nsec': nanoseconds
}
elif msg_type == 0xB: # Announce
if len(payload) >= 20:
return {
'current_utc_offset': struct.unpack('>h', payload[10:12])[0],
'grandmaster_priority1': payload[13],
'grandmaster_clock_quality': payload[14:18].hex(),
'grandmaster_priority2': payload[18],
'grandmaster_identity': payload[19:27].hex()
}
return None

97
analyzer/protocols/standard.py Normal file
View File

@@ -0,0 +1,97 @@
"""
Standard protocol dissectors (Ethernet, IP, TCP, UDP, etc.)
"""
from typing import Dict, Optional
try:
from scapy.all import Packet, Ether, IP, UDP, TCP
except ImportError:
print("Error: scapy library required. Install with: pip install scapy")
import sys
sys.exit(1)
class StandardProtocolDissectors:
"""Collection of standard protocol dissectors"""
def __init__(self):
self.dissectors = {
'ethernet': self._dissect_ethernet,
'ip': self._dissect_ip,
'udp': self._dissect_udp,
'tcp': self._dissect_tcp
}
def dissect_all(self, packet: Packet) -> Dict[str, Optional[Dict]]:
"""Apply all standard dissectors to a packet"""
results = {}
for name, dissector in self.dissectors.items():
try:
results[name] = dissector(packet)
except Exception as e:
results[name] = {'error': str(e)}
return results
def _dissect_ethernet(self, packet: Packet) -> Optional[Dict]:
"""Dissect Ethernet layer"""
try:
if packet.haslayer(Ether):
eth = packet[Ether]
return {
'src_mac': eth.src,
'dst_mac': eth.dst,
'type': hex(eth.type)
}
except:
pass
return None
def _dissect_ip(self, packet: Packet) -> Optional[Dict]:
"""Dissect IP layer"""
try:
if packet.haslayer(IP):
ip = packet[IP]
return {
'version': ip.version,
'src': ip.src,
'dst': ip.dst,
'protocol': ip.proto,
'ttl': ip.ttl,
'length': ip.len
}
except:
pass
return None
def _dissect_udp(self, packet: Packet) -> Optional[Dict]:
"""Dissect UDP layer"""
try:
if packet.haslayer(UDP):
udp = packet[UDP]
return {
'src_port': udp.sport,
'dst_port': udp.dport,
'length': udp.len,
'checksum': hex(udp.chksum)
}
except:
pass
return None
def _dissect_tcp(self, packet: Packet) -> Optional[Dict]:
"""Dissect TCP layer"""
try:
if packet.haslayer(TCP):
tcp = packet[TCP]
return {
'src_port': tcp.sport,
'dst_port': tcp.dport,
'seq': tcp.seq,
'ack': tcp.ack,
'flags': tcp.flags,
'window': tcp.window
}
except:
pass
return None

9
analyzer/tui/__init__.py Normal file
View File

@@ -0,0 +1,9 @@
"""
Text User Interface components for the Ethernet Traffic Analyzer
"""
from .interface import TUIInterface
from .navigation import NavigationHandler
from .panels import FlowListPanel, DetailPanel, TimelinePanel
__all__ = ['TUIInterface', 'NavigationHandler', 'FlowListPanel', 'DetailPanel', 'TimelinePanel']

182
analyzer/tui/interface.py Normal file
View File

@@ -0,0 +1,182 @@
"""
Main TUI interface controller
"""
import curses
from typing import TYPE_CHECKING
from .navigation import NavigationHandler
from .panels import FlowListPanel, DetailPanel, TimelinePanel
if TYPE_CHECKING:
from ..analysis.core import EthernetAnalyzer
class TUIInterface:
"""Text User Interface for the analyzer"""
def __init__(self, analyzer: 'EthernetAnalyzer'):
self.analyzer = analyzer
self.navigation = NavigationHandler()
# Initialize panels
self.flow_list_panel = FlowListPanel()
self.detail_panel = DetailPanel()
self.timeline_panel = TimelinePanel()
def run(self, stdscr):
"""Main TUI loop"""
curses.curs_set(0) # Hide cursor
stdscr.keypad(True)
# Set timeout based on whether we're in live mode
if self.analyzer.is_live:
stdscr.timeout(500) # 0.5 second timeout for live updates
else:
stdscr.timeout(1000) # 1 second timeout for static analysis
while True:
stdscr.clear()
if self.navigation.current_view == 'main':
self._draw_main_view(stdscr)
elif self.navigation.current_view == 'dissection':
self._draw_dissection(stdscr)
# Draw status bar
self._draw_status_bar(stdscr)
stdscr.refresh()
# Handle input
key = stdscr.getch()
# Handle timeout (no key pressed) - refresh for live capture
if key == -1 and self.analyzer.is_live:
continue # Just refresh the display
action = self.navigation.handle_input(key, self._get_flows_list())
if action == 'quit':
if self.analyzer.is_live:
self.analyzer.stop_capture = True
break
def _draw_main_view(self, stdscr):
"""Draw three-panel main view: flows list, details, and timeline"""
height, width = stdscr.getmaxyx()
# Calculate panel dimensions based on timeline visibility
if self.navigation.show_timeline:
# Top section: 70% of height, split into left 60% / right 40%
# Bottom section: 30% of height, full width
top_height = int(height * 0.7)
bottom_height = height - top_height - 2 # -2 for separators and status bar
else:
# Use full height for top section when timeline is hidden
top_height = height - 2 # -2 for status bar
bottom_height = 0
left_width = int(width * 0.6)
right_width = width - left_width - 1 # -1 for separator
# Draw title
stdscr.addstr(0, 0, "=== ETHERNET TRAFFIC ANALYZER ===", curses.A_BOLD)
# Draw summary info
summary = self.analyzer.get_summary()
info_line = f"Packets: {summary['total_packets']} | " \
f"Flows: {summary['unique_flows']} | " \
f"IPs: {summary['unique_ips']}"
# Add real-time statistics if enabled
if self.analyzer.is_live and self.analyzer.statistics_engine.enable_realtime:
rt_summary = self.analyzer.statistics_engine.get_realtime_summary()
info_line += f" | Outliers: {rt_summary.get('total_outliers', 0)}"
stdscr.addstr(1, 0, info_line)
if self.analyzer.is_live:
status_text = "LIVE CAPTURE" if not self.analyzer.statistics_engine.enable_realtime else "LIVE+STATS"
stdscr.addstr(1, left_width - len(status_text) - 2, status_text, curses.A_BLINK)
flows_list = self._get_flows_list()
# Draw left panel (flows list)
self.flow_list_panel.draw(stdscr, 0, 3, left_width, top_height - 3,
flows_list, self.navigation.selected_flow)
# Draw vertical separator for top section
for y in range(1, top_height):
stdscr.addstr(y, left_width, "")
# Draw right panel (details)
self.detail_panel.draw(stdscr, left_width + 2, 1, right_width - 2,
flows_list, self.navigation.selected_flow, top_height - 2)
# Draw timeline panel if enabled
if self.navigation.show_timeline and bottom_height > 0:
# Draw horizontal separator
separator_line = "" * width
stdscr.addstr(top_height, 0, separator_line)
# Draw bottom panel (timeline)
timeline_start_y = top_height + 1
self.timeline_panel.draw(stdscr, 0, timeline_start_y, width, bottom_height,
flows_list, self.navigation.selected_flow)
def _draw_dissection(self, stdscr):
"""Draw frame dissection view"""
stdscr.addstr(0, 0, "=== FRAME DISSECTION ===", curses.A_BOLD)
if not self.analyzer.all_packets:
stdscr.addstr(2, 0, "No packets available")
return
# Show dissection of first few packets
for i, packet in enumerate(self.analyzer.all_packets[:5]):
if i * 6 + 2 >= curses.LINES - 3:
break
dissection = self.analyzer.dissector.dissect_frame(packet, i + 1)
y_start = i * 6 + 2
stdscr.addstr(y_start, 0, f"Frame {dissection['frame_number']}:", curses.A_BOLD)
stdscr.addstr(y_start + 1, 2, f"Timestamp: {dissection['timestamp']:.6f}")
stdscr.addstr(y_start + 2, 2, f"Size: {dissection['size']} bytes")
# Show detected protocols
protocols = dissection.get('protocols', [])
if protocols:
proto_str = ", ".join(protocols)
stdscr.addstr(y_start + 3, 2, f"Protocols: {proto_str}")
layers_str = ", ".join([k for k in dissection['layers'].keys() if not dissection['layers'][k].get('error')])
stdscr.addstr(y_start + 4, 2, f"Layers: {layers_str}")
# Show specialized protocol info
if 'chapter10' in dissection['layers'] and 'data_type_name' in dissection['layers']['chapter10']:
ch10_info = dissection['layers']['chapter10']
stdscr.addstr(y_start + 5, 2, f"CH10: {ch10_info['data_type_name']}")
elif 'ptp' in dissection['layers'] and 'message_type_name' in dissection['layers']['ptp']:
ptp_info = dissection['layers']['ptp']
stdscr.addstr(y_start + 5, 2, f"PTP: {ptp_info['message_type_name']}")
elif 'iena' in dissection['layers'] and 'packet_type_name' in dissection['layers']['iena']:
iena_info = dissection['layers']['iena']
stdscr.addstr(y_start + 5, 2, f"IENA: {iena_info['packet_type_name']}")
elif 'ip' in dissection['layers']:
ip_info = dissection['layers']['ip']
stdscr.addstr(y_start + 5, 2, f"IP: {ip_info['src']} -> {ip_info['dst']}")
def _draw_status_bar(self, stdscr):
"""Draw status bar at bottom"""
height, width = stdscr.getmaxyx()
status_y = height - 1
status = self.navigation.get_status_bar_text()
stdscr.addstr(status_y, 0, status[:width-1], curses.A_REVERSE)
def _get_flows_list(self):
"""Get sorted list of flows"""
flows_list = list(self.analyzer.flows.values())
flows_list.sort(key=lambda x: x.frame_count, reverse=True)
return flows_list

77
analyzer/tui/navigation.py Normal file
View File

@@ -0,0 +1,77 @@
"""
Navigation and input handling for the TUI
"""
import curses
from typing import List
from ..models import FlowStats
class NavigationHandler:
"""Handles navigation and input for the TUI"""
def __init__(self):
self.current_view = 'main' # main, dissection
self.selected_flow = 0
self.scroll_offset = 0
self.show_timeline = True # Toggle for bottom timeline plot
def handle_input(self, key: int, flows_list: List[FlowStats]) -> str:
"""
Handle keyboard input and return action
Returns:
Action string: 'quit', 'view_change', 'selection_change', 'none'
"""
if key == ord('q'):
return 'quit'
elif key == ord('d'):
self.current_view = 'dissection'
return 'view_change'
elif key == ord('m') or key == 27: # 'm' or ESC to return to main
self.current_view = 'main'
return 'view_change'
elif key == curses.KEY_UP and self.current_view == 'main':
self.selected_flow = max(0, self.selected_flow - 1)
return 'selection_change'
elif key == curses.KEY_DOWN and self.current_view == 'main':
max_items = self._get_total_display_items(flows_list)
self.selected_flow = min(max_items - 1, self.selected_flow + 1)
return 'selection_change'
elif key == ord('t'): # Toggle timeline plot
self.show_timeline = not self.show_timeline
return 'view_change'
elif key == curses.KEY_PPAGE and self.current_view == 'main': # Page Up
self.selected_flow = max(0, self.selected_flow - 10)
return 'selection_change'
elif key == curses.KEY_NPAGE and self.current_view == 'main': # Page Down
max_items = self._get_total_display_items(flows_list)
self.selected_flow = min(max_items - 1, self.selected_flow + 10)
return 'selection_change'
elif key == curses.KEY_HOME and self.current_view == 'main': # Home
self.selected_flow = 0
return 'selection_change'
elif key == curses.KEY_END and self.current_view == 'main': # End
max_items = self._get_total_display_items(flows_list)
self.selected_flow = max_items - 1
return 'selection_change'
return 'none'
def _get_total_display_items(self, flows_list: List[FlowStats]) -> int:
"""Calculate total number of selectable items (flows + frame types)"""
total = 0
for flow in flows_list:
total += 1 # Flow itself
total += len(flow.frame_types) # Frame types under this flow
return total
def get_status_bar_text(self) -> str:
"""Get status bar text based on current view"""
if self.current_view == 'main':
timeline_status = "ON" if self.show_timeline else "OFF"
return f"[↑↓]navigate [PgUp/PgDn]scroll [t]imeline:{timeline_status} [d]issection [q]uit"
elif self.current_view == 'dissection':
return "[m]ain view [q]uit"
else:
return "[m]ain [d]issection [q]uit"

9
analyzer/tui/panels/__init__.py Normal file
View File

@@ -0,0 +1,9 @@
"""
TUI Panel components
"""
from .flow_list import FlowListPanel
from .detail_panel import DetailPanel
from .timeline import TimelinePanel
__all__ = ['FlowListPanel', 'DetailPanel', 'TimelinePanel']

177
analyzer/tui/panels/detail_panel.py Normal file
View File

@@ -0,0 +1,177 @@
"""
Right panel - Flow details with frame type table
"""
from typing import List, Optional, Tuple
import curses
from ...models import FlowStats, FrameTypeStats
class DetailPanel:
"""Right panel showing detailed flow information"""
def draw(self, stdscr, x_offset: int, y_offset: int, width: int,
flows_list: List[FlowStats], selected_flow: int, max_height: Optional[int] = None):
"""Draw detailed information panel for selected flow or frame type"""
if not flows_list:
stdscr.addstr(y_offset, x_offset, "No flows available")
return
# Get the selected flow and frame type
flow, selected_frame_type = self._get_selected_flow_and_frame_type(flows_list, selected_flow)
if not flow:
stdscr.addstr(y_offset, x_offset, "No flow selected")
return
if max_height is None:
height, _ = stdscr.getmaxyx()
max_lines = height - y_offset - 2
else:
max_lines = y_offset + max_height
try:
# ALWAYS show flow details first
stdscr.addstr(y_offset, x_offset, f"FLOW DETAILS: {flow.src_ip} -> {flow.dst_ip}", curses.A_BOLD)
y_offset += 2
stdscr.addstr(y_offset, x_offset, f"Packets: {flow.frame_count} | Bytes: {flow.total_bytes:,}")
y_offset += 1
# Frame types table
if flow.frame_types and y_offset < max_lines:
y_offset += 1
stdscr.addstr(y_offset, x_offset, "Frame Types:", curses.A_BOLD)
y_offset += 1
# Table header
header = f"{'Type':<12} {'#Pkts':<6} {'Bytes':<8} {'Avg ΔT':<8} {'2σ Out':<6}"
stdscr.addstr(y_offset, x_offset, header, curses.A_UNDERLINE)
y_offset += 1
sorted_frame_types = sorted(flow.frame_types.items(), key=lambda x: x[1].count, reverse=True)
for frame_type, ft_stats in sorted_frame_types:
if y_offset >= max_lines:
break
avg_str = f"{ft_stats.avg_inter_arrival:.3f}s" if ft_stats.avg_inter_arrival > 0 else "N/A"
bytes_str = f"{ft_stats.total_bytes:,}" if ft_stats.total_bytes < 10000 else f"{ft_stats.total_bytes/1000:.1f}K"
outliers_count = len(ft_stats.outlier_details) if ft_stats.outlier_details else 0
# Truncate frame type name if too long
type_name = frame_type[:11] if len(frame_type) > 11 else frame_type
ft_line = f"{type_name:<12} {ft_stats.count:<6} {bytes_str:<8} {avg_str:<8} {outliers_count:<6}"
stdscr.addstr(y_offset, x_offset, ft_line)
y_offset += 1
# Timing statistics
if y_offset < max_lines:
y_offset += 1
stdscr.addstr(y_offset, x_offset, "Timing:", curses.A_BOLD)
y_offset += 1
if flow.avg_inter_arrival > 0:
stdscr.addstr(y_offset, x_offset + 2, f"Avg: {flow.avg_inter_arrival:.6f}s")
y_offset += 1
if y_offset < max_lines:
stdscr.addstr(y_offset, x_offset + 2, f"Std: {flow.std_inter_arrival:.6f}s")
y_offset += 1
else:
stdscr.addstr(y_offset, x_offset + 2, "No timing data")
y_offset += 1
# Display outlier frame details for each frame type
if flow.frame_types and y_offset < max_lines:
outlier_frame_types = [(frame_type, ft_stats) for frame_type, ft_stats in flow.frame_types.items()
if ft_stats.outlier_details]
if outlier_frame_types:
y_offset += 1
if y_offset < max_lines:
stdscr.addstr(y_offset, x_offset, "Outlier Frames:", curses.A_BOLD)
y_offset += 1
for frame_type, ft_stats in outlier_frame_types:
if y_offset >= max_lines:
break
# Display frame type header
if y_offset < max_lines:
stdscr.addstr(y_offset, x_offset + 2, f"{frame_type}:", curses.A_UNDERLINE)
y_offset += 1
# Display outlier details as individual table rows in format "frame# | deltaT"
for frame_num, frame_inter_arrival_time in ft_stats.outlier_details:
if y_offset >= max_lines:
break
outlier_line = f"{frame_num} | {frame_inter_arrival_time:.3f}s"
stdscr.addstr(y_offset, x_offset + 4, outlier_line)
y_offset += 1
# If a frame type is selected, show additional frame type specific details
if selected_frame_type and selected_frame_type in flow.frame_types and y_offset < max_lines:
ft_stats = flow.frame_types[selected_frame_type]
# Add separator
y_offset += 2
if y_offset < max_lines:
stdscr.addstr(y_offset, x_offset, "" * min(width-2, 40))
y_offset += 1
# Frame type specific header
if y_offset < max_lines:
stdscr.addstr(y_offset, x_offset, f"FRAME TYPE: {selected_frame_type}", curses.A_BOLD)
y_offset += 2
# Frame type specific info
if y_offset < max_lines:
stdscr.addstr(y_offset, x_offset, f"Count: {ft_stats.count}")
y_offset += 1
if y_offset < max_lines:
stdscr.addstr(y_offset, x_offset, f"Bytes: {ft_stats.total_bytes:,}")
y_offset += 1
# Frame type timing
if y_offset < max_lines:
y_offset += 1
stdscr.addstr(y_offset, x_offset, "Timing:", curses.A_BOLD)
y_offset += 1
if ft_stats.avg_inter_arrival > 0:
if y_offset < max_lines:
stdscr.addstr(y_offset, x_offset + 2, f"Avg: {ft_stats.avg_inter_arrival:.6f}s")
y_offset += 1
if y_offset < max_lines:
stdscr.addstr(y_offset, x_offset + 2, f"Std: {ft_stats.std_inter_arrival:.6f}s")
y_offset += 1
else:
if y_offset < max_lines:
stdscr.addstr(y_offset, x_offset + 2, "No timing data")
y_offset += 1
except curses.error:
# Ignore curses errors from writing outside screen bounds
pass
def _get_selected_flow_and_frame_type(self, flows_list: List[FlowStats],
selected_flow: int) -> Tuple[Optional[FlowStats], Optional[str]]:
"""Get the currently selected flow and frame type based on selection index"""
current_item = 0
for flow in flows_list:
if current_item == selected_flow:
return flow, None # Selected the main flow
current_item += 1
# Check frame types for this flow
if flow.frame_types:
sorted_frame_types = sorted(flow.frame_types.items(), key=lambda x: x[1].count, reverse=True)
for frame_type, ft_stats in sorted_frame_types:
if current_item == selected_flow:
return flow, frame_type # Selected a frame type
current_item += 1
# Fallback to first flow if selection is out of bounds
return flows_list[0] if flows_list else None, None

127
analyzer/tui/panels/flow_list.py Normal file
View File

@@ -0,0 +1,127 @@
"""
Left panel - Flow list with frame type breakdowns
"""
from typing import List, Optional
import curses
from ...models import FlowStats
class FlowListPanel:
"""Left panel showing flows and frame type breakdowns"""
def __init__(self):
self.selected_item = 0
self.scroll_offset = 0
def draw(self, stdscr, x_offset: int, y_offset: int, width: int, height: int,
flows_list: List[FlowStats], selected_flow: int):
"""Draw the flow list panel"""
# Draw flows table header
stdscr.addstr(y_offset, x_offset, "FLOWS:", curses.A_BOLD)
headers = f"{'Source IP':15} {'Dest IP':15} {'Pkts':5} {'Protocol':18} {'ΔT Avg':10} {'Out':4}"
stdscr.addstr(y_offset + 1, x_offset, headers[:width-1], curses.A_UNDERLINE)
# Calculate scrolling parameters
start_row = y_offset + 2
max_rows = height - 3 # Account for header and title
total_items = self._get_total_display_items(flows_list)
# Calculate scroll offset to keep selected item visible
scroll_offset = self._calculate_scroll_offset(selected_flow, max_rows, total_items)
# Draw flows list with frame type breakdowns
current_row = start_row
display_item = 0 # Track selectable items (flows + frame types)
visible_items = 0 # Track items actually drawn
for flow_idx, flow in enumerate(flows_list):
# Check if main flow line should be displayed
if display_item >= scroll_offset and visible_items < max_rows:
# Draw main flow line
protocol_str = self._get_protocol_display(flow)
avg_time = f"{flow.avg_inter_arrival:.3f}s" if flow.avg_inter_arrival > 0 else "N/A"
line = f"{flow.src_ip:15} {flow.dst_ip:15} {flow.frame_count:5} {protocol_str:18} {avg_time:10} {'':4}"
if display_item == selected_flow:
stdscr.addstr(current_row, x_offset, line[:width-1], curses.A_REVERSE)
else:
stdscr.addstr(current_row, x_offset, line[:width-1], curses.A_BOLD)
current_row += 1
visible_items += 1
display_item += 1
# Draw frame type breakdowns for this flow
if flow.frame_types:
sorted_frame_types = sorted(flow.frame_types.items(), key=lambda x: x[1].count, reverse=True)
for frame_type, ft_stats in sorted_frame_types:
if display_item >= scroll_offset and visible_items < max_rows:
# Calculate frame type timing display
ft_avg = f"{ft_stats.avg_inter_arrival:.3f}s" if ft_stats.avg_inter_arrival > 0 else "N/A"
outlier_count = len(ft_stats.outlier_details) if ft_stats.outlier_details else 0
# Create frame type line aligned with columns
ft_line = f"{'':15} {'':15} {ft_stats.count:5} {frame_type:18} {ft_avg:10} {outlier_count:4}"
if display_item == selected_flow:
stdscr.addstr(current_row, x_offset, ft_line[:width-1], curses.A_REVERSE)
else:
stdscr.addstr(current_row, x_offset, ft_line[:width-1])
current_row += 1
visible_items += 1
display_item += 1
def _get_protocol_display(self, flow: FlowStats) -> str:
"""Get display string for flow protocols"""
if flow.detected_protocol_types:
# Prioritize specialized protocols
specialized = {'CHAPTER10', 'PTP', 'IENA'}
found_specialized = flow.detected_protocol_types & specialized
if found_specialized:
return list(found_specialized)[0]
# Use first detected protocol type
return list(flow.detected_protocol_types)[0]
# Fallback to basic protocols
if flow.protocols:
return list(flow.protocols)[0]
return "Unknown"
def _get_total_display_items(self, flows_list: List[FlowStats]) -> int:
"""Calculate total number of selectable items (flows + frame types)"""
total = 0
for flow in flows_list:
total += 1 # Flow itself
total += len(flow.frame_types) # Frame types under this flow
return total
def _calculate_scroll_offset(self, selected_item: int, max_visible: int, total_items: int) -> int:
"""Calculate scroll offset to keep selected item visible"""
if total_items <= max_visible:
return 0 # No scrolling needed
# Keep selected item in the middle third of visible area when possible
middle_position = max_visible // 3
# Calculate ideal scroll offset
scroll_offset = max(0, selected_item - middle_position)
# Ensure we don't scroll past the end
max_scroll = max(0, total_items - max_visible)
scroll_offset = min(scroll_offset, max_scroll)
return scroll_offset
def get_total_display_items(self, flows_list: List[FlowStats]) -> int:
"""Public method to get total display items"""
return self._get_total_display_items(flows_list)

269
analyzer/tui/panels/timeline.py Normal file
View File

@@ -0,0 +1,269 @@
"""
Bottom panel - Timeline visualization
"""
from typing import List, Tuple, Optional
import curses
from ...models import FlowStats, FrameTypeStats
class TimelinePanel:
"""Bottom panel for timeline visualization"""
def draw(self, stdscr, x_offset: int, y_offset: int, width: int, height: int,
flows_list: List[FlowStats], selected_flow: int):
"""Draw timeline visualization panel for selected flow or frame type"""
if not flows_list or height < 5:
return
# Get the selected flow and frame type
flow, selected_frame_type = self._get_selected_flow_and_frame_type(flows_list, selected_flow)
if not flow:
return
try:
# Panel header
stdscr.addstr(y_offset, x_offset, "TIMING VISUALIZATION", curses.A_BOLD)
if selected_frame_type:
stdscr.addstr(y_offset + 1, x_offset, f"Flow: {flow.src_ip} -> {flow.dst_ip} | Frame Type: {selected_frame_type}")
else:
stdscr.addstr(y_offset + 1, x_offset, f"Flow: {flow.src_ip} -> {flow.dst_ip} | All Frames")
# Get the appropriate data for timeline
if selected_frame_type and selected_frame_type in flow.frame_types:
# Use frame type specific data
ft_stats = flow.frame_types[selected_frame_type]
if len(ft_stats.inter_arrival_times) < 2:
stdscr.addstr(y_offset + 2, x_offset, f"Insufficient data for {selected_frame_type} timeline")
return
deviations = self._calculate_frame_type_deviations(ft_stats)
timeline_flow = ft_stats # Use frame type stats for timeline
else:
# Use overall flow data
if len(flow.inter_arrival_times) < 2:
stdscr.addstr(y_offset + 2, x_offset, "Insufficient data for timeline")
return
deviations = self._calculate_frame_deviations(flow)
timeline_flow = flow # Use overall flow stats for timeline
if not deviations:
stdscr.addstr(y_offset + 2, x_offset, "No timing data available")
return
# Timeline dimensions
timeline_width = width - 10 # Leave space for labels
timeline_height = height - 6 # Leave space for header, labels, and time scale
timeline_y = y_offset + 3
timeline_x = x_offset + 5
# Draw timeline
self._draw_ascii_timeline(stdscr, timeline_x, timeline_y, timeline_width,
timeline_height, deviations, timeline_flow)
except curses.error:
# Ignore curses errors from writing outside screen bounds
pass
def _get_selected_flow_and_frame_type(self, flows_list: List[FlowStats],
selected_flow: int) -> Tuple[Optional[FlowStats], Optional[str]]:
"""Get the currently selected flow and frame type based on selection index"""
current_item = 0
for flow in flows_list:
if current_item == selected_flow:
return flow, None # Selected the main flow
current_item += 1
# Check frame types for this flow
if flow.frame_types:
sorted_frame_types = sorted(flow.frame_types.items(), key=lambda x: x[1].count, reverse=True)
for frame_type, ft_stats in sorted_frame_types:
if current_item == selected_flow:
return flow, frame_type # Selected a frame type
current_item += 1
# Fallback to first flow if selection is out of bounds
return flows_list[0] if flows_list else None, None
def _calculate_frame_deviations(self, flow: FlowStats) -> List[Tuple[int, float]]:
"""Calculate frame deviations from average inter-arrival time"""
if len(flow.inter_arrival_times) < 1 or flow.avg_inter_arrival == 0:
return []
deviations = []
# Each inter_arrival_time[i] is between frame[i] and frame[i+1]
for i, inter_time in enumerate(flow.inter_arrival_times):
if i + 1 < len(flow.frame_numbers):
frame_num = flow.frame_numbers[i + 1] # The frame that this inter-arrival time leads to
deviation = inter_time - flow.avg_inter_arrival
deviations.append((frame_num, deviation))
return deviations
def _calculate_frame_type_deviations(self, ft_stats: FrameTypeStats) -> List[Tuple[int, float]]:
"""Calculate frame deviations for a specific frame type"""
if len(ft_stats.inter_arrival_times) < 1 or ft_stats.avg_inter_arrival == 0:
return []
deviations = []
# Each inter_arrival_time[i] is between frame[i] and frame[i+1]
for i, inter_time in enumerate(ft_stats.inter_arrival_times):
if i + 1 < len(ft_stats.frame_numbers):
frame_num = ft_stats.frame_numbers[i + 1] # The frame that this inter-arrival time leads to
deviation = inter_time - ft_stats.avg_inter_arrival
deviations.append((frame_num, deviation))
return deviations
def _draw_ascii_timeline(self, stdscr, x_offset: int, y_offset: int, width: int, height: int,
deviations: List[Tuple[int, float]], flow):
"""Draw ASCII timeline chart"""
if not deviations or width < 10 or height < 3:
return
# Find min/max deviations for scaling
deviation_values = [dev for _, dev in deviations]
max_deviation = max(abs(min(deviation_values)), max(deviation_values))
if max_deviation == 0:
max_deviation = 0.001 # Avoid division by zero
# Calculate center line
center_y = y_offset + height // 2
# Draw center line (represents average timing)
center_line = "" * width
stdscr.addstr(center_y, x_offset, center_line)
# Add center line label
if x_offset > 4:
stdscr.addstr(center_y, x_offset - 4, "AVG")
# Scale factor for vertical positioning
scale_factor = (height // 2) / max_deviation
# Always scale to use the entire width
# Calculate the time span of the data
if len(flow.timestamps) < 2:
return
start_time = flow.timestamps[0]
end_time = flow.timestamps[-1]
time_span = end_time - start_time
if time_span <= 0:
return
# Create a mapping from deviation frame numbers to actual timestamps
frame_to_timestamp = {}
for i, (frame_num, deviation) in enumerate(deviations):
if i < len(flow.timestamps):
frame_to_timestamp[frame_num] = flow.timestamps[i]
# Plot points across entire width
for x in range(width):
# Calculate which timestamp this x position represents
time_ratio = x / (width - 1) if width > 1 else 0
target_time = start_time + (time_ratio * time_span)
# Find the closest deviation to this time
closest_deviation = None
min_time_diff = float('inf')
for frame_num, deviation in deviations:
# Use the correct timestamp mapping
if frame_num in frame_to_timestamp:
frame_time = frame_to_timestamp[frame_num]
time_diff = abs(frame_time - target_time)
if time_diff < min_time_diff:
min_time_diff = time_diff
closest_deviation = deviation
if closest_deviation is not None:
# Calculate vertical position
y_pos = center_y - int(closest_deviation * scale_factor)
y_pos = max(y_offset, min(y_offset + height - 1, y_pos))
# Choose character based on deviation magnitude
char = self._get_timeline_char(closest_deviation, flow.avg_inter_arrival)
# Draw the point
try:
stdscr.addstr(y_pos, x_offset + x, char)
except curses.error:
pass
# Draw scale labels and timeline info
self._draw_timeline_labels(stdscr, x_offset, y_offset, width, height,
max_deviation, deviations, flow, time_span)
def _get_timeline_char(self, deviation: float, avg_time: float) -> str:
"""Get character representation for timeline point based on deviation"""
if abs(deviation) < avg_time * 0.1: # Within 10% of average
return "·"
elif abs(deviation) < avg_time * 0.5: # Within 50% of average
return "" if deviation > 0 else ""
else: # Significant deviation (outlier)
return "" if deviation > 0 else ""
def _draw_timeline_labels(self, stdscr, x_offset: int, y_offset: int, width: int, height: int,
max_deviation: float, deviations: List[Tuple[int, float]],
flow, time_span: float):
"""Draw timeline labels and summary information"""
# Draw scale labels
if height >= 5:
# Top label (positive deviation)
top_dev = max_deviation
if x_offset > 4:
stdscr.addstr(y_offset, x_offset - 4, f"+{top_dev:.2f}s")
# Bottom label (negative deviation)
bottom_dev = -max_deviation
if x_offset > 4:
stdscr.addstr(y_offset + height - 1, x_offset - 4, f"{bottom_dev:.2f}s")
# Timeline info with time scale above summary
info_y = y_offset + height + 1
if info_y < y_offset + height + 3: # Make sure we have space for two lines
total_frames = len(deviations)
# First line: Time scale
relative_start = 0.0
relative_end = time_span
relative_middle = time_span / 2
# Format time scale labels
start_label = f"{relative_start:.1f}s"
middle_label = f"{relative_middle:.1f}s"
end_label = f"{relative_end:.1f}s"
# Draw time scale labels at left, middle, right
stdscr.addstr(info_y, x_offset, start_label)
# Middle label
middle_x = x_offset + width // 2 - len(middle_label) // 2
if middle_x > x_offset + len(start_label) + 1 and middle_x + len(middle_label) < x_offset + width - len(end_label) - 1:
stdscr.addstr(info_y, middle_x, middle_label)
# Right label
end_x = x_offset + width - len(end_label)
if end_x > x_offset + len(start_label) + 1:
stdscr.addstr(info_y, end_x, end_label)
# Second line: Frame count and deviation range
summary_y = info_y + 1
if summary_y < y_offset + height + 3:
left_info = f"Frames: {total_frames} | Range: ±{max_deviation:.3f}s"
stdscr.addstr(summary_y, x_offset, left_info)
# Right side outliers count with 2σ threshold
threshold_2sigma = flow.avg_inter_arrival + (2 * flow.std_inter_arrival)
outliers_info = f"Outliers: {len(flow.outlier_frames)} (>2σ: {threshold_2sigma:.4f}s)"
outliers_x = x_offset + width - len(outliers_info)
if outliers_x > x_offset + len(left_info) + 2: # Make sure there's space
stdscr.addstr(summary_y, outliers_x, outliers_info)

8
analyzer/utils/__init__.py Normal file
View File

@@ -0,0 +1,8 @@
"""
Utility modules for the Ethernet Traffic Analyzer
"""
from .pcap_loader import PCAPLoader
from .live_capture import LiveCapture
__all__ = ['PCAPLoader', 'LiveCapture']

129
analyzer/utils/live_capture.py Normal file
View File

@@ -0,0 +1,129 @@
"""
Live network capture utilities
"""
import sys
import threading
import time
from typing import Callable, Optional, List
try:
from scapy.all import sniff, Packet, get_if_list
except ImportError:
print("Error: scapy library required. Install with: pip install scapy")
sys.exit(1)
class LiveCapture:
"""Utility class for live network capture"""
def __init__(self, interface: Optional[str] = None, filter_str: Optional[str] = None):
self.interface = interface
self.filter_str = filter_str
self.is_capturing = False
self.stop_requested = False
self.packet_count = 0
self.capture_thread: Optional[threading.Thread] = None
self.packet_handlers: List[Callable[[Packet, int], None]] = []
def add_packet_handler(self, handler: Callable[[Packet, int], None]) -> None:
"""Add a packet handler function"""
self.packet_handlers.append(handler)
def remove_packet_handler(self, handler: Callable[[Packet, int], None]) -> None:
"""Remove a packet handler function"""
if handler in self.packet_handlers:
self.packet_handlers.remove(handler)
def start_capture(self, threaded: bool = True) -> None:
"""Start packet capture"""
if self.is_capturing:
raise RuntimeError("Capture is already running")
self.stop_requested = False
self.packet_count = 0
if threaded:
self.capture_thread = threading.Thread(target=self._capture_loop, daemon=True)
self.capture_thread.start()
else:
self._capture_loop()
def stop_capture(self) -> None:
"""Stop packet capture"""
self.stop_requested = True
if self.capture_thread and self.capture_thread.is_alive():
self.capture_thread.join(timeout=5.0)
if self.capture_thread.is_alive():
print("Warning: Capture thread did not stop gracefully")
def _capture_loop(self) -> None:
"""Main capture loop"""
self.is_capturing = True
try:
def packet_handler(packet: Packet) -> None:
if self.stop_requested:
return
self.packet_count += 1
# Call all registered handlers
for handler in self.packet_handlers:
try:
handler(packet, self.packet_count)
except Exception as e:
print(f"Error in packet handler: {e}")
sniff(
iface=self.interface,
filter=self.filter_str,
prn=packet_handler,
stop_filter=lambda x: self.stop_requested
)
except Exception as e:
print(f"Error during live capture: {e}")
finally:
self.is_capturing = False
def get_capture_stats(self) -> dict:
"""Get capture statistics"""
return {
'is_capturing': self.is_capturing,
'packet_count': self.packet_count,
'interface': self.interface,
'filter': self.filter_str
}
@staticmethod
def list_interfaces() -> List[str]:
"""List available network interfaces"""
try:
return get_if_list()
except Exception as e:
print(f"Error listing interfaces: {e}")
return []
@staticmethod
def validate_interface(interface: str) -> bool:
"""Validate that an interface exists"""
try:
available_interfaces = LiveCapture.list_interfaces()
return interface in available_interfaces
except Exception:
return False
@staticmethod
def test_capture_permissions() -> bool:
"""Test if we have permissions for packet capture"""
try:
# Try a very short capture to test permissions
def dummy_handler(packet):
pass
sniff(count=1, timeout=1, prn=dummy_handler)
return True
except Exception:
return False

96
analyzer/utils/pcap_loader.py Normal file
View File

@@ -0,0 +1,96 @@
"""
PCAP file loading utilities
"""
import sys
from typing import List, Iterator, Optional
try:
from scapy.all import rdpcap, PcapReader, Packet
except ImportError:
print("Error: scapy library required. Install with: pip install scapy")
sys.exit(1)
class PCAPLoader:
"""Utility class for loading PCAP files"""
def __init__(self, file_path: str):
self.file_path = file_path
self._packet_count: Optional[int] = None
def load_all(self) -> List[Packet]:
"""Load all packets from the PCAP file"""
try:
packets = rdpcap(self.file_path)
self._packet_count = len(packets)
return packets
except Exception as e:
raise IOError(f"Error loading PCAP file {self.file_path}: {e}")
def load_streaming(self, chunk_size: int = 1000) -> Iterator[List[Packet]]:
"""Load packets in chunks for memory efficiency"""
try:
with PcapReader(self.file_path) as pcap_reader:
chunk = []
for packet in pcap_reader:
chunk.append(packet)
if len(chunk) >= chunk_size:
yield chunk
chunk = []
# Yield remaining packets
if chunk:
yield chunk
except Exception as e:
raise IOError(f"Error streaming PCAP file {self.file_path}: {e}")
def get_packet_count(self) -> Optional[int]:
"""Get the total number of packets (if loaded)"""
return self._packet_count
def validate_file(self) -> bool:
"""Validate that the file exists and is a valid PCAP"""
try:
with PcapReader(self.file_path) as pcap_reader:
# Try to read first packet
next(iter(pcap_reader))
return True
except (IOError, StopIteration):
return False
except Exception:
return False
@staticmethod
def get_file_info(file_path: str) -> dict:
"""Get basic information about a PCAP file"""
try:
packet_count = 0
first_timestamp = None
last_timestamp = None
total_bytes = 0
with PcapReader(file_path) as pcap_reader:
for packet in pcap_reader:
packet_count += 1
total_bytes += len(packet)
if first_timestamp is None:
first_timestamp = float(packet.time)
last_timestamp = float(packet.time)
duration = (last_timestamp - first_timestamp) if first_timestamp and last_timestamp else 0
return {
'file_path': file_path,
'packet_count': packet_count,
'total_bytes': total_bytes,
'duration_seconds': duration,
'first_timestamp': first_timestamp,
'last_timestamp': last_timestamp,
'avg_packet_rate': packet_count / duration if duration > 0 else 0
}
except Exception as e:
return {'error': str(e)}

18
ethernet_analyzer_modular.py Normal file
View File

@@ -0,0 +1,18 @@
#!/usr/bin/env python3
"""
Modular Ethernet Traffic Analyzer - Entry point that uses the new modular structure
This script provides the same interface as the original ethernet_analyzer.py
but uses the new modular architecture for better maintainability.
"""
import sys
import os
# Add the analyzer package to the path
sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
from analyzer.main import main
if __name__ == "__main__":
main()

6
started Normal file
View File

@@ -0,0 +1,6 @@
Script started on Fri Jul 25 15:24:50 2025
Command: on Fri Jul 25 15:23:57 2025
Script: on: No such file or directory
Command exit status: 1
Script done on Fri Jul 25 15:24:50 2025