# StreamLens - Ethernet Traffic Analyzer

Advanced TUI-based network traffic analyzer for pcap files and live streams with specialized protocol dissection for aviation and industrial networks. Features sigma-based outlier identification and real-time statistical analysis.

## Quick Start

```bash
# Install dependencies
pip install scapy numpy

# Analyze pcap file with TUI (flows sorted by largest sigma outliers)
python ethernet_analyzer_modular.py --pcap file.pcap

# Live capture with real-time statistics
python ethernet_analyzer_modular.py --live --interface eth0

# Console output with outlier reporting
python ethernet_analyzer_modular.py --pcap file.pcap --no-tui

# Generate comprehensive outlier report
python ethernet_analyzer_modular.py --pcap file.pcap --report

# Get pcap file information
python ethernet_analyzer_modular.py --pcap file.pcap --info

# Adjust outlier threshold (default: 3.0 sigma)
python ethernet_analyzer_modular.py --pcap file.pcap --outlier-threshold 2.0

# With BPF filter for live capture
python ethernet_analyzer_modular.py --live --filter "port 319 or port 320"
```

Live capture opens a raw socket, so on Linux it must run as root or with the `CAP_NET_RAW` capability; pcap analysis needs no special privileges.

## Features

### Enhanced TUI Interface

- **Three-Panel Layout**: Flows list (top-left), flow details (top-right), timing visualization (bottom)
- **Sigma-Based Flow Sorting**: Flows automatically sorted by largest outlier sigma deviation
- **Real-time Navigation**: Arrow keys to navigate between flows with instant detail updates
- **Protocol-aware Display**: Shows detected protocols in flow list and details
- **Smart Protocol Detection**: Prioritizes specialized protocols (Chapter 10, PTP, IENA) over generic ones
- **Detailed Outlier Analysis**: Individual rows showing frame numbers and exact time deltas for outlier packets
- **Visual Timeline**: ASCII timeline showing frame timing deviations with outlier highlighting
- **Live Statistics**: Real-time running averages and outlier detection during capture

### Core Analysis Engine

- **Flow-based Analysis**: Groups packets by source-destination IP pairs with timing statistics
- **Configurable Outlier Detection**: Adjustable sigma threshold (default: 3.0σ)
- **Multi-layer Protocol Analysis**: Ethernet, IP, UDP, TCP with specialized dissectors
- **Real-time Statistical Updates**: Running statistics for live capture mode
- **High Jitter Flow Identification**: Coefficient of variation analysis

### Specialized Protocol Dissectors

- **Chapter 10 (IRIG 106-17)**: Complete packet dissection including data types, timestamps, and payload analysis
- **PTP (IEEE 1588-2019)**: Precision Time Protocol message parsing with sync, delay, and announce messages
- **IENA (Airbus)**: Industrial Ethernet Network Architecture with P/D/N/M/Q message types

### Protocol Detection & Fallbacks

- Automatic protocol identification based on port numbers and packet structure
- Fallback to common protocols: HTTP, HTTPS, SSH, DNS, DHCP, NTP, SNMP, IGMP, ICMP
- Multicast detection for aviation/industrial networks
- Enhanced error handling and validation

## Installation

```bash
# Clone or download the project
cd streamlens

# Install dependencies
pip install scapy numpy

# Run the analyzer
python ethernet_analyzer_modular.py --help
```

## Key Features Highlights

### 🎯 Sigma-Based Flow Prioritization

Flows are automatically sorted by their largest outlier sigma deviation, putting the most problematic flows at the top of the list for immediate attention.

### 📊 Real-time Statistics

Live capture mode provides running averages and outlier detection as packets arrive, with TUI updates every 500 ms.

### 🔍 Configurable Analysis

Adjust outlier detection sensitivity with `--outlier-threshold` (default: 3.0σ) to fine-tune analysis for your specific network conditions.

### 📈 Comprehensive Reporting

Generate detailed outlier reports with the `--report` flag showing frame-by-frame sigma deviations and timing analysis.
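The PTP dissector listed under Specialized Protocol Dissectors parses the IEEE 1588 common header, and the detection logic above identifies a protocol from "port numbers and packet structure". The following is an added example of what such a dissector has to check before trusting a payload; it is not StreamLens' own `analyzer/protocols/ptp.py`. It assumes the 34-byte common header layout and messageType codes of IEEE 1588-2008/2019, and the Sync message it parses is constructed here rather than taken from a capture.

```python
"""PTP (IEEE 1588) common-header dissector for UDP port 319/320 payloads.

Added example, not StreamLens code. Assumes the standard 34-byte common
header and messageType codes; build_sync() produces constructed sample data.
"""
import struct

PTP_EVENT_PORT, PTP_GENERAL_PORT = 319, 320
HEADER_LEN = 34
MESSAGE_TYPES = {
    0x0: "Sync", 0x1: "Delay_Req", 0x2: "Pdelay_Req", 0x3: "Pdelay_Resp",
    0x8: "Follow_Up", 0x9: "Delay_Resp", 0xA: "Pdelay_Resp_Follow_Up",
    0xB: "Announce", 0xC: "Signaling", 0xD: "Management",
}
# transportSpecific|messageType, reserved|versionPTP, messageLength, domainNumber,
# minorSdoId, flagField, correctionField, messageTypeSpecific, clockIdentity,
# portNumber, sequenceId, controlField, logMessageInterval  (34 bytes total)
_HDR = struct.Struct("!BBHBBHq4s8sHHBb")


class PTPError(ValueError):
    """Payload is not a well-formed PTP message."""


def dissect_ptp(payload: bytes, udp_dport: int) -> dict:
    """Validate and parse the common header plus the leading Timestamp of
    Sync/Delay_Req/Follow_Up/Delay_Resp/Announce bodies."""
    if udp_dport not in (PTP_EVENT_PORT, PTP_GENERAL_PORT):
        raise PTPError(f"UDP port {udp_dport} is not a PTP port")
    if len(payload) < HEADER_LEN:
        raise PTPError(f"truncated header: {len(payload)} < {HEADER_LEN} bytes")
    (ts_mt, rsv_ver, msg_len, domain, _minor_sdo, flags, corr, _mts,
     clock_id, port_num, seq, _control, log_int) = _HDR.unpack_from(payload)
    version = rsv_ver & 0x0F
    if version not in (1, 2):
        raise PTPError(f"unsupported versionPTP {version}")
    # Never trust messageLength: it is attacker/garbage-controlled and drives all later slicing.
    if msg_len < HEADER_LEN or msg_len > len(payload):
        raise PTPError(f"messageLength {msg_len} inconsistent with {len(payload)}-byte payload")
    msg_type = ts_mt & 0x0F
    info = {
        "type": MESSAGE_TYPES.get(msg_type, f"Reserved(0x{msg_type:X})"),
        "version": version,
        "domain": domain,
        "two_step": bool(flags & 0x0200),          # twoStepFlag: bit 1 of flagField octet 0
        "correction_ns": corr / 65536,             # correctionField is nanoseconds << 16
        "clock_identity": clock_id.hex(),
        "port_number": port_num,
        "sequence_id": seq,
        "log_message_interval": log_int,
        # event messages (types 0-3) belong on 319, everything else on 320
        "port_ok": (udp_dport == PTP_EVENT_PORT) == (msg_type <= 0x3),
    }
    body = payload[HEADER_LEN:msg_len]
    if msg_type in (0x0, 0x1, 0x8, 0x9, 0xB):
        if len(body) < 10:
            raise PTPError(f"{info['type']} body too short for a Timestamp")
        sec_hi, sec_lo, nanos = struct.unpack_from("!HII", body)  # 48-bit s + 32-bit ns
        info["timestamp"] = ((sec_hi << 32) | sec_lo, nanos)
    return info


def is_valid_ptp(payload: bytes, udp_dport: int) -> bool:
    """Structure check a port-based detector can use before labelling a flow as PTP."""
    try:
        dissect_ptp(payload, udp_dport)
        return True
    except PTPError:
        return False


def build_sync(seq: int, seconds: int, nanos: int, two_step: bool = True) -> bytes:
    """Construct a version-2 Sync message (sample data, not captured traffic)."""
    hdr = _HDR.pack(0x00, 0x02, HEADER_LEN + 10, 0, 0, 0x0200 if two_step else 0, 0,
                    b"\0" * 4, bytes.fromhex("001122fffe334455"), 1, seq, 0x00, -3)
    return hdr + struct.pack("!HII", seconds >> 32, seconds & 0xFFFFFFFF, nanos)


if __name__ == "__main__":
    sample = build_sync(7, 1_700_000_000, 250_000_000)
    print(dissect_ptp(sample, PTP_EVENT_PORT))
    print("valid on 319:", is_valid_ptp(sample, 319), "truncated:", is_valid_ptp(sample[:20], 319))
```

The three checks before any field is interpreted (port, header length, and `messageLength` against the real payload size) are what keep a dissector safe on hostile or corrupted captures; `port_ok` additionally flags event messages that arrive on the general port, which is worth surfacing in a flow's details rather than silently accepting.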
## TUI Controls

- **↑↓**: Navigate between flows in main view
- **d**: Switch to frame dissection view
- **m** or **ESC**: Return to main view
- **q**: Quit application

## Timeline Visualization

The bottom panel displays a visual timeline of the selected flow's timing behavior:

- **Horizontal axis**: Progression through packet sequence
- **Vertical axis**: Deviation from average inter-arrival time (centered on average)
- **Characters**: `·` = normal timing, `•`/`○` = moderate deviation, `█`/`▄` = outliers
- **Scale**: Automatically adjusts to show full range of deviations
- **Info bar**: Shows total frames, deviation range, and outlier count

## Project Structure

```
streamlens/
├── ethernet_analyzer_modular.py    # Main entry point
├── analyzer/                       # Core analysis package
│   ├── main.py                     # CLI argument handling and main logic
│   ├── analysis/                   # Analysis engine
│   │   ├── core.py                 # Main analyzer class
│   │   ├── flow_manager.py         # Flow tracking and management
│   │   └── statistics.py           # Statistical analysis and outlier detection
│   ├── models/                     # Data structures
│   │   ├── flow_stats.py           # Flow and frame type statistics
│   │   └── analysis_results.py     # Analysis result containers
│   ├── protocols/                  # Protocol dissectors
│   │   ├── base.py                 # Base dissector interface
│   │   ├── chapter10.py            # IRIG106 telemetry protocol
│   │   ├── ptp.py                  # IEEE 1588 Precision Time Protocol
│   │   ├── iena.py                 # Airbus IENA protocol
│   │   └── standard.py             # Standard protocol detection
│   ├── tui/                        # Text User Interface
│   │   ├── interface.py            # Main TUI controller
│   │   ├── navigation.py           # Navigation handling
│   │   └── panels/                 # UI panel components
│   │       ├── flow_list.py        # Flow list panel
│   │       ├── detail_panel.py     # Flow details panel
│   │       └── timeline.py         # Timeline visualization panel
│   └── utils/                      # Utility modules
│       ├── pcap_loader.py          # PCAP file handling
│       └── live_capture.py         # Live network capture
└── *.pcapng                        # Sample capture files
```
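The sigma-based flow statistics described under Core Analysis Engine and Key Features Highlights (per-flow inter-arrival mean and deviation, running updates for live mode, coefficient of variation, sorting by largest outlier sigma) and the character mapping from Timeline Visualization, worked through as one added example. This is not the project's `analyzer/analysis/statistics.py` or `tui/panels/timeline.py`. It assumes packets arrive as `(frame_no, timestamp_s, src_ip, dst_ip)` tuples, that the page's `█`/`▄` distinguish late from early outliers, and that `•` and `○` mean 1σ and 2σ bands; the two flows in `build_sample()` are constructed, not captured.

```python
"""Flow inter-arrival statistics, sigma outlier detection and timeline characters.

Added example, not StreamLens code. Packet model and character bands are
assumptions stated in the lead-in; build_sample() returns constructed traffic.
"""
import math

_EPS = 1e-9  # assumption: a std below 1 ns is timestamp rounding, not jitter


class FlowStats:
    """Running (Welford) inter-arrival statistics for one src->dst flow."""

    def __init__(self, key):
        self.key = key
        self.last_ts = None
        self.deltas = []     # (frame_no, inter-arrival time) from the second frame on
        self.n = 0
        self.mean = 0.0
        self._m2 = 0.0       # sum of squared deviations from the running mean

    def add(self, frame_no, ts):
        """O(1) update per packet, so it works for live capture as well as pcaps."""
        if self.last_ts is not None:
            delta = ts - self.last_ts
            self.deltas.append((frame_no, delta))
            self.n += 1
            d = delta - self.mean
            self.mean += d / self.n
            self._m2 += d * (delta - self.mean)
        self.last_ts = ts

    @property
    def std(self):
        return math.sqrt(self._m2 / self.n) if self.n > 1 else 0.0

    @property
    def cov(self):
        """Coefficient of variation (std/mean), the high-jitter measure."""
        return self.std / self.mean if self.mean > 0 else 0.0

    def sigma(self, delta):
        """Signed deviation of one inter-arrival time in standard deviations."""
        return (delta - self.mean) / self.std if self.std > _EPS else 0.0

    def outliers(self, threshold=3.0):
        """(frame_no, delta, sigma) for every delta at or beyond the threshold."""
        return [(f, d, self.sigma(d)) for f, d in self.deltas if abs(self.sigma(d)) >= threshold]

    def max_sigma(self):
        return max((abs(self.sigma(d)) for _, d in self.deltas), default=0.0)

    def timeline(self, threshold=3.0):
        """One character per inter-arrival delta: · <1σ, • <2σ, ○ below threshold, █ late, ▄ early."""
        chars = []
        for _, d in self.deltas:
            z = self.sigma(d)
            if abs(z) >= threshold:
                chars.append("█" if z > 0 else "▄")
            elif abs(z) >= 2:
                chars.append("○")
            elif abs(z) >= 1:
                chars.append("•")
            else:
                chars.append("·")
        return "".join(chars)


def analyze(packets, threshold=3.0):
    """Group packets by (src, dst) and sort flows by their largest outlier sigma."""
    flows = {}
    for frame_no, ts, src, dst in packets:
        flows.setdefault((src, dst), FlowStats((src, dst))).add(frame_no, ts)
    return sorted(flows.values(), key=FlowStats.max_sigma, reverse=True)


def build_sample():
    """Constructed traffic: a 10 ms multicast stream with one 50 ms stall, then a 1 ms flow with mild jitter."""
    packets, frame, ts = [], 1, 0.0
    for i in range(20):
        if i == 12:
            ts += 0.050                  # the stall: frame 13 arrives 50 ms late
        packets.append((frame, ts, "10.1.1.10", "239.1.1.1"))
        frame, ts = frame + 1, ts + 0.010
    ts = 1.0
    for i in range(11):
        packets.append((frame, ts, "10.1.1.20", "10.1.1.30"))
        frame, ts = frame + 1, ts + (0.0011 if i % 3 == 1 else 0.0010)
    return packets


if __name__ == "__main__":
    for f in analyze(build_sample()):
        print(f"{f.key[0]} -> {f.key[1]}: mean {f.mean * 1e3:.3f} ms, cov {f.cov:.3f}, "
              f"max {f.max_sigma():.2f}σ, outliers {f.outliers()}")
        print("  " + f.timeline())
```

One caveat this exposes for the `--outlier-threshold` setting: with a population standard deviation, a single deviant delta among `n` can never exceed `sqrt(n-1)` sigma (the stall above lands at exactly `sqrt(18)` ≈ 4.24σ), so the default 3.0σ threshold cannot fire on a flow with fewer than 11 inter-arrival samples, and a short capture of a slow flow will report no outliers regardless of how bad its timing is.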