Class: Mu::Xtractr::Flow

Inherits:
Object
Includes:
Enumerable
Defined in:
lib/mu/xtractr/flow.rb,
lib/mu/xtractr/test/tc_flow.rb

Overview

xtractr.flows('flow.service:DNS flow.smsgs:0').count('dns.qry.name')

Defined Under Namespace

Classes: Test



Constructor Details

#initialize(xtractr, json) ⇒ Flow

:nodoc:



# File 'lib/mu/xtractr/flow.rb', line 79

# Build a Flow from one flow record of the JSON returned by the xtractr API.
#
# xtractr - the client used for follow-up requests (packets, stream, pcap)
# json    - the flow record; the keys read are id, time, duration, src, dst,
#           proto, sport, dport, service, title, packets, bytes, cmsgs, smsgs,
#           first and last
def initialize xtractr, json # :nodoc:
    @xtractr = xtractr

    # Scalar fields are copied straight out of the record.
    @id, @time, @duration = json.values_at('id', 'time', 'duration')
    @proto, @sport, @dport = json.values_at('proto', 'sport', 'dport')
    @title = json['title']
    @packets, @bytes = json.values_at('packets', 'bytes')
    @cmsgs, @smsgs = json.values_at('cmsgs', 'smsgs')

    # Endpoints and service are wrapped in their own model objects.
    @src = Host.new(xtractr, json['src'])
    @dst = Host.new(xtractr, json['dst'])
    @service = Service.new(xtractr, json['service'])

    # Packet ids of the flow's span; the packets themselves are fetched
    # lazily by #first and #last.
    @first_id, @last_id = json.values_at('first', 'last')

    # Iterating the flow means querying xtractr for packets tagged with this id.
    @iterator = Packets.new(xtractr, :q => "pkt.flow:#{id}")
end

Instance Attribute Details

#bytesObject (readonly)

The total number of bytes (request and response) in the flow.



# File 'lib/mu/xtractr/flow.rb', line 71

# The total bytes (request and response) in the flow, as carried in the
# flow record's 'bytes' field.
def bytes; @bytes; end

#cmsgsObject (readonly)

The logical client messages (payloads) in the flow.



# File 'lib/mu/xtractr/flow.rb', line 74

# The logical client messages (payloads) in the flow, from the record's
# 'cmsgs' field.
def cmsgs; @cmsgs; end

#dportObject (readonly)

The destination port of the flow (if applicable).



# File 'lib/mu/xtractr/flow.rb', line 59

# The destination port of the flow (if applicable), from the record's
# 'dport' field.
def dport; @dport; end

#dstObject (readonly)

The destination host of the flow.



# File 'lib/mu/xtractr/flow.rb', line 50

# The destination host of the flow (a Host built from the record's 'dst').
def dst; @dst; end

#durationObject (readonly)

The duration of the flow, determined by the first and last packet in the flow.



# File 'lib/mu/xtractr/flow.rb', line 44

# The duration of the flow, determined by its first and last packet; read
# from the record's 'duration' field.
def duration; @duration; end

#idObject (readonly)

The unique ID of the flow.



# File 'lib/mu/xtractr/flow.rb', line 38

# The unique ID of the flow, from the record's 'id' field; also the key used
# to query the flow's packets.
def id; @id; end

#packetsObject (readonly)

The total number of packets in the flow.



# File 'lib/mu/xtractr/flow.rb', line 68

# The total number of packets in the flow, from the record's 'packets' field.
def packets; @packets; end

#protoObject (readonly)

The IP protocol of the flow.



# File 'lib/mu/xtractr/flow.rb', line 53

# The IP protocol of the flow, from the record's 'proto' field.
def proto; @proto; end

#serviceObject (readonly)

The service of the flow (like DNS or HTTP).



# File 'lib/mu/xtractr/flow.rb', line 62

# The service of the flow (like DNS or HTTP), a Service built from the
# record's 'service' field.
def service; @service; end

#smsgsObject (readonly)

The logical server messages (payloads) in the flow.



# File 'lib/mu/xtractr/flow.rb', line 77

# The logical server messages (payloads) in the flow, from the record's
# 'smsgs' field.
def smsgs; @smsgs; end

#sportObject (readonly)

The source port of the flow (if applicable).



# File 'lib/mu/xtractr/flow.rb', line 56

# The source port of the flow (if applicable), from the record's 'sport' field.
def sport; @sport; end

#srcObject (readonly)

The source host of the flow.



# File 'lib/mu/xtractr/flow.rb', line 47

# The source host of the flow (a Host built from the record's 'src').
def src; @src; end

#timeObject (readonly)

The timestamp of the flow, determined by the first packet in the flow.



# File 'lib/mu/xtractr/flow.rb', line 41

# The timestamp of the flow, determined by its first packet; read from the
# record's 'time' field.
def time; @time; end

#titleObject (readonly)

The title of the flow.



# File 'lib/mu/xtractr/flow.rb', line 65

# The title of the flow, from the record's 'title' field.
def title; @title; end

#xtractrObject (readonly)

:nodoc:



# File 'lib/mu/xtractr/flow.rb', line 35

# The xtractr client this flow was loaded from; used for follow-up requests.
def xtractr; @xtractr; end # :nodoc:

Instance Method Details

#contentsObject

A convenience method to fetch the stream for this flow, extract the content and then return an array of contents.

xtractr.flows('flow.service:HTTP favicon.ico').each do |flow|
    flow.contents.each { |c| c.save }
end


# File 'lib/mu/xtractr/flow.rb', line 139

# Convenience wrapper: fetch the reassembled stream for this flow and return
# the array of contents extracted from it (see #stream).
#
#   xtractr.flows('flow.service:HTTP favicon.ico').each do |flow|
#       flow.contents.each { |c| c.save }
#   end
def contents
    reassembled = stream
    reassembled.contents
end

#each_packet(&blk) ⇒ Object Also known as: each

Iterate over each packet in this flow.

flow.each { |pkt| ... }


# File 'lib/mu/xtractr/flow.rb', line 120

# Iterate over each packet in this flow, yielding each one to the block.
# Aliased as #each, so the Enumerable methods mixed into Flow go through it.
# Returns self.
#
#   flow.each { |pkt| ... }
def each_packet(&blk) # :yields: packet
    @iterator.each(&blk)
    self
end

#firstObject

Return the first packet for this flow. Together the first and last packets make up the span of the flow. Read this blog to see how these spans enable flow visualization.

xtractr.flow(1).first.bytes


# File 'lib/mu/xtractr/flow.rb', line 105

# Return the first packet for this flow, fetched from xtractr on first use and
# memoized. Together the first and last packets make up the span of the flow.
#
#   xtractr.flow(1).first.bytes
def first
    @first = xtractr.packet(@first_id) unless @first
    @first
end

#inspectObject

:nodoc:



# File 'lib/mu/xtractr/flow.rb', line 155

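# One-line summary of the flow: id, service, source and destination
# endpoints and title, in the usual balanced "#<...>" form (the closing
# ">" is included so the output reads as a single token).
def inspect # :nodoc:
    "#<flow:#{id} #{service.name} #{src.address}:#{sport} > #{dst.address}:#{dport} #{title}>"
end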

#lastObject

Return the last packet for this flow. Together the first and last packets make up the span of the flow. Read this blog to see how these spans enable flow visualization.

xtractr.flow(2).last.bytes


# File 'lib/mu/xtractr/flow.rb', line 114

# Return the last packet for this flow, fetched from xtractr on first use and
# memoized. Together the first and last packets make up the span of the flow.
#
#   xtractr.flow(2).last.bytes
def last
    @last = xtractr.packet(@last_id) unless @last
    @last
end

#save(filename) ⇒ Object

Stitch together a pcap made up of all packets containing this flow and save it to the filename. It's possible for the packets to span multiple pcaps, but xtractr makes it seamless.

flow.save("foo.pcap")


# File 'lib/mu/xtractr/flow.rb', line 147

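# Stitch together a pcap of all packets in this flow (fetched from xtractr's
# packet slice API, which handles packets spanning multiple pcaps) and write
# it to filename. Returns self.
#
#   flow.save("foo.pcap")
def save filename
    # Fetch before touching the filesystem so a failed request does not leave
    # an empty or truncated file behind.
    pcap = xtractr.get "api/packets/slice", :q => "pkt.flow:#{id}"
    # File.open rather than Kernel#open: Kernel#open treats a filename that
    # starts with "|" as a command to spawn, so a caller-supplied name could
    # run a process instead of creating a file. "wb" writes the pcap bytes
    # untouched on platforms that would otherwise translate newlines.
    File.open(filename, "wb") { |ios| ios.write pcap }
    self
end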

#streamObject

Reassemble the TCP stream for this flow (assuming it's a TCP flow) and return the stream. This is the basis for doing content extraction from packets even if the packets span multiple pcaps.

xtractr.service('HTTP').flows.first.stream


# File 'lib/mu/xtractr/flow.rb', line 129

# Reassemble the TCP stream for this flow (assuming it's a TCP flow) and
# return it wrapped in a Stream. This is the basis for content extraction
# from packets even when they span multiple pcaps.
#
#   xtractr.service('HTTP').flows.first.stream
def stream
    reassembled = xtractr.json("api/flow/#{id}/stream")
    Stream.new(xtractr, self, reassembled)
end