Class: Mu::Xtractr::Flows

Inherits:
Object
  • Object
Includes:
Enumerable
Defined in:
lib/mu/xtractr/flows.rb,
lib/mu/xtractr/test/tc_flows.rb

Overview

over all the flows in the index.

Defined Under Namespace

Classes: Test

Constant Summary

MAX_PAGE_SIZE = 100 # :nodoc:

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(xtractr, opts) ⇒ Flows

:nodoc:



# File 'lib/mu/xtractr/flows.rb', line 27

def initialize xtractr, opts # :nodoc:
    # Work on a private copy so the default applied below never leaks back
    # into the caller's hash.
    options = opts.dup
    options[:q] ||= '*' # no query given means "match every flow"
    @xtractr = xtractr
    @opts = options
end

Instance Attribute Details

#xtractr ⇒ Object (readonly)

:nodoc:



# File 'lib/mu/xtractr/flows.rb', line 23

def xtractr
  # Read-only accessor for the client this collection issues its API
  # requests through; it is set once by the constructor.
  client = @xtractr
  client
end

Instance Method Details

#count(field) ⇒ Object

Count the unique values of the specified field amongst all the flows that matched the query.

xtractr.flows('index.html').count('http.request.uri')


# File 'lib/mu/xtractr/flows.rb', line 74

def count field
    # The counting itself lives in the shared Views helper; this method only
    # supplies the report endpoint and this collection's query options.
    report = '/api/flows/report'
    Views.count(xtractr, field, report, @opts)
end

#each_flow ⇒ Object Also known as: each

Iterate over each flow that matches the search criteria. Prefer calling this with a fine-grained query rather than flows.to_a, which tries to load every matching flow from the index.

xtractr.flows("flow.src:192.168.1.1").each { |flow| ... }


# File 'lib/mu/xtractr/flows.rb', line 41

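def each_flow() # :yields: flow
    # Without a block, return an Enumerator so the Enumerable helpers reached
    # through the `each` alias (each.first, lazy, ...) work instead of
    # raising LocalJumpError at the first yield.
    return enum_for(:each_flow) unless block_given?

    page_opts = @opts.dup
    page_opts[:start] ||= 1
    page_opts[:limit] ||= MAX_PAGE_SIZE

    loop do
        result = xtractr.json "api/flows", page_opts
        rows = result['rows']
        break if rows.empty?

        # A full page is yielded minus its last row: that row's id becomes the
        # next request's start (the API's start parameter is presumably an
        # inclusive id cursor), so the row is yielded at the head of the next
        # page rather than twice.
        rows[0, MAX_PAGE_SIZE-1].each do |row|
            yield Flow.new(xtractr, row)
        end

        # A short page means the index has no more matching flows.
        break if rows.size < MAX_PAGE_SIZE
        page_opts[:start] = rows[MAX_PAGE_SIZE-1]['id']
    end
    self
end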

#first ⇒ Object

Fetch the first flow that matched the query. This is mainly used for unit testing, but useful within IRB to experiment with method chaining.

flows.first.save("1.pcap")


# File 'lib/mu/xtractr/flows.rb', line 65

def first
    # Request a single row at the head of the result set, using the same
    # query this collection was built with.
    result = xtractr.json "api/flows", :start => 1, :limit => 1, :q => q
    rows = result['rows']
    return nil if rows.empty?
    Flow.new(xtractr, rows.first)
end

#inspect ⇒ Object

:nodoc:



# File 'lib/mu/xtractr/flows.rb', line 111

def inspect # :nodoc:
    # Show the query rather than the default object dump; it is the only
    # state that tells one Flows collection apart from another.
    format('#<flows:%s>', @opts[:q])
end

#q ⇒ Object

:nodoc:



# File 'lib/mu/xtractr/flows.rb', line 33

def q # :nodoc:
    # The query string this collection was built with; the constructor
    # defaults it to '*' when none was supplied.
    @opts.dig(:q)
end

#save(filename) ⇒ Object

Save all the packets for this collection of flows into a pcap. It’s possible that the packets for the flows might span multiple indexed pcaps.

xtractr.flows('flow.service:DNS AAAA').save('dns.pcap')


# File 'lib/mu/xtractr/flows.rb', line 96

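def save filename
    # Gather the ids of the matching flows. The slice query below is built
    # from them, so the set is capped at 1024 ids to keep the query bounded;
    # flows past the cap are silently left out of the pcap.
    flow_ids = []
    each_flow do |flow|
        flow_ids << flow.id.to_s
        break if flow_ids.size >= 1024
    end

    # With no matching flow this becomes "pkt.flow:()"; what the slice API
    # returns for that is decided server-side, not here.
    query = "pkt.flow:(#{flow_ids.join('||')})"

    # File.open rather than Kernel#open: Kernel#open treats a filename that
    # begins with '|' as a command to spawn, which a caller-supplied path
    # must never be able to trigger. Binary mode keeps the pcap bytes intact
    # on platforms that translate newlines in text mode.
    File.open(filename, 'wb') do |ios|
        pcap = xtractr.get "api/packets/slice", :q => query
        ios.write pcap
    end
    self
end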

#sum(kfield, vfield) ⇒ Object

Sum the numeric values of vfield, keyed by the unique values of kfield.

xtractr.flows('index.html').sum('http.request.uri', 'flow.bytes')


88
89
90
# File 'lib/mu/xtractr/flows.rb', line 88

def sum kfield, vfield
    # As with #count, the aggregation lives in Views; this only supplies the
    # report endpoint and this collection's query options.
    report = '/api/flows/report'
    Views.sum(xtractr, kfield, vfield, report, @opts)
end

#values(field) ⇒ Object

Return a list of Field::Value objects for the specified field, sorted by their frequency. This is a convenience method used in method chaining.

xtractr.flows('index.html').values('http.request.uri')


# File 'lib/mu/xtractr/flows.rb', line 81

def values field
    # Each element returned by #count wraps a value; unwrap them, keeping
    # the frequency order #count produced.
    count(field).map(&:object)
end