Class: Mu::Xtractr::Packets

Inherits:
Object
Includes:
Enumerable
Defined in:
lib/mu/xtractr/packets.rb,
lib/mu/xtractr/test/tc_packets.rb

Overview

xtractr.packets('pkt.service:DNS').count('pkt.length')

Defined Under Namespace

Classes: Test

Constant Summary

MAX_PAGE_SIZE = 100 # :nodoc:

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(xtractr, opts) ⇒ Packets

:nodoc:



# File 'lib/mu/xtractr/packets.rb', line 38

# Bind a packet query to an xtractr client. When the caller supplies no
# +:q+ entry the query defaults to '*' (match everything).
#
# NOTE: +opts+ is kept by reference, so the default +:q+ is written into
# the caller's hash as well.
def initialize xtractr, opts # :nodoc:
    @xtractr, @opts = xtractr, opts
    @opts[:q] = '*' unless @opts[:q]
end

Instance Attribute Details

#xtractr ⇒ Object (readonly)

:nodoc:



# File 'lib/mu/xtractr/packets.rb', line 34

# The xtractr client this packet set issues its API requests through.
def xtractr
  @xtractr
end

Instance Method Details

#count(field) ⇒ Object

Count the unique values of the specified field amongst all the packets that matched the query.

xtractr.packets('mozilla').count('http.request.uri')


# File 'lib/mu/xtractr/packets.rb', line 86

# Count the unique values of +field+ across every packet matching the
# query, delegating to the shared report view with this set's options.
#
#   xtractr.packets('mozilla').count('http.request.uri')
def count field
    report = '/api/packets/report'
    Views.count(xtractr, field, report, @opts)
end

#each_packet ⇒ Object (also known as: each)

Iterate over each packet that matches the search criteria. It is always better to use this with a fine-grained query instead of packets.to_a, because packets.to_a will try to load every matching packet from the index.

xtractr.packets("pkt.src:192.168.1.1").each do |pkt|
    ...
end


# File 'lib/mu/xtractr/packets.rb', line 54

# Iterate over every packet matching the query, pulling the index in
# pages of MAX_PAGE_SIZE rows. Prefer this with a narrow query over
# packets.to_a, which materialises all matching packets at once.
#
#   xtractr.packets("pkt.src:192.168.1.1").each do |pkt|
#       ...
#   end
#
# Each page yields only its first MAX_PAGE_SIZE-1 rows; the id of the
# final row becomes the +:start+ of the next request, so that row is
# fetched again at the head of the following page. NOTE(review): a
# caller-supplied +:limit+ other than MAX_PAGE_SIZE is forwarded to the
# server but not used by the slicing below — confirm that is intended.
def each_packet # :yields: packet
    query = @opts.dup
    query[:start] ||= 1
    query[:limit] ||= MAX_PAGE_SIZE

    loop do
        rows = xtractr.json("api/packets", query)['rows']
        break if rows.empty?

        rows.first(MAX_PAGE_SIZE - 1).each { |row| yield Packet.new(xtractr, row) }

        break if rows.size < MAX_PAGE_SIZE
        query[:start] = rows[MAX_PAGE_SIZE - 1]['id']
    end
    self
end

#first ⇒ Object

Fetch the first packet that matched the query. Mostly used for unit testing.



# File 'lib/mu/xtractr/packets.rb', line 77

# Fetch the first packet matching the query, or nil when nothing
# matched. Mostly used for unit testing.
def first
    params = { :start => 1, :limit => 1, :q => q }
    rows = xtractr.json("api/packets", params)['rows']
    return nil if rows.empty?
    Packet.new(xtractr, rows.first)
end

#inspect ⇒ Object

:nodoc:



# File 'lib/mu/xtractr/packets.rb', line 115

def inspect # :nodoc:
    "#<packets:#{@opts[:q]}>"
end

#q ⇒ Object

:nodoc:



# File 'lib/mu/xtractr/packets.rb', line 44

# The query string this packet set was built with (the +:q+ option).
def q # :nodoc:
    @opts[:q]
end

#save(filename) ⇒ Object

Stitch together a pcap made up of all packets that matched the query and save it to the filename.

xtractr.packets('pkt.service:DNS pkt.length:>64').save('foo.pcap')


# File 'lib/mu/xtractr/packets.rb', line 107

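# Stitch together a pcap of every packet matching the query and write it
# to +filename+. Returns self for chaining.
#
#   xtractr.packets('pkt.service:DNS pkt.length:>64').save('foo.pcap')
#
# Uses File.open rather than Kernel#open: Kernel#open interprets a
# +filename+ beginning with "|" as a command to spawn, so a caller-
# supplied name would otherwise be treated as a pipeline. The slice is
# fetched before the file is created, so a failed request leaves no
# empty or truncated file behind; "wb" keeps the binary pcap bytes
# unaltered on platforms that translate newlines.
def save filename
    pcap = xtractr.get "api/packets/slice", :q => @opts[:q]
    File.open(filename, "wb") { |ios| ios.write pcap }
    self
end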

#sum(kfield, vfield) ⇒ Object

Sum the numeric values of vfield, keyed by the unique values of kfield.

xtractr.packets('mozilla').sum('http.request.uri', 'pkt.length')


# File 'lib/mu/xtractr/packets.rb', line 100

# Sum the numeric values of +vfield+, grouped by each unique value of
# +kfield+, delegating to the shared report view with this set's options.
#
#   xtractr.packets('mozilla').sum('http.request.uri', 'pkt.length')
def sum kfield, vfield
    report = '/api/packets/report'
    Views.sum(xtractr, kfield, vfield, report, @opts)
end

#values(field) ⇒ Object

Return a list of Field::Value objects for the specified field, sorted by their frequency. This is a convenience method used in method chaining.

xtractr.packets('index.html').values('http.request.uri')


# File 'lib/mu/xtractr/packets.rb', line 93

# Return the Field::Value objects for +field+ in the order produced by
# #count (sorted by frequency). A convenience for method chaining.
#
#   xtractr.packets('index.html').values('http.request.uri')
def values field
    count(field).map(&:object)
end