Home

Welcome to PyNfSA's documentation!

.. toctree::
   :maxdepth: 2

Introduction

PyNfSA - NetFlow Spectral Analyzer for Python is software to conveniently perform frequency analysis on PCAP or NetFlow dataset.

Installation

1. installation of dependecies
2. download pynfsa repository at github

3. enter the directory and invoke

   python nfsa.py load dataset.h5 (dataset will be created if not existing and interactive mode will be entered)

Dependencies

• python v2.7.3 - Python programming language
• impacket v0.9.6.0 - library to craft and decode network packets
• python-libpcap v0.6.2 - packet capture library bindings for python
• numpy v1.6.2 - software for mathematics, science, and engineering
• scipy v0.10.1 - software for mathematics, science, and engineering
• matplotlib v1.1.1 - python 2D plotting library
• ipaddr-py v2.1.10 - IPv4/IPv6 manipulation library in Python
• pytables v2.3.1 - package for managing hierarchical datasets and designed to cope with extremely large amounts of data
• h5py v2.0.1 - Python interface to the Hierarchical Data Format library, version 5
• fabulous v0.1.5 - library designed to make the output of terminal applications look fabulous
• scapy v2.2.0 - a powerful interactive packet manipulation program
• iPython - and powerful interactive shell

Usage

nfsa.py [-h]

nfsa.py [--version]

nfsa.py [<options>] raw|flow|sample|model|filter|load|annotate <database file> [<input file> [<input file> ...]]

Positional arguments

• raw|flow|sample|model|filter|load|annotate action to execute; raw stores "pcap" or netflow data in h5 database, "flow" marks flows and extracts attributes, "sample" computes sampling at given sample rate and tranformations at given windowing, "model" fits model to data stored in database, filter converts XML Ip filters to JSON format and "load" loads database into memory
• <database file> hdf5 array database
• <input file> input files to process

Optional arguments

• -h, --help show this help message and exit
• --version show version information
• -f pcap|netflow input file format
• -o <output file> output file
• -m <min packets> min packets per flow
• -n don`t do reverse dns
• -v, --verbose increase verbosity
• -q, --quiet do not dump to terminal

Flow extraction options Required for "flow", "sample" and "model" actions

• -i 3|4 flow identification <3-tuple or 4-tuple>
• -u don`t use SYN packets to distinguish flow start
• -p <protocol> protocol to take in account, default = 6 <TCP>

Sampling options Required for "sample" and "model" actions

• -s <sample rate> sample rate to use, can be specified multiple times
• -w <window length> window lengths to use, can be specified multiple times
• -t csd|psd tranformation to use, can be: "csd" for cross spectral density or "psd" for power spectral density

Model estimation options Required for "model" action

• -a <file> annotation file
• --legit <int>,<int>,.. comma-separated list of classes considered legitimate
• --malicious <int>,<int>,.. comma-separated list of classes considered malicious
• --model <int>,<int>,.. comma-separated list of classes included in model
• --sample <pattern> regex to filter sampleset by name
• --computation <step>,<step>,... computation to evaluate
• --tex <file> append tex-like tables into <file>

Indices and tables

• :ref:`genindex`
• :ref:`modindex`
• :ref:`search`

Class Reference

.. automodule:: pynfsa.models
   :members:

.. automodule:: pynfsa.sampler
   :members:

.. automodule:: pynfsa.dataset
    :members:

.. automodule:: pynfsa.labeling
   :members:

.. automodule:: pynfsa.extractor
    :members:

.. automodule:: pynfsa.flowizer
    :members:

.. automodule:: pynfsa.util
    :members: