author | Toni Uhlig <matzeton@googlemail.com> | 2024-05-08 00:25:31 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2024-05-08 00:25:31 +0200 |
commit | 5290f76b5f599357331d9a06e75dd89ca3ee1523 (patch) | |
tree | b981dd3bff5b0c5acd6b4fc2468cb3e8af5b5af8 | |
parent | f4d0f807118dc4b1ddc1013ad5ebde80a730c23c (diff) |
flow-info.py: Set min risk severity required to print a risk.
* ReadMe update
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | README.md | 20 | ||||
-rwxr-xr-x | examples/py-flow-info/flow-info.py | 6 |
2 files changed, 12 insertions, 14 deletions
@@ -81,9 +81,9 @@ JSON messages streamed by both `nDPId` and `nDPIsrvd` are presented with: as with the following example: ```text -01223{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":12,"packet_id":307,"source":"wlan0",[...]} -00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":11,"packet_id":324,"source":"wlan0",[...]]} -00572{"flow_event_id":1,"flow_event_name":"new","thread_id":11,"packet_id":324,"source":"wlan0",[...]} +01223{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":12,"packet_id":307,"source":"wlan0", ...snip...} +00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":11,"packet_id":324,"source":"wlan0", ...snip...} +00572{"flow_event_id":1,"flow_event_name":"new","thread_id":11,"packet_id":324,"source":"wlan0", ...snip...} ``` The full stream of `nDPId` generated JSON-events can be retrieved directly from `nDPId`, without relying on `nDPIsrvd`, by providing a properly managed UNIX-socket. @@ -158,7 +158,8 @@ Detailed JSON-schema is available [here](schema/flow_event_schema.json). Also, a A flow can have three different states while it is been tracked by `nDPId`. -1. skipped: the flow will be tracked, but no detection will happen to safe memory. See command line argument `-I` and `-E` +1. skipped: the flow will be tracked, but no detection will happen to reduce memory usage. + See command line argument `-I` and `-E` 2. finished: detection finished and the memory used for the detection is freed 3. info: detection is in progress and all flow memory required for `libnDPI` is allocated (this state consumes most memory) @@ -276,11 +277,6 @@ And why not a flow-info example? ./examples/py-flow-info/flow-info.py ``` -or -```shell -./nDPIsrvd-json-dump -``` - or anything below `./examples`. # nDPId tuning 
@@ -297,7 +293,7 @@ Format: `subopt` (unit, comment): description * `max-reader-threads` (N, safe): amount of packet processing threads, every thread can have a max. of `max-flows-per-thread` flows * `daemon-status-interval` (ms, safe): specifies how often daemon event `status` is generated * `compression-scan-interval` (ms, untested): specifies how often `nDPId` scans for inactive flows ready for compression - * `compression-flow-inactivity` (ms, untested): the shortest period of time elapsed before `nDPId` considers compressing a flow that neither sent nor received any data + * `compression-flow-inactivity` (ms, untested): the shortest period of time elapsed before `nDPId` considers compressing a flow (e.g. nDPI flow struct) that neither sent nor received any data * `flow-scan-interval` (ms, safe): min. amount of time after which `nDPId` scans for idle or long-lasting flows * `generic-max-idle-time` (ms, untested): time after which a non TCP/UDP/ICMP flow times out * `icmp-max-idle-time` (ms, untested): time after which an ICMP flow times out @@ -327,14 +323,12 @@ Alternatively you can run some integration tests manually: e.g.: -`./test/run_tests.sh [${HOME}/git/nDPI] [${HOME}/git/nDPId/build/nDPId-test]` +`./test/run_tests.sh "${HOME}/git/nDPI "${HOME}/git/nDPId/build/nDPId-test"` Remember that all test results are tied to a specific libnDPI commit hash as part of the `git submodule`. Using `test/run_tests.sh` for other commit hashes will most likely result in PCAP diffs. -Why not use `examples/py-flow-dashboard/flow-dash.py` to visualize nDPId's output. - # Contributors Special thanks to Damiano Verzulli ([@verzulli](https://github.com/verzulli)) from [GARRLab](https://www.garrlab.it) for providing server and test infrastructure. diff --git a/examples/py-flow-info/flow-info.py b/examples/py-flow-info/flow-info.py index 99eadb9ac..c5193f9ee 100755 --- a/examples/py-flow-info/flow-info.py +++ b/examples/py-flow-info/flow-info.py 
@@ -408,7 +408,10 @@ def onJsonLineRecvd(json_dict, instance, current_flow, global_user_data): else: color = '' - next_lines[0] = '{}{}{}: {}'.format(color, 'RISK', TermColor.END, next_lines[0][:-2]) + if severity >= args.min_risk_severity: + next_lines[0] = '{}{}{}: {}'.format(color, 'RISK', TermColor.END, next_lines[0][:-2]) + else: + del next_lines[0] line_suffix = '' flow_event_name = '' @@ -594,6 +597,7 @@ if __name__ == '__main__': argparser.add_argument('--ignore-category', action='append', help='Ignore printing lines with a certain category.') argparser.add_argument('--ignore-breed', action='append', help='Ignore printing lines with a certain breed.') argparser.add_argument('--ignore-hostname', action='append', help='Ignore printing lines with a certain hostname.') + argparser.add_argument('--min-risk-severity', action='store', type=int, default=0, help='Print only risks with a risk severity greater or equal to the given argument') args = argparser.parse_args() if args.no_color is True: |
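Review bot: In the README hunk at `@@ -81`, the stray extra bracket in the old second example line (`[...]]}`) disappears with this rewrite, which is good; keep the ` ...snip...` marker inside the closing brace on all three lines, as done here, so the examples still read as truncated JSON objects.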
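Review bot: In the README hunk at `@@ -158`, the new continuation line `See command line argument `-I` and `-E`` should be plural ("arguments"), and since the context line `while it is been tracked by `nDPId`` is touched by this hunk, "is being tracked" could be fixed in the same pass.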
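Review bot: The README hunk at `@@ -276` drops the `./nDPIsrvd-json-dump` example without the commit message (`* ReadMe update`) saying why; if that tool was removed or renamed, state it in the message, otherwise the deletion looks accidental.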
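Review bot: In the README hunk at `@@ -297`, `(e.g. nDPI flow struct)` reads as "for example" where "i.e." (that is, the nDPI flow struct) appears to be intended; wording such as `considers compressing a flow's nDPI flow struct` would avoid the mid-sentence parenthetical.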
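Review bot: The README hunk at `@@ -327` introduces an unbalanced quote: `./test/run_tests.sh "${HOME}/git/nDPI "${HOME}/git/nDPId/build/nDPId-test"` is missing the closing double quote after `${HOME}/git/nDPI`, so the first quoted string runs into the second argument and a shell would see a single mangled argument. It should read `./test/run_tests.sh "${HOME}/git/nDPI" "${HOME}/git/nDPId/build/nDPId-test"`. The old square brackets also signalled that both arguments are optional; if they still are, keep that information in the text.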
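Review bot: In the `flow-info.py` hunk at `@@ -408`, the new `else: del next_lines[0]` branch removes the risk line entirely, so any later code in `onJsonLineRecvd` that indexes `next_lines[0]` again or assumes the list is non-empty would raise `IndexError`; please confirm the remainder of the function handles an empty `next_lines`. The check also reads the module-level `args` from inside the callback even though the function already receives a `global_user_data` parameter; passing the threshold through that parameter would keep the callback self-contained.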
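Review bot: In the `flow-info.py` hunk at `@@ -594`, `action='store'` is argparse's default and can be dropped; the help text for `--min-risk-severity` should state the range of severity values a user can pass, and since the README is updated in the same patch, the new option could be documented there as well.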