Joy v1.1 - A package for capturing and analyzing network flow data for network research, forensics & security monitoring.
+ bumping version because of changes to TLS and BD (byte distribution)
+ data translation, and SELECT can now have multiple comma-separated fields
+ added support for a compact byte distribution. Given a mapping file for byte values 256->16, export a length-16 array of the byte
Joy is a package for capturing and analyzing network flow data and intraflow data, for network research, forensics, and security monitoring.
Joy is a BSD-licensed libpcap-based software package for extracting data features from live network traffic or packet capture (pcap) files, using a flow-oriented model similar to that of IPFIX or Netflow, and then representing these data features in JSON. It also contains analysis tools that can be applied to these data files. Joy can be used to explore data at scale, especially security and threat-relevant data.
JSON is used in order to make the output easily consumable by data analysis tools. While the JSON output files are somewhat verbose, they are reasonably small, and they respond well to compression.
Joy can be configured to obtain intraflow data, that is, data and information about events that occur within a network flow, including:
* the sequence of lengths and arrival times of IP packets, up to some configurable number of packets,
* the empirical probability distribution of the bytes within the data portion of a flow, and the entropy derived from that value,
* the sequence of lengths and arrival times of TLS records,
* other non-encrypted TLS data, such as the list of offered ciphersuites, the selected ciphersuite, and the length of the clientKeyExchange field,
* the name of the process associated with the flow, for flows originate or terminate on the
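The byte distribution and entropy features listed above, and the compact 256->16 byte distribution from the changelog entry, worked through in Python as an added example (not code from the Joy project); the high-nibble mapping, the sample payloads and the JSON key names are assumptions made for this example, not Joy's mapping-file format or output schema.

```python
import json
import math

# Constructed mapping: byte value v -> bin v // 16 (16 bins). Assumption:
# the real Joy mapping file format is not described on this page.
DEFAULT_MAPPING = [v // 16 for v in range(256)]

def byte_distribution(payload: bytes) -> list:
    """Empirical byte distribution: count of each byte value 0..255 in the payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    return counts

def entropy(counts) -> float:
    """Shannon entropy in bits (0.0 .. 8.0) derived from the byte counts."""
    total = sum(counts)
    if total == 0:          # empty data portion: no information, entropy 0
        return 0.0
    h = 0.0
    for c in counts:
        if c:
            p = c / total
            h -= p * math.log2(p)
    return h

def compact_distribution(counts, mapping=DEFAULT_MAPPING) -> list:
    """Fold a 256-entry distribution into 16 bins using a 256->16 mapping."""
    if len(mapping) != 256 or any(not 0 <= m < 16 for m in mapping):
        raise ValueError("mapping must assign each of the 256 byte values to a bin 0..15")
    bins = [0] * 16
    for value, c in enumerate(counts):
        bins[mapping[value]] += c
    return bins

def flow_record(payload: bytes, mapping=DEFAULT_MAPPING) -> dict:
    """JSON-ready record for one flow; key names are chosen for this example."""
    bd = byte_distribution(payload)
    return {"bd": bd, "be": round(entropy(bd), 6),
            "bd_compact": compact_distribution(bd, mapping)}

if __name__ == "__main__":
    # Constructed sample payloads: a cleartext HTTP request vs. all 256 byte values,
    # which is what encrypted or compressed data tends to look like (entropy near 8).
    text = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    uniform = bytes(range(256))
    for name, payload in (("http", text), ("uniform", uniform)):
        print(name, json.dumps(flow_record(payload)))
```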
Joy is intended for use in security research, forensics, and the monitoring of (small-scale) networks to detect vulnerabilities, threats and other unauthorized or unwanted behavior. Researchers, administrators, penetration testers, and security operations teams can put this information to good use, for the protection of the networks being monitored, and in the case of vulnerabilities, for the benefit of the broader community through improved defensive posture. As with any network monitoring tool, Joy could potentially be misused; do not use it on any network of which you are not the owner or the administrator.
Flow, in positive psychology, is a state in which a person performing an activity is fully immersed in a feeling of energized focus, deep involvement, and joy. This second meaning inspired the choice of name for this software package.
Joy is alpha/beta software; we hope that you use it and benefit from it, but do understand that it is not suitable for production use.
Joy has been successfully run and tested on Linux (Debian, Ubuntu, and CentOS) and Mac OSX.
Installation & Usage:
git clone https://github.com/davidmcgrew/joy && cd joy
sudo ./pcap2flow interface=eth0 bidir=1 output=data.json (and see picture for output)
git pull origin master