packettotal/README.md


[![Travis-CI Build
Status](https://travis-ci.org/hrbrmstr/packettotal.svg?branch=master)](https://travis-ci.org/hrbrmstr/packettotal)
[![Coverage
Status](https://codecov.io/gh/hrbrmstr/packettotal/branch/master/graph/badge.svg)](https://codecov.io/gh/hrbrmstr/packettotal)
[![CRAN\_Status\_Badge](https://www.r-pkg.org/badges/version/packettotal)](https://cran.r-project.org/package=packettotal)

# packettotal

Lookup and Analyze Packet Capture (‘PCAP’) Files

## Description

‘PacketTotal’ (<https://packettotal.com/>) is an engine for analyzing,
categorizing, and sharing packet capture (‘PCAP’) files. The tool was
built with the information security community in mind and has
applications in malware analysis and network forensics. Methods are
provided to query search for and analyze packet capture files.

## What’s Inside The Tin

The following functions are implemented:

  - `packettotal_api_key`: Get or set PACKETTOTAL\_API\_KEY value
  - `pt_deep_search`/`pt_get_search_results`: Create a new deep search
    task. Search for a term or with a Lucene query.
  - `pt_detail`: Get a detailed report of PCAP traffic, carved files,
    signatures, and top-talkers.
  - `pt_download`: Download a PCAP analysis archive. The result is a zip
    archive containing the PCAP itself, CSVs representing various
    analysis results, and all carved files.
  - `pt_info`: Get high-level information about a specific PCAP file.
  - `pt_random`: Get high-level information about a random PCAP file.
  - `pt_search`: Search with term or with a valid Lucene query.
  - `pt_similar`: Get a similarity graph relative to the current PCAP
    file.
  - `pt_usage`: Retrive usage and subscription plan information.

## Installation

``` r
install.packages("packettotal", repos = "https://cinc.rud.is/")
```

## Usage

``` r
library(packettotal)

# current version
packageVersion("packettotal")
## [1] '0.1.0'
```

``` r
str(pt_random(), 2)
## List of 1
##  $ pcap_metadata:List of 11
##   ..$ md5               : chr "62286d51c23ee508a4687500becbaf52"
##   ..$ name              : chr "20130820_c_win6_00023_pc.pcap"
##   ..$ byte_size         : int 1538604
##   ..$ logs              : chr [1:8] "conn" "dns" "weird" "files" ...
##   ..$ analyzed_date     : chr "2018-10-19 00:55:42"
##   ..$ download_link     : chr "/pcaps/62286d51c23ee508a4687500becbaf52/download"
##   ..$ analysis_link     : chr "/pcaps/62286d51c23ee508a4687500becbaf52/analysis"
##   ..$ similar_pcaps_link: chr "/pcaps/62286d51c23ee508a4687500becbaf52/similar"
##   ..$ pcap_glyph_link   : chr "https://s3.amazonaws.com/packettotalpub/files/62286d51c23ee508a4687500becbaf52/pcap-mosaic.png"
##   ..$ packettotal_link  : chr "https://packettotal.com/app/analysis?id=62286d51c23ee508a4687500becbaf52"
##   ..$ message           : chr "This PCAP was selected randomly, since no id was specified."
```

``` r
str(pt_search("evil.com"), 2)
## List of 2
##  $ result_count: int 5
##  $ results     :'data.frame':    5 obs. of  3 variables:
##   ..$ id         : chr [1:5] "b2a094b1882f52ab8befd3d8ad9d7f9a" "0826bfbd4a68519945b9af594a5a87d7" "385b9a5b3da0d56260f2be329e110795" "8e13e95bc12ad8415c4d8e8d313affac" ...
##   ..$ found_in   :List of 5
##   ..$ match_score: num [1:5] 49.5 49.3 44.2 31.8 31.6
```

``` r
(res <- pt_deep_search("botnet OR malware"))
## $search_id
## [1] "089f9e75d8142e185e84e8668da4b9b8"
## 
## $message
## [1] "Deep search exists."
## 
## $results_uri
## [1] "/v1/search/deep/results/089f9e75d8142e185e84e8668da4b9b8"
## 
## attr(,"class")
## [1] "pt_search_result"

str(pt_get_search_results(res), 2)
## List of 2
##  $ results     :'data.frame':    1819 obs. of  3 variables:
##   ..$ id         : chr [1:1819] "bd00b1dca3e5586dccffdc23579b0d39" "ba796317651f2064b1ca193e6e2cf947" "52419b8eba8af8fe502f8be324b67cb8" "da0023e2c4ca40ac480a4fdb930e7745" ...
##   ..$ found_in   :List of 1819
##   ..$ match_score: num [1:1819] 1584 1079 749 704 653 ...
##  $ result_count: int 1819
```

``` r
str(pt_info("d210f4dbea97949f694e849507951881"), 2)
## List of 1
##  $ pcap_metadata:List of 10
##   ..$ md5               : chr "d210f4dbea97949f694e849507951881"
##   ..$ name              : chr "20180815Emotetinfectipca.pcap"
##   ..$ byte_size         : int 1583713
##   ..$ logs              : chr [1:10] "conn" "x509" "dns" "ssl" ...
##   ..$ analyzed_date     : chr "2019-01-01 06:40:18"
##   ..$ download_link     : chr "/pcaps/d210f4dbea97949f694e849507951881/download"
##   ..$ analysis_link     : chr "/pcaps/d210f4dbea97949f694e849507951881/analysis"
##   ..$ similar_pcaps_link: chr "/pcaps/d210f4dbea97949f694e849507951881/similar"
##   ..$ pcap_glyph_link   : chr "https://s3.amazonaws.com/packettotalpub/files/d210f4dbea97949f694e849507951881/pcap-mosaic.png"
##   ..$ packettotal_link  : chr "https://packettotal.com/app/analysis?id=d210f4dbea97949f694e849507951881"
```

``` r
str(pt_detail("d210f4dbea97949f694e849507951881"), 2)
## List of 1
##  $ analysis_summary:List of 9
##   ..$ top_talkers          :List of 2
##   ..$ connection_statistics:List of 9
##   ..$ dns_statistics       :List of 2
##   ..$ file_statistics      :List of 3
##   ..$ signatures           : chr [1:4] "ET POLICY Office Document Download Containing AutoOpen Macro" "ET POLICY PE EXE or DLL Windows file download HTTP" "SURICATA TLS invalid record version" "SURICATA TLS invalid record/traffic"
##   ..$ external_references  :'data.frame':    7 obs. of  2 variables:
##   ..$ malicious_traffic    : logi FALSE
##   ..$ accuracy             : chr "perfect"
##   ..$ http_statistics      :List of 3
```

``` r
str(pt_similar("536cf06ca83704844d789f56caf22ee6"), 2)
## List of 4
##  $ similar                   :List of 2
##   ..$ result_count: int 78
##   ..$ results     :'data.frame': 78 obs. of  4 variables:
##  $ intensity                 : chr "minimal"
##  $ prioritize_uncommon_fields: logi TRUE
##  $ weighting_mode            : chr "behavior"
```

## packettotal Metrics

| Lang | \# Files |  (%) | LoC |  (%) | Blank lines |  (%) | \# Lines | (%) |
| :--- | -------: | ---: | --: | ---: | ----------: | ---: | -------: | --: |
| R    |       13 | 0.93 | 200 | 0.94 |          69 | 0.73 |      125 | 0.7 |
| Rmd  |        1 | 0.07 |  13 | 0.06 |          25 | 0.27 |       54 | 0.3 |

## Code of Conduct

Please note that this project is released with a [Contributor Code of
Conduct](CONDUCT.md). By participating in this project you agree to
abide by its terms.
initial commit 5 years ago
			`[![Travis-CI Build`
			`Status](https://travis-ci.org/hrbrmstr/packettotal.svg?branch=master)](https://travis-ci.org/hrbrmstr/packettotal)`
			`[![Coverage`
			`Status](https://codecov.io/gh/hrbrmstr/packettotal/branch/master/graph/badge.svg)](https://codecov.io/gh/hrbrmstr/packettotal)`
			`[![CRAN\_Status\_Badge](https://www.r-pkg.org/badges/version/packettotal)](https://cran.r-project.org/package=packettotal)`

Initial commit 5 years ago			`# packettotal`

initial commit 5 years ago			`Lookup and Analyze Packet Capture (‘PCAP’) Files`

			`## Description`

			`‘PacketTotal’ (<https://packettotal.com/>) is an engine for analyzing,`
			`categorizing, and sharing packet capture (‘PCAP’) files. The tool was`
			`built with the information security community in mind and has`
			`applications in malware analysis and network forensics. Methods are`
			`provided to query search for and analyze packet capture files.`

			`## What’s Inside The Tin`

			`The following functions are implemented:`

			- `packettotal_api_key`: Get or set PACKETTOTAL\_API\_KEY value
API complete 5 years ago			- `pt_deep_search`/`pt_get_search_results`: Create a new deep search
			`task. Search for a term or with a Lucene query.`
initial commit 5 years ago			- `pt_detail`: Get a detailed report of PCAP traffic, carved files,
			`signatures, and top-talkers.`
			- `pt_download`: Download a PCAP analysis archive. The result is a zip
			`archive containing the PCAP itself, CSVs representing various`
			`analysis results, and all carved files.`
			- `pt_info`: Get high-level information about a specific PCAP file.
			- `pt_random`: Get high-level information about a random PCAP file.
			- `pt_search`: Search with term or with a valid Lucene query.
			- `pt_similar`: Get a similarity graph relative to the current PCAP
			`file.`
			- `pt_usage`: Retrive usage and subscription plan information.

			`## Installation`

			``` r
cinc 5 years ago			`install.packages("packettotal", repos = "https://cinc.rud.is/")`
initial commit 5 years ago			```

			`## Usage`

			``` r
			`library(packettotal)`

			`# current version`
			`packageVersion("packettotal")`
			`## [1] '0.1.0'`
			```

			``` r
			`str(pt_random(), 2)`
			`## List of 1`
			`## $ pcap_metadata:List of 11`
cinc 5 years ago			`## ..$ md5 : chr "62286d51c23ee508a4687500becbaf52"`
			`## ..$ name : chr "20130820_c_win6_00023_pc.pcap"`
			`## ..$ byte_size : int 1538604`
initial commit 5 years ago			`## ..$ logs : chr [1:8] "conn" "dns" "weird" "files" ...`
cinc 5 years ago			`## ..$ analyzed_date : chr "2018-10-19 00:55:42"`
			`## ..$ download_link : chr "/pcaps/62286d51c23ee508a4687500becbaf52/download"`
			`## ..$ analysis_link : chr "/pcaps/62286d51c23ee508a4687500becbaf52/analysis"`
			`## ..$ similar_pcaps_link: chr "/pcaps/62286d51c23ee508a4687500becbaf52/similar"`
			`## ..$ pcap_glyph_link : chr "https://s3.amazonaws.com/packettotalpub/files/62286d51c23ee508a4687500becbaf52/pcap-mosaic.png"`
			`## ..$ packettotal_link : chr "https://packettotal.com/app/analysis?id=62286d51c23ee508a4687500becbaf52"`
initial commit 5 years ago			`## ..$ message : chr "This PCAP was selected randomly, since no id was specified."`
			```

			``` r
			`str(pt_search("evil.com"), 2)`
			`## List of 2`
			`## $ result_count: int 5`
			`## $ results :'data.frame': 5 obs. of 3 variables:`
			`## ..$ id : chr [1:5] "b2a094b1882f52ab8befd3d8ad9d7f9a" "0826bfbd4a68519945b9af594a5a87d7" "385b9a5b3da0d56260f2be329e110795" "8e13e95bc12ad8415c4d8e8d313affac" ...`
			`## ..$ found_in :List of 5`
			`## ..$ match_score: num [1:5] 49.5 49.3 44.2 31.8 31.6`
			```

			``` r
API complete 5 years ago			`(res <- pt_deep_search("botnet OR malware"))`
			`## $search_id`
			`## [1] "089f9e75d8142e185e84e8668da4b9b8"`
			`##`
			`## $message`
			`## [1] "Deep search exists."`
			`##`
			`## $results_uri`
			`## [1] "/v1/search/deep/results/089f9e75d8142e185e84e8668da4b9b8"`
			`##`
			`## attr(,"class")`
			`## [1] "pt_search_result"`

			`str(pt_get_search_results(res), 2)`
			`## List of 2`
			`## $ results :'data.frame': 1819 obs. of 3 variables:`
			`## ..$ id : chr [1:1819] "bd00b1dca3e5586dccffdc23579b0d39" "ba796317651f2064b1ca193e6e2cf947" "52419b8eba8af8fe502f8be324b67cb8" "da0023e2c4ca40ac480a4fdb930e7745" ...`
			`## ..$ found_in :List of 1819`
			`## ..$ match_score: num [1:1819] 1584 1079 749 704 653 ...`
			`## $ result_count: int 1819`
			```

			``` r
initial commit 5 years ago			`str(pt_info("d210f4dbea97949f694e849507951881"), 2)`
			`## List of 1`
			`## $ pcap_metadata:List of 10`
			`## ..$ md5 : chr "d210f4dbea97949f694e849507951881"`
			`## ..$ name : chr "20180815Emotetinfectipca.pcap"`
			`## ..$ byte_size : int 1583713`
			`## ..$ logs : chr [1:10] "conn" "x509" "dns" "ssl" ...`
			`## ..$ analyzed_date : chr "2019-01-01 06:40:18"`
			`## ..$ download_link : chr "/pcaps/d210f4dbea97949f694e849507951881/download"`
			`## ..$ analysis_link : chr "/pcaps/d210f4dbea97949f694e849507951881/analysis"`
			`## ..$ similar_pcaps_link: chr "/pcaps/d210f4dbea97949f694e849507951881/similar"`
			`## ..$ pcap_glyph_link : chr "https://s3.amazonaws.com/packettotalpub/files/d210f4dbea97949f694e849507951881/pcap-mosaic.png"`
			`## ..$ packettotal_link : chr "https://packettotal.com/app/analysis?id=d210f4dbea97949f694e849507951881"`
			```

			``` r
			`str(pt_detail("d210f4dbea97949f694e849507951881"), 2)`
			`## List of 1`
			`## $ analysis_summary:List of 9`
			`## ..$ top_talkers :List of 2`
			`## ..$ connection_statistics:List of 9`
			`## ..$ dns_statistics :List of 2`
			`## ..$ file_statistics :List of 3`
			`## ..$ signatures : chr [1:4] "ET POLICY Office Document Download Containing AutoOpen Macro" "ET POLICY PE EXE or DLL Windows file download HTTP" "SURICATA TLS invalid record version" "SURICATA TLS invalid record/traffic"`
			`## ..$ external_references :'data.frame': 7 obs. of 2 variables:`
			`## ..$ malicious_traffic : logi FALSE`
			`## ..$ accuracy : chr "perfect"`
			`## ..$ http_statistics :List of 3`
			```

			``` r
			`str(pt_similar("536cf06ca83704844d789f56caf22ee6"), 2)`
			`## List of 4`
			`## $ similar :List of 2`
			`## ..$ result_count: int 78`
			`## ..$ results :'data.frame': 78 obs. of 4 variables:`
			`## $ intensity : chr "minimal"`
			`## $ prioritize_uncommon_fields: logi TRUE`
			`## $ weighting_mode : chr "behavior"`
			```

			`## packettotal Metrics`

cinc 5 years ago			`\| Lang \| \# Files \| (%) \| LoC \| (%) \| Blank lines \| (%) \| \# Lines \| (%) \|`
			`\| :--- \| -------: \| ---: \| --: \| ---: \| ----------: \| ---: \| -------: \| --: \|`
			`\| R \| 13 \| 0.93 \| 200 \| 0.94 \| 69 \| 0.73 \| 125 \| 0.7 \|`
			`\| Rmd \| 1 \| 0.07 \| 13 \| 0.06 \| 25 \| 0.27 \| 54 \| 0.3 \|`
initial commit 5 years ago
			`## Code of Conduct`

			`Please note that this project is released with a [Contributor Code of`
			`Conduct](CONDUCT.md). By participating in this project you agree to`
			`abide by its terms.`