
initial commit

master
boB Rudis 5 years ago
parent
commit
1a35461eab
No known key found for this signature in database GPG Key ID: 1D7529BE14E2BBA9
  1. 1
      .Rbuildignore
  2. 8
      DESCRIPTION
  3. 8
      NAMESPACE
  4. 7
      R/aaa.R
  5. 36
      R/api-key.R
  6. 30
      R/detail.R
  7. 55
      R/download.R
  8. 46
      R/graph.R
  9. 30
      R/info.R
  10. 15
      R/packettotal-package.R
  11. 28
      R/random.R
  12. 32
      R/search.R
  13. 27
      R/usage.R
  14. 46
      README.Rmd
  15. 140
      README.md
  16. 16
      man/packettotal.Rd
  17. 23
      man/packettotal_api_key.Rd
  18. 23
      man/pt_detail.Rd
  19. 34
      man/pt_download.Rd
  20. 23
      man/pt_info.Rd
  21. 20
      man/pt_random.Rd
  22. 22
      man/pt_search.Rd
  23. 31
      man/pt_similar.Rd
  24. 17
      man/pt_usage.Rd

1
.Rbuildignore

@ -2,6 +2,7 @@
^.*\.Rproj$
^\.Rproj\.user$
^\.travis\.yml$
^CONDUCT\.md$
^README\.*Rmd$
^README\.*html$
^NOTES\.*Rmd$

8
DESCRIPTION

@ -1,6 +1,6 @@
Package: packettotal
Type: Package
Title: packettotal title goes here otherwise CRAN checks fail
Title: Lookup and Analyze Packet Capture ('PCAP') Files
Version: 0.1.0
Date: 2019-03-16
Authors@R: c(
@ -8,7 +8,11 @@ Authors@R: c(
comment = c(ORCID = "0000-0001-5670-2640"))
)
Maintainer: Bob Rudis <bob@rud.is>
Description: A good description goes here otherwise CRAN checks fail.
Description: 'PacketTotal' (<https://packettotal.com/>) is an engine for analyzing,
categorizing, and sharing packet capture ('PCAP') files. The tool was built
with the information security community in mind and has applications in malware
analysis and network forensics. Methods are provided to query search for and
analyze packet capture files.
URL: https://gitlab.com/hrbrmstr/packettotal
BugReports: https://gitlab.com/hrbrmstr/packettotal/issues
Encoding: UTF-8

8
NAMESPACE

@ -1,4 +1,12 @@
# Generated by roxygen2: do not edit by hand
export(packettotal_api_key)
export(pt_detail)
export(pt_download)
export(pt_info)
export(pt_random)
export(pt_search)
export(pt_similar)
export(pt_usage)
import(httr)
importFrom(jsonlite,fromJSON)

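--- a/R/aaa.R
+++ b/R/aaa.R
@@ -0,0 +1,7 @@
+httr::user_agent(
+sprintf(
+"packettotal package v%s: (<%s>)",
+utils::packageVersion("packettotal"),
+utils::packageDescription("packettotal")$URL
+)
+) -> .PACKETTOTAL_UA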
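Review bot: The right-assignment `) -> .PACKETTOTAL_UA` closing a seven-line call hides which name is being defined until the last line; the conventional `.PACKETTOTAL_UA <- httr::user_agent(sprintf(...))` reads more easily and matches the tidyverse style guide. Since this object is referenced from every wrapper in the package, a one-line comment such as `# User-Agent header sent with every API request, built from DESCRIPTION` would help readers of those files. Whether the version string is frozen when the package is installed or re-read at load depends on how top-level R code is evaluated at build time, so that comment should say which it is once confirmed.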

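--- a/R/api-key.R
+++ b/R/api-key.R
@@ -0,0 +1,36 @@
+#' Get or set PACKETTOTAL_API_KEY value
+#'
+#' The API wrapper functions in this package all rely on a PacketTotal API
+#' key residing in the environment variable `PACKETTOTAL_API_KEY`.
+#' The easiest way to accomplish this is to set it
+#' in the `.Renviron` file in your home directory.
+#'
+#' @md
+#' @param force Force setting a new PacketTotal key for the current environment?
+#' @return atomic character vector containing the PacketTotal api key
+#' @references <https://packettotal.com/api-docs/>
+#' @export
+packettotal_api_key <- function(force = FALSE) {
+env <- Sys.getenv('PACKETTOTAL_API_KEY')
+if (!identical(env, "") && !force) return(env)
+if (!interactive()) {
+stop("Please set env var PACKETTOTAL_API_KEY to your PacketTotal key",
+call. = FALSE)
+}
+message("Couldn't find env var PACKETTOTAL_API_KEY See ?packettotal_api_key for more details.")
+message("Please enter your API key:")
+pat <- readline(": ")
+if (identical(pat, "")) {
+stop("PacketTotal key entry failed", call. = FALSE)
+}
+message("Updating PACKETTOTAL_API_KEY env var")
+Sys.setenv(PACKETTOTAL_API_KEY = pat)
+pat
+}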
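Review bot: The key typed at the `readline(": ")` prompt is echoed to the console in clear text and, in IDE sessions, may be retained in the console history; if a masked prompt is acceptable, `rstudioapi::askForPassword()` (when available) or the `askpass` package would avoid that at the cost of a new dependency, otherwise the roxygen text should state that the `.Renviron` route is preferred for this reason. The message on the line before the prompt also lacks punctuation between `PACKETTOTAL_API_KEY` and `See`. Style: `Sys.getenv('PACKETTOTAL_API_KEY')` uses single quotes where every other string in the file uses double quotes.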

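--- a/R/detail.R
+++ b/R/detail.R
@@ -0,0 +1,30 @@
+#' Get a detailed report of PCAP traffic, carved files, signatures, and top-talkers.
+#'
+#' Analysis results contain high-level protocol statistics, signatures, and intelligence that PacketTotal discovered during analysis and enrichment.
+#'
+#' @param pcap_id An md5 hash corresponding to the PCAP file submission on PacketTotal.com.
+#' This hash can be derived by hashing the PCAP file in question.
+#' @param api_key your [packettotal_api_key()].
+#' @references <https://packettotal.com/api-docs/#/pcaps/get_pcaps>
+#' @export
+#' @examples
+#' str(try(pt_detail("d210f4dbea97949f694e849507951881"), silent=TRUE), 2)
+pt_detail <- function(pcap_id, api_key = packettotal_api_key()) {
+httr::GET(
+url = sprintf("https://api.packettotal.com/v1/pcaps/%s/analysis", pcap_id),
+httr::add_headers(
+`x-api-key` = api_key
+),
+.PACKETTOTAL_UA
+) -> res
+httr::stop_for_status(res)
+out <- httr::content(res, as = "text", encoding = "UTF-8")
+out <- jsonlite::fromJSON(out)
+out
+}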
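Review bot: `pcap_id` is spliced into the request path by `sprintf()` on the `url =` line without any validation, so a value containing `/`, `?` or `#` changes which endpoint is called instead of failing; since the documented input is an MD5 hex digest, `stopifnot(grepl("^[[:xdigit:]]{32}$", pcap_id))` at the top of the function (or `utils::URLencode(pcap_id, reserved = TRUE)` in the call) would reject or neutralise such values. The same applies to `pt_info` in R/info.R, `pt_download` in R/download.R and `pt_similar` in R/graph.R. A short comment on the `.PACKETTOTAL_UA` argument, `# shared User-Agent config defined in R/aaa.R`, would also help readers of each wrapper.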

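--- a/R/download.R
+++ b/R/download.R
@@ -0,0 +1,55 @@
+#' Download a PCAP analysis archive. The result is a zip archive containing the PCAP itself, CSVs representing various analysis results, and all carved files.'
+#'
+#' @param pcap_id An md5 hash corresponding to the PCAP file submission on PacketTotal.com.
+#' This hash can be derived by hashing the PCAP file in question.
+#' @param dl_dir directory where to store the download
+#' @param archive_name name of the ZIP file. If left `NULL` then a ZIP file
+#' will be created with the name `YYYY-mm-dd-pcap_id.zip`.
+#' @param api_key your [packettotal_api_key()].
+#' @return if successful and the analysis package is ready then the full path
+#' to the ZIP file is returned (invisibly). If the analysis package
+#' is not ready the return value is "`_PROCESSING_`".
+#' @references <https://packettotal.com/api-docs/#/pcaps/get_pcaps__pcap_id__download>
+#' @export
+#' @examples
+#' str(try(pt_download("536cf06ca83704844d789f56caf22ee6"), silent=TRUE), 2)
+pt_download <- function(pcap_id, dl_dir = getwd(), archive_name = NULL,
+api_key = packettotal_api_key()) {
+dl_dir <- path.expand(dl_dir)
+stopifnot(dir.exists(dl_dir))
+httr::GET(
+url = sprintf("https://api.packettotal.com/v1/pcaps/%s/download", pcap_id),
+httr::add_headers(
+`x-api-key` = api_key
+),
+.PACKETTOTAL_UA
+) -> res
+httr::stop_for_status(res)
+status_code <- httr::status_code(res)
+if (status_code == "200") {
+out <- httr::content(res, as = "raw", encoding = "UTF-8")
+if (is.null(archive_name)) {
+loc <- file.path(dl_dir, sprintf("%s-%s.zip", as.character(Sys.Date()), pcap_id))
+} else {
+loc <- file.path(dl_dir, archive_name)
+}
+writeBin(
+object = out,
+con = loc,
+useBytes = TRUE
+)
+message("Download is at ", loc)
+return(invisible(loc))
+} else {
+message(
+"PCAP exists but the analysis package is not ready. ",
+"Try calling the function again in a few minutes."
+)
+}
+}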
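Review bot: The roxygen `@return` says the not-ready case yields "`_PROCESSING_`", but the `else` branch returns the invisible `NULL` produced by `message()`, so callers cannot tell the two outcomes apart as documented; adding `return(invisible("_PROCESSING_"))` after the message (or correcting the `@return` text) would reconcile code and docs. `status_code == "200"` compares an integer with a string and only works through coercion; `identical(status_code, 200L)` is the explicit form. The title line also carries a stray trailing `'` that is copied verbatim into man/pt_download.Rd, and `encoding = "UTF-8"` has no effect when `as = "raw"` is requested.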

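--- a/R/graph.R
+++ b/R/graph.R
@@ -0,0 +1,46 @@
+#' Get a similarity graph relative to the current PCAP file.
+#'
+#' Results contain PCAPs that exhibit similar behaviors or contain similar content. Results are organized with the most similar PCAPs on top, and the terms that were found shared within both.
+#'
+#' @param pcap_id An md5 hash corresponding to the PCAP file submission on PacketTotal.com.
+#' This hash can be derived by hashing the PCAP file in question.
+#' @param weighting_mode One of "`behavior`" (default) or "`content`". Weight search results either based on their similarity to the behaviors exhibited or contents contained within the current PCAP file.
+#' @param intensity One of "`minimal`" (default), "`low`", "`medium`", or "`high`". The scope of the search, basically translates to the maximum number of aggregations to exhaust. Using a high level intensity, may result in occassional timeouts.
+#' @param prioritize_uncommon_fields By default, the most common values are used to seed the initial similarity search. Enabling this parameter, seeds the initial search with the least common values instead.
+#' @param api_key your [packettotal_api_key()].
+#' @references <https://packettotal.com/api-docs/#/pcaps/get_pcaps__pcap_id__similar>
+#' @export
+#' @examples
+#' str(try(pt_similar("536cf06ca83704844d789f56caf22ee6"), silent=TRUE), 3)
+pt_similar <- function(pcap_id,
+weighting_mode = c("behavior", "content"),
+intensity = c("minimal", "low", "medium", "high"),
+prioritize_uncommon_fields = FALSE,
+api_key = packettotal_api_key()) {
+weighting_mode <- match.arg(tolower(weighting_mode), c("behavior", "content"))
+intensity <- match.arg(tolower(intensity), c("minimal", "low", "medium", "high"))
+prioritize_uncommon_fields <- tolower(as.character(FALSE))
+httr::GET(
+url = sprintf("https://api.packettotal.com/v1/pcaps/%s/similar", pcap_id),
+query = list(
+weighting_mode = weighting_mode,
+intensity = intensity,
+prioritize_uncommon_fields = prioritize_uncommon_fields
+),
+httr::add_headers(
+`x-api-key` = api_key
+),
+.PACKETTOTAL_UA
+) -> res
+httr::stop_for_status(res)
+out <- httr::content(res, as = "text", encoding = "UTF-8")
+out <- jsonlite::fromJSON(out)
+out
+}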
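Review bot: `prioritize_uncommon_fields <- tolower(as.character(FALSE))` discards the caller's argument, so the query always sends `prioritize_uncommon_fields=false` and the opt-in documented in the `@param` text can never be enabled; it should read `prioritize_uncommon_fields <- tolower(as.character(isTRUE(prioritize_uncommon_fields)))`. The README output in this same commit shows the service echoing `prioritize_uncommon_fields: logi TRUE` for a default call, which suggests the server may not honour the value as sent — inferred from the README, not from this file, so worth checking against the API documentation. The `occassional` in the `intensity` description is a typo that is copied into man/pt_similar.Rd.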

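--- a/R/info.R
+++ b/R/info.R
@@ -0,0 +1,30 @@
+#' Get high-level information about a specific PCAP file.
+#'
+#' Results will contain high-level information, such as what logs were extracted, the date it was analyzed, and additional references.
+#'
+#' @param pcap_id An md5 hash corresponding to the PCAP file submission on PacketTotal.com.
+#' This hash can be derived by hashing the PCAP file in question.
+#' @param api_key your [packettotal_api_key()].
+#' @references <https://packettotal.com/api-docs/#/pcaps/get_pcaps>
+#' @export
+#' @examples
+#' str(try(pt_info("d210f4dbea97949f694e849507951881"), silent=TRUE), 2)
+pt_info <- function(pcap_id, api_key = packettotal_api_key()) {
+httr::GET(
+url = sprintf("https://api.packettotal.com/v1/pcaps/%s", pcap_id),
+httr::add_headers(
+`x-api-key` = api_key
+),
+.PACKETTOTAL_UA
+) -> res
+httr::stop_for_status(res)
+out <- httr::content(res, as = "text", encoding = "UTF-8")
+out <- jsonlite::fromJSON(out)
+out
+}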

15
R/packettotal-package.R

@ -1,12 +1,21 @@
#' ...
#'
#' Lookup and Analyze Packet Capture ('PCAP') Files
#'
#' 'PacketTotal' (<https://packettotal.com/>) is an engine for analyzing,
#' categorizing, and sharing packet capture ('PCAP') files. The tool was built
#' with the information security community in mind and has applications in malware
#' analysis and network forensics. Methods are provided to query search for and
#' analyze packet capture files.
#'
#' - URL: <https://gitlab.com/hrbrmstr/packettotal>
#' - BugReports: <https://gitlab.com/hrbrmstr/packettotal/issues>
#'
#'
#' @md
#' @name packettotal
#' @docType package
#' @author Bob Rudis (bob@@rud.is)
#' @references - <https://packettotal.com/>
#' - <https://packettotal.com/api-docs/#/>
#' @keywords internal
#' @import httr
#' @importFrom jsonlite fromJSON
NULL
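Review bot: `@import httr` pulls the whole httr namespace into the package (it becomes `import(httr)` in NAMESPACE) although every call in this commit is already `httr::`-qualified, and `@importFrom jsonlite fromJSON` is likewise unused because the wrappers call `jsonlite::fromJSON()`; narrowing to `@importFrom httr GET add_headers content stop_for_status status_code user_agent` or dropping both tags keeps the namespace minimal and makes accidental name collisions visible. Either way both packages must still be listed under `Imports:` in DESCRIPTION, which is outside the visible hunk of that file and so could not be checked here.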

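--- a/R/random.R
+++ b/R/random.R
@@ -0,0 +1,28 @@
+#' Get high-level information about a random PCAP file.
+#'
+#' Randomly selected PCAPs come from a set of pre-selected, interesting PCAP files.
+#'
+#' @param api_key your [packettotal_api_key()].
+#' @references <https://packettotal.com/api-docs/#/pcaps/get_pcaps>
+#' @export
+#' @examples
+#' str(try(pt_random(), silent=TRUE), 1)
+pt_random <- function(api_key = packettotal_api_key()) {
+httr::GET(
+url = "https://api.packettotal.com/v1/pcaps",
+httr::add_headers(
+`x-api-key` = api_key
+),
+.PACKETTOTAL_UA
+) -> res
+httr::stop_for_status(res)
+out <- httr::content(res, as = "text", encoding = "UTF-8")
+out <- jsonlite::fromJSON(out)
+out
+}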

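--- a/R/search.R
+++ b/R/search.R
@@ -0,0 +1,32 @@
+#' Search with term or with a valid Lucene query.
+#'
+#' Receive a set of matches for given query.
+#'
+#' @param query search term (e.g. an IP address, domain, or file hash) or valid Lucene query
+#' @param api_key your [packettotal_api_key()].
+#' @export
+#' @references <https://packettotal.com/api-docs/#/search
+#' @examples
+#' str(try(pt_search("evil.com"), silent=TRUE), 1)
+pt_search <- function(query, api_key = packettotal_api_key()) {
+httr::GET(
+url = "https://api.packettotal.com/v1/search",
+query = list(
+query = query
+),
+httr::add_headers(
+`x-api-key` = api_key
+),
+.PACKETTOTAL_UA
+) -> res
+httr::stop_for_status(res)
+out <- httr::content(res, as = "text", encoding = "UTF-8")
+out <- jsonlite::fromJSON(out)
+out
+}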
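Review bot: The roxygen line `#' @references <https://packettotal.com/api-docs/#/search` is missing its closing `>`, so roxygen emits the text literally instead of a `\url{}` link — the generated man/pt_search.Rd in this same commit shows the raw `<https://...` string where the other pages have `\url{...}`. Change it to `#' @references <https://packettotal.com/api-docs/#/search>` and regenerate the Rd file. The tag order (`@export` before `@references`) also differs from every sibling wrapper, which is harmless but worth aligning.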

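--- a/R/usage.R
+++ b/R/usage.R
@@ -0,0 +1,27 @@
+#' Retrive usage and subscription plan information.
+#'
+#' Handy helper to determine how many requests you have remaining.
+#'
+#' @param api_key your [packettotal_api_key()].
+#' @export
+#' @examples
+#' str(try(pt_usage(), silent=TRUE), 2)
+pt_usage <- function(api_key = packettotal_api_key()) {
+httr::GET(
+url = "https://api.packettotal.com/v1/usage",
+httr::add_headers(
+`x-api-key` = api_key
+),
+.PACKETTOTAL_UA
+) -> res
+httr::stop_for_status(res)
+out <- httr::content(res, as = "text")
+out <- jsonlite::fromJSON(out, encoding = "UTF-8")
+out
+}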
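Review bot: `encoding = "UTF-8"` is passed to `jsonlite::fromJSON()` instead of to `httr::content()`, the opposite of every sibling wrapper in this commit; `httr::content(res, as = "text")` without an encoding prints a "No encoding supplied" message on each call, and `fromJSON()` has no `encoding` argument of its own, so the value at best falls through `...` and is ignored. Use `out <- httr::content(res, as = "text", encoding = "UTF-8")` followed by `out <- jsonlite::fromJSON(out)` as in R/info.R. The title word `Retrive` is also misspelled and is copied into the README and man/pt_usage.Rd, and this page is the only wrapper without a `@references` tag.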

46
README.Rmd

@ -4,22 +4,44 @@ editor_options:
chunk_output_type: inline
---
```{r pkg-knitr-opts, include=FALSE}
knitr$opts_chunk$set(collapse=TRUE, fig.retina=2, message=FALSE, warning=FALSE)
knitr::opts_chunk$set(collapse=TRUE, fig.retina=2, message=FALSE, warning=FALSE)
options(width=120)
```
[![Travis-CI Build Status](https://travis-ci.org/hrbrmstr/packettotal.svg?branch=master)](https://travis-ci.org/hrbrmstr/packettotal)
[![Coverage Status](https://codecov.io/gh/hrbrmstr/packettotal/branch/master/graph/badge.svg)](https://codecov.io/gh/hrbrmstr/packettotal)
[![CRAN_Status_Badge](http://www.r-pkg.org/badges/version/packettotal)](https://cran.r-project.org/package=packettotal)
[![CRAN_Status_Badge](https://www.r-pkg.org/badges/version/packettotal)](https://cran.r-project.org/package=packettotal)
# packettotal
Lookup and Analyze Packet Capture ('PCAP') Files
## Description
'PacketTotal' (<https://packettotal.com/>) is an engine for analyzing,
categorizing, and sharing packet capture ('PCAP') files. The tool was built
with the information security community in mind and has applications in malware
analysis and network forensics. Methods are provided to query search for and
analyze packet capture files.
## TODO
- `/search/deep/` : <https://packettotal.com/api-docs/#/search/post_search_deep>
- `/search/deep/results/{search_id}` : <https://packettotal.com/api-docs/#/search/get_search_deep_results__search_id_>
## What's Inside The Tin
The following functions are implemented:
- `packettotal_api_key`: Get or set PACKETTOTAL_API_KEY value
- `pt_detail`: Get a detailed report of PCAP traffic, carved files, signatures, and top-talkers.
- `pt_download`: Download a PCAP analysis archive. The result is a zip archive containing the PCAP itself, CSVs representing various analysis results, and all carved files.
- `pt_info`: Get high-level information about a specific PCAP file.
- `pt_random`: Get high-level information about a random PCAP file.
- `pt_search`: Search with term or with a valid Lucene query.
- `pt_similar`: Get a similarity graph relative to the current PCAP file.
- `pt_usage`: Retrive usage and subscription plan information.
## Installation
```{r install-ex, eval=FALSE}
@ -38,6 +60,26 @@ packageVersion("packettotal")
```
```{r random}
str(pt_random(), 2)
```
```{r search}
str(pt_search("evil.com"), 2)
```
```{r info}
str(pt_info("d210f4dbea97949f694e849507951881"), 2)
```
```{r detail}
str(pt_detail("d210f4dbea97949f694e849507951881"), 2)
```
```{r similar}
str(pt_similar("536cf06ca83704844d789f56caf22ee6"), 2)
```
## packettotal Metrics
```{r cloc, echo=FALSE}

140
README.md

@ -1,2 +1,142 @@
[![Travis-CI Build
Status](https://travis-ci.org/hrbrmstr/packettotal.svg?branch=master)](https://travis-ci.org/hrbrmstr/packettotal)
[![Coverage
Status](https://codecov.io/gh/hrbrmstr/packettotal/branch/master/graph/badge.svg)](https://codecov.io/gh/hrbrmstr/packettotal)
[![CRAN\_Status\_Badge](https://www.r-pkg.org/badges/version/packettotal)](https://cran.r-project.org/package=packettotal)
# packettotal
Lookup and Analyze Packet Capture (‘PCAP’) Files
## Description
‘PacketTotal’ (<https://packettotal.com/>) is an engine for analyzing,
categorizing, and sharing packet capture (‘PCAP’) files. The tool was
built with the information security community in mind and has
applications in malware analysis and network forensics. Methods are
provided to query search for and analyze packet capture files.
## TODO
- `/search/deep/` :
<https://packettotal.com/api-docs/#/search/post_search_deep>
- `/search/deep/results/{search_id}` :
<https://packettotal.com/api-docs/#/search/get_search_deep_results__search_id_>
## What’s Inside The Tin
The following functions are implemented:
- `packettotal_api_key`: Get or set PACKETTOTAL\_API\_KEY value
- `pt_detail`: Get a detailed report of PCAP traffic, carved files,
signatures, and top-talkers.
- `pt_download`: Download a PCAP analysis archive. The result is a zip
archive containing the PCAP itself, CSVs representing various
analysis results, and all carved files.
- `pt_info`: Get high-level information about a specific PCAP file.
- `pt_random`: Get high-level information about a random PCAP file.
- `pt_search`: Search with term or with a valid Lucene query.
- `pt_similar`: Get a similarity graph relative to the current PCAP
file.
- `pt_usage`: Retrive usage and subscription plan information.
## Installation
``` r
devtools::install_git("https://gitlab.com/hrbrmstr/packettotal.git")
# or
devtools::install_github("hrbrmstr/packettotal")
```
## Usage
``` r
library(packettotal)
# current version
packageVersion("packettotal")
## [1] '0.1.0'
```
``` r
str(pt_random(), 2)
## List of 1
## $ pcap_metadata:List of 11
## ..$ md5 : chr "4be31ddcbfe4af10f0fbcb83681d1b67"
## ..$ name : chr "20130820_c_win6_00012_pc.pcap"
## ..$ byte_size : int 1552408
## ..$ logs : chr [1:8] "conn" "dns" "weird" "files" ...
## ..$ analyzed_date : chr "2018-10-19 00:50:01"
## ..$ download_link : chr "/pcaps/4be31ddcbfe4af10f0fbcb83681d1b67/download"
## ..$ analysis_link : chr "/pcaps/4be31ddcbfe4af10f0fbcb83681d1b67/analysis"
## ..$ similar_pcaps_link: chr "/pcaps/4be31ddcbfe4af10f0fbcb83681d1b67/similar"
## ..$ pcap_glyph_link : chr "https://s3.amazonaws.com/packettotalpub/files/4be31ddcbfe4af10f0fbcb83681d1b67/pcap-mosaic.png"
## ..$ packettotal_link : chr "https://packettotal.com/app/analysis?id=4be31ddcbfe4af10f0fbcb83681d1b67"
## ..$ message : chr "This PCAP was selected randomly, since no id was specified."
```
``` r
str(pt_search("evil.com"), 2)
## List of 2
## $ result_count: int 5
## $ results :'data.frame': 5 obs. of 3 variables:
## ..$ id : chr [1:5] "b2a094b1882f52ab8befd3d8ad9d7f9a" "0826bfbd4a68519945b9af594a5a87d7" "385b9a5b3da0d56260f2be329e110795" "8e13e95bc12ad8415c4d8e8d313affac" ...
## ..$ found_in :List of 5
## ..$ match_score: num [1:5] 49.5 49.3 44.2 31.8 31.6
```
``` r
str(pt_info("d210f4dbea97949f694e849507951881"), 2)
## List of 1
## $ pcap_metadata:List of 10
## ..$ md5 : chr "d210f4dbea97949f694e849507951881"
## ..$ name : chr "20180815Emotetinfectipca.pcap"
## ..$ byte_size : int 1583713
## ..$ logs : chr [1:10] "conn" "x509" "dns" "ssl" ...
## ..$ analyzed_date : chr "2019-01-01 06:40:18"
## ..$ download_link : chr "/pcaps/d210f4dbea97949f694e849507951881/download"
## ..$ analysis_link : chr "/pcaps/d210f4dbea97949f694e849507951881/analysis"
## ..$ similar_pcaps_link: chr "/pcaps/d210f4dbea97949f694e849507951881/similar"
## ..$ pcap_glyph_link : chr "https://s3.amazonaws.com/packettotalpub/files/d210f4dbea97949f694e849507951881/pcap-mosaic.png"
## ..$ packettotal_link : chr "https://packettotal.com/app/analysis?id=d210f4dbea97949f694e849507951881"
```
``` r
str(pt_detail("d210f4dbea97949f694e849507951881"), 2)
## List of 1
## $ analysis_summary:List of 9
## ..$ top_talkers :List of 2
## ..$ connection_statistics:List of 9
## ..$ dns_statistics :List of 2
## ..$ file_statistics :List of 3
## ..$ signatures : chr [1:4] "ET POLICY Office Document Download Containing AutoOpen Macro" "ET POLICY PE EXE or DLL Windows file download HTTP" "SURICATA TLS invalid record version" "SURICATA TLS invalid record/traffic"
## ..$ external_references :'data.frame': 7 obs. of 2 variables:
## ..$ malicious_traffic : logi FALSE
## ..$ accuracy : chr "perfect"
## ..$ http_statistics :List of 3
```
``` r
str(pt_similar("536cf06ca83704844d789f56caf22ee6"), 2)
## List of 4
## $ similar :List of 2
## ..$ result_count: int 78
## ..$ results :'data.frame': 78 obs. of 4 variables:
## $ intensity : chr "minimal"
## $ prioritize_uncommon_fields: logi TRUE
## $ weighting_mode : chr "behavior"
```
## packettotal Metrics
| Lang | \# Files | (%) | LoC | (%) | Blank lines | (%) | \# Lines | (%) |
| :--- | -------: | ---: | --: | ---: | ----------: | ---: | -------: | ---: |
| R | 12 | 0.92 | 152 | 0.93 | 52 | 0.68 | 111 | 0.67 |
| Rmd | 1 | 0.08 | 12 | 0.07 | 25 | 0.32 | 55 | 0.33 |
## Code of Conduct
Please note that this project is released with a [Contributor Code of
Conduct](CONDUCT.md). By participating in this project you agree to
abide by its terms.

16
man/packettotal.Rd

@ -4,13 +4,27 @@
\name{packettotal}
\alias{packettotal}
\alias{packettotal-package}
\title{...}
\title{Lookup and Analyze Packet Capture ('PCAP') Files}
\description{
'PacketTotal' (\url{https://packettotal.com/}) is an engine for analyzing,
categorizing, and sharing packet capture ('PCAP') files. The tool was built
with the information security community in mind and has applications in malware
analysis and network forensics. Methods are provided to query search for and
analyze packet capture files.
}
\details{
\itemize{
\item URL: \url{https://gitlab.com/hrbrmstr/packettotal}
\item BugReports: \url{https://gitlab.com/hrbrmstr/packettotal/issues}
}
}
\references{
\itemize{
\item \url{https://packettotal.com/}
\item \url{https://packettotal.com/api-docs/#/}
}
}
\author{
Bob Rudis (bob@rud.is)
}
\keyword{internal}

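--- a/man/packettotal_api_key.Rd
+++ b/man/packettotal_api_key.Rd
@@ -0,0 +1,23 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/api-key.R
+\name{packettotal_api_key}
+\alias{packettotal_api_key}
+\title{Get or set PACKETTOTAL_API_KEY value}
+\usage{
+packettotal_api_key(force = FALSE)
+}
+\arguments{
+\item{force}{Force setting a new PacketTotal key for the current environment?}
+}
+\value{
+atomic character vector containing the PacketTotal api key
+}
+\description{
+The API wrapper functions in this package all rely on a PacketTotal API
+key residing in the environment variable \code{PACKETTOTAL_API_KEY}.
+The easiest way to accomplish this is to set it
+in the \code{.Renviron} file in your home directory.
+}
+\references{
+\url{https://packettotal.com/api-docs/}
+}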

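--- a/man/pt_detail.Rd
+++ b/man/pt_detail.Rd
@@ -0,0 +1,23 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/detail.R
+\name{pt_detail}
+\alias{pt_detail}
+\title{Get a detailed report of PCAP traffic, carved files, signatures, and top-talkers.}
+\usage{
+pt_detail(pcap_id, api_key = packettotal_api_key())
+}
+\arguments{
+\item{pcap_id}{An md5 hash corresponding to the PCAP file submission on PacketTotal.com.
+This hash can be derived by hashing the PCAP file in question.}
+\item{api_key}{your \code{\link[=packettotal_api_key]{packettotal_api_key()}}.}
+}
+\description{
+Analysis results contain high-level protocol statistics, signatures, and intelligence that PacketTotal discovered during analysis and enrichment.
+}
+\examples{
+str(try(pt_detail("d210f4dbea97949f694e849507951881"), silent=TRUE), 2)
+}
+\references{
+\url{https://packettotal.com/api-docs/#/pcaps/get_pcaps}
+}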

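--- a/man/pt_download.Rd
+++ b/man/pt_download.Rd
@@ -0,0 +1,34 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/download.R
+\name{pt_download}
+\alias{pt_download}
+\title{Download a PCAP analysis archive. The result is a zip archive containing the PCAP itself, CSVs representing various analysis results, and all carved files.'}
+\usage{
+pt_download(pcap_id, dl_dir = getwd(), archive_name = NULL,
+api_key = packettotal_api_key())
+}
+\arguments{
+\item{pcap_id}{An md5 hash corresponding to the PCAP file submission on PacketTotal.com.
+This hash can be derived by hashing the PCAP file in question.}
+\item{dl_dir}{directory where to store the download}
+\item{archive_name}{name of the ZIP file. If left \code{NULL} then a ZIP file
+will be created with the name \code{YYYY-mm-dd-pcap_id.zip}.}
+\item{api_key}{your \code{\link[=packettotal_api_key]{packettotal_api_key()}}.}
+}
+\value{
+if successful and the analysis package is ready then the full path
+to the ZIP file is returned (invisibly). If the analysis package
+is not ready the return value is "\code{_PROCESSING_}".
+}
+\description{
+Download a PCAP analysis archive. The result is a zip archive containing the PCAP itself, CSVs representing various analysis results, and all carved files.'
+}
+\examples{
+str(try(pt_download("536cf06ca83704844d789f56caf22ee6"), silent=TRUE), 2)
+}
+\references{
+\url{https://packettotal.com/api-docs/#/pcaps/get_pcaps__pcap_id__download}
+}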

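--- a/man/pt_info.Rd
+++ b/man/pt_info.Rd
@@ -0,0 +1,23 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/info.R
+\name{pt_info}
+\alias{pt_info}
+\title{Get high-level information about a specific PCAP file.}
+\usage{
+pt_info(pcap_id, api_key = packettotal_api_key())
+}
+\arguments{
+\item{pcap_id}{An md5 hash corresponding to the PCAP file submission on PacketTotal.com.
+This hash can be derived by hashing the PCAP file in question.}
+\item{api_key}{your \code{\link[=packettotal_api_key]{packettotal_api_key()}}.}
+}
+\description{
+Results will contain high-level information, such as what logs were extracted, the date it was analyzed, and additional references.
+}
+\examples{
+str(try(pt_info("d210f4dbea97949f694e849507951881"), silent=TRUE), 2)
+}
+\references{
+\url{https://packettotal.com/api-docs/#/pcaps/get_pcaps}
+}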

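--- a/man/pt_random.Rd
+++ b/man/pt_random.Rd
@@ -0,0 +1,20 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/random.R
+\name{pt_random}
+\alias{pt_random}
+\title{Get high-level information about a random PCAP file.}
+\usage{
+pt_random(api_key = packettotal_api_key())
+}
+\arguments{
+\item{api_key}{your \code{\link[=packettotal_api_key]{packettotal_api_key()}}.}
+}
+\description{
+Randomly selected PCAPs come from a set of pre-selected, interesting PCAP files.
+}
+\examples{
+str(try(pt_random(), silent=TRUE), 1)
+}
+\references{
+\url{https://packettotal.com/api-docs/#/pcaps/get_pcaps}
+}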

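--- a/man/pt_search.Rd
+++ b/man/pt_search.Rd
@@ -0,0 +1,22 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/search.R
+\name{pt_search}
+\alias{pt_search}
+\title{Search with term or with a valid Lucene query.}
+\usage{
+pt_search(query, api_key = packettotal_api_key())
+}
+\arguments{
+\item{query}{search term (e.g. an IP address, domain, or file hash) or valid Lucene query}
+\item{api_key}{your \code{\link[=packettotal_api_key]{packettotal_api_key()}}.}
+}
+\description{
+Receive a set of matches for given query.
+}
+\examples{
+str(try(pt_search("evil.com"), silent=TRUE), 1)
+}
+\references{
+<https://packettotal.com/api-docs/#/search
+}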

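--- a/man/pt_similar.Rd
+++ b/man/pt_similar.Rd
@@ -0,0 +1,31 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/graph.R
+\name{pt_similar}
+\alias{pt_similar}
+\title{Get a similarity graph relative to the current PCAP file.}
+\usage{
+pt_similar(pcap_id, weighting_mode = c("behavior", "content"),
+intensity = c("minimal", "low", "medium", "high"),
+prioritize_uncommon_fields = FALSE, api_key = packettotal_api_key())
+}
+\arguments{
+\item{pcap_id}{An md5 hash corresponding to the PCAP file submission on PacketTotal.com.
+This hash can be derived by hashing the PCAP file in question.}
+\item{weighting_mode}{One of "\code{behavior}" (default) or "\code{content}". Weight search results either based on their similarity to the behaviors exhibited or contents contained within the current PCAP file.}
+\item{intensity}{One of "\code{minimal}" (default), "\code{low}", "\code{medium}", or "\code{high}". The scope of the search, basically translates to the maximum number of aggregations to exhaust. Using a high level intensity, may result in occassional timeouts.}
+\item{prioritize_uncommon_fields}{By default, the most common values are used to seed the initial similarity search. Enabling this parameter, seeds the initial search with the least common values instead.}
+\item{api_key}{your \code{\link[=packettotal_api_key]{packettotal_api_key()}}.}
+}
+\description{
+Results contain PCAPs that exhibit similar behaviors or contain similar content. Results are organized with the most similar PCAPs on top, and the terms that were found shared within both.
+}
+\examples{
+str(try(pt_similar("536cf06ca83704844d789f56caf22ee6"), silent=TRUE), 3)
+}
+\references{
+\url{https://packettotal.com/api-docs/#/pcaps/get_pcaps__pcap_id__similar}
+}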

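--- a/man/pt_usage.Rd
+++ b/man/pt_usage.Rd
@@ -0,0 +1,17 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/usage.R
+\name{pt_usage}
+\alias{pt_usage}
+\title{Retrive usage and subscription plan information.}
+\usage{
+pt_usage(api_key = packettotal_api_key())
+}
+\arguments{
+\item{api_key}{your \code{\link[=packettotal_api_key]{packettotal_api_key()}}.}
+}
+\description{
+Handy helper to determine how many requests you have remaining.
+}
+\examples{
+str(try(pt_usage(), silent=TRUE), 2)
+}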