katana.units.pcap.tcpflow — tcpflow

tcpflow

This unit will carve out files from a given PCAP file using the tcpflow command-line utility. The syntax runs as:

tcpflow -r <target_path> -o <tcpflow_directory>

The unit inherits from katana.unit.FileUnit to ensure the target is a PCAP file.

class katana.units.pcap.tcpflow.Unit(*args, **kwargs)

Bases: katana.unit.FileUnit

DEPENDENCIES = ['tcpflow']

Required dependencies for this unit: “tcpflow”.

GROUPS = ['network', 'pcap', 'tcpflow']

These are “tags” for a unit. Since it is a pcap unit, “pcap” is included, as well as the tag “network” and the unit name “tcpflow”.

PRIORITY = 30

Priority works with 0 being the highest priority, and 100 being the lowest priority. 50 is the default priority. This unit has a moderately high priority due to speed and broadness of applicability.

RECURSE_SELF = True

In case we have extracted other PCAPs for some reason, we CAN recurse into ourselves.

evaluate(case: Any)

Evaluate the target. Run tcpflow on the target and recurse on any new found files.

Parameters: case – A case returned by enumerate. For this unit, the enumerate function is not used.

Returns: None. This function should not return any data.
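
A stand-alone sketch of the behaviour described for evaluate, added here as an example and not Katana's own code: it runs tcpflow with the syntax shown above, then lists the carved flow files worth handing on for further analysis. The function names, the timeout value and the IPv4-only file-name pattern are assumptions of this example.

```python
import re
import subprocess
from pathlib import Path

# tcpflow names each carved IPv4 flow "<src ip>.<src port>-<dst ip>.<dst port>"
# with zero-padded octets and ports; any trailing suffix is ignored here.
FLOW_NAME = re.compile(
    r"^(\d{3}\.\d{3}\.\d{3}\.\d{3})\.(\d{5})-(\d{3}\.\d{3}\.\d{3}\.\d{3})\.(\d{5})"
)


def run_tcpflow(pcap_path, out_dir, timeout=120):
    """Run `tcpflow -r <pcap> -o <dir>` as an argument list (no shell parsing)."""
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    subprocess.run(
        ["tcpflow", "-r", str(pcap_path), "-o", str(out_dir)],
        check=True,        # raise if tcpflow rejects the capture
        timeout=timeout,   # assumed limit so a huge capture cannot stall the run
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )


def parse_flow_name(name):
    """Return (src_ip, src_port, dst_ip, dst_port), or None if not a flow file."""
    m = FLOW_NAME.match(name)
    if not m:
        return None

    def unpad(ip):
        return ".".join(str(int(octet)) for octet in ip.split("."))

    return unpad(m.group(1)), int(m.group(2)), unpad(m.group(3)), int(m.group(4))


def carved_flows(out_dir):
    """List non-empty flow files in out_dir with their parsed endpoints."""
    found = []
    for path in sorted(Path(out_dir).iterdir()):
        # Only regular files: skip directories and symlinks in the output dir.
        if path.is_symlink() or not path.is_file():
            continue
        endpoints = parse_flow_name(path.name)  # None for e.g. report.xml
        if endpoints and path.stat().st_size > 0:
            found.append((path.name, endpoints))
    return found
```

Call run_tcpflow on the capture first, then carved_flows on the same output directory; each returned file is a candidate for the recursion the unit describes.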