gold-miner-trainer: profiles a single PCAP training file

The gold-miner-trainer tool takes a PCAP file as input and produces a profile for that single dataset. The PCAP file passed to it must contain only one traffic type, the type being profiled. It can take an optional tcpdump filter string to limit the traffic that is used as training data (as in the example below, where “esp and src 10.0.0.1” limits the traffic to just IPsec ESP packets from a particular source).

Example invocation:

gold-miner-trainer -f "esp and src 10.0.0.1" -T -o web_traffic.fsdb web_traffic.pcap
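To show what the filter in the example above selects, and to check the single-traffic-type requirement before training, here is an added Python example; it is not part of gold-miner-trainer and works on constructed Ethernet/IPv4 frames rather than a real PCAP.

```python
import struct
from collections import Counter

ETH_IPV4 = 0x0800
PROTO_ESP, PROTO_TCP = 50, 6  # IP protocol numbers for ESP and TCP


def build_frame(src, dst, proto, payload=b""):
    """Build a minimal Ethernet + IPv4 frame (constructed test input; checksum left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + payload


def classify(frame):
    """Return (src_ip, proto) for an IPv4 frame, or None if it is not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    proto = frame[23]                      # IPv4 protocol field (offset 9 in the IP header)
    src = ".".join(map(str, frame[26:30]))  # IPv4 source address
    return src, proto


def esp_from(frames, src_ip):
    """Same selection as the tcpdump filter 'esp and src <src_ip>'."""
    return [f for f in frames if classify(f) == (src_ip, PROTO_ESP)]


def traffic_types(frames):
    """Count (src_ip, proto) pairs present; a valid training set collapses to one."""
    return Counter(c for c in map(classify, frames) if c)


def is_single_type(frames):
    """True if every IPv4 frame shares one (src_ip, proto) pair, i.e. one traffic type."""
    return len(traffic_types(frames)) == 1


# Constructed mixed capture: ESP and TCP from 10.0.0.1, ESP from another host.
SAMPLE_FRAMES = [
    build_frame("10.0.0.1", "10.0.0.2", PROTO_ESP, b"\x00" * 8),
    build_frame("10.0.0.1", "10.0.0.2", PROTO_TCP, b"\x00" * 20),
    build_frame("10.0.0.9", "10.0.0.2", PROTO_ESP, b"\x00" * 8),
]

if __name__ == "__main__":
    kept = esp_from(SAMPLE_FRAMES, "10.0.0.1")
    print(f"{len(kept)} of {len(SAMPLE_FRAMES)} frames match; single type: {is_single_type(kept)}")
```

The unfiltered sample fails the single-type check, while the filtered subset passes it, which is exactly what the -f option is for.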

Next Steps

Once a number of training sets have been created, use the gold-miner-trainer-aggregator tool to compile them all into a single profile that can be passed to the gold-miner tool to attempt detection of unknown traffic types.

Command Line Arguments

introduction - CLI interface

introduction [-h] [-o OUTPUT] [-a [ADDRESSES [ADDRESSES ...]]] [-f FILTER] [-T]
             [--log-level LOG_LEVEL] [-W]
             pcap_files [pcap_files ...]

introduction positional arguments

  • pcap_files - Where to read the pcap file(s) from (default: None)

introduction optional arguments

  • -h, --help - show this help message and exit

  • -o OUTPUT, --output OUTPUT - Where to write the output file (else stdout) (default: stdout)

  • -a ADDRESSES, --addresses ADDRESSES - Only look at packets from these addresses (default: None)

  • -f FILTER, --filter FILTER - Use a pcap filter to filter packets (default: None)

  • -T, --no-timing - Don’t do timing analysis (expensive in memory)

  • --log-level LOG_LEVEL, --ll LOG_LEVEL - Define the logging verbosity level (debug, info, warning, error, fatal, critical). (default: info)

  • -W, --width-trainer - Use the [beta] width trainer