plugkit

Deplug Package Development Kit

Keywords: cpp, electron, javascript, packet-analyzer, pcap, rust, typescript
License: MIT

Documentation

Deplug

Deplug is a graphical network analyzer powered by web technologies.

Features

  • Cross-Platform (macOS, Linux, Windows)
  • Web-based UI (Electron)
  • Built-in Package Manager
  • SDK for JavaScript and Rust
  • Concurrency Support

Screenshot in Ubuntu

Import / Export

Deplug supports the following formats by default.

  • Pcap File (*.pcap)

Preferences

Configuration files are located in $HOME/.deplug/profile/default.

  • config.yml General and Package-specific Configs
  • keybind.yml Keybind Configs
  • workspace.yml Workspace Configs (Window Size, Layout, Filter History, etc.)

Packages

Installed packages are located in $HOME/.deplug/package.

Display Filter

Deplug has a simple DSL (domain-specific language) for filtering packets. It is very similar to JavaScript.

The display filter evaluates the filter program against each frame and shows the frame only if the result is truthy. Therefore, the following filters do nothing, since they always show all frames:

  • true
  • !0
  • 1
  • 1 + 2 == 3
  • 'ok!'

There are some language extensions suited to packet filtering:

  • Extended operators
  • Pipeline syntax (Not implemented yet)
  • Macro syntax

Extended operators

Some operators (==, ===, !=, !==, <, <=, >, >=) can take an iterable object as an operand.

ipv4.src == [127, 0, 0, 1] // IPv4 source address equals 127.0.0.1

Pipeline syntax

(Not implemented yet)

Pipeline syntax provides chained function calls. You can put a function name after an expression to transform its value.

http.path toLowerCase === '/login'

// almost equivalent to (the comparison applies to the whole conditional):
(('toLowerCase' in Object(http.path))
  ? http.path.toLowerCase()
  : null) === '/login'

Use : to pass arguments:

http.path split:/\d+/:2

// almost equivalent to:
('split' in Object(http.path))
  ? http.path.split(/\d+/, 2)
  : null

Note that you can not write a method call like `http.path.toLowerCase()` because Deplug resolves `http.path.toLowerCase` as a layer attribute named `http.path.toLowerCase`.

Macro syntax

Macros provide a familiar way to write compound constants.

For example, an IPv4 address is represented as just an array of integers, but you can also write it as @127.0.0.1. That is converted into [127, 0, 0, 1] before parsing.

ipv4.src == @127.0.0.1 // Same as ipv4.src == [127, 0, 0, 1]

A macro expression starts with @ and ends with whitespace or the line ending. You can create an extension package to add custom macros, of course.

There are some macros defined in the built-in packages:

Name           Format                  Example                 Expanded
-------------  ----------------------  ----------------------  ------------------------------------
MAC Address    @XX:XX:XX:XX:XX:XX      @11:22:33:44:55:66      [0x11, 0x22, 0x33, 0x44, 0x55, 0x66]
IPv4 Address   @X.X.X.X                @127.0.0.1              [127, 0, 0, 1]
IPv6 Address   @XXXX:XXXX:...:XXXX     @::ffff                 [0, 0, ..., 0, 0, 0xff, 0xff]
DateTime       @YYYY-MM-DDThh:mm:ss    @2018-03-01T00:00:00    1519862400000 (depends on timezone)
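The built-in macros in the table above and the extended iterable `==` operator from the Extended operators section, modelled as an added JavaScript example (this is not Deplug's or plugkit's own code): `expandMacros` rewrites each `@` token using the table's formats before parsing, and `looseEquals` compares two iterables element by element. The function names and the regex-based tokenizer are assumptions made for illustration.

```javascript
// Added example (not Deplug code): built-in macros and the iterable `==` operator.

// @XX:XX:XX:XX:XX:XX -> six byte values
function expandMac(body) {
  return body.split(':').map((h) => parseInt(h, 16));
}
// @X.X.X.X -> four integers
function expandIpv4(body) {
  return body.split('.').map((d) => parseInt(d, 10));
}
// @XXXX:...:XXXX (with optional `::` compression) -> sixteen byte values
function expandIpv6(body) {
  const [head, tail = ''] = body.split('::');
  const hs = head ? head.split(':') : [];
  const ts = tail ? tail.split(':') : [];
  if (hs.length + ts.length > 8) throw new SyntaxError(`bad IPv6 macro @${body}`);
  const groups = [...hs, ...Array(8 - hs.length - ts.length).fill('0'), ...ts];
  return groups.flatMap((g) => { const v = parseInt(g, 16); return [v >> 8, v & 0xff]; });
}

// Built-in formats from the table, tried in order (MAC before IPv6, since both are
// colon-separated hex). DateTime parses as local time, hence "depends on timezone".
const MACROS = [
  [/^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$/i, expandMac],
  [/^\d{1,3}(?:\.\d{1,3}){3}$/, expandIpv4],
  [/^[0-9a-f:]+$/i, expandIpv6],
  [/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$/, (b) => Date.parse(b)],
];

// A macro starts with `@` and runs to the next whitespace or end of line; it is
// replaced textually before the filter is parsed. Arrays render in decimal.
function expandMacros(filter) {
  return filter.replace(/@(\S+)/g, (token, body) => {
    for (const [re, fn] of MACROS) {
      if (re.test(body)) {
        const v = fn(body);
        return Array.isArray(v) ? `[${v.join(', ')}]` : String(v);
      }
    }
    throw new SyntaxError(`unknown macro ${token}`);
  });
}

// Extended `==`: if both operands are iterable (a dissected address is a byte
// array), compare length and elements; otherwise fall back to plain `==`.
function looseEquals(a, b) {
  const iterable = (x) => x != null && typeof x !== 'string' && typeof x[Symbol.iterator] === 'function';
  if (!iterable(a) || !iterable(b)) return a == b; // eslint-disable-line eqeqeq
  const xa = [...a], xb = [...b];
  return xa.length === xb.length && xa.every((v, i) => v == xb[i]); // eslint-disable-line eqeqeq
}
```

Note that, because a macro ends only at whitespace, a token such as `@127.0.0.1)` would swallow the closing parenthesis; put a space before it.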

Examples

Protocol

Expression      Description
--------------  ----------------------
tcp             TCP only
udp             UDP only
udp && ipv6     UDP over IPv6 only
udp || arp      UDP or ARP
!arp            All frames except ARP

Attributes

Expression                          Description
----------------------------------  ------------------------------------------
tcp.flags.ack                       TCP frames with the ACK flag
tcp.flags & 0b000010000             TCP frames with the ACK flag
tcp.flags.ack && tcp.flags.fin      TCP frames with both the ACK and FIN flags
tcp.flags == 16                     TCP frames with only the ACK flag
tcp.src < 1024 || tcp.dst < 1024    TCP with well-known ports
http.method.get                     HTTP GET requests

Frame Metadata

Expression                            Description
------------------------------------  ---------------------------------------------
$.actualLength > 1024                 Actual frame length is larger than 1024
$.timestamp < @2018-03-15T22:00:00    Frame timestamp is before 2018-03-15T22:00:00

Confidence

Confidence is a 2-bit value that represents how accurately a layer was dissected.

Confidence   Value   Description                                                                           Example
-----------  ------  ------------------------------------------------------------------------------------  --------------------
Exact        3       Protocol is specified in the lower layer.                                             IPv4 over Ethernet
Probable     2       Protocol could not be determined precisely, but a usual port or parameter is used.    SSH on TCP port 20
Possible     1       Protocol is decodable, but an unusual port or parameter is used.                      SSH on TCP port 5555
Error        0       Protocol has an invalid parameter.                                                    -

Raising the confidence threshold produces cleaner results. On the other hand, a lower threshold is the better choice for catching broken or camouflaged packets, since a protocol running on an unusual port only reaches the Possible level.