{"id":13650687,"url":"https://github.com/secureworks/flowsynth","last_synced_at":"2025-12-14T01:27:07.776Z","repository":{"id":27027004,"uuid":"100407964","full_name":"secureworks/flowsynth","owner":"secureworks","description":"a network packet capture compiler","archived":false,"fork":false,"pushed_at":"2022-04-28T02:57:34.000Z","size":80,"stargazers_count":202,"open_issues_count":5,"forks_count":31,"subscribers_count":19,"default_branch":"master","last_synced_at":"2025-09-24T22:42:28.826Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/secureworks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-08-15T18:41:26.000Z","updated_at":"2025-09-01T21:02:46.000Z","dependencies_parsed_at":"2022-08-07T12:01:27.454Z","dependency_job_id":null,"html_url":"https://github.com/secureworks/flowsynth","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/secureworks/flowsynth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secureworks%2Fflowsynth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secureworks%2Fflowsynth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secureworks%2Fflowsynth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secureworks%2Fflowsynth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/secureworks","download_url":"https://codeload.github.com/secureworks/flowsynth/tar.gz/refs/heads/master","sbom_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secureworks%2Fflowsynth/sbom","scorecard":{"id":809195,"data":{"date":"2025-08-11","repo":{"name":"github.com/secureworks/flowsynth","commit":"de58ed4ad137bfc55c59857934f76f481edf1978"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.4,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":4,"reason":"Found 6/14 approved changesets -- score normalized to 4","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively 
maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: 
LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2019-120 / GHSA-mpf2-q34c-fc6j"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 26 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-23T12:39:09.581Z","repository_id":27027004,"created_at":"2025-08-23T12:39:09.581Z","updated_at":"2025-08-23T12:39:09.581Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":27714662,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-13T02:00:09.769Z","response_time":147,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T02:00:39.431Z","updated_at":"2025-12-14T01:27:07.672Z","avatar_url":"https://github.com/secureworks.png","language":"Python","readme":"# Flowsynth #\n\nFlowsynth is a tool for rapidly modeling network traffic. 
Flowsynth can be used to generate text-based hexdumps of packets as well as native libpcap format packet captures.\n\n## Installation and Usage Overview ##\n\nFlowsynth has been tested on Python 2.7 and Python 3.\n\n`pip install flowsynth` to install the wheel.\n\n### Python Script ###\n\n\nUsage:\n\n    usage: flowsynth.py [-h] [-f OUTPUT_FORMAT] [-w OUTPUT_FILE] [-q] [-d]\n                        [--display {text,json}] [--no-filecontent]\n                        input\n\n    positional arguments:\n      input                 input files\n\n    optional arguments:\n      -h, --help            show this help message and exit\n      -f OUTPUT_FORMAT      Output format. Valid output formats include: hex, pcap\n      -w OUTPUT_FILE        Output file.\n      -q                    Run silently\n      -d                    Run in debug mode\n      --display {text,json}\n                            Display format\n      --no-filecontent      Disable support for the filecontent attribute\n\n### Python Module ###\n\n\nExample usage:\n\n    import flowsynth\n    fsmodel = flowsynth.Model(input=\"my.synth\", output_file=\"out.pcap\", output_format=\"pcap\")\n    fsmodel.build()\n\nThe Model class function `build()` executes flowsynth and the class constructor takes the same arguments as the script (see above):\n\n    class Model():\n        def __init__(self, input, output_format=\"pcap\", output_file=\"\", quiet=False, debug=False, display=\"text\", no_filecontent=False):\n        ...\n\n*Note:* Because of the current less-than-ideal use of global variables instead of class variables, if more than one Model object is used concurrently, there will be issues. Hopefully this limitation will be remedied in a future release.\n\nIf the module is installed, Flowsynth can be invoked from the command line and run like a script, e.g.:\n\n    python3 -m flowsynth -f pcap -w out.pcap my.synth\n\n## How it works ##\n\nFlowsynth uses a syntax language to describe network flows. 
The syntax language is made up of individual *instructions* that are parsed by the application and are grouped into *events*, which are a logical representation of the *instructions* in the network domain. After all *instructions* have been parsed, the *events* are iterated over and converted into *packets*, which are the real-world representation of the traffic on the wire.\n\nThese three phases are referred to as the *parsing phase*, *rendering phase*, and the *output phase*.\n\nTake the following synfile as an example:\n\n    flow default tcp myhost.corp.acme.net:12323 \u003e google.com:80 (   tcp.initialize; );\n    default \u003e ( content:\"GET / HTTP/1.1\\x0d\\x0a\"; content:\"Host: google.com\\x0d\\x0a\\x0d\\x0a\"; );\n    default \u003c ( content:\"HTTP/1.1 200 OK\"; );\n\nThis sample contains two types of instructions: Flow declarations and event declarations. The first line (*flow default tcp...*) declares to Flowsynth that a flow is being tracked between myhost.corp.acme.net and google.com. The flow name is *default*. All events that apply to this flow will use this name (*default*) to identify which flow they apply to. The third argument specifies which protocol the flow will use. In this case it's *tcp*. Next we specify the source and destination addresses and ports. Finally, an optional attributes section is included at the end. The *tcp.initialize* attribute is included, which tells Flowsynth to automatically generate a three-way handshake for this flow. It's worth noting that each attribute and line should be closed with a semicolon (;), as shown above. When this flow declaration instruction is parsed by Flowsynth the application will automatically generate event entries in the compiler timeline to establish a three-way handshake.\n\nNext, Flowsynth will parse the event declaration *default \u003e ( content ...*. Flowsynth will immediately identify that this event declaration belongs to the 'default' flow that was just declared. 
Once this event is associated with the flow any protocol specific values (like TCP SEQ and ACK numbers) will automatically be applied to the event. The directionality for this specific event is '\u003e', or TO_SERVER. Once the parent flow and directionality have been established Flowsynth will parse the optional attributes section. Just like the flow declaration, each optional attribute must be closed with a semicolon (;). The two 'content' attributes are used to specify the packet's payload. In this case, a HTTP request is being rendered. Flowsynth will read these instructions and generate an entry in the compiler timeline for this event.\n\nThe last event declaration that is parsed by the application shows the server's response to the client. Using the same methods described above, Flowsynth will parse the event declaration and add it to the compiler timeline.\n\nOnce all the instructions have been parsed and processed, Flowsynth iterates over the compiler timeline and renders any events to native packets. In this phase of the application several important things happen:\n\n1.   Protocol-specific intelligence, like TCP SEQ/ACK calculations, and ACK generation take place.\n2.   Specific features of attributes, like converting '*\\x3A*' to '*:*' take place.\n\nOnce all of the events have been rendered to native pcaps the output phase occurs. During the output phase the native packets are delivered to the user in one of the two output formats, as a hexdump, or as a native PCAP file.\n\n## Usage ##\n\n    flowsynth.py input.syn\n\nIn this most basic example, Flowsynth will read input.syn and output the resulting hexdump to the screen. By default Flowsynth will use 'hex' format.\n\n    flowsynth.py input.syn -f pcap -w /tmp/test.pcap\n\nIn this example, Flowsynth reads input.syn and outputs a libpcap formatted .pcap file to /tmp/test.pcap\n\n\n## Syntax ##\nAll Flowsynth syntax files are plain-text files. 
Currently three types of instructions are supported.\n\n+   Comments\n+   Flow Declarations\n+   Event Declarations\n\nAs new features are added, this syntax reference will be updated.\n\n### Comments ###\n\nComments are supported using the *#* symbol.\n\n    # This is a synfile comment\n\n### Flows ###\n\n#### Declaring a Flow ####\nYou can declare a flow using the following syntax:\n\n    flow [flow name] [proto] [src]:[srcport] [directionality] [dst]:[dstport] ([flow options]);\n\n\n*src* and *dst* can be IPv4 addresses, IPv6 addresses, or resolvable domain names.  For IPv6, the address(es) must be enclosed in square brackets ('[' and ']').\n\nThe following flow declaration would describe a flow going from a computer to google.com:\n\n    flow my_connection tcp mydesktop.corp.acme.com:44123 \u003e google.com:80 (tcp.initialize;);\n\nThe following flow declaration would describe a flow going from a computer to a DNS server:\n\n    flow dns_request udp  mydesktop.corp.acme.com:11234 \u003e 8.8.8.8:53;\n\nThe following flow declaration would describe a flow using IPv6 addresses:\n\n    flow default tcp [2600:1337:2800:1:248:1893:25c8:d1]:31337 \u003e [2600:1337:2800::f1]:80 (tcp.initialize;);\n\nFor the interim, directionality should always be specified as to server: \u003e\n\nIf a DNS record is specified in the flow declaration (instead of an explicit IP address) then Flowsynth will resolve the DNS entry at the time of the flow's declaration. The first A record returned for DNS entry will be used as the IP address throughout the session. The DNS query and response is not included in the output.\n\n#### Flow Attributes #####\nThe following flow attributes are currently supported:\n\n##### tcp.initialize #####\nThe *tcp.initialize* attribute informs Flowsynth that the flow should have an autogenerated TCP three-way handshake included in the output. 
The handshake is always added relative to the location of the flow declaration in the synfile.\n\nusage:\n\n`(tcp.initialize; );`\n\n##### src_mac #####\nThe *src_mac* attribute explicitly sets the MAC address for packets from the flow source. If no MAC is supplied, a random one is chosen.\n\nusage:\n`(tcp.initialize; src_mac: 37:16:3a:4e:6a:12; );`\n\n##### dst_mac #####\nThe *dst_mac* attribute explicitly sets the MAC address for packets from the flow destination. If no MAC is supplied, a random one is chosen.\n\nusage:\n`(tcp.initialize; dst_mac: 37:16:3a:4e:6a:13; );`\n\n\n### Events ###\n\n#### Transferring Data ####\nData can be transferred between hosts using two methods. The example below outlines a data exchange between a client and a webserver:\n\n    my_connection \u003e (content:\"GET / HTTP/1.1\\x0d\\x0aHost:google.com\\x0d\\x0aUser-Agent: DogBot\\x0d\\x0a\\x0d\\x0a\";);\n    my_connection \u003c (content:\"HTTP/1.1 200 OK\\x0d\\x0aContent-Length: 300\\x0d\\x0a\\x0d\\x0aWelcome to Google.com!\";);\n\nIn this example, the flow *my_connection* must have been previously declared. A single packet with the content specified will be transmitted from the client to the server. The following method is also accepted, however, this may change in the future as the syntax is formalized.:\n\n    my_connection.to_server (content:\"GET / HTTP/1.1\\x0d\\x0aHost:google.com\\x0d\\x0aUser-Agent: DogBot\\x0d\\x0a\\x0d\\x0a\";);\n    my_connection.to_client (content:\"HTTP/1.1 200 OK\\x0d\\x0aContent-Length: 300\\x0d\\x0a\\x0d\\x0aWelcome to Google.com!\";);\n\n Each content keyword within the () should be closed by a semicolon. Each line should also be closed with a semicolon. Failure to do so will generate a lexer error. 
Multiple content matches can also be used to logically separate parts of the response, for example:\n\n    # the commands below describe a simple HTTP request\n    my_connection \u003e (content:\"GET / HTTP/1.1\\x0d\\x0aHost:google.com\\x0d\\x0a\\x0d\\x0a\";);\n    my_connection \u003c (content:\"HTTP/1.1 200 OK\\x0d\\x0aContent-Type: text/html\\x0d\\x0a\\x0d\\x0a\"; content:\"This is my response body.\";);\n\n#### Event Attributes ####\nThe following event attributes are currently supported:\n\n+   content\n+   filecontent\n+   tcp.seq\n+   tcp.ack\n+   tcp.noack\n+   tcp.flags.syn\n+   tcp.flags.ack\n+   tcp.flags.rst\n\n##### Content Attribute #####\nThe *content* attribute is used to specify the payload of a packet. Content attributes must be enclosed in double quotes. UTF-8 is supported and arbitrary bytes can be expressed with the \"\\xHH\" notation where \"HH\" is the hexadecimal representation of the byte. For example, a carriage return (ASCII 0x0D) followed by a line feed (ASCII 0x0A) can be defined like this: *\\x0D\\x0A*.  This translation takes place during the render phase.\n\nExample:\n\n    default \u003e ( content: \"GET / HTTP/1.1\\x0d\\x0a\"; );\n\n##### Filecontent Attribute #####\nThe *filecontent* attribute is used to specify a file that can be used as the payload of a packet. 
The value of a filecontent attribute is the file that will be read into the payload.\n\nExample:\n\n    default \u003e ( content: \"HTTP/1.1 200 OK\\x0d\\x0a\\x0d\\x0a\"; filecontent: \"index.html\"; );\n\n##### tcp.seq Attribute #####\nThe *tcp.seq* attribute lets you set the sequence number for the event's packet.\n\n##### tcp.ack Attribute #####\nThe *tcp.ack* attribute lets you set the acknowledgement number for the event's packet.\n\n##### tcp.noack Attribute #####\nThe *tcp.noack* attribute tells Flowsynth to not generate an ACK for this event.\n\n##### tcp.flags.syn Attribute #####\nThe *tcp.flags.syn* attribute tells Flowsynth to force the packet to be a SYN packet.\n\n##### tcp.flags.ack Attribute #####\nThe *tcp.flags.ack* attribute tells Flowsynth to force the packet to be an ACK packet.\n\n##### tcp.flags.rst Attribute #####\nThe *tcp.flags.rst* attribute tells Flowsynth to force the packet to be a RST packet.\n\n## Authors ###\n\n+   Will Urbanski (will dot urbanski at gmail dot com)\n\n#### Contributors ####\n\n+   David Wharton\n+   @2xyo\n+   @bhaan\n+   Brad Crittenden (@bac)\n","funding_links":[],"categories":["Tools","\u003ca id=\"7bf0f5839fb2827fdc1b93ae6ac7f53d\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"d7485f829bd85cd784ff582cbddc8624\"\u003e\u003c/a\u003e捕获\u0026\u0026Capture"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecureworks%2Fflowsynth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecureworks%2Fflowsynth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecureworks%2Fflowsynth/lists"}