This should be placed on top of !2 (merged) (once merged).
This contains the scripts for the CLI: the handler (daemon) and the show script.
The handler script listens on a unix socket for requests and handles them (gets results from the database, filters them and returns them to
The show script only creates the query (from its arguments), sends it to the handler and shows the result nicely (with human-readable dates, times, sizes, ...).
Filtering in handler differs for aggregated and timeline mode:
- in timeline mode, concurrent connections to the same host+port are merged together. Typically, while loading a web page, many connections are created at the same time. I believe that this is not interesting for the end user, so these are merged together
- in aggregated mode, tuples (src_mac, dest_hostname, dest_port) are unique, so everything is aggregated based on this. There are some complicated parts in the handler to calculate overlapping time intervals.
In addition, a filter for advertisement and other rubbish domains is applied if requested (enabled by default).
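To illustrate the two merging modes described above, here is an added example (not code from this merge request's handler): it groups connection records by (src_mac, dest_hostname, dest_port), collapses concurrent connections into contiguous spans for timeline mode, and counts active time without double-counting overlaps for aggregated mode. The record layout, function names, the inclusion of src_mac in the timeline grouping key and the sample data are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample records (not real data):
# (src_mac, dest_hostname, dest_port, start, end, bytes); times in seconds.
# Three connections from the first client to the same host overlap in time.
SAMPLE = [
    ("aa:bb:cc:00:00:01", "example.org", 443, 100, 110, 5000),
    ("aa:bb:cc:00:00:01", "example.org", 443, 102, 115, 7000),
    ("aa:bb:cc:00:00:01", "example.org", 443, 105, 108, 1000),
    ("aa:bb:cc:00:00:01", "example.org", 443, 200, 205, 300),
    ("aa:bb:cc:00:00:02", "example.org", 443, 103, 104, 200),
]

def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) pairs into disjoint spans."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def _group(records):
    """Key records by the (src_mac, dest_hostname, dest_port) tuple (assumed key)."""
    groups = defaultdict(list)
    for mac, host, port, start, end, nbytes in records:
        groups[(mac, host, port)].append((start, end, nbytes))
    return groups

def timeline(records):
    """Timeline mode: concurrent connections to the same key collapse into one
    row per contiguous span; the bytes of the merged flows are summed."""
    rows = []
    for key, flows in _group(records).items():
        for s, e in merge_intervals([(f[0], f[1]) for f in flows]):
            # every flow lies entirely inside exactly one merged span
            total = sum(f[2] for f in flows if f[0] >= s and f[1] <= e)
            rows.append((*key, s, e, total))
    return sorted(rows, key=lambda r: (r[3], r[0]))

def aggregate(records):
    """Aggregated mode: one row per key with total bytes and active seconds,
    where overlapping intervals are counted only once."""
    result = {}
    for key, flows in _group(records).items():
        spans = merge_intervals([(f[0], f[1]) for f in flows])
        result[key] = {"bytes": sum(f[2] for f in flows),
                       "active_seconds": sum(e - s for s, e in spans)}
    return result
```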
The API (query+result format) provided by the handler is likely to change in the future (maybe also providing some raw mode without any aggregation). But this is the state as released in 3.9, so I would like to merge it as it is (without changing the functionality); some functional changes might come in a later branch.