====== Traffic analysis ======

{{indexmenu_n>2}}

===== Equipment =====

For the Traffic Parsing section to work correctly, add equipment of the "Pcap Parsing Server" type in the [[en:dpi:dpi_components:dpiui:user_guide:admin_section:equipment_management:list:start|Equipment List Management section]].

Traffic parsing equipment configuration:

  - Processor (CPU): 2.5 GHz, 2 pcs
  - Random access memory (RAM): from 4 GB
  - Hard disk drive (HDD): from 100 GB
  - Operating system: Ubuntu 20.04

To install the required utilities, run the following command:

<code bash>
apt install wireshark tshark sox
</code>

===== Section =====

To open the traffic parsing section, go to "Lawful interception" -> "Traffic parsing" -> "Traffic parsing" in the menu.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_route.png?600 |}}

The Traffic Parsing section looks like the figure below.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode.png?800 |}}

==== Tasks ====

The Traffic Parsing tasks are located on the left side of the Traffic Parsing page.

=== Creating a task ===

To create a new Traffic Parsing task, click the "+" button in the toolbar above the list of existing tasks.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_create_task.png?400 |}}

In the task creation form that opens, enter:

  * Task name
  * Task description

Click the "Save" button.

=== Editing a task ===

To edit a task, click the edit button next to an existing task.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_edit_task.png?400 |}}

In the task editing form that opens, change:

  * Task name
  * Task description

Click the "Save" button.

=== Deleting a task ===

To delete a task, click the "Delete" button next to the existing task and confirm or cancel the action.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_delete_task.png?400 |}}

==== Files ====

The files for Traffic Parsing are located in the central part of the Traffic Parsing page.

=== Adding a file ===

To add a new file for Traffic Parsing, click the "+" button in the toolbar above the list of added files.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_add_file.png?400 |}}

In the file adding form that opens:

  * Upload or drag in a pcap file;
  * If necessary, set the display name and description of the file;
  * Specify the required types of traffic parsing (Web, Dns, Mail, Voip, Ftp).

Click the "Save" button.

=== Editing a file ===

To edit a file for Traffic Parsing, click the edit button next to an existing file.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_edit_file.png?400 |}}

In the file editing form that opens, you can change:

  * Displayed file name;
  * Description of the file;
  * Types of traffic parsing (Web, Dns, Mail, Voip, Ftp).

Click the "Save" button. If the types of traffic parsing have been changed, a form asking you to confirm restarting traffic parsing for this file will appear on the screen.

=== Deleting a file ===

To delete a file, click the "Delete" button next to the existing file and confirm or cancel the action.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_delete_file.png?400 |}}

=== Restarting file parsing ===

To restart parsing of a file:

  - Select the required file from the list;
  - Click the restart parsing button in the toolbar;
  - Confirm or cancel the action.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reset_file.png?400 |}}

=== Importing files from the traffic capture section ===

Files for traffic parsing can be imported from the "Traffic Capture" section. Go to "Lawful Interception" -> "Traffic Capture" in the menu.
{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_capture_route.png?400 |}}

In the list of files, select the files you want to parse and click the parse button.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_capture.png?400 |}}

In the form that opens:

  * Select the Traffic Parsing task into which the files will be imported.
  * If "New task" is selected, enter the name of the task that will be created during import.
  * Select the parse types for the imported files (Web, Dns, Mail, Voip, Ftp).

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_capture_decode_form.png?400 |}}

Click the "Apply" button. After the file import is complete, a window will appear prompting you to go to the "Traffic Analysis" section.

==== Parsing results ====

The parsing results are located on the right side of the Traffic Parsing page.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports.png?600 |}}

=== Web ===

The Web parsing results tab displays HTTP requests.

== Requests ==

The "Requests" tab displays raw data about requests. The following data is available in the table:

  * Date and time of request
  * Request address
  * Size of response in bytes
  * Method

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports_web_requests.png?600 |}}

When you click the "Additional information about the request" (?) button, a popup opens with additional information about the request:

  * Agent
  * Host
  * Url
  * Content type
  * Encoding
  * Request method
  * Response code
  * Size of response in bytes
  * Sender port
  * Destination port
  * TCP time
  * IP protocol
  * IP version
  * Sender IP
  * Destination IP
  * Eth type
  * Sender Eth
  * Recipient Eth
  * File ID to parse
  * Filename to parse
  * Filename with response content

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports_web_requests_details.png?400 |}}

== Images ==

The Images tab displays requests that returned images.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports_web_images.png?400 |}}

=== DNS ===

The DNS parsing results tab displays the resolved hosts. The following data is available in the table:

  * Date and time of request
  * Host

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports_dns.png?400 |}}

== Additional information ==

When you click the "Additional information about the request" (?) button, a popup opens with additional information about the request:

  * List of hosts
  * Address list
  * List of certificates
  * Request date
  * Response time
  * Sender port
  * Destination port
  * IP protocol
  * IP version
  * Sender IP
  * Destination IP
  * Eth type
  * Sender Eth
  * Recipient Eth
  * Request ID
  * File ID to parse
  * Filename to parse

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports_dns_info.png?400 |}}

=== Mail ===

The Mail parsing results tab displays sent and received emails.
The following data is available in the table:

  * Date and time of sending / receiving
  * Sender
  * Recipient
  * Subject

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports_mail.png?400 |}}

== Content ==

When you click the Message Content button, a popup opens in which the following are available:

  * Sender
  * Recipient
  * Subject
  * Message text
  * List of files attached to the message (can be downloaded)

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports_mail_content.png?400 |}}

== Additional information ==

When you click the "Additional information" (?) button, a popup opens with additional information about the message:

  * Sender port
  * Destination port
  * IP protocol
  * IP version
  * Sender IP
  * Destination IP
  * Eth type
  * Sender Eth
  * Recipient Eth
  * Sender
  * Recipient
  * Subject
  * Message ID
  * User Agent
  * MIME version
  * Content type
  * Language
  * Multipart type
  * Multipart content type
  * Multipart content encoding
  * Multipart content disposition
  * Request ID
  * File ID to parse
  * Eml file name

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports_mail_info.png?400 |}}

=== Voip ===

The Voip parsing results tab displays information about completed Voip sessions. The following data is available in the table:

  * Date and time of the session
  * Session duration
  * Caller
  * Callee

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports_voip.png?400 |}}

== Audio recordings ==

When you click the Recordings button, a popup opens where you can listen to the audio recordings:

  * Caller
  * Callee
  * Combined

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports_voip_record.png?400 |}}

== Request logs ==

When you click the Request logs button, a popup opens with the logs of all requests of the session.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports_voip_logs.png?400 |}}

== Additional information ==

When you click the "Additional information" (?) button, a popup opens with additional information about the session:

  * Sender port
  * Destination port
  * IP protocol
  * IP version
  * Sender IP
  * Destination IP
  * Eth type
  * Sender Eth
  * Recipient Eth
  * Session duration
  * Caller
  * Callee
  * Call ID
  * Outgoing SSRC
  * Incoming SSRC
  * Audio file names
  * File ID to parse

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports_voip_info.png?400 |}}

=== FTP ===

The FTP parsing results tab displays files sent and received via FTP. The following data is available in the table:

  * Date and time of request
  * File name
  * Direction (Download/Upload)
  * File size in bytes
  * Client address
  * Server address

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports_ftp.png?400 |}}

== Additional information ==

When you click the "Additional information" (?) button, a popup opens with additional information about the request:

  * Sender port
  * Destination port
  * IP protocol
  * IP version
  * Sender IP
  * Destination IP
  * Eth type
  * Sender Eth
  * Recipient Eth
  * File name
  * FTP directory
  * File size in bytes
  * Direction
  * File ID to parse
  * Response file

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_reports_ftp_info.png?400 |}}

===== Traffic parsing logs =====

To open the traffic parsing logs section, go to "Lawful interception" -> "Traffic parsing" -> "Traffic parsing logs" in the menu.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_logs_route.png?600 |}}

The traffic parsing logs section looks like the figure below.

{{ :dpi:dpi_components:dpiui:user_guide:lawful_interception:dpiui2_traffic_decode_logs.png?600 |}}
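As an added illustration that is not part of this guide and not the Pcap Parsing Server's own code, the Python script below derives the fields listed in the Web parsing results ("Requests" tab, "Additional information" popup) from a pcap file using only the standard library: it reads each pcap record, decodes the Ethernet, IPv4 and TCP headers, and picks the method, URL, Host and Agent out of the HTTP request line and headers. The one-frame pcap, IP addresses, MAC addresses and port numbers are constructed for the example; the dictionary keys follow the popup field names.

```python
import struct

def build_sample_pcap():
    """Constructed sample (not captured data): a one-frame pcap, link type 1
    (Ethernet), carrying an HTTP GET. All addresses are made-up values."""
    http = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
            b"User-Agent: demo-client/1.0\r\n\r\n")
    # TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40123, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4 header: ver/ihl, tos, total len, id, flags, ttl, proto 6 = TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 1, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    eth = bytes.fromhex("66778899aabb001122334455") + b"\x08\x00"  # dst, src, IPv4
    frame = eth + ip + tcp + http
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 1700000000, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame

def parse_http_requests(pcap):
    """Return one dict per HTTP request frame, keyed like the Web > Requests popup."""
    requests, off = [], 24  # 24 = pcap global header size
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        eth_type = struct.unpack_from("!H", frame, 12)[0]
        if eth_type != 0x0800 or frame[23] != 6:  # only IPv4 + TCP handled here
            continue
        tcp_off = 14 + (frame[14] & 0x0F) * 4        # 14-byte Ethernet + IHL
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        payload = frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:]
        request_line, _, rest = payload.partition(b"\r\n")
        parts = request_line.split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
            continue  # not the first segment of an HTTP request
        headers = {}
        for line in rest.split(b"\r\n"):
            name, sep, value = line.partition(b":")
            if sep:
                headers[name.strip().lower()] = value.strip().decode(errors="replace")
        requests.append({
            "Date and time": ts_sec, "Request method": parts[0].decode(),
            "Url": parts[1].decode(), "Host": headers.get(b"host", ""),
            "Agent": headers.get(b"user-agent", ""), "IP protocol": 6,
            "Sender port": sport, "Destination port": dport, "IP version": frame[14] >> 4,
            "Sender IP": ".".join(map(str, frame[26:30])),
            "Destination IP": ".".join(map(str, frame[30:34])), "Eth type": eth_type,
            "Sender Eth": frame[6:12].hex(":"), "Recipient Eth": frame[0:6].hex(":")})
    return requests
```

Response code, content type and response size are not shown because they come from the matching response segment, which the one-frame sample does not contain.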