docketapi package

Module contents

docketapi

class docketapi.DocketClient(base_url, username, password, verify=True, proxies=None)

Bases: object

Docket API Client

Core class used for interacting with the Docket RESTful API.

Args:
    base_url (str): URL pointing to the ROCK NSM (or Docket) instance
    username (str): Authentication username
    password (str): Authentication password
    verify (bool): Verify the server's TLS certificate (ignored on plain HTTP). Disable only to accept a self-signed certificate; with verification off, anyone on the network path can impersonate the server and capture the username and password
    proxies (dict): Optional requests-style proxies dict

Attributes:
    base_url (str): Full RFC-1738 URL pointing to the ROCK NSM (or Docket) instance
    query_url (str): URL of the Docket query endpoint
    username (str): Authentication username
    session (requests.sessions.Session): Requests session used for all outbound requests

Examples:

from docketapi import DocketClient

# create a client
# verify=False skips TLS certificate checking: acceptable for a lab with a
# self-signed certificate, but it lets an on-path attacker read the credentials
docket = DocketClient('https://rock_nsm_url', 'username', 'password', verify=False)

# perform a query (all filters are keyword arguments; see query())
my_query = docket.query(
    after='2019-04-20T21:07:59.689Z',
    before='2019-04-30T21:07:59.689Z',
    host=['151.101.68.223'],
    proto_name='TCP',
    port=['443']
)

# retrieve the raw pcap data for that query
pcap = docket.get_pcap(my_query)

# save the pcap to disk
docket.save_pcap(pcap, filename='my_traffic.pcap')

get_pcap(query_result)

Retrieve the PCAP for a query and return the raw capture data.

Args:
    query_result (dict): Response dict returned by query()

query(**kwargs)

Run a Docket query. Filters are passed as keyword arguments.

Args:
    after (str): Start of the time window as an ISO-8601 datetime (e.g. '2019-04-20T21:07:59.689Z')
    before (str): End of the time window as an ISO-8601 datetime (e.g. '2019-04-20T21:07:59.689Z')
    host (list): List of IP addresses to filter on (e.g. ['192.168.1.1'])
    net (list): List of CIDR-notation networks to filter on (e.g. ['192.168.1.0/24'])
    port (list): List of ports to filter on (e.g. ['22'])
    proto_name (str): TCP, UDP, or ICMP
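Because query() takes free-form keyword arguments, a malformed filter is only caught, if at all, by the server. The following added example is not part of docketapi: it builds the keyword dict for query() after validating each filter locally against the documented value types (ISO-8601 timestamps with after earlier than before, literal IP addresses, CIDR blocks with no host bits set, ports in 1..65535, and a proto_name of TCP, UDP or ICMP). The function name build_query and the rule that the window must be ordered are choices made here; the API itself is never contacted, so the block runs offline.

```python
import ipaddress
from datetime import datetime, timezone

# Protocol names accepted by query(), per the docketapi docs.
VALID_PROTO_NAMES = {"TCP", "UDP", "ICMP"}


def _parse_iso8601(value, name):
    """Parse an ISO-8601 timestamp such as '2019-04-20T21:07:59.689Z'.

    datetime.fromisoformat() only accepts a trailing 'Z' from Python 3.11,
    so the UTC designator is rewritten to an explicit offset first.
    """
    if not isinstance(value, str):
        raise ValueError("%s must be a string, got %s" % (name, type(value).__name__))
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    try:
        parsed = datetime.fromisoformat(text)
    except ValueError:
        raise ValueError("%s is not ISO-8601: %r" % (name, value)) from None
    if parsed.tzinfo is None:
        # The documented timestamps carry a zone; refuse naive values instead of guessing.
        raise ValueError("%s must include a timezone: %r" % (name, value))
    return parsed.astimezone(timezone.utc)


def _as_list(value, name):
    """Reject a bare string where the API documents a list (e.g. host='1.2.3.4')."""
    if isinstance(value, (str, bytes)) or not hasattr(value, "__iter__"):
        raise ValueError("%s must be a list, got %r" % (name, value))
    return list(value)


def build_query(after=None, before=None, host=None, net=None, port=None,
                proto_name=None):
    """Return a validated kwargs dict for DocketClient.query().

    Only the filters that were supplied are included, so the result can be
    passed through unchanged as docket.query(**build_query(...)).
    Raises ValueError for any filter value the Docket API would not accept.
    """
    params = {}

    parsed_after = _parse_iso8601(after, "after") if after is not None else None
    parsed_before = _parse_iso8601(before, "before") if before is not None else None
    if parsed_after and parsed_before and parsed_after >= parsed_before:
        raise ValueError("after (%s) must be earlier than before (%s)" % (after, before))
    if after is not None:
        params["after"] = after
    if before is not None:
        params["before"] = before

    if host is not None:
        # ip_address() raises ValueError on anything that is not a literal IP.
        params["host"] = [str(ipaddress.ip_address(h)) for h in _as_list(host, "host")]

    if net is not None:
        # strict=True rejects '192.168.1.1/24' (host bits set) instead of
        # silently widening the filter to the whole /24.
        params["net"] = [str(ipaddress.ip_network(n, strict=True))
                         for n in _as_list(net, "net")]

    if port is not None:
        ports = []
        for p in _as_list(port, "port"):
            try:
                number = int(p)
            except (TypeError, ValueError):
                raise ValueError("port is not numeric: %r" % (p,)) from None
            if not 0 < number <= 65535:
                raise ValueError("port out of range: %r" % (p,))
            ports.append(str(number))  # the class example passes ports as strings
        params["port"] = ports

    if proto_name is not None:
        name = str(proto_name).upper()
        if name not in VALID_PROTO_NAMES:
            raise ValueError("proto_name must be one of %s, got %r"
                             % (sorted(VALID_PROTO_NAMES), proto_name))
        params["proto_name"] = name

    return params


if __name__ == "__main__":
    # Constructed filters mirroring the class example; the result is what
    # would be passed as docket.query(**params).
    params = build_query(after="2019-04-20T21:07:59.689Z",
                         before="2019-04-30T21:07:59.689Z",
                         host=["151.101.68.223"], proto_name="TCP", port=["443"])
    print(params)
```

Validating locally also keeps a bad filter out of the server logs and out of the session's request history, which matters when the query values come from a ticket or an analyst's copy-paste rather than from code.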

save_pcap(pcap, filename='merged.pcap')

Write raw PCAP data to disk.

Args:
    pcap (str): Raw pcap data, as returned by get_pcap()
    filename (str): Optional filename to save as; defaults to merged.pcap
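get_pcap() hands back whatever the server returned, and save_pcap() writes it under a caller-chosen name. The following added example is not part of docketapi: it checks the first bytes for a pcap or pcapng magic number so an HTML or JSON error body is not saved as a capture, walks the record headers of a classic pcap to catch a truncated download, and writes the file atomically while refusing any filename with directory components. It assumes the raw data is bytes (what a requests response's content attribute yields); identify_capture, count_pcap_packets, safe_save_pcap and make_sample_pcap are names chosen here, and the two-packet capture is constructed for the example.

```python
import os
import struct
import tempfile
from pathlib import Path

# First four bytes of a capture file: libpcap (both byte orders, microsecond
# and nanosecond variants) and the pcapng Section Header Block type.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microseconds)",
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microseconds)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanoseconds)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanoseconds)",
    b"\x0a\x0d\x0d\x0a": "pcapng",
}


def identify_capture(data):
    """Return the capture format name, or None if data is not pcap/pcapng."""
    if not isinstance(data, (bytes, bytearray)):
        return None
    return PCAP_MAGICS.get(bytes(data[:4]))


def count_pcap_packets(data):
    """Count the records in a classic pcap by walking its record headers.

    pcapng is not parsed and yields None. A record that runs past the end of
    the data raises ValueError, so a partial download is not mistaken for a
    complete capture.
    """
    fmt = identify_capture(data)
    if fmt is None or fmt == "pcapng":
        return None
    endian = ">" if data[0] == 0xA1 else "<"
    offset, count = 24, 0  # 24-byte global header precedes the first record
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % offset)
        offset += incl_len
        count += 1
    return count


def safe_save_pcap(data, filename="merged.pcap", directory="."):
    """Write capture data to directory/filename and return the final path.

    The data must carry a pcap/pcapng magic number, filename must be a bare
    name (so a value taken from a ticket cannot escape the output directory),
    and the write goes through a temporary file plus rename so a crash never
    leaves a half-written .pcap under the final name.
    """
    if identify_capture(data) is None:
        raise ValueError("response is not a pcap/pcapng file (starts with %r)"
                         % bytes(data[:16]))
    if Path(filename).name != filename or filename in ("", ".", ".."):
        raise ValueError("filename must be a bare file name: %r" % (filename,))
    out_dir = Path(directory)
    out_dir.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(prefix=".partial-", dir=str(out_dir))
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, out_dir / filename)
    except BaseException:
        os.unlink(tmp)
        raise
    return out_dir / filename


def make_sample_pcap():
    """Constructed two-packet little-endian pcap (linktype 1, Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, payload in enumerate((b"\x00" * 60, b"\xff" * 42)):
        body += struct.pack("<IIII", 1555794479 + i, 0, len(payload), len(payload)) + payload
    return header + body


if __name__ == "__main__":
    sample = make_sample_pcap()
    print(identify_capture(sample), count_pcap_packets(sample), "packets")
    print("saved to", safe_save_pcap(sample, "my_traffic.pcap", tempfile.mkdtemp()))
```

In practice the check goes between get_pcap() and save_pcap(): refuse to write when identify_capture() returns None, and treat a ValueError from count_pcap_packets() as a download to retry rather than a capture to analyse.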