analyze_tcp_anomalies
Analyze TCP traffic to detect observable patterns and anomalies in connection establishment, termination, reliability, and lifecycle. Provides factual metrics for further investigation.
Instructions
Detect TCP traffic patterns through statistical analysis.
This tool analyzes TCP traffic to identify observable patterns without making assumptions about root causes. It provides factual metrics and pattern detection that can be used for further investigation.
Args:
- pcap_file: HTTP URL or absolute local file path to PCAP file
- server_ip: Optional filter for server IP address
- server_port: Optional filter for server port
Returns: A structured dictionary containing:
- statistics: Comprehensive TCP metrics (handshakes, flags, RST distribution, etc.)
- patterns: Observable patterns detected in the traffic
- summary: High-level summary of findings
Detected pattern categories:
- connection_establishment: Handshake success/failure rates, SYN response ratios
- connection_termination: RST distribution, normal vs abnormal closes
- reliability: Retransmission rates, packet loss indicators
- connection_lifecycle: Connection state transitions
The analysis is purely observational - it reports what is seen in the traffic without attempting to diagnose specific issues like "firewall block" or "network congestion". This allows the data to be interpreted in context.
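As an added example (not the tool's own code), the following computes the pattern categories listed above over a constructed list of decoded TCP headers; the tuple layout, the tshark-style flag letters, the result keys and the `SAMPLE_PACKETS` data are assumptions, and a real run would decode the headers from the PCAP instead:

```python
from collections import Counter

SAMPLE_PACKETS = [  # constructed sample, not real capture data: (src, sport, dst, dport, flags, seq)
    ("10.0.0.5", 40001, "10.0.0.1", 443, "S", 100),
    ("10.0.0.1", 443, "10.0.0.5", 40001, "SA", 500),
    ("10.0.0.5", 40001, "10.0.0.1", 443, "A", 101),
    ("10.0.0.5", 40001, "10.0.0.1", 443, "PA", 101),
    ("10.0.0.5", 40001, "10.0.0.1", 443, "PA", 101),  # same seq resent: retransmission
    ("10.0.0.5", 40001, "10.0.0.1", 443, "FA", 200),
    ("10.0.0.1", 443, "10.0.0.5", 40001, "FA", 600),
    ("10.0.0.6", 40002, "10.0.0.1", 443, "S", 300),
    ("10.0.0.1", 443, "10.0.0.6", 40002, "R", 0),     # SYN answered with RST
    ("10.0.0.7", 40003, "10.0.0.1", 443, "S", 700),   # SYN never answered
]

def analyze_tcp_anomalies(packets, server_ip=None, server_port=None):
    flows, seen, total, retrans = {}, set(), 0, 0
    for src, sport, dst, dport, fl, seq in packets:
        if (server_ip and server_ip not in (src, dst)) or (server_port and server_port not in (sport, dport)):
            continue                              # optional filters narrow the capture to one server
        total += 1
        f = flows.setdefault(frozenset([(src, sport), (dst, dport)]),
                             {"synack": False, "done": False, "fin": set(), "rst": None, "server": None})
        if fl == "S":
            f["server"] = (dst, dport)            # the SYN target is the server side of the flow
        elif fl == "SA":
            f["synack"] = True
        elif fl == "A" and f["synack"]:
            f["done"] = True                      # third step of the handshake observed
        if "R" in fl and f["rst"] is None:        # record who sent the first RST on this flow
            f["rst"] = "server" if (src, sport) == f["server"] else "client"
        if "F" in fl:
            f["fin"].add((src, sport))
        if fl != "A":                             # pure ACKs carry no data; a repeated (sender, seq) is a resend
            retrans += (src, sport, seq) in seen
            seen.add((src, sport, seq))
    fv = [f for f in flows.values() if f["server"]]   # flows whose SYN was captured
    completed = sum(f["done"] for f in fv)
    unanswered = sum(not f["synack"] and f["rst"] is None for f in fv)
    rst_by = Counter(f["rst"] for f in fv if f["rst"])
    stats = {"total_packets": total, "syn_flows": len(fv), "completed_handshakes": completed,
             "unanswered_syns": unanswered, "rst_by_originator": dict(rst_by), "retransmissions": retrans}
    patterns = {"connection_establishment": {"syn_response_ratio": sum(f["synack"] for f in fv) / max(len(fv), 1),
                                             "handshake_success_rate": completed / max(len(fv), 1)},
                "connection_termination": {"rst_from_server": rst_by["server"],
                                           "normal_fin_closes": sum(len(f["fin"]) == 2 for f in fv)},
                "reliability": {"retransmission_rate": retrans / total if total else 0.0}}
    summary = (f"{len(fv)} flows: {completed} completed handshakes, {unanswered} unanswered SYNs, "
               f"{sum(rst_by.values())} RSTs ({rst_by['server']} from server), {retrans} retransmissions")
    return {"statistics": stats, "patterns": patterns, "summary": summary}
```

The output stays observational in the sense the text describes: a SYN answered by a server RST and a SYN with no reply are both counted, but neither is labelled with a cause.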
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| pcap_file | Yes | HTTP URL or absolute local file path to PCAP file | |
| server_ip | No | Optional filter for server IP address | |
| server_port | No | Optional filter for server port | |
Output Schema
No output schema is declared; the tool returns the structured dictionary (statistics, patterns, summary) described under Returns above.