This tool is designed for in-depth analysis of network traffic by blue teams during HW (护网 attack-and-defense exercise) operations. It helps security researchers, penetration testers, network administrators and other professionals identify potential security threats, especially attacks against web applications such as SQL injection, XSS and WebShells. Its modular design lets users freely select and customize the functional modules they need.


CuriousLearnerDev/TrafficEye


🔧 TrafficEye — Network Traffic Analysis & Security Detection Tool


📣 Issue Feedback Group



📥 Download Links


🛠️ How to Use

📺 Video Tutorials: https://www.bilibili.com/video/BV1VTMRz1ENN

🔧 Linux Users

⚠️ Dependency Required: tshark must be installed

Install with:

sudo apt install tshark

If the package asks whether non-superusers should be able to capture packets, that setting only matters for live capture; reading .pcapng files does not need it.

Run:

unzip linux_amd_x64_0.0.8.9-2.zip
cd linux_amd_x64_0.0.8.9-2
chmod +x trafficeye
./trafficeye

🖱️ Windows Users

tshark is bundled with the Windows build; no separate installation is needed.

Run:

Double-click to launch the main executable.

📄 Security Detection Rules

Rule Syntax

Security detection rules are defined under the safety_testing section of config.yaml. Each rule has a name, a detection_location string (field identifiers from the table below joined with |), one or more regexes under rules, and a severity.

Identifier                    Description
ALL                           Match all fields
!xxx                          Exclude field xxx from detection (applied after the other identifiers are expanded)
URI                           Complete URL
URI_key                       Key names in the URL query string
URI_value                     Values in the URL query string
ALL_headers                   All HTTP headers
headers:xxx                   A specific header, e.g. headers:cookie
binary                        Raw binary content
forms_body                    Whole form body
forms_key_body                Key names in form data
forms_value_body              Values in form data
json_body                     Entire JSON body
json_key_body                 JSON key names
json_value_body               JSON values
json_item_body                JSON list items
xml_body                      Whole XML body
xml_value_body                XML node text values
xml_attribute_body            XML attribute values
multipart_body                Entire multipart body
multipart_file_name_body      Uploaded file names
multipart_content_type_body   Uploaded file MIME types
multipart_data_body           Binary content of uploaded files

Example Rule

safety_testing:
  Directory_Traversal_Attack:
    name:
      - "Directory traversal payload using (/../) or (/.../)"
    detection_location:
      - 'URI|forms_key_body|multipart_file_name_body|ALL_headers|xml_value_body|!headers:referer'
    rules:
      - >-
        (?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}[\x5c/;])
    severity:
      - Medium

This rule scans the following fields for directory traversal sequences (the regex matches two or three dots delimited by /, \ or ;, or at the start of the field):

  1. URI → The entire URL string, e.g.:

    http://example.com/download.php?file=../../etc/passwd
    
  2. forms_key_body → The key names in a form submission, not their values. In

    username=admin&file=../../../etc/shadow

    the payload sits in the value of the file key, which forms_key_body does not scan; only a traversal sequence in a key name itself (for example ../../etc/passwd=1) would be caught here. To catch payloads in values as well, add forms_value_body to detection_location.
    
  3. multipart_file_name_body → The filename field of a file upload part, e.g.:

    Content-Disposition: form-data; name="upload"; filename="../../shell.php"
    
  4. ALL_headers → All HTTP headers, such as User-Agent, Cookie, X-Forwarded-For, etc.

  5. xml_value_body → The text value of a node in an XML body, e.g.:

    <config>../../etc/passwd</config>
    
  6. !headers:referer → Removes the Referer header from the set that ALL_headers expanded to; exclusions are applied after the other identifiers are expanded.
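The following is an added example and not TrafficEye's own code (the project's source is not public after 0.0.7): it evaluates the Directory_Traversal_Attack rule above against constructed HTTP requests that mirror the numbered examples, implementing the detection_location semantics from the table (ALL, ALL_headers, !xxx exclusion, and the key/value split for form data). The request shape (URL, header dict, raw body bytes), the JSON-free field extractor, and the sample requests are this example's assumptions; the rule dict is the page's YAML rule transcribed so the block runs without PyYAML.

```python
import re
import xml.etree.ElementTree as ET
from email import policy
from email.parser import BytesParser
from urllib.parse import parse_qsl, urlsplit

# The page's Directory_Traversal_Attack rule, written as a dict rather than
# YAML so this example needs no PyYAML.
RULE = {
    "name": "Directory traversal payload using (/../) or (/.../)",
    "detection_location": "URI|forms_key_body|multipart_file_name_body|ALL_headers|xml_value_body|!headers:referer",
    "rules": [r"(?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}[\x5c/;])"],
    "severity": "Medium",
}

def extract_fields(url, headers, body=b""):
    """Map location identifiers to the strings they cover for one request.
    The (url, header dict, body bytes) shape is this example's assumption,
    not TrafficEye's internal representation; JSON locations are omitted."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    text = body.decode("latin-1")
    f = {"URI": [url], "binary": [text]}
    q = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    f["URI_key"], f["URI_value"] = [k for k, _ in q], [v for _, v in q]
    for name, value in hdrs.items():
        f["headers:" + name] = [value]
    ctype = hdrs.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        pairs = parse_qsl(text, keep_blank_values=True)
        f["forms_body"] = [text]
        f["forms_key_body"] = [k for k, _ in pairs]    # key names only
        f["forms_value_body"] = [v for _, v in pairs]  # values only
    elif ctype.startswith("multipart/form-data"):
        # Reuse the stdlib MIME parser by prepending the Content-Type header.
        msg = BytesParser(policy=policy.default).parsebytes(
            b"Content-Type: " + ctype.encode() + b"\r\n\r\n" + body)
        parts = list(msg.iter_parts())
        f["multipart_body"] = [text]
        f["multipart_file_name_body"] = [p.get_filename() for p in parts if p.get_filename()]
        f["multipart_content_type_body"] = [p.get_content_type() for p in parts]
        f["multipart_data_body"] = [p.get_payload(decode=True).decode("latin-1") for p in parts]
    elif ctype.startswith(("text/xml", "application/xml")):
        root = ET.fromstring(body)
        f["xml_body"] = [text]
        f["xml_value_body"] = [e.text.strip() for e in root.iter() if e.text and e.text.strip()]
        f["xml_attribute_body"] = [v for e in root.iter() for v in e.attrib.values()]
    return f

def resolve_locations(spec, fields):
    """Expand a detection_location string: ALL = every field,
    ALL_headers = every headers:* field, !name removes a field afterwards."""
    include, exclude = [], set()
    for tok in spec.split("|"):
        tok = tok.strip()
        if tok.startswith("!"):
            exclude.add(tok[1:].lower())
        elif tok == "ALL":
            include.extend(fields)
        elif tok == "ALL_headers":
            include.extend(k for k in fields if k.startswith("headers:"))
        else:
            include.append(tok)
    chosen = []
    for loc in include:
        if loc in fields and loc.lower() not in exclude and loc not in chosen:
            chosen.append(loc)
    return chosen

def scan(url, headers, body=b"", rule=RULE):
    """Return one finding per (location, string) that a rule regex hits."""
    fields = extract_fields(url, headers, body)
    patterns = [re.compile(p) for p in rule["rules"]]
    findings = []
    for loc in resolve_locations(rule["detection_location"], fields):
        for s in fields[loc]:
            for pat in patterns:
                m = pat.search(s)
                if m:
                    findings.append({"rule": rule["name"], "severity": rule["severity"],
                                     "location": loc, "match": m.group(0), "field": s})
    return findings

# Constructed sample requests mirroring the page's numbered examples.
SAMPLES = {
    "uri": ("http://example.com/download.php?file=../../etc/passwd",
            {"Referer": "http://example.com/docs/../index.html"}, b""),
    "form": ("http://example.com/upload", {"Content-Type": "application/x-www-form-urlencoded"},
             b"username=admin&file=../../../etc/shadow"),
    "multipart": ("http://example.com/upload", {"Content-Type": "multipart/form-data; boundary=XyZ"},
                  b'--XyZ\r\nContent-Disposition: form-data; name="upload"; filename="../../shell.php"\r\n'
                  b"Content-Type: application/octet-stream\r\n\r\n<?php system($_GET['c']); ?>\r\n--XyZ--\r\n"),
    "xml": ("http://example.com/api", {"Content-Type": "text/xml"}, b"<config>../../etc/passwd</config>"),
}

def demo(rule=RULE):
    """Locations each sample trips; demo()['form'] is empty because the
    payload is a form value and the rule scans form key names only."""
    return {name: sorted({h["location"] for h in scan(*req, rule=rule)}) for name, req in SAMPLES.items()}
```

Running demo() shows the Referer payload in the first sample being ignored (excluded after ALL_headers is expanded) and the form sample producing no finding; widening the rule's detection_location with |forms_value_body makes the same request hit forms_value_body.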


📅 Development Progress

  • Note: The source code is no longer publicly available after version 0.0.7.

  • 2025-07-12: Fixed the crash when running security analysis on large files (a file size limit setting was added)
  • 2025-07-10: Added GeoIP2 IP lookup
  • 2025-07-09: Improved the look of generated reports
  • 2025-07-08: Added an English UI
  • 2025-06-07: Security detection rule writing completed
  • 2025-05-25: Added detailed rule-match display: rule, severity level, match location, and risk highlighting
  • 2025-05-24: Introduced the risk analysis module
  • 2025-05-10: Performance optimization: separated data from view, avoided repeated icon loading, reduced GUI overhead, and made models lazy-loaded
  • 2025-05-03: Added statistics for IP access to URIs
  • 2025-05-02: Real-time interactive log analysis (dynamic updates)
  • 2025-05-01: Fixed display bugs; improved multi-core processing for large log file analysis
  • 2025-04-28: Optimized memory usage for large traffic file analysis; output is written to disk automatically once it exceeds 200,000 lines
  • 2025-04-28: Performance testing completed: the web log module handles 2 GB files and 4 million entries
  • 2025-04-26: AI detection and binary traffic identification are now disabled by default to improve speed
  • 2025-04-24: Further performance tuning
  • 2025-04-23: Statistical analysis charts now support full-screen view
  • 2025-04-20: Optimized traffic parsing speed and the GUI; added AI analysis for URI, headers, and body content
  • 2025-04-19: Improved the basic AI threat detection module
  • 2025-04-18: Began development of the threat intelligence module
  • 2025-04-17: Started work on the AI analysis engine
  • 2025-04-15: Added TLS decryption support
  • 2025-04-14: GUI optimization and feature refinement
  • 2025-04-13: Introduced binary file extraction
  • 2025-04-12: Started development of the binary extraction module
  • 2025-04-11: Began GUI modifications
  • 2025-04-10: Started writing detection regex patterns
  • 2025-04-10: Refactored core processing logic
  • 2025-04-09: Started the log extraction module
  • 2025-04-08: Started work on regex patterns for log parsing
  • 2025-04-06: Session replay module development began
  • 2025-04-05: Designed the structured output stream logic

  And more under continuous development...


🧪 Tool Overview

TrafficEye is a modular traffic analysis and threat detection tool tailored for blue team operations, penetration testing, and network defense. It helps uncover web-based threats (e.g., SQLi, XSS, Webshells) and supports extensive customization and automation.


🧱 Architecture Overview

Architecture


🚀 Key Features

✅ Packet Capture Analysis

  • Supports .pcapng files
  • HTTP data extraction for Burp Suite
  • POST data in text and hex
  • Filtered URI & HTTP payload output

📄 Log File Analysis

  • Apache, Nginx, JSON, F5, HAProxy, Tomcat, IIS

🔁 Traffic Replay

  • Raw request replay
  • Binary request replay
  • Session-based replay (e.g., Godzilla multi-request WebShell sessions)

📦 Binary Extraction

  • Java, C# serialized data
  • ZIP, 7z, RAR, TAR, GZ
  • Images (JPG, PNG, etc.)
  • Audio/Video (MP3, MP4, etc.)
  • Scripts, documents, emails, databases

📊 Statistics

  • URI, IP, methods, frequency
  • GeoIP resolution

🧰 Security Detection

  • Info leak
  • Directory traversal
  • LFI/RFI
  • RCE
  • SQL injection
  • XSS

🧠 AI-based Detection

  • URI/body/header focused analysis
  • Automated batch threat analysis

📸 GUI Preview


📁 Code Structure Overview

  • main.py: Entry point
  • core_processing.py: HTTP parsing engine
  • binary_extraction.py: Binary extraction logic
  • log_parsing/: Log format identification and parsers
  • replay_request.py: Traffic replay
  • url_statistics.py: URI & IP statistics
  • history/: Persistent scan results
  • lib/: IP location, CLI, icons, etc.
  • modsec/: OWASP ModSecurity rule integration
  • config.yaml: All customizable rules & settings

🙏 Special Thanks

  • Zhigong Shanfang Lab
  • SnowBaby
  • ChinaRan404
  • TangTang
  • niuᴗu
  • Woshuwacao

🧠 Future Plans

  • ✅ Log alerting system
  • ✅ Threat Intelligence API integration (VT, CriminalIP, AbuseIPDB)
  • ✅ ModSecurity rule simulation
  • ✅ WebShell detection (Godzilla, Behinder, AntSword, etc.)

📬 Author's Official WeChat

