Categories: Kali Linux

Joy : To Capture & Analyse Network Flow Data & Intraflow Data

Joy is a package for capturing and analysing network flow data and intraflow data, for network research, forensics, and security monitoring.

Joy is a BSD-licensed libpcap-based software package for extracting data features from live network traffic or packet capture (pcap) files, using a flow-oriented model similar to that of IPFIX or Netflow, and then representing these data features in JSON.

It also contains analysis tools that can be applied to these data files. Joy can be used to explore data at scale, especially security and threat-relevant data.

JSON is used in order to make the output easily consumable by data analysis tools.

Also Read: Flerken : Obfuscated Command Detection Tool

While the JSON output files are somewhat verbose, they are reasonably small, and they respond well to compression.

Joy can be configured to obtain intraflow data, that is, data and information about events that occur within a network flow, including:

  • The sequence of lengths and arrival times of IP packets, up to some configurable number of packets.
  • The empirical probability distribution of the bytes within the data portion of a flow, and the entropy derived from that value,
  • The sequence of lengths and arrival times of TLS records,
  • Other non-encrypted TLS data, such as the list of offered ciphersuites, the selected ciphersuite, the length of the clientKeyExchange field, and the server certificate strings,
  • DNS names, addresses, and TTLs,
  • HTTP header elements and the first eight bytes of the HTTP body, and
  • The name of the process associated with the flow, for flows originate or terminate on the host on which pcap is running.

Joy is intended for use in security research, forensics, and for the monitoring of (small scale) networks to detect vulnerabilities, threats and other unauthorized or unwanted behavior.

Researchers, administrators, penetration testers, and security operations teams can put this information to good use, for the protection of the networks being monitored, and in the case of vulnerabilities, for the benefit of the broader community through improved defensive posture.

As with any network monitoring tool, Joy could potentially be misused; do not use it on any network of which you are not the owner or the administrator.

Flow, in positive psychology, is a state in which a person performing an activity is fully immersed in a feeling of energized focus, deep involvement, and joy.

This second meaning inspired the choice of name for this software package.

Joy is alpha/beta software; we hope that you use it and benefit from it, but do understand that it is not suitable for production use.

TLS Fingerprinting

We have recently released the largest and most informative open source TLS fingerprint database.

Among other features, our approach builds on previous work by being fully automated and annotating TLS fingerprints with significantly more information.

We have built a set of python tools to enable the application of this database, as well as the generation of new databases with the help of Joy.

Relation to Cisco ETA

Joy has helped support the research that paved the way for Cisco’s Encrypted Traffic Analytics (ETA), but it is not directly integrated into any of the Cisco products or services that implement ETA.

The classifiers in Joy were trained on a small dataset several years ago, and do not represent the classification methods or performance of ETA.

The intent of this feature is to allow network researchers to quickly train and deploy their own classifiers on a subset of the data features that Joy produces.

Release 4.3.0

Add IPv6 support to Joy and libjoy
IPFix collection and export only support IPv4
NFv9 only supports IPv4
Anonymization only supports IPv4 addresses
Subnet labeling only supports IPv4 addresses

Release 4.2.0

Re-write joy.c to use libjoy library
Updated joy.c to utilize multi-threads for flow processing
Updated unit tests and python tests to reflect new code changes
Removed guts of the updater process to prepare for re-write
Fixed bug in processing multiple files on the command line
Other minor bug fixes

Release 4.0.3

Added support for make install for Centos

Credits: David McGrew, Blake Anderson, Philip Perricone and Bill Hudson

R K

Recent Posts

SpyAI : Intelligent Malware With Advanced Capabilities

SpyAI is a sophisticated form of malware that leverages advanced technologies to capture and analyze…

2 days ago

Proxmark3 : The Ultimate Tool For RFID Security And Analysis

The Proxmark3 is a versatile, open-source tool designed for radio-frequency identification (RFID) security analysis, research,…

2 days ago

Awesome Solana Security : Enhancing Program Development

The "Awesome Solana Security" collection is a comprehensive resource designed to help developers build more…

2 days ago

IngressNightmare-POCs : Understanding The Vulnerability Exploitation Flow

The "IngressNightmare" vulnerabilities, disclosed in March 2025, represent a critical set of security issues affecting…

2 days ago

AdaptixC2 : Enhancing Penetration Testing With Advanced Framework Capabilities

AdaptixC2 is an advanced post-exploitation and adversarial emulation framework designed specifically for penetration testers. It…

2 days ago

Bincrypter : Enhancing Linux Binary Security through Runtime Encryption And Obfuscation

Bincrypter is a powerful Linux binary runtime crypter written in BASH. It is designed to…

2 days ago