flow.record.fieldtypes

Subpackages

• flow.record.fieldtypes.net
  • flow.record.fieldtypes.net.ip
  • flow.record.fieldtypes.net.ipv4
  • flow.record.fieldtypes.net.tcp
  • flow.record.fieldtypes.net.udp

Submodules

• flow.record.fieldtypes.credential

Package Contents

Classes

FieldType
Record
dynamic
typedlist	Built-in mutable sequence.
dictlist	Built-in mutable sequence.
stringlist	Built-in mutable sequence.
string	str(object='') -> str
bytes	bytes(iterable_of_ints) -> bytes
datetime	datetime(year, month, day[, hour[, minute[, second[, microsecond[,tzinfo]]]]])
varint	int([x]) -> integer
float	Convert a string or number to a floating point number, if possible.
uint16	int([x]) -> integer
uint32	int([x]) -> integer
boolean	int([x]) -> integer
filesize	int([x]) -> integer
unix_file_mode	int([x]) -> integer
digest
uri	str(object='') -> str
record
path	Base class for manipulating paths without I/O.
posix_path	PurePath subclass for non-Windows systems.
windows_path	PurePath subclass for Windows systems.
command
posix_command
windows_command

Functions

flow_record_tz	Return a ZoneInfo object based on the FLOW_RECORD_TZ environment variable.
defang	Defangs the value to make URLs or ip addresses unclickable
fieldtype_for_value	Returns fieldtype name derived from the value. Returns default if it cannot be derived.
human_readable_size

Attributes

HAS_ZONE_INFO
RE_NORMALIZE_PATH
UTC
PY_311_OR_HIGHER
PY_312_OR_HIGHER
PY_313_OR_HIGHER
TYPE_POSIX
TYPE_WINDOWS
DISPLAY_TZINFO
wstring

flow.record.fieldtypes.HAS_ZONE_INFO = True

class flow.record.fieldtypes.FieldType

classmethod default() → None

Return the default value for the field in the Record template.

class flow.record.fieldtypes.Record

__slots__ = ()

__eq__(other: object) → bool

__setattr__(k: str, v: Any) → None

Enforce setting the fields to their respective types.

__hash__() → int

__repr__() → str

flow.record.fieldtypes.RE_NORMALIZE_PATH

flow.record.fieldtypes.UTC

flow.record.fieldtypes.PY_311_OR_HIGHER

flow.record.fieldtypes.PY_312_OR_HIGHER

flow.record.fieldtypes.PY_313_OR_HIGHER

flow.record.fieldtypes.TYPE_POSIX = 0

flow.record.fieldtypes.TYPE_WINDOWS = 1

flow.record.fieldtypes.flow_record_tz(*, default_tz: str = 'UTC') → zoneinfo.ZoneInfo | UTC | None

Return a ZoneInfo object based on the FLOW_RECORD_TZ environment variable.

Parameters:

default_tz – Default timezone if FLOW_RECORD_TZ is not set (default: UTC).

Returns:

None if FLOW_RECORD_TZ=NONE otherwise ZoneInfo(FLOW_RECORD_TZ) or UTC if ZoneInfo is not found.

flow.record.fieldtypes.DISPLAY_TZINFO = None

flow.record.fieldtypes.defang(value: str) → str

Defangs the value to make URLs or ip addresses unclickable

flow.record.fieldtypes.fieldtype_for_value(value: object, default: str = 'string') → str

Returns fieldtype name derived from the value. Returns default if it cannot be derived.

Parameters:

value – value to derive the fieldtype from

Returns:

the field type name or default if it cannot be derived

Return type:

str

Examples

>>> fieldtype_for_value("hello")
"string"
>>> fieldtype_for_value(1337)
"varint"
>>> fieldtype_for_value(object(), None)
None

class flow.record.fieldtypes.dynamic

Bases: flow.record.base.FieldType

class flow.record.fieldtypes.typedlist(values: list[Any] | None = None)

Bases: list, flow.record.base.FieldType

Built-in mutable sequence.

If no argument is given, the constructor creates a new empty list. The argument must be an iterable if specified.

__type__ = None

classmethod default() → typedlist

Override default so the field is always an empty list.

class flow.record.fieldtypes.dictlist

Bases: list, flow.record.base.FieldType

Built-in mutable sequence.

If no argument is given, the constructor creates a new empty list. The argument must be an iterable if specified.

class flow.record.fieldtypes.stringlist

Bases: list, flow.record.base.FieldType

Built-in mutable sequence.

If no argument is given, the constructor creates a new empty list. The argument must be an iterable if specified.

class flow.record.fieldtypes.string

Bases: str, flow.record.base.FieldType

str(object=’’) -> str str(bytes_or_buffer[, encoding[, errors]]) -> str

Create a new string object from the given object. If encoding or errors is specified, then the object must expose a data buffer that will be decoded using the given encoding and error handler. Otherwise, returns the result of object.__str__() (if defined) or repr(object). encoding defaults to sys.getdefaultencoding(). errors defaults to ‘strict’.

__slots__ = ()

__format__(spec: str) → str

Return a formatted version of the string as described by format_spec.

flow.record.fieldtypes.wstring

class flow.record.fieldtypes.bytes

Bases: _bytes, flow.record.base.FieldType

bytes(iterable_of_ints) -> bytes bytes(string, encoding[, errors]) -> bytes bytes(bytes_or_buffer) -> immutable copy of bytes_or_buffer bytes(int) -> bytes object of size given by the parameter initialized with null bytes bytes() -> empty bytes object

Construct an immutable array of bytes from:

• an iterable yielding integers in range(256)

• a text string encoded using the specified encoding

• any object implementing the buffer API.

• an integer

__format__(spec: str) → str

Default object formatter.

class flow.record.fieldtypes.datetime

Bases: datetime.datetime, flow.record.base.FieldType

datetime(year, month, day[, hour[, minute[, second[, microsecond[,tzinfo]]]]])

The year, month and day arguments are required. tzinfo may be None, or an instance of a tzinfo subclass. The remaining arguments may be ints.

__str__() → str

Convert to string, for str().

__repr__() → str

Convert to formal string, for repr().

__hash__() → int

Hash.

class flow.record.fieldtypes.varint

Bases: int, flow.record.base.FieldType

int([x]) -> integer int(x, base=10) -> integer

Convert a number or string to an integer, or return 0 if no arguments are given. If x is a number, return x.__int__(). For floating point numbers, this truncates towards zero.

If x is not a number or if base is given, then x must be a string, bytes, or bytearray instance representing an integer literal in the given base. The literal can be preceded by ‘+’ or ‘-’ and be surrounded by whitespace. The base defaults to 10. Valid bases are 0 and 2-36. Base 0 means to interpret the base from the string as an integer literal. >>> int(‘0b100’, base=0) 4

class flow.record.fieldtypes.float

Bases: _float, flow.record.base.FieldType

Convert a string or number to a floating point number, if possible.

class flow.record.fieldtypes.uint16(value: int)

Bases: int, flow.record.base.FieldType

int([x]) -> integer int(x, base=10) -> integer

Convert a number or string to an integer, or return 0 if no arguments are given. If x is a number, return x.__int__(). For floating point numbers, this truncates towards zero.

If x is not a number or if base is given, then x must be a string, bytes, or bytearray instance representing an integer literal in the given base. The literal can be preceded by ‘+’ or ‘-’ and be surrounded by whitespace. The base defaults to 10. Valid bases are 0 and 2-36. Base 0 means to interpret the base from the string as an integer literal. >>> int(‘0b100’, base=0) 4

value = None

__repr__() → str

Return repr(self).

class flow.record.fieldtypes.uint32(value: int)

Bases: int, flow.record.base.FieldType

int([x]) -> integer int(x, base=10) -> integer

Convert a number or string to an integer, or return 0 if no arguments are given. If x is a number, return x.__int__(). For floating point numbers, this truncates towards zero.

If x is not a number or if base is given, then x must be a string, bytes, or bytearray instance representing an integer literal in the given base. The literal can be preceded by ‘+’ or ‘-’ and be surrounded by whitespace. The base defaults to 10. Valid bases are 0 and 2-36. Base 0 means to interpret the base from the string as an integer literal. >>> int(‘0b100’, base=0) 4

value = None

class flow.record.fieldtypes.boolean(value: bool)

Bases: int, flow.record.base.FieldType

int([x]) -> integer int(x, base=10) -> integer

Convert a number or string to an integer, or return 0 if no arguments are given. If x is a number, return x.__int__(). For floating point numbers, this truncates towards zero.

If x is not a number or if base is given, then x must be a string, bytes, or bytearray instance representing an integer literal in the given base. The literal can be preceded by ‘+’ or ‘-’ and be surrounded by whitespace. The base defaults to 10. Valid bases are 0 and 2-36. Base 0 means to interpret the base from the string as an integer literal. >>> int(‘0b100’, base=0) 4

value = None

__str__() → str

Return str(self).

__repr__() → str

Return repr(self).

flow.record.fieldtypes.human_readable_size(x: int) → str

class flow.record.fieldtypes.filesize

Bases: varint

int([x]) -> integer int(x, base=10) -> integer

Convert a number or string to an integer, or return 0 if no arguments are given. If x is a number, return x.__int__(). For floating point numbers, this truncates towards zero.

If x is not a number or if base is given, then x must be a string, bytes, or bytearray instance representing an integer literal in the given base. The literal can be preceded by ‘+’ or ‘-’ and be surrounded by whitespace. The base defaults to 10. Valid bases are 0 and 2-36. Base 0 means to interpret the base from the string as an integer literal. >>> int(‘0b100’, base=0) 4

__repr__() → str

Return repr(self).

class flow.record.fieldtypes.unix_file_mode

Bases: varint

int([x]) -> integer int(x, base=10) -> integer

Convert a number or string to an integer, or return 0 if no arguments are given. If x is a number, return x.__int__(). For floating point numbers, this truncates towards zero.

If x is not a number or if base is given, then x must be a string, bytes, or bytearray instance representing an integer literal in the given base. The literal can be preceded by ‘+’ or ‘-’ and be surrounded by whitespace. The base defaults to 10. Valid bases are 0 and 2-36. Base 0 means to interpret the base from the string as an integer literal. >>> int(‘0b100’, base=0) 4

__repr__() → str

Return repr(self).

class flow.record.fieldtypes.digest(value: tuple[str, str, str] | list[str] | dict[str, str] | None = None, **kwargs)

Bases: flow.record.base.FieldType

classmethod default() → digest

Override default so the field is always a digest() instance.

__repr__() → str

property md5: str | None

property sha1: str | None

property sha256: str | None

class flow.record.fieldtypes.uri(value: str)

Bases: string, flow.record.base.FieldType

str(object=’’) -> str str(bytes_or_buffer[, encoding[, errors]]) -> str

Create a new string object from the given object. If encoding or errors is specified, then the object must expose a data buffer that will be decoded using the given encoding and error handler. Otherwise, returns the result of object.__str__() (if defined) or repr(object). encoding defaults to sys.getdefaultencoding(). errors defaults to ‘strict’.

static normalize(path: str) → str

Normalize Windows paths to posix.

c:windowssystem32cmd.exe -> c:/windows/system32/cmd.exe

classmethod from_windows(path: str) → uri

Initialize a uri instance from a windows path.

property scheme: str

property protocol: str

property netloc: str

property path: str

property params: str

property query: str

property args: str

property fragment: str

property username: str | None

property password: str | None

property hostname: str | None

property port: int | None

property filename: str

property dirname: str

class flow.record.fieldtypes.record

Bases: flow.record.base.FieldType

class flow.record.fieldtypes.path

Bases: pathlib.PurePath, flow.record.base.FieldType

Base class for manipulating paths without I/O.

PurePath represents a filesystem path and offers operations which don’t imply any actual filesystem I/O. Depending on your system, instantiating a PurePath will return either a PurePosixPath or a PureWindowsPath object. You can also instantiate either of these classes directly, regardless of your system.

__eq__(other: object) → bool

__str__() → str

Return the string representation of the path, suitable for passing to system calls.

__repr__() → str

property parent: path

The logical parent of the path.

classmethod from_posix(path_: str) → posix_path

Initialize a path instance from a posix path string using / as a separator.

classmethod from_windows(path_: str) → windows_path

Initialize a path instance from a windows path string using or / as a separator.

class flow.record.fieldtypes.posix_path

Bases: pathlib.PurePosixPath, path

PurePath subclass for non-Windows systems.

On a POSIX system, instantiating a PurePath should return this object. However, you can also instantiate it directly on any system.

class flow.record.fieldtypes.windows_path

Bases: pathlib.PureWindowsPath, path

PurePath subclass for Windows systems.

On a Windows system, instantiating a PurePath should return this object. However, you can also instantiate it directly on any system.

__repr__() → str

class flow.record.fieldtypes.command(value: str | tuple[str, tuple[str]] | None)

Bases: flow.record.base.FieldType

executable: path | None = None

args: list[str] | None = None

__repr__() → str

__eq__(other: object) → bool

classmethod from_posix(value: str) → command

classmethod from_windows(value: str) → command

class flow.record.fieldtypes.posix_command(value: str | tuple[str, tuple[str]] | None)

Bases: command

class flow.record.fieldtypes.windows_command(value: str | tuple[str, tuple[str]] | None)

Bases: command