
DoHlyzer is a DNS over HTTPS (DoH) traffic flow generator and analyzer for anomaly detection and characterization.

Primary Language: Python


Set of tools to capture HTTPS traffic, extract statistical and time-series features from it, and analyze them with a focus on detecting and characterizing DoH (DNS-over-HTTPS) traffic.


This project has been made possible through funding from the Canadian Internet Registration Authority (CIRA) from July 2019 to July 2020.


DoHlyzer currently consists of several independent modules, each carrying some of the functionality needed to analyze the data for DoH flows.


The DoHMeter module is responsible for:

  1. Capturing HTTPS packets from network interfaces or reading input PCAP files
  2. Grouping packets into flows by their source and destination addresses and ports
  3. Extracting features for traffic analysis, including statistical and time-series features
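The grouping and feature-extraction steps above can be illustrated with a short sketch. This is an added example, not DoHlyzer's own code: the packet records are constructed, the function and feature names are hypothetical, and treating both directions of a connection as one flow is an assumption.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample packets: (timestamp, src_ip, src_port, dst_ip, dst_port, length_bytes)
PACKETS = [
    (0.000, "10.0.0.5", 51000, "192.0.2.10", 443, 120),
    (0.020, "192.0.2.10", 443, "10.0.0.5", 51000, 300),
    (0.050, "10.0.0.5", 51000, "192.0.2.10", 443, 130),
    (0.010, "10.0.0.5", 51001, "198.51.100.7", 443, 517),
    (0.110, "198.51.100.7", 443, "10.0.0.5", 51001, 1400),
    (0.310, "198.51.100.7", 443, "10.0.0.5", 51001, 1400),
]

def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent key: both directions of a connection map to one flow."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)

def group_flows(packets):
    """Group packets into flows by source/destination address and port."""
    flows = defaultdict(list)
    for ts, sip, sport, dip, dport, length in sorted(packets):  # timestamp order
        flows[flow_key(sip, sport, dip, dport)].append((ts, sip, sport, length))
    return flows

def flow_features(pkts):
    """Statistical features of one flow; pkts must be in timestamp order."""
    times = [p[0] for p in pkts]
    lengths = [p[3] for p in pkts]
    gaps = [t2 - t1 for t1, t2 in zip(times, times[1:])]  # inter-arrival times
    initiator = pkts[0][1:3]  # assumption: the first packet's source is the client
    sent = sum(n for _, ip, port, n in pkts if (ip, port) == initiator)
    return {
        "packets": len(pkts),
        "duration": times[-1] - times[0],
        "bytes_sent": sent,
        "bytes_received": sum(lengths) - sent,
        "length_mean": mean(lengths),
        "length_std": pstdev(lengths),
        "iat_mean": mean(gaps) if gaps else 0.0,
    }

def analyze(packets):
    """Return {flow_key: feature dict} for every flow found in the packet list."""
    return {key: flow_features(pkts) for key, pkts in group_flows(packets).items()}

if __name__ == "__main__":
    for key, features in analyze(PACKETS).items():
        print(key, features)
```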


This module can be used to create the proposed DNN models and benchmark them against the aggregated clumps file that can be created by the Meter module.


This module can be used to visualize the clumps files created by the Meter module.


The Python packages needed to run DoHlyzer are listed in the requirements.txt file. You can install them (preferably in a virtualenv) with:

pip install -r requirements.txt


Each module comes with its own README file describing how it can be used.


The project is not currently in development, but any contribution is welcome in the form of pull requests.

Project Team members