Scroll to navigation

stan(1) General Commands Manual stan(1)


stan - Stream Analyzer


stan [ -bhvV ] [ -f filter ] [ -n number ] [ -p patlen ] [ file ... ]


Stan is a console application that analyzes binary streams and calculates several useful statistical information from the observed data. It features statistical, pattern and bit analysis. Stan has been designed as a "swiss-knife" for first steps in reverse engineering and cryptographic analysis.

Stan expects a list of files at the end of the command line. If no files are specified data is read from Standard Input (stdin).

Stan's functionality can be divided into three types of analysis: general statistics, pattern analysis and bit analysis.

General Statistics

Stan uses the bytes of the input data to calculate statistic standard values, such as the mean, the median, the deviation, the chi-square value, and the entropy per byte. Where possible the corresponding ASCII characters are printed after the decimal value in order to simplify text analysis.

Pattern Analysis

Stan records all observed patterns up to the pattern length patlen and efficiently stores them in a treap (binary tree with heap properties). Stan can easily process patterns up to a length of 10 on non-random data

Bit Analysis

Stan observes so called runs which are sequences of the same bit, e.g. 000 or 11. According to the analysis of pseudo random number generators, it then calculates the following ratios:

Length Ratios. The number runs of length n is divided by the number of runs of length (n+1). If the input data is rather random, the ratio should be 2.

0/1 Ratios. The number of 0-runs of length n is divided by the number of 1-runs of the same length. If the input data is rather random, this ratio should be 1.



Enable bit analysis.


Print a help screen to stderr.


Print verbose information.


Display the version and copyright notice.

-f filter

Use a filter before passing the data to the analysis engine. The following filter may be used to restrict the range of data.

0 No filter (default)

1 Analyze only printable characters.

2 Analise only alphanumeric characters.

-n number

Display number of patterns. The default value is 10. You should keep this value rather small because a lot of patterns may be found in a large data stream.

-p patlen

Analise patterns from 1 to patlen length. The length of the pattern is measured in bytes.


Learn about your password file. Before you execute the following command, guess which is the most common 2 byte pattern.

$ stan /etc/passwd.

If you want to analyse your PRNG device, try the following setup

$ dd if=/dev/urandom count=10 | stan -b

You may also use stan to analyse text. Let's look at the most common letter patterns in this man page.

$ man stan | stan -p 5 -f 2


Stan was designed with efficiency in mind, but if you are using a large patlen e.g. 6 or above, you may run into memory problems, especially if you are analyzing random or nearly random data. Just remember that there are 256^6 patterns of the length 6, which could require 281 terabyte of memory!

If you discover bugs or want to contribute improvements contact the Konrad Rieck <kr _at_ roqe _dot_ org>. You can always grab the latest version of stan at

15. September 2004 Konrad Rieck