stan(1) | General Commands Manual | stan(1) |

# NAME¶

stan - Stream Analyzer

# SYNOPSIS¶

stan [ -bhvV ] [ -f *filter* ] [ -n *number* ] [ -p
*patlen* ] [ *file ... ]*

# DESCRIPTION¶

Stan is a console application that analyzes binary streams and calculates several useful statistical information from the observed data. It features statistical, pattern and bit analysis. Stan has been designed as a "swiss-knife" for first steps in reverse engineering and cryptographic analysis.

Stan expects a list of files at the end of the command line. If no files are specified data is read from Standard Input (stdin).

Stan's functionality can be divided into three types of analysis:
*general statistics,* *pattern analysis* and *bit
analysis.*

## General Statistics¶

Stan uses the bytes of the input data to calculate statistic standard values, such as the mean, the median, the deviation, the chi-square value, and the entropy per byte. Where possible the corresponding ASCII characters are printed after the decimal value in order to simplify text analysis.

## Pattern Analysis¶

Stan records all observed patterns up to the pattern length
*patlen* and efficiently stores them in a treap (binary tree with heap
properties). Stan can easily process patterns up to a length of 10 on
non-random data

## Bit Analysis¶

Stan observes so called runs which are sequences of the same bit, e.g. 000 or 11. According to the analysis of pseudo random number generators, it then calculates the following ratios:

*Length Ratios.* The number runs of length n is divided by
the number of runs of length (n+1). If the input data is rather random, the
ratio should be 2.

*0/1 Ratios.* The number of 0-runs of length n is divided by
the number of 1-runs of the same length. If the input data is rather random,
this ratio should be 1.

# OPTIONS¶

-b

-h

-v

-V

-f *filter*

*filter*before passing the data to the analysis engine. The following

*filter*may be used to restrict the range of data.

0 No filter (default)

1 Analyze only printable characters.

2 Analise only alphanumeric characters.

-n *number*

*number*of patterns. The default value is 10. You should keep this value rather small because a lot of patterns may be found in a large data stream.

-p *patlen*

*patlen*length. The length of the pattern is measured in bytes.

# EXAMPLES¶

Learn about your password file. Before you execute the following command, guess which is the most common 2 byte pattern.

If you want to analyse your PRNG device, try the following setup

You may also use stan to analyse text. Let's look at the most common letter patterns in this man page.

# NOTES¶

Stan was designed with efficiency in mind, but if you are using a
large *patlen* e.g. 6 or above, you may run into memory problems,
especially if you are analyzing random or nearly random data. Just remember
that there are 256^6 patterns of the length 6, which could require 281
terabyte of memory!

If you discover bugs or want to contribute improvements contact the Konrad Rieck <kr _at_ roqe _dot_ org>. You can always grab the latest version of stan at http://www.roqe.org/stan.

15. September 2004 | Konrad Rieck |