CLI queries
Sundew provides a built-in CLI for querying captured data.

Recent sessions
Filter by classification
Statistics
- Total events and sessions
- Classification breakdown
- Most-hit endpoints
- Trap type distribution
- Top source IPs
MCP server for researchers
Use Sundew as an MCP server to query your honeypot data from Claude or other AI tools:

Data format
Request events
Each captured request contains:

| Field | Description |
|---|---|
| id | Unique event identifier |
| timestamp | ISO 8601 timestamp |
| session_id | Correlated session |
| source_ip | Origin IP address |
| method | HTTP method or MCP operation |
| path | Request path |
| headers | Full HTTP headers |
| body | Request body (if present) |
| fingerprint_scores | Per-signal scores |
| classification | Computed classification |
| trap_type | Which trap handled it (rest_api, mcp, discovery) |
Sessions
Sessions aggregate multiple requests:

| Field | Description |
|---|---|
| id | Session identifier |
| source_ip | Shared origin |
| first_seen / last_seen | Time range |
| request_count | Total requests in session |
| classification | Aggregated classification |
| fingerprint_scores | Aggregated signal scores |
| endpoints_hit | List of endpoints accessed |
| trap_types_triggered | Which traps were activated |
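The two tables above describe the shape of the records but not how events roll up into a session or into the statistics the CLI reports. The following is an added example, not Sundew's own code, that builds session records from event records with the fields listed in the Request events table and then computes the statistics from the list above. The sample events, the classification labels, the severity ordering used to pick the aggregated classification, and the max-per-signal score aggregation are all assumptions for illustration.

```python
from collections import Counter

# Constructed sample events; field names follow the Request events table.
# Classification labels are assumed, trap types are the three the page lists.
EVENTS = [
    {"id": "e1", "timestamp": "2024-05-01T10:02:11Z", "session_id": "s1",
     "source_ip": "203.0.113.7", "method": "GET", "path": "/api/v1/users",
     "headers": {"user-agent": "python-requests/2.31"}, "body": None,
     "fingerprint_scores": {"timing": 0.8, "headers": 0.6},
     "classification": "ai_agent", "trap_type": "rest_api"},
    {"id": "e2", "timestamp": "2024-05-01T10:02:13Z", "session_id": "s1",
     "source_ip": "203.0.113.7", "method": "GET", "path": "/.well-known/mcp",
     "headers": {"user-agent": "python-requests/2.31"}, "body": None,
     "fingerprint_scores": {"timing": 0.5, "headers": 0.9},
     "classification": "suspected_agent", "trap_type": "discovery"},
    {"id": "e3", "timestamp": "2024-05-01T10:02:15Z", "session_id": "s1",
     "source_ip": "203.0.113.7", "method": "tools/list", "path": "/mcp",
     "headers": {"content-type": "application/json"}, "body": "{}",
     "fingerprint_scores": {"timing": 0.9},
     "classification": "ai_agent", "trap_type": "mcp"},
    {"id": "e4", "timestamp": "2024-05-01T11:40:00Z", "session_id": "s2",
     "source_ip": "198.51.100.9", "method": "GET", "path": "/api/v1/users",
     "headers": {"user-agent": "curl/8.4"}, "body": None,
     "fingerprint_scores": {"timing": 0.2, "headers": 0.3},
     "classification": "scanner", "trap_type": "rest_api"},
]

# Assumed ordering: when a session's events disagree, the most agent-like
# label wins. Sundew's real aggregation rule is not described on the page.
SEVERITY = {"unknown": 0, "human": 1, "scanner": 2, "suspected_agent": 3, "ai_agent": 4}


def build_sessions(events):
    """Roll events up into records shaped like the Sessions table."""
    sessions = {}
    # ISO 8601 timestamps in the same UTC format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        s = sessions.get(ev["session_id"])
        if s is None:
            s = {"id": ev["session_id"], "source_ip": ev["source_ip"],
                 "first_seen": ev["timestamp"], "last_seen": ev["timestamp"],
                 "request_count": 0, "classification": "unknown",
                 "fingerprint_scores": {}, "endpoints_hit": [],
                 "trap_types_triggered": []}
            sessions[s["id"]] = s
        s["last_seen"] = ev["timestamp"]
        s["request_count"] += 1
        # Aggregate each signal as the strongest score seen in the session.
        for signal, score in ev["fingerprint_scores"].items():
            s["fingerprint_scores"][signal] = max(s["fingerprint_scores"].get(signal, 0.0), score)
        if SEVERITY[ev["classification"]] > SEVERITY[s["classification"]]:
            s["classification"] = ev["classification"]
        if ev["path"] not in s["endpoints_hit"]:
            s["endpoints_hit"].append(ev["path"])
        if ev["trap_type"] not in s["trap_types_triggered"]:
            s["trap_types_triggered"].append(ev["trap_type"])
    return sessions


def statistics(events, sessions, top=5):
    """The five statistics the CLI reports, computed over raw events."""
    return {
        "total_events": len(events),
        "total_sessions": len(sessions),
        "classification_breakdown": dict(Counter(e["classification"] for e in events)),
        "most_hit_endpoints": Counter(e["path"] for e in events).most_common(top),
        "trap_type_distribution": dict(Counter(e["trap_type"] for e in events)),
        "top_source_ips": Counter(e["source_ip"] for e in events).most_common(top),
    }


if __name__ == "__main__":
    sessions = build_sessions(EVENTS)
    for s in sessions.values():
        print(s)
    print(statistics(EVENTS, sessions))
```

Events are sorted by timestamp before aggregation so that `first_seen`, `last_seen`, and the order of `endpoints_hit` reflect the real sequence even when events are stored out of order.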
Exporting data
For research and sharing, the export:

- Hashes IP addresses
- Buckets timestamps to hourly granularity
- Strips any PII from request bodies
- Preserves behavioral data for analysis
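The four export rules above leave the implementation open. The following is an added example, not Sundew's own export code, that applies them to an event record shaped like the Request events table: IPs are replaced with a keyed HMAC token (so one IP maps to one token within an export but cannot be enumerated from the IPv4 space without the key), timestamps are floored to the hour in UTC, e-mail addresses and phone numbers are redacted from bodies, and the behavioral fields are copied through unchanged. The export key, the PII patterns, the decision to keep only the User-Agent header, and the sample event are assumptions for illustration.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Constructed key; in practice generate a fresh random key per exported dataset
# and never publish it alongside the data.
EXPORT_KEY = b"constructed-example-key-rotate-per-export"

# Simplified PII patterns for illustration; a real export would use a broader set.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

# Constructed sample event with PII in the body.
SAMPLE_EVENT = {
    "id": "e7", "timestamp": "2024-05-01T10:47:33Z", "session_id": "s3",
    "source_ip": "203.0.113.7", "method": "POST", "path": "/api/v1/users",
    "headers": {"user-agent": "python-requests/2.31", "cookie": "sid=abc123"},
    "body": '{"email": "alice@example.com", "note": "call +1 415 555 0100"}',
    "fingerprint_scores": {"timing": 0.7, "headers": 0.8},
    "classification": "ai_agent", "trap_type": "rest_api",
}


def hash_ip(ip, key=EXPORT_KEY):
    """Keyed, truncated hash: stable within one export, not reversible without the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def bucket_hour(ts):
    """Floor an ISO 8601 timestamp to the hour, normalised to UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0).strftime("%Y-%m-%dT%H:00:00Z")


def scrub(text):
    """Redact e-mail addresses and phone numbers from free text."""
    if text is None:
        return None
    return PHONE_RE.sub("[PHONE]", EMAIL_RE.sub("[EMAIL]", text))


def export_event(ev, key=EXPORT_KEY):
    """Return a shareable copy of an event record under the four export rules."""
    return {
        "id": ev["id"],
        "timestamp": bucket_hour(ev["timestamp"]),
        "session_id": ev["session_id"],
        "source_ip": hash_ip(ev["source_ip"], key),
        "method": ev["method"],
        "path": ev["path"],
        # Assumption: only the User-Agent header is behavioral enough to keep;
        # cookies, auth headers and the like are dropped rather than scrubbed.
        "user_agent": ev.get("headers", {}).get("user-agent"),
        "body": scrub(ev["body"]),
        "fingerprint_scores": ev["fingerprint_scores"],
        "classification": ev["classification"],
        "trap_type": ev["trap_type"],
    }


if __name__ == "__main__":
    print(export_event(SAMPLE_EVENT))
```

Keying the hash matters: an unkeyed SHA-256 of an IPv4 address can be reversed in minutes by hashing all 2^32 candidates, so a plain hash would not actually anonymise the source.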