Tranalyzer2
Version 0.7.1
Flow based forensic and network troubleshooting traffic analyzer
Tranalyzer Development Team
Contents

1 Introduction . . . 1
1.1 Getting Tranalyzer . . . 1
1.2 Dependencies . . . 1
1.3 Compilation . . . 1
1.4 Installation . . . 2
1.5 Getting Started . . . 2
1.6 Getting Help . . . 3

2 Tranalyzer2 . . . 4
2.1 Supported Link-Layer Header Types . . . 4
2.2 Enabling/Disabling Plugins . . . 4
2.3 Man Page . . . 6
2.4 Invoking Tranalyzer . . . 6
2.5 Description of ioBuffer.h . . . 11
2.6 Description of main.h . . . 12
2.7 Description of networkHeaders.h . . . 12
2.8 Description of packetCapture.h . . . 13
2.9 Description of tranalyzer.h . . . 14
2.10 Tranalyzer2 Output . . . 20
2.11 Final Report . . . 20
2.12 Monitoring Modes During Runtime . . . 22
2.13 Cancellation of the Sniffing Process . . . 27

3 arpDecode . . . 28
3.1 Description . . . 28
3.2 Configuration Flags . . . 28
3.3 Flow File Output . . . 28
3.4 Plugin Report Output . . . 30

4 basicFlow . . . 31
4.1 Description . . . 31
4.2 Configuration Flags . . . 31
4.3 Flow File Output . . . 31
4.4 Packet File Output . . . 36

5 basicStats . . . 38
5.1 Description . . . 38
5.2 Configuration Flags . . . 38
5.3 Flow File Output . . . 38

6 binSink . . . 39
6.1 Description . . . 39
6.2 Dependencies . . . 39
6.3 Configuration Flags . . . 39
6.4 Post-Processing . . . 39
6.5 Custom File Output . . . 39

7 connStat . . . 40
7.1 Description . . . 40
7.2 Dependencies . . . 40
7.3 Configuration Flags . . . 40
7.4 Flow File Output . . . 40

8 descriptiveStats . . . 41
8.1 Description . . . 41
8.2 Dependencies . . . 41
8.3 Configuration Flags . . . 41
8.4 Flow File Output . . . 41
8.5 Known Bugs and Limitations . . . 42

9 dhcpDecode . . . 43
9.1 Description . . . 43
9.2 Configuration Flags . . . 43
9.3 Flow File Output . . . 43
9.4 Plugin Report Output . . . 50
9.5 TODO . . . 50
9.6 References . . . 50

10 dnsDecode . . . 51
10.1 Description . . . 51
10.2 Configuration Flags . . . 51
10.3 Flow File Output . . . 51
10.4 Plugin Report Output . . . 57
10.5 Example Output . . . 57
10.6 TODO . . . 57

11 entropy . . . 58
11.1 Description . . . 58
11.2 Configuration Flags . . . 58
11.3 Flow File Output . . . 58

12 ftpDecode . . . 59
12.1 Description . . . 59
12.2 Configuration Flags . . . 59
12.3 Flow File Output . . . 59
12.4 TODO . . . 61

13 geoip . . . 62
13.1 Description . . . 62
13.2 Dependencies . . . 62
13.3 Configuration Flags . . . 62
13.4 Flow File Output . . . 63
13.5 Post-Processing . . . 64

14 httpSniffer . . . 65
14.1 Configuration Flags . . . 65
14.2 Flow File Output . . . 66
14.3 Plugin Report Output . . . 69

15 icmpDecode . . . 71
15.1 Description . . . 71
15.2 Configuration Flags . . . 71
15.3 Flow File Output . . . 71
15.4 Packet File Output . . . 74
15.5 Additional Output . . . 74
15.6 Post-Processing . . . 76
15.7 TODO . . . 76

16 igmpDecode . . . 77
16.1 Required Files . . . 77
16.2 Plugin Flow File Output . . . 77
16.3 Additional Output . . . 77

17 ircDecode . . . 78
17.1 Description . . . 78
17.2 Configuration Flags . . . 78
17.3 Flow File Output . . . 78
17.4 TODO . . . 79

18 jsonSink . . . 80
18.1 Description . . . 80
18.2 Dependencies . . . 80
18.3 Configuration Flags . . . 80
18.4 Custom File Output . . . 80
18.5 Example . . . 81

19 macRecorder . . . 82
19.1 Description . . . 82
19.2 Dependencies . . . 82
19.3 Configuration Flags . . . 82
19.4 Flow File Output . . . 82
19.5 Packet File Output . . . 82
19.6 Example Output . . . 83

20 modbus . . . 84
20.1 Description . . . 84
20.2 Configuration Flags . . . 84
20.3 Flow File Output . . . 84
20.4 Packet File Output . . . 86
20.5 Plugin Report Output . . . 86

21 nDPI . . . 87
21.1 Description . . . 87
21.2 Configuration Flags . . . 87
21.3 Flow File Output . . . 87
21.4 nDPI Numerical Protocol Classification . . . 87
21.5 Additional Output . . . 90
21.6 Post-Processing . . . 90
21.7 How to Update nDPI to New Version . . . 90

22 nFrstPkts . . . 92
22.1 Description . . . 92
22.2 Configuration Flags . . . 92
22.3 Flow File Output . . . 92
22.4 Post-Processing . . . 92

23 ntpDecode . . . 93
23.1 Description . . . 93
23.2 Configuration Flags . . . 93
23.3 Flow File Output . . . 93
23.4 Examples . . . 95

24 ospfDecode . . . 96
24.1 Description . . . 96
24.2 Configuration Flags . . . 96
24.3 Flow File Output . . . 96
24.4 Additional Output . . . 97
24.5 Post-Processing . . . 97

25 pcapd . . . 99
25.1 Description . . . 99
25.2 Dependencies . . . 99
25.3 Configuration Flags . . . 99
25.4 Additional Output . . . 100
25.5 Examples . . . 100

26 pktSIATHisto . . . 101
26.1 Description . . . 101
26.2 Configuration Flags . . . 101
26.3 Flow File Output . . . 102
26.4 Post-Processing . . . 102
26.5 Example Output . . . 103

27 popDecode . . . 104
27.1 Description . . . 104
27.2 Configuration Flags . . . 104
27.3 Flow File Output . . . 104
27.4 TODO . . . 105

28 portClassifier . . . 106
28.1 Description . . . 106
28.2 Dependencies . . . 106
28.3 Configuration Flags . . . 106
28.4 Flow File Output . . . 106

29 protoStats . . . 107
29.1 Description . . . 107
29.2 Dependencies . . . 107
29.3 Configuration Flags . . . 107
29.4 Flow File Output . . . 107
29.5 Additional Output . . . 107
29.6 Post-Processing . . . 107

30 pwX . . . 108
30.1 Description . . . 108
30.2 Configuration Flags . . . 108
30.3 Flow File Output . . . 108
30.4 Plugin Report Output . . . 109

31 regex_pcre . . . 110
31.1 Description . . . 110
31.2 Dependencies . . . 110
31.3 Configuration Flags . . . 110
31.4 Flow File Output . . . 112

32 sctpDecode . . . 113
32.1 Description . . . 113
32.2 Configuration Flags . . . 113
32.3 Flow File Output . . . 113
32.4 sctpStat . . . 113
32.5 sctpCFlgs . . . 114
32.6 Packet File Output . . . 114

33 smbDecode . . . 115
33.1 Description . . . 115
33.2 Configuration Flags . . . 115
33.3 Flow File Output . . . 115
33.4 Plugin Report Output . . . 121
33.5 Post-Processing . . . 121
33.6 References . . . 121

34 smtpDecode . . . 122
34.1 Description . . . 122
34.2 Configuration Flags . . . 122
34.3 Flow File Output . . . 122
34.4 TODO . . . 123

35 socketSink . . . 124
35.1 Description . . . 124
35.2 Configuration Flags . . . 124
35.3 socketSink.h . . . 124
35.4 bin2TxtBuf.h . . . 124
35.5 Additional Output . . . 124
35.6 Test . . . 125

36 stpDecode . . . 126
36.1 Description . . . 126
36.2 Flow File Output . . . 126

37 syslogDecode . . . 127
37.1 Description . . . 127
37.2 Configuration Flags . . . 127
37.3 Flow File Output . . . 127
37.4 Additional Output . . . 127
37.5 TODO . . . 127
37.6 References . . . 128

38 tcpFlags . . . 129
38.1 Description . . . 129
38.2 Configuration Flags . . . 129
38.3 Flow File Output . . . 129
38.4 Packet File Output . . . 133
38.5 Additional Output . . . 133
38.6 Plugin Report Output . . . 134
38.7 Example . . . 134
38.8 References . . . 134

39 tcpStates . . . 135
39.1 Description . . . 135
39.2 Configuration Flags . . . 135
39.3 Flow File Output . . . 135
39.4 Plugin Report Output . . . 136

40 tftpDecode . . . 138
40.1 Description . . . 138
40.2 Configuration Flags . . . 138
40.3 Flow File Output . . . 138
40.4 TODO . . . 139

41 tp0f . . . 140
41.1 Description . . . 140
41.2 Configuration Flags . . . 140
41.3 Flow File Output . . . 140
41.4 Plugin Report Output . . . 141
41.5 Example Output . . . 141
41.6 Known Bugs and Limitations . . . 141
41.7 TODO . . . 141
41.8 References . . . 141

42 txtSink . . . 142
42.1 Description . . . 142
42.2 Configuration Flags . . . 142
42.3 Additional Output . . . 142
42.4 Post-Processing . . . 144

43 voipDetector . . . 145
43.1 Description . . . 145
43.2 Configuration Flags . . . 145
43.3 Flow File Output . . . 145
43.4 TODO . . . 146

44 vrrpDecode . . . 147
44.1 Description . . . 147
44.2 Configuration Flags . . . 147
44.3 Flow File Output . . . 147
44.4 Additional Output . . . 148
44.5 Plugin Report Output . . . 149
44.6 Post-Processing . . . 149

45 wavelet . . . 150
45.1 Description . . . 150
45.2 Configuration Flags . . . 150
45.3 Flow File Output . . . 150

46 scripts . . . 151
46.1 b64ex . . . 151
46.2 flowstat . . . 151
46.3 gpcc . . . 151
46.4 gpq3x/gpq3x_c . . . 151
46.5 new_plugin . . . 151
46.6 osStat . . . 151
46.7 rrdmonitor . . . 151
46.8 rrdplot . . . 152
46.9 segvtrack . . . 152
46.10 t2_aliases . . . 152
46.11 t2alive . . . 154
46.12 t2caplist . . . 155
46.13 t2conf . . . 155
46.14 t2dmon . . . 156
46.15 t2fm . . . 157
46.16 t2plot . . . 157
46.17 t2timeline . . . 158
46.18 t2update . . . 158
46.19 t2utils.sh . . . 158
46.20 t2wizard . . . 160
46.21 topNStat . . . 160
46.22 vc.c . . . 160

47 tawk . . . 161
47.1 Description . . . 161
47.2 Dependencies . . . 161
47.3 Installation . . . 161
47.4 Usage . . . 161
47.5 Related Utilities . . . 162
47.6 Functions . . . 162
47.7 Examples . . . 166
47.8 t2nfdump . . . 167
47.9 t2custom.awk . . . 168
47.10 Writing a tawk Function . . . 168
47.11 Awk Cheat Sheet . . . 169
47.12 Awk Templates . . . 170
47.13 Examples . . . 172

A Importing Tranalyzer Flows in Splunk . . . 174
A.1 Prerequisites . . . 174
A.2 Select Network Interface . . . 174
A.3 Configure Tranalyzer jsonSink Plugin . . . 174
A.4 Recompile the jsonSink Plugin . . . 174
A.5 Start Tranalyzer2 . . . 174
A.6 Start Splunk . . . 175
A.7 Login to Splunk, Import and Search Data . . . 175

B PDF Report Generation from PCAP using t2fm . . . 185
B.1 Introduction . . . 185
B.2 Prerequisites . . . 185
B.3 Step-by-Step Instructions . . . 186
B.4 Conclusion . . . 186

C Creating a Custom Plugin
C.1 Plugin Name
C.2 Plugin Number
C.3 Plugin Creation
C.4 Compilation
C.5 Error, warning, and informational messages
C.6 Accessible structures
C.7 Important structures

Copyright © 2008–2017 by Tranalyzer Development Team
C.8 Generating output . . . . . . . . . . . . . .
C.9 Writing repeated output . . . . . . . . . . .
C.10 Important notes . . . . . . . . . . . . . . .
C.11 Administrative functions . . . . . . . . . .
C.12 Processing functions . . . . . . . . . . . .
C.13 Timeout handlers . . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
187
187
187
187
188
188
188
188
188
195
195
195
196
199
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
D Advanced Performance Enhancements with PF_RING
i
c 2008–2017 by Tranalyzer Development Team
Copyright 201
CONTENTS
E Status
E.1 Global Plugins . .
E.2 Basic Plugins . . .
E.3 Protocol Plugins . .
E.4 Application Plugins
E.5 Math Plugins . . .
E.6 Classifier Plugins .
E.7 Output Plugins . .
CONTENTS
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
203
203
203
204
204
205
205
205
F TODO
206
F.1 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
F.2 Plugins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
G FAQ
G.1
G.2
G.3
G.4
G.5
G.6
G.7
G.8
G.9
G.10
If the hashtable is full, how much memory do I need to add? . . . . . . . . . . .
Can I change the timeout of a specific flow in my plugin? . . . . . . . . . . . . .
Can I reduce the maximal flow length? . . . . . . . . . . . . . . . . . . . . . . .
How can I change the separation character in the flow file? . . . . . . . . . . . .
How can I build all the plugins? . . . . . . . . . . . . . . . . . . . . . . . . . .
T2 failed to compile: What can I do? . . . . . . . . . . . . . . . . . . . . . . . .
T2 segfaults: What can I do? . . . . . . . . . . . . . . . . . . . . . . . . . . . .
T2 stalls after USR1 interrupt: What can I do? . . . . . . . . . . . . . . . . . . .
Can I reuse my configuration between different machines or Tranalyzer versions?
How to contribute code, submit a bug or request a feature? . . . . . . . . . . . .
j
c 2008–2017 by Tranalyzer Development Team
Copyright .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
207
207
207
207
207
207
207
208
208
208
208
CONTENTS
1 Introduction
Tranalyzer2 is a lightweight flow generator and packet analyzer designed for simplicity, performance and scalability. The
program is written in C and built upon the libpcap library. It provides functionality to pre- and post-process IPv4/IPv6
data into flows and enables a trained user to see anomalies and network defects even in very large datasets. It supports
analysis with special bit coded fields and generates statistics from key parameters of IPv4/IPv6 Tcpdump traces either
being live-captured from an Ethernet interface or one or several pcap files. The quantity of binary and text based output of
Tranalyzer2 depends on enabled modules, herein denoted as plugins. Hence, users have the possibility to tailor the output
according to their needs and developers can develop additional plugins independent of the functionality of other plugins.
1.1 Getting Tranalyzer
Tranalyzer can be downloaded from: https://tranalyzer.com/getit
1.2 Dependencies
Tranalyzer2 requires automake, libpcap and libtool:
Kali/Ubuntu:    sudo apt-get install automake libpcap-dev libtool
Arch:           sudo pacman -S automake libpcap libtool
Fedora/Red Hat: sudo yum install automake libpcap libpcap-devel libtool
Gentoo:         sudo emerge autoconf automake libpcap libtool
OpenSUSE:       sudo zypper install automake gcc libpcap-devel libtool
Mac OS X:       brew install autoconf automake libtool [1]

1.3 Compilation
To build Tranalyzer2 and the plugins, run one of the following commands:
• Tranalyzer2 only:
cd "$T2HOME/tranalyzer2"; ./autogen.sh
• Tranalyzer2 and a default set of plugins:
cd "$T2HOME"; ./autogen.sh
• Tranalyzer2 and all the plugins in T2HOME:
cd "$T2HOME"; ./autogen.sh -a
• Tranalyzer2 and a custom set of plugins (listed in plugins.build) (Section 1.3.1):
cd "$T2HOME"; ./autogen.sh -b
where T2HOME points to the trunk folder of Tranalyzer, i.e., where the file README.md is located.
For finer control of which plugins to load, refer to Section 2.2.
[1] Brew is a package manager for Mac OS X that can be found here: http://mxcl.github.com/homebrew

1.3.1 Custom Build
The -b option of the autogen.sh script takes an optional file name as argument. If none is provided, then the default
plugins.build is used. The format of the file is as follows:
• Empty lines and lines starting with a ’#’ are ignored (can be used to prevent a plugin from being built)
• One plugin name per row
• Example:
# Do not build the tcpStates plugin
#tcpStates
# Build the txtSink plugin
txtSink
A plugins.ignore file can also be used to prevent specific plugins from being built. A different filename can be
used with the -I option.
1.4 Installation
The -i option of the autogen.sh script installs Tranalyzer in /usr/local/bin (as tranalyzer) and the man page in
/usr/local/man/man1. Note that root rights are required for the installation.
Alternatively, use the file t2_aliases or add the following alias to your ~/.bash_aliases:
alias tranalyzer="$T2HOME/tranalyzer2/src/tranalyzer"
where T2HOME points to the trunk folder of Tranalyzer, i.e., where the file README.md is located.
The man page can also be installed manually, by calling (as root):
mkdir -p /usr/local/man/man1 && gzip -c man/tranalyzer.1 > /usr/local/man/man1/tranalyzer.1.gz
1.4.1 Aliases
The file t2_aliases documented in $T2HOME/scripts/doc/scripts.pdf contains a set of aliases and functions to
facilitate working with Tranalyzer. To install it, append the following code to ~/.bashrc or ~/.bash_aliases (make
sure to replace $T2HOME with the actual path, e.g., $HOME/int_tranalyzer/trunk):
if [ -f "$T2HOME/scripts/t2_aliases" ]; then
    . "$T2HOME/scripts/t2_aliases"    # Note the leading '.'
fi

1.5 Getting Started
Run Tranalyzer as follows:
tranalyzer -r file.pcap -w outfolder/outprefix
For a full list of options, use the -h or --help option (tranalyzer -h or tranalyzer --help) or refer to the
complete documentation.
1.6 Getting Help

1.6.1 Documentation
Tranalyzer and every plugin come with their own documentation, which can be found in the doc subfolder. The complete
documentation of Tranalyzer2 and all the locally available plugins can be generated by running make in $T2HOME/doc.
The file t2_aliases provides the function t2doc to allow easy access to the different parts of the documentation from
anywhere.
1.6.2 Man Page
If the man page was installed (Section 1.4), then accessing the man page is as simple as calling
man tranalyzer
If it was not installed, then the man page can be invoked by calling
man $T2HOME/tranalyzer2/man/tranalyzer.1
1.6.3 Help
For a full list of options, use the -h option: tranalyzer -h
1.6.4 FAQ
Refer to the complete documentation in $T2HOME/doc for a list of frequently asked questions.
1.6.5 Contact
Any feedback, feature requests and questions are welcome and can be sent to the development team via email at:
tranalyzer@rdit.ch
2 Tranalyzer2
Tranalyzer2 is designed in a modular way. Thus, the packet flow aggregation and the flow statistics are separated. While
the main program performs the header dissection and flow organisation, the plugins produce specialized output such as
packet statistics, mathematical transformations, signal analysis and result file generation.
2.1 Supported Link-Layer Header Types
Tranalyzer handles most PCAP link-layer header types automatically. Some specific types can be analyzed by switching
on flags in linktypes.h. The following table summarises the link-layer header types handled by Tranalyzer:
Linktype                 Description
DLT_C_HDLC               Cisco PPP with HDLC framing
DLT_C_HDLC_WITH_DIR      Cisco PPP with HDLC framing preceded by one byte direction
DLT_EN10MB               IEEE 802.3 Ethernet (10Mb, 100Mb, 1000Mb and up)
DLT_FRELAY               Frame Relay
DLT_FRELAY_WITH_DIR      Frame Relay preceded by one byte direction
DLT_IEEE802_11           IEEE802.11 wireless LAN
DLT_IEEE802_11_RADIO     Radiotap link-layer information followed by an 802.11 header
DLT_IPV4                 Raw IPv4
DLT_IPV6                 Raw IPv6
DLT_LINUX_SLL            Linux "cooked" capture encapsulation
DLT_NULL                 BSD loopback encapsulation
DLT_PPI                  Per-Packet Information
DLT_PPP                  Point-to-Point Protocol (partial support)
DLT_PPP_WITH_DIR         Point-to-Point Protocol preceded by one byte direction (partial)
DLT_PRISM_HEADER         Prism monitor mode information followed by an 802.11 header
DLT_RAW                  Raw IP
DLT_SYMANTEC_FIREWALL    Symantec Enterprise Firewall

2.2 Enabling/Disabling Plugins
The plugins are stored under ~/.tranalyzer/plugins. This folder can be changed with the -p option.
By default, all the plugins found in the plugin folder are loaded. This behaviour can be changed by altering the value
of USE_PLLIST in loadPlugins.h:12. The valid options are
USE_PLLIST   Description
0            load all plugins in the plugin folder (default)
1            use a whitelist (loading list)
2            use a blacklist

The following sections discuss the various ways to selectively enable/disable plugins.
2.2.1 Default
By default, all the files in the plugin folder named according to the following pattern are loaded:
^[0-9]{3}_[a-zA-Z0-9]+.so$
To disable a plugin, it must be removed from the plugin folder. A subfolder, e.g., disabled, can be used to store unused
plugins.
2.2.2 Whitelisting Plugins
If USE_PLLIST=1, the whitelist (loading list) is searched under the plugins folder with the name plugins.txt. The name
can be changed by adapting the value PL_LIST in loadPlugins.h:13. If the file is stored somewhere else, the Tranalyzer2
-b option can be used.
The format of the whitelist is as follows (empty lines and lines starting with a ‘#’ are ignored):
# This is a comment
# This plugin is whitelisted (will be loaded)
001_protoStats.so
# This plugin is NOT whitelisted (will NOT be loaded)
#010_basicFlow.so
Note that if a plugin is not present in the list, it will NOT be loaded.
2.2.3 Blacklisting Plugins
If USE_PLLIST=2, the blacklist is searched under the plugins folder with the name plugins.txt. The name can be
changed by adapting the value PL_LIST in loadPlugins.h:13. If the file is stored somewhere else, the Tranalyzer2 -b option
can be used.
The format of the blacklist is as follows (empty lines and lines starting with a ‘#’ are ignored):
# This is a comment
# This plugin is blacklisted (will NOT be loaded)
001_protoStats.so
# This plugin is NOT blacklisted (will be loaded)
#010_basicFlow.so
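The three selection modes of Sections 2.2.1 to 2.2.3 (filename pattern, whitelist, blacklist), as an added Python illustration that is not part of Tranalyzer2 or loadPlugins.h. The folder listing and the plugins.txt content are constructed sample inputs; the constant and function names are this example's own. It makes the whitelist caveat concrete: a plugin absent from the list (or commented out with '#') is simply not loaded.

```python
import re

# Only files named NNN_name.so are considered at all (pattern from Section 2.2.1;
# the '.' is escaped here so that it only matches a literal dot).
PLUGIN_NAME_RE = re.compile(r"^[0-9]{3}_[a-zA-Z0-9]+\.so$")

# Values of USE_PLLIST as documented in loadPlugins.h
USE_PLLIST_ALL, USE_PLLIST_WHITELIST, USE_PLLIST_BLACKLIST = 0, 1, 2

# Constructed directory listing of a plugin folder (not a real installation).
FOLDER_LISTING = ["010_basicFlow.so", "001_protoStats.so", "basicFlow.so",
                  "notes.txt", "disabled"]

# Constructed plugins.txt, in the format shown in Sections 2.2.2 and 2.2.3.
PLUGINS_TXT = """\
# This is a comment
# This plugin is listed
001_protoStats.so
# This plugin is NOT listed (commented out)
#010_basicFlow.so
"""


def parse_plugin_list(text):
    """Return the plugin names listed in a plugins.txt file.

    Empty lines and lines starting with '#' are ignored, so '#010_basicFlow.so'
    is not part of the list.
    """
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.append(line)
    return names


def select_plugins(folder_files, use_pllist, list_text=""):
    """Apply the USE_PLLIST rule to a folder listing; returns the files to load,
    sorted by name (the NNN_ prefix therefore yields the plugin load order)."""
    candidates = sorted(f for f in folder_files if PLUGIN_NAME_RE.match(f))
    if use_pllist == USE_PLLIST_ALL:
        return candidates
    listed = set(parse_plugin_list(list_text))
    if use_pllist == USE_PLLIST_WHITELIST:
        # Not in the list => NOT loaded
        return [f for f in candidates if f in listed]
    if use_pllist == USE_PLLIST_BLACKLIST:
        # In the list => NOT loaded
        return [f for f in candidates if f not in listed]
    raise ValueError(f"unknown USE_PLLIST value: {use_pllist}")


if __name__ == "__main__":
    for mode in (USE_PLLIST_ALL, USE_PLLIST_WHITELIST, USE_PLLIST_BLACKLIST):
        print(mode, select_plugins(FOLDER_LISTING, mode, PLUGINS_TXT))
```

The same plugins.txt text serves as whitelist and blacklist; only USE_PLLIST decides how it is interpreted, which is why checking the value in loadPlugins.h is the first step when an expected plugin column is missing from the flow file.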
2.2.4 Graphical Configuration and Building of T2 and Plugins
Tranalyzer2 comes with a script named t2conf allowing easy configuration of all the plugins through a command line
based graphical menu:
Use the arrows on your keyboard to navigate up and down and between the buttons. The first window is only displayed
if the -t2 option is used. The Edit and Configure buttons will launch a text editor ($EDITOR or vim [2] if the environment
variable is not defined). The second window can be used to activate and deactivate plugins (toggle the active/inactive state
with the space key).
To access the script from anywhere, use the provided install.sh script, install t2_aliases or manually add the
following alias to ~/.bash_aliases:
alias t2conf="$T2HOME/scripts/t2conf/t2conf"
where $T2HOME is the folder containing the source code of Tranalyzer2 and its plugins.

[2] The default editor can be changed by editing the variable DEFAULT_EDITOR (line 7)
A man page for t2conf is also provided and can be installed with the install.sh script.
2.3 Man Page
If the man page was installed (Section 1.4), then accessing the man page is as simple as calling
man tranalyzer
If it was not installed, then the man page can be invoked by calling
man $T2HOME/tranalyzer2/man/tranalyzer.1
2.4 Invoking Tranalyzer
As stated earlier Tranalyzer2 either operates on Ethernet/DAG interfaces or pcap files. It may be invoked using a BPF if
only certain flows are interesting. The required arguments are listed below. Note that the -i, -r, -R and -D options cannot
be used at the same time.
2.4.1 Help
For a full list of options, use the -h option: tranalyzer -h
Tranalyzer 0.7.0 - High performance flow based network traffic analyzer

Usage:
    tranalyzer [OPTION...] <INPUT>

Input:
    -i IFACE                  Listen on interface IFACE
    -r PCAP                   Read packets from PCAP file or from stdin if PCAP is "-"
    -R FILE                   Process every PCAP file listed in FILE
    -D EXPR[:SCHR][,STOP]     Process every PCAP file whose name matches EXPR, up to an
                              optional last index STOP. If STOP is omitted, then Tranalyzer
                              never stops. EXPR can be a filename, e.g., file.pcap0, or an
                              expression, such as "dump*.pcap00", where the star matches
                              anything (note the quotes to prevent the shell from
                              interpreting the expression). SCHR can be used to specify the
                              the last character before the index (default: 'p')

Output:
    -w PREFIX                 Append PREFIX to any output file produced. If omitted, then
                              output is diverted to stdout
    -W PREFIX[:SIZE][,START]  Like -w, but fragment flow files according to SIZE, producing
                              files starting with index START. SIZE can be specified in bytes
                              (default), KB ('K'), MB ('M') or GB ('G'). Scientific notation,
                              i.e., 1e5 or 1E5 (=100000), can be used as well. If a 'f' is appended,
                              the fragments denote number of flows
    -l                        Print end report in PREFIX_log.txt instead of stdout
    -s                        Packet forensics mode

Optional arguments:
    -p PATH                   Load plugins from path PATH instead of ~/.tranalyzer/plugins
    -b FILE                   Use plugin list FILE instead of plugin_folder/plugins.txt
    -e FILE                   Creates a PCAP file by extracting all packets belonging to
                              flow indexes listed in FILE
    -f HashFactor             Sets hash multiplication factor
    -x ID                     Sensor ID
    -c CPU                    Bind tranalyzer to one core. If CPU is 0 then OS selects the
                              core to bind
    -F FILE                   Read BPF filter from FILE
    -v                        Show the version of the program and exit
    -h                        Show help options and exit

Remaining arguments:
    BPF                       Berkely Packet Filter command, as in tcpdump
2.4.2 -i INTERFACE
Capture data from an Ethernet interface INTERFACE. Note that this option requires root privileges.
tranalyzer -i eth0 -w out
2.4.3 -r FILE
Capture data from a pcap file FILE.
tranalyzer -r file.pcap -w out
The special file '-' can be used to read data from stdin. This allows, e.g., processing compressed pcap files such as
file.pcap.gz with the following command:
zcat file.pcap.gz | tranalyzer -r - -w out
2.4.4 -R FILE
Process all the pcap files listed in FILE. All files are treated as one large file, so the lifetime of a flow can extend over
many files. The processing order is defined by the position of the filenames in the text file. The absolute path has to be
specified. The gpl script documented in $T2HOME/scripts/scripts.pdf can be used to generate such a list. All lines
starting with a '#' are considered as comments and thus ignored.
cd ~/pcap/
$T2HOME/scripts/gpl > pcap_list.txt
tranalyzer -R pcap_list.txt -w out
2.4.5 -D FILE[*][.ext]#1[:SCHR][,#2]
Process files in a directory using file start and stop index, defined by #1 and #2 respectively. ext can be anything, e.g.,
.pcap, and can be omitted. If #2 is omitted and not in round robin mode, then Tranalyzer2 never stops and waits until
the next file in the increment is available. If leading zeroes are used, #2 defaults to 10^number_length − 1. Note that only the
last occurrence of SCHR is considered, e.g., if SCHR='p', then out.pcap001 will work, but out001pcap will not. With the
:SCHR option a new separation character can be set, superseding the SCHR defined in tranalyzer.h.
The following variables in tranalyzer.h can be used to configure this mode:
Name       Default   Description
RROP       0         Whether (1) or not (0) to activate round robin operations
                     WARNING: if set to 1, then findexer will not work anymore
POLLTM     5         Poll timing (in seconds) for files
MFPTMOUT   0         > 0: timeout for poll > POLLTM, 0: no poll timeout
SCHR       'p'       Separating character for file number
For example, when using tcpdump to capture traffic from an interface (eth0) and produce 100MB files as follows:
sudo tcpdump -C 100 -i eth0 -w out.pcap
The following files are generated: out.pcap, out.pcap1, out.pcap2, . . . , out.pcap10, . . .
Then SCHR must be set to ‘p’, i.e., the last character before the file number (out.pcapNUM) and Tranalyzer must be
run as follows:
tranalyzer -D out.pcap -w out
Or to process files 10 to 100:
tranalyzer -D out.pcap10,100 -w out
Or to process files 10 to 100 in another format:
tranalyzer -D out10.pcap,100 -w out
Or to process files from 0 to 2^32 − 1 using regex characters:
tranalyzer -D "out*.pcap" -w out
The last command can be shortened further, the only requirement being the presence of SCHR (the last character before
the file number) in the pattern:
tranalyzer -D "*p" -w out
Note the quotes (") which are necessary to avoid preemptive interpretation of regex characters and SCHR which MUST appear in the pattern. The same configuration can be used for filenames using one or more leading zeros, e.g., out.pcap000,
out.pcap001, out.pcap002, . . . , out.pcap010, . . .
The following table summarises the supported naming patterns and the configuration required:
Filenames                                                       SCHR   Command
out.pcap, out.pcap1, out.pcap2, ...                             'p'    tranalyzer -D out.pcap -w out
out.pcap00, out.pcap01, out.pcap02, ...                         'p'    tranalyzer -D out.pcap00 -w out
out0.pcap, out1.pcap, out2.pcap, ...                            't'    tranalyzer -D out0.pcap -w out
out00.pcap, out01.pcap, out02.pcap, ...                         't'    tranalyzer -D out00.pcap -w out
out_24.04.2016.20h00.pcap, out_24.04.2016.20h00.pcap1, ...      'p'    tranalyzer -D "out*.pcap" -w out
out_24.04.2016.20h00.pcap00, out_24.04.2016.20h00.pcap01, ...   'p'    tranalyzer -D "out*.pcap00" -w out
out0.pcap, out1.pcap, out2.pcap, ...                            't'    tranalyzer -D out0.pcap:t -w out
out.pcap00, out.pcap01, out.pcap02, ...                         'p'    tranalyzer -D out.pcap00:p -w out
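The SCHR rule of Section 2.4.5 (index after the last occurrence of the separating character, '*' wildcard, start index #1, stop index #2 defaulting to 10^number_length − 1 with leading zeros), as an added Python illustration; this is not Tranalyzer2's implementation, and the directory listings used are constructed. Treating a lone '0' as a plain start index rather than as a leading zero is this example's assumption.

```python
import re


def split_index(filename, schr="p"):
    """Find the file index after the LAST occurrence of SCHR.

    Returns (base, index, width, tail): base is everything up to and
    including SCHR, width the number of digits (0 when the name carries no
    index, as tcpdump's first file out.pcap) and tail whatever follows the
    digits, e.g. '.pcap' for out0.pcap with SCHR='t'.  Returns None when
    SCHR does not occur at all.
    """
    pos = filename.rfind(schr)
    if pos < 0:
        return None
    base, rest = filename[: pos + 1], filename[pos + 1 :]
    m = re.match(r"([0-9]*)(.*)$", rest)
    digits, tail = m.group(1), m.group(2)
    return base, (int(digits) if digits else 0), len(digits), tail


def default_stop(digits):
    """#2 when omitted: 10^number_length - 1 if leading zeros are used
    (e.g. '00'), otherwise None, i.e. keep waiting for the next file.
    A single '0' is treated as a plain start index (assumption)."""
    if len(digits) > 1 and digits.startswith("0"):
        return 10 ** len(digits) - 1
    return None


def order_capture_files(filenames, expr, schr="p", stop=None):
    """Select the files of a -D EXPR series from a directory listing and
    return them in index order.  '*' in EXPR matches anything; the digits
    after the last SCHR in EXPR are the start index #1, `stop` is #2.
    """
    parsed = split_index(expr, schr)
    if parsed is None:
        raise ValueError(f"SCHR {schr!r} must appear in {expr!r}")
    base, start, width, tail = parsed
    if stop is None:
        stop = default_stop(expr[len(base):len(base) + width])
    pattern = re.compile(
        "^" + re.escape(base).replace(r"\*", ".*") + r"([0-9]*)" + re.escape(tail) + "$"
    )
    selected = []
    for name in filenames:
        m = pattern.match(name)
        if not m:
            continue
        index = int(m.group(1)) if m.group(1) else 0
        if index < start or (stop is not None and index > stop):
            continue
        selected.append((index, name))
    return [name for _, name in sorted(selected)]


# Constructed directory listings (no real captures)
FILES = ["out.pcap2", "out.pcap", "out.pcap10", "out.pcap1", "other.pcap", "out001pcap"]
ZERO_PADDED = ["out.pcap00", "out.pcap01", "out.pcap10", "out.pcap100"]
T_SERIES = ["out2.pcap", "out0.pcap", "out1.pcap"]

if __name__ == "__main__":
    print(order_capture_files(FILES, "out.pcap"))
    print(order_capture_files(ZERO_PADDED, "out.pcap00"))
    print(order_capture_files(T_SERIES, "out0.pcap", schr="t"))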
2.4.6 -w PREFIX
Use a PREFIX for all output file types. The number of files produced varies with the number of activated plugins.
The file suffixes are defined in the file tranalyzer.h (see Section 2.9.14) or in the header files for the plugins. If you forget
to specify an output file, Tranalyzer will use the input interface name or the file name as file prefix and print the flows to
stdout. Thus, Tranalyzer output can be piped into other command line tools, such as netcat in order to produce centralized
logging to another host or an AWK script for further post processing without intermediate writing to a slow disk storage.
2.4.7 -W PREFIX[:SIZE][,START]
This option allows the fragmentation of flow files produced by Tranalyzer independent of the input mode. The expression
before the ’:’ is the output prefix, the expression after the ’:’ denotes the maximal file size for each fragment and the
number after the ’,’ denotes the start index of the first file. If omitted it defaults to 0. The size of the files can be specified
in bytes (default), KB (’K’), MB (’M’) or GB (’G’). Scientific notation, i.e., 1e5 or 1E5 (=100000), can be used as well.
If no size is specified, the default value of 500MB, defined by OFRWFILELN in tranalyzer.h is used. If no size is specified,
then the ’:’ can be omitted. The same happens if no start index is specified. If an additional ’f’ is appended the unit is
flow count. This enables the user to produce file chunks containing the same amount of flows. Some typical examples are
shown below.
Command                                    Fragment Size   Start Index   Output Files
tranalyzer -r nudel.pcap -W out:1.5E9,10   1.5GB           10            out10, out11, ...
tranalyzer -r nudel.pcap -W out:1.5e9,5    1.5GB           5             out5, out6, ...
tranalyzer -r nudel.pcap -W out:1.5G,1     1.5GB           1             out1, out2, ...
tranalyzer -r nudel.pcap -W out:5000K      0.5MB           0             out0, out1, ...
tranalyzer -r nudel.pcap -W out:5Kf        5000 Flows      0             out0, out1, ...
tranalyzer -r nudel.pcap -W out:180M       180MB           0             out0, out1, ...
tranalyzer -r nudel.pcap -W out:2.5G       2.5GB           0             out0, out1, ...
tranalyzer -r nudel.pcap -W out,5          OFRWFILELN      0             out0, out1, ...
tranalyzer -r nudel.pcap -W out            OFRWFILELN      0             out0, out1, ...
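The -W argument grammar described in Section 2.4.7, as an added Python parser that is not part of Tranalyzer2. It handles the optional ':SIZE' and ',START' parts, the K/M/G units, scientific notation and the trailing 'f' for flow counts. The byte value of OFRWFILELN and the decimal (not binary) unit multipliers are assumptions of this example; the manual only names them.

```python
import re

# Default fragment size used when SIZE is omitted: OFRWFILELN in tranalyzer.h is
# documented as 500MB; the exact byte value is this example's assumption.
OFRWFILELN = 500 * 1000 * 1000

# Unit multipliers: 'K', 'M', 'G' are taken as decimal multiples here (assumption;
# the manual only names the units).
_UNIT = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

# number [unit] [f]  e.g. 1.5E9, 5000K, 5Kf, 2.5G
_SIZE_RE = re.compile(r"([0-9]*\.?[0-9]+(?:[eE][0-9]+)?)([KMG]?)(f?)$")


def parse_w_option(arg):
    """Parse a -W PREFIX[:SIZE][,START] argument.

    Returns (prefix, size, unit, start): unit is "bytes" or, if SIZE ends
    with 'f', "flows"; an omitted SIZE yields OFRWFILELN and an omitted
    START yields 0, so "out,5" and "out" are both accepted.
    """
    if ":" in arg:
        prefix, _, rest = arg.partition(":")
        size_s, _, start_s = rest.partition(",")
    else:
        prefix, _, start_s = arg.partition(",")
        size_s = ""
    start = int(start_s) if start_s else 0
    if not size_s:
        return prefix, OFRWFILELN, "bytes", start
    m = _SIZE_RE.match(size_s)
    if not m:
        raise ValueError(f"invalid SIZE in -W argument: {size_s!r}")
    number, unit, flows = m.groups()
    size = int(float(number) * _UNIT[unit])
    return prefix, size, "flows" if flows else "bytes", start


def output_file_names(prefix, start, count):
    """First `count` fragment names produced for a given prefix/start index."""
    return [f"{prefix}{start + i}" for i in range(count)]


if __name__ == "__main__":
    for arg in ("out:1.5E9,10", "out:5Kf", "out,5", "out"):
        prefix, size, unit, start = parse_w_option(arg)
        print(arg, "->", size, unit, output_file_names(prefix, start, 2))
```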
2.4.8 -l
All Tranalyzer command line and report output is diverted to the log file: PREFIX_log.txt. Fatal error messages still
appear on the command line.
2.4.9 -s
Initiates the packet mode, where a file with the suffix PREFIX_packets.txt is created. The content of the file depends
on the plugins loaded. The display of the packet number (first column) is controlled by SPKTMD_PKTNO in main.h. The
layer 7 payload can be displayed in hexadecimal and/or as characters by setting SPKTMD_PCNTH and SPKTMD_PCNTC,
respectively. A tab separated header description line is printed at the beginning of the packet file. The first two lines then
read as follows:
% pktNo time pktIAT duration flowInd flowStat numHdrDesc hdrDesc ethVlanID ethType macS macD srcIP4 srcPort dstIP4 dstPort l4Proto ipTOS ipID ipIDDiff ipFrag ipTTL ipHdrChkSum ipCalChkSum l4HdrChkSum l4CalChkSum ipFlags pktLen ipOptLen ipOpts seq ack seqDiff ackDiff seqPktLen ackPktLen tcpStat tcpFlags specialFlags tcpWin tcpOptLen tcpOpts l7Content ...
25 1291753225.446846 0.000000 0.000000 23 0x00006000 6 eth:vlan:mpls{2}:ipv4:tcp 20 0x0800 00:90:1a:41:fa:45 00:13:c4:52:4a:07 188.62.56.56 62701 212.243.221.241 80 6 0x00 0x26f6 0 0x4000 62 0x6ca6 0x6ca6 0x0247 0x0247 0x0040 460 0  0xb2a08909 0x90314073 0 0 0 0 0x59 0x18 0x0000 65535 12 0x01 0x01 0x08 0x0a 0x29 0x2d 0xc3 0x6e 0x83 0x63 0xc5 0x76 GET /images/I/01TnJ0+mhnL.png HTTP/1.1\r\nHost: ecx.images-amazon.com\r\nUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8\r\nAccept: image/png,image/*;q=0.8,*/*;q=0.5\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 115\r\nConnection: keep-alive\r\nReferer: http://z-ecx.images-amazon.com/images/I/11J5cf408UL.css\r\n\r\n
...
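Reading PREFIX_packets.txt back and comparing the captured header checksums with the ones Tranalyzer recomputed (ipHdrChkSum vs. ipCalChkSum, l4HdrChkSum vs. l4CalChkSum), as an added Python example that is not Tranalyzer2 code. The two-record sample is constructed: it keeps a subset of the columns shown above, reuses the first packet's values and invents a second packet whose IP header checksum deliberately differs from the recomputed one.

```python
# Constructed sample in the layout of PREFIX_packets.txt: a '%' header line
# followed by tab-separated records (subset of columns, second record invented).
SAMPLE_PACKETS = (
    "% pktNo\ttime\tflowInd\tsrcIP4\tsrcPort\tdstIP4\tdstPort\tl4Proto\t"
    "ipHdrChkSum\tipCalChkSum\tl4HdrChkSum\tl4CalChkSum\ttcpFlags\tpktLen\n"
    "25\t1291753225.446846\t23\t188.62.56.56\t62701\t212.243.221.241\t80\t6\t"
    "0x6ca6\t0x6ca6\t0x0247\t0x0247\t0x18\t460\n"
    "26\t1291753225.446901\t23\t212.243.221.241\t80\t188.62.56.56\t62701\t6\t"
    "0x1b2c\t0x1b2d\t0x91a0\t0x91a0\t0x10\t0\n"
)


def parse_packet_file(text):
    """Return one dict per record, keyed by the names in the '%' header line."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("%"):
        raise ValueError("missing '%' header line")
    columns = lines[0][1:].strip().split("\t")
    records = []
    for line in lines[1:]:
        if not line.strip():
            continue
        values = line.split("\t")
        if len(values) != len(columns):
            raise ValueError(f"column count mismatch: {len(values)} vs {len(columns)}")
        records.append(dict(zip(columns, values)))
    return records


def checksum_mismatches(records):
    """(pktNo, layer) for every packet whose header checksum differs from the
    checksum Tranalyzer recomputed.  Candidates for a closer look: corrupted
    or crafted packets, or checksum offload on the capturing host."""
    found = []
    for r in records:
        pkt_no = int(r["pktNo"])
        if int(r["ipHdrChkSum"], 16) != int(r["ipCalChkSum"], 16):
            found.append((pkt_no, "ip"))
        if int(r["l4HdrChkSum"], 16) != int(r["l4CalChkSum"], 16):
            found.append((pkt_no, "l4"))
    return found


if __name__ == "__main__":
    recs = parse_packet_file(SAMPLE_PACKETS)
    print(len(recs), "packets;", "mismatches:", checksum_mismatches(recs))
```

When the capture was taken on the sending host itself, IP and TCP checksum mismatches on outgoing packets are usually the NIC's checksum offload (the kernel hands the packet to the NIC before the checksum is filled in), so the same check is far more meaningful on a tap or SPAN port capture.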
2.4.10 -p FOLDER
Changes the plugin folder from standard ~/.tranalyzer/plugins to FOLDER.
2.4.11 -b FILE
Changes the plugin blacklist file from plugin_folder/plugin_blacklist.txt to FILE, where plugin_folder is either
~/.tranalyzer/plugins or the folder specified with the -p option.
2.4.12 -e FLOWINDEXFILE
Denotes the filename and path of the flow index file when the pcapd plugin is loaded. The path and name of the pcap file
depends on FLOWINDEXFILE. If omitted the default names for the PCAP file are defined in pcapd.h. The format of the
FLOWINDEXFILE is a list of 64 bit flow indices which define the packets to be extracted from the pcap being read by the
-r option. In general the user should use a plain file with the format displayed below:
# Comments (ignored)
% Flow file info (ignored)
30
3467
656697
5596
For more information on the pcapd plugin please refer to its documentation.
2.4.13 -f HASHFACTOR
Sets and supersedes the HASHFACTOR constant in tranalyzer.h.
2.4.14 -x SENSORID
Each T2 can have a separate sensor ID which can be listed in a flow file in order to differentiate flows originating from
several interfaces during post processing, e.g., in a DB. If not specified T2_SENSORID (666), defined in tranalyzer.h, will
be the default value.
2.4.15 -c CPU
Bind Tranalyzer to core number CPU; if CPU == 0 then the operating system selects the core to bind.
2.4.16 -F FILE
Read BPF filter from FILE. A filter can span multiple lines and can be commented using the ’#’ character (everything
following a ’#’ is ignored).
2.4.17 BPF Filter
A Berkeley Packet Filter (BPF) can be specified at any time in order to reduce the amount of flows being produced and to
increase speed during live capture. All rules of pcap BPF apply.
2.5 Description of ioBuffer.h

Name                     Default   Description
ENABLE_IO_BUFFERING      0         Enables buffering of the packets in a queue

If ENABLE_IO_BUFFERING == 1, the following flags are available:

Name                     Default   Description
IO_BUFFER_FULL_WAIT_MS   200       Number of milliseconds to wait if queue is full
IO_BUFFER_SIZE           8192      Maximum number of packets that can be stored in the buffer (power of 2)
IO_BUFFER_MAX_MTU        2048      Maximum size of a packet (divisible by 4)
2.6 Description of main.h
The monitoring mode can be configured with the following constants:
Name              Default                              Description
SPKTMD_PKTNO      1                                    Whether or not to print the packet number
SPKTMD_PCNTC      1                                    Whether or not to print L7 content as characters
SPKTMD_PCNTH      0                                    Whether or not to print L7 content as hex
MAXSTATCHARS      500                                  Maximum input line length for statistics file
MONINTTHRD        0                                    1: Monitoring: Threaded interrupt handling
MONINTBLK         0                                    1: Monitoring: Block interrupts in main loop during
                                                       packet processing, disables MONINTTHRD
MONINTSYNC        0                                    1: Monitoring: Synchronized print statistics
MONINTTMPCP       0                                    Monitoring: 1: pcap time base, 0: real time base
MONINTV           1                                    >= 1 sec interval of monitoring output if USR2 is sent
                                                       or MONINTTMPCP=1
MONPROTMD         1                                    Monitoring: 0: protocol numbers; 1: protocol names
MONPROTL3         1,2,6,17,132                         L3 protocol numbers to monitor
MONPROTL2         0x0042,0x00fe,0x0806,0x0800,0x86dd   L2 Ether type numbers to monitor
MONPROTFL         "proto.txt"                          proto file
MIN_MAX_ESTMATE   0                                    Min/Max bandwidth statistics
USRINT submits a ^C to Tranalyzer interrupting the flow production process. If two USRINT interrupts are being sent
in short order Tranalyzer will be terminated instantly. It is the same behaviour as a command line ^C invocation.
2.7 Description of networkHeaders.h
Name              Default   Description
IPV6_ACTIVATE     0         1: Activate IPv6 dissection, deactivate IPv4
ETH_ACTIVATE      0         1: Activate Ethernet flows, only known protocols
ALL_L2_ACTIVE     0         All L2 protocols, even crafted, will be coded into a flow   [Flags: ETH_ACTIVATE=1]
SCTP_ACTIVATE     0         SCTP protocol decoder for stream → flow generation is activated
SCTP_STATFINDEX   0         1: findex constant for all SCTP streams in a packet   [Flags: SCTP_ACTIVATE=1]
                            0: findex increments
MULTIPKTSUP       0         Multi-packet suppression (discard duplicated packets)   [Flags: IPV6_ACTIVATE=0]
T2_PRI_HDRDESC    1         1: keep track of the headers traversed
T2_HDRDESC_AGGR   1         1: aggregate repetitive headers, e.g., vlan{2}   [Flags: T2_PRI_HDRDESC=1]
T2_HDRDESC_LEN    128       max length of the headers description   [Flags: T2_PRI_HDRDESC=1]

2.8 Description of packetCapture.h
The config file packetCapture.h provides control over the packet capture and packet structure process of Tranalyzer2.
The most important fields are described below. Please note that after changing any value in define statements a rebuild is
required. Note that the PACKETLENGTH switch controls the packetLength variable in the packet structure, i.e., the layer
from which the packet length is measured, so statistical plugins such as basicStats can have a layer dependent output. If only
the L7 length is needed, use the packetL7length variable in the packet structure.
Name               Default   Description
PACKETLENGTH       3         0: including L2, L3 and L4 header
                             1: including L3 and L4 header
                             2: including L4 header
                             3: only higher layer payload (Layer 7)
FRGIPPKTLENVIEW    1         0: IP header stays with 2nd++ fragmented packets   [Flags: PACKETLENGTH=1]
                             1: IP header stripped from 2nd++ fragmented packets
NOLAYER2           0         0: Automatic L3 header discovery
                             1: Manual L3 header positioning
NOL2_L3HDROFFSET   0         Offset of L3 header   [Flags: NOLAYER2=1]
MAXHDRCNT          5         Maximal header count (MUST be ≥ 3)   [Flags: IPV6_ACTIVATE=1]

2.9 Description of tranalyzer.h
Name                     Default  Description
REPSUP                   0        Activate alive mode
PID_FNM_ACT              0        Save the PID into a file PID_FNM (default: "tranalyzer.pid")
DEBUG                    0        0: no debug output
                                  1: debug output occurs only once or very seldom
                                  2: debug output occurs in special situations, but not regularly
                                  3: debug output occurs regularly (every packet)
VERBOSE                  2        0: no output
                                  1: basic pcap report
                                  2: full traffic statistics
MEMORY_DEBUG             0        0: no memory debug
                                  1: detect leaks and overflows (see utils/memdebug.h)
NO_PKTS_DELAY_US         1000     If no packets are available, sleep for n microseconds
NON_BLOCKING_MODE        1        Non-blocking mode
MAIN_OUTPUT_BUFFER_SIZE  1000000  Size of the main output buffer
SNAPLEN                  BUFSIZ   Snapshot length (live capture)
CAPTURE_TIMEOUT          1000     Read timeout in milliseconds (live capture)
ENABLE_BPF_OPTIMIZATION  0        Optimize BPF filters
TSTAMP_PREC              0        Timestamp precision: 0: microseconds, 1: nanoseconds
TSTAMP_UTC               1        Time representation: 0: localtime, 1: UTC
TSTAMP_R_UTC             0        Time report representation: 0: localtime, 1: UTC
ALARM_MODE               0        Only output flow if an alarm-based plugin fires
ALARM_AND                0        0: logical OR, 1: logical AND
FORCE_MODE               0        Parameter induced flow termination (NetFlow mode)
BLOCK_BUF                0        Block unnecessary buffer output when non Tranalyzer format event based plugins are active
Flags
ALARM_MODE=1
Name             Default  Description
PLUGIN_REPORT    1        Enable plugins to contribute to Tranalyzer end report
DIFF_REPORT      0        0: absolute Tranalyzer command line USR1 report
                          1: differential report
MACHINE_REPORT   0        USR1 report: 0: human compliant, 1: machine compliant
REPORT_HIST      0        Store statistical report history in REPORT_HIST_FILE after shutdown and reload it when restarted
ESOM_DEP         0        Allow plugins to globally access plugin dependent variables
TEREDO           1        Activate TEREDO processing
AYIYA            1        Activate AYIYA processing
L2TP             1        Activate L2TP processing
GRE              1        Activate GRE processing
GTP              1        Activate GTP (GPRS Tunneling Protocol) processing
VXLAN            1        Activate VXLAN (Virtual eXtensible Local Area Network) processing
IPIP             1        Activate IPv4/6 in IPv4/6 processing
ETHIP            1        Activate Ethernet within IP IPv4/6 processing
CAPWAP           1        Activate CAPWAP processing
FRAGMENTATION    1        Activate fragmentation processing
FRAG_HLST_CRFT   1        Enables crafted packet processing
FRAG_ERROR_DUMP  0        Dumps flawed fragmented packet to stdout
IPVX_INTERPRET   0        Interpret bogus IPvX packets
RELTIME          0        0: absolute time
                          1: relative time
FDURLIMIT        0        If > 0, force flow life span to n ± 1 seconds
FLOW_TIMEOUT     182      Flow timeout after a packet is not seen after n seconds

Flags
FRAGMENTATION=1
2.9.1 PLUGIN_FOLDER
This constant defines the standard directory where all plugins including necessary files reside. The standard path is
.tranalyzer/plugins/.
2.9.2 -D constants
The following constants influence the file name convention:
Name    Default  Description
RROP    0        round robin operations
POLLTM  5        poll timing for files
SCHR    'p'      separating character for file number
2.9.3 Alive signal
The alive signal is a derivative of the passive monitoring mode triggered by the USR1 signal, where the report is deactivated. If
REPSUP=1 then only the command defined by REPCMDAS/W is sent to the control program defined by ALVPROG as defined
below:
Name      Default                                                    Description
REPSUP    0                                                          0: alive mode off, 1: alive mode on, monitoring report suppressed
ALVPROG   "t2alive"                                                  name of control program
REPCMDAS  "a=`pgrep "ALVPROG"`; if [ $a ]; then kill -USR1 $a; fi"   alive and stall USR1 signal (no packets)
REPCMDAW  "a=`pgrep "ALVPROG"`; if [ $a ]; then kill -USR2 $a; fi"   alive and well USR2 signal (working)
If T2 crashes or is stopped, a syslog message is issued by the t2alive daemon. The same happens when T2 gets started.
2.9.4 FORCE_MODE
A 1 enables the force mode, which allows any plugin to force the output of flows independent of the timeout value. Hence,
periodic output similar to Cisco NetFlow can be produced, or an overflowing counter can produce a flow and restart a new one.
2.9.5 ALARM_MODE
A 1 enables the alarm mode, which differs from the default flow mode in that the plugins control the flow output of the Tranalyzer
core. It is useful for classification plugins generating alarms, thus emulating alarm based software such as Snort, etc.
The default value is 0. The plugin sets the global output suppress variable supOut=1 in the onFlowTerminate() function
before any output is generated. This mode also allows multiple classification plugins to be combined with an 'AND' or an 'OR'
operation if many alarm generating plugins are loaded. The variable ALARM_AND controls the logical alarm operation. Sample
code which has to be present at the beginning of the onFlowTerminate() function is shown below:
#if ALARM_MODE == 1
#if ALARM_AND == 0
    if (!Alarm) supOut = 0;
#else // ALARM_AND == 1
    if (!Alarm) {
        supOut = 1;
        return;
    }
#endif // ALARM_AND
#endif // ALARM_MODE == 1
Figure 1: A sample code in the onFlowTerminate() routine
2.9.6 BLOCK_BUF
If set to '1', unnecessary buffered output from all plugins is blocked when non Tranalyzer format event based plugins are
active, e.g. syslog or arcsight, and no text-based or binary output plugins are loaded.
2.9.7 Report Modes
Tranalyzer provides a user interrupt based report and a final report. The interrupt based mode can be configured in a
variety of ways, defined below.
Name            Default  Description
PLUGIN_REPORT   0        enable plugins to contribute to the tranalyzer command line end report
DIFF_REPORT     0        1: differential, 0: Absolute tranalyzer command line USR1 report
MACHINE_REPORT  0        USR1 Report 1: machine compliant; 0: human compliant
The following interrupts are caught by Tranalyzer2:
Signal Name  Description
SIGINT       like ^C, terminates new flow production
SIGTERM      terminates tranalyzer
SIGUSR1      prints statistics report
SIGUSR2      toggles repetitive statistics report
2.9.8 State and statistical save mode
T2 is capable of preserving its internal statistical state and certain vital global variables, such as the findex.
Name              Default          Description
REPORT_HIST       0                Store statistical report history after shutdown, reload it upon restart
REPORT_HIST_FILE  "stat_hist.txt"  default statistical report history filename
The history file is stored by default under ./tranalyzer/plugins or under the directory defined by a -p option.
2.9.9 L2TP
A '1' activates the L2TP processing of the Tranalyzer2 core. All L2TP headers, whether encapsulated in MPLS or not, will
be processed and followed down via PPP headers to the IP header and then passed to the IP processing. The default value
of the variable is '0'. Then the stack will be parsed until the first IP header is detected, so all L2TP UDP headers having
src and dest port 1701 will be processed as normal UDP packets.
2.9.10 GRE
A '1' activates the L3 Generic Routing Encapsulation (L4proto=47) processing of the Tranalyzer2 core. All GRE headers,
whether encapsulated in MPLS or not, will be processed and followed down via PPP headers to the IP header and then
passed to the IP processing. The default value of the variable is 0. Then the stack will be parsed until the first IP header
is detected. If the encapsulated content is missing or compressed, the flow will contain only L4proto = 47 information.
2.9.11 FRAGMENTATION
A '1' activates the fragmentation processing of the Tranalyzer2 core. All packets following the header packet will be
assembled in the same flow. The core and the plugin tcpFlags will provide special flags for fragmentation anomalies. If
FRAGMENTATION is set to 0 only the initial fragment will be processed; all later fragments will be ignored.
2.9.12 FRAG_HLST_CRFT
A '1' enables crafted packet processing even when the lead fragment is missing or packets contain senseless flags, as
seen in attacks or equipment failures. The default value is 0.
2.9.13 FRAG_ERROR_DUMP
A '1' activates the dump of packet information on the command line for time based identification of ill-fated or crafted
fragments in tcpdump or wireshark. It provides the Unix timestamp, the six tuple, IPID and fragID as outlined in the figure
below. The default value is 0.
                    time               vlan  srcIP           srcPort  dstIP           dstPort  proto     fragID  frag offset
1. frag not found @ 1291753225.639627  20    86.51.18.243    17664    92.105.108.208  54       17     -  0x0DAE  0x00AC
1. frag not found @ 1291753225.655378  20    92.104.181.154  17664    93.144.66.3     150      17     -  0x1941  0x00A0
1. frag not found @ 1291753225.825724  20    86.51.18.243    17664    92.105.108.208  54       17     -  0x0DC1  0x00AC
1. frag not found @ 1291753225.850076  20    86.51.18.243    17664    92.105.108.208  54       17     -  0x0DC2  0x00AC
Figure 2: A sample report on stdout for packets with an elusive first fragment
WARNING: If FRAG_HLST_CRFT == 1 then every fragmented headerless packet will be reported!
2.9.14 *_SUFFIX
This constant defines the suffix of all plugin output files. For example, if you specify the output foo.foo (with the -w
option), the generated file for the per-packet output will, in the default setting, be foo.foo_packets.
2.9.15 RELTIME
RELTIME renders all time based plugin output relative to the beginning of the pcap or the start of the packet capture. In -D or
-R read operation the first file defines the start time.
2.9.16 FLOW_TIMEOUT
This constant specifies the default time in seconds (182) after which a flow is considered terminated, counted from the last
captured packet. Note: Plugins are able to change the timeout values of a flow. For example the tcpStates plugin adjusts
the timeout of a flow according to the TCP state machine. A reduction of the flow timeout has an effect on the necessary
flow memory defined in HASHCHAINTABLE_SIZE, see below.
2.9.17 FDURLIMIT
FDURLIMIT defines the maximum flow duration in seconds, after which the flow is forced to be released. It is a special force
mode for the duration of flows and a special feature for Dalhousie University. If FDURLIMIT > 0 then FLOW_TIMEOUT is
overridden once FDURLIMIT seconds are reached.
2.9.18 HASHFACTOR
A factor multiplied with HASHTABLE_SIZE and HASHCHAINTABLE_SIZE, described below. It facilitates the correct setting of the hash space. Moreover, if T2 runs out of hash space it prints an upper estimate the user can choose for
HASHFACTOR: set it to this value, recompile and rerun T2. This constant is superseded by the -f option.
2.9.19 HASHTABLE_SIZE
The number of buckets in the hash table. As a separate chaining hashing method is used, this value does not denote the
number of elements the hash table is able to manage! The larger it is, the less likely are hash collisions. The current default
value is 2^18. Its value should be selected at least two times larger than the value of HASHCHAINTABLE_SIZE discussed in the
following section.
2.9.20 HASHCHAINTABLE_SIZE
Specifies the number of flows the main hash table is able to manage. The default value is 2^19, so roughly half the size
of HASHTABLE_SIZE. T2 supplies information about the hash space in memory in the line: Max number of IPv4 flows in
memory: 113244 (50.220%). Together with the amount of traffic already processed the total value can be computed.
An example is given in Figure 1.
2.9.21 L2PROTO
Specifies the OSI layer 2 protocol of the network to be analyzed. The available protocols are listed below:
Name         Description
L2_ETHERNET  Ethernet (default)
2.9.22 Aggregation Mode
The aggregation mode enables the user to confine certain IP, port or protocol ranges into a single flow. The variable
AGGREGATIONFLAG in tranalyzer.h defines a bit field which enables specific aggregation modes according to the six tuple
values listed below.
Aggregation Flag  Value
L4PROT            0x01
DSTPORT           0x02
SRCPORT           0x04
DSTIP             0x08
SRCIP             0x10
VLANID            0x20
SUBNET            0x80
If a certain aggregation mode is enabled, the following variables in tranalyzer.h define the aggregation range.
Aggregation Flag  Type      Description
SRCIPMASKn        uint32_t  src IP aggregation hex bit mask network order
DSTIPMASKn        uint32_t  dst IP aggregation hex bit mask network order
SRCPORTLW         uint16_t  src port lower bound
SRCPORTHW         uint16_t  src port upper bound
DSTPORTLW         uint16_t  dst port lower bound
DSTPORTHW         uint16_t  dst port upper bound
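An added example (not Tranalyzer2 code) of how the bit field and the range variables above combine into one aggregated flow key. The folding rules applied when a flag is set (masked IPs keep only the mask bits, ports inside [LW, HW] collapse to LW, L4PROT/VLANID clear the field), the omission of the SUBNET flag, and the little-endian host assumed for the "network order" mask encoding are assumptions of this example.

```python
"""Folding a six tuple according to AGGREGATIONFLAG (added example, not T2 code).

The flag values and the range variables (SRCIPMASKn, SRCPORTLW, ...) are the
ones the manual lists; how the core folds a flow when a flag is set is an
assumption made here. SUBNET (0x80) is listed in the manual but not modeled.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Tuple

# AGGREGATIONFLAG bit values from the manual
L4PROT, DSTPORT, SRCPORT, DSTIP, SRCIP, VLANID, SUBNET = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x80

# (vlanID, srcIP, srcPort, dstIP, dstPort, l4Proto)
SixTuple = Tuple[int, str, int, str, int, int]


def netmask_to_t2(prefix_len: int, little_endian: bool = True) -> int:
    """Value to put into SRCIPMASKn/DSTIPMASKn for a /prefix_len IPv4 mask.

    The manual calls the masks 'hex bit mask network order': the mask's
    on-the-wire bytes read back as a host integer. On a little-endian host a
    /16 mask (bytes ff ff 00 00) is therefore written as 0x0000FFFF, not 0xFFFF0000.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    wire = ((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF).to_bytes(4, "big")
    return int.from_bytes(wire, "little" if little_endian else "big")


def _mask_ip(ip: str, t2_mask: int, little_endian: bool = True) -> str:
    """AND an IPv4 address with a mask given in the tranalyzer.h byte order."""
    wire_mask = int.from_bytes(t2_mask.to_bytes(4, "little" if little_endian else "big"), "big")
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & wire_mask))


def aggregate_key(flow: SixTuple, flags: int, cfg: Dict[str, int]) -> SixTuple:
    """Return the key under which `flow` is counted when `flags` are enabled."""
    vlan, sip, sport, dip, dport, proto = flow
    if flags & VLANID:
        vlan = 0
    if flags & SRCIP:
        sip = _mask_ip(sip, cfg["SRCIPMASKn"])
    if flags & DSTIP:
        dip = _mask_ip(dip, cfg["DSTIPMASKn"])
    if flags & SRCPORT and cfg["SRCPORTLW"] <= sport <= cfg["SRCPORTHW"]:
        sport = cfg["SRCPORTLW"]          # whole range folds onto its lower bound
    if flags & DSTPORT and cfg["DSTPORTLW"] <= dport <= cfg["DSTPORTHW"]:
        dport = cfg["DSTPORTLW"]
    if flags & L4PROT:
        proto = 0
    return (vlan, sip, sport, dip, dport, proto)


def count_aggregated(flows: Iterable[SixTuple], flags: int, cfg: Dict[str, int]) -> Dict[SixTuple, int]:
    """How many of the input flows land in each aggregated flow."""
    return dict(Counter(aggregate_key(f, flags, cfg) for f in flows))


# Constructed configuration: fold source hosts per /16 and ephemeral source ports.
CFG = {
    "SRCIPMASKn": netmask_to_t2(16),   # 0x0000FFFF on a little-endian host
    "DSTIPMASKn": netmask_to_t2(32),
    "SRCPORTLW": 1024, "SRCPORTHW": 65535,
    "DSTPORTLW": 0, "DSTPORTHW": 0,
}
FLAGS = SRCIP | SRCPORT

# Constructed flows: three clients in 10.1.0.0/16 talking to the same web server.
FLOWS = [
    (20, "10.1.2.3", 50000, "192.0.2.77", 443, 6),
    (20, "10.1.9.8", 50123, "192.0.2.77", 443, 6),
    (20, "10.1.200.1", 61000, "192.0.2.77", 443, 6),
    (20, "10.2.0.5", 50000, "192.0.2.77", 443, 6),   # other /16, stays separate
]

if __name__ == "__main__":
    for key, n in count_aggregated(FLOWS, FLAGS, CFG).items():
        print(n, key)
```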
2.10 Tranalyzer2 Output
As stated before, the functionality and output of Tranalyzer2 is defined by the activated plugins. Basically, there are two
ways a plugin can generate output. First, it can generate its own output file and write any arbitrary content into any stream.
The second way is called standard output or per-flow output. After flow termination Tranalyzer2 provides an output buffer
and appends the direction of the flow to it. For example, in case of textual output, an “A” flow is normally followed by
a “B” flow or if the “B” flow does not exist it is followed by the next “A” flow. Then, the output buffer is passed to the
plugins providing their per-flow output. Finally the buffer is sent to the activated output plugins. This process repeats
itself for the “B” flow. For detailed explanation about the functionality of the output plugins refer to the section plugins.
2.10.1 Hierarchical Ordering of Numerical or Text Output
Tranalyzer2 provides a hierarchical ordering of each output. Each plugin controls the:
• volume of its output
• number of values or bins
• hierarchical ordering of the data
• repetition of data substructures
Thus, complex structures such as lists or matrices can be presented in a single line.
The following sample of text output shows the hierarchical ordering for four data outputs, separated by tabulators:
A    0.3    2.0_3.4_2.1    2;4;2;1    (1_2_9)_(1_3_1)_(7_5_3)_(2_3_7)
The A indicates the direction of the flow; in this case it is the initial flow. The next number denotes a single descriptive
statistical result. Output number two consists of three values separated by "_" characters. Output number three consists of
one value that can be repeated, indicated by the character ";". Output number four is a more complex example: it consists
of four values, each containing three subvalues, indicated by the parentheses. This could be interpreted as a matrix of size 4x3.
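The separator rules just described can be turned into a small parser. The following is an added example, not Tranalyzer2's own code; it assumes that ";" binds weaker than "_" (so a repetition may contain composed values) and that "(...)" groups nest, which the manual's sample supports but does not state.

```python
"""Parser for Tranalyzer2's hierarchical per-flow text output (added example).

Only the separator rules stated in the manual are applied: columns are tab
separated, "_" joins the sub-values of one output, ";" separates repetitions of
one value, and "(...)" groups a sub-structure that can itself be repeated.
The precedence ";" < "_" < "()" is an assumption of this example.
"""
from typing import List, Optional, Tuple, Union

Scalar = Union[int, float, str]
Node = Union[Scalar, List["Node"]]


def _scalar(tok: str) -> Scalar:
    """int where possible, then float, otherwise the raw text (e.g. "A")."""
    for conv in (int, float):
        try:
            return conv(tok)
        except ValueError:
            pass
    return tok


def _split_top(s: str, sep: str) -> List[str]:
    """Split s on sep, but only at parenthesis depth 0."""
    parts: List[str] = []
    cur: List[str] = []
    depth = 0
    for ch in s:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in %r" % s)
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if depth != 0:
        raise ValueError("unbalanced '(' in %r" % s)
    parts.append("".join(cur))
    return parts


def parse_value(s: str) -> Node:
    """Parse one tab-separated column into a scalar or nested lists."""
    reps = _split_top(s, ";")
    if len(reps) > 1:                      # repeated value: 2;4;2;1
        return [parse_value(r) for r in reps]
    subs = _split_top(s, "_")
    if len(subs) > 1:                      # composed value: 2.0_3.4_2.1
        return [parse_value(x) for x in subs]
    if s.startswith("(") and s.endswith(")"):
        return parse_value(s[1:-1])        # grouped sub-structure: (1_2_9)
    return _scalar(s)


def parse_flow_line(line: str) -> List[Node]:
    """Parse one flow line (columns separated by tabulators)."""
    return [parse_value(col) for col in line.rstrip("\r\n").split("\t")]


def matrix_shape(node: Node) -> Optional[Tuple[int, int]]:
    """(rows, cols) if node is a rectangular list of equal-length scalar lists."""
    if not isinstance(node, list) or not node:
        return None
    rows = [r for r in node if isinstance(r, list)]
    if len(rows) != len(node):
        return None
    width = len(rows[0])
    if any(len(r) != width or any(isinstance(v, list) for v in r) for r in rows):
        return None
    return len(rows), width


# Constructed sample: the four-output line from the manual, tab separated.
SAMPLE_LINE = "A\t0.3\t2.0_3.4_2.1\t2;4;2;1\t(1_2_9)_(1_3_1)_(7_5_3)_(2_3_7)"

if __name__ == "__main__":
    for column in parse_flow_line(SAMPLE_LINE):
        print(column, matrix_shape(column))
```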
2.11 Final Report
Standard configuration of Tranalyzer2 produces a statistical report on stdout about timing, packets, protocol encapsulation
type, average bandwidth, dump length, etc. A sample report including some current protocol relevant warnings is depicted
in the figure below. Warnings are not fatal and are hence listed at the end of the statistical report when Tranalyzer2 terminates
naturally. The Average total Bandwidth estimation refers to the processed bandwidth during the data acquisition process.
It is only equivalent to the actual bandwidth if the total packet length including all encapsulations is not truncated and all
traffic is IP. The Average IP Traffic Bandwidth is an estimate comprising all IP traffic actually present on the wire. Plugins
can report extra information when PLUGIN_REPORT is activated. This report can be saved to a file using one of the
following commands:
tranalyzer -r file.pcap -w out -l (see Section 2.4.8)
tranalyzer -r file.pcap -w out | tee out_stdout.txt
tranalyzer -r file.pcap -w out > out_stdout.txt
The last two commands both create a file out_stdout.txt containing the report. The only difference between those two
commands is that the tee variant still outputs the report to stdout.
Fatal errors regarding the invocation, configuration and operation of Tranalyzer2 are printed to stdout after the plugins
are loaded, thus before the processing is activated; see the hash table error example in Listing 1. These errors terminate
Tranalyzer2 immediately and are located before the final statistical report, as indicated by the "Shutting down ..."
key phrase. If the final report is to be used in a following script, a pipe can be appended and certain lines can be filtered
using grep or awk.
$ ./tranalyzer -r ~/wurst/data/knoedel.pcap -w ~/test_data/results/knoedel
================================================================================
Tranalyzer 0.7.1 (Anteater), beta Boeing. PID: 6783
================================================================================
Active plugins:
    00: protoStats, version 0.7.0
    01: basicFlow, version 0.7.0
    02: macRecorder, version 0.7.0
    03: portClassifier, version 0.7.0
    04: basicStats, version 0.7.0
    05: tcpFlags, version 0.7.0
    06: tcpStates, version 0.7.0
    07: icmpDecode, version 0.7.0
    08: connStat, version 0.7.0
    09: txtSink, version 0.7.0
[INF] basicFlow: Ver: 1, Rev: 20170601, subnets ranges loaded: 5783437
Processing file: /home/stefan/test_data/data/BW_2013/wurst.dmp
Link layer type: Ethernet [EN10MB/1]
Dump start: 1291753225.446732 sec (Tue 07 Dec 2010 20:20:25.446732 GMT)
[WRN] snapL2Length: 1550 - snapL3Length: 1484 - IP length in header: 1492
[ERR] mainHashMap is full: set HASHFACTOR to maximal 5 (use the '-f' option or edit tranalyzer.h)
Dump stop: 1291753265.963737 sec (Tue 07 Dec 2010 20:21:05.963737 GMT)
Total dump duration: 40.517005 sec
Finished processing. Elapsed time: 49.857922 sec
Percentage completed: 18.22%
Number of processed packets: 9754725 (9.75 M)
Number of processed bytes: 7669488558 (7.67 G)
Number of raw bytes: 7672087872 (7.67 G)
Number of pad bytes: 0
Number of pcap bytes: 42949673232 (42.95 G)
Number of IPv4 packets: 9754677 (9.75 M)
Number of IPv6 packets: 0
Number of IPv4 A packets: 5575726 (5.58 M)
Number of IPv4 B packets: 4159812 (4.16 M)
Number of IPv4 A bytes: 2576875319 (2.58 G)
Number of IPv4 B bytes: 5093022346 (5.09 G)
Average IPv4 A packet load: 462.16
Average IPv4 B packet load: 1224.34 (1.22 K)
--------------------------------------------------------------------------------
tcpFlags: Anomaly flags IP, TCP: 0x3d6e, 0xfe07
Number of IPv4 TCP scans, succ scans, retries: 37368, 6145, 2634
tcpStates: Aggregated anomaly flags: 0xdf
Number of ICMP IPv4 EchoReq packets: 2666 (2.67 K)
Number of ICMP IPv4 EchoRepl packets: 569
ICMP/Total traffic [%]: 0.239
ICMP Echo reply/request: 0.213
connStat: Max unique number of IPv4 scon, dcon, sdcon, prtcon: 67107, 73426, 797, 797
connStat: prtcon/sdcon, prtcon/scon: 1.000000, 0.011877
connStat: IPv4 with max source connections: 81.221.208.211 (500 connections)
--------------------------------------------------------------------------------
MinHdrCnt: 2, MaxHdrCnt: 13, aveHdrCnt: 7
Max VLAN Header Count: 1
Max MPLS Header Count: 2
Number of GRE packets: 4286 (4.29 K)
Number of Teredo packets: 37724 (37.72 K)
Number of AYIYA packets: 40
Number of IGMP packets: 66
Number of LLC packets: 30
Number of ICMP IPv4 packets: 23330 (23.33 K)
Number of TCP IPv4 packets: 7838482 (7.84 M)
Number of UDP IPv4 packets: 1851147 (1.85 M)
Number of IPv4 fragmented packets: 2960 (2.96 K)
Number of processed IPv4 flows: 301909 (301.91 K)
Number of processed IPv4 A flows: 254019 (254.02 K)
Number of processed IPv4 B flows: 47890 (47.89 K)
Total A/B IPv4 flow asymmetry: 0.6828
Number of processed IPv4 packets/flows: 32.31
Number of processed IPv4 A packets/flows: 21.95
Number of processed IPv4 B packets/flows: 86.86
Number of processed total packets/s: 240756.31 (240.76 K)
Number of processed IPv4 (A+B) packets/s: 240282.77 (240.28 K)
Number of processed IPv4 A packets/s: 137614.47 (137.61 K)
Number of processed IPv4 B packets/s: 102668.30 (102.67 K)
Number of average processed IPv4 flows/s: 7451.415 (7.45 K)
Average full raw bandwidth: 1514838016 b/s (1.51 Gb/s)
Average snapped bandwidth: 1514324736 b/s (1.51 Gb/s)
Average full IP bandwidth: 1514126080 b/s (1.51 Gb/s)
Max number of flows in memory: 262144 (100.00%)
Memory usage: 0.522 GB (0.77%)
Aggregate flow status: 0x0000045202187f04
[WRN] L3 SnapLength < Length in IP header
[INF] IPv4/6 fragmentation
[WRN] IPv4/6 fragmentation header packet missing
[INF] IPv6
[INF] VLAN encapsulation
[INF] MPLS encapsulation
[INF] L2TP encapsulation
[INF] PPP encapsulation
[INF] GRE encapsulation
[INF] AYIYA Tunnel
[INF] Teredo Tunnel
[INF] SSDP/UPnP flows
[INF] Ethernet flows
Listing 1: A sample Tranalyzer2 final report including encapsulation warning and hash table full error
T2 runs in IPv4 mode, but warns the user that encapsulated IPv6 traffic is present. Note that T2 warns you when the main hash
map is full. Taking the percentage completed into consideration (circa 0.2 in this case), HASHCHAINTABLE_BASE_SIZE
should be increased by a factor of at least 1/0.2 = 5 and HASHTABLE_BASE_SIZE should be at least a factor two bigger than
HASHCHAINTABLE_BASE_SIZE. As stated in the error message, rerun T2 with -f 4 as an additional command line
option.
2.12 Monitoring Modes During Runtime
If debugging is deactivated or the verbose level is zero (see 2.9), Tranalyzer2 prints no status information or end report.
Interrupt signals have been introduced to force intermediate status information to stdout. The appropriate Unix commands and
their effect are listed below:
Command         Description
kill -USR1 PID  T2 sends the configured monitoring report to stdout
kill -USR2 PID  T2 toggles between on demand and continuous monitoring operation
The script t2stat has the same function as kill -USR1 PID. An example of a typical signal requested report (MACHINE_REPORT=0)
is shown in Listing 2.
USR1 A type report: Tranalyzer 0.7.1 (Anteater), beta Boeing. PID: 2676
PCAP time: 1291753241.799924 sec (Tue 07 Dec 2010 20:20:41.799924 GMT)
PCAP duration: 16.353192 sec
Time: 1497967379.307634 sec (Tue 20 Jun 2017 16:02:59.307634 CEST)
Elapsed duration: 5.016890 sec
Total bytes to process: 42949673232 (42.95 G)
Total file bytes processed so far: 3206202368 (3.21 G)
Percentage completed: 7.47%
Remaining time: 62.188411 sec (1m 2s)
ETF: 1497967441.496045 sec (Tue 20 Jun 2017 16:04:01.496045 CEST)
Number of processed A packets: 2264330 (2.26 M)
Number of processed B packets: 1705829 (1.71 M)
Number of processed A bytes: 1045784458 (1045.78 M)
Number of processed B bytes: 2096819850 (2.10 G)
Number of ICMP packets: 9555 (9.55 K)
Number of ICMP EchoReq packets: 1072 (1.07 K)
Number of ICMP EchoRepl packets: 275
Number of DNS packets: 0
Number of DNS Q packets: 0
Number of DNS R packets: 0
Number of HTTP packets: 0
Number of processed packets: 3977930 (3.98 M)
Number of processed bytes: 3142555426 (3.14 G)
Number of IGMP IPv4 packets: 26
Number of TCP IPv4 packets: 3205984 (3.21 M)
Number of UDP IPv4 packets: 746232 (746.23 K)
Number of GRE packets: 1706 (1.71 K)
Number of Teredo packets: 14713 (14.71 K)
Number of AYIYA packets: 14
Number of LLC packets: 14
Number of IPv4 fragmented packets: 1155 (1.16 K)
Number of IPv4 packets: 3977909 (3.98 M)
Number of IPv6 packets: 0
Number of processed IPv4 flows: 145888 (145.89 K)
Number of processed IPv4 packets/flows: 27.27
Number of processed IPv4 A packets/flows: 18.40
Number of processed IPv4 B packets/flows: 74.68
A/B IPv4 flow asymmetry: 0.6869
Max unique number of IPv4 scon, dcon, sdcon, prtcon: 37727, 40704, 459, 459
IPv4 prtcon/sdcon, prtcon/scon: 1.000000, 0.012166
Number of IPv4 TCP scans, succ scans, retries: 4798, 1785, 925
Average snapped bandwidth: 1537341696 b/s (1.54 Gb/s)
Average full IP bandwidth: 1537084928 b/s (1.54 Gb/s)
Average full raw bandwidth: 1537854848 b/s (1.54 Gb/s)
Fill size of main hash map: 132625 (50.59%)
Max number of flows in memory: 132627 (50.59%)
Memory usage: 0.391 GB (0.58%)
Aggregate flow status: 0x0000045202187f04
[WRN] L3 SnapLength < Length in IP header
[INF] IPv4/6 fragmentation
[WRN] IPv4/6 fragmentation header packet missing
[INF] IPv6
[INF] VLAN encapsulation
[INF] MPLS encapsulation
[INF] L2TP encapsulation
[INF] PPP encapsulation
[INF] GRE encapsulation
[INF] AYIYA Tunnel
[INF] Teredo Tunnel
[INF] SSDP/UPnP flows
[INF] Ethernet flows
================================================================================
Listing 2: A sample Tranalyzer2 human readable report aggregate mode
Listing 3 illustrates the output of the header line and subsequent data lines generated when MACHINE_REPORT=1.
% RepTyp Time Dur memUsg[KB] fillSzHashMap Flws AFlws BFlws SIP DIP SDIP Prts Pkts APkts BPkts V4Pkts V6Pkts VxPkts Byts AByts BByts ARPPkts RARPPkts ICMPPkts EchoReq EchoRep DnsPkts DnsQPkts DnsRPkts HttpPkts FrgV4Pkts FrgV6Pkts Alrms TCPScn TCPSScn TcpRtry RawBndWdth Fave GlblWrn ICMP IGMP TCP UDP SCTP 0x0042 0x00fe 0x0806 0x0800 0x86dd
USR1MR_A 1175364020.458606 103.877184 1856384 6456055 518079 360556 157523 92140 153825 765 1706 9453374 5485249 3967298 9452802 0 0 680258574 2271454049 3288136123 0 0 492113898 1244 0 0 0 3309 20599 0 0 26244 22467 14833 428175.000 2.230065 0x02030052 49211 102 8186447 1169051 0 284 0 0 9452802 0
USR1MR_A 1175364043.564798 126.983376 2030752 6945643 680946 462230 218716 118181 183651 1164 3626 13104550 7235588 5867866 13103799 0 0 944828393 3007472308 4847491640 0 066918 5110 1695 0 0 0 4738 28844 0 0 33600 32326 23344 494874.688 3.115120 0x02030052 66918 130 11364263 1611189 0 372 0 0 13103799 0
USR1MR_A 1175364072.842855 156.261433 2184732 7103403 860105 573862 286243 148357 217272 1164 3626 17716953 9443884 8271657 17715947 0 0 1278800701 3927484585 6829832070 0 086334 6700 2226 0 0 0 6572 38940 0 0 48853 45035 34063 550743.562 3.115120 0x02030052 86334 177 15394866 2158059 0 492 0 0 17715947 0
Listing 3: A sample Tranalyzer2 machine report aggregate mode
2.12.1 Configuration for Monitoring Mode
To enable monitoring mode, configure Tranalyzer as follows:
main.h:
#define MONINTPSYNC    1
#define MONINTTMPCP    1
#define MONINTTHRD     1
tranalyzer.h:
#define VERBOSE        0
#define DIFF_REPORT    1
#define MACHINE_REPORT 1
The following plugins contribute to the output:
• basicStats
• httpBCmp
• connStat
• icmpDecode
• dnsBCmp
• dnsDecode
• protoStats
The generated output is illustrated in Figure 3. The columns are as follows:
 1. RepType       14. BPkts         27. DnsQPkts
 2. Time          15. V4Pkts        28. DnsRPkts
 3. Dur           16. V6Pkts        29. HttpPkts
 4. memUsg[KB]    17. VxPkts        30. FrgV4Pkts
 5. Flws          18. Byts          31. FrgV6Pkts
 6. AFlws         19. AByts         32. Alrms
 7. BFlws         20. BByts         33. TCPScn
 8. SIP           21. ARPPkts       34. TCPSScn
 9. DIP           22. RARPPkts      35. TcpRtry
10. SDIP          23. ICMPPkts      36. RawBndWdth
11. Prts          24. EchoReq       37. Fave
12. Pkts          25. EchoRep       38. GlblWrn
13. APkts         26. DnsPkts
When capturing from a live interface, the following three columns are output (between Dur and Flws):
• PktsRec
• PktsDrp
• IfDrp
2.12.2 Monitoring Mode to syslog
In order to send monitoring info to a syslog server, T2 must be configured in machine mode as indicated above. Then the
output has to be piped into the following script:
t2 -D ... -w ... | awk -F "\t" '{ print "<25>", strftime("%b %d %T"), "Monitoring: " $0; }' | \
    nc -u w.x.y.z 514
Netcat will send it to the syslog server at address w.x.y.z. Specific columns from the monitoring output can be selected
in the awk script.
2.12.3 RRD Graphing of Monitoring Output
The monitoring output can be stored in a RRD database using the rrdmonitor script. To start creating a RRD database,
launch Tranalyzer2 (in monitoring mode) as follows:
./tranalyzer2/src/tranalyzer -r file.pcap | ./scripts/rrdmonitor
Or for monitoring from a live interface:
sudo ./tranalyzer2/src/tranalyzer -i eth0 | ./scripts/rrdmonitor
Plots for the various fields can then be generated using the rrdplot script:
Usage:
    ./rrdplot [OPTION] [FIELD1=flows] [FIELD2]
Options:
    -d name    name of the database to use [default: monitoring.rrd]
    -p name    name of the PNG to generate [default: field1[_field2].png]
    -r wxh     size of the generated PNG (width x height) [default: 640x480]
    -s start   start time of the plot [default: end-10m]
    -t end     end time of the plot [default: latest_update]
    -i int     interval to plot [default: 10m (last 10min)]
    -f         display Holt-Winters confidence bands
    -t win     display the 'win' hour trend
    -x         use logarithmic axis
    -u max     crop values to 'max'
    -l min     crop values to 'min'
    -b         do not display the anteater banner
    -h         display this help and exit
FIELD1 and FIELD2 can be one of the following:
    ifPsRecv ifPsDrop ifPsIfDrop flows aflows bflows sip dip sdip ports pkts apkts bpkts
    v4pkts v6pkts vxpkts bytes abytes bbytes arp rarp icmp echoreq echorep dns dnsq dnsr
    http fragv4pkts fragv6pkts alarms tcpscans tcpsuccscans tcpretries rawbytes fave
To specify intervals, use s (seconds), h (hour), d (day), w (week), m (month), y (year). For example, to plot the data from
the last two weeks, use -i 2w or -s -2w.
An example graph is depicted in Figure 3.
Figure 3: T2 monitoring using RRD
2.13 Cancellation of the Sniffing Process
Processing of a pcap file stops at end of file. In case of live capture from an interface, Tranalyzer2 stops upon a CTRL+C
interrupt or a kill -9 PID signal. Disconnecting the interface cable also stops Tranalyzer2, after a timeout
of 182 seconds. The console based CTRL+C interrupt does not immediately terminate the program, to avoid corrupted
entries in the output files: it stops creating additional flows and only finishes the currently active flows. Note that waiting
for the termination of active flows depends on the activity or the lifetime of a connection and can take a very long time. In
order to mitigate that problem the user can issue CTRL+C GI_TERM_THRESHOLD times to immediately terminate the
program.
3 arpDecode
3.1 Description
The arpDecode plugin analyzes ARP traffic.
3.2 Configuration Flags
The following flags can be used to control the output of the plugin:
Name    Default  Description
MAX_IP  10       maximal number of IPs listed
3.3 Flow File Output
The arpDecode plugin outputs the following columns:
Column      Type        Description
arpStat     H8          Status
arpHwType   U16         Hardware type
arpOpcode   H16         Operational code
ipMacCnt    U8          IP MAC pair count
MAC_IP_cnt  MAC_IP4_U8  MAC, IP pairs found
3.3.1 arpStat
The arpStat column is to be interpreted as follows:
arpStat  Description
0x01     ARP detected
0x02     —
0x04     —
0x08     gratuitous ARP response
0x10     —
0x20     —
0x40     MAC change
0x80     MAC spoofing
3.3.2 arpHwType
The arpHwType column is to be interpreted as follows:
arpHwType  Description
1          Ethernet
2          Experimental Ethernet
3          Amateur Radio AX.25
4          Proteon ProNET Token Ring
5          Chaos
arpHwType  Description
6          IEEE 802
7          ARCNET
8          Hyperchannel
9          Lanstar
10         Autonet Short Address
11         LocalTalk
12         LocalNet (IBM PCNet or SYTEK LocalNET)
13         Ultra link
14         SMDS
15         Frame Relay
16         Asynchronous Transmission Mode (ATM)
17         HDLC
18         Fibre Channel
19         Asynchronous Transmission Mode (ATM)
20         Serial Line
21         Asynchronous Transmission Mode (ATM)
22         MIL-STD-188-220
23         Metricom
24         IEEE 1394.1995
25         MAPOS
26         Twinaxial
27         EUI-64
28         HIPARP
29         IP and ARP over ISO 7816-3
30         ARPSec
31         IPsec tunnel
32         Infiniband
33         CAI, TIA-102 Project 25 Common Air Interface
34         Wiegand Interface
35         Pure IP
3.3.3 arpOpcode
The arpOpcode column is to be interpreted as follows:
arpOpcode       Description
2^1 (=0x0002)   ARP Request
2^2 (=0x0004)   ARP Reply
2^3 (=0x0008)   Reverse ARP (RARP) Request
2^4 (=0x0010)   Reverse ARP (RARP) Reply
2^5 (=0x0020)   Dynamic RARP (DRARP) Request
2^6 (=0x0040)   Dynamic RARP (DRARP) Reply
2^7 (=0x0080)   Dynamic RARP (DRARP) Error
2^8 (=0x0100)   Inverse ARP (InARP) Request
2^9 (=0x0200)   Inverse ARP (InARP) Reply
2^10 (=0x0400)  ARP NAK
29
c 2008–2017 by Tranalyzer Development Team
Copyright 3. ARPDECODE
3.4
CONTENTS
Plugin Report Output
The following information is reported:
• Aggregated status flags (arpStat)
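As an added example (not code from the manual or the arpDecode plugin), the following Python keeps the IP/MAC pairs announced in ARP packets of a flow and raises the arpStat bits listed above; the packet dict layout, the MAC-spoofing heuristic and the sample packets are this example's own assumptions.

```python
from collections import defaultdict

# arpStat bits as documented for the arpDecode plugin
ARP_DETECTED, GRATUITOUS_REPLY, MAC_CHANGE, MAC_SPOOFING = 0x01, 0x08, 0x40, 0x80
OP_REQUEST, OP_REPLY = 1, 2   # ARP opcodes (arpOpcode bits 2^1 and 2^2)
MAX_IP = 10                   # same default as the plugin's MAX_IP flag


class ArpTracker:
    """IP/MAC bookkeeping for one flow. The MAC-spoofing rule is a
    heuristic chosen for this example, not the plugin's logic."""

    def __init__(self):
        self.ip_to_macs = defaultdict(list)   # IP -> MACs that claimed it, first seen first
        self.mac_to_ips = defaultdict(set)    # MAC -> IPs it claimed
        self.stat = 0                         # aggregated arpStat bits

    def feed(self, pkt):
        """pkt: dict with 'op', 'sha', 'spa', 'tpa' (assumed decoded ARP fields)."""
        self.stat |= ARP_DETECTED
        if pkt["op"] == OP_REPLY and pkt["spa"] == pkt["tpa"]:
            self.stat |= GRATUITOUS_REPLY     # reply announcing its own address
        if pkt["op"] not in (OP_REQUEST, OP_REPLY) or pkt["spa"] == "0.0.0.0":
            return self.stat                  # ignore RARP/InARP and ARP probes
        ip, mac = pkt["spa"], pkt["sha"]
        macs = self.ip_to_macs[ip]
        if macs and mac != macs[-1]:
            self.stat |= MAC_CHANGE           # the IP is now answered by another MAC
            # heuristic: the new MAC already claims other IPs that were first
            # announced by different MACs -> one station answering for several
            hijacked = [o for o in self.mac_to_ips[mac]
                        if o != ip and self.ip_to_macs[o][0] != mac]
            if hijacked:
                self.stat |= MAC_SPOOFING
        if mac not in macs:
            macs.append(mac)
        self.mac_to_ips[mac].add(ip)
        return self.stat

    def pairs(self):
        """All (MAC, IP) pairs seen, in first-seen order of the IP."""
        return [(m, ip) for ip, ms in self.ip_to_macs.items() for m in ms]


def analyze(packets):
    """Return (arpStat, ipMacCnt, MAC_IP list capped at MAX_IP) for a flow."""
    t = ArpTracker()
    for p in packets:
        t.feed(p)
    pairs = t.pairs()
    return t.stat, len(pairs), pairs[:MAX_IP]


# Constructed sample: a normal request/reply, then one station (bb:..:99)
# starts answering for both 10.0.0.5 and the gateway 10.0.0.1.
SAMPLE_PACKETS = [
    {"op": 1, "sha": "aa:aa:aa:aa:aa:05", "spa": "10.0.0.5", "tpa": "10.0.0.1"},
    {"op": 2, "sha": "aa:aa:aa:aa:aa:01", "spa": "10.0.0.1", "tpa": "10.0.0.5"},
    {"op": 2, "sha": "bb:bb:bb:bb:bb:99", "spa": "10.0.0.5", "tpa": "10.0.0.1"},
    {"op": 2, "sha": "bb:bb:bb:bb:bb:99", "spa": "10.0.0.1", "tpa": "10.0.0.5"},
]

if __name__ == "__main__":
    stat, cnt, pairs = analyze(SAMPLE_PACKETS)
    print("arpStat=0x%02x ipMacCnt=%d pairs=%s" % (stat, cnt, pairs))
```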
4 basicFlow

4.1 Description

The basicFlow plugin provides host identification fields and timing information.

4.2 Configuration Flags

The following flags can be used to control the output of the plugin:

Name | Default | Description
SPKTMD_DATE_TIME | 0 | timestamp format for packet mode: 0: Unix timestamp, 1: Date time local, 2: Date time UTC
BFO_SENSORID | 0 | 1: sensorID on / 0: sensorID off
BFO_DATE_TIME | 0 | 0: Unix time format for timestamps, 1: Human readable date time
BFO_HDRDESC_PKTCNT | 0 | 1: Enables / 0: Disables Pkt count for header description
BFO_IP_HEX | 0 | 1: Enables IP hex output
BFO_MAC | 1 | 1: Enables / 0: Disables MAC output
BFO_ETHERTYPE | 1 | 1: Enables / 0: Disables Ether Type header output
BFO_ETHERTYPE_HEX | 0 | 0: Ethertype as integers, 1: Ethertype as hexadecimal
BFO_MPLS | 0 | 1: Enables MPLS header output
BFO_MPLS_DETAIL | 0 | 1: MPLS detail header output
BFO_L2TP | 0 | 1: Enables L2TP header information
BFO_GRE | 0 | 1: Enables GRE header information
BFO_PPP | 0 | 1: Enables PPP header information
BFO_ETHIP | 0 | 1: Enables ETHIP header information
BFO_TRDO | 0 | 1: Enables Teredo IP, Port information
BFO_SUBNET_HEX | 0 | 1: Human readable, 0: hex ID output
BFO_SUBNET_LL | 0 | 1: Longitude, latitude, 0: no output
BFO_SUBNET_TEST | 1 | 1: Enables subnet test
BFO_SUBNET_TEST_L2TP | 0 | 1: Enables subnet test on L2TP addresses
BFO_SUBNET_TEST_GRE | 0 | 1: Enables subnet test on GRE addresses
BFO_HDRDESC_DEPTH | 4 | Max. number of headers descriptions to store, 0: switch off output
MAX_MPLS_DEPTH | 3 | Max. number of MPLS header pointers to store, 0: switch off output
MAX_ETHTYPE_DEPTH | 3 | Max. number of Ethertypes to store, 0: switch off output

4.3 Flow File Output

The basicFlow plugin outputs the following columns:
Column | Type | Description | Flags
dir | C | Flow direction A / B |
flowInd | U64 | Flow index |
sensorID | U32 | Sensor ID | BFO_SENSORID=1
flowStat | H32 | Flow status |
dateTimeFirst | T | Date time of first packet | BFO_DATE_TIME=1
dateTimeLast | T | Date time of last packet | BFO_DATE_TIME=1
unixTimeFirst | UT | System time of first packet | BFO_DATE_TIME=0
unixTimeLast | UT | System time of last packet | BFO_DATE_TIME=0
duration | UT | Flow duration |

If T2_PRI_HDRDESC=1 and BFO_HDRDESC_DEPTH>0, the following columns are displayed:

Column | Type | Description | Flags
numHdrDesc | U8 | Number of different headers descriptions |
numHdrs | RU8 | Number of headers (depth) in hdrDesc |
hdrDesc_PktCnt | RS_U64 | Headers description and packet count | BFO_HDRDESC_PKTCNT=1

Column | Type | Description | Flags
macS | MAC | Source MAC address | ETH_ACTIVATE=1&&BFO_MAC=1
macD | MAC | Destination MAC address | ETH_ACTIVATE=1&&BFO_MAC=1
ethType | H16 | Ethernet type | ETH_ACTIVATE=1&&BFO_MAC=1
ethVlanID | U16R | VLAN IDs | BFO_ETHERTYPE=1&&BF_MAX_ETHTYPE_DEPTH>0&&BFO_ETHERTYPE_HEX=0
ethVlanHdr | RH32 | VLAN headers (hex) | BFO_ETHERTYPE=1&&BF_MAX_ETHTYPE_DEPTH>0&&BFO_ETHERTYPE_HEX=1

If BFO_MPLS=1 and MAX_MPLS_DEPTH>0, the following column is displayed:

Column | Type | Description | Flags
mplsTagsHex | H32 | MPLS tag | BFO_MPLS_DETAIL=0
mplsLabel_ToS_S_TTL | U32_U8_U8_U8 | MPLS tags detail | BFO_MPLS_DETAIL=1

If BFO_PPP=1, the following column is displayed:

Column | Type | Description | Flags
pppHdr | H32 | PPP header |

If BFO_L2TP=1, the following columns are displayed:

Column | Type | Description | Flags
l2tpHdr | H16 | L2TP header |
l2tpTID | H16 | L2TP tunnel ID |
l2tpSID | H16 | L2TP session ID |
l2tpsrcIP | IP4 | L2TP source IP address |
l2tpsrcIPCC | S/H32 | L2TP source IP country code | BFO_SUBNET_TEST_L2TP=1
l2tpSrcIPLng_Lat | F_F | L2TP source IP longitude, latitude | BFO_SUBNET_TEST_L2TP=1&&BFO_SUBNET_LL=1
l2tpdstIP | IP4 | L2TP destination IP address |
l2tpdstIPCC | S/H32 | L2TP destination IP country code | BFO_SUBNET_TEST_L2TP=1
l2tpDstIPLng_Lat | F_F | L2TP destination IP longitude, latitude | BFO_SUBNET_TEST_L2TP=1&&BFO_SUBNET_LL=1

If BFO_GRE=1, the following columns are displayed:

Column | Type | Description | Flags
greHdr | H32 | GRE header |
greSrcIP | IP4 | GRE source IP address |
greSrcIPCC | S/H32 | GRE source IP country code | BFO_SUBNET_TEST_GRE=1
greDstIPLng_Lat | F_F | GRE source IP longitude, latitude | BFO_SUBNET_TEST_GRE=1&&BFO_SUBNET_LL=1
greDstIP | IP4 | GRE destination IP address |
greDstIPCC | S/H32 | GRE destination IP country code | BFO_SUBNET_TEST_GRE=1
greDstIPLng_Lat | F_F | GRE destination IP longitude, latitude | BFO_SUBNET_TEST_GRE=1&&BFO_SUBNET_LL=1

If BFO_TRDO=1, the following columns are displayed:

Column | Type | Description | Flags
trdoDstIP | IP4 | Nxt Teredo Flow: Dest IPv4 address | BFO_TRDO=1
trdoDstPort | U16 | Nxt Teredo Flow: Destination port | BFO_TRDO=1

If BFO_TRDO=1 and IPV6_ACTIVATE=1, then the following columns are displayed:

Column | Type | Description | Flags
trdo6SrcFlgs | H8 | Teredo IPv6 source address decode: Flags |
trdo6SrcSrvIP4 | IP4 | Teredo IPv6 source address decode: Server IPv4 |
trdo6SrcCPIP4 | IP4 | Teredo IPv6 source address decode: Client Public IPv4 |
trdo6SrcCPPort | U16 | Teredo IPv6 source address decode: Client Public Port |
trdo6DstFlgs | H8 | Teredo IPv6 destination address decode: Flags |
trdo6DstSrvIP4 | IP4 | Teredo IPv6 destination address decode: Server IPv4 |
trdo6DstCPIP4 | IP4 | Teredo IPv6 destination address decode: Client Public IPv4 |
trdo6DstCPPort | U16 | Teredo IPv6 destination address decode: Client Public Port |

Standard six tuple output including GeoLabeling:

Column | Type | Description | Flags
srcIP4 | IP4/H32 | Source IPv4 address | IPV6_ACTIVATE=0
srcIP6 | IP6/H64_H64 | Source IPv6 address | IPV6_ACTIVATE=1
srcIPCC | S/H32 | Source IP country code/Hex ID | BFO_SUBNET_TEST=1
srcIPLng_Lat | F_F | Source IP longitude, latitude | BFO_SUBNET_TEST=1&&BFO_SUBNET_LL=1
srcPort | U16 | Source Port |
dstIP4 | IP4/H32 | Destination IPv4 address | IPV6_ACTIVATE=0
dstIP6 | IP6/H64_H64 | Destination IPv6 address | IPV6_ACTIVATE=1
dstIPCC | S/H32 | Destination IP country code/Hex ID | BFO_SUBNET_TEST=1
dstIPLng_Lat | F_F | Destination IP longitude, latitude | BFO_SUBNET_TEST=1&&BFO_SUBNET_LL=1
dstPort | U16 | Destination port |
l4Proto | U8 | Layer 4 protocol |
4.3.1 flowInd

The flow index is useful to identify flows when post-processing operations, such as sorting or filtering, are applied to a flow file and only a B or an A flow is selected. Moreover, a packet file generated with the -s option supplies the flow index, which simplifies the mapping of individual packets to the appropriate flow.
4.3.2 flowStat

The flowStat column is to be interpreted as follows:

flowStat | Description
2^0 (=0x00000000 00000001) | Inverted Flow, did not initiate connection
2^1 (=0x00000000 00000002) | no Ethernet header
2^2 (=0x00000000 00000004) | pure L2 Flow
2^3 (=0x00000000 00000008) | Point to Point Protocol oE Discovery
2^4 (=0x00000000 00000010) | Point to Point Protocol oE Service
2^5 (=0x00000000 00000020) | Link Layer Discovery Protocol
2^6 (=0x00000000 00000040) | ARP
2^7 (=0x00000000 00000080) | Reverse ARP
2^8 (=0x00000000 00000100) | VLANs
2^9 (=0x00000000 00000200) | MPLS unicast
2^10 (=0x00000000 00000400) | MPLS multicast
2^11 (=0x00000000 00000800) | L2TP v2/3
2^12 (=0x00000000 00001000) | GRE V1/2
2^13 (=0x00000000 00002000) | PPP header after L2TP or GRE
2^14 (=0x00000000 00004000) | IPv6, 0: IPv4
2^15 (=0x00000000 00008000) | IPvX bogus packets
2^16 (=0x00000000 00010000) | Authentication Header
2^17 (=0x00000000 00020000) | IPv4/6 in IPv4/6
2^18 (=0x00000000 00040000) | Ethernet via IP
2^19 (=0x00000000 00080000) | Teredo tunnel
2^20 (=0x00000000 00100000) | Anything in Anything Tunnel
2^21 (=0x00000000 00200000) | GPRS Tunneling Protocol (GTP)
2^22 (=0x00000000 00400000) | Virtual eXtensible Local Area Network (VXLAN)
2^23 (=0x00000000 00800000) | Control and Provisioning of Wireless Access Points (CAPWAP)
2^24 (=0x00000000 01000000) | Stream Control Transmission Flows
2^25 (=0x00000000 02000000) | SSDP/UPnP
2^28 (=0x00000000 10000000) | SIP/RTP
2^31 (=0x00000001 00000000) | acquired packet length < minimal L2 datagram
2^32 (=0x00000002 00000000) | Acquired packet length < packet length in L3 header
2^33 (=0x00000004 00000000) | Acquired packet length < minimal L3 Header
2^34 (=0x00000008 00000000) | Acquired packet length < minimal L4 Header
2^35 (=0x00000010 00000000) | IPv4 fragmentation present
2^36 (=0x00000020 00000000) | IPv4 fragmentation error (refer to the tcpFlags plugin for more details)
2^37 (=0x00000040 00000000) | IPv4 1. fragment out of sequence or missing
2^38 (=0x00000080 00000000) | Fragmentation sequence not completed when flow timeout
2^39 (=0x00000100 00000000) | user defined max flow timeout instead of protocol termination
2^40 (=0x00000200 00000000) | Flow or packet alarm mode flag: remove this flow instantly
2^41 (=0x00000400 00000000) | Stop dissecting, error or not capable to do e.g. IP4/6 config
2^43 (=0x00001000 00000000) | PPPL3 header not readable, compressed
2^61 (=0x20000000 00000000) | If set by any plugin, pcapd writes packets from current flow to current pcap
2^62 (=0x40000000 00000000) | Land attack: same srcIP && dstIP && srcPort && dstPort
2^63 (=0x80000000 00000000) | Time slip in the pcap file mostly due to NTP operations on the capture machine
4.3.3 hdrDesc

The hdrDesc column describes the protocol stack in the flow in a human readable way. Note that it gives the user a lookahead of what is to be expected, even if not in the appropriate IPv4/6 mode. For example, in IPv4 mode several different header stacks can be displayed by one flow if Teredo or different fragmentation is involved. T2 then dissects only to the last header above the said protocol and sets the Stop dissecting bit in the flow status (2^41 (=0x00000400 00000000)).
4.3.4 trdoFlags

The trdoFlags column is to be interpreted as follows:

trdoFlags | Description
2^7 (=0x01) | Group/individual
2^6 (=0x02) | Universal/local
2^2 (=0x04) | 0
2^3 (=0x08) | 0
2^4 (=0x10) | 0
2^5 (=0x20) | 0
2^1 (=0x40) | Currently Unassigned
2^0 (=0x80) | Behind NAT, newer versions do not set this bit anymore
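The decoding behind the trdo6Src*/trdo6Dst* columns and the trdoFlags byte, as an added Python example (not the plugin's code): a Teredo address carries the server IPv4, a 16-bit flag word and the client's public port and IPv4 (the last two XOR-ed with all ones), and the H8 flag column is the upper flag byte, where 0x80 is the cone bit of the table above. The sample address uses documentation values (client 192.0.2.45, port 40000).

```python
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # Teredo service prefix (RFC 4380)
# trdoFlags bits of the H8 flag byte, as in the table above
TRDO_CONE, TRDO_UNASSIGNED, TRDO_UNIVERSAL, TRDO_GROUP = 0x80, 0x40, 0x02, 0x01


def decode_teredo(addr):
    """Decode one Teredo IPv6 address into the Flgs/SrvIP4/CPIP4/CPPort values.

    Layout: 32-bit prefix, 32-bit server IPv4, 16-bit flags, 16-bit client
    port and 32-bit client IPv4, the last two obfuscated by XOR with all ones.
    Returns None for non-Teredo addresses (those columns stay empty).
    """
    ip6 = ipaddress.IPv6Address(addr)
    if ip6 not in TEREDO_PREFIX:
        return None
    raw = int(ip6)
    server = (raw >> 64) & 0xFFFFFFFF          # bits 32..63 from the top
    flags16 = (raw >> 48) & 0xFFFF             # bits 64..79
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF      # bits 80..95, de-obfuscated
    client = (raw & 0xFFFFFFFF) ^ 0xFFFFFFFF    # bits 96..127, de-obfuscated
    return {
        "Flgs": flags16 >> 8,                  # upper flag byte: 0x80 cone, 0x02 U, 0x01 G
        "SrvIP4": str(ipaddress.IPv4Address(server)),
        "CPIP4": str(ipaddress.IPv4Address(client)),
        "CPPort": port,
    }


def teredo_columns(src6, dst6):
    """trdo6Src*/trdo6Dst* columns for one IPv6 flow, None where not Teredo."""
    cols = {}
    for side, addr in (("Src", src6), ("Dst", dst6)):
        d = decode_teredo(addr)
        for k in ("Flgs", "SrvIP4", "CPIP4", "CPPort"):
            cols["trdo6%s%s" % (side, k)] = d[k] if d else None
    return cols


if __name__ == "__main__":
    # constructed flow: Teredo client talking to a plain IPv6 documentation address
    print(teredo_columns("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::1"))
```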
4.3.5 Subnet detection

Warning: subnet labeling is currently only available in IPv4 mode. For the time being, use the geoip plugin (slower and less accurate) to label IPv6 addresses.

If BFO_SUBNET_TEST/L2TP/GRE is enabled, source and destination IP/L2TP/GRE addresses will be marked according to their membership in a defined set of subnets. This definition is supplied in the file subnetfile4.txt, which is automatically converted during the compilation sequence into a binary compressed version readable by the basicFlow plugin. If no subnet file exists in ~/.tranalyzer/plugins, then the binary file is automatically copied. The text file can be edited and manually converted with the script subconv. Countries are currently coded by a string or a hex ID. The coding scheme is defined in the top two lines of the subnetfile. The text format is defined as follows:

#
1
20170515
# prefix/mask | 1st_code32_cc_ccOpt_rir_function | 2nd_code32_lat_long plaintext_stuff
# prefix/mask 8bit_cc 4bit_rir_and_ccOpt_(highest_bit_set_if_opt_countries_available) 8bit_function_groups 32bit_lat_long plaintext_stuff
# private addresses
10.0.0.0/8      0x00000001  0x00000000  666  666  10.0.0.0-10.255.255.255  64345  0  apnic  rir  private 01
172.16.0.0/12   0x00000001  0x00000000  666  666  172.16.0.0-172.240.255.255  64345  0  apnic  rir  private 01
192.168.0.0/16  0x00000001  0x00000000  666  666  192.168.0.0-192.168.255.255  64345  0  apnic  rir  private 01
# public
1.0.0.0/24      0x0e500000  0x00000067  -33.490002  143.210007  1.0.0.0-1.0.0.255  74924  0  _none_ _none_ australia  au  apnic
1.0.1.0/24      0x2e500000  0x00000000  666  666  1.0.1.0-1.0.1.255  74925  0  _none_ _none_ china  cn  apnic
...
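To show how such a subnet file is consumed, here is an added Python example (not the subconv script or the plugin's binary format): it parses the text form, answers longest-prefix lookups and produces the srcIPCC-style label as hex ID or text, mirroring BFO_SUBNET_HEX and BFO_SUBNET_LL. Tab-separated columns and the 10.10.0.0/16 row are this example's own assumptions.

```python
import ipaddress

# Constructed sample in the text format shown above. Tab-separated columns are
# an assumption of this example; the 10.10.0.0/16 row is made up to show that
# the longest matching prefix wins.
SUBNET_FILE = """\
#
1
20170515
# prefix/mask | 1st_code32_cc_ccOpt_rir_function | 2nd_code32_lat_long plaintext_stuff
# private addresses
10.0.0.0/8\t0x00000001\t0x00000000\t666\t666\t10.0.0.0-10.255.255.255\t64345\t0\tapnic\trir\tprivate 01
10.10.0.0/16\t0x00000002\t0x00000000\t666\t666\t10.10.0.0-10.10.255.255\t0\t0\texample\tlab\tconstructed 02
192.168.0.0/16\t0x00000001\t0x00000000\t666\t666\t192.168.0.0-192.168.255.255\t64345\t0\tapnic\trir\tprivate 01
# public
1.0.0.0/24\t0x0e500000\t0x00000067\t-33.490002\t143.210007\t1.0.0.0-1.0.0.255\t74924\t0\t_none_ _none_ australia\tau\tapnic
1.0.1.0/24\t0x2e500000\t0x00000000\t666\t666\t1.0.1.0-1.0.1.255\t74925\t0\t_none_ _none_ china\tcn\tapnic
"""


def parse_subnet_file(text):
    """Read the subnetfile text form: two header lines (coding scheme, date)
    followed by one record per subnet. Comment lines start with '#'."""
    header, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if len(header) < 2:
            header.append(line)
            continue
        f = line.split("\t")
        records.append({
            "net": ipaddress.ip_network(f[0], strict=False),
            "code": int(f[1], 16),      # 1st code32: cc, ccOpt, rir, function groups
            "code2": int(f[2], 16),     # 2nd code32
            "lat": float(f[3]),         # 666 is used as "unknown" in the sample
            "lng": float(f[4]),
            "text": f[5:],              # plaintext_stuff (range, names, rir, ...)
        })
    # most specific prefix first, so the first hit in lookup() is the longest match
    records.sort(key=lambda r: r["net"].prefixlen, reverse=True)
    return {"scheme": header[0], "date": header[1], "records": records}


def lookup(db, ip):
    """Longest-prefix match of ip against the parsed records, or None."""
    a = ipaddress.ip_address(ip)
    for r in db["records"]:
        if a in r["net"]:
            return r
    return None


def label(db, ip, hex_id=False):
    """srcIPCC-style label: hex ID (BFO_SUBNET_HEX=0) or human readable text (=1)."""
    r = lookup(db, ip)
    if r is None:
        return None
    return "0x%08x" % r["code"] if hex_id else " ".join(r["text"][3:])


def lng_lat(db, ip):
    """srcIPLng_Lat-style pair (BFO_SUBNET_LL=1), None when unknown (666)."""
    r = lookup(db, ip)
    if r is None or r["lat"] == 666:
        return None
    return (r["lng"], r["lat"])


if __name__ == "__main__":
    db = parse_subnet_file(SUBNET_FILE)
    for ip in ("10.10.5.6", "10.200.1.1", "1.0.1.77", "192.0.2.1"):
        print(ip, label(db, ip), label(db, ip, hex_id=True), lng_lat(db, ip))
```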
4.4 Packet File Output

In packet mode (-s option), the basicFlow plugin outputs the following columns:

Column | Description | Flags
flowInd | Flow index |
flowStat | Flow status |
time | Time |
pktIAT | Packet inter-arrival time |
duration | Flow duration |
numHdrs | Number of headers (depth) in hdrDesc | T2_PRI_HDRDESC=1
hdrDesc | Headers description | T2_PRI_HDRDESC=1
ethVlanID | VLAN number (inner VLAN) |
ethType | Ethernet type |
macS | Source MAC address |
macD | Destination MAC address |
srcIP4 | Source IPv4 address | IPV6_ACTIVATE=0
srcIP6 | Source IPv6 address | IPV6_ACTIVATE=1
srcPort | Source port |
dstIP4 | Destination IPv4 address | IPV6_ACTIVATE=0
dstIP6 | Destination IPv6 address | IPV6_ACTIVATE=1
dstPort | Destination port |
l4Proto | Layer 4 protocol |
5 basicStats

5.1 Description

The basicStats plugin supplies basic layer four statistics for each flow.

5.2 Configuration Flags

The following flags can be used to control the output of the plugin:

Name | Default | Description | Flags
BS_AGGR_CNT | 0 | 1: add A+B counts, 0: A+B counts off |
BS_REV_CNT | 1 | 1: add reverse counts from opposite flow, 0: native send counts |
BS_STATS | 1 | Whether (1) or not (0) to output statistics (min, max, average, ...) |

If BS_STATS==1, the following additional flags can be used:

Name | Default | Description | Flags
BS_VARSTD | 2 | 0: no var/std calculation, 1: variance, 2: stddev |
BS_XCLD | 0 | 0: do not exclude any value from statistics, 1: include (BS_XMIN,UINT16_MAX], 2: include [0,BS_XMAX), 3: include [BS_XMIN,BS_XMAX], 4: exclude (BS_XMIN,BS_XMAX) |
BS_XMIN | 1 | minimal value included/excluded from statistics | BS_XCLD>0
BS_XMAX | 65535 | maximal value included/excluded from statistics | BS_XCLD>0

5.3 Flow File Output

The basicStats plugin outputs the following fields:

Column | Type | Description | Flags
numPktsSnt | U64 | Number of transmitted packets |
numPktsRcvd | U64 | Number of received packets |
numBytesSnt | U64 | Number of transmitted bytes |
numBytesRcvd | U64 | Number of received bytes |

If BS_STATS==1, the following columns, whose values depend on BS_XCLD, are provided:

Column | Type | Description | Flags
minPktSz | U16 | Minimum layer 3 packet size |
maxPktSz | U16 | Maximum layer 3 packet size |
avePktSize | U16 | Average packet load ratio |
stdPktSize | F | Filt std packet load ratio | BS_VARSTD=2
varPktSize | F | Filt std/var packet load ratio | BS_VARSTD=1
pktps | F | Sent packets per second |
bytps | F | Sent bytes per second |
pktAsm | F | Packet stream asymmetry |
bytAsm | F | Byte stream asymmetry |
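The BS_XCLD intervals are easy to get wrong at the boundaries, so here is an added Python example (not the plugin's code) that applies the five BS_XCLD rules to a flow's packet sizes and derives the min/max/ave/std (or var) columns together with the per-second rates; treating the rates as unfiltered is this example's assumption.

```python
import math

UINT16_MAX = 65535


def included(size, xcld, xmin=1, xmax=UINT16_MAX):
    """Apply the BS_XCLD rule to one layer-3 packet size."""
    if xcld == 0:
        return True
    if xcld == 1:
        return xmin < size <= UINT16_MAX        # (BS_XMIN, UINT16_MAX]
    if xcld == 2:
        return 0 <= size < xmax                 # [0, BS_XMAX)
    if xcld == 3:
        return xmin <= size <= xmax             # [BS_XMIN, BS_XMAX]
    if xcld == 4:
        return not (xmin < size < xmax)         # exclude (BS_XMIN, BS_XMAX)
    raise ValueError("BS_XCLD must be 0..4")


def packet_stats(sizes, times, xcld=0, xmin=1, xmax=UINT16_MAX, varstd=2):
    """Per-direction values of the basicStats columns for one flow.

    sizes: layer-3 packet sizes in arrival order; times: matching timestamps
    in seconds. Filtering affects min/max/ave/std/var only; the packet and
    byte counts and the per-second rates use every packet (assumption).
    """
    kept = [s for s in sizes if included(s, xcld, xmin, xmax)]
    res = {"numPktsSnt": len(sizes), "numBytesSnt": sum(sizes)}
    if kept:
        ave = sum(kept) / len(kept)
        var = sum((s - ave) ** 2 for s in kept) / len(kept)   # population variance
        res.update(minPktSz=min(kept), maxPktSz=max(kept), avePktSize=ave)
        if varstd == 2:
            res["stdPktSize"] = math.sqrt(var)
        elif varstd == 1:
            res["varPktSize"] = var
    duration = times[-1] - times[0] if len(times) > 1 else 0.0
    if duration > 0:
        res["pktps"] = len(sizes) / duration
        res["bytps"] = sum(sizes) / duration
    return res


# Constructed flow: two small control packets, two MTU-sized packets, one ACK.
SIZES = [40, 60, 1500, 1500, 52]
TIMES = [0.0, 0.5, 1.0, 1.5, 2.0]

if __name__ == "__main__":
    print(packet_stats(SIZES, TIMES))                              # everything
    print(packet_stats(SIZES, TIMES, xcld=3, xmin=50, xmax=1400))  # mid-sized only
    print(packet_stats(SIZES, TIMES, xcld=4, xmin=50, xmax=1400))  # extremes only
```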
6 binSink

6.1 Description

The binSink plugin is one of the basic output plugins for Tranalyzer2. It uses the output prefix (-w option) to generate a binary flow file with suffix _flows.bin. All standard output from every plugin is stored in binary format in this file.

6.2 Dependencies

6.2.1 External Libraries

If gzip compression is activated (GZ_COMPRESS=1), then zlib must be installed.

Ubuntu: sudo apt-get install zlib1g-dev
Arch: sudo pacman -S zlib

6.3 Configuration Flags

The following flags can be used to control the output of the plugin:

Name | Default | Description
GZ_COMPRESS | 0 | Whether (1) or not (0) to compress the output (gzip)
SFS_SPLIT | 1 | Whether (1) or not (0) to split the output file (Tranalyzer -W option)
FLOWS_SUFFIX | "_flows.bin" | Suffix to use for the output file
GZ_SUFFIX | ".gz" | Suffix to use for the compressed file
STD_BUFSHFT | BUF_DATA_SHFT * 4 |

6.4 Post-Processing

The program tranalyzer-b2t shipped with the txtSink plugin can be used to convert the binary format generated by this plugin to a text based format.

6.5 Custom File Output

• PREFIX_flows.bin: Binary representation of Tranalyzer output
7 connStat

7.1 Description

The connStat plugin counts the connections between different IPs and ports per flow and during the pcap lifetime in order to produce an operational picture for anomaly detection. This plugin is more elaborate than connectionCounter because it uses the findex to determine which flow started the communication, but it uses more hash space.

7.2 Dependencies

connStat must never be loaded in conjunction with connectionCounter, because then all global statistics for the end report are wrong.

7.3 Configuration Flags

The following flags can be used to control the output of the plugin:

Name | Default | Description
CS_HSDRM | 1 | decrement IP counters when flows die
CS_SDIPMAX | 1 | 1: IP src dst connection with the highest count, 0: number of src dst IP connections

7.4 Flow File Output

The connStat plugin outputs the following columns:

Column | Type | Description
connSip | U32 | Number of connections from source IP to different hosts
connDip | U32 | Number of connections from destination IP to different hosts
connSipDip | U32 | Number of connections between source IP and destination IP
connSipDprt | U32 | Number of connections between source IP and destination port
connF | U32 | the f number, experimental: connSipDprt/connSip
8 descriptiveStats

8.1 Description

The descriptiveStats plugin calculates various statistics about a flow. Because the inter-arrival time of the first packet is by definition always zero, it is removed from the statistics. Therefore the inter-arrival time statistics for flows with only one packet are set to zero.

8.2 Dependencies

8.2.1 Other Plugins

This plugin requires the pktSIATHisto plugin.

8.3 Configuration Flags

The following flags can be used to control the output of the plugin:

Name | Default | Description
ENABLE_PS_CALC | 1 | 1: Enables / 0: Disables calculation of statistics for packet sizes
ENABLE_IAT_CALC | 1 | 1: Enables / 0: Disables calculation of statistics for inter-arrival times

8.4 Flow File Output

The descriptiveStats plugin outputs the following columns:

Column | Type | Description | Flags
MinPl | F | Minimum packet length | ENABLE_PS_CALC=1
MaxPl | F | Maximum packet length | ENABLE_PS_CALC=1
MeanPl | F | Mean packet length | ENABLE_PS_CALC=1
LowQuartilePl | F | Lower quartile of packet lengths | ENABLE_PS_CALC=1
MedianPl | F | Median of packet lengths | ENABLE_PS_CALC=1
UppQuartilePl | F | Upper quartile of packet lengths | ENABLE_PS_CALC=1
IqdPl | F | Inter quartile distance of packet lengths | ENABLE_PS_CALC=1
ModePl | F | Mode of packet lengths | ENABLE_PS_CALC=1
RangePl | F | Range of packet lengths | ENABLE_PS_CALC=1
StdPl | F | Standard deviation of packet lengths | ENABLE_PS_CALC=1
RobStdPl | F | Robust standard deviation of packet lengths | ENABLE_PS_CALC=1
SkewPl | F | Skewness of packet lengths | ENABLE_PS_CALC=1
ExcPl | F | Excess of packet lengths | ENABLE_PS_CALC=1
MinIat | F | Minimum inter-arrival time | ENABLE_IAT_CALC=1
MaxIat | F | Maximum inter-arrival time | ENABLE_IAT_CALC=1
MeanIat | F | Mean inter-arrival time | ENABLE_IAT_CALC=1
LowQuartileIat | F | Lower quartile of inter-arrival times | ENABLE_IAT_CALC=1
MedianIat | F | Median of inter-arrival times | ENABLE_IAT_CALC=1
UppQuartileIat | F | Upper quartile of inter-arrival times | ENABLE_IAT_CALC=1
IqdIat | F | Inter quartile distance of inter-arrival times | ENABLE_IAT_CALC=1
ModeIat | F | Mode of inter-arrival times | ENABLE_IAT_CALC=1
RangeIat | F | Range of inter-arrival times | ENABLE_IAT_CALC=1
StdIat | F | Standard deviation of inter-arrival times | ENABLE_IAT_CALC=1
RobStdIat | F | Robust standard deviation of inter-arrival times | ENABLE_IAT_CALC=1
SkewIat | F | Skewness of inter-arrival times | ENABLE_IAT_CALC=1
ExcIat | F | Excess of inter-arrival times | ENABLE_IAT_CALC=1

8.5 Known Bugs and Limitations

Because the packet length and inter-arrival time plugin stores the inter-arrival times in statistical bins, the original time information is lost. Therefore the calculation of the inter-arrival time statistics is, due to the logarithmic binning, only a rough approximation of the original timing information. Nevertheless, this representation has proven useful in practical cases of anomaly and application classification.
9 dhcpDecode

9.1 Description

The dhcpDecode plugin analyzes DHCP traffic.

9.2 Configuration Flags

The following flags can be used to control the output of the plugin:

Name | Default | Description | Flags
DHCPBITFLD | 1 | Options representation: 1: bitfield, 0: option numbers in a row |
DHCPMAXOPT | 50 | maximum stored options | DHCPBITFLD=0
DHCPNMMAX | 10 | maximal number of domain/host names per flow |
DHCPMASKFRMT | 1 | Netmask representation: 0: hex, 1: IP |

9.3 Flow File Output

The dhcpDecode plugin outputs the following columns:

Column | Type | Description | Flags
dhcpStat | H16 | Status, warnings and errors |
dhcpMTyp | H8 | Message type | IPV6_ACTIVATE=0
dhcpMTyp | H32 | Message type | IPV6_ACTIVATE=1

If IPV6_ACTIVATE == 0, the following columns are output:

Column | Type | Description | Flags
dhcpHWTyp | H32 | Hardware Type |
dhcpCHWAdd_HWCnt | R(MAC_H32) | Client hardware addresses and count |
dhcpNetmask | H32 | Network mask | DHCPMASKFRMT=0
dhcpNetmask | IP4 | Network mask | DHCPMASKFRMT=1
dhcpGWIP | IP4 | Gateway IP |
dhcpDnsIP | IP4 | DNS IP |
dhcpHopCnt | H32 | Hop Count |
dhcpSrvName | S | Server host name |
dhcpBootFile | S | Boot file name |
dhcpOptCnt | U16 | Option Count |
dhcpOptBF | H64_H64_H64 | Option Bit field | DHCPBITFLD=1
dhcpOpts | RU8 | Options | DHCPBITFLD=0
dhcpHosts_HCnt | R(S_U16) | Maximal DHCPNMMAX hosts and count |
dhcpDomains_DCnt | R(S_U16) | Maximal DHCPNMMAX domains and count |
dhcpMaxSecEl | U16 | Maximum seconds elapsed |
dhcpLeaseT | U32 | Lease time |
dhcpRenewT | U32 | Renewal time |
dhcpRebindT | U32 | Rebind time |
dhcpCliIP | IP4 | DHCP client IP |
dhcpYourIP | IP4 | DHCP your (client) IP |
dhcpNextServer | IP4 | DHCP next server IP |
dhcpRelay | IP4 | DHCP relay agent IP |
dhcpLFlow | U64 | DHCP linked flow |

9.3.1 dhcpStat

The dhcpStat status bit field is to be interpreted as follows:

dhcpStat | Description
0x0001 | DHCP detected
0x0002 | Boot request
0x0004 | Boot reply
0x0008 | Broadcast
0x0010 | Client ID (option 61) different from Client MAC address
0x0020 | Option overload: server host name and/or boot file name carry options
0x0100 | Option list truncated... increase DHCPMAXOPT
0x0200 | Client HW address, domain or host name list truncated... increase DHCPNMMAX
0x2000 | Error: DHCP magic number corrupt
0x4000 | Error: DHCP options corrupt
0x8000 | Something weird happened...
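As an added Python example (not the plugin's code), the following decoder walks a DHCPv4 payload and derives the dhcpStat bits above (magic cookie check, option overload, corrupt option lengths, client-ID/MAC mismatch, DHCPMAXOPT truncation) together with the dhcpMTyp, dhcpHWTyp, dhcpHopCnt and dhcpOptBF bit fields described in the following sections. The sample message is constructed with build_discover; tolerating a missing end option and the handling of short payloads are this example's assumptions.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the 236-byte BOOTP header
DHCPMAXOPT = 50                       # plugin default for the option list
# dhcpStat bits from the table above
ST_DETECTED, ST_REQUEST, ST_REPLY, ST_BCAST = 0x0001, 0x0002, 0x0004, 0x0008
ST_CID_DIFF, ST_OVERLOAD, ST_OPT_TRUNC = 0x0010, 0x0020, 0x0100
ST_MAGIC_ERR, ST_OPT_ERR = 0x2000, 0x4000


def parse_options(buf, opts, stat):
    """TLV walk over one option area (options field, or sname/file when
    overloaded); appends (code, value) to opts and returns the stat bits."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == 0:                                 # pad
            i += 1
            continue
        if code == 255:                               # end
            return stat
        if i + 1 >= len(buf) or i + 2 + buf[i + 1] > len(buf):
            return stat | ST_OPT_ERR                  # length runs past the buffer
        opts.append((code, buf[i + 2:i + 2 + buf[i + 1]]))
        i += 2 + buf[i + 1]
    return stat                                       # missing end marker tolerated (assumption)


def decode_dhcp(payload):
    """dhcp* column values for one DHCPv4 UDP payload (IPV6_ACTIVATE=0 set)."""
    if len(payload) < 240:                            # no room for header + cookie
        return {"dhcpStat": ST_DETECTED | ST_MAGIC_ERR}
    op, htype, hlen, hops, _xid, _secs, flags = struct.unpack_from("!BBBBIHH", payload, 0)
    yiaddr = payload[16:20]
    chaddr = payload[28:28 + min(hlen, 16)]
    sname, bootfile = payload[44:108], payload[108:236]
    stat = ST_DETECTED | {1: ST_REQUEST, 2: ST_REPLY}.get(op, 0)
    if flags & 0x8000:
        stat |= ST_BCAST
    if payload[236:240] != MAGIC:
        return {"dhcpStat": stat | ST_MAGIC_ERR}
    opts = []
    stat = parse_options(payload[240:], opts, stat)
    overload = next((v[0] for c, v in opts if c == 52 and v), 0)
    if overload:                                      # option 52: 1 file, 2 sname, 3 both
        stat |= ST_OVERLOAD
        if overload & 1:
            stat = parse_options(bootfile, opts, stat)
        if overload & 2:
            stat = parse_options(sname, opts, stat)
    if len(opts) > DHCPMAXOPT:
        stat |= ST_OPT_TRUNC
        opts = opts[:DHCPMAXOPT]
    cid = next((v for c, v in opts if c == 61), None)
    if cid is not None and cid[1:] != chaddr:         # option 61 = type byte + identifier
        stat |= ST_CID_DIFF
    mtype = next((v[0] for c, v in opts if c == 53 and v), 0)
    bf = [0, 0, 0]                                    # dhcpOptBF_1..3: bit n%64 of word n//64
    for c, _ in opts:
        if c < 192:
            bf[c // 64] |= 1 << (c % 64)
    return {
        "dhcpStat": stat,
        "dhcpMTyp": 1 << (mtype - 1) if 1 <= mtype <= 8 else 0,
        "dhcpHWTyp": 1 << htype if htype < 32 else 0,
        "dhcpHopCnt": 1 << hops if hops <= 16 else 0x80000000,
        "dhcpOptCnt": len(opts),
        "dhcpOptBF": tuple(bf),
        "dhcpOpts": [c for c, _ in opts],
        "dhcpYourIP": ".".join(str(b) for b in yiaddr),
    }


def build_discover(mac, client_id=None, hops=0, broadcast=True):
    """Constructed DHCPDISCOVER for testing (not a capture)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, hops, 0x3903F326, 0, 0x8000 if broadcast else 0)
    hdr += b"\0" * 16                                 # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    opts = b"\x35\x01\x01"                            # 53: DHCPDISCOVER
    if client_id is not None:
        opts += b"\x3d" + bytes([len(client_id)]) + client_id   # 61: client identifier
    opts += b"\x37\x04\x01\x03\x06\x0f"               # 55: parameter request list
    opts += b"\x0c\x04host"                           # 12: host name
    return hdr + MAGIC + opts + b"\xff"


MAC = b"\xaa\xbb\xcc\xdd\xee\x01"

if __name__ == "__main__":
    print(decode_dhcp(build_discover(MAC, client_id=b"\x01" + MAC)))
    print(decode_dhcp(build_discover(MAC, client_id=b"\x01\x00\x11\x22\x33\x44\x55")))
```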
dhcpMTyp
If IPV6_ACTIVATE=0, then the dhcpMTyp column is to be interpreted as follows:
dhcpMTyp
0x01
0x02
0x04
0x08
0x10
0x20
0x40
0x80
Description
Discover Message
Offer Message
Request Message
Decline Message
Acknowledgment Message
Negative Acknowledgment Message
Release Message
Informational Message
Else if IPV6_ACTIVATE=1, then the dhcpMTyp column is to be interpreted as follows:
44
c 2008–2017 by Tranalyzer Development Team
Copyright CONTENTS
9. DHCPDECODE
dhcpMTyp
0x0000 0001
0x0000 0002
0x0000 0004
0x0000 0008
0x0000 0010
0x0000 0020
0x0000 0040
0x0000 0080
0x0000 0100
0x0000 0200
0x0000 0400
0x0000 0800
9.3.3
Description
Reserved
SOLICIT
ADVERTISE
REQUEST
CONFIRM
RENEW
REBIND
REPLY
RELEASE
DECLINE
RECONFIGURE
INFORMATION-REQUEST
dhcpMTyp
0x0000 1000
0x0000 2000
0x0000 4000
0x0000 8000
0x0001 0000
0x0002 0000
0x0004 0000
0x0008 0000
0x0010 0000
0x0020 0000
0x0040 0000
0x0080 0000
Description
RELAY-FORW
RELAY-REPL
LEASEQUERY
LEASEQUERY-REPLY
LEASEQUERY-DONE
LEASEQUERY-DATA
RECONFIGURE-REQUEST
RECONFIGURE-REPLY
DHCPV4-QUERY
DHCPV4-RESPONSE
ACTIVELEASEQUERY
STARTTLS
dhcpHWTyp
The dhcpHWTyp column is to be interpreted as follows:
dhcpHWTyp
20 (=0x0000.0000.0000.0001)
21 (=0x0000.0000.0000.0002)
22 (=0x0000.0000.0000.0004)
23 (=0x0000.0000.0000.0008)
24 (=0x0000.0000.0000.0010)
25 (=0x0000.0000.0000.0020)
26 (=0x0000.0000.0000.0040)
27 (=0x0000.0000.0000.0080)
28 (=0x0000.0000.0000.0100)
29 (=0x0000.0000.0000.0200)
21 0 (=0x0000.0000.0000.0400)
211 (=0x0000.0000.0000.0800)
212 (=0x0000.0000.0000.1000)
213 (=0x0000.0000.0000.2000)
214 (=0x0000.0000.0000.4000)
215 (=0x0000.0000.0000.8000)
216 (=0x0000.0000.0001.0000)
217 (=0x0000.0000.0002.0000)
218 (=0x0000.0000.0004.0000)
219 (=0x0000.0000.0008.0000)
220 (=0x0000.0000.0010.0000)
221 (=0x0000.0000.0020.0000)
222 (=0x0000.0000.0040.0000)
223 (=0x0000.0000.0080.0000)
224 (=0x0000.0000.0100.0000)
225 (=0x0000.0000.0200.0000)
226 (=0x0000.0000.0400.0000)
227 (=0x0000.0000.0800.0000)
Description
—
Ethernet
Experimental Ethernet
Amateur Radio AX.25
Proteon ProNET Token Ring
Chaos
IEEE 802
ARCNET
Hyperchannel
Lanstar
Autonet Short Address
LocalTalk
LocalNet (IBM PCNet or SYTEK LocalNET)
Ultra link
SMDS
Frame Relay
ATM, Asynchronous Transmission Mode
HDLC
Fibre Channel
ATM, Asynchronous Transmission Mode
Serial Line
ATM, Asynchronous Transmission Mode
MIL-STD-188-220
Metricom
IEEE 1394.1995
MAPOS
Twinaxia
EUI-64
45
c 2008–2017 by Tranalyzer Development Team
Copyright 9. DHCPDECODE
CONTENTS
dhcpHWTyp
228 (=0x0000.0000.1000.0000)
229 (=0x0000.0000.2000.0000)
230 (=0x0000.0000.4000.0000)
231 (=0x0000.0000.8000.0000)
9.3.4
Description
HIPARP
IP and ARP over ISO 7816-3
ARPSec
IPsec tunnel
dhcpHopCnt
The dhcpHopCnt column is to be interpreted as follows:
dhcpHopCnt
0x00000000-0x00010000
0x80000000
9.3.5
Description
Number of hops (0-16) 2HopCount
Invalid hop count (> 16)
dhcpOptBF
The dhcpOptBF status bit field is to be interpreted as follows:
20
21
22
23
24
25
26
27
28
29
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
dhcpOptBF_1
(=0x0000.0000.0000.0001)
(=0x0000.0000.0000.0002)
(=0x0000.0000.0000.0004)
(=0x0000.0000.0000.0008)
(=0x0000.0000.0000.0010)
(=0x0000.0000.0000.0020)
(=0x0000.0000.0000.0040)
(=0x0000.0000.0000.0080)
(=0x0000.0000.0000.0100)
(=0x0000.0000.0000.0200)
(=0x0000.0000.0000.0400)
(=0x0000.0000.0000.0800)
(=0x0000.0000.0000.1000)
(=0x0000.0000.0000.2000)
(=0x0000.0000.0000.4000)
(=0x0000.0000.0000.8000)
(=0x0000.0000.0001.0000)
(=0x0000.0000.0002.0000)
(=0x0000.0000.0004.0000)
(=0x0000.0000.0008.0000)
(=0x0000.0000.0010.0000)
(=0x0000.0000.0020.0000)
(=0x0000.0000.0040.0000)
(=0x0000.0000.0080.0000)
(=0x0000.0000.0100.0000)
(=0x0000.0000.0200.0000)
(=0x0000.0000.0400.0000)
(=0x0000.0000.0800.0000)
(=0x0000.0000.1000.0000)
(=0x0000.0000.2000.0000)
(=0x0000.0000.4000.0000)
Length
0
4
4
4+
4+
4+
4+
4+
4+
4+
4+
4+
1+
2
1+
1+
4
1+
1+
1
1
8+
2
1
4
2+
2
1
4
1
1
Description
Pad
Subnet Mask
Time Offset (deprecated)
Router
Time Server
Name Server
Domain Name Server
Log Server
Quote Server
LPR Server
Impress Server
Resource Location Server
Host Name
Boot File Size
Merit Dump File
Domain Name
Swap Server
Root Path
Extensions Path
IP Forwarding enable/disable
Non-local Source Routing enable/disable
Policy Filter
Maximum Datagram Reassembly Size
Default IP Time-to-live
Path MTU Aging Timeout
Path MTU Plateau Table
Interface MTU
All Subnets are Local
Broadcast Address
Perform Mask Discovery
Mask supplier
46
c 2008–2017 by Tranalyzer Development Team
Copyright CONTENTS
9. DHCPDECODE
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
dhcpOptBF_1
(=0x0000.0000.8000.0000)
(=0x0000.0001.0000.0000)
(=0x0000.0002.0000.0000)
(=0x0000.0004.0000.0000)
(=0x0000.0008.0000.0000)
(=0x0000.0010.0000.0000)
(=0x0000.0020.0000.0000)
(=0x0000.0040.0000.0000)
(=0x0000.0080.0000.0000)
(=0x0000.0100.0000.0000)
(=0x0000.0200.0000.0000)
(=0x0000.0400.0000.0000)
(=0x0000.0800.0000.0000)
(=0x0000.1000.0000.0000)
(=0x0000.2000.0000.0000)
(=0x0000.4000.0000.0000)
(=0x0000.8000.0000.0000)
(=0x0001.0000.0000.0000)
(=0x0002.0000.0000.0000)
(=0x0004.0000.0000.0000)
(=0x0008.0000.0000.0000)
(=0x0010.0000.0000.0000)
(=0x0020.0000.0000.0000)
(=0x0040.0000.0000.0000)
(=0x0080.0000.0000.0000)
(=0x0100.0000.0000.0000)
(=0x0200.0000.0000.0000)
(=0x0400.0000.0000.0000)
(=0x0800.0000.0000.0000)
(=0x1000.0000.0000.0000)
(=0x2000.0000.0000.0000)
(=0x4000.0000.0000.0000)
(=0x8000.0000.0000.0000)
Length
1
4
8+
1
4
1
1
4
1
1+
4+
4+
1+
4+
4+
1
1+
4+
4+
4
4
4
4
1
1+
1+
2
4
4
1+
2+
1-255
1
Description
Perform router discovery
Router solicitation address
Static routing table
Trailer encapsulation
ARP cache timeout
Ethernet encapsulation
Default TCP TTL
TCP keepalive interval
TCP keepalive garbage
Network Information Service Domain
Network Information Servers
NTP servers
Vendor specific information
NetBIOS over TCP/IP name server
NetBIOS over TCP/IP Datagram Distribution Server
NetBIOS over TCP/IP Node Type
NetBIOS over TCP/IP Scope
X Window System Font Server
X Window System Display Manager
Requested IP Address
IP address lease time
Option overload
DHCP message type
Server identifier
Parameter request list
Message
Maximum DHCP message size
Renew time value
Rebinding time value
Class-identifier
Client-identifier
NetWare/IP Domain Name
NetWare/IP information
Table 43: dhcpDecode aggregated type 64 bit field
264
265
266
267
268
269
270
271
272
273
274
275
DHCPOptiBF_2
(=0x0000.0000.0000.0001)
(=0x0000.0000.0000.0002)
(=0x0000.0000.0000.0004)
(=0x0000.0000.0000.0008)
(=0x0000.0000.0000.0010)
(=0x0000.0000.0000.0020)
(=0x0000.0000.0000.0040)
(=0x0000.0000.0000.0080)
(=0x0000.0000.0000.0100)
(=0x0000.0000.0000.0200)
(=0x0000.0000.0000.0400)
(=0x0000.0000.0000.0800)
Length
1+
4+
1+
1+
0+
4+
4+
4+
4+
4+
4+
4+
Description
Network Information Service+ Domain
Network Information Service+ Servers
TFTP server name
Bootfile name
Mobile IP Home Agen
Simple Mail Transport Protocol Server
Post Office Protocol Server
Network News Transport Protocol Server
Default World Wide Web Server
Default Finger Server
Default Internet Relay Chat Server
StreetTalk Server
47
c 2008–2017 by Tranalyzer Development Team
Copyright 9. DHCPDECODE
CONTENTS
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
DHCPOptiBF_2
(=0x0000.0000.0000.1000)
(=0x0000.0000.0000.2000)
(=0x0000.0000.0000.4000)
(=0x0000.0000.0000.8000)
(=0x0000.0000.0001.0000)
(=0x0000.0000.0002.0000)
(=0x0000.0000.0004.0000)
(=0x0000.0000.0008.0000)
(=0x0000.0000.0010.0000)
(=0x0000.0000.0020.0000)
(=0x0000.0000.0040.0000)
(=0x0000.0000.0080.0000)
(=0x0000.0000.0100.0000)
(=0x0000.0000.0200.0000)
(=0x0000.0000.0400.0000)
(=0x0000.0000.0800.0000)
(=0x0000.0000.1000.0000)
(=0x0000.0000.2000.0000)
(=0x0000.0000.4000.0000)
(=0x0000.0000.8000.0000)
(=0x0000.0001.0000.0000)
(=0x0000.0002.0000.0000)
(=0x0000.0004.0000.0000)
(=0x0000.0008.0000.0000)
(=0x0000.0010.0000.0000)
(=0x0000.0020.0000.0000)
(=0x0000.0040.0000.0000)
(=0x0000.0080.0000.0000)
(=0x0000.0100.0000.0000)
(=0x0000.0200.0000.0000)
(=0x0000.0400.0000.0000)
(=0x0000.0800.0000.0000)
(=0x0000.1000.0000.0000)
(=0x0000.2000.0000.0000)
(=0x0000.4000.0000.0000)
(=0x0000.8000.0000.0000)
(=0x0001.0000.0000.0000)
(=0x0002.0000.0000.0000)
(=0x0004.0000.0000.0000)
(=0x0008.0000.0000.0000)
(=0x0010.0000.0000.0000)
(=0x0020.0000.0000.0000)
(=0x0040.0000.0000.0000)
(=0x0080.0000.0000.0000)
(=0x0100.0000.0000.0000)
(=0x0200.0000.0000.0000)
(=0x0400.0000.0000.0000)
(=0x0800.0000.0000.0000)
(=0x1000.0000.0000.0000)
(=0x2000.0000.0000.0000)
Length
4+
0-255
0-255
0-255
0
4+
0-255
14+
—
8+
2
1
4
2+
2
1
4
1
1
1
—
—
—
—
—
—
—
—
1+
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
5+
0-255
16
—
—
Description
StreetTalk Directory Assistance Server
User Class Information
SLP Directory Agent
SLP Service Scope
Rapid Commit
FQDN, Fully Qualified Domain Name
Relay Agent Information
Internet Storage Name Service
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
48
c 2008–2017 by Tranalyzer Development Team
Copyright CONTENTS
9. DHCPDECODE
DHCPOptiBF_2
2126 (=0x4000.0000.0000.0000)
2127 (=0x8000.0000.0000.0000)
Length
—
—
Description
—
—
Table 44: dhcpDecode aggregated type 64 bit field
| Option | Bit (DHCPOptiBF_3) | Length | Description |
|---|---|---|---|
| 128 | 2^0 (=0x0000.0000.0000.0001) | — | TFTP Server IP address |
| 129 | 2^1 (=0x0000.0000.0000.0002) | — | Call Server IP address |
| 130 | 2^2 (=0x0000.0000.0000.0004) | — | Discrimination string |
| 131 | 2^3 (=0x0000.0000.0000.0008) | — | Remote statistics server IP address |
| 132 | 2^4 (=0x0000.0000.0000.0010) | — | 802.1P VLAN ID |
| 133 | 2^5 (=0x0000.0000.0000.0020) | — | 802.1Q L2 Priority |
| 134 | 2^6 (=0x0000.0000.0000.0040) | — | Diffserv Code Point |
| 135 | 2^7 (=0x0000.0000.0000.0080) | — | HTTP Proxy for phone-specific applications |
| 136 | 2^8 (=0x0000.0000.0000.0100) | 4+ | PANA Authentication Agent |
| 137 | 2^9 (=0x0000.0000.0000.0200) | 0-255 | LoST Server |
| 138 | 2^10 (=0x0000.0000.0000.0400) | — | CAPWAP Access Controller addresses |
| 139 | 2^11 (=0x0000.0000.0000.0800) | — | OPTION-IPv4_Address-MoS |
| 140 | 2^12 (=0x0000.0000.0000.1000) | — | OPTION-IPv4_FQDN-MoS |
| 141 | 2^13 (=0x0000.0000.0000.2000) | 2+ | SIP UA Configuration Service Domains |
| 142 | 2^14 (=0x0000.0000.0000.4000) | — | OPTION-IPv4_Address-ANDSF |
| 143 | 2^15 (=0x0000.0000.0000.8000) | — | OPTION-IPv6_Address-ANDSF |
| 144 | 2^16 (=0x0000.0000.0001.0000) | — | — |
| 145 | 2^17 (=0x0000.0000.0002.0000) | — | — |
| 146 | 2^18 (=0x0000.0000.0004.0000) | — | — |
| 147 | 2^19 (=0x0000.0000.0008.0000) | — | — |
| 148 | 2^20 (=0x0000.0000.0010.0000) | — | — |
| 149 | 2^21 (=0x0000.0000.0020.0000) | — | — |
| 150 | 2^22 (=0x0000.0000.0040.0000) | — | TFTP server address or Etherboot-GRUB configuration path name |
| 151 | 2^23 (=0x0000.0000.0080.0000) | — | status-code |
| 152 | 2^24 (=0x0000.0000.0100.0000) | — | base-time |
| 153 | 2^25 (=0x0000.0000.0200.0000) | — | start-time-of-state |
| 154 | 2^26 (=0x0000.0000.0400.0000) | — | query-start-time |
| 155 | 2^27 (=0x0000.0000.0800.0000) | — | query-end-time |
| 156 | 2^28 (=0x0000.0000.1000.0000) | — | dhcp-state |
| 157 | 2^29 (=0x0000.0000.2000.0000) | — | data-source |
| 158 | 2^30 (=0x0000.0000.4000.0000) | — | — |
| 159 | 2^31 (=0x0000.0000.8000.0000) | — | — |
| 160 | 2^32 (=0x0000.0001.0000.0000) | — | — |
| 161 | 2^33 (=0x0000.0002.0000.0000) | — | — |
| 162 | 2^34 (=0x0000.0004.0000.0000) | — | — |
| 163 | 2^35 (=0x0000.0008.0000.0000) | — | — |
| 164 | 2^36 (=0x0000.0010.0000.0000) | — | — |
| 165 | 2^37 (=0x0000.0020.0000.0000) | — | — |
| 166 | 2^38 (=0x0000.0040.0000.0000) | — | — |
| 167 | 2^39 (=0x0000.0080.0000.0000) | — | — |
| 168 | 2^40 (=0x0000.0100.0000.0000) | — | — |
| 169 | 2^41 (=0x0000.0200.0000.0000) | — | — |
| 170 | 2^42 (=0x0000.0400.0000.0000) | — | — |
| 171 | 2^43 (=0x0000.0800.0000.0000) | — | — |
| 172 | 2^44 (=0x0000.1000.0000.0000) | — | — |
| 173 | 2^45 (=0x0000.2000.0000.0000) | — | — |
| 174 | 2^46 (=0x0000.4000.0000.0000) | — | — |
| 175 | 2^47 (=0x0000.8000.0000.0000) | — | Etherboot |
| 176 | 2^48 (=0x0001.0000.0000.0000) | — | IP Telephone |
| 177 | 2^49 (=0x0002.0000.0000.0000) | — | Etherboot, PacketCable and CableHome |
| 178 | 2^50 (=0x0004.0000.0000.0000) | — | — |
| 179 | 2^51 (=0x0008.0000.0000.0000) | — | — |
| 180 | 2^52 (=0x0010.0000.0000.0000) | — | — |
| 181 | 2^53 (=0x0020.0000.0000.0000) | — | — |
| 182 | 2^54 (=0x0040.0000.0000.0000) | — | — |
| 183 | 2^55 (=0x0080.0000.0000.0000) | — | — |
| 184 | 2^56 (=0x0100.0000.0000.0000) | — | — |
| 185 | 2^57 (=0x0200.0000.0000.0000) | — | — |
| 186 | 2^58 (=0x0400.0000.0000.0000) | — | — |
| 187 | 2^59 (=0x0800.0000.0000.0000) | — | — |
| 188 | 2^60 (=0x1000.0000.0000.0000) | — | — |
| 189 | 2^61 (=0x2000.0000.0000.0000) | — | — |
| 190 | 2^62 (=0x4000.0000.0000.0000) | — | — |
| 191 | 2^63 (=0x8000.0000.0000.0000) | — | — |

Table 45: dhcpDecode aggregated type 64 bit field
9.4 Plugin Report Output
The number of DHCP packets of each type (Section 9.3.2) is reported.
9.5 TODO
• DHCPv6
9.6 References
• RFC2131: Dynamic Host Configuration Protocol
• RFC2132: DHCP Options and BOOTP Vendor Extensions
10 dnsDecode
10.1 Description
This plugin produces DNS header and content information encountered during the lifetime of a flow. The idea is to identify DNS header and payload features using flow parameters in order to extract information about applications or users. The DNS plugin requires no dependencies and produces output only to the flow file. User-defined compiler switches in dnsDecode.h and malsite.h produce optimized code for the specific application.
10.2 Configuration Flags
The flow based output and the extracted information can be controlled by the switches and constants listed in the table below. The most important one is DNS_MODE, which controls the amount of information in the flow file. DNS_AGGR controls the aggregation of duplicate names and values. The last three limit the amount of memory allocated for flow based DNS record storage. The default values have shown reasonable performance in practice.

| Name | Default | Description |
|---|---|---|
| TF_MALSITE_TEST | 0 | 1: activate blacklist malware test mode (IPv4 only) |
| DNS_MODE | 0xf | 0: only aggregated header count info; 1: REQ records; 2: +ANS records; 3: +AUX records; 4: +ADD records |
| DNS_REQA | 0 | 0: full vectors, 1: aggregate request records |
| DNS_ANSA | 0 | 0: full vectors, 1: aggregate answer records |
| DNS_QRECMAX | 10 | Max # of query records / flow |
| DNS_ARECMAX | 10 | Max # of answer records / flow |
| DNS_HNLMAX | 50 | Max name length in flow structure |

The following additional flag is available in malsite.h:

| Name | Default | Description |
|---|---|---|
| TF_MALSITE_DOMAIN | 0 | 1: malsite domain labeling mode; 0: malsite IP address labeling mode |
10.3 Flow File Output
The default settings will result in 11 tab separated columns in the flow file, where the items in columns 6-11 are sequences of strings containing DNS record name and address entries and specific DNS entry information such as Type or TTL, separated by semicolons. The idea is that the array elements of strings of the different columns correspond to each other, so that easy script based post-processing is possible. The different output modes controlled by DNS_MODE provide an incremental method from a high speed compressed representation to a full human readable representation.

| Column | Type | Description | Flags |
|---|---|---|---|
| dnsStat | H16 | Status bit field, warnings and errors | |
| dnsHdriOPField | H16 | Header field of last packet in flow | |
| dnsStat_OpC_RetC | H8_H16_H16 | Aggregated header status, opcode and RCode flags | |
| dnsCntQu_Asw_Aux_Add | R:U16_U16_U16_U16 | # of question, answer, auxiliary and additional records | |
| dnsAAAqF | F | DDOS DNS AAA / query factor | |
| dnsTypeBF | H8_H16_H16_H64 | Type bitfields | |
| dnsQname | RS | Query name records | DNS_MODE > 0 |
| dnsNMalCode | RH32 | Domain malware code | TF_MALSITE_TEST=1 && TF_MALSITE_DOMAIN=1 |
| dnsAname | RS | Answer name records | DNS_MODE > 1 |
| dnsAPname | RS | Name CNAME entries | DNS_MODE > 1 |
| dns4Address | RIP4 | Address entries IPv4 | DNS_MODE > 1 |
| dns6Address | RIP6 | Address entries IPv6 | DNS_MODE > 1 |
| dnsIPMalCode | RH32 | IP malware code | TF_MALSITE_TEST=1 && TF_MALSITE_DOMAIN=0 |
| dnsAType | RU16 | Answer record Type entries | DNS_MODE > 1 |
| dnsAClass | RU16 | Answer record Class entries | DNS_MODE > 1 |
| dnsATTL | RU32 | Answer record TTL entries | DNS_MODE > 1 |
| dnsMXpref | RU16 | MX record preference entries | DNS_MODE > 1 |
| dnsSRVprio | RU16 | SRV record priority entries | DNS_MODE > 1 |
| dnsSRVwgt | RU16 | SRV record weight entries | DNS_MODE > 1 |
10.3.1 dnsStat
The DNS status bit field listed below provides an efficient method to post-process flow data files in order to detect incidents during flow processing.

| dnsStat | Type | Description |
|---|---|---|
| 2^0 (=0x0001) | DNS_PRTDT | DNS ports detected |
| 2^1 (=0x0002) | DNS_NBIOS | NetBios DNS |
| 2^2 (=0x0004) | DNS_FRAGA | DNS TCP aggregated fragmented content |
| 2^3 (=0x0008) | DNS_FRAGS | DNS TCP fragmented content state |
| 2^4 (=0x0010) | DNS_FTRUNC | Warning: Name truncated |
| 2^5 (=0x0020) | DNS_ANY | Warning: ANY: Zone all from a domain or cached server |
| 2^6 (=0x0040) | DNS_IZTRANS | Warning: Incremental DNS zone transfer detected |
| 2^7 (=0x0080) | DNS_ZTRANS | Warning: DNS zone transfer detected |
| 2^8 (=0x0100) | DNS_WRNULN | Warning: DNS UDP Length exceeded |
| 2^9 (=0x0200) | DNS_WRNIGN | Warning: following Records ignored |
| 2^10 (=0x0400) | DNS_WRNDEX | Warning: Max DNS name records exceeded |
| 2^11 (=0x0800) | DNS_WRNAEX | Warning: Max address records exceeded |
| 2^12 (=0x1000) | DNS_ERRLEN | Error: DNS record length error |
| 2^13 (=0x2000) | DNS_ERRPTR | Error: Wrong DNS PTR detected |
| 2^14 (=0x4000) | DNS_WRNMLN | Warning: DNS length undercut |
| 2^15 (=0x8000) | DNS_ERRCRPT | Error: UDP/TCP DNS Header corrupt or TCP packets missing |
10.3.2 dnsHdriOPField
From the 16 bit DNS header the QR bit and bits five to nine are extracted and mapped in their correct sequence into a byte as indicated below. For a normal single packet exchange flow it provides an accurate status of the DNS transfer. For a multiple packet exchange only the last packet is mapped into the variable; in that case the aggregated header state flags should be considered.

| QR | Opcode | AA | TC | RD | RA | Z | AD | CD | Rcode |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 0000 | 1 | 0 | 1 | 1 | 1 | 0 | 0 | 0000 |
10.3.3 dnsStat_OpC_RetC
For multi-packet DNS flows, e.g. via TCP, the aggregated header state bit field describes the status of all packets in a flow. Thus, flows with certain client and server states can be easily identified and extracted during post-processing.

| dnsStat | Short | Description |
|---|---|---|
| 2^0 (=0x01) | CD | Checking Disabled |
| 2^1 (=0x02) | AD | Authenticated Data |
| 2^2 (=0x04) | Z | Zero |
| 2^3 (=0x08) | RA | Recursion Available |
| 2^4 (=0x10) | RD | Recursion Desired |
| 2^5 (=0x20) | TC | Truncated |
| 2^6 (=0x40) | AA | Authoritative Answer |
| 2^7 (=0x80) | QR | Query / Response |
The four bit OpCode field of the DNS header is mapped via 2^Opcode and an OR into a 16 bit field. Thus, the client can be monitored and anomalies easily identified; e.g. the appearance of reserved bits might indicate a covert channel or malware operation.

| dnsOpC | Description |
|---|---|
| 2^0 (=0x0001) | QUERY, Standard query |
| 2^1 (=0x0002) | IQUERY, Inverse query |
| 2^2 (=0x0004) | STATUS, Server status request |
| 2^3 (=0x0008) | — |
| 2^4 (=0x0010) | Notify |
| 2^5 (=0x0020) | Update |
| 2^6 (=0x0040) | reserved |
| 2^7 (=0x0080) | reserved |
| 2^8 (=0x0100) | reserved |
| 2^9 (=0x0200) | reserved |
| 2^10 (=0x0400) | reserved |
| 2^11 (=0x0800) | reserved |
| 2^12 (=0x1000) | reserved |
| 2^13 (=0x2000) | reserved |
| 2^14 (=0x4000) | reserved |
| 2^15 (=0x8000) | reserved |
The four bit RCode field of the DNS header is mapped via 2^Rcode and an OR into a 16 bit field. It provides valuable information about the success of DNS queries and therefore facilitates the detection of failures, misconfigurations and malicious operations.

| dnsRetC | Short | Description |
|---|---|---|
| 2^0 (=0x0001) | No error | Request completed successfully |
| 2^1 (=0x0002) | Format error | Name server unable to interpret query |
| 2^2 (=0x0004) | Server failure | Name server unable to process query due to problem with name server |
| 2^3 (=0x0008) | Name Error | Authoritative name server only: Domain name in query does not exist |
| 2^4 (=0x0010) | Not Implemented | Name server does not support requested kind of query |
| 2^5 (=0x0020) | Refused | Name server refuses to perform the specified operation for policy reasons |
| 2^6 (=0x0040) | YXDomain | Name Exists when it should not |
| 2^7 (=0x0080) | YXRRSet | RR Set Exists when it should not |
| 2^8 (=0x0100) | NXRRSet | RR Set that should exist does not |
| 2^9 (=0x0200) | NotAuth | Server Not Authoritative for zone |
| 2^10 (=0x0400) | NotZone | Name not contained in zone |
| 2^11 (=0x0800) | — | — |
| 2^12 (=0x1000) | — | — |
| 2^13 (=0x2000) | — | — |
| 2^14 (=0x4000) | — | — |
| 2^15 (=0x8000) | — | — |
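The following Python is an added example, not code from the Tranalyzer project: it decodes the dnsStat column (Section 10.3.1), the dnsHdriOPField word (Section 10.3.2) and the dnsStat_OpC_RetC column (Section 10.3.3) as a post-processing script would, and applies a few defensive triage rules on top (zone transfers, ANY queries, malformed DNS, reserved opcodes, refused or failed answers). It assumes hex columns are printed as "0x..." and that the H8_H16_H16 column joins its three fields with "_"; all sample values are constructed.

```python
"""Decode the dnsDecode bit-field columns of a Tranalyzer flow file.

Added example, not code from the Tranalyzer project. Bit assignments follow
the dnsStat table (10.3.1), the dnsHdriOPField layout (10.3.2) and the
dnsStat_OpC_RetC tables (10.3.3). Assumed: hex columns are printed as
"0x..." and the H8_H16_H16 column joins its three fields with "_".
"""
from typing import Dict, List

# 10.3.1 dnsStat: 16-bit warning/error field
DNS_STAT: Dict[int, str] = {
    0x0001: "DNS_PRTDT", 0x0002: "DNS_NBIOS", 0x0004: "DNS_FRAGA",
    0x0008: "DNS_FRAGS", 0x0010: "DNS_FTRUNC", 0x0020: "DNS_ANY",
    0x0040: "DNS_IZTRANS", 0x0080: "DNS_ZTRANS", 0x0100: "DNS_WRNULN",
    0x0200: "DNS_WRNIGN", 0x0400: "DNS_WRNDEX", 0x0800: "DNS_WRNAEX",
    0x1000: "DNS_ERRLEN", 0x2000: "DNS_ERRPTR", 0x4000: "DNS_WRNMLN",
    0x8000: "DNS_ERRCRPT",
}
# 10.3.3 aggregated header byte: bit 0 = CD ... bit 7 = QR
HDR_FLAGS = ["CD", "AD", "Z", "RA", "RD", "TC", "AA", "QR"]
# 10.3.3 opcode / rcode fields: bit n set means opcode/rcode n was seen
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 3: "unassigned(3)",
           4: "NOTIFY", 5: "UPDATE"}          # 6..15 are reserved
RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain",
          4: "NotImp", 5: "Refused", 6: "YXDomain", 7: "YXRRSet",
          8: "NXRRSet", 9: "NotAuth", 10: "NotZone"}


def set_bits(value: int) -> List[int]:
    """Bit positions set in value, lowest first."""
    return [i for i in range(value.bit_length()) if (value >> i) & 1]


def decode_dns_stat(field: str) -> List[str]:
    """dnsStat column ("0x0081") -> list of DNS_* flag names."""
    return [DNS_STAT[1 << i] for i in set_bits(int(field, 16))]


def decode_header16(field: str) -> dict:
    """dnsHdriOPField: raw 16-bit flag word of the last packet (RFC 1035 layout)."""
    v = int(field, 16)
    names = ["QR", "AA", "TC", "RD", "RA", "Z", "AD", "CD"]
    pos = [15, 10, 9, 8, 7, 6, 5, 4]
    return {"flags": [n for n, p in zip(names, pos) if (v >> p) & 1],
            "opcode": (v >> 11) & 0xF, "rcode": v & 0xF}


def decode_stat_opc_retc(field: str) -> dict:
    """dnsStat_OpC_RetC ("0x98_0x0001_0x0020") -> flags, opcodes, rcodes seen."""
    stat, opc, retc = (int(x, 16) for x in field.split("_"))
    return {
        "flags": [HDR_FLAGS[i] for i in set_bits(stat)],
        "opcodes": [OPCODES.get(i, f"reserved({i})") for i in set_bits(opc)],
        "rcodes": [RCODES.get(i, f"unassigned({i})") for i in set_bits(retc)],
    }


def triage(dns_stat: str, stat_opc_retc: str) -> List[str]:
    """Post-processing rules (constructed) that flag a flow for a closer look."""
    reasons = []
    stat = int(dns_stat, 16)
    if stat & (0x0040 | 0x0080):              # DNS_IZTRANS / DNS_ZTRANS
        reasons.append("zone transfer seen")
    if stat & 0x0020:                         # DNS_ANY
        reasons.append("ANY query seen")
    if stat & (0x1000 | 0x2000 | 0x8000):     # DNS_ERRLEN / ERRPTR / ERRCRPT
        reasons.append("malformed DNS")
    hdr = decode_stat_opc_retc(stat_opc_retc)
    if any(op.startswith("reserved") for op in hdr["opcodes"]):
        reasons.append("reserved opcode used")
    if {"Refused", "ServFail"} & set(hdr["rcodes"]):
        reasons.append("refused or failed answers")
    return reasons


if __name__ == "__main__":
    # Constructed column values, not taken from a real capture
    print(decode_dns_stat("0x0081"))
    print(decode_header16("0x8580"))
    print(decode_stat_opc_retc("0x98_0x0001_0x0020"))
    print(triage("0x0081", "0x98_0x0001_0x0020"))
```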
10.3.4 dnsTypeBF
The 16 bit Type Code field is extracted from each DNS record and mapped via 2^Typecode into a 64 bit field, so that in dnsTypeBF the bit index equals the type code. Gaps are avoided by additional higher bitfields defining higher codes: dnsTypeBF1 starts at type code 99 (SPF), dnsTypeBF2 at 249 (TKEY) and dnsTypeBF3 at 32768 (TA).

| dnsTypeBF3 | Short | Description |
|---|---|---|
| 2^0 (=0x01) | TA | DNSSEC Trust Authorities |
| 2^1 (=0x02) | DLV | DNSSEC Lookaside Validation |
| 2^2 (=0x04) | — | — |
| 2^3 (=0x08) | — | — |
| 2^4 (=0x10) | — | — |
| 2^5 (=0x20) | — | — |
| 2^6 (=0x40) | — | — |
| 2^7 (=0x80) | — | — |

| dnsTypeBF2 | Short | Description |
|---|---|---|
| 2^0 (=0x0001) | TKEY | Transaction Key |
| 2^1 (=0x0002) | TSIG | Transaction Signature |
| 2^2 (=0x0004) | IXFR | Incremental transfer |
| 2^3 (=0x0008) | AXFR | Transfer of an entire zone |
| 2^4 (=0x0010) | MAILB | Mailbox-related RRs (MB, MG or MR) |
| 2^5 (=0x0020) | MAILA | Mail agent RRs (OBSOLETE - see MX) |
| 2^6 (=0x0040) | ZONEALL | Request for all records the server/cache has available |
| 2^7 (=0x0080) | URI | URI |
| 2^8 (=0x0100) | CAA | Certification Authority Restriction |
| 2^9 (=0x0200) | — | — |
| 2^10 (=0x0400) | — | — |
| 2^11 (=0x0800) | — | — |
| 2^12 (=0x1000) | — | — |
| 2^13 (=0x2000) | — | — |
| 2^14 (=0x4000) | — | — |
| 2^15 (=0x8000) | — | — |

| dnsTypeBF1 | Short | Description |
|---|---|---|
| 2^0 (=0x0001) | SPF | |
| 2^1 (=0x0002) | UINFO | |
| 2^2 (=0x0004) | UID | |
| 2^3 (=0x0008) | GID | |
| 2^4 (=0x0010) | UNSPEC | |
| 2^5 (=0x0020) | NID | |
| 2^6 (=0x0040) | L32 | |
| 2^7 (=0x0080) | L64 | |
| 2^8 (=0x0100) | LP | |
| 2^9 (=0x0200) | EUI48 | EUI-48 address |
| 2^10 (=0x0400) | EUI64 | EUI-64 address |
| 2^11 (=0x0800) | — | — |
| 2^12 (=0x1000) | — | — |
| 2^13 (=0x2000) | — | — |
| 2^14 (=0x4000) | — | — |
| 2^15 (=0x8000) | — | — |

| dnsTypeBF | Short | Description |
|---|---|---|
| 2^0 (=0x0000.0000.0000.0001) | — | — |
| 2^1 (=0x0000.0000.0000.0002) | A | IPv4 address |
| 2^2 (=0x0000.0000.0000.0004) | NS | Authoritative name server |
| 2^3 (=0x0000.0000.0000.0008) | MD | Mail destination. Obsolete, use MX instead |
| 2^4 (=0x0000.0000.0000.0010) | MF | Mail forwarder. Obsolete, use MX instead |
| 2^5 (=0x0000.0000.0000.0020) | CNAME | Canonical name for an alias |
| 2^6 (=0x0000.0000.0000.0040) | SOA | Marks the start of a zone of authority |
| 2^7 (=0x0000.0000.0000.0080) | MB | Mailbox domain name |
| 2^8 (=0x0000.0000.0000.0100) | MG | Mail group member |
| 2^9 (=0x0000.0000.0000.0200) | MR | Mail rename domain name |
| 2^10 (=0x0000.0000.0000.0400) | NULL | Null resource record |
| 2^11 (=0x0000.0000.0000.0800) | WKS | Well known service description |
| 2^12 (=0x0000.0000.0000.1000) | PTR | Domain name pointer |
| 2^13 (=0x0000.0000.0000.2000) | HINFO | Host information |
| 2^14 (=0x0000.0000.0000.4000) | MINFO | Mailbox or mail list information |
| 2^15 (=0x0000.0000.0000.8000) | MX | Mail exchange |
| 2^16 (=0x0000.0000.0001.0000) | TXT | Text strings |
| 2^17 (=0x0000.0000.0002.0000) | RP | Responsible Person |
| 2^18 (=0x0000.0000.0004.0000) | AFSDB | AFS Data Base location |
| 2^19 (=0x0000.0000.0008.0000) | X25 | X.25 PSDN address |
| 2^20 (=0x0000.0000.0010.0000) | ISDN | ISDN address |
| 2^21 (=0x0000.0000.0020.0000) | RT | Route Through |
| 2^22 (=0x0000.0000.0040.0000) | NSAP | NSAP address. NSAP style A record |
| 2^23 (=0x0000.0000.0080.0000) | NSAP-PTR | — |
| 2^24 (=0x0000.0000.0100.0000) | SIG | Security signature |
| 2^25 (=0x0000.0000.0200.0000) | KEY | Security key |
| 2^26 (=0x0000.0000.0400.0000) | PX | X.400 mail mapping information |
| 2^27 (=0x0000.0000.0800.0000) | GPOS | Geographical Position |
| 2^28 (=0x0000.0000.1000.0000) | AAAA | IPv6 Address |
| 2^29 (=0x0000.0000.2000.0000) | LOC | Location Information |
| 2^30 (=0x0000.0000.4000.0000) | NXT | Next Domain (obsolete) |
| 2^31 (=0x0000.0000.8000.0000) | EID | Endpoint Identifier |
| 2^32 (=0x0000.0001.0000.0000) | NIMLOC/NB | Nimrod Locator / NetBIOS general Name Service |
| 2^33 (=0x0000.0002.0000.0000) | SRV/NBSTAT | Server Selection / NetBIOS NODE STATUS |
| 2^34 (=0x0000.0004.0000.0000) | ATMA | ATM Address |
| 2^35 (=0x0000.0008.0000.0000) | NAPTR | Naming Authority Pointer |
| 2^36 (=0x0000.0010.0000.0000) | KX | Key Exchanger |
| 2^37 (=0x0000.0020.0000.0000) | CERT | — |
| 2^38 (=0x0000.0040.0000.0000) | A6 | A6 (OBSOLETE - use AAAA) |
| 2^39 (=0x0000.0080.0000.0000) | DNAME | — |
| 2^40 (=0x0000.0100.0000.0000) | SINK | — |
| 2^41 (=0x0000.0200.0000.0000) | OPT | — |
| 2^42 (=0x0000.0400.0000.0000) | APL | — |
| 2^43 (=0x0000.0800.0000.0000) | DS | Delegation Signer |
| 2^44 (=0x0000.1000.0000.0000) | SSHFP | SSH Key Fingerprint |
| 2^45 (=0x0000.2000.0000.0000) | IPSECKEY | — |
| 2^46 (=0x0000.4000.0000.0000) | RRSIG | — |
| 2^47 (=0x0000.8000.0000.0000) | NSEC | NextSECure |
| 2^48 (=0x0001.0000.0000.0000) | DNSKEY | — |
| 2^49 (=0x0002.0000.0000.0000) | DHCID | DHCP identifier |
| 2^50 (=0x0004.0000.0000.0000) | NSEC3 | — |
| 2^51 (=0x0008.0000.0000.0000) | NSEC3PARAM | — |
| 2^52 (=0x0010.0000.0000.0000) | TLSA | — |
| 2^53 (=0x0020.0000.0000.0000) | SMIMEA | S/MIME cert association |
| 2^54 (=0x0040.0000.0000.0000) | — | — |
| 2^55 (=0x0080.0000.0000.0000) | HIP | Host Identity Protocol |
| 2^56 (=0x0100.0000.0000.0000) | NINFO | — |
| 2^57 (=0x0200.0000.0000.0000) | RKEY | — |
| 2^58 (=0x0400.0000.0000.0000) | TALINK | Trust Anchor LINK |
| 2^59 (=0x0800.0000.0000.0000) | CDS | Child DS |
| 2^60 (=0x1000.0000.0000.0000) | CDNSKEY | DNSKEY(s) the Child wants reflected in DS |
| 2^61 (=0x2000.0000.0000.0000) | OPENPGPKEY | OpenPGP Key |
| 2^62 (=0x4000.0000.0000.0000) | CSYNC | Child-To-Parent Synchronization |
| 2^63 (=0x8000.0000.0000.0000) | — | — |
10.4 Plugin Report Output
The following information is reported:
• Number of DNS IPv4/6 packets
• Number of DNS IPv4/6 Q,R packets
• Aggregated status flags (dnsStat)
10.5 Example Output
The idea is that the string and integer array elements of question, answer, TTL and Type record entries match by column index, so that easy script based mapping and post-processing is possible. A sample output is shown below. Especially when large records are present, the same name is printed several times, which might degrade readability. Therefore, a next version will have a multiple Aname suppressor switch, which should be off for script based post-processing.

| Query name | Answer name | Answer address | TTL | Type |
|---|---|---|---|---|
| www.macromedia.com; | www.macromedia.com;www-mm.wip4.adobe.com | 0.0.0.0;8.118.124.64 | 2787;4 | 5;1 |

10.6 TODO
• Compressed mode for DNS records
11 entropy
11.1 Description
The entropy plugin calculates the entropy of the snapped IP payload distribution. The calculation of the entropy demands a number of elements equal to SQR(alphabet) = 16 in the default case. The size of the alphabet is variable; by default one byte = 256 characters. Two other key parameters, a binary and a text based ratio, in combination with the entropy serve as input for AI based content and application classification. The character and binary ratio denote the degree of text or binary content respectively.
The entropy plugin operates in two modes:
• entropy payload
• entropy payload + time series
The latter is deactivated by default for production purposes. The parameter ENT_MAXPBIN controls the size of the alphabet and ENT_ALPHA_D the output of the payload character distribution per flow.
11.1.1 Entropy Time Series (Experimental)
The reason for this flow file addition is the exploration of entropy chunks calculated over the whole payload as a series.
11.2 Configuration Flags
The following flags can be used to control the output of the plugin:

| Name | Default | Description |
|---|---|---|
| ENT_THRES | 1 | calc entropy only if number of payload bytes > this value |
| ENT_ALPHA_D | 0 | 1: print alphabet distribution in flow file |
| ENT_D_OFFSET | 0 | start of entropy calc in payload |

The following flags are experimental for the MAC anomaly detection end report:

| Name | Default | Description |
|---|---|---|
| ENT_FLOW | 0 | global flow entropy: 1: entropy, 0 output; 2: + distribution |
| ENT_NTUPLE | 55 | |
11.3 Flow File Output
The entropy plugin outputs the following columns:

| Column | Type | Description | Flags |
|---|---|---|---|
| PyldEntropy | F | Payload entropy; -1.0 if no entropy calculated | |
| PyldChRatio | F | Payload character ratio | |
| PyldBinRatio | F | Payload binary ratio | |
| Pyldlen | U32 | Payload length | ENT_ALPHA_D=1 |
| PyldHisto | RU32 | Payload histogram | ENT_ALPHA_D=1 |
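As an added example (not the entropy plugin's own C code), the following Python computes the five flow-file columns above from a snapped payload, honouring ENT_THRES and ENT_D_OFFSET from Section 11.2 and the -1.0 "no entropy calculated" convention. The page does not define the character and binary ratios precisely, so the text-byte definition used here (printable ASCII plus tab, LF, CR) and the rule-of-thumb classify() labels are assumptions; the sample payloads are constructed.

```python
"""Entropy-plugin style payload features (added example; not the plugin's own C code).

The page says the character and binary ratios denote the degree of text or
binary content; the concrete definition below (printable ASCII plus
whitespace counts as text) is an assumption. ENT_THRES, ENT_D_OFFSET and the
-1.0 "no entropy calculated" convention follow Sections 11.2 and 11.3.
"""
import math
from typing import Dict, List

ALPHABET = 256  # one byte = 256 characters (default alphabet size)


def is_text_byte(b: int) -> bool:
    """Assumed text definition: printable ASCII or tab/LF/CR."""
    return 32 <= b < 127 or b in (9, 10, 13)


def payload_entropy(payload: bytes, thres: int = 1, offset: int = 0) -> Dict:
    """Compute the flow-file columns of Section 11.3 for one snapped payload.

    thres  mirrors ENT_THRES: entropy is only calculated if len > thres
    offset mirrors ENT_D_OFFSET: start of the entropy calculation in the payload
    """
    data = payload[offset:]
    n = len(data)
    hist: List[int] = [0] * ALPHABET
    for b in data:
        hist[b] += 1
    if n <= thres:
        # PyldEntropy = -1.0 marks "no entropy calculated"
        return {"PyldEntropy": -1.0, "PyldChRatio": 0.0, "PyldBinRatio": 0.0,
                "Pyldlen": n, "PyldHisto": hist}
    # Shannon entropy over the byte distribution, in bits per symbol (max 8.0)
    ent = -sum((c / n) * math.log2(c / n) for c in hist if c)
    text = sum(c for b, c in enumerate(hist) if is_text_byte(b))
    return {"PyldEntropy": ent, "PyldChRatio": text / n,
            "PyldBinRatio": (n - text) / n, "Pyldlen": n, "PyldHisto": hist}


def classify(feat: Dict) -> str:
    """Rule-of-thumb labelling (an assumption, standing in for the AI stage the page mentions)."""
    if feat["PyldEntropy"] < 0:
        return "unknown"
    if feat["PyldEntropy"] > 7.0 and feat["PyldBinRatio"] > 0.5:
        return "high-entropy binary (compressed or encrypted)"
    if feat["PyldChRatio"] > 0.9:
        return "text"
    return "binary"


if __name__ == "__main__":
    # Constructed sample payloads, not from a capture
    samples = {
        "http request": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "all byte values": bytes(range(256)),
        "too short": b"a",
    }
    for name, p in samples.items():
        f = payload_entropy(p)
        print(f"{name:16s} entropy={f['PyldEntropy']:.3f} ch={f['PyldChRatio']:.2f} "
              f"bin={f['PyldBinRatio']:.2f} -> {classify(f)}")
```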
12 ftpDecode
12.1 Description
The ftpDecode plugin analyses FTP traffic. User-defined compiler switches are in ftpDecode.h.
12.2 Configuration Flags
The following flags can be used to control the output of the plugin:

| Name | Default | Description |
|---|---|---|
| FTP_SAVE | 0 | Save content to FTP_F_PATH |
| BITFIELD | 0 | Bitfield coding of FTP commands |
| FTP_MXNMUN | 10 | maximal USER name length |
| FTP_MXNMPN | 10 | maximal PW length |
| FTP_MXNMLN | 50 | maximal name length |
| FTP_MAXCPFI | 10 | Maximal number of parent findex |
| MAXUNM | 5 | maximal number of users |
| MAXPNM | 5 | maximal number of passwords |
| MAXCNM | 20 | maximal number of parameters |
| FTP_F_PATH | "/tmp/FTPFILES/" | Path for extracted content |

The plugin identifies the client FTP flows automatically and links them via ftpCDFindex, identifying the findex of the associated flows.
12.3 Flow File Output
The ftpDecode plugin outputs the following columns:

| Column | Type | Description | Flags |
|---|---|---|---|
| ftpStat | H8 | Status bit field | |
| ftpCBF | H64 | Command bit field | BITFIELD=1 |
| ftpCDFindex | RU64 | Command/data findex link | |
| ftpCC | RSC | FTP command codes | |
| ftpRC | RU16 | FTP response codes | |
| ftpUsrNum | U8 | number of FTP users | |
| ftpPwNum | U8 | number of FTP passwords | |
| ftpCNum | U8 | number of FTP parameters | |
| ftpUsr | RS | FTP users | |
| ftpPw | RS | FTP passwords | |
| ftpC | RS | FTP content | |
12.3.1 ftpStat
The ftpStat column describes the errors encountered during the flow lifetime:

| ftpStat | Name | Description |
|---|---|---|
| 2^0 (=0x01) | FTP_INIT | FTP control port found |
| 2^1 (=0x02) | FTP_PPRNT | FTP passive parent flow |
| 2^2 (=0x04) | FTP_PPWF | FTP passive write finished |
| 2^3 (=0x08) | FTP_APRNT | FTP active parent flow |
| 2^4 (=0x10) | FTP_PPWFERR | File error |
| 2^5 (=0x20) | FTP_NDFLW | Data flow not detected |
| 2^6 (=0x40) | — | — |
| 2^7 (=0x80) | FTP_OVFL | Array overflow |
12.3.2 ftpCBF
The ftpCBF column is to be interpreted as follows:

| ftpCBF | Description |
|---|---|
| 2^0 (=0x0000000000000001) | ABOR |
| 2^1 (=0x0000000000000002) | ACCT |
| 2^2 (=0x0000000000000004) | ADAT |
| 2^3 (=0x0000000000000008) | ALLO |
| 2^4 (=0x0000000000000010) | APPE |
| 2^5 (=0x0000000000000020) | AUTH |
| 2^6 (=0x0000000000000040) | CCC |
| 2^7 (=0x0000000000000080) | CDUP |
| 2^8 (=0x0000000000000100) | CONF |
| 2^9 (=0x0000000000000200) | CWD |
| 2^10 (=0x0000000000000400) | DELE |
| 2^11 (=0x0000000000000800) | ENC |
| 2^12 (=0x0000000000001000) | EPRT |
| 2^13 (=0x0000000000002000) | EPSV |
| 2^14 (=0x0000000000004000) | FEAT |
| 2^15 (=0x0000000000008000) | HELP |
| 2^16 (=0x0000000000010000) | LANG |
| 2^17 (=0x0000000000020000) | LIST |
| 2^18 (=0x0000000000040000) | LPRT |
| 2^19 (=0x0000000000080000) | LPSV |
| 2^20 (=0x0000000000100000) | MDTM |
| 2^21 (=0x0000000000200000) | MIC |
| 2^22 (=0x0000000000400000) | MKD |
| 2^23 (=0x0000000000800000) | MLSD |
| 2^24 (=0x0000000001000000) | MLST |
| 2^25 (=0x0000000002000000) | MODE |
| 2^26 (=0x0000000004000000) | NLST |
| 2^27 (=0x0000000008000000) | NOOP |
| 2^28 (=0x0000000010000000) | OPTS |
| 2^29 (=0x0000000020000000) | PASS |
| 2^30 (=0x0000000040000000) | PASV |
| 2^31 (=0x0000000080000000) | PBSZ |
| 2^32 (=0x0000000100000000) | PORT |
| 2^33 (=0x0000000200000000) | PROT |
| 2^34 (=0x0000000400000000) | PWD |
| 2^35 (=0x0000000800000000) | QUIT |
| 2^36 (=0x0000001000000000) | REIN |
| 2^37 (=0x0000002000000000) | REST |
| 2^38 (=0x0000004000000000) | RETR |
| 2^39 (=0x0000008000000000) | RMD |
| 2^40 (=0x0000010000000000) | RNFR |
| 2^41 (=0x0000020000000000) | RNTO |
| 2^42 (=0x0000040000000000) | SITE |
| 2^43 (=0x0000080000000000) | SIZE |
| 2^44 (=0x0000100000000000) | SMNT |
| 2^45 (=0x0000200000000000) | STAT |
| 2^46 (=0x0000400000000000) | STOR |
| 2^47 (=0x0000800000000000) | STOU |
| 2^48 (=0x0001000000000000) | STRU |
| 2^49 (=0x0002000000000000) | SYST |
| 2^50 (=0x0004000000000000) | TYPE |
| 2^51 (=0x0008000000000000) | USER |
| 2^52 (=0x0010000000000000) | XCUP |
| 2^53 (=0x0020000000000000) | XMKD |
| 2^54 (=0x0040000000000000) | XPWD |
| 2^55 (=0x0080000000000000) | XRCP |
| 2^56 (=0x0100000000000000) | XRMD |
| 2^57 (=0x0200000000000000) | XRSQ |
| 2^58 (=0x0400000000000000) | XSEM |
| 2^59 (=0x0800000000000000) | XSEN |
| 2^60 (=0x1000000000000000) | CLNT |
12.4 TODO
• fragmentation
• reply address extraction
• ftp parent hash
13 geoip
13.1 Description
This plugin outputs the geographic location of IP addresses.
13.2 Dependencies
This product includes GeoLite2 data created by MaxMind, available from http://www.maxmind.com. Legacy databases (GeoLiteCity.data.gz and GeoLiteCityv6.dat.gz) require libgeoip, while GeoLite2 requires libmaxminddb.
Ubuntu: sudo apt-get install libgeoip-dev libmaxminddb-dev
Kali: sudo apt-get install libgeoip-dev
OpenSUSE: sudo zypper install libGeoIP-devel
Arch: sudo pacman -S geoip
libmaxminddb can be found in the Arch User Repository (AUR) at https://aur.archlinux.org/packages/libmaxminddb.
13.2.1 Databases Update
The latest version of the databases can be found at https://dev.maxmind.com/geoip/geoip2/geolite2/ (GeoLite2 City). Legacy databases, the latest version of which can be found at https://dev.maxmind.com/geoip/legacy/geolite (GeoLite City and GeoLite City IPv6), are also supported. Alternatively, the databases can be updated with the updatedb.sh script.
13.3 Configuration Flags
The following flags can be used to control the output of the plugin (information in italics only applies to legacy databases):

| Name | Default | Description |
|---|---|---|
| GEOIP_LEGACY | 1 | Whether to use GeoLite2 (0) or the GeoLite legacy database (1) |
| GEOIP_SRC | 1 | Whether (1) or not (0) to display geo info for the source IP |
| GEOIP_DST | 1 | Whether (1) or not (0) to display geo info for the destination IP |
| GEOIP_CONTINENT | 2 | 0: no continent, 1: name (GeoLite2), 2: two letters code |
| GEOIP_COUNTRY | 2 | 0: no country, 1: name, 2: two letters code, 3: three letters code |
| GEOIP_REGION | 1 | 0: no region, 1: name, 2: code |
| GEOIP_CITY | 1 | Whether (1) or not (0) to display the city of the IP |
| GEOIP_POSTCODE | 1 | Whether (1) or not (0) to display the postal code of the IP |
| GEOIP_ACCURACY | 1 | Whether (1) or not (0) to display the accuracy of the geolocation |
| GEOIP_POSITION | 1 | Whether (1) or not (0) to display the position (latitude, longitude) of the IP |
| GEOIP_METRO_CODE | 0 | Whether (1) or not (0) to display the metro (DMA) code of the IP (US only) |
| GEOIP_AREA_CODE | 0 | Whether (1) or not (0) to display the telephone area code of the IP |
| GEOIP_NETMASK | 2 | 0: no netmask, 1: netmask as int (CIDR), 2: netmask as hex, 3: netmask as IP |
| GEOIP_TIME_ZONE | 1 | (GeoLite2) Whether (1) or not (0) to display the time zone |
| GEOIP_LANG | "en" | (GeoLite2) Language to use: Brazilian Portuguese (pt-BR), English (en), French (fr), German (de), Japanese (jp), Russian (ru), Simplified Chinese (zh-CN) or Spanish (es) |
| GEOIP_BUFSIZE | 64 | (GeoLite2) Buffer size |
| GEOIP_DB_CACHE | 2 | 0: read DB from file system (slower, least memory); 1: index cache (cache frequently used index only); 2: memory cache (faster, more memory) |
| GEOIP_UNKNOWN | "--" | Representation of unknown locations (GeoIP's default) |
13.4 Flow File Output
The geoip plugin outputs the following columns (for src and dst IP):

| Column | Type | Description | Flags |
|---|---|---|---|
| srcIpContinent | S | Continent name | GEOIP_CONTINENT=1 |
| srcIpContinent | SC | Continent code | GEOIP_CONTINENT=2 |
| srcIpCountry | S | Country name | GEOIP_COUNTRY=1 |
| srcIpCountry | SC | Country code | GEOIP_COUNTRY=2 or 3 |
| srcIpRegion | SC | Region | GEOIP_REGION=1 |
| srcIpRegion | S | Region | GEOIP_REGION=2 |
| srcIpCity | S | City | |
| srcIpPostcode | SC | Postal code | |
| srcIpAccuracy | U16 | Accuracy of the geolocation (in km) | |
| srcIpLatitude | D | Latitude | GEOIP_LEGACY=0 |
| srcIpLongitude | D | Longitude | GEOIP_LEGACY=0 |
| srcIpLatitude | F | Latitude | GEOIP_LEGACY=1 |
| srcIpLongitude | F | Longitude | GEOIP_LEGACY=1 |
| srcIpMetroCode | U16 | Metro (DMA) code (US only) | GEOIP_LEGACY=0 |
| srcIpMetroCode | I32 | Metro (DMA) code (US only) | GEOIP_LEGACY=1 |
| srcIpAreaCode | I32 | Area code | |
| srcIpNetmask | U32 | Netmask (CIDR) | GEOIP_NETMASK=1 |
| srcIpNetmask | H32 | Netmask | GEOIP_NETMASK=2 |
| srcIpNetmask | IP4 | Netmask | GEOIP_NETMASK=3 |
| srcIpTimeZone | S | Time zone | |
| geoStat | H8 | Status | |
13.4.1 srcIpContinent
Continent codes are as follows:

| Code | Description |
|---|---|
| AF | Africa |
| AS | Asia |
| EU | Europe |
| NA | North America |
| OC | Oceania |
| SA | South America |
| - | Unknown (see GEOIP_UNKNOWN) |

13.4.2 geoStat
The geoStat column is to be interpreted as follows:

| geoStat | Description |
|---|---|
| 2^0 (=0x01) | A string had to be truncated... increase GEOIP_BUFSIZE |
13.5 Post-Processing
The geoip plugin comes with the genkml.sh script, which generates a KML (Keyhole Markup Language) file from a flow file. This KML file can then be loaded in Google Earth to display the location of the IP addresses involved in the dump file. Its usage is straightforward:
./genkml.sh FILE_flows.txt
14 httpSniffer
The httpSniffer plugin processes HTTP header and content information of a flow. The idea is to identify certain HTTP features using flow parameters and to extract certain content, such as text or images, for further investigation. The httpSniffer plugin requires no dependencies and produces output only to the flow file. User-defined compiler switches in httpSniffer.h produce optimized code for the specific application.
14.1 Configuration Flags
The flow based output and the extracted information can be controlled by the switches and constants listed in the table below. They control the output of host, URL and method counts, names and cookies, and the function of content storage. WARNING: the amount of data stored on disk can be substantial; make sure that the number of concurrent file handles is large enough (use ulimit -n).

| Name | Default | Description | Flags |
|---|---|---|---|
| HTTP_MIME | 1 | mime types | |
| HTTP_STAT | 1 | status codes | |
| HTTP_MCNT | 1 | mime count: get, post | |
| HTTP_HOST | 1 | hosts | |
| HTTP_URL | 1 | URLs | |
| HTTP_COOKIE | 1 | cookies | |
| HTTP_IMAGE | 1 | image names | |
| HTTP_VIDEO | 1 | video names | |
| HTTP_AUDIO | 1 | audio names | |
| HTTP_MSG | 1 | message names | |
| HTTP_APPL | 1 | application names | |
| HTTP_TEXT | 1 | text names | |
| HTTP_PUNK | 1 | post/else/unknown names | |
| HTTP_BODY | 1 | analyse body and print anomalies | |
| HTTP_BDURL | 1 | refresh and set-cookie URLs | HTTP_BODY=1 |
| HTTP_USRAG | 1 | user agents | |
| HTTP_XFRWD | 1 | X-Forward | |
| HTTP_REFRR | 1 | Referer | |
| HTTP_VIA | 1 | Via | |
| HTTP_LOC | 0 | Location | |
| HTTP_SERV | 1 | Server | |
| HTTP_PWR | 1 | Powered by | |
| HTTP_STATA | 1 | aggregate status response codes | |
| HTTP_HOSTAGA | 1 | aggregate hosts | |
| HTTP_URLAGA | 1 | aggregate URLs | |
| HTTP_USRAGA | 1 | aggregate user agents | |
| HTTP_XFRWDA | 1 | aggregate X-Forward-For | |
| HTTP_REFRRA | 1 | aggregate Referer | |
| HTTP_VIAA | 1 | aggregate Via | |
| HTTP_LOCA | 0 | aggregate Location | |
| HTTP_SERVA | 1 | aggregate Server | |
| HTTP_PWRA | 1 | aggregate Powered by | |

| Name | Default | Description |
|---|---|---|
| HTTP_SAVE_IMAGE | 0 | save images |
| HTTP_SAVE_VIDEO | 0 | save videos |
| HTTP_SAVE_AUDIO | 0 | save audios |
| HTTP_SAVE_MSG | 0 | save messages |
| HTTP_SAVE_TEXT | 0 | save texts |
| HTTP_SAVE_APPL | 0 | save applications |
| HTTP_SAVE_PUNK | 0 | save put/else |
| HTTP_RM_PICDIR | 0 | delete directories at T2 start |
Aggregate mode is on by default to save memory. Note that HTTP_SAVE_* refers to the Content-Type, e.g., HTTP_SAVE_APPL will save all payload whose Content-Type starts with application/ (including forms, such as application/x-www-form-urlencoded). The maximum memory allocation per item is defined by HTTP_DATA_C_MAX, listed below. The path of each extracted HTTP content type can be set by the corresponding HTTP_XXXX_PATH constant. HTTP content having no name is assigned a default name defined by HTTP_NONAME_IMAGE. Each name is appended with the findex, packet number and an index to facilitate the mapping between flows and their content. HTTP_DATA_C_MAX has to be chosen carefully, because for each item (mime, cookie, image, etc.) HTTP_MXFILE_LEN * HTTP_DATA_C_MAX * HASHCHAINTABLE_SIZE * HASHFACTOR bytes are allocated.
| Name | Default | Description |
|---|---|---|
| HTTP_PATH | "/tmp/" | Root path |
| HTTP_IMAGE_PATH | HTTP_PATH"httpPicture/" | Path for pictures |
| HTTP_VIDEO_PATH | HTTP_PATH"httpVideo/" | Path for videos |
| HTTP_AUDIO_PATH | HTTP_PATH"httpAudio/" | Path for audios |
| HTTP_MSG_PATH | HTTP_PATH"httpMSG/" | Path for messages |
| HTTP_TEXT_PATH | HTTP_PATH"httpText/" | Path for texts |
| HTTP_APPL_PATH | HTTP_PATH"httpAppl/" | Path for applications |
| HTTP_PUNK_PATH | HTTP_PATH"httpPunk/" | Path for put/else |
| HTTP_NONAME_IMAGE | "nudel" | File name for unnamed content |
| HTTP_DATA_C_MAX | 10 | Maximum dim of all storage arrays: # / flow |
| HTTP_CNT_LEN | 13 | max # of cnt digits attached to file name |
| HTTP_FINDEX_LEN | 20 | string length of findex in decimal format |
| HTTP_MXFILE_LEN | 15 | Maximum image name length in bytes |
| HTTP_MXUA_LEN | 150 | Maximum user agent name length in bytes |
| HTTP_MXXF_LEN | 80 | Maximum x-forward-for name length in bytes |
| HTTP_AVID_LEN | 32 | Maximum antivirus client ID length in bytes |
14.2 Flow File Output
The default settings will result in six tab separated columns in the flow file, where the items in columns 4-6 are sequences of strings separated by ';'. If an item switch is set to '0', only the occurrence of this item during the flow is supplied. This is a high speed mode for large datasets or real-time operation, meant to give an initial idea of interesting flows, e.g. by script based post-processing that also selects on the information supplied by the first three columns.

| Column | Type | Description | Flags |
|---|---|---|---|
| httpStat | H16 | Status | |
| httpAFlags | H16 | Anomaly flags | |
| httpMethods | H8 | HTTP methods | |
| httpHeadMimes | H16 | HEADMIME-TYPES | |
| httpCFlags | H8 | HTTP content body info | HTTP_BODY=1 |
| httpGet_Post | 2U16 | Number of GET and POST requests | HTTP_MCNT=1 |
| httpRSCnt | U16 | Response status count | HTTP_STAT=1 |
| httpRSCode | U16 | Response status code | HTTP_STAT=1 |
| httpURL_Via_Loc_Srv_Pwr_UAg_XFr_Ref_Cky_Mim | 10U16 | Number of URL, Via, Location, Server, Powered-By, User-Agent, X-Forwarded-For, Referer, Cookie and Mime-Type | |
| httpImg_Vid_Aud_Msg_Txt_App_Unk | 7U16 | Number of images, videos, audios, messages, texts, applications and unknown | |
| httpHosts | RS | Host names | HTTP_HOST=1 |
| httpURL | RS | URLs (including parameters) | HTTP_URL=1 |
| httpMimes | RS | MIME-types | HTTP_MIME=1 |
| httpCookies | RS | Cookies | HTTP_COOKIE=1 |
| httpImages | RS | Images | HTTP_IMAGE=1 |
| httpVideos | RS | Videos | HTTP_VIDEO=1 |
| httpAudios | RS | Audios | HTTP_AUDIO=1 |
| httpMsgs | RS | Messages | HTTP_MSG=1 |
| httpAppl | RS | Applications | HTTP_APPL=1 |
| httpText | RS | Texts | HTTP_TEXT=1 |
| httpPunk | RS | Punk | HTTP_PUNK=1 |
| httpBdyURL | RS | Body: Refresh, set_cookie URL | HTTP_BODY=1 && HTTP_BDURL=1 |
| httpUsrAg | RS | User-Agent | HTTP_USRAG=1 |
| httpXFor | RS | X-Forwarded-For | HTTP_XFRWD=1 |
| httpRefrr | RS | Referer | HTTP_REFRR=1 |
| httpVia | RS | Via (Proxy) | HTTP_VIA=1 |
| httpLoc | RS | Location (Redirection) | HTTP_LOC=1 |
| httpServ | RS | Server | HTTP_SERV=1 |
| httpPwr | RS | Powered-By / Application | HTTP_PWR=1 |
httpStat
The httpStat column is to be interpreted as follows:
httpStat           Description
2^0  (=0x0001)     Warning: HTTP_DATA_C_MAX entries in flow name array reached
2^1  (=0x0002)     Warning: Filename longer than HTTP_MXFILE_LEN
2^2  (=0x0004)     Internal State: pending URL name
2^3  (=0x0008)     HTTP flow
2^4  (=0x0010)     Internal State: chunked transfer
2^5  (=0x0020)     Internal State: HTTP flow detected
2^6  (=0x0040)     Internal State: HTTP header parsing in process
2^7  (=0x0080)     Internal State: sequence number init
2^8  (=0x0100)     Internal State: header shift
2^9  (=0x0200)     Internal State: PUT payload sniffing
2^10 (=0x0400)     Internal State: image payload sniffing
2^11 (=0x0800)     Internal State: video payload sniffing
2^12 (=0x1000)     Internal State: audio payload sniffing
2^13 (=0x2000)     Internal State: message payload sniffing
2^14 (=0x4000)     Internal State: text payload sniffing
2^15 (=0x8000)     Internal State: application payload sniffing
14.2.2 httpAFlags
The httpAFlags column denotes HTTP anomalies regarding the protocol and security. It is to be interpreted as follows:
httpAFlags         Description
2^0  (=0x0001)     Warning: POST ? anomaly, possible malware
2^1  (=0x0002)     Warning: Host is IPv4
2^2  (=0x0004)     Warning: Possible DGA
2^3  (=0x0008)     Warning: Mismatched content-type
2^4  (=0x0010)     Warning: Sequence number mangled or error retry detected
2^5  (=0x0020)     Warning: Parse error
2^6  (=0x0040)     Info: X-Site Scripting protection
2^7  (=0x0080)     Info: Content Security Policy
2^8  (=0x0100)     Warning: possible exe download, check also the MIME type for a conflict
2^9  (=0x0200)     Warning: possible ELF download, check also the MIME type for a conflict
2^10 (=0x0400)     Warning: HTTP 1.0 legacy protocol, often used by malware
2^11 (=0x0800)     —
2^12 (=0x1000)     —
2^13 (=0x2000)     —
2^14 (=0x4000)     —
2^15 (=0x8000)     —
14.2.3 httpMethods
The aggregated httpMethods bit field provides an instant overview of the protocol state and communication during a flow. It can also be used during post-processing to select only flows containing, e.g., responses or DELETE operations.
httpMethods       Method     Description
0    (=0x00)      RESPONSE   Response of server identified by URL
2^0  (=0x01)      OPTIONS    Return HTTP methods that the server supports for the specified URL
2^1  (=0x02)      GET        Request a representation of the specified resource
2^2  (=0x04)      HEAD       Request a representation of the specified resource without BODY
2^3  (=0x08)      POST       Request to accept the enclosed entity as a new subordinate of the resource identified by the URI
2^4  (=0x10)      PUT        Request to store the enclosed entity under the supplied URI
2^5  (=0x20)      DELETE     Delete the specified resource
2^6  (=0x40)      TRACE      Echo back the received request
2^7  (=0x80)      CONNECT    Convert the request connection to a transparent TCP/IP tunnel
14.2.4 httpHeadMimes
The aggregated httpHeadMimes bit field provides an instant overview of the content of the HTTP payload transferred during a flow. Thus flows with certain content can be selected during post-processing even when the plugin is set to count mode for all items in order to conserve memory and processing capacity. The 16-bit value is split into Mime Type (MT) and Common Subtype Prefixes (CSP) / special flags, each comprising 8 bits. This arrangement is experimental and subject to change if a better one is found.
httpHeadMimes      MT / CSP      Description
2^0  (=0x0001)     application   Multi-purpose files: Java or PostScript, etc.
2^1  (=0x0002)     audio         Audio file
2^2  (=0x0004)     image         Image file
2^3  (=0x0008)     message       Instant or email message type
2^4  (=0x0010)     model         3D computer graphics
2^5  (=0x0020)     multipart     Archives and other objects made of more than one part
2^6  (=0x0040)     text          Human-readable text and source code
2^7  (=0x0080)     video         Video stream: MPEG, Flash, QuickTime, etc.
2^8  (=0x0100)     vnd           Vendor-specific files: Word, OpenOffice, etc.
2^9  (=0x0200)     x             Non-standard files: tar, SW packages, LaTeX, Shockwave Flash, etc.
2^10 (=0x0400)     x-pkcs        Public-key cryptography standard files
2^11 (=0x0800)     —             —
2^12 (=0x1000)     PDF           Portable Document Format
2^13 (=0x2000)     JAVA          Java, JavaScript
2^14 (=0x4000)     —             —
2^15 (=0x8000)     MAL           Malicious content, to be implemented
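The bit fields above are meant for exactly this kind of selection. The following Python script is an added example, not code shipped with Tranalyzer: it reads a tab-separated flow file, decodes httpMethods, httpAFlags and httpHeadMimes with the tables above, and lists flows that use PUT/DELETE/TRACE/CONNECT, carry a warning-class anomaly bit, or transfer Java or content flagged as malicious. It assumes a header line starting with '%' that names the columns, hex columns written as 0x...., and a flow index column named flowInd; the three-line sample file is constructed.

```python
"""Added example (not part of Tranalyzer): decode the httpMethods, httpAFlags
and httpHeadMimes bit fields of an httpSniffer flow file and select flows
worth a closer look.

Assumed layout: tab-separated, header line starting with '%', hex columns as
0x...., flow index column named flowInd. The sample file is constructed.
"""
from typing import Dict, Iterable, List, Tuple

HTTP_METHODS = {0x01: "OPTIONS", 0x02: "GET", 0x04: "HEAD", 0x08: "POST",
                0x10: "PUT", 0x20: "DELETE", 0x40: "TRACE", 0x80: "CONNECT"}

HTTP_AFLAGS = {
    0x0001: "POST ? anomaly", 0x0002: "Host is IPv4", 0x0004: "Possible DGA",
    0x0008: "Mismatched content-type", 0x0010: "Sequence number mangled/retry",
    0x0020: "Parse error", 0x0040: "X-Site Scripting protection",
    0x0080: "Content Security Policy", 0x0100: "Possible exe download",
    0x0200: "Possible ELF download", 0x0400: "HTTP 1.0 legacy protocol",
}
# Every bit the table marks "Warning"; the two "Info" bits (0x0040, 0x0080) are left out.
AFLAGS_WARNING_MASK = 0x073F

HTTP_HEADMIMES = {
    0x0001: "application", 0x0002: "audio", 0x0004: "image", 0x0008: "message",
    0x0010: "model", 0x0020: "multipart", 0x0040: "text", 0x0080: "video",
    0x0100: "vnd", 0x0200: "x", 0x0400: "x-pkcs", 0x1000: "PDF", 0x2000: "JAVA",
    0x8000: "MAL",
}
# Unsafe or write-type methods. RESPONSE is encoded as 0x00, so a flow carrying
# only responses has httpMethods == 0 and can never match a mask.
RISKY_METHODS_MASK = 0x10 | 0x20 | 0x40 | 0x80   # PUT, DELETE, TRACE, CONNECT
EXECUTABLE_MIME_MASK = 0x2000 | 0x8000           # JAVA, MAL (MAL is documented as not yet implemented)


def decode_bits(value: int, table: Dict[int, str]) -> List[str]:
    """Names of the bits of `value` that `table` knows, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_flow_file(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Tab-separated flow file with a '%'-prefixed header line (assumed layout) -> list of dicts."""
    header, rows = None, []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("%"):
            header = line[1:].split("\t")
            continue
        if header is None:
            raise ValueError("flow file has no header line")
        rows.append(dict(zip(header, line.split("\t"))))
    return rows


def suspicious_http_flows(rows: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(flowInd, reasons) for flows with a risky method, a warning-class anomaly
    bit, or an executable-like payload type in httpHeadMimes."""
    hits = []
    for r in rows:
        methods = int(r["httpMethods"], 16)
        aflags = int(r["httpAFlags"], 16)
        mimes = int(r["httpHeadMimes"], 16)
        reasons = []
        if methods & RISKY_METHODS_MASK:
            reasons.append("methods=" + ",".join(decode_bits(methods & RISKY_METHODS_MASK, HTTP_METHODS)))
        if aflags & AFLAGS_WARNING_MASK:
            reasons.append("aflags=" + ";".join(decode_bits(aflags & AFLAGS_WARNING_MASK, HTTP_AFLAGS)))
        if mimes & EXECUTABLE_MIME_MASK:
            reasons.append("mime=" + ",".join(decode_bits(mimes & EXECUTABLE_MIME_MASK, HTTP_HEADMIMES)))
        if reasons:
            hits.append((r["flowInd"], reasons))
    return hits


# Constructed sample: a plain GET of text and images, a GET/POST flow with an
# IPv4 host and a possible exe download, and an HTTP/1.0 TRACE carrying Java.
SAMPLE_FLOW_FILE = (
    "%flowInd\thttpStat\thttpAFlags\thttpMethods\thttpHeadMimes\n"
    "1\t0x0028\t0x0000\t0x02\t0x0044\n"
    "2\t0x0028\t0x0102\t0x0a\t0x0001\n"
    "3\t0x0028\t0x0400\t0x40\t0x2000\n"
)

if __name__ == "__main__":
    for flow, why in suspicious_http_flows(parse_flow_file(SAMPLE_FLOW_FILE.splitlines())):
        print(flow, " | ".join(why))
```

The "aflags" reasons cover the Warning rows only: the two Info rows (X-Site Scripting protection, Content Security Policy) describe defensive response headers and are deliberately not treated as indicators. To run it on a real flow file, replace SAMPLE_FLOW_FILE.splitlines() with the opened file.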
14.2.5 httpCFlags
The httpCFlags column contains information about the content body, regarding rerouting or antivirus information. It is to be interpreted as follows:
httpCFlags        Name       Description
2^0 (=0x0001)     STCOOKIE   HTTP Set-Cookie
2^1 (=0x0002)     REFRESH    HTTP refresh detected
2^2 (=0x0004)     HOSTNAME   Host name detected
2^3 (=0x0008)     BOUND      POST boundary marker
2^4 (=0x0010)     PCNT       Potential HTTP content
2^5 (=0x0020)     —          —
14.3 Plugin Report Output
The following information is reported:
• Max number of file handles (only if HTTP_SAVE=1)
• Number of HTTP IPv4/6 packets
• Number of HTTP GET and POST requests and the GET/POST ratio
• Aggregated status flags (httpStat)
• Aggregated anomaly flags (httpAFlags)
• Aggregated content flags (httpCFlags, only if HTTP_BODY=1)
The GET/POST ratio is very helpful in detecting malware operations, provided you know the normal ratio of the machines in your network. The reported maximum number of file handles indicates how many file descriptors processing the present pcap with HTTP_SAVE=1 requires. If it exceeds the per-process limit, raise the open-file limit of the shell with ulimit -n mylimit before invoking Tranalyzer.
15 icmpDecode
15.1 Description
The icmpDecode plugin analyzes ICMP traffic and provides absolute and relative statistics in the PREFIX_icmpStats.txt file.
15.2 Configuration Flags
The following flags can be used to control the output of the plugin:
Name          Default            Description                                          Flags
ICMP_TC_MD    0                  0: Type/code as bitfield
                                 1: Type/code as explicit array
                                 2: Type/code statistics (not implemented)
ICMP_NUM      10                 Number of type and code information                  ICMP_TC_MD=1
ICMP_FDCORR   1                  Flow direction correction
ICMP_PARENT   0                  Whether (1) or not (0) to resolve the parent flow
ICMP_SUFFIX   "_icmpStats.txt"   Suffix for output file name
15.3 Flow File Output
The icmpDecode plugin outputs the following columns:
Column                 Type          Description                                           Flags
icmpStat               H8            Status
icmpTCcnt              U8            Type/code count
icmpBFType_Code        H32_H16       Aggregated type (<32) and code bitfield               ICMP_TC_MD=0 && IPV6_ACTIVATE=0
icmpBFTypH_TypL_Code   H32_H32_H16   Aggregated type (H: >128, L: <32) and code bitfield   ICMP_TC_MD=0 && IPV6_ACTIVATE=1
icmpType_Code          U8_U8         Type and code fields                                  ICMP_TC_MD=1
icmptmgtw              H32           Time/gateway
icmpEchoSuccRatio      F             Echo reply/request success ratio
icmpPFindex            U64           Parent flowIndex                                      ICMP_PARENT=1
15.3.1 icmpStat
The icmpStat column is to be interpreted as follows:
icmpStat        Description
2^4 (=0x10)     WANG2 Microsoft bandwidth test
15.3.2 icmpBFType_Code
The icmpBFType_Code column is to be interpreted as follows (the bit position equals the ICMP type number):
icmpBFType            Description
2^0  (=0x0000.0001)   Echo Reply
2^1  (=0x0000.0002)   —
2^2  (=0x0000.0004)   —
2^3  (=0x0000.0008)   Destination Unreachable
2^4  (=0x0000.0010)   Source Quench
2^5  (=0x0000.0020)   Redirect (change route)
2^6  (=0x0000.0040)   —
2^7  (=0x0000.0080)   —
2^8  (=0x0000.0100)   Echo Request
2^9  (=0x0000.0200)   —
2^10 (=0x0000.0400)   —
2^11 (=0x0000.0800)   Time Exceeded
2^12 (=0x0000.1000)   Parameter Problem
2^13 (=0x0000.2000)   Timestamp Request
2^14 (=0x0000.4000)   Timestamp Reply
2^15 (=0x0000.8000)   Information Request
2^16 (=0x0001.0000)   Information Reply
2^17 (=0x0002.0000)   Address Mask Request
2^18 (=0x0004.0000)   Address Mask Reply
2^19 (=0x0008.0000)   —
2^20 (=0x0010.0000)   —
2^21 (=0x0020.0000)   —
2^22 (=0x0040.0000)   —
2^23 (=0x0080.0000)   —
2^24 (=0x0100.0000)   —
2^25 (=0x0200.0000)   —
2^26 (=0x0400.0000)   —
2^27 (=0x0800.0000)   —
2^28 (=0x1000.0000)   —
2^29 (=0x2000.0000)   —
2^30 (=0x4000.0000)   Traceroute
2^31 (=0x8000.0000)   —
The code bitfield (icmpBFCode) for Destination Unreachable (type bit 0x0000.0008) is to be interpreted as follows (the bit position equals the ICMP code number):
icmpBFCode         Description
2^0  (=0x0001)     Network Unreachable
2^1  (=0x0002)     Host Unreachable
2^2  (=0x0004)     Protocol Unreachable
2^3  (=0x0008)     Port Unreachable
2^4  (=0x0010)     Fragmentation Needed/DF set
2^5  (=0x0020)     Source Route failed
2^6  (=0x0040)     —
2^7  (=0x0080)     —
2^8  (=0x0100)     —
2^9  (=0x0200)     —
2^10 (=0x0400)     —
2^11 (=0x0800)     —
2^12 (=0x1000)     —
2^13 (=0x2000)     Packet filtered
2^14 (=0x4000)     Precedence violation
2^15 (=0x8000)     Precedence cut off
15.3.3 ICMPv6
For ICMPv6, the types and codes are:
icmpType    Description
0           Reserved
1           Destination Unreachable
2           Packet Too Big
3           Time Exceeded
4           Parameter Problem
100         Private experimentation
101         Private experimentation
102–126     Unassigned
127         Reserved for expansion of ICMPv6 error messages
128         Echo Request
129         Echo Reply
130         Multicast Listener Query
131         Multicast Listener Report
132         Multicast Listener Done
133         Router Solicitation
134         Router Advertisement
135         Neighbor Solicitation
136         Neighbor Advertisement
137         Redirect Message
138         Router Renumbering
139         ICMP Node Information Query
140         ICMP Node Information Response
141         Inverse Neighbor Discovery Solicitation
142         Inverse Neighbor Discovery Advertisement
143         Version 2 Multicast Listener Report
144         Home Agent Address Discovery Request
145         Home Agent Address Discovery Reply
146         Mobile Prefix Solicitation
147         Mobile Prefix Advertisement
148         Certification Path Solicitation
149         Certification Path Advertisement
150         ICMP messages utilized by experimental mobility protocols such as Seamoby
151         Multicast Router Advertisement
152         Multicast Router Solicitation
153         Multicast Router Termination
154         FMIPv6 Messages
155         RPL Control Message
156         ILNPv6 Locator Update Message
157         Duplicate Address Request
158         Duplicate Address Confirmation
159         MPL Control Message
160–199     Unassigned
200         Private experimentation
201         Private experimentation
255         Reserved for expansion of ICMPv6 informational messages
The icmpCode values for Destination Unreachable (1) are:
icmpCode   Description
0          no route to destination
1          communication with destination administratively prohibited
2          beyond scope of source address
3          address unreachable
4          port unreachable
5          source address failed ingress/egress policy
6          reject route to destination
7          Error in Source Routing Header
The icmpCode values for Time Exceeded (3) are:
icmpCode   Description
0          hop limit exceeded in transit
1          fragment reassembly time exceeded
The icmpCode values for Parameter Problem (4) are:
icmpCode   Description
0          erroneous header field encountered
1          unrecognized Next Header type encountered
2          unrecognized IPv6 option encountered
3          IPv6 First Fragment has incomplete IPv6 Header Chain
The icmpCode values for Router Renumbering (138) are:
icmpCode   Description
0          Router Renumbering Command
1          Router Renumbering Result
255        Sequence Number Reset
The icmpCode values for ICMP Node Information Query (139) are:
icmpCode   Description
0          The Data field contains an IPv6 address which is the Subject of this Query
1          The Data field contains a name which is the Subject of this Query, or is empty, as in the case of a NOOP
2          The Data field contains an IPv4 address which is the Subject of this Query
The icmpCode values for ICMP Node Information Response (140) are:
icmpCode   Description
0          A successful reply. The Reply Data field may or may not be empty
1          The Responder refuses to supply the answer. The Reply Data field will be empty
2          The Qtype of the Query is unknown to the Responder. The Reply Data field will be empty
15.4 Packet File Output
In packet mode (-s option), the icmpDecode plugin outputs the following columns:
Column          Type    Description
icmpType_Code   U8_U8   Type and code fields
15.5 Additional Output
The icmpDecode plugin outputs absolute and relative statistics in the PREFIX_icmpStats.txt file.
The output is as follows (IPV6_ACTIVATE=0):
Type                 Code                  Description
ICMP_ECHOREQUEST     —                     Echo request
ICMP_ECHOREPLY       —                     Echo reply to an echo request
ICMP_SOURCE_QUENCH   —                     Source quenches
ICMP_TRACEROUTE      —                     Traceroute packets
ICMP_DEST_UNREACH    ICMP_NET_UNREACH      Network unreachable
ICMP_DEST_UNREACH    ICMP_HOST_UNREACH     Host unreachable
ICMP_DEST_UNREACH    ICMP_PROT_UNREACH     Protocol unreachable
ICMP_DEST_UNREACH    ICMP_PORT_UNREACH     Port unreachable
ICMP_DEST_UNREACH    ICMP_FRAG_NEEDED      Fragmentation needed
ICMP_DEST_UNREACH    ICMP_SR_FAILED        Source route failed
ICMP_DEST_UNREACH    ICMP_NET_UNKNOWN      Network unknown
ICMP_DEST_UNREACH    ICMP_HOST_UNKNOWN     Host unknown
ICMP_DEST_UNREACH    ICMP_HOST_ISOLATED    Host is isolated
ICMP_DEST_UNREACH    ICMP_NET_ANO          Network administratively prohibited
ICMP_DEST_UNREACH    ICMP_HOST_ANO         Host administratively prohibited
ICMP_DEST_UNREACH    ICMP_NET_UNR_TOS      Network unreachable for type of service
ICMP_DEST_UNREACH    ICMP_HOST_UNR_TOS     Host unreachable for type of service
ICMP_DEST_UNREACH    ICMP_PKT_FILTERED     Dropped by a filtering device
ICMP_DEST_UNREACH    ICMP_PREC_VIOLATION   Precedence violation
ICMP_DEST_UNREACH    ICMP_PREC_CUTOFF      Precedence cut off
ICMP_REDIRECT        ICMP_REDIR_NET        Network redirection
ICMP_REDIRECT        ICMP_REDIR_HOST       Host redirection
ICMP_REDIRECT        ICMP_REDIR_NETTOS     Network redirection for type of service
ICMP_REDIRECT        ICMP_REDIR_HOSTTOS    Host redirection for type of service
ICMP_TIME_EXCEEDED   ICMP_EXC_TTL          TTL exceeded in transit
ICMP_TIME_EXCEEDED   ICMP_EXC_FRAGTIME     Fragment reassembly time exceeded
If IPV6_ACTIVATE=1, then the output becomes:
Type                    Code                      Description
ICMP6_ECHOREQUEST       —                         Echo request
ICMP6_ECHOREPLY         —                         Echo reply to an echo request
ICMP6_PKT_TOO_BIG       —                         Packet too big
ICMP6_DEST_UNREACH      ICMP6_NO_ROUTE            No route to destination
ICMP6_DEST_UNREACH      ICMP6_COMM_PROHIBIT       Communication with destination prohibited
ICMP6_DEST_UNREACH      ICMP6_BEYOND_SCOPE        Beyond scope of source address
ICMP6_DEST_UNREACH      ICMP6_ADDR_UNREACH        Address unreachable
ICMP6_DEST_UNREACH      ICMP6_PORT_UNREACH        Port unreachable
ICMP6_DEST_UNREACH      ICMP6_SR_FAILED           Source address failed ingress/egress policy
ICMP6_DEST_UNREACH      ICMP6_REJECT              Reject route to destination
ICMP6_DEST_UNREACH      ICMP6_ERROR_HDR           Error in Source Routing Header
ICMP6_TIME_EXCEEDED     ICMP6_EXC_HOPS            Hop limit exceeded in transit
ICMP6_TIME_EXCEEDED     ICMP6_EXC_FRAGTIME        Fragment reassembly time exceeded
ICMP6_PARAM_PROBLEM     ICMP6_ERR_HDR             Erroneous header field
ICMP6_PARAM_PROBLEM     ICMP6_UNRECO_NEXT_HDR     Unrecognized Next Header type
ICMP6_PARAM_PROBLEM     ICMP6_UNRECO_IP6_OPT      Unrecognized IPv6 option
ICMP6_MCAST_QUERY       —                         Multicast Listener Query
ICMP6_MCAST_REP         —                         Multicast Listener Report
ICMP6_MCAST_DONE        —                         Multicast Listener Done
ICMP6_RTER_SOLICIT      —                         Router Solicitation
ICMP6_RTER_ADVERT       —                         Router Advertisement
ICMP6_NBOR_SOLICIT      —                         Neighbor Solicitation
ICMP6_NBOR_ADVERT       —                         Neighbor Advertisement
ICMP6_REDIRECT_MSG      —                         Redirect Message
ICMP6_RTER_RENUM        ICMP6_RR_CMD (0)          Router Renumbering Command
ICMP6_RTER_RENUM        ICMP6_RR_RES (1)          Router Renumbering Result
ICMP6_RTER_RENUM        ICMP6_RR_RST (255)        Router Renumbering: Sequence Number Reset
ICMP6_NODE_INFO_QUERY   ICMP6_NIQ_IP6 (0)         Node Info. Query: contains an IPv6 address
ICMP6_NODE_INFO_QUERY   ICMP6_NIQ_NAME (1)        Node Info. Query: contains a name or is empty (NOOP)
ICMP6_NODE_INFO_QUERY   ICMP6_NIQ_IP4 (2)         Node Info. Query: contains an IPv4 address
ICMP6_NODE_INFO_RESP    ICMP6_NIR_SUCC (0)        Node Info. Response: successful reply
ICMP6_NODE_INFO_RESP    ICMP6_NIR_DENIED (1)      Node Info. Response: responder refuses to answer
ICMP6_NODE_INFO_RESP    ICMP6_NIR_UNKN (2)        Node Info. Response: Qtype of the query unknown
ICMP6_INV_NBOR_DSM      —                         Inverse Neighbor Discovery Solicitation Msg
ICMP6_INV_NBOR_DAM      —                         Inverse Neighbor Discovery Advertisement Msg
ICMP6_MLD2              —                         Version 2 Multicast Listener Report
ICMP6_ADDR_DISC_REQ     —                         Home Agent Address Discovery Request Msg
ICMP6_ADDR_DISC_REP     —                         Home Agent Address Discovery Reply Msg
ICMP6_MOB_PREF_SOL      —                         Mobile Prefix Solicitation
ICMP6_MOB_PREF_ADV      —                         Mobile Prefix Advertisement
ICMP6_CERT_PATH_SOL     —                         Certification Path Solicitation Message
ICMP6_CERT_PATH_ADV     —                         Certification Path Advertisement Message
ICMP6_EXP_MOBI          —                         Experimental mobility protocols
ICMP6_MRD_ADV           —                         Multicast Router Advertisement
ICMP6_MRD_SOL           —                         Multicast Router Solicitation
ICMP6_MRD_TERM          —                         Multicast Router Termination
ICMP6_FMIPV6            —                         FMIPv6 Messages
ICMP6_RPL_CTRL          —                         RPL Control Message
ICMP6_ILNP_LOC_UP       —                         ILNPv6 Locator Update Message
ICMP6_DUP_ADDR_REQ      —                         Duplicate Address Request
ICMP6_DUP_ADDR_CONF     —                         Duplicate Address Confirmation
15.6 Post-Processing
15.6.1 icmpX
The icmpX script extracts all ICMP flows and their parents (flows which caused the ICMP message) from a flow file.
Run ./icmpX --help for more information.
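What icmpX does for a flow file, shown here in Python as an added example (this is neither the icmpX script nor other project code): ICMP flows are attached to the flow named in their icmpPFindex column, the icmpType_Code value (ICMP_TC_MD=1, ICMP_PARENT=1) is translated with the ICMPv4 names from the statistics legend above, and Destination Unreachable replies are counted per originating source. Flows whose parent is empty or unknown are kept under a separate key rather than dropped. The flowInd and srcIP column names belong to the flow file layout this example assumes; the rows are constructed.

```python
"""Added example (not the icmpX script): attach ICMP flows to the flows that
triggered them and summarise Destination Unreachable replies per source.

Uses the columns written with ICMP_TC_MD=1 and ICMP_PARENT=1:
icmpType_Code ("type_code", U8_U8) and icmpPFindex (parent flowIndex).
flowInd and srcIP are assumed column names; the sample rows are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# ICMPv4 type names and Destination Unreachable code names, following the
# PREFIX_icmpStats.txt legend above without the ICMP_ prefix.
ICMP4_TYPES = {0: "ECHOREPLY", 3: "DEST_UNREACH", 4: "SOURCE_QUENCH", 5: "REDIRECT",
               8: "ECHOREQUEST", 11: "TIME_EXCEEDED", 30: "TRACEROUTE"}
ICMP4_UNREACH = {0: "NET_UNREACH", 1: "HOST_UNREACH", 2: "PROT_UNREACH", 3: "PORT_UNREACH",
                 4: "FRAG_NEEDED", 5: "SR_FAILED", 6: "NET_UNKNOWN", 7: "HOST_UNKNOWN",
                 8: "HOST_ISOLATED", 9: "NET_ANO", 10: "HOST_ANO", 11: "NET_UNR_TOS",
                 12: "HOST_UNR_TOS", 13: "PKT_FILTERED", 14: "PREC_VIOLATION", 15: "PREC_CUTOFF"}

Row = Dict[str, str]


def icmp_name(type_code: str) -> str:
    """'3_3' -> 'DEST_UNREACH/PORT_UNREACH'; unknown numbers are kept numeric."""
    t, c = (int(x) for x in type_code.split("_"))
    tname = ICMP4_TYPES.get(t, f"TYPE{t}")
    if t == 3:
        return f"{tname}/{ICMP4_UNREACH.get(c, f'CODE{c}')}"
    return tname if c == 0 else f"{tname}/CODE{c}"


def join_icmp_to_parents(rows: List[Row]) -> Dict[Optional[str], List[Tuple[str, str]]]:
    """Group ICMP flows by the flowInd of their parent.

    Returns {parent_flowInd: [(icmp_flowInd, decoded type/code), ...]}. ICMP flows
    whose icmpPFindex is empty or names no flow in the file land under the key None;
    a plain flow listing would silently lose that context."""
    known = {r["flowInd"] for r in rows}
    joined: Dict[Optional[str], List[Tuple[str, str]]] = defaultdict(list)
    for r in rows:
        if not r.get("icmpType_Code"):
            continue  # not an ICMP flow
        parent = r.get("icmpPFindex") or None
        if parent not in known:
            parent = None
        joined[parent].append((r["flowInd"], icmp_name(r["icmpType_Code"])))
    return dict(joined)


def unreachable_per_source(rows: List[Row], threshold: int = 3) -> List[Tuple[str, int]]:
    """Count Destination Unreachable replies per source IP of the parent flow and
    return the sources at or above `threshold`, sorted. Many unreachables for one
    sender usually mean a port/host scan or a misconfigured client."""
    by_ind = {r["flowInd"]: r for r in rows}
    counts: Dict[str, int] = defaultdict(int)
    for parent, children in join_icmp_to_parents(rows).items():
        if parent is None:
            continue
        n = sum(1 for _, name in children if name.startswith("DEST_UNREACH/"))
        if n:
            counts[by_ind[parent]["srcIP"]] += n
    return sorted((ip, n) for ip, n in counts.items() if n >= threshold)


# Constructed sample: 10.0.0.5 probes three UDP ports on 10.0.0.20 (flows 10-12),
# each answered by a port unreachable (flows 20-22) whose parent is the probe;
# an echo request without a parent (flow 30); a TTL exceeded (flow 31) whose
# parent is not in this file.
SAMPLE_ROWS: List[Row] = [
    {"flowInd": "10", "srcIP": "10.0.0.5",  "dstIP": "10.0.0.20", "icmpType_Code": "",     "icmpPFindex": ""},
    {"flowInd": "11", "srcIP": "10.0.0.5",  "dstIP": "10.0.0.20", "icmpType_Code": "",     "icmpPFindex": ""},
    {"flowInd": "12", "srcIP": "10.0.0.5",  "dstIP": "10.0.0.20", "icmpType_Code": "",     "icmpPFindex": ""},
    {"flowInd": "20", "srcIP": "10.0.0.20", "dstIP": "10.0.0.5",  "icmpType_Code": "3_3",  "icmpPFindex": "10"},
    {"flowInd": "21", "srcIP": "10.0.0.20", "dstIP": "10.0.0.5",  "icmpType_Code": "3_3",  "icmpPFindex": "11"},
    {"flowInd": "22", "srcIP": "10.0.0.20", "dstIP": "10.0.0.5",  "icmpType_Code": "3_3",  "icmpPFindex": "12"},
    {"flowInd": "30", "srcIP": "10.0.0.7",  "dstIP": "10.0.0.1",  "icmpType_Code": "8_0",  "icmpPFindex": ""},
    {"flowInd": "31", "srcIP": "10.0.0.1",  "dstIP": "10.0.0.7",  "icmpType_Code": "11_0", "icmpPFindex": "99"},
]

if __name__ == "__main__":
    for parent, kids in sorted(join_icmp_to_parents(SAMPLE_ROWS).items(), key=lambda kv: kv[0] or ""):
        print(parent, kids)
    print(unreachable_per_source(SAMPLE_ROWS))
```

The threshold is deliberately low for the sample; on real traffic it should be tuned against the baseline of the network, and the orphan bucket (key None) is worth printing too, since with ICMP_FDCORR=0 or a truncated capture the parent is often simply not in the file.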
15.7 TODO
• IPv6
  – Parent flow index
16 igmpDecode
This plugin analyzes IGMP traffic and provides absolute and relative statistics to the PREFIX_igmpStats.txt file.
16.1 Required Files
None
16.2 Plugin Flow File Output
The hex based status variable (igmpStat) is defined as follows:
igmpStat        Description
2^0 (=0x01)     IGMP message had invalid length
2^1 (=0x02)     IGMP message had invalid checksum
2^2 (=0x04)     IGMP message had invalid TTL (≠ 1)
2^3 (=0x08)     IGMP message was invalid for other reasons
16.3 Additional Output
The plugin exports global statistics about IGMP traffic in the PREFIX_igmpStats.txt file.
17 ircDecode
17.1 Description
The ircDecode plugin analyzes IRC traffic. User defined compiler switches are in ircDecode.h.
17.2 Configuration Flags
The following flags can be used to control the output of the plugin:
Name       Default   Description
IRC_SAVE   0         Save content to IRC_F_PATH
BITFIELD   0         Bitfield coding of IRC commands
If the parent data flow cannot be identified by T2 (IRC_NDFLW = 1), increase IRC_PRTSCNMX: some implementations ignore the standard and use a random source port.
17.3 Flow File Output
The ircDecode plugin outputs the following columns:
Column      Type   Description            Flags
ircStat     H8     Status
ircCBF      H64    Commands               BITFIELD=1
ircCC       RSC    Command codes
ircRC       RU16   Response codes
ircUsrNum   U8     Number of users
ircPwNum    U8     Number of passwords
ircCNum     U8     Number of parameters
ircUsr      RS     Users
ircPw       RS     Passwords
ircC        RS     Content
17.3.1 ircStat
The ircStat column describes the errors encountered during the flow lifetime:
ircStat         Name       Description
2^0 (=0x01)     IRC_INIT   IRC control port found
2^1 (=0x02)     RNT        IRC passive parent flow
2^2 (=0x04)     PPWF       IRC passive write finished
2^3 (=0x08)     APRNT      IRC active parent flow
2^4 (=0x10)     PPWFERR    File error
2^5 (=0x20)     NDFLW      Data flow not detected
2^6 (=0x40)     _OVFL      Array overflow
2^7 (=0x80)     —          —
17.3.2 ircCBF
The ircCBF column is to be interpreted as follows:
ircCBF                        Description
2^0  (=0x0000000000000001)    ABOR
2^1  (=0x0000000000000002)    ACCT
2^2  (=0x0000000000000004)    ADAT
2^3  (=0x0000000000000008)    ALLO
2^4  (=0x0000000000000010)    APPE
2^5  (=0x0000000000000020)    AUTH
2^6  (=0x0000000000000040)    CCC
2^7  (=0x0000000000000080)    CDUP
2^8  (=0x0000000000000100)    CONF
2^9  (=0x0000000000000200)    CWD
2^10 (=0x0000000000000400)    DELE
2^11 (=0x0000000000000800)    ENC
2^12 (=0x0000000000001000)    EPRT
2^13 (=0x0000000000002000)    EPSV
2^14 (=0x0000000000004000)    FEAT
2^15 (=0x0000000000008000)    HELP
2^16 (=0x0000000000010000)    LANG
2^17 (=0x0000000000020000)    LIST
2^18 (=0x0000000000040000)    LPRT
2^19 (=0x0000000000080000)    LPSV
2^20 (=0x0000000000100000)    MDTM
2^21 (=0x0000000000200000)    MIC
2^22 (=0x0000000000400000)    MKD
2^23 (=0x0000000000800000)    MLSD
2^24 (=0x0000000001000000)    MLST
2^25 (=0x0000000002000000)    MODE
2^26 (=0x0000000004000000)    NLST
2^27 (=0x0000000008000000)    NOOP
2^28 (=0x0000000010000000)    OPTS
2^29 (=0x0000000020000000)    PASS
2^30 (=0x0000000040000000)    PASV
2^31 (=0x0000000080000000)    PBSZ
2^32 (=0x0000000100000000)    PORT
2^33 (=0x0000000200000000)    PROT
2^34 (=0x0000000400000000)    PWD
2^35 (=0x0000000800000000)    QUIT
2^36 (=0x0000001000000000)    REIN
2^37 (=0x0000002000000000)    REST
2^38 (=0x0000004000000000)    RETR
2^39 (=0x0000008000000000)    RMD
2^40 (=0x0000010000000000)    RNFR
2^41 (=0x0000020000000000)    RNTO
2^42 (=0x0000040000000000)    SITE
2^43 (=0x0000080000000000)    SIZE
2^44 (=0x0000100000000000)    SMNT
2^45 (=0x0000200000000000)    STAT
2^46 (=0x0000400000000000)    STOR
2^47 (=0x0000800000000000)    STOU
2^48 (=0x0001000000000000)    STRU
2^49 (=0x0002000000000000)    SYST
2^50 (=0x0004000000000000)    TYPE
2^51 (=0x0008000000000000)    USER
2^52 (=0x0010000000000000)    XCUP
2^53 (=0x0020000000000000)    XMKD
2^54 (=0x0040000000000000)    XPWD
2^55 (=0x0080000000000000)    XRCP
2^56 (=0x0100000000000000)    XRMD
2^57 (=0x0200000000000000)    XRSQ
2^58 (=0x0400000000000000)    XSEM
2^59 (=0x0800000000000000)    XSEN
2^60 (=0x1000000000000000)    CLNT
17.4 TODO
• fragmentation
• reply address extraction
• irc parent hash
18 jsonSink
18.1 Description
The jsonSink plugin generates JSON output in a file PREFIX_flows.json, where PREFIX is provided via the Tranalyzer -w or -W option.
18.2 Dependencies
18.2.1 External Libraries
If gzip compression is activated (GZ_COMPRESS=1), then zlib must be installed.
Ubuntu: sudo apt-get install zlib1g-dev
Arch:   sudo pacman -S zlib
18.3 Configuration Flags
The following flags can be used to control the output of the plugin:
Name                     Default         Description                                                               Flags
SOCKET_ON                0               Whether to output to a socket (1) or to a file (0)
SOCKET_ADDR              "127.0.0.1"     Address of the socket                                                     SOCKET_ON=1
SOCKET_PORT              5000            Port of the socket                                                        SOCKET_ON=1
GZ_COMPRESS              0               Whether or not to compress the output (gzip)
JSON_SPLIT               1               Whether (1) or not (0) to split the output file (Tranalyzer -W option)    SOCKET_ON=0
JSON_ROOT_NODE           0               Whether or not to add a root node (array)
SUPPRESS_EMPTY_ARRAY     1               Whether or not to output empty fields
JSON_NO_SPACES           1               Whether or not to suppress unnecessary spaces
HEX_CAPITAL              0               Hex numbers: 0: lower case, 1: upper case
IP_PRINT_NORMALIZE       0               IPv4 addresses: 0: normal, 1: padded with 0
IP6_COMPRESS             1               IPv6 addresses: 1: compressed, 0: full 128 bit length
B2T_TIME_IN_MICRO_SECS   1               Time precision: 0: nanoseconds, 1: microseconds
JS_BUFFER_SIZE           1024*1024       Size of output buffer
JSON_SUFFIX              "_flows.json"   Suffix for output file                                                    SOCKET_ON=0
GZ_SUFFIX                ".gz"           Suffix for compressed output file                                         SOCKET_ON=0 && GZ_COMPRESS=1
18.4 Custom File Output
• PREFIX_flows.json: JSON representation of Tranalyzer output
18.5 Example
To send compressed data over a socket (SOCKET_ON=1 and GZ_COMPRESS=1):
1. nc -l 127.0.0.1 5000 | gunzip
2. tranalyzer -r file.pcap
19 macRecorder
19.1 Description
The macRecorder plugin provides the source and destination MAC addresses as well as the number of packets detected in the flow, separated by an underscore. If there is more than one combination of MAC addresses, e.g., due to load balancing or router misconfiguration, the plugin prints all recognized MAC address pairs separated by semicolons. The number of distinct source/destination MAC address pairs can be output by activating the MR_NPAIRS flag. The MR_MANUF flag controls the output of the manufacturers for the source and destination addresses. The representation of MAC addresses can be altered using the MR_MAC_FMT flag.
19.2 Dependencies
19.2.1 Required Files
The file manuf.txt is required if MR_MANUF > 0.
19.3 Configuration Flags
The following flags can be used to control the output of the plugin:
Name         Default   Description
MR_MAC_FMT   1         Format for MAC addresses: 0: hex, 1: mac, 2: int
MR_NPAIRS    1         Whether (1) or not (0) to report the number of distinct pairs
MR_MANUF     1         0: no manufacturers, 1: short names, 2: long names
MR_MAX_MAC   16        Maximum number of output MAC addresses per flow
19.4 Flow File Output
The macRecorder plugin outputs the following columns:
Column               Type          Description                                     Flags
macPairs             U32           Number of distinct src/dst MAC address pairs    MR_NPAIRS=1
srcMac_dstMac_numP   H64_H64_U64   Src/Dst MAC addresses, number of packets        MR_MAC_FMT=0
srcMac_dstMac_numP   MA_MA_U64     Src/Dst MAC addresses, number of packets        MR_MAC_FMT=1
srcMac_dstMac_numP   U64_U64_U64   Src/Dst MAC addresses, number of packets        MR_MAC_FMT=2
srcManuf_dstManuf    SC_SC         Src/Dst MAC manufacturers                       MR_MANUF=1
srcManuf_dstManuf    S_S           Src/Dst MAC manufacturers                       MR_MANUF=2
19.5 Packet File Output
In packet mode (-s option), the macRecorder plugin outputs the following columns:
Column     Description                    Flags
srcManuf   Source MAC manufacturer        MR_MANUF=1
dstManuf   Destination MAC manufacturer   MR_MANUF=1
19.6 Example Output
Consider a host with MAC address aa:aa:aa:aa:aa:aa in a local network requesting a website from a public server. Due
to load balancing, the opposite flow can be split and transmitted via two routers with MAC addresses bb:bb:bb:bb:bb:bb
and cc:cc:cc:cc:cc:cc. The macRecorder plugin then produces the following output:
bb:bb:bb:bb:bb:bb_aa:aa:aa:aa:aa:aa_667;cc:cc:cc:cc:cc:cc_aa:aa:aa:aa:aa:aa_666
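Parsing this value in post-processing is simple but worth doing systematically, because a flow with several source MAC addresses is also what ARP spoofing or a rogue gateway produces. The Python below is an added example, not plugin code: it handles the MR_MAC_FMT=1 representation, computes the packet share per source MAC and flags flows in which at least two sources each carry a meaningful share. The flowInd column name and the additional sample rows are constructed; the first sample value is the one from the example above.

```python
"""Added example (not plugin code): parse the srcMac_dstMac_numP column that
macRecorder writes with MR_MAC_FMT=1 and flag flows whose packets come from
more than one source MAC address. flowInd is an assumed column name; the
sample rows other than the manual's example value are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple


def parse_mac_pairs(field: str) -> List[Tuple[str, str, int]]:
    """'src_dst_n;src_dst_n;...' -> [(src, dst, n), ...]. An empty field yields []."""
    pairs = []
    for item in field.split(";"):
        if not item:
            continue
        src, dst, n = item.split("_")
        pairs.append((src.lower(), dst.lower(), int(n)))
    return pairs


def source_mac_shares(field: str) -> Dict[str, float]:
    """Fraction of the flow's packets carried by each distinct source MAC."""
    per_src: Dict[str, int] = defaultdict(int)
    for src, _dst, n in parse_mac_pairs(field):
        per_src[src] += n
    total = sum(per_src.values())
    return {src: n / total for src, n in per_src.items()} if total else {}


def multi_source_flows(rows: List[Dict[str, str]], min_share: float = 0.05) -> List[str]:
    """flowInd of every row in which at least two source MACs each carry at least
    min_share of the packets. One source MAC is the normal case; two or more mean
    load balancing or a redundant gateway, or that an unexpected station answers
    for the peer (ARP spoofing). The threshold keeps one stray frame from alerting."""
    flagged = []
    for r in rows:
        shares = source_mac_shares(r["srcMac_dstMac_numP"])
        if sum(1 for s in shares.values() if s >= min_share) >= 2:
            flagged.append(r["flowInd"])
    return flagged


# The value from the manual's example (two routers answering one host).
EXAMPLE_FIELD = "bb:bb:bb:bb:bb:bb_aa:aa:aa:aa:aa:aa_667;cc:cc:cc:cc:cc:cc_aa:aa:aa:aa:aa:aa_666"

SAMPLE_ROWS = [  # constructed
    {"flowInd": "7", "srcMac_dstMac_numP": EXAMPLE_FIELD},
    {"flowInd": "8", "srcMac_dstMac_numP": "aa:aa:aa:aa:aa:aa_bb:bb:bb:bb:bb:bb_1333"},
    {"flowInd": "9", "srcMac_dstMac_numP":
        "dd:dd:dd:dd:dd:dd_aa:aa:aa:aa:aa:aa_999;ee:ee:ee:ee:ee:ee_aa:aa:aa:aa:aa:aa_1"},
]

if __name__ == "__main__":
    for flow in multi_source_flows(SAMPLE_ROWS):
        print(flow, source_mac_shares(next(r for r in SAMPLE_ROWS if r["flowInd"] == flow)["srcMac_dstMac_numP"]))
```

Flow 7 is reported (two sources with roughly half the packets each), flow 9 is not (the second source carries a single packet). Whether a reported flow is benign load balancing or something to investigate is decided by comparing the source MACs against the known gateways, which the srcManuf_dstManuf column (MR_MANUF=1) makes quicker.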
20 modbus
20.1 Description
The modbus plugin analyzes Modbus traffic.
20.2 Configuration Flags
The following flags can be used to control the output of the plugin:
Name           Default   Description
MB_DEBUG       0         Whether (1) or not (0) to activate debug output
MB_FE_FRMT     0         Function/exception code representation: 0: hex, 1: int
MB_NUM_FUNC    0         Number of function codes to store (0 to hide modbusFC)
MB_UNIQ_FUNC   0         Whether or not to aggregate multiply defined function codes
MB_NUM_FEX     0         Number of function codes causing exceptions to store (0 to hide modbusFEx)
MB_UNIQ_FEX    0         Whether or not to aggregate multiply defined function codes causing exceptions
MB_NUM_EX      0         Number of exception codes to store (0 to hide modbusExC)
MB_UNIQ_EX     0         Whether or not to aggregate multiply defined exception codes
20.3 Flow File Output
The modbus plugin outputs the following columns:
Column        Type   Description                                          Flags
modbusStat    H16    Status
modbusUID     U8     Unit identifier
modbusNPkts   U32    Number of Modbus packets
modbusNumEx   U16    Number of exceptions
modbusFCBF    H64    Aggregated function codes
modbusFC      RH8    List of function codes                               MB_NUM_FUNC>0
modbusFExBF   H64    Aggregated function codes which caused exceptions
modbusFEx     RH8    List of function codes which caused exceptions       MB_NUM_FEX>0
modbusExCBF   H16    Aggregated exception codes
modbusExC     RH8    List of exception codes                              MB_NUM_EX>0
20.3.1 modbusStat
The modbusStat column is to be interpreted as follows:
modbusStat   Description
0x0001       Flow is Modbus
0x0002       Non-Modbus protocol identifier
0x0004       Unknown function code
0x0008       Unknown exception code
0x0010       Multiple unit identifiers
0x0100       List of function codes truncated... increase MB_NUM_FUNC
0x0200       List of function codes which caused exceptions truncated... increase MB_NUM_FEX
0x0400       List of exception codes truncated... increase MB_NUM_EX
0x4000       Snapped packet
0x8000       Malformed packet
20.3.2 modbusFC and modbusFCBF
The modbusFC and modbusFCBF columns are to be interpreted as follows (the bit position in modbusFCBF equals the function code):
modbusFC    modbusFCBF           Description
 1 = 0x01   0x0000000000000002   Read Coils
 2 = 0x02   0x0000000000000004   Read Discrete Inputs
 3 = 0x03   0x0000000000000008   Read Multiple Holding Registers
 4 = 0x04   0x0000000000000010   Read Input Registers
 5 = 0x05   0x0000000000000020   Write Single Coil
 6 = 0x06   0x0000000000000040   Write Single Holding Register
 7 = 0x07   0x0000000000000080   Read Exception Status
 8 = 0x08   0x0000000000000100   Diagnostic
11 = 0x0b   0x0000000000000800   Get Com Event Counter
12 = 0x0c   0x0000000000001000   Get Com Event Log
15 = 0x0f   0x0000000000008000   Write Multiple Coils
16 = 0x10   0x0000000000010000   Write Multiple Holding Registers
17 = 0x11   0x0000000000020000   Report Slave ID
20 = 0x14   0x0000000000100000   Read File Record
21 = 0x15   0x0000000000200000   Write File Record
22 = 0x16   0x0000000000400000   Mask Write Register
23 = 0x17   0x0000000000800000   Read/Write Multiple Registers
24 = 0x18   0x0000000001000000   Read FIFO Queue
43 = 0x2b   0x0000080000000000   Read Device Identification
20.3.3 modbusFEx and modbusFExBF
The modbusFEx and modbusFExBF columns are to be interpreted as modbusFC and modbusFCBF, respectively.
20.3.4 modbusExC and modbusExCBF
The modbusExC and modbusExCBF columns are to be interpreted as follows:
modbusExC   modbusExCBF   Description
 1 = 0x01   0x0002        Illegal function code
 2 = 0x02   0x0004        Illegal data address
 3 = 0x03   0x0008        Illegal data value
 4 = 0x04   0x0010        Slave device failure
 5 = 0x05   0x0020        Acknowledge
 6 = 0x06   0x0040        Slave device busy
 7 = 0x07   0x0080        Negative acknowledge
 8 = 0x08   0x0100        Memory parity error
10 = 0x0a   0x0400        Gateway path unavailable
11 = 0x0b   0x0800        Gateway target device failed to respond
20.4 Packet File Output
In packet mode (-s option), the modbus plugin outputs the following columns:
Column       Type   Description              Flags
mbTranId     U16    Transaction identifier
mbProtId     U16    Protocol identifier
mbLen        U16    Length
mbUnitId     U8     Unit identifier
mbFuncCode   H8     Function code            MB_FE_FRMT=0
mbFuncCode   U8     Function code            MB_FE_FRMT=1
20.4.1 mbFuncCode
The mbFuncCode column is to be interpreted as follows:
mbFuncCode        Description
< 128 (=0x80)     refer to modbusFC and modbusFCBF
≥ 128 (=0x80)     exception response: subtract 128 (=0x80) and refer to modbusFEx and modbusFExBF
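How the packet-mode columns relate to the bytes on the wire, as an added Python example (not the plugin's code): the MBAP header is transaction id, protocol id, length and unit id (big-endian 2+2+2+1 bytes), followed by the PDU whose first byte is the function code. In an exception response the function code has 0x80 added and the next PDU byte carries the exception code; that is standard Modbus/TCP framing, not something the table above states. The status bits mirror the modbusStat values a single frame allows to derive, and the two sample frames are constructed.

```python
"""Added example (not plugin code): parse a Modbus/TCP frame into the fields the
packet-mode columns report and classify exception responses (function code
>= 0x80). The sample frames are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

MODBUS_FC = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Multiple Holding Registers",
             4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Holding Register",
             7: "Read Exception Status", 8: "Diagnostic", 11: "Get Com Event Counter",
             12: "Get Com Event Log", 15: "Write Multiple Coils", 16: "Write Multiple Holding Registers",
             17: "Report Slave ID", 20: "Read File Record", 21: "Write File Record",
             22: "Mask Write Register", 23: "Read/Write Multiple Registers", 24: "Read FIFO Queue",
             43: "Read Device Identification"}
MODBUS_EXC = {1: "Illegal function code", 2: "Illegal data address", 3: "Illegal data value",
              4: "Slave device failure", 5: "Acknowledge", 6: "Slave device busy",
              7: "Negative acknowledge", 8: "Memory parity error",
              10: "Gateway path unavailable", 11: "Gateway target device failed to respond"}

# Write-class function codes: the ones to watch on an OT segment.
WRITE_FCS = {5, 6, 15, 16, 21, 22, 23}

# Status bits modelled on modbusStat (only those derivable from one frame).
STAT_MODBUS, STAT_NONMODBUS_PROTID, STAT_UNKNOWN_FC, STAT_UNKNOWN_EXC = 0x0001, 0x0002, 0x0004, 0x0008
STAT_SNAPPED, STAT_MALFORMED = 0x4000, 0x8000


@dataclass
class ModbusFrame:
    tran_id: int
    prot_id: int
    length: int
    unit_id: int
    func_code: int           # raw code as on the wire (>= 0x80 for exceptions)
    exc_code: Optional[int]  # set only for exception responses
    status: int              # STAT_* bits


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header plus the function code. Raises ValueError
    when not even that much is present."""
    if len(payload) < 8:
        raise ValueError("payload too short for MBAP header and function code")
    tran_id, prot_id, length, unit_id, fc = struct.unpack(">HHHBB", payload[:8])
    status = STAT_MODBUS
    if prot_id != 0:
        status |= STAT_NONMODBUS_PROTID
    # mbLen counts the unit id plus the PDU, so the PDU must be length-1 bytes long.
    pdu = payload[7:]
    if len(pdu) < length - 1:
        status |= STAT_SNAPPED
    elif len(pdu) > length - 1:
        status |= STAT_MALFORMED
    exc = None
    if fc >= 0x80:
        if (fc - 0x80) not in MODBUS_FC:
            status |= STAT_UNKNOWN_FC
        if len(pdu) >= 2:
            exc = pdu[1]
            if exc not in MODBUS_EXC:
                status |= STAT_UNKNOWN_EXC
        else:
            status |= STAT_SNAPPED
    elif fc not in MODBUS_FC:
        status |= STAT_UNKNOWN_FC
    return ModbusFrame(tran_id, prot_id, length, unit_id, fc, exc, status)


def describe(frame: ModbusFrame) -> str:
    """Human-readable function, marking writes and resolving exception responses."""
    if frame.func_code >= 0x80:
        base = frame.func_code - 0x80
        return (f"exception to {MODBUS_FC.get(base, f'FC {base}')}: "
                f"{MODBUS_EXC.get(frame.exc_code, frame.exc_code)}")
    name = MODBUS_FC.get(frame.func_code, f"FC {frame.func_code}")
    return name + (" [WRITE]" if frame.func_code in WRITE_FCS else "")


# Constructed frames: a Write Single Register request to unit 0x11, and the
# unit's "Illegal data address" exception reply to a Read Holding Registers.
REQ_WRITE_REG = bytes.fromhex("0001 0000 0006 11 06 0001 00ff".replace(" ", ""))
RSP_EXC_READ = bytes.fromhex("0002 0000 0003 11 83 02".replace(" ", ""))

if __name__ == "__main__":
    for frame in (parse_modbus_tcp(REQ_WRITE_REG), parse_modbus_tcp(RSP_EXC_READ)):
        print(f"tid={frame.tran_id} unit={frame.unit_id} fc=0x{frame.func_code:02x} "
              f"status=0x{frame.status:04x}: {describe(frame)}")
```

A snapped capture (the frame cut after the function code) yields STAT_SNAPPED rather than an error, matching the plugin's "Snapped packet" bit, and a non-zero protocol identifier is reported instead of rejected, so that misuse of port 502 by something other than Modbus still shows up in the output.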
20.5 Plugin Report Output
The number of Modbus packets is reported.
21 nDPI
21.1 Description
This plugin is a simple wrapper around the nDPI library: https://github.com/ntop/nDPI. It classifies flows according
to their protocol/application by analyzing the payload content instead of using the destination port. This plugin produces
output to the flow file and to a protocol statistics file. Configuration is achieved by user defined compiler switches in
src/nDPI.h.
21.2 Configuration Flags
The following flags can be used to control the output of the plugin:
Variable            Default   Description
NDPI_OUTPUT_NUM     0         Whether (1) or not (0) to output a numerical classification
NDPI_OUTPUT_STR     1         Whether (1) or not (0) to output a textual classification
NDPI_OUTPUT_STATS   1         Whether (1) or not (0) to output the nDPI protocol distribution in a separate file
21.3 Flow File Output
The nDPI plugin outputs the following columns:
Column            Type   Description                          Flags
nDPIMasterProto   U16    Numerical nDPI master protocol       NDPI_OUTPUT_NUM=1
nDPISubProto      U16    Numerical nDPI sub protocol          NDPI_OUTPUT_NUM=1
nDPIclass         S      nDPI based protocol classification   NDPI_OUTPUT_STR=1
21.4 nDPI Numerical Protocol Classification
  0 Unknown                       1 FTP_CONTROL                   2 POP3
  3 SMTP                          4 IMAP                          5 DNS
  6 IPP                           7 HTTP                          8 MDNS
  9 NTP                          10 NetBIOS                      11 NFS
 12 SSDP                         13 BGP                          14 SNMP
 15 XDMCP                        16 SMB                          17 Syslog
 18 DHCP                         19 PostgreSQL                   20 MySQL
 21 Hotmail                      22 Direct_Download_Link         23 POPS
 24 AppleJuice                   25 DirectConnect                26 Socrates
 27 COAP                         28 VMware                       29 SMTPS
 30 Filetopia                    31 UBNTAC2                      32 Kontiki
 33 OpenFT                       34 FastTrack                    35 Gnutella
 36 eDonkey                      37 BitTorrent                   38 EPP
 39 AVI                          40 Flash                        41 OggVorbis
 42 MPEG                         43 QuickTime                    44 RealMedia
 45 WindowsMedia                 46 MMS                          47 Xbox
 48 QQ                           49 Move                         50 RTSP
 51 IMAPS                        52 IceCast                      53 PPLive
 54 PPStream                     55 Zattoo                       56 ShoutCast
 57 Sopcast                      58 Tvants                       59 TVUplayer
 60 HTTPDownload                 61 QQLive                       62 Thunder
 63 Soulseek                     64 SSL_No_Cert                  65 IRC
 66 Ayiya                        67 Unencrypted_Jabber           68 MSN
 69 Oscar                        70 Yahoo                        71 BattleField
 72 Quake                        73 VRRP                         74 Steam
 75 HalfLife2                    76 WorldOfWarcraft              77 Telnet
 78 STUN                         79 IPsec                        80 GRE
 81 ICMP                         82 IGMP                         83 EGP
 84 SCTP                         85 OSPF                         86 IP_in_IP
 87 RTP                          88 RDP                          89 VNC
 90 PcAnywhere                   91 SSL                          92 SSH
 93 Usenet                       94 MGCP                         95 IAX
 96 TFTP                         97 AFP                          98 Stealthnet
 99 Aimini                      100 SIP                         101 TruPhone
102 ICMPV6                      103 DHCPV6                      104 Armagetron
105 Crossfire                   106 Dofus                       107 Fiesta
108 Florensia                   109 Guildwars                   110 HTTP_Application_ActiveSync
111 Kerberos                    112 LDAP                        113 MapleStory
114 MsSQL-TDS                   115 PPTP                        116 Warcraft3
117 WorldOfKungFu               118 Slack                       119 Facebook
120 Twitter                     121 Dropbox                     122 GMail
123 GoogleMaps                  124 YouTube                     125 Skype
126 Google                      127 DCE_RPC                     128 NetFlow
129 sFlow                       130 HTTP_Connect                131 HTTP_Proxy
132 Citrix                      133 NetFlix                     134 LastFM
135 Waze                        136 SkyFile_PrePaid             137 SkyFile_Rudics
138 SkyFile_PostPaid            139 Citrix_Online               140 Apple
141 Webex                       142 WhatsApp                    143 AppleiCloud
144 Viber                       145 AppleiTunes                 146 Radius
147 WindowsUpdate               148 TeamViewer                  149 Tuenti
150 LotusNotes                  151 SAP                         152 GTP
153 UPnP                        154 LLMNR                       155 RemoteScan
156 Spotify                     157 WebM                        158 H323
159 OpenVPN                     160 NOE                         161 CiscoVPN
162 TeamSpeak                   163 Tor                         164 CiscoSkinny
165 RTCP                        166 RSYNC                       167 Oracle
168 Corba                       169 UbuntuONE                   170 Whois-DAS
171 Collectd                    172 SOCKS                       173 Lync
174 RTMP                        175 FTP_DATA                    176 Wikipedia
177 ZeroMQ                      178 Amazon                      179 eBay
180 CNN                         181 Megaco                      182 Redis
183 Pando_Media_Booster         184 VHUA                        185 Telegram
186 Vevo                        187 Pandora                     188 QUIC
189 WhatsAppVoice               190 EAQ                         191 Placeholder
192 Placeholder                 193 KakaoTalk                   194 KakaoTalk_Voice
195 Twitch                      196 QuickPlay                   197 Placeholder
198 MPEG_TS                     199 Snapchat                    200 Sina(Weibo)
201 GoogleHangout               202 IFLIX                       203 Github
204 BJNP                        205 1kxun                       206 iQIYI
207 SMPP                        208 Placeholder                 209 Placeholder
210 Deezer                      211 Instagram                   212 Microsoft
213 Starcraft                   214 Teredo                      215 HotspotShield
216 HEP                         217 Placeholder                 218 OCS
219 Office365                   220 Cloudflare                  221 MS_OneDrive
222 MQTT                        223 RX                          224 Placeholder
225 OpenDNS                     226 Git                         227 DRDA
21.5 Additional Output
If NDPI_OUTPUT_STATS=1 then nDPI protocol distribution statistics are output in PREFIX_nDPI.txt.
21.6 Post-Processing
The nDPIStat script can be used to sort the PREFIX_nDPI.txt file for the most or least occurring protocols (in terms of
number of packets). It can output the top or bottom N protocols or only those with at least a given percentage:
• sorted list of protocols: ./nDPIStat PREFIX_nDPI.txt
• top 10 protocols: ./nDPIStat PREFIX_nDPI.txt -n=10
• bottom 5 protocols: ./nDPIStat PREFIX_nDPI.txt -n=-5
• protocols with probability greater than 20%: ./nDPIStat PREFIX_nDPI.txt -p=20
21.7 How to Update nDPI to a New Version
• Download the latest stable version (or git clone and check out the stable branch)
• cd nDPI
• rm -rf doc/ example/ lib ndpi-netfilter/ packages/ tests/ .git/ .gitignore .travis.yml
• edit configure.ac
--- configure . ac . origin
+++ configure . ac
@@ -62 ,9 +62 ,9 @@
fi
+
AC_ARG_ENABLE ([ json -c],
AS_HELP_STRING ([ - - disable - json -c], [ Disable json -c support ]) )
AS_HELP_STRING ([ - - enable - json -c], [ Enable json -c support ]) )
- AS_IF ([ test " x$enable_json_c " != " xno "] , [
+ AS_IF ([ test " x$enable_json_c " = " xyes "] , [
PKG_CONFIG_PATH =/ usr / local / share / pkgconfig : $PKG_CONFIG_PATH
pkg - config -- exists json -c
AS_IF ([ test "$ ?" == "0"] ,
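Review bot: the AS_IF condition now tests `"x$enable_json_c" = "xyes"` instead of `!= "xno"`, which turns json-c from opt-out into opt-in; the AS_HELP_STRING therefore has to move from --disable-json-c to --enable-json-c, but the two adjacent help-string lines carry no -/+ markers here, so the hunk as shown does not apply cleanly and should be re-exported. The unchanged context line `AS_IF([test "$?" == "0"]` is a bashism; configure scripts run under /bin/sh, where `=` is the portable comparison.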
@@ -87 ,7 +87 ,7 @@
AC_CHECK_LIB ( pthread , pthread_setaffinity_np , AC_DEFINE_UNQUOTED ( HAVE_PTHREAD_SETAFFINITY_NP
, 1, [ libc has pthread_setaffinity_np ]) )
- AC_CONFIG_FILES ([ Makefile src / lib / Makefile example / Makefile tests / Makefile libndpi . pc ])
+ AC_CONFIG_FILES ([ Makefile src / lib / Makefile libndpi . pc ])
AC_CONFIG_HEADERS ( config .h)
AC_SUBST ( GIT_RELEASE )
AC_SUBST ( SVN_DATE )
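Review bot: AC_CONFIG_FILES drops example/Makefile and tests/Makefile, which matches the directories deleted in the rm -rf step, but libndpi.pc is still generated although src/lib/Makefile.am below turns the library into noinst_LTLIBRARIES; a pkg-config file for a library that is never installed is misleading, so either remove libndpi.pc here together with pkgconfig_DATA in Makefile.am, or state in the procedure why the embedded build keeps it.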
• edit Makefile.am
--- Makefile . am . origin
+++ Makefile . am
@@ -1 ,6 +1 ,6 @@
ACLOCAL_AMFLAGS = -I m4
- SUBDIRS = src / lib example tests
+ SUBDIRS = src / lib
pkgconfigdir = $( libdir )/ pkgconfig
pkgconfig_DATA = libndpi . pc
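Review bot: with example and tests removed from SUBDIRS the upstream nDPI test suite can no longer be run from the trimmed tree; the update procedure should say to run the tests in the untrimmed checkout before deleting tests/, otherwise a regression in the new upstream release is only noticed once the plugin misclassifies traffic.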
• edit src/lib/Makefile.am
--- Makefile . am . origin
+++ Makefile . am
@@ -1 ,8 +1 ,7 @@
- lib_LTLIBRARIES = libndpi . la
+ noinst_LTLIBRARIES = libndpi . la
CFLAGS += - fPIC - DPIC
libndpi_la_CPPFLAGS = -I$ ( top_srcdir )/ src / include / -I$ ( top_srcdir )/ src / lib / third_party /
include /
- libndpi_la_LDFLAGS = - version - info 1:0:0 -export - symbols $( top_srcdir )/ libndpi . sym
libndpi_la_includedir = $( includedir )/ libndpi - @VERSION@ / libndpi
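Review bot: deleting the libndpi_la_LDFLAGS line removes not only -version-info (harmless for a noinst library) but also `-export-symbols $(top_srcdir)/libndpi.sym`, so every nDPI symbol becomes visible from the plugin's shared object once libndpi.la is linked into it; Tranalyzer loads several plugins into one process, so keep the symbol list or add -fvisibility=hidden to CFLAGS to avoid clashes with any other plugin that embeds nDPI. `libndpi_la_includedir` is also dead once nothing is installed.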
• Replace src/nDPI folder in the nDPI plugin.
• Replace the proto.tex file using the prototex utility and regenerate the documentation.
• Add the new files to SVN and delete removed files before commit.
22 nFrstPkts
22.1 Description
The nFrstPkts plugin supplies the packet length (PL) and inter-arrival time (IAT) of the N first packets per flow as columns. This
representation has proven useful for fast and efficient application classification. Useful values of N are in the range of 8 to 30;
the default value is 20.
22.2 Configuration Flags
The following flags can be used to control the output of the plugin:
Name           Default  Description
NFRST_PKTCNT   20       Number of packets to record
NFRST_HDRINFO  0        extended output (adds L3/L4 header information)
22.3 Flow File Output
The nFrstPkts plugin outputs the following columns:
Column                  Type             Description                                                                              Flags
nFpCnt                  U32              Number of signal samples
L2L3L4Pl_Iat            R(U16_UT)        L2/L3/L4 or payload length and inter-arrival times for the N first packets               NFRST_HDRINFO=0
HD3l_HD4l_L2L3L4Pl_Iat  R(U8_U8_U16_UT)  L3Hdr, L4Hdr, L2/L3/L4 or payload length and inter-arrival times for the N first packets  NFRST_HDRINFO=1
22.4 Post-Processing
By invoking the script fpsGplt under trunk/scripts, files are generated for the packet signal in a Gnuplot/Excel/SPSS
readable column oriented format. The format is shown below:
PL  IAT  absolute time
23 ntpDecode
23.1 Description
The ntpDecode plugin produces a flow based view of NTP operations between computers for anomaly detection and
troubleshooting.
23.2 Configuration Flags
The following flags can be used to control the output of the plugin:
Name          Default  Description
NTP_TS        1        1: print NTP time stamps, 0: no time stamps
NTP_TS_FRMT   0        Timestamp representation: 0: unix timestamp, 1: human readable date
NTP_LIVM_HEX  0        Leap indicator, version and mode: 0: split into three values, 1: aggregated hex number
23.3 Flow File Output
The ntpDecode plugin outputs the following columns:
Name          Type      Description                                  Flags
ntpStat       H8        NTP status, warnings and errors
ntpLiVM       H8        NTP leap indicator, version number and mode  NTP_LIVM_HEX=1
ntpLi_V_M     U8_U8_U8  NTP leap indicator, version number and mode  NTP_LIVM_HEX=0
ntpStrat      H8        NTP stratum
ntpRefClkId   IP4       NTP root reference clock ID (stratum ≥ 2)
ntpRefStrId   SC        NTP root reference string (stratum ≤ 1)
ntpPollInt    U32       NTP poll interval
ntpPrec       F         NTP precision
ntpRtDelMin   F         NTP root delay minimum
ntpRtDelMax   F         NTP root delay maximum
ntpRtDispMin  F         NTP root dispersion minimum
ntpRtDispMax  F         NTP root dispersion maximum
ntpRefTS      D         NTP reference timestamp                      NTP_TS=1
ntpOrigTS     D         NTP originate timestamp                      NTP_TS=1
ntpRecTS      D         NTP receive timestamp                        NTP_TS=1
ntpTranTS     D         NTP transmit timestamp                       NTP_TS=1
23.3.1 ntpStat
The ntpStat column is to be interpreted as follows:
ntpStat      Description
2^0 (=0x01)  NTP Record detected
23.3.2 ntpLiVM
The ntpLiVM column is to be interpreted as follows (refer to Section 23.4 for some examples):
ntpLiVM    Description
xx.. ....  Leap indicator
..xx x...  Version number
.... .xxx  Mode
The Leap Indicator bits are to be interpreted as follows:
Leap Indicator  Description
0x0             No warning
0x1             Last minute has 61 seconds
0x2             Last minute has 59 seconds
0x3             Alarm condition, clock not synchronized
The Mode bits are to be interpreted as follows:
Mode  Description
0x0   Reserved
0x1   Symmetric active
0x2   Symmetric passive
0x3   Client
0x4   Server
0x5   Broadcast
0x6   NTP control message
0x7   Private use
23.3.3 ntpStrat
The ntpStrat column is to be interpreted as follows:
ntpStrat   Description
0x00       Unspecified
0x01       Primary reference
0x02-0xff  Secondary reference
23.3.4 ntpRefStrId
The interpretation of the ntpRefStrId column depends on the value of ntpStrat. The following table lists some suggested
identifiers:
ntpStrat  ntpRefStrId  Description
0x00      DCN          DCN routing protocol
0x00      NIST         NIST public modem
0x00      TSP          TSP time protocol
0x00      DTS          Digital Time Service
0x01      ATOM         Atomic clock (calibrated)
0x01      VLF          VLF radio
0x01      callsign     Generic radio
0x01      LORC         LORAN-C
0x01      GOES         GOES UHF environment satellite
0x01      GPS          GPS UHF positioning satellite
23.4 Examples
• Extract the NTP leap indicator:
tawk 'NR > 1 { print rshift(and(strtonum($ntpLiVM), 0xc0), 6) }' out_flows.txt
• Extract the NTP version:
tawk 'NR > 1 { print rshift(and(strtonum($ntpLiVM), 0x38), 3) }' out_flows.txt
• Extract the NTP mode:
tawk 'NR > 1 { printf "%#x\n", and(strtonum($ntpLiVM), 0x7) }' out_flows.txt
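The same bit extraction as the tawk one-liners, carried through to the interpretation tables of Sections 23.3.2 and 23.3.3, as an added Python example that is not part of the Tranalyzer manual or code. It assumes a tab-separated flow file whose '%'-prefixed header names the columns dir, flowInd, ntpLiVM and ntpStrat, with NTP_LIVM_HEX=1 so ntpLiVM is one hex byte; the sample rows are constructed.

```python
"""Decode the ntpLiVM / ntpStrat columns of a Tranalyzer flow file and triage them.

Added example (not part of the Tranalyzer manual or code base). Assumptions: the
flow file is tab-separated, its header row starts with '%' and names the columns
dir, flowInd, ntpLiVM and ntpStrat, and NTP_LIVM_HEX=1 so ntpLiVM is one hex byte.
"""

LEAP = {
    0: "No warning",
    1: "Last minute has 61 seconds",
    2: "Last minute has 59 seconds",
    3: "Alarm condition, clock not synchronized",
}
MODE = {
    0: "Reserved", 1: "Symmetric active", 2: "Symmetric passive", 3: "Client",
    4: "Server", 5: "Broadcast", 6: "NTP control message", 7: "Private use",
}


def split_livm(livm: int) -> tuple:
    """Leap indicator = bits 7-6, version = bits 5-3, mode = bits 2-0 (the masks of the tawk examples)."""
    return (livm & 0xC0) >> 6, (livm & 0x38) >> 3, livm & 0x07


def stratum_class(strat: int) -> str:
    """Interpretation of ntpStrat from Section 23.3.3."""
    if strat == 0x00:
        return "Unspecified"
    if strat == 0x01:
        return "Primary reference"
    return "Secondary reference"


def assess(livm: int, strat: int) -> list:
    """Findings a defender wants to see for one NTP flow direction; empty list = nothing notable."""
    leap, ver, mode = split_livm(livm)
    findings = []
    if leap == 3:
        findings.append("leap indicator 3: " + LEAP[3])
    if mode in (6, 7):
        findings.append("mode %d: %s" % (mode, MODE[mode]))
    if ver not in (3, 4):
        findings.append("unusual NTP version %d" % ver)
    if mode == 4 and strat == 0x00:
        findings.append("server reply with stratum 0 (%s)" % stratum_class(0))
    return findings


def parse_flows(text: str) -> list:
    """Return (dir, flowInd, ntpLiVM, ntpStrat) per data row; the header row starts with '%'."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("%"):
            header = line[1:].split("\t")
            continue
        f = dict(zip(header, line.split("\t")))
        rows.append((f["dir"], f["flowInd"], int(f["ntpLiVM"], 16), int(f["ntpStrat"], 16)))
    return rows


# Constructed sample: header plus four flow-direction rows.
SAMPLE_FLOWS = "\n".join([
    "%dir\tflowInd\tntpLiVM\tntpStrat",
    "A\t1\t0x23\t0x00",   # LI=0, v4, client
    "B\t1\t0x24\t0x02",   # LI=0, v4, server, stratum 2
    "A\t2\t0xe4\t0x00",   # LI=3, v4, server, stratum 0
    "A\t3\t0x16\t0x00",   # LI=0, v2, control message
])


def triage(text: str = SAMPLE_FLOWS) -> dict:
    """Map 'dir:flowInd' to its list of findings."""
    return {"%s:%s" % (d, i): assess(livm, strat) for d, i, livm, strat in parse_flows(text)}


if __name__ == "__main__":
    for key, findings in triage().items():
        print(key, "; ".join(findings) or "ok")
```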
24 ospfDecode
24.1 Description
This plugin analyzes OSPF traffic and provides absolute and relative statistics to the PREFIX_ospfStats.txt file. In
addition, the rospf script extracts the areas, networks and netmasks, along with the routers and their interfaces (Section
24.5).
24.2 Configuration Flags
Name             Default  Description
OSPF_OUTPUT_DBD  0        Whether (1) or not (0) to output routing tables
OSPF_OUTPUT_MSG  0        Whether (1) or not (0) to output all messages
OSPF_MASK_AS_IP  0        Whether or not to display netmasks as IP (0: hex, 1: IP)
OSPF_AREA_AS_IP  0        Whether or not to display areas as IP (0: int, 1: IP, 2: hex)
24.3 Flow File Output
The ospfDecode plugin outputs the following columns:
Column      Type     Description
ospfStat    H8       Status
ospfType    H8       Message type
ospfAuType  H16      Authentication type
ospfAuPass  RS       Authentication password (if ospfAuType == 0x4)
ospfArea    U32/H32  Area ID (see OSPF_AREA_AS_IP in Section 24.2)
24.3.1 ospfStat
The hex based status variable (ospfStat) is defined as follows:
ospfStat     Description
2^0 (=0x01)  OSPF message had invalid TTL (≠ 1)
2^1 (=0x02)  OSPF message had invalid destination
2^2 (=0x04)  OSPF message had invalid type
2^3 (=0x08)  OSPF message had invalid checksum
2^4 (=0x10)  OSPF message was malformed
The invalid checksum status 0x08 is currently not implemented.
The malformed status 0x10 is currently used to report cases such as possible covert channels, e.g., authfield used when
auType was NULL.
24.3.2 ospfType
The hex based message type variable ospfType is defined as follows:
ospfType     Description
2^1 (=0x02)  Hello
2^2 (=0x04)  Database Description
2^3 (=0x08)  Link State Request
2^4 (=0x10)  Link State Update
2^5 (=0x20)  Link State Acknowledgement
24.3.3 ospfAuType
The hex based authentication type variable ospfAuType is defined as follows:
ospfAuType     Description
2^1 (=0x0002)  Null authentication
2^2 (=0x0004)  Simple password
2^3 (=0x0008)  Cryptographic authentication
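The three bit fields above, decoded and turned into per-flow findings (unauthenticated or cleartext-password OSPF, and the malformed-with-null-auth case of Section 24.3.1), as an added Python example that is not part of the Tranalyzer manual or plugin. It assumes a tab-separated flow file whose '%'-prefixed header names the columns flowInd, ospfStat, ospfType and ospfAuType, printed as hex; the sample rows are constructed.

```python
"""Interpret the ospfStat / ospfType / ospfAuType bit fields of ospfDecode.

Added example, not part of the Tranalyzer manual or plugin code. Assumptions: the
flow file is tab-separated, its header row starts with '%' and names the columns
flowInd, ospfStat, ospfType and ospfAuType, and the three bit fields are hex.
"""

STAT = {0x01: "invalid TTL (not 1)", 0x02: "invalid destination", 0x04: "invalid type",
        0x08: "invalid checksum", 0x10: "malformed"}
TYPE = {0x02: "Hello", 0x04: "Database Description", 0x08: "Link State Request",
        0x10: "Link State Update", 0x20: "Link State Acknowledgement"}
AUTH = {0x0002: "Null authentication", 0x0004: "Simple password",
        0x0008: "Cryptographic authentication"}


def bits(value: int, table: dict) -> list:
    """Names of the set bits in value; bits the table does not know are reported as hex."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append("unknown 0x%x" % unknown)
    return names


def assess(stat: int, typ: int, au: int) -> list:
    """Findings for one flow; an empty list means a clean, authenticated OSPF exchange."""
    findings = ["status: " + s for s in bits(stat, STAT)]
    if au & 0x0004:
        findings.append("simple password authentication: the password is visible in ospfAuPass")
    elif au & 0x0002 and not au & 0x0008:
        findings.append("null authentication: routing updates are not authenticated")
    if stat & 0x10 and au & 0x0002:
        findings.append("malformed message with null auth type: "
                        "possible covert channel in the auth field (Section 24.3.1)")
    return findings


def parse_flows(text: str) -> list:
    """(flowInd, ospfStat, ospfType, ospfAuType) per data row; the header row starts with '%'."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("%"):
            header = line[1:].split("\t")
            continue
        f = dict(zip(header, line.split("\t")))
        rows.append((f["flowInd"], int(f["ospfStat"], 16), int(f["ospfType"], 16),
                     int(f["ospfAuType"], 16)))
    return rows


# Constructed sample flows.
SAMPLE_FLOWS = "\n".join([
    "%dir\tflowInd\tospfStat\tospfType\tospfAuType",
    "A\t1\t0x00\t0x02\t0x0002",   # Hello only, null authentication
    "A\t2\t0x00\t0x3e\t0x0004",   # full adjacency, simple password
    "A\t3\t0x10\t0x02\t0x0002",   # malformed Hello, null authentication
    "A\t4\t0x00\t0x02\t0x0008",   # Hello, cryptographic authentication
])


def triage(text: str = SAMPLE_FLOWS) -> dict:
    """Map flowInd to the message types seen and the findings for that flow."""
    return {ind: {"types": bits(typ, TYPE), "findings": assess(stat, typ, au)}
            for ind, stat, typ, au in parse_flows(text)}


if __name__ == "__main__":
    for ind, r in triage().items():
        print(ind, r["types"], r["findings"] or "ok")
```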
24.4 Additional Output
• PREFIX_ospfStats.txt: global statistics about OSPF traffic
• PREFIX_ospfHello.txt: Hello messages (see Section 24.5)
• PREFIX_ospfDBD.txt: Routing tables (see Section 24.2)
• PREFIX_ospfMsg.txt: All other messages (see Section 24.2)
24.5 Post-Processing
24.5.1 rospf
Hello messages can be used to discover the network topology and are stored in the PREFIX_ospfHello.txt file. The
script rospf extracts the areas, networks, netmasks, routers and their interfaces:
./rospf PREFIX_ospfHello.txt
24.5.2 dbd
If OSPF_OUTPUT_DBD is activated (Section 24.2), database description messages are stored in a file PREFIX_ospfDBD.txt.
The dbd script formats this file to produce an output similar to that of standard routers:
./dbd PREFIX_ospfDBD.txt
OSPF Router with ID (192.168.22.10)

Router Link States (Area 1)
Link ID         ADV Router      Age   Seq #         Checksum
192.168.22.5    192.168.22.5    4     0x80000002    0x38ce
192.168.22.10   192.168.22.10   837   0x80000002    0x6b0f
192.168.22.9    192.168.22.9    837   0x80000002    0x156c

Net Link States (Area 1)
Link ID         ADV Router      Age   Seq #         Checksum
192.168.22.6    192.168.22.10   4     0x80000001    0x150b
192.168.22.9    192.168.22.9    838   0x80000001    0x39e0

Summary Net Link States (Area 1)
Link ID         ADV Router      Age   Seq #         Checksum
192.168.17.0    192.168.22.9    735   0x80000001    0x5dd9
192.168.17.0    192.168.22.10   736   0x80000001    0x57de
192.168.18.0    192.168.22.9    715   0x80000001    0x52e3
...

Sample rospf output (Section 24.5.1); the network table reads:
Name  Area  Network        Netmask
N1    0     192.168.21.0   0xffffff00
N2    1     192.168.16.0   0xffffff00
N3    1     192.168.22.0   0xfffffffc
...
[The router tables (columns Router, Interface_n, Network_n and Router, Connected Routers) did not survive extraction.]
25 pcapd
25.1 Description
The pcapd plugin can be used to create PCAP files based on some criteria such as flow indexes (Section 25.3.1) or alarms
raised by other plugins (Section 25.3.2).
25.2 Dependencies
If PD_MODE=4, the libpcap version must be at least 1.7.2. (In this mode, the plugin uses the pcap_dump_open_append()
function, which was introduced in libpcap on February 12, 2015.)
25.3 Configuration Flags
The following flags can be used to configure the plugin:
Variable   Default  Description                                                             Flags
PD_SPLIT   1        Whether (1) or not (0) to split the output file (Tranalyzer -W option)  PD_MODE<3
PD_MODE    0        0: flow index only, 1: flow file format (Section 25.3.1),
                    2: alarm mode (Section 25.3.2),
                    3: one pcap (Section 25.3.3),
                    4: one pcap per flow (Section 25.3.4)
PD_EQ      1        whether to save matching (1) or non-matching (0) flows
PD_MAX_FD  128      Maximum number of simultaneously open file descriptors                  PD_MODE=4
PD_SUFFIX  ".pcap"  pcap file extension
25.3.1 PD_MODE=0, PD_MODE=1
The idea behind the first two modes (PD_MODE=0 or PD_MODE=1) is to use awk to extract flows of interest and then the
pcapd plugin to create a PCAP with all those flows. Those two modes require the Tranalyzer -e option. The format of the file
must be as follows:
• PD_MODE=0: the first column must be the flow index (the rest, which is optional, is ignored):
1234
...
• PD_MODE=1: the second column must be the flow index (as in the flow file format):
A    1234
...
Lines starting with '%', '#', a space or a tab are ignored, along with empty lines.
Flows whose index appears in the -e file are dumped in a file named PREFIX_PD_SUFFIX, where PREFIX is the
value given to the Tranalyzer -e option. Note that if PD_EQ=0, then flows whose index does not appear in the file are
dumped.
25.3.2 PD_MODE=2
In the alarm mode (PD_MODE=2), every flow whose status bit FL_ALARM=0x20000000 is set (PD_EQ=1) or not set (PD_EQ=0)
will be dumped in a file named PREFIX_PD_SUFFIX, where PREFIX is the value given to Tranalyzer -w or -W option.
25.3.3 PD_MODE=3
In this mode, all the packets are dumped into a PCAP file. If the Tranalyzer -W option is used, then the pcap files are
split accordingly. For example, the following command creates PCAP files of 100MB each:
tranalyzer -i eth0 -W out:100M
25.3.4 PD_MODE=4
In this mode, every flow will have its own PCAP file, whose name will end with the flow index.
25.4 Additional Output
A PCAP file with suffix PD_SUFFIX will be created. The prefix and location of the file depends on the configuration of
the plugin.
• If PD_MODE < 2, the file is named according to the -e option.
• Otherwise the file is named according to the -w or -W option (Sections 25.3.2, 25.3.3 and 25.3.4).
25.5 Examples
For the following examples, it is assumed that Tranalyzer was run as follows, with the basicFlow and txtSink plugins in
their default configuration:
tranalyzer -r file.pcap -w out
The column numbers can be obtained by looking in the file out_headers.txt.
25.5.1 Extracting ICMP Flows
To create a PCAP file containing ICMP flows only, proceed as follows:
1. Identify the "Layer 4 protocol" column in out_headers.txt (column 14):
grep "Layer 4 protocol" out_headers.txt
2. Extract all flow indexes whose protocol is ICMP (1):
awk -F'\t' '$14 == 1 { print $2 }' out_flows.txt > out_icmp.txt
3. Configure pcapd.h as follows: PD_MODE=0, PD_EQ=1
4. Build the pcapd plugin: cd $T2HOME/pcapd/; ./autogen.sh
5. Re-run Tranalyzer with the -e option:
tranalyzer -r file.pcap -w out -e out_icmp.txt
6. The file out_icmp.txt.pcap now contains all the ICMP flows.
25.5.2 Extracting Non-ICMP Flows
To create a PCAP file containing non-ICMP flows only, use the same procedure as that of Section 25.5.1, but replace
PD_EQ=1 with PD_EQ=0 in step 3. Alternatively, replace $14==1 with $14!=1 in step 2. Or if an entire flow file is
preferred to the flow indexes only, set PD_MODE=1 and replace print $2 with print $0 in step 2.
26 pktSIATHisto
26.1 Description
The pktSIATHisto plugin records the packet length (PL) and inter-arrival time (IAT) of a flow. While the PL is recorded exactly, the IAT is by default divided into 91
statistical bins:
Bin      Range of IAT
0 – 39   0 ms (incl.) – 200 ms (excl.), partitioned into bins of 5 ms
40 – 59  200 ms (incl.) – 400 ms (excl.), partitioned into bins of 10 ms
60 – 89  400 ms (incl.) – 1 sec. (excl.), partitioned into bins of 20 ms
90       all IAT of 1 sec. and higher
26.2 Configuration Flags
Classification tasks may require a different IAT binning. In that case the bin limit IATBINBu and the bin width IATBINWu constants in
pktSIATHisto.h need to be adapted as indicated below, using 5 different classes of bins:
#define IATBINBu1 50      // bin boundary of section one: [0, 50) ms
#define IATBINBu2 200
#define IATBINBu3 1000
#define IATBINBu4 10000
#define IATBINBu5 100000

#define IATBINWu1 10      // bin width 1 ms
#define IATBINWu2 5
#define IATBINWu3 10
#define IATBINWu4 20
#define IATBINWu5 50

#define IATBINNu1 IATBINBu1 / IATBINWu1                              // # of bins in section one
#define IATBINNu2 (IATBINBu2 - IATBINBu1) / IATBINWu2 + IATBINNu1
#define IATBINNu3 (IATBINBu3 - IATBINBu2) / IATBINWu3 + IATBINNu2
#define IATBINNu4 (IATBINBu4 - IATBINBu3) / IATBINWu4 + IATBINNu3
#define IATBINNu5 (IATBINBu5 - IATBINBu4) / IATBINWu5 + IATBINNu4

#define IATSECMAX 5 // max # of sections in statistics;
                    // last section comprises all elements > IATBINBu4

// definition of bin count fields
const uint32_t IATBinBu[IATSECMAX+1] = { 0, IATBINBu1, IATBINBu2, IATBINBu3, IATBINBu4, IATBINBu5 };
const uint32_t IATBinWu[IATSECMAX]   = { IATBINWu1, IATBINWu2, IATBINWu3, IATBINWu4, IATBINWu5 };
const uint32_t IATBinNu[IATSECMAX+1] = { 0, IATBINNu1, IATBINNu2, IATBINNu3, IATBINNu4, IATBINNu5 };
The number of bin sections is defined by IATSECMAX; the default is 3. The static fields IATBinBu and IATBinWu need
to be adapted when IATSECMAX is changed. The static definition in curly brackets of the constant fields IATBinBu[],
IATBinWu[] and IATBinNu[] must be adapted as well to the maximal bin size. The constant IATBINUMAX, together with the two
dimensional packet length/IAT statistics, is used by the descriptive statistics plugin and can serve as raw input for
subsequent statistical classifiers, such as Bayesian networks or C5.0 trees.
The user can customize the output by changing several define statements in the header file pktSIATHisto.h. Every
change requires a recompilation of the plugin using the autogen.sh script.
HISTO_PRINT_BIN == 0, the default case, selects the number of the IAT bin, while 1 supplies the lower bound of the IAT
bin's range.
As outlined in the Descriptive Statistics plugin, the output of the plugin can be suppressed by defining PRINT_HISTO
to zero.
For specific applications in the AI regime, the distribution can be directed into a separate file if the value PRINT_HISTO_IN_SEPARATE_FILE is different from zero. The suffix for the distribution file is defined by the HISTO_FILE_SUFFIX define.
A full list of switches is listed below:
Name                    Default       Description                                                     Flags
HISTO_IN_SEP_FILE       0             1: print histo into separate histo file
HISTO_NODEPOOL_FACTOR   15            multiplication factor of the red-black tree node pool
PRINT_HISTO             1             print histo to flow file
HISTO_PRINT_BIN         0             0: bin number; 1: minimum of the assigned inter-arrival time.
                                      Example: Bin = 10 -> iat = [50:55) -> min(iat) = 50ms
HISTO_PRINT_PROJECTION  0             1: print axis projections
HISTO_EARLY_CLEANUP     1             tree information is destroyed after onFlowTerminate.
                                      MUST be 0 if dependent plugins are loaded
HISTO_FILE_SUFFIX       "_histo.txt"
HISTO_DEBUG             0
PSI_XCLD                0             1: include (BS_XMIN,UINT16_MAX]
PSI_XMIN                UINT16_MAX    maximal packet length                                           PSI_XCLD==1
26.3 Flow File Output
The pktSIATHisto plugin outputs the following columns:
Column                      Type          Description                                            Flags
tCnt                        U32           Packet size inter-arrival time number of tree entries
Ps_IatBin_Cnt_PsCnt_IatCnt  R(U16_4xU32)  Packet size inter-arrival time bin histogram           HISTO_PRINT_BIN=0
Ps_Iat_Cnt_PsCnt_IatCnt     R(U16_4xU32)  Packet size min inter-arrival time of bin histo        HISTO_PRINT_BIN=1
All PL-IAT bins greater than zero are appended for each flow in the PREFIX_flows.txt file using the following
format:
[ps]_[IAT]_[# packets]_[# of packets PL]_[# of packets IAT]
The PL-IAT bins are separated by semicolons. The IAT value is the lower bound of the IAT range of a bin.
26.4 Post-Processing
By invoking the script statGplt under trunk/scripts, files are generated for the 2/3 dim statistics in a Gnuplot/Excel/SPSS
column oriented format. The format is:
• For the 3D case: PL  IAT  count
• For the 2D case: PL  count
26.5 Example Output
Consider a single flow with the following PL and IAT values:
Packet number  PL (bytes)  IAT (ms)  IAT bin
1              50          0         0
2              70          88.2      17
3              70          84.3      16
4              70          92.9      18
5              70          87.1      17
6              60          91.6      18
Packets two and five have the same PL-IAT combination. Packets two to five have the same PL, and packets two and five
as well as packets four and six fall within the same IAT bin. Therefore the following sequence is
generated:
50_0_1_1_1 ; 60_90_1_1_2 ; 70_80_1_4_1 ; 70_85_2_4_2 ; 70_90_1_4_2
Note that for better readability spaces are inserted around the semicolons; they do not exist in the text based flow file.
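The binning of Section 26.1 and the output format of Section 26.3, implemented end to end so that the six-packet flow above reproduces the sequence just shown, as an added Python example that is not part of the Tranalyzer manual or plugin. It generalises the default scheme to the sectioned IATBINBu/IATBINWu layout of Section 26.2 (a list of boundary/width pairs); the CUSTOM_SECTIONS values are the numbers from that header excerpt, in whatever unit the header uses.

```python
"""Reproduce the pktSIATHisto PL-IAT histogram string of a flow.

Added example, not part of the Tranalyzer manual or the plugin code. The IAT
binning is expressed as a list of (upper boundary, bin width) sections, so the
default 91-bin scheme of Section 26.1 and the IATBINBu/IATBINWu layout of
Section 26.2 are the same function with different section lists. The output
follows [ps]_[IAT]_[# packets]_[# of packets PL]_[# of packets IAT] with
HISTO_PRINT_BIN=1 (IAT printed as the bin's lower bound).
"""
from collections import Counter

# Default scheme: [0,200) ms in 5 ms bins, [200,400) in 10 ms, [400,1000) in 20 ms,
# plus one final bin for everything from the last boundary upwards -> 40+20+30+1 = 91 bins.
DEFAULT_SECTIONS = [(200, 5), (400, 10), (1000, 20)]

# IATBINBu1..5 / IATBINWu1..5 of the header excerpt in Section 26.2 (units as in that file).
CUSTOM_SECTIONS = [(50, 10), (200, 5), (1000, 10), (10000, 20), (100000, 50)]


def num_bins(sections=DEFAULT_SECTIONS) -> int:
    """Total number of bins, including the final catch-all bin."""
    lower, total = 0, 0
    for upper, width in sections:
        total += (upper - lower) // width
        lower = upper
    return total + 1


def iat_bin(iat_ms: float, sections=DEFAULT_SECTIONS) -> int:
    """Bin index of an inter-arrival time; the bin after the last section holds all larger IATs."""
    lower, base = 0, 0
    for upper, width in sections:
        if iat_ms < upper:
            return base + int((iat_ms - lower) // width)
        base += (upper - lower) // width
        lower = upper
    return base


def bin_lower_bound(b: int, sections=DEFAULT_SECTIONS) -> int:
    """Lower bound of bin b, i.e. the IAT value printed when HISTO_PRINT_BIN=1."""
    lower, base = 0, 0
    for upper, width in sections:
        n = (upper - lower) // width
        if b < base + n:
            return lower + (b - base) * width
        base, lower = base + n, upper
    return lower


def histo_string(packets, sections=DEFAULT_SECTIONS) -> str:
    """packets: iterable of (PL in bytes, IAT in ms). Returns the ';'-separated histogram."""
    cells, pl_cnt, iat_cnt = Counter(), Counter(), Counter()
    for pl, iat in packets:
        b = iat_bin(iat, sections)
        cells[(pl, b)] += 1      # packets with exactly this PL and this IAT bin
        pl_cnt[pl] += 1          # packets with this PL (any bin)
        iat_cnt[b] += 1          # packets in this IAT bin (any PL)
    return ";".join(
        "%d_%d_%d_%d_%d" % (pl, bin_lower_bound(b, sections), n, pl_cnt[pl], iat_cnt[b])
        for (pl, b), n in sorted(cells.items()))


# The six-packet flow of the table above (PL in bytes, IAT in ms).
EXAMPLE_FLOW = [(50, 0), (70, 88.2), (70, 84.3), (70, 92.9), (70, 87.1), (60, 91.6)]

if __name__ == "__main__":
    print([iat_bin(iat) for _, iat in EXAMPLE_FLOW])   # [0, 17, 16, 18, 17, 18]
    print(histo_string(EXAMPLE_FLOW))
```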
27 popDecode
27.1 Description
The popDecode plugin processes MAIL header and content information of a flow. The idea is to identify certain POP mail
features and save content. User defined compiler switches are in popDecode.h.
27.2 Configuration Flags
The following flags can be used to control the output of the plugin:
Name      Default  Description
POP_SAVE  0        save content to POP_F_PATH
MXNMLN    21       maximal name length
MXUNM     5        maximal number of users
MXPNM     5        maximal number of passwords/parameters
MXCNM     5        maximal number of content
27.3 Flow File Output
The popDecode plugin outputs the following columns:
Column     Type  Description
popStat    H8    Status bit field
popCBF     H16   POP command codes bit field
popCC      RSC   POP Command Codes
popRM      RU16  POP Response Codes
popUsrNum  U8    number of POP Users
popPwNum   U8    number of POP Passwords
popCNum    U8    number of POP parameters
popUsr     RS    POP Users
popPw      RS    POP Passwords
popC       RS    POP Content
27.3.1 popStat
The popStat column describes the errors encountered during the flow lifetime:
popStat      Name       Description
2^0 (=0x01)  POP2_INIT  pop2 port found
2^1 (=0x02)  POP3_INIT  pop3 port found
2^2 (=0x04)  POP_ROK    response +OK
2^3 (=0x08)  POP_RERR   response -ERR
2^4 (=0x10)  POP_DWF    data storage exists, POP_SAVE == 1
2^5 (=0x20)  POP_DTP    data storage in progress, POP_SAVE == 1
2^6 (=0x40)  POP_RNVL   response not valid or data
2^7 (=0x80)  POP_OVFL   array overflow
27.3.2 popCBF
The popCBF column describes the commands encountered during the flow lifetime:
popCBF          Name      Description
2^0 (=0x0001)   POP_APOP  Login with MD5 signature
2^1 (=0x0002)   POP_AUTH  Authentication request
2^2 (=0x0004)   POP_CAPA  Get a list of capabilities supported by the server
2^3 (=0x0008)   POP_DELE  Mark the message as deleted
2^4 (=0x0010)   POP_LIST  Get a scan listing of one or all messages
2^5 (=0x0020)   POP_NOOP  Return a +OK reply
2^6 (=0x0040)   POP_PASS  Cleartext password entry
2^7 (=0x0080)   POP_QUIT  Exit session. Remove all deleted messages from the server
2^8 (=0x0100)   POP_RETR  Retrieve the message
2^9 (=0x0200)   POP_RSET  Remove the deletion marking from all messages
2^10 (=0x0400)  POP_STAT  Get the drop listing
2^11 (=0x0800)  POP_STLS  Begin a TLS negotiation
2^12 (=0x1000)  POP_TOP   Get the top n lines of the message
2^13 (=0x2000)  POP_UIDL  Get a unique-id listing for one or all messages
2^14 (=0x4000)  POP_USER  Mailbox login
2^15 (=0x8000)  POP_XTND
27.4 TODO
• IPv6
• fragmentation
• reply address extraction
28 portClassifier
28.1 Description
The portClassifier plugin classifies the flow according to the destination port meaning. It accepts a default port list
portmap.txt, automatically installed with the plugin.
28.2 Dependencies
28.2.1 Required Files
The file portmap.txt is required.
28.3 Configuration Flags
The following flags can be used to control the output of the plugin:
Name           Default        Description
PBC_NUM        1              Print numeric representation of port classification
PBC_STR        1              Print string representation of port classification
PBC_CLASSFILE  "portmap.txt"  input file for the mapping between ports and application
28.4 Flow File Output
The portClassifier plugin outputs the following columns:
Column         Type  Description                                               Flags
dstPortClassN  U16   Port based classification of the destination port number  PBC_NUM=1
dstPortClass   SC    Port based classification of the destination port name    PBC_STR=1
29 protoStats
29.1 Description
The protoStats plugin provides protocol/port sorted frequency statistics about the observed OSI layer 4 protocols and ports
in the file named PREFIX_protocols. Protocol numbers are decoded via a proto.txt file, automatically installed with
the plugin.
29.2 Dependencies
29.2.1 Required Files
The file proto.txt is required.
29.3 Configuration Flags
The following flags can be used to control the output of the plugin:
Name      Default  Description
ETH_STAT  1        Whether (1) or not (0) to output layer 2 statistics
29.4 Flow File Output
None.
29.5 Additional Output
• PREFIX_protocols.txt: protocol statistics
29.6 Post-Processing
29.6.1 protStat
The protStat script can be used to sort the PREFIX_protocols.txt file for the most or least occurring protocols (in
terms of number of packets). It can output the top or bottom N protocols or only those with at least a given percentage:
• sorted list of protocols: ./protStat PREFIX_protocols.txt
• top 10 protocols: ./protStat PREFIX_protocols.txt -n=10
• bottom 5 protocols: ./protStat PREFIX_protocols.txt -n=-5
• protocols with probability greater than 20%: ./protStat PREFIX_protocols.txt -p=20
30 pwX
30.1 Description
The pwX plugin extracts usernames and passwords from different plaintext protocols. This plugin produces only output
to the flow file. Configuration is achieved by user defined compiler switches in src/pwX.h.
30.2 Configuration Flags
The following flags can be used to control the output of the plugin:
Variable               Default  Description
PE_OUTPUT_USERNAME     1        Defines if username column is printed.
PE_OUTPUT_PASSWORD     1        Defines if password column is printed.
PE_EXTRACT_FTP         1        Defines if FTP authentication is extracted.
PE_EXTRACT_POP3        1        Defines if POP3 authentication is extracted.
PE_EXTRACT_IMAP        1        Defines if IMAP authentication is extracted.
PE_EXTRACT_SMTP        1        Defines if SMTP authentication is extracted.
PE_EXTRACT_HTTP_BASIC  1        Defines if HTTP Basic Authorization is extracted.
PE_EXTRACT_HTTP_PROXY  1        Defines if HTTP Proxy Authorization is extracted.
PE_EXTRACT_HTTP_GET    1        Defines if HTTP GET authentication is extracted.
PE_EXTRACT_HTTP_POST   1        Defines if HTTP POST authentication is extracted.
PE_EXTRACT_IRC         1        Defines if IRC authentication is extracted.
PE_EXTRACT_TELNET      1        Defines if Telnet authentication is extracted.
PE_EXTRACT_LDAP        1        Defines if LDAP bind request authentication is extracted.
PWXDEBUG               0        Whether or not to activate debug output.
30.3 Flow File Output
The pwX plugin outputs the following columns:
Name               Type  Description          Flags
extractedAuthType  U8    Authentication type
extractedUsername  S     Extracted username   PE_OUTPUT_USERNAME != 0
extractedPassword  S     Extracted password   PE_OUTPUT_PASSWORD != 0
30.3.1 extractedAuthType
The extractedAuthType column is to be interpreted as follows:
extractedAuthType  Description
0                  No password or username extracted
1                  FTP authentication
2                  POP3 authentication
3                  IMAP authentication
4                  SMTP authentication
5                  HTTP Basic Authorization
6                  HTTP Proxy Authorization
7                  HTTP GET authentication
8                  HTTP POST authentication
9                  IRC authentication
10                 Telnet authentication
11                 LDAP authentication
30.4 Plugin Report Output
The number of passwords extracted is reported.
31 regex_pcre
31.1 Description
The regex_pcre plugin provides a full PCRE compatible regex engine.
31.2 Dependencies
31.2.1 External Libraries
This plugin depends on the pcre library.
Ubuntu: sudo apt-get install libpcre3-dev
OpenSUSE: sudo zypper install pcre-devel
31.2.2 Other Plugins
If LABELSCANS=1, then this plugin requires the tcpFlags plugin.
31.2.3 Required Files
The file regexfile.txt is required. See Section 31.3.3 for more details.
31.3 Configuration Flags
31.3.1 regfile_pcre.h
The compiler constants in regfile_pcre.h control the pre-processing and compilation of the rule sets supplied in the regex
file during the initialisation phase of Tranalyzer.
Name           Default      Description
RULE_OPTIMIZE  0            0: No opt rules allocated, 1: Allocate opt rule structure & compile regex
REGEX_MODE     PCRE_DOTALL  Regex compile time options
MAXREGEXP      2048         Maximal line length of a rule being imported from inputfile and allocated in memory
31.3.2 regex_pcre.h
The compiler constants in regex_pcre.h control the execution and the output of the rule matches.
Variable       Default          Description                                                        Flags
EXPERTMODE     0                0: Alarm with highest severity: class type & severity, 1: full info
PKTTIME        0                0: no time, 1: timestamp when rule matched
LABELSCANS     0                0: No scans, 1: label scans (depends on tcpFlags)
MAXREGPOS      30               Maximal # of matches stored / flow
REGOPT         0                0: No optimization, 1: execute regex optimization                  RULE_OPTIMIZE=1
REXPOSIX_FILE  "regexfile.txt"  Name of regex file under ./tranalyzer/plugins
OVECCOUNT      1                regex internal: maximal # of regex output vectors
31.3.3 regexfile.txt
The regexfile.txt file has the following format:
# ID Predecessor Flags ANDMask ANDPin ClassID Severity Sel  Dir    Proto srcPort dstPort offset Regex
# single rule
1   0   0x80 0x0000 0x0000 15 3 0x8b 0x0001 6 0   80  0  \x6A.{1,}\x6B\x3C\x24\x0B\x60\x6A.*
# single rule
3   1   0x80 0x0000 0x0000 15 3 0x82 0x0001 6 0   80  8  \x31\xDB\x8D\x43\x0D\xCD\x80\x66.*\x31
# root rules to following tree
202 0   0x11 0x0000 0x0000 20 4 0x41 0x0001 6 0   80  20 ^http
203 0   0x10 0x0000 0x0000 20 4 0x41 0x0001 6 0   80  20 GET
# successors and predecessors
204 202 0x01 0x0000 0x0001 43 2 0x85 0x0001 6 0   445 0  Volume Serial Number
204 203 0x40 0x0000 0x0002 40 2 0x8f 0x0001 6 666 666 0  (?i)Command completed(?-i)
# successors 205 & 206 to 204 AND ruleset
205 204 0x81 0x0003 0x0000 40 3 0x00 0x0001 0 0   0   0  ^get.*porno.*
206 204 0x80 0x0002 0x0000 35 3 0x00 0x0000 0 20  21  0  ^FTP
Lines starting with a '#' are comment lines and are ignored. Rules may also act on multiple packets, and arbitrary rule
trees can be formed by combining different IDs with the Predecessor column, as outlined in the example above. Regex rules
with the same ID denote combined predecessors of other rules. By default they are combined with an OR operation, unless
ANDPin bits are set: these bits denote the different inputs of a bitwise AND. The result is provided to the successor rule,
which compares it with the ANDMask bit field to decide whether all necessary predecessor rules have matched; only then is
the successor rule evaluated. Thus, arbitrary rule trees can be constructed, and the results of predecessors can be used by
multiple successor rules. The Flags column controls the basic PCRE rule interpretation and the flow alarm production (see
the table below); e.g. an alarm flow output is only produced if bit eight (0x80) is set. ClassID and Severity denote the
information printed in the flow file if the rule fires.
Flags       | Description
2^0 (=0x01) | PCRE_CASELESS
2^1 (=0x02) | PCRE_MULTILINE
2^2 (=0x04) | PCRE_DOTALL
2^3 (=0x08) | PCRE_EXTENDED
2^4 (=0x10) | Internal state: successor found
2^5 (=0x20) | Internal state: predecessor matched
2^6 (=0x40) | Preserve alarm in queue for later use
2^7 (=0x80) | Print alarm in flow file
The Sel column controls the header selection of a rule in the lower nibble and the start of the regex evaluation in the
higher nibble. The positions of the bits in the control byte are outlined below:

Sel         | Description
2^0 (=0x01) | Activate dir field
2^1 (=0x02) | Activate L4Proto field
2^2 (=0x04) | Activate srcPort field
2^3 (=0x08) | Activate dstPort field
2^4 (=0x10) | Header start: Layer 2
2^5 (=0x20) | Header start: Layer 3
2^6 (=0x40) | Header start: Layer 4
2^7 (=0x80) | Header start: Layer 7
These selection bits determine which of the flow direction (A: 0x0000, B: 0x0001), protocol, source port and destination
port are evaluated for a rule; all other fields are ignored. The dir field might carry additional bits in the future,
providing more selection options. The offset column gives the start of the regex evaluation relative to the selected header
start (default 0). The Regex column accepts a full PCRE regex term. If the regex is not valid, the rule is discarded and an
error message is displayed in the Tranalyzer report.
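To show how the rule file format and the Sel/Flags control bytes fit together, here is an added Python example (not part of Tranalyzer) that parses constructed rule lines, decodes Sel and Flags according to the tables above, lists the successor edges of the rule tree and discards rules whose regex does not compile. Python's re module stands in for PCRE, so PCRE-only syntax would be rejected here but accepted by the plugin.

```python
import re
from dataclasses import dataclass

# Bit names taken from the Flags and Sel tables of this section.
FLAG_BITS = {
    0x01: "PCRE_CASELESS", 0x02: "PCRE_MULTILINE", 0x04: "PCRE_DOTALL",
    0x08: "PCRE_EXTENDED", 0x10: "successor found", 0x20: "predecessor matched",
    0x40: "preserve alarm in queue", 0x80: "print alarm in flow file",
}
SEL_FIELDS = {0x01: "dir", 0x02: "L4Proto", 0x04: "srcPort", 0x08: "dstPort"}
SEL_START = {0x10: "L2", 0x20: "L3", 0x40: "L4", 0x80: "L7"}


@dataclass
class Rule:
    rid: int
    predecessor: int
    flags: int
    and_mask: int
    and_pin: int
    class_id: int
    severity: int
    sel: int
    dir: int
    proto: int
    src_port: int
    dst_port: int
    offset: int
    regex: str


def parse_rule(line):
    """Parse one non-comment line of regexfile.txt into a Rule.

    The first 13 columns are whitespace separated; everything after the
    offset column is the regex (it may itself contain spaces)."""
    parts = line.split(None, 13)
    if len(parts) != 14:
        raise ValueError("rule needs 13 numeric columns plus a regex: %r" % line)
    nums = [int(p, 0) for p in parts[:13]]   # int(x, 0) accepts 0x.. and decimal
    return Rule(*nums, regex=parts[13])


def load_rules(text):
    """Return the rules of a regexfile.txt body, skipping '#' comments and
    rules whose regex does not compile (the plugin discards those as well)."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        try:
            re.compile(rule.regex)          # Python re used as a stand-in for PCRE
        except re.error as exc:
            errors.append((lineno, str(exc)))
            continue
        rules.append(rule)
    return rules, errors


def decode_sel(sel):
    """Split a Sel byte into the active header fields (lower nibble) and the
    header start of the regex evaluation (upper nibble)."""
    fields = [name for bit, name in SEL_FIELDS.items() if sel & bit]
    starts = [name for bit, name in SEL_START.items() if sel & bit]
    return fields, starts


def decode_flags(flags):
    return [name for bit, name in FLAG_BITS.items() if flags & bit]


def successors(rules, rule_id):
    """Rules whose Predecessor column points at rule_id (the tree edges)."""
    return [r for r in rules if r.predecessor == rule_id]


# Constructed sample: an HTTP root rule, two predecessors of rule 205 carrying
# ANDPin bits, a successor requiring both (ANDMask 0x0003) and one broken regex.
SAMPLE = """\
# ID Pred Flags ANDMask ANDPin ClassID Sev Sel  Dir    Proto srcPort dstPort offset Regex
202 0   0x11 0x0000 0x0000 20 4 0x41 0x0001 6 0   80  20 ^http
204 202 0x01 0x0000 0x0001 43 2 0x8b 0x0001 6 0   445 0  Volume Serial Number
204 202 0x40 0x0000 0x0002 40 2 0x8f 0x0001 6 666 666 0  (?i)Command completed
205 204 0x81 0x0003 0x0000 40 3 0x00 0x0001 0 0   20  0  ^get.*porno.*
999 0   0x80 0x0000 0x0000 10 1 0x00 0x0000 0 0   0   0  ^unbalanced(
"""

RULES, ERRORS = load_rules(SAMPLE)
```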
31.4 Flow File Output
The regex_pcre plugin outputs the following columns:

Column                    | Type                | Description                                                                   | Flags
RgxCnt                    | U16                 | Regexp match count                                                            |
RgxClTyp                  | U8                  | Classtype                                                                     | EXPERTMODE=0
RgxSev                    | U8                  | Severity                                                                      | EXPERTMODE=0
RgxN_B_RID_Amsk_F_CT_Sv   | R(4xU16_H8_2xU8)    | Packet, byte position, regfile ID, AND mask, flags, classtype, severity       | EXPERTMODE=1&&PKTTIME=0
RgxT_N_B_RID_Amsk_F_CT_Sv | R(UT_4xU16_H8_2xU8) | Time, packet, byte position, regfile ID, AND mask, flags, classtype, severity | EXPERTMODE=1&&PKTTIME=1
32 sctpDecode

32.1 Description
The sctpDecode plugin produces a flow based view of SCTP operations between computers for anomaly detection and
troubleshooting purposes.

32.2 Configuration Flags
The following flags can be used to control the output of the plugin:

Name          | Default | Description
SCTP_CRC32CHK | 0       | 1: CRC32 check
SCTP_ADL32CHK | 0       | 1: Adler32 check
SCTP_CHNKTSTR | 0       | 1: Chunk type as string, 0: as int
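As an added illustration of what SCTP_CRC32CHK=1 verifies (example code written here, not the plugin's implementation): the CRC-32C over the packet with the checksum field zeroed must equal the stored value. The INIT chunk bytes, ports and verification tag are constructed; the least-significant-byte-first placement of the checksum follows RFC 4960 Appendix B.

```python
import struct

# CRC-32C (Castagnoli, reflected polynomial 0x82F63B78), the checksum SCTP uses.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0x82F63B78 if _c & 1 else _c >> 1
    _TABLE.append(_c)


def crc32c(data):
    """Table-driven CRC-32C; the check value for b'123456789' is 0xE3069283."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def sctp_checksum_ok(packet):
    """Verify the SCTP common-header checksum (bytes 8..11).

    The CRC is computed over the whole packet with the checksum field zeroed;
    per RFC 4960 Appendix B the result is stored least-significant byte first."""
    if len(packet) < 12:
        return False                      # truncated common header
    zeroed = packet[:8] + b"\x00\x00\x00\x00" + packet[12:]
    stored = struct.unpack_from("<I", packet, 8)[0]
    return crc32c(zeroed) == stored


def build_sctp_packet(src_port, dst_port, vtag, chunks):
    """Constructed helper: common header + raw chunk bytes with a valid checksum."""
    body = struct.pack("!HHI", src_port, dst_port, vtag) + b"\x00" * 4 + chunks
    return body[:8] + struct.pack("<I", crc32c(body)) + body[12:]


# Constructed sample: an INIT chunk (type 1) of 20 bytes (length is a multiple of 4).
INIT_CHUNK = struct.pack("!BBH", 1, 0, 20) + struct.pack("!IIHHI", 0xDEADBEEF, 65536, 10, 65535, 1)
GOOD = build_sctp_packet(36412, 36412, 0, INIT_CHUNK)
# Flip one payload bit: the stored checksum no longer verifies.
BAD = GOOD[:-1] + bytes([GOOD[-1] ^ 0x01])
```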
32.3 Flow File Output
The sctpDecode plugin outputs the following columns:

Column       | Type | Description
sctpStat     | H8   | SCTP status
sctpNumS     | U16  | SCTP Number of streams
sctpPPI      | U32  | SCTP Payload ID
sctpVTag     | H32  | SCTP verification tag
sctpTypeBf   | H16  | SCTP aggregated type bit field
sctpCntD_I_A | 3U16 | SCTP Data_Init_Abort count
sctpCCBF     | H16  | SCTP aggregated error cause code bit field
sctpCFlgs    | H8   | SCTP aggregated chunk flag
sctpIS       | U16  | SCTP inbound streams
sctpOS       | U16  | SCTP outbound streams
sctpIARW     | U32  | SCTP Initial Advertised Receiver Window
sctpIARWMin  | U32  | SCTP Initial Advertised Receiver Window Minimum
sctpIARWMax  | U32  | SCTP Initial Advertised Receiver Window Maximum
sctpARW      | F    | SCTP Advertised Receiver Window
32.4 sctpStat
The sctpStat column is to be interpreted as follows:

sctpStat    | Description
2^0 (=0x01) | Adler32 error
2^1 (=0x02) | CRC32 error
2^2 (=0x04) | —
2^3 (=0x08) | Chunk truncated
2^4 (=0x10) | —
2^5 (=0x20) | —
2^6 (=0x40) | Type BF: Do not report
2^7 (=0x80) | Type BF: Stop processing of the packet
32.5 sctpCFlgs
The sctpCFlgs column is to be interpreted as follows:

sctpCFlgs   | Description
2^0 (=0x01) | Last segment
2^1 (=0x02) | First segment
2^2 (=0x04) | Ordered delivery
2^3 (=0x08) | Possibly delay SACK
2^4 (=0x10) | —
2^5 (=0x20) | —
2^6 (=0x40) | —
2^7 (=0x80) | —

32.6 Packet File Output
In packet mode (-s option), the sctpDecode plugin outputs the following columns:

Column                  | Type           | Description
sctpVerifTag            | H32            | Verification tag
sctpChunkType_Flags_Len | U8/S_H8_U16(R) | Chunk type, flags and length
sctpNChunks             | U8             | Number of chunks
33 smbDecode

33.1 Description
The smbDecode plugin analyzes SMB2 traffic.

33.2 Configuration Flags
The following flags can be used to control the output of the plugin:

Name                | Default         | Description                                                         | Flags
SMB_DATE_FORMAT     | 0               | Formatting of dates. 0: unix timestamp, 1: human readable date time |
SMB1_DECODE         | 0               | Whether or not to decode SMB1 (beta)                                |
SMB_SECBLOB         | 0               | Whether or not to decode security blob (beta)                       |
SMB_NUM_FNAME       | 5               | number of unique filenames to store                                 |
SMB2_NUM_DIALECT    | 3               | number of SMB2 dialects to store                                    |
SMB1_NUM_DIALECT    | 3               | number of SMB1 dialects to store                                    | SMB1_DECODE=1
SMB1_DIAL_MAXLEN    | 32              | maximum length for SMB1 dialects                                    | SMB1_DECODE=1
SMB2_NUM_STAT       | 18              | number of unique SMB2 header status to store                        |
SMB1_SAVE_DATA      | 0               | Whether or not to save files                                        | SMB1_DECODE=1
SMB2_SAVE_DATA      | 0               | Whether or not to save files                                        |
SMB_SAVE_AUTH       | 0               | Whether or not to save NTLM authentications                         |
SMB_NATIVE_NAME_LEN | 64              | Maximum length for names                                            |
SMB_SAVE_DIR        | "/tmp/TranSMB/" | Folder for saved data                                               | SMB_SAVE_DATA=1
SMB_AUTH_FILE       | "smb_auth.txt"  | File where to store NTLM authentications                            | SMB_SAVE_AUTH=1
SMB_RM_DATADIR      | 1               | Whether to remove SMB_SAVE_DIR before starting                      | SMB_SAVE_DATA=1
SMB_FNAME_LEN       | 512             | Maximum length for filenames                                        |
When saving files, the plugin names them with a combination of the file ID and the flow index. The file ID can be replaced
with the real filename by using the smbrename script and the SMB_GUID_MAP_FILE (smb_filenames.txt) file (see Section
33.5).
33.3 Flow File Output
The smbDecode plugin outputs the following columns:

Column                 | Type        | Description                                                 | Flags
smbStat                | H16         | Status                                                      |
smb1NDialects          | U32         | Number of requested dialects (SMB1)                         |
smb1Dialects           | RS          | SMB1 requested dialects (client: supported, server: chosen) |
smb2NDialects          | U32         | Number of dialects (SMB2)                                   |
smb2Dialects           | RH16        | SMB2 dialect revision (client: supported, server: chosen)   |
smbNHdrStat            | U32         | Number of unique SMB2 header status values                  |
smbHdrStat             | RH32        | SMB2 list of unique header status                           |
smbOpcodes             | H32         | Opcodes                                                     |
smbNOpcodes            | 19x(U32)    | Number of records per opcode                                |
smbPrevSessId          | H64         | SMB previous session ID                                     |
smbNativeOS            | S           | SMB native OS                                               |
smbNativeLanMan        | S           | SMB native LAN Manager                                      |
smbPrimDom             | S           | SMB primary domain                                          |
smbTargName            | S           | SMB target name                                             |
smbDomName             | S           | SMB domain name                                             |
smbUserName            | S           | SMB user name                                               |
smbHostName            | S           | SMB host name                                               |
smbNTLMServChallenge   | S           | SMB NTLM server challenge                                   |
smbNTProofStr          | S           | SMB NT proof string                                         |
smbSessionKey          | S           | SMB session key                                             |
smbGUID                | S           | Client/Server GUID                                          |
smbSessFlags_secM_caps | H16_H8_H32  | Session flags, Security mode, Capabilities                  |
smbBootT               | UT          | Server start time                                           | SMB_DATE_FORMAT=0
smbBootT               | T           | Server start time                                           | SMB_DATE_FORMAT=1
smbMaxSizeT_R_W        | U32_U32_U32 | Max transaction/read/write size                             |
smbPath                | S           | Full share path name                                        |
smbShareT              | H8          | Type of share being accessed                                |
smbShareFlags_caps_acc | H32_H32_H32 | Share flags, Capabilities, Access mask                      |
smbNFiles              | U32         | Number of accessed files                                    |
smbFiles               | RS          | Accessed files                                              |
33.3.1 smbStat
The smbStat column is to be interpreted as follows:

smbStat | Description
0x0001  | Flow is SMB
0x0002  | SMB2 header status list truncated... increase SMB2_NUM_STAT
0x0004  | Dialect name truncated... increase SMB1_DIAL_MAXLEN
0x0008  | SMB1 dialect list truncated... increase SMB1_NUM_DIALECT
0x0010  | SMB2 dialect list truncated... increase SMB2_NUM_DIALECT
0x0020  | List of accessed files truncated... increase SMB_NUM_FNAME
0x0040  | Selected dialect index out of bound... increase SMB1_NUM_DIALECT
0x0080  | Selected dialect index out of bound (error or reverse flow not found)
0x0100  | Filename truncated... increase SMB_FNAME_LEN
0x1000  | Authentication information extracted
0x8000  | Malformed packets
33.3.2 smb2Dialects
The smb2Dialects column is to be interpreted as follows:

smb2Dialects | Description
0x0202       | SMB 2.0.2
0x0210       | SMB 2.1
0x0300       | SMB 3
0x0302       | SMB 3.0.2
0x0311       | SMB 3.1.1
0x02ff       | Wildcard revision number (≥ 2.1)
33.3.3 smbHdrStat
The smbHdrStat column is to be interpreted as follows:

smbHdrStat | Description
0x00000000 | STATUS_SUCCESS
0x00000103 | STATUS_PENDING
0x0000010b | STATUS_NOTIFY_CLEANUP
0x0000010c | STATUS_NOTIFY_ENUM_DIR
0x80000005 | STATUS_BUFFER_OVERFLOW
0x80000006 | STATUS_NO_MORE_FILES
0xc0000003 | STATUS_INVALID_INFO_CLASS
0xc000000d | STATUS_INVALID_PARAMETER
0xc000000f | STATUS_NO_SUCH_FILE
0xc0000010 | STATUS_INVALID_DEVICE_REQUEST
0xc0000011 | STATUS_END_OF_FILE
0xc0000016 | STATUS_MORE_PROCESSING_REQUIRED
0xc0000022 | STATUS_ACCESS_DENIED
0xc0000023 | STATUS_BUFFER_TOO_SMALL
0xc0000034 | STATUS_OBJECT_NAME_NOT_FOUND
0xc0000035 | STATUS_OBJECT_NAME_COLLISION
0xc000003a | STATUS_OBJECT_PATH_SYNTAX_BAD
0xc0000043 | STATUS_SHARING_VIOLATION
0xc0000061 | STATUS_PRIVILEGE_NOT_HELD
0xc000006a | STATUS_WRONG_PASSWORD
0xc000006d | STATUS_LOGON_FAILURE
0xc0000071 | STATUS_PASSWORD_EXPIRED
0xc00000ac | STATUS_PIPE_NOT_AVAILABLE
0xc00000ba | STATUS_FILE_IS_A_DIRECTORY
0xc00000bb | STATUS_NOT_SUPPORTED
0xc00000c9 | STATUS_NETWORK_NAME_DELETED
0xc00000cc | STATUS_BAD_NETWORK_NAME
0xc0000101 | STATUS_DIRECTORY_NOT_EMPTY
0xc0000120 | STATUS_CANCELLED
0xc0000128 | STATUS_FILE_CLOSED
0xc000019c | STATUS_FS_DRIVER_REQUIRED
0xc0000203 | STATUS_USER_SESSION_DELETED
0xc0000225 | STATUS_NOT_FOUND
0xc0000234 | STATUS_ACCOUNT_LOCKED_OUT
0xc0000257 | STATUS_PATH_NOT_COVERED
0xc0000275 | STATUS_NOT_A_REPARSE_POINT

For a comprehensive list of the possible status values and a more extensive description, refer to [MS-ERREF], Section 2.3.1.
33.3.4 smbOpcodes
The smbOpcodes column is to be interpreted as follows:

smbOpcodes          | Description
2^0 (=0x00000001)   | SMB2_NEGOTIATE
2^1 (=0x00000002)   | SMB2_SESSION_SETUP
2^2 (=0x00000004)   | SMB2_LOGOFF
2^3 (=0x00000008)   | SMB2_TREE_CONNECT
2^4 (=0x00000010)   | SMB2_TREE_DISCONNECT
2^5 (=0x00000020)   | SMB2_CREATE
2^6 (=0x00000040)   | SMB2_CLOSE
2^7 (=0x00000080)   | SMB2_FLUSH
2^8 (=0x00000100)   | SMB2_READ
2^9 (=0x00000200)   | SMB2_WRITE
2^10 (=0x00000400)  | SMB2_LOCK
2^11 (=0x00000800)  | SMB2_IOCTL
2^12 (=0x00001000)  | SMB2_CANCEL
2^13 (=0x00002000)  | SMB2_ECHO
2^14 (=0x00004000)  | SMB2_QUERY_DIRECTORY
2^15 (=0x00008000)  | SMB2_CHANGE_NOTIFY
2^16 (=0x00010000)  | SMB2_QUERY_INFO
2^17 (=0x00020000)  | SMB2_SET_INFO
2^18 (=0x00040000)  | SMB2_OPLOCK_BREAK
33.3.5 smbNOpcodes
The smbNOpcodes column reports the number of records of each type, separated by underscores:

smbNOpcodes | Description
1           | Number of SMB2_NEGOTIATE records
2           | Number of SMB2_SESSION_SETUP records
3           | Number of SMB2_LOGOFF records
4           | Number of SMB2_TREE_CONNECT records
5           | Number of SMB2_TREE_DISCONNECT records
6           | Number of SMB2_CREATE records
7           | Number of SMB2_CLOSE records
8           | Number of SMB2_FLUSH records
9           | Number of SMB2_READ records
10          | Number of SMB2_WRITE records
11          | Number of SMB2_LOCK records
12          | Number of SMB2_IOCTL records
13          | Number of SMB2_CANCEL records
14          | Number of SMB2_ECHO records
15          | Number of SMB2_QUERY_DIRECTORY records
16          | Number of SMB2_CHANGE_NOTIFY records
17          | Number of SMB2_QUERY_INFO records
18          | Number of SMB2_SET_INFO records
19          | Number of SMB2_OPLOCK_BREAK records
33.3.6 smbSessFlags_secM_caps
The smbSessFlags_secM_caps column is to be interpreted as follows:

smbSessFlags | Description
0x01         | Client authenticated as guest user
0x02         | Client authenticated as anonymous user
0x04         | Server requires encryption of messages on this session (SMB 3.x)

smbSecM | Description
0x01    | Security signatures enabled on the server
0x02    | Security signatures required by the server

smbCaps | Description
0x01    | Server supports the Distributed File System (DFS)
0x02    | Server supports leasing
0x04    | Server supports multi-credit operation (Large MTU)
0x08    | Server supports establishing multiple channels for a single session
0x10    | Server supports persistent handles
0x20    | Server supports directory leasing
0x40    | Server supports encryption
33.3.7 smbShareT
The smbShareT column is to be interpreted as follows:

smbShareT | Description
0x01      | Physical disk share
0x02      | Named pipe share
0x03      | Printer share
33.3.8 smbShareFlags_caps_acc
The smbShareFlags_caps_acc column is to be interpreted as follows:

smbShareFlags | Description
0x00000001    | Specified share is present in a Distributed File System (DFS) tree structure
0x00000002    | Specified share is present in a DFS tree structure (DFS root)
              | If none of the following three bits is set, then the caching policy is "manual"
0x00000010    | Auto caching
0x00000020    | VDO Caching
0x00000030    | Offline caching MUST NOT occur
0x00000100    | Restrict exclusive opens
0x00000200    | Force shared delete
0x00000400    | Allow namespace caching
0x00000800    | Server will filter directory entries based on access permissions of the client
0x00001000    | Server will not issue exclusive caching rights on this share
0x00002000    | Enable hash V1
0x00004000    | Enable hash V2
0x00008000    | Encrypt data required

smbShareCaps | Description
0x00000008   | Specified share is present in a DFS tree structure
0x00000010   | Continuous availability
0x00000020   | Scaleout
0x00000040   | Cluster
0x00000080   | Asymmetric

smbShareAcc | Description
0x00000001  | Read access
0x00000002  | Write access
0x00000004  | Append access
0x00000008  | Read extended attributes access
0x00000010  | Write extended attributes access
0x00000020  | Execute access
0x00000040  | Delete child access
0x00000080  | Read attributes access
0x00000100  | Write attributes access
0x00010000  | Delete access
0x00020000  | Read access to owner, group and ACL of the SID
0x00040000  | Owner may write the DAC
0x00080000  | Can write owner (take ownership)
0x00100000  | Can wait on handle to synchronise on completion of I/O
0x01000000  | System security is NOT set
0x02000000  | Maximum allowed is NOT set
0x10000000  | Generic all is NOT set
0x20000000  | Generic execute is NOT set
0x40000000  | Generic write is NOT set
0x80000000  | Generic read is NOT set

33.4 Plugin Report Output
The number of SMB, SMB2 and SMB3 records is reported. In addition, if SMB_SAVE_AUTH=1, the number of NetNTLMv2
hashes extracted is reported.
33.5 Post-Processing

33.5.1 smbrename
The smbrename script can be used to rename and organise the files extracted by the plugin. It must be run from within
the SMB_SAVE_DIR folder (where the file smb_filenames.txt is located). By default, it replaces the file ID with the real
filename and organises the files into folders according to their mimetype. Either operation can be enabled or disabled
individually. Try 'smbrename -help' for more information.

33.5.2 SMB Authentications
When SMB1_DECODE=1, SMB_SECBLOB=1 and SMB_SAVE_AUTH=1, the plugin produces a file with suffix SMB_AUTH_FILE
containing all the NetNTLMv2 hashes extracted from the traffic. The hashes can then be reversed using JohnTheRipper [3]
or Hashcat [4] as follows:
    john --wordlist=password.lst -format=netntlmv2 FILE_smb_auth.txt
    hashcat -m 5600 FILE_smb_auth.txt wordlist.txt

33.6 References
• [MS-CIFS]: Common Internet File System (CIFS) Protocol
• [MS-SMB]: Server Message Block (SMB) Protocol
• [MS-SMB2]: Server Message Block (SMB) Protocol Versions 2 and 3
• [MS-ERREF]: Windows Error Codes
• [MS-SPNG]: Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) Extension
• [MS-AUTHSOD]: Authentication Services Protocols Overview
• [MS-DTYP]: Windows Data Types
• [RFC4178]: The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism

[3] https://github.com/magnumripper/JohnTheRipper
[4] https://hashcat.net
34 smtpDecode

34.1 Description
The smtpDecode plugin processes MAIL header and content information of a flow. The idea is to identify certain mail
features and CNAMEs. User defined compiler switches are in smtpDecode.h.

34.2 Configuration Flags
The following flags can be used to control the output of the plugin:

Name         | Default | Description
SMTP_SAVE    | 0       | 1: save content to SMTP_F_PATH
SMTP_BTFLD   | 0       | 1: Bitfield coding of SMTP commands
SMTP_RCTXT   | 1       | 1: print response code text
SMTP_MXNMLN  | 70      | maximal name length
SMTP_MXUNMLN | 25      | maximal user length
SMTP_MXPNMLN | 15      | maximal PW length
MAXCNM       | 8       | maximal number of rec/trans codes
MAXUNM       | 5       | maximal number of server names
MAXPNM       | 5       | maximal number of server names
MAXSNM       | 8       | maximal number of server addresses
MAXRNM       | 8       | maximal number of rec EMail addresses
MAXTNM       | 8       | maximal number of trans EMail addresses
34.3 Flow File Output
The smtpDecode plugin outputs the following columns:

Column     | Type | Description                       | Flags
smtpStat   | H8   | Status                            |
smtpCBF    | H16  | Command bit field                 | BITFIELD=1
smtpCC     | RSC  | Command Codes                     |
smtpRC     | RI16 | Response Codes                    |
smtpUsr    | RS   | SMTP Users                        |
smtpPW     | RS   | SMTP Passwords                    |
smtpSANum  | I8   | number of Server addresses        |
smtpESANum | I8   | number of email sender addresses  |
smtpERANum | I8   | number of email receiver addresses |
smtpSA     | RS   | Server send addresses             |
smtpESA    | RS   | Email send addresses              |
smtpERA    | RS   | Email receive addresses           |
34.3.1 smtpStat
The smtpStat column describes the errors encountered during the flow lifetime:

smtpStat    | Name      | Description
2^0 (=0x01) | SMTP_INIT | SMTP ports found
2^1 (=0x02) | SMTP_AUTP | Authentication pending
2^2 (=0x04) | SMTP_DTP  | data download pending, SMTP_SAVE == 1
2^3 (=0x08) | PWSTATE   | User PW pending
2^4 (=0x10) | SMTP_PWF  | flow write finished, SMTP_SAVE == 1
2^5 (=0x20) | SMTP_FERR | File error, SMTP_SAVE == 1
2^6 (=0x40) | SMTP_OVFL | array overflow
2^7 (=0x80) | —         | —
34.3.2 smtpCBF
The smtpCBF column is to be interpreted as follows:

smtpCBF        | Description
2^0 (=0x0001)  | HELO
2^1 (=0x0002)  | EHLO
2^2 (=0x0004)  | MAIL
2^3 (=0x0008)  | RCPT
2^4 (=0x0010)  | DATA
2^5 (=0x0020)  | RSET
2^6 (=0x0040)  | SEND
2^7 (=0x0080)  | SOML
2^8 (=0x0100)  | SAML
2^9 (=0x0200)  | VRFY
2^10 (=0x0400) | EXPN
2^11 (=0x0800) | HELP
2^12 (=0x1000) | NOOP
2^13 (=0x2000) | QUIT
2^14 (=0x4000) | TURN
2^15 (=0x8000) | AUTH

34.4 TODO
• fragmentation
35 socketSink

35.1 Description
This plugin is the socket interface of Tranalyzer. The idea is to interface one or many distributed Tranalyzer instances
with a central server that post-processes and visualises their data. The plugin also implements the Alarm Mode, which is
activated by ALARM_MODE=1 in the core tranalyzer.h file. Prepending information such as data length, checksum or an ID is
controlled by the BUF_DATA_SHFT variable in the tranalyzer core (outputBuffer.h). The user needs to configure the
destination port, the socket type and whether host info is transmitted in the first record. Otherwise the socketSink plugin
has no dependencies and writes its output directly to the Ethernet interface.

35.2 Configuration Flags
The following flags can be used to control the output of the plugin:

35.3 socketSink.h

Variable     | Default   | Description                        | Flags
SERVADD      | 127.0.0.1 | destination address                |
DPORT        | 6666      | destination port (host order)      |
SOCKTYP      | 1         | Socket type: 0: UDP; 1: TCP        |
CONTENT_TYPE | 1         | 0: binary; 1: text                 |
HOST_INFO    | 0         | 0: no info; 1: all info about host | CONTENT_TYPE=1

35.4 bin2TxtBuf.h

Variable               | Default | Description
HEX_CAPITAL            | 0       | Hex number representation: 0: lower case, 1: upper case
IP_PRINT_NORMALIZE     | 0       | IPv4 addresses representation: 0: normal, 1: normalized (padded with 0)
IP6_COMPRESS           | 1       | IPv6 addresses representation: 1: compressed, 0: full 128 bit length
TFS_EXTENDED_HEADER    | 0       | Whether or not to print an extended header in the flow file (number of rows, columns, columns type)
B2T_LOCALTIME          | 0       | Time representation: 0: UTC, 1: localtime
B2T_TIME_IN_MICRO_SECS | 1       | Time precision: 0: nanosecs, 1: microsecs
HDR_CHR                | "%"     | start character of comments in flow file
SEP_CHR                | '\t'    | character to use to separate the columns in the flow file
35.5 Additional Output
The output buffer normally written to the flow file is directed to the socket instead. If HOST_INFO = 1, the following
header is transmitted as a prelude:

Parameter | Type | Description
1         | U32  | Message length, if BUF_DATA_SHFT > 0
2         | U32  | Checksum, if BUF_DATA_SHFT > 1
3         | U32  | Sensor ID
4         | T    | Present Unix time stamp
5         | RS;  | OS;Machine Name;built;OS type;HW;
          | RS;  | Ethername1(address1)Ethername2(address2)...;
          | RS;  | IPInterfacename1(address1/netmask1)IPInterfacename2(address2/netmask2)...;

After the prelude, all flow based binary buffers are directed to the socket interface according to the format shown in
the table below:

Column | Type | Description
1      | U32  | Message length, if BUF_DATA_SHFT > 0
2      | U32  | Checksum, if BUF_DATA_SHFT > 1
3      | RU32 | Binary buffer output
35.6 Test
For an initial assessment of the output, open a socket, e.g. with netcat, in a new bash window:
    nc -l 127.0.0.1 -p 6666
and start T2 with the socket plugin. You should now see the flows being listed in your bash window. If you want to
simulate a server collecting data from many T2 instances:
    nc -l 127.0.0.1 -p 6666 > flowfile.txt
36 stpDecode

36.1 Description
The stpDecode plugin analyzes STP traffic.

36.2 Flow File Output
The stpDecode plugin outputs the following columns:

Column    | Type | Description
stpStat   | H8   | Status
stpProtID | H16  | Protocol ID
stpVerID  | H16  | Version ID
stpBpdu   | H8   | BPDU
stpFlags  | H8   | Flags

36.2.1 stpStat
The stpStat column is to be interpreted as follows:

stpStat | Description
0x01    | Flow is STP
37 syslogDecode

37.1 Description
The syslogDecode plugin extracts syslog messages from IP traffic, dissects them and transforms them into flow based
statistics.

37.2 Configuration Flags
The following flags can be used to control the output of the plugin:

Name          | Default       | Description
SYSLOG_SUFFIX | "_syslog.txt" | packet file name extension

37.3 Flow File Output
The syslogDecode plugin outputs the following columns:

Column            | Type       | Description
syslogStat        | H8         | Status
syslogMCnt        | U32        | Syslog msg count
syslogSev_Fac_Cnt | RU8_U8_U16 | number of Syslog messages per severity and facility
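The syslogSev_Fac_Cnt column aggregates messages by severity and facility, both of which come from the PRI part of each message. The following Python example is added here (not Tranalyzer code) to show that split and the per-pair counting on constructed sample messages; the textual rendering of the column is our own approximation of the repeated U8_U8_U16 layout.

```python
import re
from collections import Counter

# RFC 5424 severity names for the values 0..7 (PRI modulo 8).
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(message):
    """Return (facility, severity) of a syslog message, or None if the PRI
    part is missing or out of range (RFC 5424 allows 0..191)."""
    m = _PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri >> 3, pri & 0x07        # facility = PRI / 8, severity = PRI % 8


def sev_fac_counts(messages):
    """Count messages per (severity, facility) pair, the aggregation the
    syslogSev_Fac_Cnt column repeats as U8_U8_U16 triples."""
    counts = Counter()
    skipped = 0
    for msg in messages:
        parsed = parse_pri(msg)
        if parsed is None:
            skipped += 1               # not counted as a syslog message
            continue
        fac, sev = parsed
        counts[(sev, fac)] += 1
    return counts, skipped


def format_column(counts):
    """Render the counters as a repeated column: sev_fac_cnt;sev_fac_cnt;..."""
    return ";".join("%d_%d_%d" % (sev, fac, n) for (sev, fac), n in sorted(counts.items()))


# Constructed sample UDP payloads (not real captured traffic).
SAMPLE = [
    b"<34>1 2017-03-01T12:00:00Z host1 sshd - - - Failed password for root",   # auth.crit
    b"<34>1 2017-03-01T12:00:01Z host1 sshd - - - Failed password for root",
    b"<86>1 2017-03-01T12:00:02Z host1 sshd - - - Accepted publickey",         # authpriv.info
    b"<13>Mar  1 12:00:03 host2 user: hello",                                  # user.notice, RFC 3164 style
    b"<999>1 2017-03-01T12:00:04Z host3 app - - - bogus PRI",                  # out of range, skipped
    b"no PRI at all",                                                          # skipped
]
COUNTS, SKIPPED = sev_fac_counts(SAMPLE)
```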
37.3.1 syslogStat
The syslogStat column is to be interpreted as follows:

syslogStat | Description
0x01       | Syslog detected
0x02       | -
0x04       | -
0x08       | -
0x10       | -
0x20       | -
0x40       | -
0x80       | -

37.4 Additional Output
Non-standard output:
• syslog_pkt.txt: packet mode output controlled by -s option

37.5 TODO
• IPv6 tests

37.6 References
• https://tools.ietf.org/html/rfc5424
38 tcpFlags

38.1 Description
The tcpFlags plugin contains IP and TCP header information encountered during the lifetime of a flow. All features are a
result of practical troubleshooting experience in the field.

38.2 Configuration Flags
The following flags can be used to control the output of the plugin:

Name             | Default | Description
SPKTMD_SEQACKREL | 0       | Seq/Ack Numbers 0: absolute, 1: relative (-s option)
RTT_ESTIMATE     | 1       | Whether (1) or not (0) to estimate Round trip time
IPCHECKSUM       | 2       | 0: No checksums calculation, 1: Calculation of L3 (IP) Header Checksum, 2: L3/L4 (TCP, UDP, ICMP, IGMP, ...) Checksum
WINDOWSIZE       | 1       | Whether (1) or not (0) to output TCP window size parameters
SEQ_ACK_NUM      | 1       | Whether (1) or not (0) to output Sequence/Acknowledge Number features
FRAG_ANALYZE     | 1       | Whether (1) or not (0) to enable fragmentation analysis
NAT_BT_EST       | 1       | Whether (1) or not (0) to estimate NAT boot time
SCAN_DETECTOR    | 1       | Whether (1) or not (0) to enable scan flow detector
38.3 Flow File Output
The tcpFlags plugin outputs the following columns:

Column                | Type   | Description                                                                      | Flags
tcpStat               | H8     | Status                                                                           |
ipMindIPID            | U16    | IP Minimum delta IP ID                                                           |
ipMaxdIPID            | U16    | IP Maximum delta IP ID                                                           |
ipMinTTL              | U8     | IP Minimum TTL                                                                   |
ipMaxTTL              | U8     | IP Maximum TTL                                                                   |
ipTTLChg              | U8     | IP TTL Change Count                                                              |
ipTOS                 | H8     | IP Type of Service                                                               |
ipFlags               | H16    | IP aggregated flags                                                              |
ipOptCnt              | U16    | IP options count                                                                 |
ipOptCpCl_Num         | H8_H32 | IP aggregated options, copy-class and number                                     |
tcpPSeqCnt            | U16    | TCP packet sequence count                                                        | SEQ_ACK_NUM=1
tcpSeqSntBytes        | U64    | TCP sent seq diff bytes                                                          | SEQ_ACK_NUM=1
tcpSeqFaultCnt        | U16    | TCP sequence number fault count                                                  | SEQ_ACK_NUM=1
tcpPAckCnt            | U16    | TCP packet ack count                                                             | SEQ_ACK_NUM=1
tcpFlwLssAckRcvdBytes | U64    | TCP flawless ack received bytes                                                  | SEQ_ACK_NUM=1
tcpAckFaultCnt        | U16    | TCP ack number fault count                                                       | SEQ_ACK_NUM=1
tcpInitWinSz          | U32    | TCP initial effective window size                                                | WINDOWSIZE=1
tcpAveWinSz           | F      | TCP average effective window size                                                | WINDOWSIZE=1
tcpMinWinSz           | U32    | TCP minimum effective window size                                                | WINDOWSIZE=1
tcpMaxWinSz           | U32    | TCP maximum effective window size                                                | WINDOWSIZE=1
tcpWinSzDwnCnt        | U16    | TCP effective window size change down count                                      | WINDOWSIZE=1
tcpWinSzUpCnt         | U16    | TCP effective window size change up count                                        | WINDOWSIZE=1
tcpWinSzChgDirCnt     | U16    | TCP effective window size direction change count                                 | WINDOWSIZE=1
tcpAggrFlags          | H8     | TCP aggregated protocol flags (cwr, ack, push, reset, syn, fin)                  |
tcpAggrAnomaly        | H16    | TCP aggregated header anomaly flags                                              |
tcpOptPktCnt          | U16    | TCP options packet count                                                         |
tcpOptCnt             | U16    | TCP options count                                                                |
tcpAggrOptions        | H32    | TCP aggregated options                                                           |
tcpMSS                | U16    | TCP Maximum Segment Length                                                       |
tcpWS                 | U8     | TCP Window Scale                                                                 |
tcpTmS                | U32    | TCP Time Stamp                                                                   | NAT_BT_EST=1
tcpTmER               | U32    | TCP Time Echo Reply                                                              | NAT_BT_EST=1
tcpEcI                | F      | TCP Estimated counter increment                                                  | NAT_BT_EST=1
tcpBtm                | UT     | TCP Estimated Boot time                                                          | NAT_BT_EST=1
tcpSSASAATrip         | F      | (A) TCP Trip Time Syn, Syn-Ack; (B) TCP Trip Time Syn-Ack, Ack                   | RTT_ESTIMATE=1
tcpRTTAckTripMin      | F      | TCP Ack Trip Minimum                                                             | RTT_ESTIMATE=1
tcpRTTAckTripMax      | F      | TCP Ack Trip Maximum                                                             | RTT_ESTIMATE=1
tcpRTTAckTripAve      | F      | TCP Ack Trip Average                                                             | RTT_ESTIMATE=1
tcpRTTAckTripJitAve   | F      | TCP Ack Trip Jitter Average                                                      | RTT_ESTIMATE=1
tcpRTTSseqAA          | F      | (A) TCP Round Trip Time Syn, Syn-Ack, Ack; (B) TCP Round Trip Time Ack-Ack RTT   | RTT_ESTIMATE=1
tcpRTTAckJitAve       | F      | TCP Ack Round trip average Jitter                                                | RTT_ESTIMATE=1

38.3.1 tcpStat
The tcpStat column is to be interpreted as follows:

tcpStat | Description
0x01    | Packet no good for interdistance assessment
0x02    | Scan detected in flow
0x04    | Successful scan detected in flow
0x08    | Timestamp option decreasing
0x10    | TCP option init
0x20    | ACK Packet loss state machine init
0x40    | Window state machine initialized
0x80    | Window state machine count up/down
38.3.2 ipFlags
The ipFlags column is to be interpreted as follows:

ipFlags | Description
0x0001  | IP options corrupt
0x0002  | IPv4 packets out of order
0x0004  | IPv4 ID roll over
0x0008  | IP fragment below minimum
0x0010  | IP fragment out of range
0x0020  | More Fragment bit
0x0040  | IPv4: Dont Fragment bit; IPv6: reserve bit
0x0080  | Reserve bit
0x0100  | Fragmentation position error
0x0200  | Fragmentation sequence error
0x0400  | L3 checksum error
0x0800  | L4 checksum error
0x1000  | L3 header length snapped
0x2000  | Packet interdistance
0x4000  | Packet interdistance < 0
0x8000  | TCP SYN flag with L7 content
38.3.3 ipOptCpCl_Num
The aggregated IP options are coded as a bit field in hexadecimal notation, where the bit position denotes the IP option
type, according to the format [2^Copy-Class]_[2^Number]. For example, if the field reads 0x10_0x00100000 in an ICMP
message, it is a 0x94 = 148 router alert (copy-class 4 sets bit 4, option number 20 sets bit 20).
Refer to the IANA registry for decoding the bit field: http://www.iana.org/assignments/ip-parameters.
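To make the encoding concrete, here is an added Python example (not part of the plugin) that aggregates IP option types into the copy-class and number bit fields, formats and parses the column, and shows that the two fields cannot be paired back up unambiguously once a flow carries more than one option type. The option types in the sample flow are constructed.

```python
def split_ip_option_type(opt_type):
    """Split an IP option type byte into its copy-class (copied flag plus
    class, the upper three bits) and option number (lower five bits)."""
    if not 0 <= opt_type <= 0xFF:
        raise ValueError("option type must fit in one byte")
    return opt_type >> 5, opt_type & 0x1F


def aggregate_ip_options(opt_types):
    """Build the ipOptCpCl_Num pair from the option types seen in a flow:
    each copy-class value sets bit 2^cc in the H8 part, each option number
    sets bit 2^num in the H32 part."""
    cc_bf, num_bf = 0, 0
    for t in opt_types:
        cc, num = split_ip_option_type(t)
        cc_bf |= 1 << cc
        num_bf |= 1 << num
    return cc_bf, num_bf


def format_ip_opt_column(cc_bf, num_bf):
    """Render the pair the way the flow file shows it, e.g. 0x10_0x00100000."""
    return "0x%02x_0x%08x" % (cc_bf, num_bf)


def parse_ip_opt_column(text):
    cc_hex, num_hex = text.split("_")
    return int(cc_hex, 16), int(num_hex, 16)


def candidate_option_types(cc_bf, num_bf):
    """Invert the aggregation. Because copy-class and number are OR-ed into
    separate fields, a flow with several options loses the pairing, so every
    combination of a set copy-class bit and a set number bit is a candidate."""
    ccs = [cc for cc in range(8) if cc_bf & (1 << cc)]
    nums = [n for n in range(32) if num_bf & (1 << n)]
    return [(cc << 5) | n for cc in ccs for n in nums]


# Constructed sample: a flow carrying a router alert (0x94 = 148) twice and a
# Record Route option (type 7: not copied, class 0, number 7).
SAMPLE_TYPES = [0x94, 0x94, 7]
CC_BF, NUM_BF = aggregate_ip_options(SAMPLE_TYPES)
```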
38.3.4 tcpAggrFlags
The tcpAggrFlags column is to be interpreted as follows:

tcpAggrFlags | Flag | Description
2^0 (=0x01)  | FIN  | No more data, finish connection
2^1 (=0x02)  | SYN  | Synchronize sequence numbers
2^2 (=0x04)  | RST  | Reset connection
2^3 (=0x08)  | PSH  | Push data
2^4 (=0x10)  | ACK  | Acknowledgement field value valid
2^5 (=0x20)  | URG  | Urgent pointer valid
2^6 (=0x40)  | ECE  | ECN-Echo
2^7 (=0x80)  | CWR  | Congestion Window Reduced flag is set
38.3.5 tcpAggrAnomaly
The tcpAggrAnomaly column is to be interpreted as follows:

tcpAggrAnomaly | Description
0x0001         | FIN-ACK flag
0x0002         | SYN-ACK flag
0x0004         | RST-ACK flag
0x0008         | SYN-FIN flag, scan or malicious packet
0x0010         | SYN-FIN-RST flag, potential malicious scan packet or channel
0x0020         | FIN-RST flag, abnormal flow termination
0x0040         | Null flag, potential NULL scan packet, or malicious channel
0x0080         | XMas flag, potential Xmas scan packet, or malicious channel
0x0100         | L4 option field corrupt or not acquired
0x0200         | SYN retransmission
0x0400         | Sequence Number retry
0x0800         | Sequence Number out of order
0x1000         | Sequence mess in flow order due to pcap packet loss
0x2000         | Sequence number jump forward
0x4000         | ACK number out of order
0x8000         | Duplicate ACK
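An added Python example (not the plugin's code) of the flag-combination part of this table: it aggregates the TCP flag byte over a flow into tcpAggrFlags and sets the corresponding tcpAggrAnomaly bits. The exact flag sets (e.g. FIN+PSH+URG for XMas) and the SYN retransmission rule (a bare SYN repeating an already seen sequence number) are our reading of the table, not taken from the plugin source; the flows are constructed.

```python
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

# tcpAggrAnomaly bits from the table above and the flag combination each one
# stands for (our reading: the anomaly fires when all bits of the combo are set).
ANOMALY_COMBOS = [
    (0x0001, FIN | ACK),
    (0x0002, SYN | ACK),
    (0x0004, RST | ACK),
    (0x0008, SYN | FIN),
    (0x0010, SYN | FIN | RST),
    (0x0020, FIN | RST),
    (0x0080, FIN | PSH | URG),        # classic Xmas tree
]
ANOM_NULL = 0x0040
ANOM_SYN_RETRANS = 0x0200


def packet_anomalies(flags):
    """Anomaly bits set by a single packet's TCP flag byte."""
    if flags & 0xFF == 0:
        return ANOM_NULL
    bits = 0
    for anomaly, combo in ANOMALY_COMBOS:
        if flags & combo == combo:
            bits |= anomaly
    return bits


def aggregate_flow(packets):
    """packets: list of (flag byte, sequence number). Returns the pair
    (tcpAggrFlags, tcpAggrAnomaly) for the flow: the flag bytes and the
    per-packet anomaly bits are OR-ed, and a bare SYN that repeats an already
    seen sequence number is flagged as a SYN retransmission."""
    aggr_flags, anomaly = 0, 0
    syn_seqs = set()
    for flags, seq in packets:
        aggr_flags |= flags & 0xFF
        anomaly |= packet_anomalies(flags)
        if flags & (SYN | ACK) == SYN:          # bare SYN, not a SYN-ACK
            if seq in syn_seqs:
                anomaly |= ANOM_SYN_RETRANS
            syn_seqs.add(seq)
    return aggr_flags, anomaly


def describe_anomaly(anomaly):
    names = {
        0x0001: "FIN-ACK", 0x0002: "SYN-ACK", 0x0004: "RST-ACK", 0x0008: "SYN-FIN",
        0x0010: "SYN-FIN-RST", 0x0020: "FIN-RST", 0x0040: "Null", 0x0080: "XMas",
        0x0200: "SYN retransmission",
    }
    return [n for bit, n in sorted(names.items()) if anomaly & bit]


# Constructed flows as (flag byte, sequence number); not captured traffic.
NORMAL_FLOW = [(SYN, 1000), (SYN | ACK, 5000), (ACK, 1001), (PSH | ACK, 1001), (FIN | ACK, 1050)]
SCAN_FLOW = [(0, 7), (FIN | PSH | URG, 7), (SYN | FIN, 7)]
RETRANS_FLOW = [(SYN, 42), (SYN, 42), (RST | ACK, 0)]
```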
38.3.6 tcpAggrOptions
The tcpAggrOptions column is to be interpreted as follows:

tcpAggrOptions     | Description
2^0 (=0x00000001)  | End of Option List
2^1 (=0x00000002)  | No-Operation
2^2 (=0x00000004)  | Maximum Segment Size
2^3 (=0x00000008)  | Window Scale
2^4 (=0x00000010)  | SACK Permitted
2^5 (=0x00000020)  | SACK
2^6 (=0x00000040)  | Echo (obsoleted by option 8)
2^7 (=0x00000080)  | Echo Reply (obsoleted by option 8)
2^8 (=0x00000100)  | Timestamps
2^9 (=0x00000200)  | Partial Order Connection Permitted (obsolete)
2^10 (=0x00000400) | Partial Order Service Profile (obsolete)
2^11 (=0x00000800) | CC (obsolete)
2^12 (=0x00001000) | CC.NEW (obsolete)
2^13 (=0x00002000) | CC.ECHO (obsolete)
2^14 (=0x00004000) | TCP Alternate Checksum Request (obsolete)
2^15 (=0x00008000) | TCP Alternate Checksum Data (obsolete)
2^16 (=0x00010000) | Skeeter
2^17 (=0x00020000) | Bubba
2^18 (=0x00040000) | Trailer Checksum Option
2^19 (=0x00080000) | MD5 Signature Option (obsoleted by option 29)
2^20 (=0x00100000) | SCPS Capabilities
2^21 (=0x00200000) | Selective Negative Acknowledgements
2^22 (=0x00400000) | Record Boundaries
2^23 (=0x00800000) | Corruption experienced
2^24 (=0x01000000) | SNAP
2^25 (=0x02000000) | Unassigned (released 2000-12-18)
2^26 (=0x04000000) | TCP Compression Filter
2^27 (=0x08000000) | Quick-Start Response
2^28 (=0x10000000) | User Timeout Option (also, other known unauthorized use)
2^29 (=0x20000000) | TCP Authentication Option (TCP-AO)
2^30 (=0x40000000) | Multipath TCP (MPTCP)
2^31 (=0x80000000) | all options > 31
38.4 Packet File Output
In packet mode (-s option), the tcpFlags plugin outputs the following columns:

Column       | Description                                                     | Flags
ipTOS        | IP Type of Service                                              |
ipID         | IP ID                                                           |
ipIDDiff     | IP ID diff                                                      |
ipFrag       | IP fragment                                                     |
ipTTL        | IP TTL                                                          |
ipHdrChkSum  | IP header checksum                                              |
ipCalChkSum  | IP header computed checksum                                     |
l4HdrChkSum  | Layer 4 header checksum                                         |
l4CalChkSum  | Layer 4 header computed checksum                                |
ipFlags      | IP flags                                                        |
pktLen       | Packet size                                                     |
ipOptLen     | IP options length                                               |
ipOpts       | IP options                                                      |
seq          | Sequence number                                                 |
ack          | Acknowledgement number                                          |
seqDiff      | Sequence number diff                                            | SEQ_ACK_NUM=1
ackDiff      | Acknowledgement number diff                                     | SEQ_ACK_NUM=1
seqPktLen    | Sequence packet length                                          | SEQ_ACK_NUM=1
ackPktLen    | Acknowledgement packet length                                   | SEQ_ACK_NUM=1
tcpStat      | Flags                                                           |
tcpFlags     | TCP aggregated protocol flags (cwr, ack, push, reset, syn, fin) |
specialFlags | TCP aggregated header anomaly flags                             |
tcpWin       | TCP window size                                                 |
tcpOptLen    | TCP options length                                              |
tcpOpts      | TCP options                                                     |
38.5 Additional Output
Non-standard output:
• PREFIX_suffix.txt: description

38.6 Plugin Report Output
The aggregated ipFlags and tcpAggrAnomaly are reported.

38.7 Example
A prominent example is a routing problem caused by misconfiguration: the anomaly flag shows 0xXX03 with Flags 0x1A,
indicating a perfect data exchange, but the received byte count and packet count are zero. Either the return traffic is not
captured and/or a routing anomaly exists, such as the return traffic travelling via an unknown gateway. This was an actual
case that resolved a firewall misconfiguration combined with unexpected OSPF actions in a large company network.
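The "perfect exchange, nothing received" pattern from the example above can be hunted for in a flow file with a few lines of post-processing. The following is an added example, not code from the Tranalyzer documentation or the tcpFlags plugin; it assumes a tab-separated flow file with a '%'-prefixed header row and the column names used here (flowInd, dir, tcpFlags in hex, numPktsRcvd, numBytesRcvd are assumed names; map them to your own header file). The sample flows are constructed.

```python
"""Flag flows that look like the "perfect exchange, nothing received" case.

Added example: not code from the Tranalyzer documentation or the tcpFlags
plugin. Assumes a tab-separated flow file with a '%'-prefixed header row and
the column names used below (flowInd, dir, tcpFlags in hex, numPktsRcvd,
numBytesRcvd); adapt the names to your own header file.
"""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
GOOD_EXCHANGE = SYN | PSH | ACK   # 0x1A: handshake and data seen, no FIN/RST

# Constructed sample flow file (not captured data). Flow 1 is the suspicious
# one: SYN, ACK and PSH seen, but nothing came back and no B flow exists.
SAMPLE_FLOWS = (
    "%flowInd\tdir\tsrcIP\tdstIP\ttcpFlags\tnumPktsSnt\tnumPktsRcvd\tnumBytesSnt\tnumBytesRcvd\n"
    "1\tA\t10.0.0.5\t10.0.1.20\t0x1a\t12\t0\t1450\t0\n"
    "2\tA\t10.0.0.7\t10.0.1.21\t0x1b\t8\t7\t900\t640\n"
    "2\tB\t10.0.1.21\t10.0.0.7\t0x1b\t7\t8\t640\t900\n"
    "3\tA\t10.0.0.9\t10.0.1.22\t0x02\t3\t0\t180\t0\n"
)


def parse_flow_file(text):
    """Return one dict per flow, keyed by the header-row column names."""
    lines = text.splitlines()
    header = lines[0].lstrip("%").split("\t")
    rows = []
    for line in lines[1:]:
        if not line or line.startswith("%"):
            continue
        rows.append(dict(zip(header, line.split("\t"))))
    return rows


def one_sided_flows(rows):
    """A-direction flows whose aggregated flags contain SYN, ACK and PSH
    (0x1A) but that received no packet or byte and have no B-direction flow:
    either the return path was not captured or it took another route."""
    directions = defaultdict(set)
    for r in rows:
        directions[r["flowInd"]].add(r["dir"])
    suspicious = []
    for r in rows:
        if r["dir"] != "A":
            continue
        flags = int(r["tcpFlags"], 16)
        if (flags & GOOD_EXCHANGE) != GOOD_EXCHANGE:
            continue   # e.g. a lone SYN: a different problem, not this one
        if (int(r["numPktsRcvd"]) == 0 and int(r["numBytesRcvd"]) == 0
                and "B" not in directions[r["flowInd"]]):
            suspicious.append(r)
    return suspicious


if __name__ == "__main__":
    for r in one_sided_flows(parse_flow_file(SAMPLE_FLOWS)):
        print("one-sided flow %s: %s -> %s" % (r["flowInd"], r["srcIP"], r["dstIP"]))
```

Flows that only ever show a SYN are deliberately left out: they indicate a blocked or scanned port rather than the asymmetric-routing case described in the example.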
38.8 References
• http://www.iana.org/assignments/ip-parameters
• http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xml

39 tcpStates

39.1 Description
The tcpStates plugin tracks the actual state of a TCP connection by analyzing the flags set in the packet header. The
plugin recognizes and reports non-compliant behavior.
39.2 Configuration Flags
None.

39.3 Flow File Output
The tcpStates plugin outputs the following columns:

Column     Type  Description
tcpStates  H8    TCP state machine anomalies

39.3.1 tcpStates
The tcpStates column is to be interpreted as follows:

tcpStates  Description
0x01       Malformed connection establishment
0x02       Malformed teardown
0x04       Malformed flags during established connection
0x08       Packets detected after teardown
0x10       Packets detected after reset
0x40       Reset from sender
0x80       Potential evil behavior (scan)

39.3.2 Flow Timeouts
The tcpStates plugin also changes the timeout values of a flow according to its recognized state:

State        Description                                   Timeout (seconds)
New          Three way handshake is encountered            120
Established  Connection established                        610
Closing      Hosts are about to close the connection       120
Closed       Connection closed                             10
Reset        Connection reset encountered by one of hosts  0.1
39.3.3 Differences to the Host TCP State Machines
The plugin state machine (Figure 4) and the state machines usually implemented in hosts differ in some cases. Major
differences are caused by the benevolence of the plugin. For example, if a connection has not been established in a correct
way, the plugin still treats the connection as established, but sets the malformed connection establishment flag. The reasons
for this benevolence are the following:
• A flow might have been started before invocation of Tranalyzer2.
• A flow did not finish before Tranalyzer2 terminated.
• Tranalyzer2 did not detect every packet of a connection, for example due to a router misconfiguration.
• Flows from malicious programs may show suspicious behavior.
• Packets may be lost after being captured by Tranalyzer2 but before they reached the opposite host.
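The benevolent approach of Sections 39.3.1 to 39.3.3 can be illustrated with a small state tracker: every flow ends up in one of the five states of the timeout table, and irregularities only set anomaly bits. This is an added example and not the plugin's state machine (Figure 4); the anomaly values and timeouts are those of the tables above, while the concrete transitions, the handling of the last ACK of a four-way close and the scan heuristic (NULL and Xmas flag combinations) are simplifications assumed by this example.

```python
"""A small, benevolent TCP state tracker in the spirit of tcpStates.

Added example, not the plugin's code. Anomaly bit values and per-state
timeouts follow Section 39.3; the transitions below are a simplified reading
of the text: whatever a flow does, it is moved on (Established, Closing,
Closed, Reset) and a bit records the defect instead of dropping the packet.
The scan heuristic (NULL / Xmas flag combinations) is an assumption.
"""
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

MALFORMED_ESTABLISHMENT = 0x01
MALFORMED_TEARDOWN = 0x02
MALFORMED_FLAGS = 0x04
AFTER_TEARDOWN = 0x08
AFTER_RESET = 0x10
RESET_FROM_SENDER = 0x40
POTENTIAL_SCAN = 0x80

TIMEOUT = {"New": 120, "Established": 610, "Closing": 120, "Closed": 10, "Reset": 0.1}


class TcpFlow:
    def __init__(self):
        self.state = "New"
        self.anomalies = 0
        self.handshake = 0            # 0: nothing, 1: SYN seen, 2: SYN-ACK seen
        self.fin_seen = set()         # directions ("A"/"B") that sent a FIN
        self.final_ack_pending = False

    def timeout(self):
        return TIMEOUT[self.state]

    def packet(self, direction, flags):
        if flags & RST:
            if direction == "A":
                self.anomalies |= RESET_FROM_SENDER
            if self.state == "Reset":
                self.anomalies |= AFTER_RESET
            self.state = "Reset"
            return
        if self.state == "Reset":
            self.anomalies |= AFTER_RESET
            return
        if self.state == "Closed":
            if self.final_ack_pending and flags == ACK:
                self.final_ack_pending = False   # last ACK of the four-way close
            else:
                self.anomalies |= AFTER_TEARDOWN
            return
        # NULL (no flags) or Xmas (FIN+PSH+URG) packets never occur in a
        # legitimate connection; assumption: count them as scan behaviour.
        if flags == 0 or (flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
            self.anomalies |= POTENTIAL_SCAN
        if self.state == "New":
            self._handshake(direction, flags)
            return
        if flags & SYN:                       # SYN inside an established flow
            self.anomalies |= MALFORMED_FLAGS
        if flags & FIN:
            self.fin_seen.add(direction)
            if len(self.fin_seen) == 2:
                self.state = "Closed"
                self.final_ack_pending = True
            else:
                self.state = "Closing"

    def _handshake(self, direction, flags):
        if flags & FIN:                       # FIN before any connection existed
            self.anomalies |= MALFORMED_TEARDOWN
            self.fin_seen.add(direction)
            self.state = "Closing"
        elif flags & SYN and not flags & ACK and direction == "A" and self.handshake <= 1:
            self.handshake = 1                # SYN (or its retransmission)
        elif flags & SYN and flags & ACK and direction == "B" and self.handshake == 1:
            self.handshake = 2
        elif flags & ACK and direction == "A" and self.handshake == 2:
            self.state = "Established"        # clean three-way handshake
        else:
            # Benevolence: treat the flow as established but remember that the
            # start was not seen (capture started late, packets missed, ...).
            self.anomalies |= MALFORMED_ESTABLISHMENT
            self.state = "Established"


def track(packets):
    """packets: iterable of (direction, flags). Returns (state, anomalies, timeout)."""
    flow = TcpFlow()
    for direction, flags in packets:
        flow.packet(direction, flags)
    return flow.state, flow.anomalies, flow.timeout()
```

A flow whose first packet is a PSH+ACK (capture started mid-connection) ends in Established with anomaly 0x01 and the 610 s timeout, exactly the benevolence described above; a flow reset by the sender and followed by further packets ends in Reset with 0x40|0x10 and a 0.1 s timeout.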
39.4 Plugin Report Output
The aggregated tcpStates anomalies are reported.

Figure 4: State machine of the tcpStates plugin

40 tftpDecode

40.1 Description
The tftpDecode plugin analyses TFTP traffic. User defined compiler switches are in tftpDecode.h.
40.2 Configuration Flags
The following flags can be used to control the output of the plugin:

Name         Default            Description
TFTP_SAVE    0                  save content to FTP_F_PATH
TFTP_MXNMLN  15                 maximal name length
MAXCNM       2                  maximal length of command field
FTP_F_PATH   "/tmp/TFTPFILES/"  path for TFTP_SAVE

40.3 Flow File Output
The tftpDecode plugin outputs the following columns:

Column      Type  Description
tftpStat    H16   TFTP status bitfield
tftPFlw     U64   TFTP Parent Flow
tftpOpCBF   H8    TFTP OP Code Bit Field
tftpErrCBF  H8    TFTP Error Code Bit Field
tftOpCNum   U8    TFTP Number of OP Code
tftpPNum    U8    TFTP Number of parameters
tftpOpC     RSC   TFTP OP Codes
tftpC       RS    TFTP Parameters
40.3.1 tftpStat
The tftpStat column describes the errors encountered during the flow lifetime:

tftpStat        Name            Description
2^0  (=0x0001)  TFTPS_INIT      TFTP flow found
2^1  (=0x0002)  TFTPS_DRD       tftp data read
2^2  (=0x0004)  TFTPS_DWD       tftp data write
2^3  (=0x0008)  TFTP_FERR       file open error for TFTP_SAVE
2^4  (=0x0010)  TFTPS_BSERR     Error in block send sequence
2^5  (=0x0020)  TFTPS_BSAERR    Error in block ack sequence
2^6  (=0x0040)  TFTPS_PERR      Error, or TFTP prot error or not TFTP
2^7  (=0x0080)  TFTPS_OVFL      array overflow
2^8  (=0x0100)  TFTP_RW_PLNERR  Crafted packet or tftp read/write parameter length error
2^9  (=0x0200)  TFTPS_ACT       TFTP active
2^10 (=0x0400)
2^11 (=0x0800)
2^12 (=0x1000)
2^13 (=0x2000)  TFTPS_PSV       TFTP passive
2^14 (=0x4000)  -               -
2^15 (=0x8000)

40.3.2 tftpOpCBF
The tftpOpCBF column describes the op codes encountered during the flow lifetime:

tftpOpCBF    Name       Description
2^0 (=0x01)  TFTP_RRQ   1: Read request
2^1 (=0x02)  TFTP_WRQ   2: Write request
2^2 (=0x04)  TFTP_DATA  3: Read or write the next block of data
2^3 (=0x08)  TFTP_ACK   4: Acknowledgment
2^4 (=0x10)  TFTP_ERR   5: Error message
2^5 (=0x20)  TFTP_OACK  6: Option acknowledgment
2^6 (=0x40)  —          —
2^7 (=0x80)  —          —

40.3.3 tftpErrCBF
The tftpErrCBF column describes the error code (if op code TFTP_ERR was encountered during the flow lifetime):

tftpErrCBF   Name         Description
0x00         TFTP_NOERR   0: No Error
2^0 (=0x01)  TFTP_FLNFND  1: File not found
2^1 (=0x02)  TFTP_ACCVLT  2: Access violation
2^2 (=0x04)  TFTP_DSKFLL  3: Disk full or allocation exceeded
2^3 (=0x08)  TFTP_ILGLOP  4: Illegal TFTP operation
2^4 (=0x10)  TFTP_UKWNID  5: Unknown transfer ID
2^5 (=0x20)  TFTP_FLEXST  6: File already exists
2^6 (=0x40)  TFTP_NOSUSR  7: No such user
2^7 (=0x80)  TFTP_TRMOPN  8: Terminate transfer due to option negotiation
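How the three bitfields of Section 40.3 are derived from the TFTP packets of a flow can be shown with a minimal RFC 1350 parser. This is an added example and not the tftpDecode plugin: the bit values and constant names are taken from the tables above (only the first nine tftpStat bits are modelled), the block-sequence checks are this example's own reading of "error in block send/ack sequence", and the packets are constructed.

```python
"""Minimal TFTP (RFC 1350) parser filling tftpStat / tftpOpCBF / tftpErrCBF-style
bitfields.

Added example, not the tftpDecode plugin. Bit values and names follow the
tables above; the sequence checks are a simplification; packets are constructed.
"""
import struct

TFTPS_INIT, TFTPS_DRD, TFTPS_DWD, TFTP_FERR = 0x0001, 0x0002, 0x0004, 0x0008
TFTPS_BSERR, TFTPS_BSAERR, TFTPS_PERR, TFTPS_OVFL = 0x0010, 0x0020, 0x0040, 0x0080
TFTP_RW_PLNERR = 0x0100

RRQ, WRQ, DATA, ACK, ERROR, OACK = 1, 2, 3, 4, 5, 6


class TftpFlow:
    def __init__(self):
        self.stat = 0          # tftpStat
        self.opcbf = 0         # tftpOpCBF: bit (opcode - 1)
        self.errcbf = 0        # tftpErrCBF: 0x00 = no error, else bit (errcode - 1)
        self.opcodes = []      # tftpOpC
        self.params = []       # tftpC: filename, mode, options
        self.last_block = 0    # highest DATA block number seen
        self.last_ack = 0

    def feed(self, pkt):
        if len(pkt) < 2:
            self.stat |= TFTPS_PERR
            return
        op = struct.unpack("!H", pkt[:2])[0]
        if not 1 <= op <= 6:
            self.stat |= TFTPS_PERR        # not TFTP or protocol error
            return
        self.stat |= TFTPS_INIT
        self.opcbf |= 1 << (op - 1)
        self.opcodes.append(op)
        body = pkt[2:]
        if op in (RRQ, WRQ):
            self.stat |= TFTPS_DRD if op == RRQ else TFTPS_DWD
            fields = body.split(b"\x00")
            # RFC 1350: filename NUL mode NUL; RFC 2347 options may follow.
            if len(fields) < 3 or fields[-1] != b"" or not fields[0] or not fields[1]:
                self.stat |= TFTP_RW_PLNERR   # crafted or truncated request
                return
            self.params.extend(f.decode("ascii", "replace") for f in fields[:-1])
        elif op == DATA:
            if len(body) < 2:
                self.stat |= TFTPS_PERR
                return
            block = struct.unpack("!H", body[:2])[0]
            if block != self.last_block + 1:   # gap or replay in the block sequence
                self.stat |= TFTPS_BSERR
            self.last_block = max(self.last_block, block)
        elif op == ACK:
            if len(body) < 2:
                self.stat |= TFTPS_PERR
                return
            block = struct.unpack("!H", body[:2])[0]
            if block > self.last_block:        # acknowledging a block never sent
                self.stat |= TFTPS_BSAERR
            self.last_ack = block
        elif op == ERROR:
            if len(body) < 3:
                self.stat |= TFTPS_PERR
                return
            code = struct.unpack("!H", body[:2])[0]
            if 1 <= code <= 8:
                self.errcbf |= 1 << (code - 1)  # code 0 leaves TFTP_NOERR (0x00)
        elif op == OACK:
            self.params.extend(f.decode("ascii", "replace")
                               for f in body.split(b"\x00") if f)


# Constructed sample exchange: read request, data block 1, its ack, data block
# 3 (block 2 missing), an ack for a block never sent, and a "file not found".
SAMPLE_PACKETS = [
    b"\x00\x01" + b"config.bin\x00" + b"octet\x00",
    b"\x00\x03\x00\x01" + b"A" * 512,
    b"\x00\x04\x00\x01",
    b"\x00\x03\x00\x03" + b"B" * 10,
    b"\x00\x04\x00\x07",
    b"\x00\x05\x00\x01" + b"File not found\x00",
]


def analyse(packets):
    flow = TftpFlow()
    for p in packets:
        flow.feed(p)
    return flow
```

For the constructed exchange the result is tftpStat 0x0033 (INIT, DRD, BSERR, BSAERR), tftpOpCBF 0x1d (RRQ, DATA, ACK, ERR) and tftpErrCBF 0x01; a request without the terminating NUL after the mode sets TFTP_RW_PLNERR.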
40.4 TODO
• fragmentation
• reply address extraction

41 tp0f

41.1 Description
The tp0f plugin classifies IP addresses according to OS and version, using best-effort initial TTL and window size
rules and the TCP layer 3 and 4 rules of p0f. With additional HTTP and HTTPS rules, programs such as browser versions
can also be classified. At compilation, the script tp0fL34conv converts the supplied p0f file under the tp0f trunk into a
T2 readable file defined by TP0FL34FILE in tp0f.h. An IP hash tests whether an IP was already classified and marks that
flow as already classified. Hence even non-TCP flows are labeled correctly. This function can be disabled.

41.1.1 Required Files
The file file.txt is required.
41.2 Configuration Flags
The following flags can be used to control the output of the plugin:

Name         Default        Description
TP0FRULES    1              0: standard OS guessing; 1: OS guessing and p0f L34 rules
TP0FHSH      1              0: no ip hash; 1: ip hash to recognize IP already classified
TP0FRC       0              0: only human readable; 1: tp0f rule and classifier numbers
TP0FL34FILE  "tp0fL34.txt"  file containing converted L3/4 rules

In tp0flist.h:

Name       Default  Description
MAXLINELN  4096     maximal line input buffer size for tp0fL34.txt
TCPOPTMAX  40       maximal number of tcp option byte codes being stored and processed
41.3 Flow File Output
The tp0f plugin outputs the following columns:

Column       Type  Description
tp0fStat     H8    status
tp0fDis      U8    initial ttl distance
tp0fRN       U16   rule number that triggered
tp0fClass    U8    OS class of rule file
tp0fProg     U8    Program category of rule file
tp0fVer      U8    version category of rule file
tp0fClName   S     OS class name
tp0fPrName   S     OS/Program name
tp0fVerName  S     OS/Program version name

41.3.1 tp0fStat
The tp0fStat column is to be interpreted as follows:

tp0fStat  Name           Description
0x01      TP0F_TSSIG     SYN tp0f rule fired
0x02      TP0F_TSASIG    SYN-ACK tp0f rule fired
0x04      TP0F_ASN       Already SeeN IP by tp0f
0x08      TP0F_L4OPTBAD  tcp option length or content corrupt
0x10
0x20
0x40
0x80
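The "initial ttl distance" (tp0fDis) and the "already seen" behaviour of the IP hash (TP0FHSH) are easy to demonstrate outside the plugin. The following is an added example, not the tp0f plugin or p0f: the initial-TTL candidates 32/64/128/255 are the common OS defaults, and the tiny TTL/window rule table is constructed for illustration only (the plugin's rules come from the converted tp0fL34.txt file and also consider MSS, option order and more).

```python
"""Initial-TTL distance and a TTL/window lookup in the style of tp0f.

Added example, not the plugin or p0f. The rule table is constructed; real
rules live in the converted tp0fL34.txt file and match many more fields.
"""
INITIAL_TTLS = (32, 64, 128, 255)   # usual OS defaults (assumption)


def guess_initial_ttl(ttl):
    """Smallest common initial TTL that is not below the observed TTL."""
    for cand in INITIAL_TTLS:
        if ttl <= cand:
            return cand
    return 255


def ttl_distance(ttl):
    """tp0fDis-like value: hops between the sender and the capture point."""
    return guess_initial_ttl(ttl) - ttl


# Constructed rule table: (initial ttl, window size, class name, program name).
RULES = [
    (64, 65535, "unix", "macOS / BSD"),
    (64, 29200, "unix", "Linux 3.x+"),
    (64, 5840, "unix", "Linux 2.4/2.6"),
    (128, 8192, "win", "Windows 7/8/10"),
    (128, 65535, "win", "Windows XP"),
    (255, 4128, "other", "Cisco IOS"),
]


def classify(ttl, window):
    """Return tp0f-style fields: distance, rule number (0: no rule), class, program."""
    init = guess_initial_ttl(ttl)
    for rn, (r_ttl, r_win, cls, prog) in enumerate(RULES, start=1):
        if r_ttl == init and r_win == window:
            return {"tp0fDis": init - ttl, "tp0fRN": rn,
                    "tp0fClName": cls, "tp0fPrName": prog}
    return {"tp0fDis": init - ttl, "tp0fRN": 0,
            "tp0fClName": "unknown", "tp0fPrName": "unknown"}


class SeenIPs:
    """Mimics TP0FHSH=1: classify an address once and reuse the label, so
    later flows of the same host (TCP or not) carry the same classification."""

    def __init__(self):
        self.labels = {}

    def lookup(self, ip, ttl, window):
        if ip in self.labels:
            return dict(self.labels[ip], already_seen=True)
        self.labels[ip] = classify(ttl, window)
        return dict(self.labels[ip], already_seen=False)
```

Only SYN (and SYN-ACK) packets carry the client's own window size and option set, which is why the rule bits of tp0fStat are tied to those two packet types; later packets of a flow would be matched against a negotiated window instead.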
41.4 Plugin Report Output
The number of packets which fired a tp0f rule is reported.

41.5 Example Output

41.6 Known Bugs and Limitations

41.7 TODO
• test IPv6
• integrate tls rules
• integrate http rules

41.8 References
• http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting
• http://lcamtuf.coredump.cx/p0f3/

42 txtSink

42.1 Description
The txtSink plugin provides human readable text output which can be saved in a file PREFIX_flows.txt, where PREFIX
is provided via the -w option. The generated output contains a textual representation of all plugins' results. Each line in
the file represents one flow. The different output statistics of the plugins are separated by a tab character to allow easier
post-processing with command line scripts or statistical toolsets.
42.2 Configuration Flags
The configuration flags for the txtSink plugin are separated in two files.

42.2.1 txtSink.h

Name            Default  Description
TFS_SPLIT       1        Whether (1) or not (0) to split the output file (Tranalyzer -W option)
TFS_PRI_HDR     1        whether (1) or not (0) to print a row with column names at the start of the flow file
TFS_HDR_FILE    1        whether or not to generate a separate header file (Section 42.3.1)
TFS_HDTIME_H    1        time representation in header file: 0: date, 1: unix time stamp
TFS_PRI_HDR_FW  0        -W option, print header in every output fragment

The default suffix used for the flow file is _flows.txt and _headers.txt for the header file. Both suffixes can be
configured using FLOWS_TXT_SUFFIX and HEADER_SUFFIX respectively.
42.2.2 bin2txt.h
bin2txt.h controls the conversion from internal binary format to standard text output.

Variable                Default  Description
HEX_CAPITAL             0        Hex number representation: 0: lower case, 1: upper case
IP_PRINT_NORMALIZE      0        IPv4 addresses representation: 0: normal, 1: normalized (padded with 0)
IP6_COMPRESS            1        IPv6 addresses representation: 1: compressed, 0: full 128 bit length
TFS_EXTENDED_HEADER     0        Whether or not to print an extended header in the flow file
                                 (number of rows, columns, columns type)
B2T_LOCALTIME           0        Time representation: 0: UTC, 1: localtime
B2T_TIME_IN_MICRO_SECS  1        Time precision: 0: nanosecs, 1: microsecs
HDR_CHR                 '%'      start character of comments in flow file
SEP_CHR                 '\t'     character to use to separate the columns in the flow file

42.3 Additional Output

42.3.1 Header File
The header file PREFIX_headers.txt describes the columns of the flow file and provides some additional information,
such as plugins loaded and PCAP file or interface used, as depicted below. The default suffix used for the header file is
_headers.txt. This suffix can be configured using HEADER_SUFFIX.
# Header file for flow file: PREFIX_flows.txt
# Generated from: /home/test/file.pcap
#
# 666;03.03.2016_19:04:55;hostname;Linux;4.2.0-30-generic;#36-Ubuntu SMP Fri Feb 26 00:58:07 UTC 2016;x86_64
#
# Plugins loaded:
#   00: protoStats, version 0.6.0
#   01: basicFlow, version 0.6.0
#   02: macRecorder, version 0.6.0
#   03: portClassifier, version 0.5.8
#   04: basicStats, version 0.6.1
#   05: tcpFlags, version 0.6.0
#   06: tcpStates, version 0.5.8
#   07: icmpDecode, version 0.6.0
#   08: connectionCounter, version 0.6.0
#   09: txtSink, version 0.5.8
#
# Col No.  Type        Name
1          24:N        Flow direction
2          10:N        Flow Index
3          15:N        Flow Status
4          25:N        System time of first packet
5          25:N        System time of last packet
6          25:N        Flow duration
7          8:R         Ether VlanID
8          28:N        Source IPv4 address
9          15:N        Subnet number of source IPv4
10         8:N         Source port
11         28:N        Destination IP4 address
12         15:N        Subnet number of destination IP
13         8:N         Destination port
14         7:N         Layer 4 protocol
15         9:N         Number of distinct Source/Destination MAC addresses pairs
16         27_27_10:R  Source MAC address, destination MAC address, number of packets of MAC address combination
17         30_30:R     Source MAC manufacturer, destination MAC manufacturer
...

The first column can be used, e.g., with awk to query a given column. For example, to extract all ICMP flows (layer 4
protocol equals 1) from a flow file:
awk -F'\t' '$14 == 1' PREFIX_flows.txt
The second column indicates the type of the column (see table below) and whether the values are repetitive (R) or not
(N). Repetitive values can occur any number of times (0 to N) and each repetition is separated by a semicolon. The '_'
indicates a compound, that is, a value containing 2 to N subvalues.
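Resolving a column by its name rather than by a hard-coded `$14` is what the header file makes possible; the following added example (not the txtSink plugin or the tawk script) parses the "# Col No." rows of a header file, maps the numeric type to the names of the type table below, and applies the awk filter above by column name. It also splits repetitive (R) cells on ';' and compound ('_') cells into their sub-values. The header and flow lines are constructed to match the listing above.

```python
"""Column lookup by name from a PREFIX_headers.txt file.

Added example, not the txtSink plugin or tawk. Header and flow lines are
constructed; the numeric type codes are those of the type table in this section.
"""
import re

TYPE_NAMES = {
    1: "int8", 2: "int16", 3: "int32", 4: "int64", 5: "int128", 6: "int256",
    7: "uint8", 8: "uint16", 9: "uint32", 10: "uint64", 11: "uint128", 12: "uint256",
    13: "hex8", 14: "hex16", 15: "hex32", 16: "hex64", 17: "hex128", 18: "hex256",
    19: "float", 20: "double", 21: "long double", 22: "char", 23: "string",
    24: "flow direction (A,B)", 25: "unix time (uint64.uint32)", 26: "time (date)",
    27: "mac address", 28: "ipv4 address", 29: "ipv6 address", 30: "string class (no quotes)",
}

# Constructed header file (subset of the listing above).
SAMPLE_HEADER = """\
# Header file for flow file: PREFIX_flows.txt
# Generated from: /home/test/file.pcap
#
# Col No.  Type  Name
1  24:N  Flow direction
2  10:N  Flow Index
7  8:R  Ether VlanID
14  7:N  Layer 4 protocol
16  27_27_10:R  Source MAC address, destination MAC address, number of packets of MAC address combination
"""

COL_RE = re.compile(r"^(\d+)\s+([\d_]+):([RN])\s+(.*)$")


def parse_header(text):
    """Map column name -> {index (1-based), types, repetitive}."""
    cols = {}
    for line in text.splitlines():
        m = COL_RE.match(line)
        if m:
            num, types, rep, name = m.groups()
            cols[name] = {"index": int(num),
                          "types": [TYPE_NAMES[int(t)] for t in types.split("_")],
                          "repetitive": rep == "R"}
    return cols


def split_value(raw, spec):
    """Split a cell into its repetitions (';') and compound sub-values ('_')."""
    reps = raw.split(";") if spec["repetitive"] else [raw]
    if len(spec["types"]) > 1:
        return [r.split("_") for r in reps]
    return reps


def select(flow_lines, cols, name, predicate):
    """awk-style row filter on the column called `name` (comments skipped)."""
    idx = cols[name]["index"] - 1
    out = []
    for line in flow_lines:
        if not line or line.startswith("%"):
            continue
        cells = line.split("\t")
        if predicate(cells[idx]):
            out.append(cells)
    return out


def flow_line(direction, proto, mac_pairs):
    """Build a constructed 16-column flow line with only the cells we use."""
    cells = ["-"] * 16
    cells[0], cells[13], cells[15] = direction, str(proto), mac_pairs
    return "\t".join(cells)


SAMPLE_FLOWS = [
    flow_line("A", 1, "00:11:22:33:44:55_66:77:88:99:aa:bb_4"),
    flow_line("A", 6, "00:11:22:33:44:55_66:77:88:99:aa:bb_12;00:11:22:33:44:55_66:77:88:99:aa:cc_1"),
    flow_line("B", 1, "66:77:88:99:aa:bb_00:11:22:33:44:55_4"),
]
```

Selecting by name survives plugin additions and reorderings that would silently shift a hard-coded column number; the types recovered from the header also tell a script whether a cell needs hex or integer parsing.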
Number  Type     Number  Type     Number  Type
1       int8     11      uint128  21      long double
2       int16    12      uint256  22      char
3       int32    13      hex8     23      string
4       int64    14      hex16    24      flow direction (A,B)
5       int128   15      hex32    25      unix time (uint64.uint32)
6       int256   16      hex64    26      time (date)
7       uint8    17      hex128   27      mac address
8       uint16   18      hex256   28      ipv4 address
9       uint32   19      float    29      ipv6 address
10      uint64   20      double   30      string class (no quotes)

42.4 Post-Processing

42.4.1 tranalyzer-b2t
The program tranalyzer-b2t can be used to transform binary Tranalyzer files into text files. The converted file uses the
same format as the one generated by the txtSink plugin.
The program is automatically built with the plugin.
The use of the program is straightforward: ./tranalyzer-b2t -r FILE_flows.bin -w FILE_flows.txt
If the -w option is omitted, the destination defaults to stdout. Additionally, the -c option can be used to print the names
of the columns as the first row.

43 voipDetector

43.1 Description
The idea of this plugin is to identify SIP, RTP and RTCP flows independently of each other, so that non-standard traffic
can also be detected. Moreover, certain QoS values are extracted. The plugin requires the default setting PACKETLENGTH=3
in packetCapture.h.
43.2 Configuration Flags
The following flags can be used to control the output of the plugin:

Variable     Default  Description                                             Flags
VOIP_ANALEN  1        1: additional check report len against payload length;
                      0: only ssrc check
VOIP_V_SAVE  0        save rtp content to VOIP_RM_DIR
VOIP_RM_DIR  0        rm RTP content directory                                VOIP_V_SAVE=1
VOIP_PLDOFF  0        offset to payload pointer to save content               VOIP_V_SAVE=1
VOIP_PATH    "/tmp/"  default path of content directory
VOIP_FNAME   "eier"   default content file name prefix
SIPNMMAX     40       maximal sip caller name length in flow file

43.3 Flow File Output
The voipDetector plugin outputs the following columns:

Column          Type  Description
voipStat        H8    Status
voipID          H32   RTP/RTCP ID
voipSRCnt       H8    RTP SID/RTCP record Count
voipTyp         H8    RTP/RTCP type
voipPMr         F     RTP Packet miss ratio
voipSIPStatCnt  U8    SIP stat count
voipSIPReqCnt   U8    SIP request count
voipSCID        S     SIP Call ID
voipSIPStat     U16   SIP stat
voipReq         S3    SIP request
voipTPCnt       U32   RTCP cumulated transmitter packet count
voipTBCnt       U32   RTCP cumulated transmitter byte count
voipCPMCnt      U32   RTCP cumulated packet miss count
voipMIAT        U32   RTCP maximal Inter Arrival Time
43.3.1 voipStat
The voipStat column is to be interpreted as follows:

voipStat     Name     Description
2^0 (=0x01)  RTP      RTP detected
2^1 (=0x02)  RTCP     RTCP detected
2^2 (=0x04)  SIP      SIP detected
2^3 (=0x08)  —        —
2^4 (=0x10)  X        RTP: extension header
2^5 (=0x20)  WROP     RTP: content write operation
2^6 (=0x40)  PKTLSS   RTP: packet loss detected
2^7 (=0x80)  RTPNFRM  RTP: new frame header flag
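The RTP-related bits of voipStat and the packet miss ratio (voipPMr) follow directly from the RTP header fields. The following is an added example, not the voipDetector plugin: it parses RFC 3550 headers (with CSRC list and extension header), tracks the sequence number per SSRC across 16-bit wrap-around, and derives X, PKTLSS and the miss ratio; reading RTPNFRM as the RTP marker bit is an assumption of this example, and the packets are constructed.

```python
"""RTP header parsing with per-SSRC packet-miss ratio and voipStat-style bits.

Added example, not the voipDetector plugin. Bit values follow the voipStat
table; RTPNFRM = marker bit is an assumption; packets are constructed.
"""
import struct

VOIP_RTP, VOIP_X, VOIP_PKTLSS, VOIP_RTPNFRM = 0x01, 0x10, 0x40, 0x80


def parse_rtp(pkt):
    """Return the header fields of an RTP v2 packet, or None if it is not one."""
    if len(pkt) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    version, ext, cc = b0 >> 6, (b0 >> 4) & 1, b0 & 0x0F
    if version != 2:
        return None
    off = 12 + 4 * cc                       # skip the CSRC list
    if ext:                                 # RFC 3550 §5.3.1 extension header
        if len(pkt) < off + 4:
            return None
        _, ext_len = struct.unpack("!HH", pkt[off:off + 4])
        off += 4 + 4 * ext_len
    if len(pkt) < off:
        return None
    return {"marker": b1 >> 7, "pt": b1 & 0x7F, "seq": seq, "ts": ts,
            "ssrc": ssrc, "ext": bool(ext), "payload_len": len(pkt) - off}


class RtpStream:
    def __init__(self):
        self.stat = 0
        self.received = 0
        self.base_seq = None
        self.max_ext_seq = None     # highest sequence number, extended past wrap
        self.cycles = 0

    def add(self, hdr):
        self.stat |= VOIP_RTP
        if hdr["ext"]:
            self.stat |= VOIP_X
        if hdr["marker"]:
            self.stat |= VOIP_RTPNFRM
        self.received += 1
        seq = hdr["seq"]
        if self.base_seq is None:
            self.base_seq = self.max_ext_seq = seq
            return
        last16 = self.max_ext_seq & 0xFFFF
        if seq < last16 and last16 - seq > 0x8000:   # wrapped around 65535 -> 0
            self.cycles += 0x10000
        ext_seq = self.cycles + seq
        if ext_seq > self.max_ext_seq:               # reordered packets do not count
            self.max_ext_seq = ext_seq

    def miss_ratio(self):
        """voipPMr-like value: (expected - received) / expected, RFC 3550 §6.4.1."""
        if self.base_seq is None:
            return 0.0
        expected = self.max_ext_seq - self.base_seq + 1
        lost = max(0, expected - self.received)
        if lost:
            self.stat |= VOIP_PKTLSS
        return lost / expected


def rtp_packet(seq, ssrc=0x11223344, marker=0, ext=False):
    """Construct an RTP packet (PT 8, 160 payload bytes) for the sample below."""
    b0 = 0x80 | (0x10 if ext else 0)      # V=2, P=0, X, CC=0
    b1 = (marker << 7) | 8
    pkt = struct.pack("!BBHII", b0, b1, seq, seq * 160, ssrc)
    if ext:
        pkt += struct.pack("!HH", 0xBEDE, 1) + b"\x00" * 4
    return pkt + b"\x55" * 160


def analyse(packets):
    """Return {ssrc: (miss ratio, voipStat bits)} for all RTP packets."""
    streams = {}
    for p in packets:
        h = parse_rtp(p)
        if h is None:
            continue
        streams.setdefault(h["ssrc"], RtpStream()).add(h)
    return {ssrc: (s.miss_ratio(), s.stat) for ssrc, s in streams.items()}


# Constructed sample: sequence numbers 100..109 with 104 and 105 missing, the
# first packet marked as a new frame, the last one carrying an extension header.
SAMPLE = [rtp_packet(s, marker=int(s == 100), ext=(s == 109))
          for s in range(100, 110) if s not in (104, 105)]
```

The extended sequence number matters for the ratio: without it a stream crossing 65535 would look like it lost 65 000 packets, and a re-ordered packet arriving late must not raise the expected count.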
43.4 TODO
• Skype
• Google Talk

44 vrrpDecode

44.1 Description
The vrrpDecode plugin analyzes Virtual Router Redundancy Protocol (VRRP) traffic.

44.2 Configuration Flags
The following flags can be used to control the output of the plugin:

Name           Default      Description                                      Flags
VRRP_NUM_VRID  5            number of unique virtual router IDs to store
VRRP_NUM_IP    25           number of unique IPs to store
VRRP_RT        0            Whether (1) or not (0) to output routing tables
VRRP_SUFFIX    "_vrrp.txt"  Suffix for routing tables file                   VRRP_RT=1
44.3 Flow File Output
The vrrpDecode plugin outputs the following columns:

Column         Type   Description
vrrpStat       H16    Status
vrrpVer        H8     Version
vrrpT          H8     Type
vrrpVRIDCnt    U32    Virtual router ID count
vrrpVRID       RU8    Virtual router ID
vrrpMinPri     U8     Minimum priority
vrrpMaxPri     U8     Maximum priority
vrrpMinAdvInt  U8     Minimum advertisement interval [s]
vrrpMaxAdvInt  U8     Maximum advertisement interval [s]
vrrpAuthT      H8     Authentication type
vrrpAuth       SC     Authentication string
vrrpIPCnt      U32    IP address count
vrrpIP         R(IP)  IP addresses

44.3.1 vrrpStat
The vrrpStat column is to be interpreted as follows:

vrrpStat  Description
0x0001    flow is VRRP
0x0002    invalid version
0x0004    invalid type
0x0008    invalid checksum
0x0010    invalid TTL (should be 255)
0x0020    invalid destination IP (should be 224.0.0.18)
0x0040    invalid destination MAC (should be 00:00:5e:00:01:routerID)
0x0100    Virtual Router ID list truncated... increase VRRP_NUM_VRID
0x0200    IP list truncated... increase VRRP_NUM_IP
0x4000    Packet snapped
0x8000    Malformed packet... covert channel?

44.3.2 vrrpVer
The vrrpVer column is to be interpreted as follows:

vrrpVer  Description
0x04     VRRP v2
0x08     VRRP v3

44.3.3 vrrpT
The vrrpT column is to be interpreted as follows:

vrrpT  Description
0x01   Advertisement

44.3.4 vrrpAuthT
The vrrpAuthT column is to be interpreted as follows:

vrrpAuthT  Description
0x01       No authentication
0x02       Simple text password
0x04       IP Authentication Header
44.4 Additional Output
Non-standard output:
• PREFIX_vrrp.txt: VRRP routing tables
The routing tables contain the following columns:

Name                   Description
VirtualRtrID           Virtual router ID
Priority               Priority
SkewTime[s]            Skew time (seconds)
MasterDownInterval[s]  Master down interval (seconds)
AddrCount              Number of addresses
Addresses              List of addresses
Version                VRRP version
Type                   Message type
AdverInt[s]            Advertisement interval
AuthType               Authentication type
AuthString             Authentication string
Checksum               Stored checksum
CalcChecksum           Calculated checksum
flowIndex              Flow index
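The validity checks behind the vrrpStat bits of Section 44.3.1 (version, type, checksum, TTL 255, destination 224.0.0.18, destination MAC 00:00:5e:00:01:VRID) and the SkewTime / MasterDownInterval columns of the routing table can be reproduced for a VRRPv2 advertisement. This is an added example, not the vrrpDecode plugin: bit values come from the vrrpStat table, the timer formulas are those of RFC 3768 (Skew_Time = (256 - Priority) / 256, Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time; VRRPv3 computes them in centiseconds and is not covered here), and the frames are constructed.

```python
"""VRRPv2 advertisement sanity checks and timers (RFC 3768).

Added example, not the vrrpDecode plugin. Bit values follow the vrrpStat
table above; only version 2 is handled; frames are constructed.
"""
import struct

VRRP_FLOW, BAD_VERSION, BAD_TYPE, BAD_CHECKSUM = 0x0001, 0x0002, 0x0004, 0x0008
BAD_TTL, BAD_DST_IP, BAD_DST_MAC = 0x0010, 0x0020, 0x0040


def ones_complement_sum(data):
    """Internet checksum over `data`; a message with a correct checksum yields 0."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrp_v2(vrid, priority, adver_int, addrs, auth=b"\x00" * 8, bad_checksum=False):
    """Construct a VRRPv2 advertisement (type 1) for the given virtual router."""
    head = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(addrs), 0, adver_int, 0)
    body = b"".join(bytes(int(o) for o in a.split(".")) for a in addrs) + auth
    csum = ones_complement_sum(head + body)
    if bad_checksum:
        csum ^= 0x1
    return head[:6] + struct.pack("!H", csum) + body


def check_vrrp(payload, ttl, dst_ip, dst_mac):
    """Return (vrrpStat bits, parsed fields). ttl, dst_ip and dst_mac come from
    the enclosing IP and Ethernet headers of the captured frame."""
    stat = VRRP_FLOW
    ver_type, vrid, prio, naddr, auth_t, adver, csum = struct.unpack("!BBBBBBH", payload[:8])
    version, vtype = ver_type >> 4, ver_type & 0x0F
    if version != 2:
        stat |= BAD_VERSION
    if vtype != 1:
        stat |= BAD_TYPE
    if ones_complement_sum(payload) != 0:
        stat |= BAD_CHECKSUM
    if ttl != 255:                              # a forwarded (non-local) sender
        stat |= BAD_TTL
    if dst_ip != "224.0.0.18":
        stat |= BAD_DST_IP
    if dst_mac.lower() != "00:00:5e:00:01:%02x" % vrid:
        stat |= BAD_DST_MAC
    addrs = [".".join(str(b) for b in payload[8 + 4 * i:12 + 4 * i]) for i in range(naddr)]
    skew = (256 - prio) / 256.0
    return stat, {"vrid": vrid, "priority": prio, "adver_int": adver, "auth_type": auth_t,
                  "addrs": addrs, "skew_time": skew, "master_down": 3 * adver + skew}
```

An advertisement failing the TTL or destination-MAC check is worth a second look: a backup router only accepts advertisements from a directly attached peer, and a frame that reaches the group address with the wrong MAC or a decremented TTL did not come from where a legitimate master would sit.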
44.5 Plugin Report Output
The number of VRRP v2 and v3 packets is reported.

44.6 Post-Processing
The routing tables can be pruned by using the following command:
sort -u PREFIX_vrrp.txt > PREFIX_vrrp_pruned.txt

45 wavelet

45.1 Description
This plugin calculates the Daubechies wavelet transformation of the IP packet length variable in the packet structure, or
of the inter-arrival time of packets (IAT). The wavelet plugin requires no dependencies and produces only output to the
flow file. User defined compiler switches in define_global.h produce optimized code for the specific application.
45.2 Configuration Flags
The following flags can be used to control the output of the plugin:

Variable         Default  Description
WAVELET_IAT      0        analysis of 0: pktlen, 1: IAT
WAVELET_SIG      0        print signal
WAVELET_PREC     0        precision 0: float, 1: double
WAVELET_THRES    8        Min number of packets for analysis
WAVELET_LEVEL    3        Wavelet decomposition level
WAVELET_EXTMODE  ZPD      Extension Mode: NON, SYM, ZPD
WAVELET_TYPE     DB3      Mother Wavelet: Daubechies DB1 - DB4
WAVELET_MAX_PKT  40       Maximal # of selected pkts

45.3 Flow File Output
The wavelet plugin outputs the following columns:

Name            Type  Description
waveNumPnts     U16   Number of points
waveSig         RF/D  Packet length / IAT signal
waveNumLvl      U32   Number of wavelet levels
waveCoefDetail  RF/D  Wavelet detail coefficients
waveCoefApprox  RF/D  Wavelet approximation coefficients
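What the plugin computes for a flow, a multi-level Daubechies decomposition of the packet-length (or IAT) signal with zero-padding (ZPD) at the borders, can be followed with a short implementation. This is an added example, not the plugin's code: it implements the DB1 (Haar) and DB2 filters only (the DB3/DB4 coefficients are not reproduced), and the coefficient ordering, the high-pass sign convention g[k] = (-1)^k h[N-1-k] and the exact boundary handling are this example's assumptions. The packet-length signal is constructed.

```python
"""Multi-level Daubechies decomposition of a packet-length signal with
zero-padding (ZPD) extension.

Added example, not the wavelet plugin. DB1 and DB2 only; the sign convention
of the high-pass filter and the boundary handling are assumptions.
"""
import math

SQ3 = math.sqrt(3.0)
LOWPASS = {
    "DB1": [1 / math.sqrt(2), 1 / math.sqrt(2)],
    "DB2": [(1 + SQ3) / (4 * math.sqrt(2)), (3 + SQ3) / (4 * math.sqrt(2)),
            (3 - SQ3) / (4 * math.sqrt(2)), (1 - SQ3) / (4 * math.sqrt(2))],
}


def highpass(lo):
    """Quadrature mirror filter: g[k] = (-1)^k h[N-1-k]."""
    n = len(lo)
    return [((-1) ** k) * lo[n - 1 - k] for k in range(n)]


def dwt_zpd(signal, wavelet="DB1"):
    """One decomposition level with zeros assumed outside the signal (ZPD).
    Returns (approximation, detail), each of length floor((len + N - 1) / 2)."""
    h = LOWPASS[wavelet]
    g = highpass(h)
    n, m = len(signal), len(h)
    padded = [0.0] * (m - 1) + [float(x) for x in signal] + [0.0] * (m - 1)
    approx, detail = [], []
    for start in range(1, n + m - 1, 2):          # convolve, keep every 2nd sample
        window = padded[start:start + m]
        approx.append(sum(c * x for c, x in zip(reversed(h), window)))
        detail.append(sum(c * x for c, x in zip(reversed(g), window)))
    return approx, detail


def wavedec(signal, level=3, wavelet="DB1", thres=8):
    """WAVELET_LEVEL-style decomposition: (number of levels, [details per level],
    final approximation). Signals shorter than `thres` points (WAVELET_THRES)
    are not analysed and yield zero levels."""
    if len(signal) < thres:
        return 0, [], []
    details, cur, lvl = [], list(signal), 0
    while lvl < level and len(cur) > 1:
        cur, d = dwt_zpd(cur, wavelet)
        details.append(d)
        lvl += 1
    return lvl, details, cur


# Constructed packet-length signal: a burst of small packets, then full-size ones.
PKT_LEN = [60, 60, 60, 60, 1500, 1500, 1500, 1500]
```

For the constructed signal the detail coefficients are zero at every level except the last, where the single detail value (2880/√2) captures the one step from small to large packets; a flow with jittery packet sizes spreads energy over the lower levels instead, which is the kind of shape a classifier downstream of this plugin would look at.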
46 scripts
This section describes various scripts and utilities for Tranalyzer. For a complete list of options, use the script's -h option.

46.1 b64ex
Extracts all HTTP, EMAIL, FTP, TFTP etc. base64 encoded content extracted by T2 under /tmp. To produce a list of files
containing base64, use grep as indicated below:
• grep "base64" /tmp/SMTPFILE/*
• ./b64ex /tmp/SMTPFILES/file@wurst.ch_0_1223
46.2 flowstat
Calculates statistical distributions of selected columns/flows from a flow file.

46.3 gpcc
3D plot for connectionCounter.
cat FILE_connection | ./gpcc | gnuplot -p
The script can be configured through the command line. For a full list of options, run ./gpcc -help

46.4 gpq3x/gpq3x_c
Use this script to create a 3D waterfall plot. It was originally designed for the centrality plugin:
cat FILE_centrality | ./gpq3x | gnuplot -p
The script can be configured through the command line. For a full list of options, run ./gpq3x -help

46.5 new_plugin
Use this script to create a new plugin. For a more comprehensive description of how to write a plugin, refer to Appendix
A (Creating a custom plugin) of $T2HOME/doc/documentation.pdf.

46.6 osStat
Counts the number of hosts of each operating system (OS) in a PCAP file. In addition, a file with suffix _IP_OS.txt
mapping every IP to its OS is created. This script uses p0f which requires a fingerprints file (p0f.fp), the location of
which can be specified using the -f option. Version 2 looks first in the current directory, then in /etc/p0f. Version 3
looks only in the current directory.

46.7 rrdmonitor
Stores Tranalyzer monitoring output into a RRD database.

46.8 rrdplot
Uses the RRD database generated by rrdmonitor to monitor and plot various values, e.g., number of flows.

46.9 segvtrack
If the processing of a pcap file causes a segmentation fault, this script can be used to locate the packets which caused the
error. It works by repetitively splitting the file in half until neither half causes a segmentation fault. Its usage is as follows:
segvtrack file.pcap
Note that you might need to change the path to the Tranalyzer binary by editing the T2 variable at line 5 of the script.
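The halving strategy of segvtrack is a plain bisection over the packet list. The following added example (not the segvtrack script) shows it with a caller-supplied predicate in place of "run Tranalyzer on this half and see whether it crashes": the sample predicate is constructed to fail only when two specific packets are both present, the state-dependent kind of bug for which "neither half crashes" is the natural stopping point.

```python
"""Bisecting a capture to the smallest slice that still triggers a crash, in
the manner described for segvtrack.

Added example, not the segvtrack script. `crashes` stands in for running
Tranalyzer on a pcap half; the sample predicate below is constructed.
"""


def bisect_crash(packets, crashes, max_rounds=64):
    """Return (start, end, rounds) such that packets[start:end] is the smallest
    slice found that still makes `crashes` return True, or None if the whole
    capture never crashes. Stops when neither half reproduces the crash."""
    lo, hi = 0, len(packets)
    if not crashes(packets):
        return None
    rounds = 0
    while hi - lo > 1 and rounds < max_rounds:
        mid = (lo + hi) // 2
        rounds += 1
        if crashes(packets[lo:mid]):
            hi = mid
        elif crashes(packets[mid:hi]):
            lo = mid
        else:
            break   # the bug needs packets from both halves: stop here
    return lo, hi, rounds


# Constructed sample: 100 "packets" numbered 0..99; the crash needs 37 and 41.
SAMPLE_PACKETS = list(range(100))


def sample_crash(pkts):
    return 37 in pkts and 41 in pkts
```

When the loop stops because neither half crashes, the remaining slice is the set to hand to a debugger (gt2 from t2_aliases runs Tranalyzer under gdb); trimming single packets from either end of that slice would shrink it further at the cost of more runs.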
46.10 t2_aliases
Set of aliases for Tranalyzer.

46.10.1 Description
t2_aliases defines the following aliases, functions and variables:

T2HOME
Variable pointing to the root folder of Tranalyzer, e.g., cd $T2HOME. In addition, every plugin can be accessed by typing
its name instead of its full path, e.g., tcpFlags instead of cd $T2HOME/tcpFlags.
tran
Shortcut to access $T2HOME, e.g., tran
.tran
Shortcut to access $HOME/.tranalyzer/plugins, e.g., .tran
awkf
Configures awk to use tabs, i.e., '\t', as input and output separator (prevents issues with repetitive values), e.g.,
awkf '{ print $4 }' file_flows.txt
tawk
Shortcut to access tawk, e.g., tawk
tcol
Displays columns with minimum width, e.g., tcol file_flows.txt.
lsx
Displays columns with fixed width (default: 40), e.g., lsx file_flows.txt or lsx 45 file_flows.txt
sortu
Sorts rows and counts the number of times a given row appears, then sorts by the most occurring rows (alias for
sort | uniq -c | sort -rn). Useful, e.g., to analyse the most occurring user-agents: tawk '{ print $httpUsrAg }'
FILE_flows.txt | sortu
t2
Shortcut to run Tranalyzer from anywhere, e.g., t2 -r file.pcap -w out
gt2
Shortcut to run Tranalyzer in gdb from anywhere, e.g., gt2 -r file.pcap -w out
st2
Shortcut to run Tranalyzer with sudo, e.g., st2 -i eth0 -w out
tranalyzer
Shortcut to run Tranalyzer from anywhere, e.g., tranalyzer -r file.pcap -w out
protStat
Shortcut to access protStat from anywhere, e.g., protStat file_protocols.txt
rrdmonitor
Shortcut to run rrdmonitor from anywhere, e.g., t2 -i eth0 | rrdmonitor
rrdplot
Shortcut to run rrdplot from anywhere, e.g., rrdplot V4Pkts V6Pkts
t2build
Function to build Tranalyzer and the plugins from anywhere, e.g., t2build tcpFlags. Use <tab> to list the available
plugins and complete names. Use t2build -h for a full list of options.
t2caplist
Shortcut to run t2caplist from anywhere, e.g., t2caplist
t2conf
Shortcut to run t2conf from anywhere, e.g., t2conf -t2
t2dmon
Shortcut to run t2dmon from anywhere, e.g., t2dmon dumps/
t2doc
Function to access the Tranalyzer documentation from anywhere, e.g., t2doc tcpFlags. Use <tab> to list the available
plugins and complete names.
t2edit
Function to edit Tranalyzer and the plugins source files from anywhere, e.g., t2edit tcpFlags/src/tcpFlags.c. Use
<tab> to list the available files and complete names.
t2plot
Shortcut to run t2plot from anywhere, e.g., t2plot file.txt
t2timeline
Shortcut to run t2timeline from anywhere, e.g., t2timeline file.txt
t2stat
Sends the USR1 signal to Tranalyzer to produce an intermediary report. If a numeric argument N is provided, sends the signal
every N seconds, e.g., t2stat or t2stat 10 to report every 10s.

46.10.2 Usage
Those aliases can be activated using either one of the following methods:
1. Append the content of this file to ~/.bash_aliases or ~/.bashrc
2. Append the following lines to ~/.bashrc (make sure to replace $T2HOME with the actual path, e.g.,
$HOME/int_tranalyzer/trunk):
if [ -f "$T2HOME/scripts/t2_aliases" ]; then
    . $T2HOME/scripts/t2_aliases    # Note the leading '.'
fi
46.11 t2alive
In order to monitor the status of T2, the t2alive script sends syslog messages to a server defined by the user whenever the
status of T2 changes. It acquires the PID of the T2 process and sends it a kill -SYS $pid every REP seconds. If T2 answers
with the corresponding kill command defined in tranalyzer.h (see below), the status is set to alive, otherwise to dead. Only
if a status change is detected is a syslog message transmitted. The following constants residing in tranalyzer.h govern the
functionality of the script:

Constant  Default             Description
SERVER    "127.0.0.1"         syslog server IP
PORT      514                 syslog server port
FAC       "<25>"              facility code
STATFILE  "/tmp/t2alive.txt"  alive status file
REP       10                  T2 test interval [s]

Table 216: t2alive script configuration

T2 on the other hand also has to be configured. To preserve simplicity, the otherwise unused SIGSYS interrupt was abused
to respond to the t2alive request, hence the monitoring mode depending on USR1 and USR2 remains functional.
Configuration is carried out in tranalyzer.h according to the table below:

Constant  Default                                                   Description
REPSUP    0                                                         1: activate alive mode
ALVPROG   "t2alive"                                                 name of control program
REPCMDAW  "a=`pgrep "ALVPROG"`; if [ $a ]; then kill -USR1 $a; fi"  alive and stall (no packet count, looping?)
REPCMDAS  "a=`pgrep "ALVPROG"`; if [ $a ]; then kill -USR2 $a; fi"  alive and well (working)

Table 217: T2 configuration for t2alive mode

REPSUP=1 activates the alive mode. If more functionality is required, the REPCMDAx constants accommodate the necessary
changes. On some Linux distributions the pcap read callback function is not thread safe, thus signals of any kind might
lead to crashes, especially when capturing live traffic. Therefore MONINTTHRD=1 in main.h is set by default.
Note that t2alive should be executed in a shell as a standalone script. If executed as a cron job, the while loop and the
sleep command have to be removed, as described in the script itself.
46.12 t2caplist
Generates a list of PCAP files with absolute paths to use with the Tranalyzer -R option. If no argument is provided, lists
all the PCAP files in the current directory. If a folder name is given, lists all capture files in the folder. If a list of files is
given, lists those files. Try t2caplist -help for more information.
• t2caplist > pcap_list.txt
• t2caplist ~/dumps/ > pcap_list.txt
• t2caplist ~/dumps/testnet*.pcap > pcap_list.txt

46.13 t2conf
Use t2conf to build, configure, activate and deactivate Tranalyzer plugins, or use the t2plconf script provided with all
the plugins to configure individual plugins as follows:
• cd $T2HOME/pluginName
• ./t2plconf
  – Navigate through the different options with the up and down arrows
  – Use the left and right arrows to select an action:
    ∗ ok: apply the changes
    ∗ configure: edit the selected entry (use the space bar to select a different value)
    ∗ cancel: discard the changes
    ∗ edit: open the file containing the selected option in EDITOR (default: vim)
  – Use the space bar to select a different value
A more detailed description of the script can be found in the Tranalyzer2 documentation.

46.13.1 Dependencies
The t2conf and t2plconf scripts require dialog (version 1.1-20120703 minimum) and the vim editor. The easiest way to
install them is to use the install.sh script provided (Section 46.13.3). Note that the editor can be changed by exporting the
environment variable EDITOR as follows: export EDITOR=/path/to/editor, e.g., export EDITOR=/usr/bin/nano, or
by setting the EDITOR variable at line 7 of the t2conf script and at line 66 of the t2plconf script.

46.13.2 t2confrc
Set of predefined settings for t2conf.
46.13.3 Installation
The easiest way to install t2conf and its dependencies is to use the provided install.sh script: ./install.sh --help
Alternatively, use t2_aliases or add the following alias to ~/.bash_aliases:
alias t2conf="$T2HOME/scripts/t2conf/t2conf"
where $T2HOME is the trunk folder containing the source code of Tranalyzer2 and its plugins, i.e., where README.md is
located. To use the predefined settings, copy t2confrc to ~/.tranalyzer/plugins/.

46.13.4 Usage
For a complete list of options use the -h option, i.e., t2conf -h, or the man page (man t2conf).

46.13.5 Patch
t2conf can be used to patch Tranalyzer and the plugins (useful to save settings such as hash table size, IPv6, ...). The
format of the patch file is similar to t2confrc:
• Empty lines and lines starting with '%' or '#' are ignored
• Filenames are relative to $T2HOME
• A line is composed of four tab (not space) separated columns:
NAME <tab> newvalue <tab> oldvalue <tab> file
• --patch uses newvalue
• --rpatch uses oldvalue
As an example, let us take the value T2PSKEL_IP defined in t2PSkel/src/t2PSkel.h:
#define T2PSKEL_IP 1 // whether or not to output IP (var2)
A patch to set this value to 0 would look as follows (where the spaces between the columns are tabs, i.e., '\t'):
T2PSKEL_IP    0    1    t2PSkel/src/t2PSkel.h
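The patch format above is simple enough to be processed by a few lines of code; the following added example (not the t2conf script) parses such a patch file, applies newvalue (--patch) or oldvalue (--rpatch) to the matching #define line while keeping the trailing comment, and reports entries whose define could not be found. The header content stands in for a file under $T2HOME and is rewritten in memory only, so the example runs offline.

```python
"""Apply / revert t2conf-style patch files to '#define NAME value' lines.

Added example, not the t2conf script. Follows the format described above:
four tab-separated columns (NAME, newvalue, oldvalue, file), comment lines
starting with '%' or '#', paths relative to $T2HOME. File contents are
constructed stand-ins held in a dict.
"""
import re


def parse_patch(text):
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line[0] in "%#":
            continue
        cols = line.split("\t")
        if len(cols) != 4:
            raise ValueError("line %d: expected 4 tab-separated columns, got %d"
                             % (lineno, len(cols)))
        name, new, old, path = cols
        entries.append({"name": name, "new": new, "old": old, "file": path})
    return entries


def set_define(source, name, value):
    """Rewrite '#define NAME <value> [// comment]', keeping the comment.
    Returns (new_source, number_of_replacements)."""
    pat = re.compile(r"^(\s*#define\s+%s\s+)(\S+)(.*)$" % re.escape(name), re.M)
    return pat.subn(lambda m: m.group(1) + value + m.group(3), source)


def apply_patch(entries, files, revert=False):
    """files: dict relative path -> source text (stands in for $T2HOME).
    Returns (updated files, names whose define or file was not found)."""
    out = dict(files)
    missing = []
    for e in entries:
        value = e["old"] if revert else e["new"]   # --rpatch vs --patch
        src = out.get(e["file"])
        if src is None:
            missing.append(e["name"])
            continue
        out[e["file"]], n = set_define(src, e["name"], value)
        if n == 0:
            missing.append(e["name"])
    return out, missing


# Constructed stand-ins for the header and the patch file of the example above.
T2PSKEL_H = "#define T2PSKEL_IP 1 // whether or not to output IP (var2)\n"
PATCH = "% t2conf patch (constructed)\nT2PSKEL_IP\t0\t1\tt2PSkel/src/t2PSkel.h\n"
```

Keeping the old value in the third column is what makes --rpatch possible without consulting version control: the same file restores the original setting.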
46.14 t2dmon
Monitors a folder for new files and creates symbolic links with incrementing indexes. This can be used with the -D option
when the filenames have either multiple indexes, e.g., date and count, or when the filenames do not possess an index.

46.14.1 Dependencies
This script requires inotify-tools:
Arch:    sudo pacman -S inotify-tools
Fedora:  sudo yum install inotify-tools
Gentoo:  sudo emerge inotify-tools
Ubuntu:  sudo apt-get install inotify-tools

46.14.2 Usage
t2dmon works as a daemon and as such should either be run in the background (the ampersand '&' in step 1 below) or
on a different terminal.
1. t2dmon dumps/ -o nudel.pcap &
2. tranalyzer -D dumps/nudel.pcap0 -w out
3. Finally, copy/move the pcap files into the dumps/ folder.

46.15 t2fm
Generates a PDF report out of:
• a flow file (-F option): t2fm -F file_flows.txt
• a live interface (-i option): t2fm -i eth0
• a PCAP file (-r option): t2fm -r file.pcap
• a list of PCAP files (-R option): t2fm -R pcap_list.txt
Refer to the PDF Report Generation from PCAP using t2fm in the doc/ folder for more information.

46.15.1 Required Plugins
• basicFlow
• basicStats
• txtSink

46.15.2 Optional Plugins
• arpDecode
• geoip
• nDPI
• pwX
• dnsDecode
• httpSniffer
• portClassifier
• sshDecode
46.16 t2plot
2D/3D plot for Tranalyzer using gnuplot. The first row of the input file must be the column names. Try t2plot --help for
more information.
Examples:
• tawk '{ print ip2num($SrcIP4), ip2num($DstIP4) }' f_flows.txt | t2plot -pt
• tawk '{ print ip2num($SrcIP4), $UnixTimeFirst, $connSip }' f_flows.txt | t2plot
• t2plot file_with_two_or_three_columns.txt
46.17 t2timeline
Timeline plot of flows: ./t2timeline FILE_flows.txt
• To use relative time, i.e., starting at 0, use the -r option.
• The vertical space between A and B flows can be adapted with the -v option, e.g., -v 50.
• When hovering over a flow, the following information is displayed:
flowInd_flowStat_SrcIP:SrcPort_DstIP:DstPort_L4Proto_ETHVlanID.
• Additional information can be displayed with the -e option, e.g., -e macS,macD,Duration
• Use t2timeline --help for more information.
An example graph is depicted in Figure 5.
Figure 5: T2 timeline flow plot
46.18 t2update
Updates Tranalyzer and all the plugins (svn or git): ./t2update
The -d option can be used to display the local changes and the -s option can be used to print the status of the files (use -m to
ignore unversioned files). It can also be used to update, diff or stat selected plugins as follows: t2update pluginName(s)
46.19 t2utils.sh
Collection of bash functions and variables.
46.19.1 Usage
To access the functions and variables provided by this file, source it in your script as follows:
source "$(dirname "$0")/t2utils.sh"
Note that if your script is not in the scripts/ folder, you will need to adapt the path above to t2utils.sh accordingly.
[ZSH] If writing a script for ZSH, add the following line BEFORE sourcing the script:
unsetopt function_argzero
46.19.2 Colors
Alternative to printerr, printinf, printok and printwrn:

Variable   Description              Example
BLUE       Set the color to blue    printf "${BLUE}message${NOCOLOR}\n"
GREEN      Set the color to green   echo -e "${GREEN}message${NOCOLOR}"
ORANGE     Set the color to orange  printf "${ORANGE}${1}${NOCOLOR}\n" "message"
RED        Set the color to red     echo -e "${RED}$1${NOCOLOR}" "message"
NOCOLOR    Reset the color          printf "${RED}message$NOCOLOR\n"

46.19.3 Folders

Variable   Description                              Example
T2HOME     Points to the root folder of Tranalyzer  $T2HOME/scripts/protStat file_protocols.txt

46.19.4 Programs

Variable   Program                               Example
AWK        gawk                                  $AWK '{ print }'
AWKF       gawk -F'\t' -v OFS='\t'               $AWKF '{ print }'
OPEN       xdg-open (Linux), open (MacOS)        $OPEN file.pdf
READLINK   readlink (Linux) / greadlink (MacOS)  $READLINK file
SED        sed (Linux) / gsed (MacOS)            $SED 's/ /_/g' <<< "$str"
T2         $T2HOME/tranalyzer2/src/tranalyzer    $T2 -r file.pcap
TAWK       $T2HOME/scripts/tawk/tawk             $TAWK '{ print tuple4() }'

46.19.5 Functions

Function                             Description
printerr "msg"                       print an error message (red) with a newline
printinf "msg"                       print an info message (blue) with a newline
printok "msg"                        print an ok message (green) with a newline
printwrn "msg"                       print a warning message (orange) with a newline
check_dependency "bin" "pkg"         check whether a dependency exists (Linux/MacOS)
check_dependency_linux "bin" "pkg"   check whether a dependency exists (Linux)
check_dependency_osx "bin" "pkg"     check whether a dependency exists (MacOS)
validate_ip "string"                 Return 1 if string is a valid IPv4 address, 1 otherwise
validate_pcap "file"                 Return 1 if file is a valid PCAP file, 1 otherwise
validate_next_arg "curr" "next"      check whether the next argument exists and is not an option
validate_next_dir "curr" "next"      check whether the next argument exists and is a directory
validate_next_file "curr" "next"     check whether the next argument exists and is a regular file
validate_next_num "curr" "next"      check whether the next argument exists and is a number
validate_next_pcap "curr" "next"     check whether the next argument exists and is a PCAP file
abort_missing_arg "option"           print a message about a missing argument and exit with status 1
abort_option_unknown "option"        print a message about an unknown option and exit with status 1
abort_required_file                  print a message about a missing required file and exit with status 1
abort_with_help                      print a message explaining how to get help and exit with status 1
46.20 t2wizard
Launches several instances of Tranalyzer in the background, each with its own list of plugins (Tranalyzer must be configured
to use a plugin loading list: tranalyzer2/src/loadPlugins.h:24: USE_PLLIST > 0). The script is interactive and will prompt
for the required information. To see all the options available, run t2wizard --help. To use it, run t2wizard -r
file.pcap or t2wizard -R pcap_list.txt.
46.21 topNStat
Generates sorted lists of all the columns (names or numbers) provided. A list of examples can be displayed using the -e
option.
46.22 vc.c
Calculates entropy-based features for a T2 column in a flow file or the packet file, selected by awk, tawk or cut; it also
decodes the % notation used in HTTP URLs.
Compile: gcc vc.c -lm -o vc
Usage: extract the URL in position 26 and feed it into vc: cut -f 26 file_flows.txt | ./vc
Output on commandline:
...
5,45,17,4,0,9,0,0 1.000000 0.000000 0.549026 80 16.221350 0.342250
"/hphotos-ak-snc4/hs693.snc4/63362_476428124179_624129179_6849488_4409532_n.jpg"
...
47 tawk
47.1 Description
This document describes tawk and its functionalities. tawk works just like awk, but provides access to the columns via
their names. In addition, it provides access to helper functions, such as host() or port(). Custom functions can be defined
in a file named t2custom.awk, which will be automatically loaded.
47.2 Dependencies
gawk version 4.1 is required.
47.3 Installation
The recommended way to install tawk is to install t2_aliases as documented in README.md:
• Append the following lines to ~/.bashrc (make sure to replace $T2HOME with the actual path, e.g.,
$HOME/int_tranalyzer/trunk):
if [ -f "$T2HOME/scripts/t2_aliases" ]; then
    . "$T2HOME/scripts/t2_aliases"  # Note the leading '.'
fi
47.3.1 Man Pages
The man pages for tawk and t2nfdump can be installed by running: ./install.sh man. Once installed, they can be
consulted by running man tawk and man t2nfdump respectively.
47.3.2 Using tawk Within Scripts
To use tawk from within a script:
1. Create a TAWK variable pointing to the script: TAWK="$T2HOME/scripts/tawk/tawk"
2. Call tawk as follows: $TAWK 'dport(80)' file.txt
47.4 Usage
• To list the column numbers and names: tawk -l file_flows.txt
• To list the column numbers and names as 3 columns: tawk -l=3 file_flows.txt
• To list the available functions: tawk -f file_flows.txt
• To list the available functions as 3 columns: tawk -f=3 file_flows.txt
• To save the original filename and filter used: tawk -c 'FILTER' file_flows.txt > file.txt
• To extract all ICMP flows and the header: tawk 'hdr() || $l4Proto == 1' file_flows.txt > icmp.txt
• To extract all ICMP flows without the header: tawk -H 'icmp()' file_flows.txt > icmp.txt
• To extract the flow with index 1234: tawk '$flowInd == 1234' file_flows.txt
• To extract all DNS flows and the header: tawk 'hdr() || strtonum($dnsStat)' file_flows.txt
• To consult the documentation for the function 'func': tawk -d func
• To consult the documentation for all the available functions: tawk -d all
• To convert the output to JSON: tawk '{ print json($flowStat "\t" tuple5()) }' file_flows.txt
• To convert aggregated output to JSON: tawk 'aggr(tuple2())' file_flows.txt | tawk '{ print json($0) }'
• To create a PCAP with all packets from flow 42: tawk -x flow42.pcap '$flowInd == 42' file_flows.txt
• To see all ICMP packets in Wireshark: tawk -k 'icmp()' file_flows.txt
For a complete list of options, use the -h option.
47.5 Related Utilities
47.5.1 awkf
Configures awk to use tabs, i.e., '\t', as input and output separator (prevents issues with repetitive values), e.g.,
awkf '{ print $4 }' file_flows.txt
47.5.2 lsx
Displays columns with fixed width (default: 40), e.g., lsx file_flows.txt or lsx 45 file_flows.txt
47.5.3 sortu
Sorts rows and counts the number of times a given row appears, then sorts by the most occurring rows. (Alias for sort
| uniq -c | sort -rn). Useful, e.g., to analyse the most occurring user-agents: tawk '{ print $httpUsrAg }'
FILE_flows.txt | sortu
47.5.4 tcol
Displays columns with minimum width, e.g., tcol file_flows.txt.
47.6 Functions
Collection of functions for tawk:
• Parameters between brackets are optional,
• IPs can be given as string ("1.2.3.4"), hexadecimal (0xffffffff) or int (4294967295),
• Network masks can be given as string ("255.255.255.0"), hexadecimal (0xffffff00) or CIDR notation (24),
• Networks can be given as string, hexadecimal or int, e.g., "1.2.3.4/24" or "0x01020304/255.255.255.0",
• String functions can be made case insensitive by adding the suffix i, e.g., streq → streqi,
• Some examples are provided below,
• More details and examples can be found for every function by running tawk -d funcname.
Function          Description
hdr()             Use this function in your tests to keep the header (column names)
tuple2()          Returns the 2 tuple (source IP and destination IP)
tuple3()          Returns the 3 tuple (source IP, destination IP and port)
tuple4()          Returns the 4 tuple (source IP and port, destination IP and port)
tuple5()          Returns the 5 tuple (source IP and port, destination IP and port, protocol)
tuple6()          Returns the 6 tuple (source IP and port, dest. IP and port, proto., VLANID)
host([ip|net])    Returns true if the source or destination IP is equal to ip or belongs to net
                  If ip is omitted, returns the source and destination IP
shost([ip|net])   Returns true if the source IP is equal to ip or belongs to net
                  If ip is omitted, returns the source IP
dhost([ip|net])   Returns true if the destination IP is equal to ip or belongs to net
                  If ip is omitted, returns the destination IP
net([ip|net])     Alias for host([ip|net])
snet([ip|net])    Alias for shost([ip|net])
dnet([ip|net])    Alias for dhost([ip|net])
loopback(ip)      Returns true if ip is a loopback address
mcast(ip)         Returns true if ip is a multicast address
privip(ip)        Returns true if ip is a private IP
port([p])         Returns true if the source or destination port is equal to p
                  (multiple ports or port ranges can also be specified)
                  If p is omitted, returns the source and destination port
sport([p])        Returns true if the source port is equal to p
                  If p is omitted, returns the source port
dport([p])        Returns true if the destination port is equal to p
                  If p is omitted, returns the destination port
proto([p])        Returns true if the protocol is equal to p
                  If p is omitted, returns the protocol
icmp([p])         Returns true if the protocol is equal to 1 (ICMP)
igmp([p])         Returns true if the protocol is equal to 2 (IGMP)
tcp([p])          Returns true if the protocol is equal to 6 (TCP)
udp([p])          Returns true if the protocol is equal to 17 (UDP)
rsvp([p])         Returns true if the protocol is equal to 46 (RSVP)
gre([p])          Returns true if the protocol is equal to 47 (GRE)
esp([p])          Returns true if the protocol is equal to 50 (ESP)
ah([p])           Returns true if the protocol is equal to 51 (AH)
icmp6([p])        Returns true if the protocol is equal to 58 (ICMPv6)
sctp([p])         Returns true if the protocol is equal to 132 (SCTP)
dhcp()            Returns true if the flow contains DHCP traffic
dns()             Returns true if the flow contains DNS traffic
http()            Returns true if the flow contains HTTP traffic
Function                    Description
tcpflags()                  Returns a string representation of the TCP flags
ip2num(ip)                  Converts an IP address to a number
ip2hex(ip)                  Converts an IPv4 address to hex
ip2str(ip)                  Converts an IPv4 address to string
ip62str(ip)                 Converts an IPv6 address to string
ip6compress(ip)             Compresses an IPv6 address
ip6expand(ip,[trim])        Expands an IPv6 address. If trim is different from 0, removes leading zeros
ip2mask(ip)                 Converts an IP address to a network mask (int)
mask2ip(m)                  Converts a network mask (int) to an IPv4 address (int)
mask2ipstr(m)               Converts a network mask (int) to an IPv4 address (string)
mask2ip6(m)                 Converts a network mask (int) to an IPv6 address (int)
mask2ip6str(m)              Converts a network mask (int) to an IPv6 address (string)
ipinnet(ip,net,[mask])      Tests whether an IP address belongs to a given network
ipinrange(ip,low,high)      Tests whether an IP address lies between two addresses
localtime(t)                Converts UNIX timestamp to string (localtime)
utc(t)                      Converts UNIX timestamp to string (UTC)
t2split(val,sep,num)        Splits values according to sep.
                            If num is omitted, val is split into distinct tab separated columns.
                            If num > 0, returns the num repetition.
                            If num < 0, returns the num repetition from the end.
splitc(val,num)             Splits compound values. Alias for t2split(val, "_", num)
splitr(val,num)             Splits repetitive values. Alias for t2split(val, ";", num)
valcontains(val,sep,item)   Returns true if one item of val split by sep is equal to item.
cvalcontains(val,item)      Alias for valcontains(val, "_", item)
rvalcontains(val,item)      Alias for valcontains(val, ";", item)
strisempty(val)             Returns true if val is an empty string
streq(val1,val2)            Returns true if val1 is equal to val2
strneq(val1,val2)           Returns true if val1 and val2 are not equal
hasprefix(val,pre)          Returns true if val begins with the prefix pre
hassuffix(val,suf)          Returns true if val finishes with the suffix suf
contains(val,txt)           Returns true if val contains the substring txt
not(q)                      Returns the logical negation of a query q.
                            This function must be used to keep the header when negating a query.
bfeq(val1,val2)             Returns true if the bitfields (hexadecimal numbers) val1 and val2 are equal
bitisset(val,mask,[mode])   If mode is omitted, returns true if all the bits set in mask are also set in val
                            else returns true if one of the bits set in mask is also set in val
Function                      Description
isip(v)                       Returns true if v is an IPv4 address in hexadecimal, numerical or
                              dotted decimal notation
isip6(v)                      Returns true if v is an IPv6 address
isiphex(v)                    Returns true if v is an IPv4 address in hexadecimal notation
isipnum(v)                    Returns true if v is an IPv4 address in numerical (int) notation
isipstr(v)                    Returns true if v is an IPv4 address in dotted decimal notation
isnum(v)                      Returns true if v is a number
join(a,s)                     Converts an array to string, separating each value with s
unquote(s)                    Removes leading and trailing quotes from a string
chomp(s)                      Removes leading and trailing spaces from a string
strip(s)                      Removes leading and trailing spaces from a string
lstrip(s)                     Removes leading spaces from a string
rstrip(s)                     Removes trailing spaces from a string
abs(v)                        Returns the absolute value of v
mean(c)                       Computes the mean value of a column c. The result can be accessed with
                              get_mean(c) or printed with print_mean([c])
min(a,b)                      Returns the minimum value between a and b
min3(a,b,c)                   Returns the minimum value between a, b and c
max(a,b)                      Returns the maximum value between a and b
max3(a,b,c)                   Returns the maximum value between a, b and c
aggr(fields,[val,[num]])      Performs aggregation of fields and stores the sum of val.
                              fields and val can be tab separated lists of fields, e.g., $srcIP4"\t"$dstIP4
                              Results are sorted according to the first value of val.
                              If val is omitted or equal to "flows", counts the number of flows.
                              If num is omitted, returns the full list,
                              If num > 0 returns the top num results,
                              If num < 0 returns the bottom num results.
aggrrep(fields,[val,[num]])   Performs aggregation of the repetitive fields and stores the sum of val.
                              val can be a tab separated list of fields, e.g., $numBytesSnt"\t"$numPktsSnt
                              Results are sorted according to the first value of val.
                              If val is omitted or equal to "flows", counts the number of flows.
                              If num is omitted, returns the full list,
                              If num > 0 returns the top num results,
                              If num < 0 returns the bottom num results.
t2sort(col,[num,[type]])      Sorts the file according to col.
                              If num is omitted, returns the full list,
                              If num > 0 returns the top num results,
                              If num < 0 returns the bottom num results.
                              type can be used to specify the type of data to sort:
                              "ip", "num" or "str" (default is based on the first matching record)
wildcard(expr)                Prints all columns whose name matches the regular expression expr.
                              If expr is preceded by an exclamation mark, returns all columns whose name
                              does NOT match expr
json(s)                       Converts the string s to JSON. The first record is used as column names.
texscape(s)                   Escapes the string s to make it LaTeX compatible
base64d(s)                    Decodes a base64 encoded string s
urldecode(url)                Decodes the encoded URL url
printerr(s)                   Prints the string s in red with an added newline
diff(file)                    Compares file and the input, and prints the columns which differ
ffsplit([s])                  Splits the input file into smaller, more manageable files.
                              The files to create can be specified as argument to the function (one comma
                              separated string). If no argument is specified, creates one file per column
                              whose name ends with Stat, e.g., dnsStat, and one for
                              extractedAuthType (pw) and covertChannels (cc)
shark(q)                      Queries flow files according to Wireshark's syntax
47.7 Examples
Collection of examples using tawk functions:

Function                   Description
covertChans([val, [num]])  Returns information about hosts possibly involved in covert channels.
                           If val is omitted or equal to "flows", counts the number of flows.
                           Otherwise, sums up the values of val.
                           If num is omitted, returns the full list,
                           If num > 0 returns the top num results,
                           If num < 0 returns the bottom num results.
dnsZT()                    Returns all flows where a DNS zone transfer was performed
exeDL([n])                 Returns the top N EXE downloads
nonstdports()              Returns all flows running protocols over non-standard ports
passwords([val, [num]])    Returns information about hosts sending authentication in cleartext
                           If val is omitted or equal to "flows", counts the number of flows.
                           Otherwise, sums up the values of val.
                           If num is omitted, returns the full list,
                           If num > 0 returns the top num results,
                           If num < 0 returns the bottom num results.
postQryStr([n])            Returns the top N POST requests with query strings
ssh()                      Returns the SSH connections
topDnsA(n)                 Returns the top N DNS answers
topDnsIp4(n)               Returns the top N DNS answers IPv4 addresses
topDnsIp6(n)               Returns the top N DNS answers IPv6 addresses
topDnsQ(n)                 Returns the top N DNS queries
topHttpMimesST(n)          Returns the top HTTP content-type (type/subtype)
topHttpMimesT(n)           Returns the top HTTP content-type (type only)
topSLD(n)                  Returns the top N second-level domains queried (google.com, yahoo.com, ...)
topTLD(n)                  Returns the top N top-level domains (TLD) queried (.com, .net, ...)
47.8 t2nfdump
Collection of functions for tawk allowing access to specific fields using a syntax similar to that of nfdump.

Function     Description
ts()         Start Time - first seen
te()         End Time - last seen
td()         Duration
pr()         Protocol
sa()         Source Address
da()         Destination Address
sap()        Source Address:Port
dap()        Destination Address:Port
sp()         Source Port
dp()         Destination Port
pkt()        Packets - default input
ipkt()       Input Packets
opkt()       Output Packets
byt()        Bytes - default input
ibyt()       Input Bytes
obyt()       Output Bytes
flg()        TCP Flags
mpls1()      MPLS label 1
mpls2()      MPLS label 2
mpls3()      MPLS label 3
mpls4()      MPLS label 4
mpls5()      MPLS label 5
mpls6()      MPLS label 6
mpls7()      MPLS label 7
mpls8()      MPLS label 8
mpls9()      MPLS label 9
mpls10()     MPLS label 10
mpls()       MPLS labels 1-10
bps()        Bits per second
pps()        Packets per second
bpp()        Bytes per packet
oline()      nfdump line output format (-o line)
olong()      nfdump long output format (-o long)
oextended()  nfdump extended output format (-o extended)
47.9 t2custom.awk
Define your own functions in this file.
47.10 Writing a tawk Function
• Ideally one function per file (where the filename is the name of the function)
• Private functions are prefixed with an underscore
• Always declare local variables 8 spaces after the function arguments
• Local variables are prefixed with an underscore
• Use uppercase letters for global variables
• Include all referenced functions
• Files should be structured as follows:
#!/usr/bin/env awk
#
# Function description
#
# Parameters:
#   - arg1: description
#   - arg2: description (optional)
#
# Dependencies:
#   - plugin1
#   - plugin2 (optional)
#
# Examples:
#   - tawk 'funcname()' file.txt
#   - tawk '{ print funcname() }' file.txt

@include "hdr"
@include "_validate_col"
function funcname(arg1, arg2,        _locvar1, _locvar2) {
    _validate_col(colname1, "colname1")
    _validate_col(colname2, "colname2")
    if (prihdr && hdr()) {
        print "header"
    } else {
        print "something"
    }
}
47.11 Awk Cheat Sheet
• Tranalyzer flow files default field separator is '\t':
– Always use awk -F'\t' (or awkf/tawk) when working with flow files.
• Load libraries, e.g., tawk functions, with -i: awk -i file.awk 'program' file.txt
• Always use strtonum with hex numbers (bitfields)
• Awk indices start at 1
• Using tawk is recommended.
47.11.1
Useful Variables
• $0: entire line
• $1, $2, ..., $NF: column 1, 2, ...
• FS: field separator
• OFS: output field separator
• NF: number of fields (columns)
• NR: record (line) number
• FNR: record (line) number relative to the current file
• FILENAME: name of current file
• To use external variables, use the -v option, e.g., awk -v name="value" '{ print name }' file.txt.
47.11.2 Awk Program Structure
awk -F'\t' -i min -v OFS='\t' -v h="$(hostname)" '
BEGIN { a = 0; b = 0; }        # Called once at the beginning
/^A/ { a++ }                   # Called for every row starting with char A
/^B/ { b++ }                   # Called for every row starting with char B
{ c++ }                        # Called for every row
END { print h, min(a, b), c }  # Called once at the end
' file.txt
47.12 Awk Templates
• Print the whole line:
– tawk '{ print }' file.txt
– tawk '{ print $0 }' file.txt
– tawk 'FILTER' file.txt
– tawk 'FILTER { print }' file.txt
– tawk 'FILTER { print $0 }' file.txt
• Print selected columns only:
– tawk '{ print $srcIP4, $dstIP4 }' file.txt
– tawk '{ print $1, $2 }' file.txt
– tawk '{ print $4 "\t" $6 }' file.txt
– tawk '{
      for (i = 6; i < NF; i++) {
          printf "%s\t", $i
      }
      printf "%s\n", $NF
  }' file.txt
• Keep the column names:
– tawk 'hdr() || FILTER' file.txt
– awkf 'NR == 1 || FILTER' file.txt
– awkf '/^%/ || FILTER' file.txt
– awkf '/^%[[:space:]]*[[:alpha:]][[:alnum:]_]*$/ || FILTER' file.txt
• Skip the column names:
– tawk '!hdr() && FILTER' file.txt
– awkf 'NR > 1 && FILTER' file.txt
– awkf '!/^%/ && FILTER' file.txt
– awkf '!/^%[[:space:]]*[[:alpha:]][[:alnum:]_]*$/ && FILTER' file.txt
• Bitfields and hexadecimal numbers:
– tawk 'bfeq($3,0)' file.txt
– awkf 'strtonum($3) == 0' file.txt
– tawk 'bitisset($3,1)' file.txt
– awkf 'and(strtonum($3), 0x1)' file.txt
• Split compound values:
– tawk '{ print splitc($16, 1) }' file.txt # first element
– tawk '{ print splitc($16, -1) }' file.txt # last element
– awkf '{ split($16, A, "_"); print A[1] }' file.txt
– awkf '{ n = split($16, A, "_"); print A[n] }' file.txt # last element
– tawk '{ print splitc($16) }' file.txt
– awkf '{ split($16, A, "_"); for (i=1;i<=length(A);i++) print A[i] }' file.txt
• Split repetitive values:
– tawk '{ print splitr($16, 3) }' file.txt # third repetition
– tawk '{ print splitr($16, -2) }' file.txt # second to last repetition
– awkf '{ split($16, A, ";"); print A[3] }' file.txt
– awkf '{ n = split($16, A, ";"); print A[n] }' file.txt # last repetition
– tawk '{ print splitr($16) }' file.txt
– awkf '{ split($16, A, ";"); for (i=1;i<=length(A);i++) print A[i] }' file.txt
• Filter out empty strings:
– tawk '!strisempty($4)' file.txt
– awkf '!(length($4) == 0 || $4 == "\"\"")' file.txt
• Compare strings (case sensitive):
– tawk 'streq($3,$4)' file.txt
– awkf '$3 == $4' file.txt
– awkf '$3 == "text"' file.txt
• Compare strings (case insensitive):
– tawk 'streqi($3,$4)' file.txt
– awkf 'tolower($3) == tolower($4)' file.txt
• Use regular expressions on specific columns:
– awkf '$8 ~ /^192.168.1.[0-9]{1,3}$/' file.txt # print matching rows
– awkf '$8 !~ /^192.168.1.[0-9]{1,3}$/' file.txt # print non-matching rows
• Use column names in awk:
– tawk '{ print $srcIP4, $dstIP4 }' file.txt
– awkf '
  NR == 1 {
      for (i = 1; i <= NF; i++) {
          if ($i == "srcIP4") srcIP4 = i
          else if ($i == "dstIP4") dstIP4 = i
      }
      if (srcIP4 == 0 || dstIP4 == 0) {
          print "No column with name srcIP4 and/or dstIP4"
          exit
      }
  }
  NR > 1 {
      print $srcIP4, $dstIP4
  }
  ' file.txt
– awkf '
  NR == 1 {
      for (i = 1; i <= NF; i++) {
          col[$i] = i
      }
  }
  NR > 1 {
      print $col["srcIP4"], $col["dstIP4"];
  }
  ' file.txt
47.13 Examples
1. Pivoting (variant 1):
(a) First extract an attribute of interest, e.g., an unresolved IP address in the Host: field of the HTTP header:
tawk 'aggr($httpHosts)' FILE_flows.txt | tawk '{ print unquote($1); exit }'
(b) Then, put the result of the last command in the badguy variable and use it to extract flows involving this IP:
tawk -v badguy="$(!!)" 'host(badguy)' FILE_flows.txt
2. Pivoting (variant 2):
(a) First extract an attribute of interest, e.g., an unresolved IP address in the Host: field of the HTTP header, and
store it into a badip variable:
badip="$(tawk 'aggr($httpHosts)' FILE_flows.txt | tawk '{ print unquote($1); exit }')"
(b) Then, use the badip variable to extract flows involving this IP:
tawk -v badguy="$badip" 'host(badguy)' FILE_flows.txt
3. Aggregate the number of bytes sent between source and destination addresses (independent of the protocol and
port) and output the top 10 results:
tawk 'aggr($srcIP4 "\t" $dstIP4, $numBytesSnt, 10)' FILE_flows.txt
tawk 'aggr(tuple2(), $numBytesSnt "\t" "Flows", 10)' FILE_flows.txt
4. Sort the flow file according to the duration (longest flows first) and output the top 5 results:
tawk 't2sort(duration, 5)' FILE_flows.txt
5. Extract all TCP flows while keeping the header (column names):
tawk 'hdr() || tcp()' FILE_flows.txt
6. Extract all flows whose destination port is between 6000 and 6008 (included):
tawk 'dport("6000-6008")' FILE_flows.txt
7. Extract all flows whose destination port is 53, 80 or 8080:
tawk 'dport("53;80;8080")' FILE_flows.txt
8. Extract all flows whose source IP is in subnet 192.168.1.0/24 (using host or net):
tawk 'shost("192.168.1.0/24")' FILE_flows.txt
tawk 'snet("192.168.1.0/24")' FILE_flows.txt
9. Extract all flows whose source IP is in subnet 192.168.1.0/24 (using ipinrange):
tawk 'ipinrange($srcIP4, "192.168.1.0", "192.168.1.255")' FILE_flows.txt
10. Extract all flows whose source IP is in subnet 192.168.1.0/24 (using ipinnet):
tawk 'ipinnet($srcIP4, "192.168.1.0", "255.255.255.0")' FILE_flows.txt
11. Extract all flows whose source IP is in subnet 192.168.1.0/24 (using ipinnet and a hex mask):
tawk 'ipinnet($srcIP4, "192.168.1.0", 0xffffff00)' FILE_flows.txt
12. Extract all flows whose source IP is in subnet 192.168.1.0/24 (using ipinnet and the CIDR notation):
tawk 'ipinnet($srcIP4, "192.168.1.0/24")' FILE_flows.txt
13. Extract all flows whose source IP is in subnet 192.168.1.0/24 (using ipinnet and a CIDR mask):
tawk 'ipinnet($srcIP4, "192.168.1.0", 24)' FILE_flows.txt
For more examples, refer to the tawk -d option, e.g., tawk -d aggr, where every function is documented and comes with a
set of examples. The complete documentation can be consulted by running tawk -d all.
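As an added example (not tawk's own code) tying together the "Use column names in awk" template and examples 6 to 13 above, the shell function below runs a plain-awk program (no gawk extensions) that resolves column names from the '%' header row and reimplements the semicolon-separated port list with ranges of dport() and the CIDR test of shost()/ipinnet(). The flow lines it is run on are constructed samples with only the columns the filter needs.

```shell
#!/bin/sh
# Added example, not tawk's own code: a plain-awk (no gawk extensions) filter
# over a Tranalyzer flow file that resolves column names from the '%' header
# row, as tawk does, and reimplements the port-list/range test of
# dport("53;80;8080") and dport("6000-6008") and the CIDR test of
# shost("192.168.1.0/24"). The flow lines below are constructed samples.

# filter_flows PORTS NET FILE: print the header plus every flow whose dstPort is
# in the ";"-separated PORTS list (ranges "lo-hi" allowed) and whose srcIP4
# lies in the NET given as "a.b.c.d/len".
filter_flows() {
    awk -F '\t' -v OFS='\t' -v ports="$1" -v net="$2" '
    function ip2num(ip,    a) {
        if (split(ip, a, ".") != 4) return -1
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # 1 if port p is listed in list, e.g. "53;80;6000-6008"
    function portmatch(p, list,    items, n, i, r) {
        n = split(list, items, ";")
        for (i = 1; i <= n; i++) {
            if (index(items[i], "-")) {
                split(items[i], r, "-")
                if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) return 1
            } else if (p + 0 == items[i] + 0) {
                return 1
            }
        }
        return 0
    }
    # 1 if ip belongs to the network cidr ("a.b.c.d/len")
    function ipinnet(ip, cidr,    parts, size, num, base) {
        split(cidr, parts, "/")
        size = 2 ^ (32 - parts[2])
        num = ip2num(ip)
        base = ip2num(parts[1])
        base -= base % size            # clear the host bits of the network address
        return (num >= 0 && num >= base && num < base + size)
    }
    NR == 1 {                           # header row: "%flowInd<tab>srcIP4<tab>..."
        for (i = 1; i <= NF; i++) { name = $i; sub(/^%/, "", name); col[name] = i }
        if (!("srcIP4" in col) || !("dstPort" in col)) {
            print "srcIP4/dstPort column missing" > "/dev/stderr"; exit 1
        }
        print; next                     # keep the column names, like hdr()
    }
    portmatch($col["dstPort"], ports) && ipinnet($col["srcIP4"], net)
    ' "$3"
}

# count_matches PORTS NET FILE: number of matching flows, header excluded
count_matches() {
    filter_flows "$1" "$2" "$3" | tail -n +2 | wc -l | tr -d ' '
}

# make_sample_flows FILE: constructed flow file with the columns used above
make_sample_flows() {
    {
        printf '%%flowInd\tsrcIP4\tsrcPort\tdstIP4\tdstPort\tl4Proto\n'
        printf '1\t192.168.1.10\t40000\t10.0.0.1\t53\t17\n'
        printf '2\t192.168.2.10\t40001\t10.0.0.1\t80\t6\n'
        printf '3\t192.168.1.200\t40002\t10.0.0.2\t6004\t6\n'
        printf '4\t192.168.1.20\t40003\t10.0.0.3\t443\t6\n'
    } > "$1"
}

sample=$(mktemp)
make_sample_flows "$sample"
filter_flows "53;80;6000-6008" 192.168.1.0/24 "$sample"   # prints header, flow 1 and flow 3
rm -f "$sample"
```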
A Importing Tranalyzer Flows in Splunk
A.1 Prerequisites
• Tranalyzer version 0.6.x is installed with standard/default plugins,
• Splunk 6.5.x is installed, Splunk account exists,
• At least one network interface (Ethernet or WLAN) has network traffic.
A.2 Select Network Interface
Determine the network interface name by entering the following command:
ifconfig
at the terminal command line. In the output look for the interface name which has the IP address where the network traffic
should be collected from:
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST>
mtu 1500 inet 10.20.6.79 netmask 0xfffffc00 broadcast 10.20.7.255
A.3 Configure Tranalyzer jsonSink Plugin
Go to tranalyzer2-0.6.XlmY/trunk/jsonSink/src/jsonSink.h and set the configuration parameters as needed:
#define SOCKET_ON   1           // Whether to output to a socket (1) or file (0)
#define SOCKET_ADDR "127.0.0.1" // address of the socket
#define SOCKET_PORT 5000        // port of the socket
Set SOCKET_ON to 1 to configure the output to a socket. Set the IP address of the destination server which should receive
the data stream. If the localhost will be the destination, leave the default setting "127.0.0.1". Set the socket server port
of the destination.
A.4 Recompile the jsonSink Plugin
Enter the following command:
tranalyzer2-0.6.8lm4/trunk/jsonSink/autogen.sh
Make sure that the plugin is compiled successfully. In this case the following message will be shown at the command
line:
Plugin jsonSink copied into USER_DIRECTORY/.tranalyzer/plugins
A.5 Start Tranalyzer2
Start generating flow records by launching Tranalyzer2 with the interface name determined on the previous step and
setting a file name as the command line arguments by entering the command:
tranalyzer -i en0 -w test1 &
Note that the file name is optional for JSON stream import: if no file name is given, the records will be shown on
standard output (besides being streamed over the configured TCP socket).
A.5.1 Check File Output
Check that the flow records are written to the file by entering the command:
tail -f test1_flows.txt
Flow records should be shown in the terminal.
A.5.2 Collect Traffic
Let Tranalyzer2 run and collect network traffic.
A.6 Start Splunk
Start Splunk by entering the following command:
splunk start
in the directory where Splunk is installed. Wait for the confirmation message that Splunk is up and running:
The Splunk web interface is at http://splunk_hostname:8000
A.7 Login to Splunk, Import and Search Data
Figure 6: Select “Add Data”.
Figure 7: Select “TCP/UDP” and set protocol to “TCP” and set the correct port number (same as in the Tranalyzer2
plugin configuration file, in this example - 5000).
Figure 8: Select “_json” as Source Type and proceed to “Review”.
Figure 9: Select “Start Searching” to make sure that the data is being received by Splunk.
Figure 10: Note that the data is being received, but the Tranalyzer2 specific data record fields are not shown yet.
Figure 11: Go to “Settings”->”DATA”->”Source Types” and click on “_json” data source type to edit it.
Figure 12: Change option “KV_MODE” from “none” to “json” and save the changes.
Figure 13: Return to the Search window and make sure that the Tranalyzer2 specific fields are recognized by Splunk.
Figure 14: Query data, e.g. show the top destination IP addresses by number of records.
B PDF Report Generation from PCAP using t2fm
B.1 Introduction
This tutorial presents t2fm, a script which generates a PDF report out of a PCAP file. The information provided in the report includes top source and destination addresses and ports, protocols and applications, DNS and HTTP activity and potential warnings, such as executable downloads or SSH connections.
B.2 Prerequisites
For this tutorial, it is assumed the user has a basic knowledge of Tranalyzer and that the file t2_aliases has been sourced in ~/.bashrc or ~/.bash_aliases as follows (see footnote 5; make sure to replace $T2HOME with the actual path, e.g., $HOME/tranalyzer2-0.7.0lm1/trunk):
# $HOME/.bashrc
if [ -f "$T2HOME/scripts/t2_aliases" ]; then
    . "$T2HOME/scripts/t2_aliases"    # Note the leading ‘.’
fi
B.2.1 Required plugins
The following plugins must be loaded for t2fm to produce a useful report:
• basicFlow
• txtSink
• basicStats
• dnsDecode
• httpSniffer, configured as follows:
  – HTTP_SAVE_IMAGE=1
  – HTTP_SAVE_VIDEO=1
  – HTTP_SAVE_AUDIO=1
  – HTTP_SAVE_MSG=1
  – HTTP_SAVE_TEXT=1
  – HTTP_SAVE_APPL=1
• nDPI, configured as follows:
  – NDPI_OUTPUT_STR=1
• portClassifier, configured as follows:
  – PBC_NUM=1
  – PBC_STR=1
B.2.2 Optional plugins
The following plugins are optional:
• arpDecode
• pwX
• geoip
• sshDecode
If one of these plugins is not loaded, messages such as N/A: dnsDecode plugin required will be displayed in the PDF where the information could not be accessed.
5 Refer to the file README.md or to the documentation for more details.
B.2.3 Packages
The following packages are required to build the PDF:
• texlive-latex-extra
• texlive-fonts-recommended
• texlive-science
B.3 Step-by-Step Instructions
For simplicity, this tutorial assumes the user wants a complete report, i.e., requires all of the optional plugins.
1. Make sure all the plugins are configured as described in Section B.2.
2. Build Tranalyzer and the plugins (see footnote 6):
t2build tranalyzer2 basicFlow basicStats txtSink arpDecode dnsDecode geoip httpSniffer \
nDPI portClassifier pwX sshDecode
(Note that these first two steps can be omitted if the t2fm -b option is used.)
3. Run t2fm directly on the PCAP file (the report will be named file.pdf):
t2fm -r file.pcap
4. Open the generated PDF report file.pdf:
evince file.pdf
Alternatively, if you prefer to run Tranalyzer yourself or already have access to a flow file, replace step 3 with the
following steps:
1. Run Tranalyzer on a pcap file as follows:
t2 -r file.pcap -w out
2. The previous command should have created the following files:
out_headers.txt
out_flows.txt
3. Run the t2fm script on the flow file generated previously:
t2fm -F out_flows.txt
B.4 Conclusion
This tutorial has presented how t2fm can be used to create a PDF report summarising the traffic contained in a PCAP file. Although not discussed in this tutorial, it is also possible to use t2fm on a live interface (-i option) or on a list of PCAP files (-R option). For more details, refer to the t2fm man page or use t2fm --help.
6 Hint: use tab completion to avoid typing the full name of all the plugins: t2build tr<tab> ... ht<tab> ...
C Creating a Custom Plugin
A plugin is a shared library file that provides a specific piece of functionality. Tranalyzer2 dynamically loads these shared libraries at runtime from the ~/.tranalyzer/plugins directory in the user’s home folder. Therefore Tranalyzer2 can be installed system-wide in the /usr/local/bin directory while the plugins remain user dependent. To develop a plugin it is strongly recommended that the user utilizes our special “new_plugin” script. This script uses the plugin skeleton “t2PSkel” to create a new plugin with a custom name. It is available via SVN from the Tranalyzer repository under the scripts/ folder. The script copies only the required files. Therefore it is recommended to upload the newly created folder to an SVN/GIT repository before running ./autogen.sh (alternatively, ./autogen.sh -c can be used to clean up automatically generated files that should not be committed). The skeleton contains a header and a source file comprising all mandatory and optional functions, as well as a small HOWTO file and a script to build and move a shared library to the plugins folder.
C.1 Plugin Name
Plugin names should be kept short, start with a lowercase letter and only contain characters in the following ranges: a–z,
A–Z, 0–9. In addition, each “word” should start with an uppercase letter, e.g., pluginName.
C.2 Plugin Number
The plugin number (or order) influences when a plugin is to be loaded (useful if a plugin depends on another one). This
number should consist of three digits and be unique. The plugin orders used in your Tranalyzer installation can be listed
with ./scripts/pne. As a rule of thumb, numbers greater than 900 should be kept for sink (output) plugins and numbers
smaller than 10 for global plugins.
plugin range   description
000 - 099      global
100 - 199      basic L234 plugins
200 - 299      service and routing
300 - 699      L7 protocols
700 - 799      Math and statistics
800 - 899      dependent classifier and AI
900 - 999      output
C.3 Plugin Creation
To create a new plugin named pluginName with plugin order 123, run the following command from Tranalyzer’s root, i.e., the trunk folder:
./scripts/new_plugin pluginName 123
If no plugin number is provided, then the script will choose a random one that is not used by any other plugin.
C.3.1 autogen.sh
The autogen.sh script provides the EXTRAFILES variable, which is used to list extra files, such as lists of subnets,
protocols, services, databases or blacklists, that the plugin needs in order to run. The files listed in this variable are
automatically copied into the Tranalyzer plugin folder.
EXTRAFILES=(dependency1 dependency2)
The CFLAGS variable in autogen.sh can be used if a plugin requires specific libraries, compilation or linking flags,
e.g., CFLAGS="-lzip". In such a case, the DEPS variable can be used to list the dependencies, e.g., DEPS="libzip".
C.4 Compilation
The plugin can then be compiled by typing ./autogen.sh. For a complete list of options, run ./autogen.sh -h.
C.5 Error, warning, and informational messages
Tranalyzer2 provides several macros to report errors, warnings, information or simple messages:
Macro       Purpose                                             Output format
T2_PLOG()   print a normal message (standard terminal colors)   pluginName: message
T2_PINF()   print an information message (blue)                 [INF] pluginName: message
T2_PWRN()   print a warning message (yellow)                    [WRN] pluginName: message
T2_PERR()   print an error message (red)                        [ERR] pluginName: message
Note that T2_PERR always prints to stderr, while the other macros print to stdout, or to PREFIX_log.txt if Tranalyzer’s -l option was used.
Their usage is straightforward:
T2_PLOG("pluginName", "message %d", 42);
Note that a trailing newline is automatically added.
C.6 Accessible structures
For practical reasons all plugins are able to access every structure of the main program and of the other plugins. This is indeed a security risk, but since Tranalyzer2 is a tool for practitioners and scientists in access-limited environments, the maximum possible freedom of the programmer is more important for us.
C.7 Important structures
A predominant structure in the main program is the flow table flow, where the six-tuple used for the flow lookup and the timing information are stored, as well as a pointer to a possible opposite flow. A plugin can access this structure by including the packetCapture.h header. For more information please refer to the header file.
Another important structure is the main output buffer mainOutputBuffer. This structure holds all standard output of activated plugins whenever a flow is terminated. The main output buffer is accessible if the plugin includes the header file main.h.
C.8 Generating output
As mentioned in Section 2.10 there are two ways to generate output. The first is the case where a plugin just writes its arbitrary output into its own file; the second is writing flow-based information to a standard output file. We now discuss the latter case.
The standard output file generated by the Standard File sink plugin consists of a header, a delimiter and values. The header is generated using header information provided by each plugin that writes output into the standard output file. During the initialization phase of the sniffing process, the core calls the printHeader() functions of these plugins. These functions return a single structure or a list of structures of type binary_value_t. Each structure represents a statistic. To provide a mechanism for hierarchical ordering, the statistic itself may contain one or more values and one or more substructures.
The structure contains the following fields:
Field name         Field type           Explanation
num_values         uint32_t             Amount of values in the statistic
subval             binary_subvalue_t*   Type definition of the values
name_value_short   char[128]            Short definition of the statistic
name_value_long    char[1024]           Long definition of the statistic
is_repeating       uint32_t             one, if the statistic is repeating, zero otherwise
next               binary_value_t*      used if the plugin provides more than one statistic
The substructure binary_subvalue_t is used to describe the values of the statistic. For each value, one substructure is required. For example, if num_values is two, two substructures have to be allocated. The substructures must be implemented as a contiguous array consisting of the following fields:
Field name     Field type           Explanation
value_type     uint32_t             Type of the value
num_values     uint32_t             Amount of values in the statistic
subval         binary_subvalue_t*   Definition of the values
is_repeating   uint32_t             one, if the statistic is repeating, zero otherwise
Compared to the binary_value_t representation, the two strings holding the statistic’s short and long description and the next pointer are omitted, but a new field, the value type, is added. Possible values for this new field are described in the enumeration binary_types defined in the header file binaryValue.h. If the field contains a value greater than zero, the fields num_values and subval are ignored. They are needed if a subvalue itself contains subvalues. To indicate additional subvalues, the field value_type must be set to zero. The mechanism is the same as for binary_value_t.
The field is_repeating should be used if the number of values inside a statistic is variable, e.g. a statistic of a vector with variable length.
C.8.1 Column Names
Column names should be kept short and only contain characters in the following ranges: _, a-z, A-Z, 0-9. In addition,
each “word” should start with an uppercase letter, e.g., myCol2. The ’_’ character should be used to name compound
values, e.g., field1_field2. A good practice is to prefix each column name with the short name of the plugin, e.g.,
ftpDecode → ftpStat, ftpCNum
C.8.2 Examples
The following examples illustrate the usage of the two structures described above:
Example 1: Two Statistics each containing a single value If a plugin’s output consists of two statistics each having a single value, it needs to pass a list containing two structures of type binary_value_t. Both structures contain a substructure with the type of the single values. The following diagram shows the relationships between all four structures:
Example 2: A statistic composed of two values Now the output of the plugin is again two statistics, but the first statistic consists of two values, e.g. to describe a position on a grid. Therefore num_values is two and subval points to a memory area holding two struct binary_subvalue_t. The subvalues themselves again contain the type of the statistic’s values. Note: These values do not need to be identical.
Example 3: A statistic containing a complete matrix With the ability to define subvalues in subvalues it is possible
to store multidimensional structures such as matrices. The following example illustrates the definition of a matrix of size
three times two:
C.8.3 Helper functions
In order to avoid filling the structures by hand, a small API located in the header file binaryValue.h does all the nitty-gritty work for the programmer. The four relevant functions are described below.
binary_value_t* bv_append_bv(binary_value_t* dest, binary_value_t* new)
Appends a binary_value_t struct at the end of a list of binary_value_t structures and returns a pointer to the start of the list.
Arguments:
Type              Name   Explanation
binary_value_t*   dest   The pointer to the start of the list
binary_value_t*   new    The pointer to the new binary_value_t structure
binary_value_t* bv_new_bv(char* name_long, char* name_short, uint32_t is_repeating, uint32_t num_values, ...)
Generates a new structure of type binary_value_t and returns a pointer to it.
Arguments:
Type       Name           Explanation
char*      name_long      a long name for the statistic
char*      name_short     a short name for the statistic
uint32_t   is_repeating   one, if the statistic is repeating, zero otherwise
uint32_t   num_values     the number of values for the statistic
int        ...            the types of the statistical values, repeated num_values times
The function creates a binary_value_t structure and sets the values. In addition, it creates an array field with num_values binary_subvalue_t structures and fills in the value types provided in the variable argument list.
Example: The call bv_new_bv("Statistic vector", "stat_vec", 0, 2, bt_uint_64, bt_uint_64) (is_repeating zero, two values) creates the following structures:
binary_value_t* bv_add_sv_to_bv(binary_value_t* dest, uint32_t pos, uint32_t is_repeating, uint32_t num_values, ...)
Replaces a subvalue in a binary_value_t structure with a new substructure that contains additional substructures and returns a pointer to the parent binary value.
Arguments:
Type              Name           Explanation
binary_value_t*   dest           the pointer to the parent binary value
uint32_t          pos            the position of the substructure to be replaced, starting at 0
uint32_t          is_repeating   one, if the subvalue is repeating, zero otherwise
uint32_t          num_values     the number of values in the subvalue
int               ...            the types of the statistical values, repeated num_values times
This function is only valid if dest is already a complete statistic containing all necessary structures.
Example: Let dest be a pointer to the binary_value_t structure from the example above. A call to the function bv_add_sv_to_bv(dest, 1, 0, 2, bt_uint_64, bt_uint_64) replaces the second substructure with a new substructure containing two more substructures:
binary_value_t* bv_add_sv_to_sv(binary_subvalue_t* dest, uint32_t pos, uint32_t is_repeating, uint32_t num_values, ...)
Replaces a subvalue in a binary_subvalue_t structure with a new substructure that contains additional substructures and returns a pointer to the parent binary subvalue.
Arguments:
Type                 Name           Explanation
binary_subvalue_t*   dest           Pointer to the parent binary subvalue
uint32_t             pos            Position of the substructure to be replaced, starting at 0
uint32_t             is_repeating   one, if the subvalue is repeating, zero otherwise
uint32_t             num_values     Number of values in the subvalue
int                  ...            Types of the statistical values, repeated num_values times
For all structures located deeper in the hierarchy than the ones above, this function is required.
Example: Let dest be a pointer to the subvalue structure that was replaced in the example above. A call to the function bv_add_sv_to_sv(dest, 0, 0, 2, bt_uint_64, bt_uint_64) replaces dest’s first substructure with a new substructure containing two more substructures:
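The structures of C.8.2 and the helper calls of C.8.3, as an added example that is not code from this manual or from Tranalyzer2's binaryValue.h: a stand-alone C model of binary_value_t and binary_subvalue_t built from the field tables above, with the four helpers re-implemented from their descriptions. The bt_* type codes, the name bt_compound (the zero value_type meaning "has subvalues"), bv_leaves and the build_* functions are assumptions of this example; bv_add_sv_to_sv returns the parent subvalue here, as its description says, while the listed signature returns binary_value_t*. With the real header, only the bv_* calls inside the build_* functions would be written by a plugin.

```c
/* Added example (not code from Tranalyzer's binaryValue.h): a stand-alone model of
 * binary_value_t / binary_subvalue_t and of the four helpers described above, built from
 * the field tables of this section. bt_* and bt_compound (0, "has subvalues") stand in
 * for the real enum binary_types; bv_leaves and the build_* functions are additions. */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
enum { bt_compound = 0, bt_uint_16 = 1, bt_uint_32 = 2, bt_uint_64 = 3 };
typedef struct binary_subvalue_s {
    uint32_t value_type;               /* > 0: leaf of that type; 0: has subvalues */
    uint32_t num_values;               /* used only when value_type == 0 */
    struct binary_subvalue_s *subval;  /* contiguous array of num_values entries */
    uint32_t is_repeating;
} binary_subvalue_t;
typedef struct binary_value_s {
    uint32_t num_values;
    binary_subvalue_t *subval;
    char name_value_short[128];
    char name_value_long[1024];
    uint32_t is_repeating;
    struct binary_value_s *next;
} binary_value_t;

/* Allocate n leaf subvalues, taking their type codes from the variadic list. */
static binary_subvalue_t *sv_from_va(uint32_t n, va_list ap) {
    binary_subvalue_t *sv = calloc(n ? n : 1, sizeof *sv);
    for (uint32_t i = 0; sv && i < n; i++) sv[i].value_type = (uint32_t)va_arg(ap, int);
    return sv;
}

/* Turn one subvalue into a compound subvalue holding num_values new leaf entries.
 * The old array is freed shallowly: this model never replaces a compound subvalue twice. */
static void sv_replace(binary_subvalue_t *sv, uint32_t is_repeating, uint32_t num_values, va_list ap) {
    free(sv->subval);
    sv->value_type = bt_compound;
    sv->is_repeating = is_repeating; sv->num_values = num_values;
    sv->subval = sv_from_va(num_values, ap);
}

binary_value_t *bv_new_bv(const char *name_long, const char *name_short,
                          uint32_t is_repeating, uint32_t num_values, ...) {
    binary_value_t *bv = calloc(1, sizeof *bv);
    if (!bv) return NULL;
    snprintf(bv->name_value_long, sizeof bv->name_value_long, "%s", name_long);
    snprintf(bv->name_value_short, sizeof bv->name_value_short, "%s", name_short);
    bv->is_repeating = is_repeating; bv->num_values = num_values;
    va_list ap; va_start(ap, num_values);
    bv->subval = sv_from_va(num_values, ap);
    va_end(ap); return bv;
}

binary_value_t *bv_append_bv(binary_value_t *dest, binary_value_t *new_bv) {
    if (!dest) return new_bv;
    binary_value_t *p = dest;
    while (p->next) p = p->next;
    p->next = new_bv;
    return dest;
}

binary_value_t *bv_add_sv_to_bv(binary_value_t *dest, uint32_t pos, uint32_t is_repeating, uint32_t num_values, ...) {
    if (!dest || pos >= dest->num_values) return dest;  /* out of range: dest is left untouched */
    va_list ap; va_start(ap, num_values);
    sv_replace(&dest->subval[pos], is_repeating, num_values, ap);
    va_end(ap); return dest;
}

binary_subvalue_t *bv_add_sv_to_sv(binary_subvalue_t *dest, uint32_t pos, uint32_t is_repeating, uint32_t num_values, ...) {
    if (!dest || dest->value_type != bt_compound || pos >= dest->num_values) return dest;
    va_list ap; va_start(ap, num_values);
    sv_replace(&dest->subval[pos], is_repeating, num_values, ap);
    va_end(ap); return dest;
}

/* Leaf values a statistic emits per flow: lets a plugin cross-check what it appends in
 * onFlowTerminate() against the header it declared in printHeader(). */
static uint32_t sv_leaves(const binary_subvalue_t *sv, uint32_t n) {
    uint32_t total = 0;
    for (uint32_t i = 0; sv && i < n; i++)
        total += sv[i].value_type != bt_compound ? 1 : sv_leaves(sv[i].subval, sv[i].num_values);
    return total;
}
uint32_t bv_leaves(const binary_value_t *bv) { return sv_leaves(bv->subval, bv->num_values); }

/* Example 3 of C.8.2: a 3x2 matrix; rows are declared compound, then filled in. */
binary_value_t *build_matrix_3x2(void) {
    binary_value_t *bv = bv_new_bv("Matrix 3x2", "mat", 0, 3, bt_compound, bt_compound, bt_compound);
    for (uint32_t row = 0; row < 3; row++) bv_add_sv_to_bv(bv, row, 0, 2, bt_uint_64, bt_uint_64);
    return bv;
}

/* The call sequence of C.8.3: stat_vec, bv_add_sv_to_bv on its second subvalue, then
 * bv_add_sv_to_sv on the first entry of that new subvalue (four leaves in all). */
binary_value_t *build_helper_example(void) {
    binary_value_t *dest = bv_new_bv("Statistic vector", "stat_vec", 0, 2, bt_uint_64, bt_uint_64);
    bv_add_sv_to_bv(dest, 1, 0, 2, bt_uint_64, bt_uint_64);
    bv_add_sv_to_sv(&dest->subval[1], 0, 0, 2, bt_uint_64, bt_uint_64);
    return dest;
}
```

build_helper_example follows the manual's own sequence: a two-value stat_vec, then bv_add_sv_to_bv on position 1, then bv_add_sv_to_sv on position 0 of the new subvalue, which leaves four leaf values. bv_leaves counts them, so a plugin can verify that what it later appends in onFlowTerminate() matches the header it declared; an out-of-range pos leaves the structure untouched instead of writing past the subvalue array.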
C.8.4 Writing into the standard output
Standard output is generated using a buffer structure. Upon the event onFlowTerminate (see C.12.7), plugins write all their output into this buffer. It is strongly recommended to use the function outputBuffer_append(outputBuffer_t* buffer, char* output, size_t size_of_output).
Arguments:
Type              Name             Explanation
outputBuffer_t*   buffer           the pointer to the standard output buffer structure; for standard output, this is main_output_buffer
char*             output           a pointer to the output, currently of type char
size_t            size_of_output   the length of field output in single bytes
The output buffer is sent to the output sinks after all plugins have stored their information.
Example: If a plugin wants to write two statistics each with a single value of type uint64_t, it first has to commit its binary_value_t structure(s) (see section above). During the call of its onFlowTerminate() function the plugin writes both statistical values using the append function:
outputBuffer_append(main_output_buffer, (char *) value1, sizeof(uint64_t));
outputBuffer_append(main_output_buffer, (char *) value2, sizeof(uint64_t));
where value1 and value2 are two pointers to the statistical values.
C.9 Writing repeated output
If a statistic can be repeated (field is_repeating is one), the plugin first has to store the number of values as a uint32_t value into the buffer. Afterwards, it appends the values.
Example: A plugin’s output is a vector of variable length, the values are of type uint16_t. For the current flow, which is terminated in the function onFlowTerminate(), there are three values to write. The plugin first writes a field of type uint32_t with value three into the buffer, using the append function:
outputBuffer_append(main_output_buffer, (char *) numOfValues, sizeof(uint32_t));
where numOfValues points to the uint32_t holding the count. Afterwards, it writes the three values.
C.10 Important notes
• IP addresses (bt_ip4_addr or bt_ip6_addr) or MAC addresses (bt_mac_addr) are stored in network order.
• Strings are of variable length and need to be stored with a trailing zero byte (’\0’).
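The write and read sides of the layout described in C.8.4, C.9 and C.10, as an added example that is not code from this manual or from Tranalyzer2: a stand-alone C model of outputBuffer_append() over a bounded buffer, a plugin-side writer for a repeating uint16_t vector and a ’\0’-terminated string, and the matching sink-side decoder. The outputBuffer_t fields, the capacity check, the read_* functions and the sample values are assumptions of this example.

```c
/* Added example, not Tranalyzer's ioBuffer.h: a stand-alone model of the standard
 * output buffer and of outputBuffer_append() as described in C.8.4, C.9 and C.10.
 * The outputBuffer_t fields, the capacity check and the decoding side are
 * assumptions made for this model; the sample values are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char *buffer;   /* storage */
    size_t size;    /* capacity in bytes */
    size_t pos;     /* bytes written so far */
} outputBuffer_t;

/* Bounded append: 1 on success, 0 if the output would overrun the buffer. */
int outputBuffer_append(outputBuffer_t *ob, const char *output, size_t size_of_output) {
    if (!ob || !output || size_of_output > ob->size - ob->pos) return 0;
    memcpy(ob->buffer + ob->pos, output, size_of_output);
    ob->pos += size_of_output;
    return 1;
}

/* C.9: a repeating uint16_t vector is written as its element count (uint32_t)
 * followed by the elements. */
int write_repeating_u16(outputBuffer_t *ob, const uint16_t *vals, uint32_t n) {
    if (!outputBuffer_append(ob, (const char *)&n, sizeof n)) return 0;
    for (uint32_t i = 0; i < n; i++)
        if (!outputBuffer_append(ob, (const char *)&vals[i], sizeof vals[i])) return 0;
    return 1;
}

/* C.10: strings are variable length and carry their trailing '\0'. */
int write_string(outputBuffer_t *ob, const char *s) {
    return outputBuffer_append(ob, s, strlen(s) + 1);
}

/* Sink side: decode a repeating uint16_t vector starting at *off. The element
 * count is checked against the bytes actually present, so a corrupt count can
 * not make the reader run past the record. Returns n, or -1 on a bad record. */
int read_repeating_u16(const outputBuffer_t *ob, size_t *off, uint16_t *out, uint32_t max) {
    uint32_t n;
    if (ob->pos - *off < sizeof n) return -1;
    memcpy(&n, ob->buffer + *off, sizeof n);
    *off += sizeof n;
    if (n > max || (size_t)n * sizeof *out > ob->pos - *off) return -1;
    memcpy(out, ob->buffer + *off, (size_t)n * sizeof *out);
    *off += (size_t)n * sizeof *out;
    return (int)n;
}

/* Sink side: decode a '\0'-terminated string; -1 if no terminator is present. */
int read_string(const outputBuffer_t *ob, size_t *off, char *out, size_t cap) {
    const char *start = ob->buffer + *off;
    const char *end = memchr(start, '\0', ob->pos - *off);
    if (!end || (size_t)(end - start) + 1 > cap) return -1;
    memcpy(out, start, (size_t)(end - start) + 1);
    *off += (size_t)(end - start) + 1;
    return (int)(end - start);
}

/* One flow's record: three uint16_t values and a string, written and read back.
 * Returns the record length in bytes (4 + 3*2 + 4 = 14), or -1 on any mismatch. */
int demo_flow_record(void) {
    char storage[64];
    outputBuffer_t ob = { storage, sizeof storage, 0 };
    const uint16_t vals[3] = { 7, 8, 9 };   /* constructed sample values */
    uint16_t back[3];
    char str[8];
    size_t off = 0;
    if (!write_repeating_u16(&ob, vals, 3) || !write_string(&ob, "abc")) return -1;
    if (read_repeating_u16(&ob, &off, back, 3) != 3 || memcmp(back, vals, sizeof vals)) return -1;
    if (read_string(&ob, &off, str, sizeof str) != 3 || strcmp(str, "abc") || off != ob.pos) return -1;
    return (int)ob.pos;
}

/* Failure mode: a buffer too small for the record is refused, never overrun. */
int demo_overflow_refused(void) {
    char small[6];
    outputBuffer_t ob = { small, sizeof small, 0 };
    const uint16_t vals[3] = { 1, 2, 3 };
    return write_repeating_u16(&ob, vals, 3) == 0 && ob.pos <= sizeof small;
}

/* Failure mode: a count larger than the data behind it is rejected by the reader. */
int demo_bad_count_rejected(void) {
    char storage[16];
    outputBuffer_t ob = { storage, sizeof storage, 0 };
    uint32_t bogus = 50;                    /* claims 50 elements, none follow */
    uint16_t out[50];
    size_t off = 0;
    outputBuffer_append(&ob, (const char *)&bogus, sizeof bogus);
    return read_repeating_u16(&ob, &off, out, 50) == -1;
}

int main(void) {
    printf("record bytes: %d\n", demo_flow_record());
    printf("overflow refused: %d, bad count rejected: %d\n", demo_overflow_refused(), demo_bad_count_rejected());
    return 0;
}
```

Two checks carry the weight here: the append refuses anything that would run past the buffer instead of overrunning it, and the reader validates the element count against the bytes actually present, so a record whose count does not match its data is rejected rather than read past its end. The record length of 14 bytes is the 4-byte count, three 2-byte values and the 4-byte string "abc" with its terminator.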
C.11 Administrative functions
Every plugin has to provide five administrative functions. The first four are mandatory while the last one is optional.
Function name                              Return type    Explanation
get_plugin_name()                          char*          a unique name of the plugin, not necessarily the filename. All characters except the comma are allowed.
get_plugin_version()                       char*          a version number, usually a dot separated 3-tuple (x.y.z)
get_supported_tranalyzer_version_major()   unsigned int   the minimum major version number of the main program supported by the plugin
get_supported_tranalyzer_version_minor()   unsigned int   the minimum minor version number, in combination with the minimum major version number, of the main program supported by the plugin
get_dependencies()                         char*          if it exists, the plugin loader checks the availability of the plugin names returned by this function. The plugin names have to be separated by a comma. White spaces, tabs or any other characters are not treated as name separators.
The existence of these functions is checked during the plugin initialization phase one and two, as highlighted in
Figure 15.
Figure 15: Processing of the plugin loading mechanism
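The administrative functions from the table above, as an added example that is not code from this manual or from Tranalyzer2: a hypothetical plugin pluginName returning its name, version, minimum core version and dependency string, next to a loader-side model that splits the get_dependencies() string on commas only and compares the core version against the declared minimum. The loaded-plugin list, the version numbers and the helper names is_loaded, count_missing_dependencies and core_version_supported are constructed for this example.

```c
/* Added example, not Tranalyzer's loader: the five administrative functions of a
 * hypothetical plugin "pluginName", plus a loader-side model that applies the
 * rules of the table above: the comma is the only separator in the string
 * returned by get_dependencies(), and the plugin's minimum core version is
 * compared major first. The list of loaded plugins is a constructed sample. */
#include <string.h>

char *get_plugin_name(void) { return "pluginName"; }
char *get_plugin_version(void) { return "0.7.1"; }              /* dot separated 3-tuple */
unsigned int get_supported_tranalyzer_version_major(void) { return 0; }
unsigned int get_supported_tranalyzer_version_minor(void) { return 7; }
char *get_dependencies(void) { return "basicFlow,tcpFlags"; }   /* optional, comma separated */

/* Loader side (model): names of the plugins already loaded (constructed sample). */
static const char *const loaded[] = { "basicFlow", "tcpFlags", "basicStats" };

static int is_loaded(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof loaded / sizeof loaded[0]; i++)
        if (strlen(loaded[i]) == len && memcmp(loaded[i], name, len) == 0) return 1;
    return 0;
}

/* Number of names in 'deps' that are not loaded. Only ',' separates names, so
 * "basicFlow, tcpFlags" reports " tcpFlags" (with its leading space) as missing,
 * exactly as the table above warns. An empty string has no dependencies. */
int count_missing_dependencies(const char *deps) {
    int missing = 0;
    for (const char *p = deps; p && *p; ) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (!is_loaded(p, len)) missing++;
        if (!comma) break;
        p = comma + 1;
    }
    return missing;
}

/* Version gate (model): the core at core_major.core_minor satisfies the plugin's
 * declared minimum when its major is newer, or equal with a minor that is not older. */
int core_version_supported(unsigned int core_major, unsigned int core_minor) {
    unsigned int need_major = get_supported_tranalyzer_version_major();
    unsigned int need_minor = get_supported_tranalyzer_version_minor();
    return core_major > need_major || (core_major == need_major && core_minor >= need_minor);
}
```

The point of the dependency parser is the separator rule from the table: a stray space after a comma silently turns "tcpFlags" into a different, unloaded name, which is the failure a plugin author is most likely to hit when writing get_dependencies() by hand.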
C.12 Processing functions
During flow analysis Tranalyzer2 generates several events based on the status of the program, the inspected OSI layer of
the current packet or the status of the current flow. These events consist of specific function calls provided by the plugins.
The implementation of the event functions is dependent on the required action of a plugin to be carried out upon a certain
event.
C.12.1 Event: initialize()
Event / function name   Return type   Parameters
initialize              void          —
The initialize event is generated before the program activates the packet capturing phase. After Tranalyzer2 has
initialized its internal structures it grants the same phase to the plugins. Therefore temporary values should be allocated
during that event by using a C malloc.
C.12.2 Event: printHeader()
Event / function name   Return type       Parameters
printHeader             binary_value_t*   —
This event is also generated during the initialization phase. With this event, the plugins providing data to the standard output file signal the core what type of output they want to write (see C.8). The function returns a pointer to the generated binary_value_t structure or to the start of a list of generated binary_value_t structures.
C.12.3 Event: onFlowGenerated()
Event / function name   Return type   Parameters
onFlowGenerated         void          packet_t *packet, unsigned long flowIndex
This event is generated every time Tranalyzer2 recognizes a new flow not present in the flow table. The first parameter is the currently processed packet, the second denotes the newly generated flow index. As long as the flow is not terminated, the flow index is valid. After flow termination the flow number is returned to a list for later reuse.
C.12.4 Event: claimLayer2Information()
Event / function name    Return type   Parameters
claimLayer2Information   void          packet_t *packet
This event is generated for every new packet containing a valid and supported layer two header, e.g. Ethernet by default. This is the first event generated after libpcap dispatches a packet and before a lookup in the flow table has happened. At this very point in time no tests are conducted for higher layer headers. If a plugin tries to access higher layer structures it has to test itself whether they are present or not. Otherwise, when higher layers are absent, an unchecked access can result in a NULL pointer access and therefore in a possible segmentation fault! We recommend using the subsequent two events to access higher layers.
C.12.5 Event: claimLayer3Information()
Event / function name    Return type   Parameters
claimLayer3Information   void          packet_t *packet
This event is generated for every new packet containing a valid and supported layer three header. The currently supported layer three headers are IP and IP encapsulated in a variable number of VLAN headers. The event is generated after the claimLayer2Information event and before a lookup in the flow table is performed. Again, no tests are conducted for higher layer headers. If a plugin tries to access higher layer structures it has to test their existence. If not present, an unchecked access can result in a NULL pointer access and therefore in a possible segmentation fault! We recommend using the subsequent event to access higher layers.
C.12.6 Event: claimLayer4Information()
Event / function name    Return type   Parameters
claimLayer4Information   void          packet_t *packet, unsigned long flowIndex
This event is generated for every new packet containing a valid and supported layer four header. The currently supported layer four headers are TCP, UDP and ICMP. This event is called after Tranalyzer2 performs a lookup in its flow table and possibly generates an onFlowGenerated event. Implementation of other protocols such as IPsec or OSPF is planned.
C.12.7 Event: onFlowTerminate()
Event / function name   Return type   Parameters
onFlowTerminate         void          unsigned long flowIndex
This event is generated every time Tranalyzer2 removes a flow from its active status either due to timeout or protocol
normal or abnormal termination. Only during this event, the plugins write output to the standard output.
C.12.8 Event: onApplicationTerminate()
Event / function name    Return type   Parameters
onApplicationTerminate   void          —
This event is generated shortly before the program is terminated. At this time no more packets or flows are processed.
This event enables the plugins to do memory housekeeping, stream buffer flushing or printing of final statistics.
C.12.9 Event: bufferToSink()
Event / function name   Return type   Parameters
bufferToSink            void          outputBuffer* buffer
The Tranalyzer core generates this event immediately after the onFlowTerminate event with the main output buffer as
parameter. A plugin listening to this event is able to write this buffer to a data sink. For example the standard file sink
plugin pushes the output into the PREFIX_flows file.
C.13 Timeout handlers
A flow is terminated after a certain timeout, defined by so-called timeout handlers. The default timeout value for a flow is 182 seconds. Plugins are able to access and change this value. For example, the TCP States plugin changes the value according to the different connection states of a TCP flow.
C.13.1 Registering a new timeout handler
To register a new timeout handler, a plugin has to call the timeout_handler_add(float timeout_in_sec) function. The argument is the new timeout value in seconds. The plugin is then authorized by the core to change the timeout of a flow to the registered timeout value. Without registering a timeout handler, the timeout test is unreliable.
C.13.2 Programming convention and hints
• A call of timeout_handler_add should only happen during the initialization function of the plugin.
• Registering the same timeout value twice does no harm.
• Registering timeout values in fractions of seconds is possible, see the TCP States plugin.
Figure 16: Tranalyzer packet processing and event generation.
D Advanced Performance Enhancements with PF_RING
Under certain circumstances, e.g., large quantities of small packets, the kernel might drop packets. This happens due to the normal kernel dispatching, which is known to be inefficient for packet capture operations. The capturing process can be made more efficient by changing the kernel as in packet_mmap, but then a patched libpcap is required, which is not available yet (see footnote 7). Another option is pf_ring. Its kernel module passes the incoming packets to the user process in a different way (see footnote 8).
Requirements
• Kernel version prior to 3.10 (see footnote 9).
• All packages needed for building a kernel module; names are distribution-dependent.
• A network interface whose driver supports NAPI polling.
• Optional: a network card which supports Direct Network Interface Card (NIC) access (DNA) (see footnote 10).
Quick setup
Download PF_RING from a stable tar ball or development source at http://www.ntop.org/get-started/download/. In order to build the code, the following commands have to be executed in a bash window:
cd PF_RING/kernel
make && sudo make install
modprobe pf_ring
Figure 17: building kernel module
Tranalyzer2 requires at least libpfring and libpcap-ring, which can be installed the following way:
cd PF_RING/userland
cd lib
make && sudo make install
cd ..
cd libpcap
make && sudo make install
Figure 18: basic userland
You may like to install other tools such as tcpdump. Just install it the same way as described above.
NOTE: pf_ring.ko is loaded with transparent_mode=0 by default, which enables NAPI polling. If you use a card with special driver support for DNA you may want to compile the driver and load pf_ring.ko in a different mode (see footnote 11).
7 See https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt for more information
8 See http://www.ntop.org/products/pf_ring/
9 Presently, when composing this document, there is no patch for the deprecation of the create_proc_read_entry() function. See: https://lkml.org/lkml/2013/4/11/215
10 documentation: http://www.ntop.org/products/pf_ring/DNA/
11 See: man modprobe.d
Load on boot
Since this seems to be difficult for many users, the load procedure is described in the following.
Depending on your distribution, or to be more specific, the init system your distribution uses at boot time, the procedure may be somewhat different. With systemd (see footnote 12), create a file with a ‘.conf’ ending in /etc/modules-load.d/ which contains just the text pf_ring, the module name without the ‘.ko’ ending (see footnote 13).
Ubuntu uses /etc/modules as a single file where you can add a line with the module name (see footnote 14).
systemd
echo pf_ring > /etc/modules-load.d/pfring.conf
OR
ubuntu
echo pf_ring >> /etc/modules
Figure 19: on-boot kernel module load examples
New kernel
Once in a while there is indeed a new kernel available. If you want to use pf_ring afterwards do not forget to recompile
the kernel module, or set up dkms.
12 More info: http://www.freedesktop.org/wiki/Software/systemd/
13 For more info: man modules-load.d
14 See: man modules
E Status
This section summarises the available plugins. For each plugin, a brief description is provided, along with the license
(open/closed source) and development status (pre-alpha, alpha, beta, release-candidate, release or deprecated).
E.1 Global Plugins
Plugin Name   Number   Description                          License   Status
protoStats    001      Overall statistics about protocols   GPL       release
E.2 Basic Plugins
Plugin Name         Number   Description                            License   Status
basicFlow           100      Overall statistics plugin              GPL       release
macRecorder         110      MAC addresses and manufacturers        GPL       release
portClassifier      111      Classification based on port numbers   GPL       release
basicStats          120      Basic statistics                       GPL       release
connectionCounter   501      Connection counter                     GPL       deprecated (see connStat)
connStat            500      Connection statistics                  GPL       release
E.3 Protocol Plugins
Plugin Name         Number   Description      Status
arpDecode           200      ARP              beta
bgpDecode           201      BGP              beta
dhcpDecode          250      DHCP             release
dnsDecode           251      DNS              beta
ftpDecode           301      FTP              release
httpSniffer         310      HTTP             release
icmpDecode          140      ICMP             release
igmpDecode          204      IGMP             alpha
ircDecode           401      IRC              beta
modbus              450      Modbus           beta
ntpDecode           205      NTP              release
oneWaytcpTracking   199      one way tricks   release
ospfDecode          202      OSPF             release
popDecode           304      POP              release
radiusDecode        255      RADIUS           beta
sctpDecode          135      SCTP             beta
smbDecode           385      SMB              beta
smtpDecode          303      SMTP             release
ss7Decode           190      SS7              pre-alpha
ssDecode            311      SSL/TLS, SSH     release
stpDecode           203      STP              alpha
syslogDecode        260      Syslog           release
tcpFlags            130      TCP flags        release
tcpStates           132      TCP states       release
telnetDecode        305      Telnet           pre-alpha
tftpDecode          300      TFTP             release
voipDetector        320      VoIP             release
vrrpDecode          220      VRRP             beta
License: 21 of the 28 plugins listed above are GPL (open source); the others are closed source.
E.4 Application Plugins
Plugin Name         Number   Description                   Status
covertChannels      600      Covert channel detection      release
dnsBCmp             610      DNS blacklist                 release
httpBCmp            611      HTTP blacklist                release
natNudel            601      NAT detection, STUN decoder   beta
pwX                 602      Password extractor            release
regex_pcre          605      PCRE                          release
regex_re2           606      RE2                           release
regexp              607      Basic regular expressions     deprecated (see regex_pcre)
regexp_snort_pcre   608      Snort regular expressions     beta
torDetector         609      Tor Detector                  release
License: 2 of the 10 plugins listed above are GPL (open source); the others are closed source.
E.5 Math Plugins
Plugin Name        Number  Description                                         Status
centrality         800     Centrality                                          beta
descriptiveStats   702     Descriptive statistics                              release
entropy            710     Entropy                                             beta
nFrstPkts          700     Statistics over the first N packets                 release
pktSIATHisto       701     Histograms of packet size and inter-arrival times   release
wavelet            720     Wavelet                                             beta
License column: 4 of these 6 entries are GPL.
E.6 Classifier Plugins
Plugin Name        Number  Description                                   Status
bayes              801     Classification using Bayes                    beta
esomClassifier     800     Classification based on the ESOM              beta
fnameLabel         899     Classification based on filename              beta
nDPI               112     Classification based on content analysis      release
geoip              116     Classification based on content analysis      release
p0f                779     OS classification based on content analysis   release
tp0f               117     OS classification based on content analysis   release
License column: 4 of these 7 entries are GPL.
E.7 Output Plugins
Plugin Name    Number  Description                                              Status
arcsightSink   905     Output into an Arcsight socket interface                 release
binSink        900     Binary output into a flow file                           release
findexer       961     Produces a binary index mapping flow index and packets   release
fpSink         921     Output into a PostgreSQL database                        release
jsonSink       903     Produces a JSON file                                     release
netflowSink    904     Netflow output format for existing Cisco tools           alpha
pcapd          960     Stores packets from specific flows in pcap files         release
redisDbSink    922     Output into a Redis DB                                   release
socketSink     910     Binary output into a TCP/UDP socket                      release
sqlSink        920     Output into a SQL database                               beta
txtSink        901     Text output into a flow file                             release
License column: 5 of these 11 entries are GPL.
F TODO
This section lists some features, capabilities and plugins which Tranalyzer is currently missing. Feel free to pick a task or
two and contribute code, plugins or ideas.
F.1 Features
• Anonymisation
• Endianness independence
• Support for NetMon dump files
• Stream reassembly and reordering
F.2 Plugins
• SS7
• TDS (Tabular Data Stream, Microsoft)
• IMAP
• DCE/RPC
• NFS, iSCSI
• LDAP
• SNMP
• X11
• STP (L2)
• QUIC (Quick UDP Internet Connections, Google)
• Telnet
• LLMNR (Link-Local Multicast Name Resolution)
• CDP/LLDP
• Dropbox
• XMPP
• Routing (EIGRP, RIPv2, HSRP (Cisco), ...)
• OCSP, PKIX-CRL (include in ssDecode?)
• Chat (MSN, IRC, YMSG, ...)
• OpenVPN
• Torrent, Gnutella
• BACnet
G FAQ
This section answers some frequently asked questions.
G.1 If the hashtable is full, how much memory do I need to add?
When T2 warns you that the hashtable is full, it also tells you how to correct the problem:
[ERR] MainHashMap is full:
set HASHFACTOR to X or greater (use the '-f' option or edit
tranalyzer.h)
T2 calculates an estimate of the multiplication factor HASHFACTOR, which you can set with the -f command-line option.
G.2 Can I change the timeout of a specific flow in my plugin?
Yes. Each flow owns its own timeout value, which can be altered at any time, even on a per-packet basis. This enables the
user to program stateful protocol plugins. Check out the tcpStates plugin as an inspiration.
G.3 Can I reduce the maximal flow length?
In tranalyzer2/src/tranalyzer.h you will find a constant called FDURLIMIT. Set it to the desired number of seconds and T2
will terminate every flow after at most FDURLIMIT+1 seconds and create a new flow for the next packet to come.
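As an added illustration of the timeout semantics described in G.2 and G.3: the model below is written for this page and is not Tranalyzer's flow engine. FDURLIMIT is the real tranalyzer.h constant, but its value here, the idle-timeout default, the packet trace and the timeout_override hook are all assumptions made for the example. It shows how a hard duration cap and a per-flow idle timeout split one packet stream into flows, and how a plugin-style override of a single flow's timeout changes the result.

```python
"""Model of T2's per-flow timeout and FDURLIMIT behaviour (illustrative, not Tranalyzer code)."""

# Assumed values: FDURLIMIT is a real tranalyzer.h constant, but the defaults below are
# placeholders chosen for this example.
FDURLIMIT = 60          # hard cap on flow duration in seconds; 0 disables the cap in this model
DEFAULT_TIMEOUT = 180   # idle timeout in seconds a flow starts with (placeholder value)


def track_flows(packets, fdurlimit=FDURLIMIT, default_timeout=DEFAULT_TIMEOUT,
                timeout_override=None):
    """Split (timestamp, flow_key) packets into flows.

    A packet closes its current flow and opens a new one when either
      * the gap since the flow's last packet exceeds the flow's own timeout, or
      * the flow's duration would exceed fdurlimit (the FDURLIMIT behaviour).
    timeout_override(key, timeout) models a plugin (e.g. tcpStates) changing the
    timeout of a particular flow. Returns (key, first_ts, last_ts, n_packets) tuples
    in the order the flows were terminated.
    """
    active = {}    # flow_key -> {"start", "last", "n", "timeout"}
    closed = []

    def terminate(key):
        f = active.pop(key)
        closed.append((key, f["start"], f["last"], f["n"]))

    for ts, key in sorted(packets):            # process in capture order
        f = active.get(key)
        if f is not None:
            idle = ts - f["last"] > f["timeout"]
            too_long = bool(fdurlimit) and ts - f["start"] > fdurlimit
            if idle or too_long:
                terminate(key)
                f = None
        if f is None:
            timeout = default_timeout
            if timeout_override is not None:
                timeout = timeout_override(key, timeout)
            f = active[key] = {"start": ts, "last": ts, "n": 0, "timeout": timeout}
        f["last"] = ts
        f["n"] += 1

    for key in list(active):                   # end of capture: flush what is still open
        terminate(key)
    return closed


# Constructed packet trace: (timestamp in seconds, flow key); not captured data.
SAMPLE_PACKETS = [(0, "A"), (1, "B"), (10, "A"), (70, "A"), (75, "A"), (300, "A"), (400, "B")]

if __name__ == "__main__":
    for flow in track_flows(SAMPLE_PACKETS):
        print(flow)
```

With the cap at 60 s the packet at t=70 starts a second "A" flow even though the flow was not idle; with fdurlimit=0 the same packets stay in one flow until the idle timeout at t=300 ends it. Lowering the timeout for key "A" through timeout_override fragments it further, which is exactly the lever a stateful plugin pulls.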
G.4 How can I change the separation character in the flow file?
The separation character is defined as SEP_CHAR in txtSink/src/bin2txt.h. It can be set to any character, e.g., ',' or '|'.
In addition, the character used for comments, e.g., column names, is controlled by HDR_CHR in the same file. Note that
Tranalyzer uses '\t' and '%' as defaults, so if the separation or comment character is changed, some scripts might
not work as expected.
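An added example of a script that reads a txtSink flow file and honours both settings; it is not part of the txtSink plugin. The column layout of the sample, the assumption that the last comment line before the data carries the column names, and the sample values themselves are constructed for this page. The long_flows helper shows the kind of post-processing such a script does, and the usage note below shows what happens when SEP_CHAR is changed but the script is not told.

```python
"""Parser for txtSink flow files (added example; not part of the txtSink plugin)."""

SEP_CHAR = "\t"   # txtSink default separator (SEP_CHAR in txtSink/src/bin2txt.h)
HDR_CHR = "%"     # txtSink default comment/header character (HDR_CHR in the same file)


def parse_flow_file(text, sep=SEP_CHAR, hdr=HDR_CHR):
    """Return one dict per flow row, keyed by column name.

    Assumed layout: comment lines start with hdr; the last comment line before the
    first data row carries the separator-delimited column names.
    """
    columns, rows = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith(hdr):
            if not rows:                         # header block precedes the data
                columns = line[len(hdr):].strip().split(sep)
            continue
        if columns is None:
            raise ValueError(f"line {lineno}: data row before any column header")
        fields = line.split(sep)
        if len(fields) != len(columns):
            raise ValueError(f"line {lineno}: {len(fields)} fields for {len(columns)} columns")
        rows.append(dict(zip(columns, fields)))
    return rows


def long_flows(rows, min_seconds):
    """Flows lasting at least min_seconds: long-lived sessions are worth a look when
    reviewing a capture for persistent remote-access or tunnelling traffic."""
    return [(r["flowInd"], r["dir"], r["dstIP"], r["dstPort"])
            for r in rows if float(r["duration"]) >= min_seconds]


# Constructed sample in the default tab-separated layout; not real Tranalyzer output.
COLUMNS = ["dir", "flowInd", "timeFirst", "timeLast", "duration",
           "srcIP", "srcPort", "dstIP", "dstPort", "l4Proto", "numPktsSnt"]
SAMPLE_FLOW_FILE = "\n".join([
    "% Tranalyzer 0.7.1 constructed sample header",
    "%" + "\t".join(COLUMNS),
    "\t".join(["A", "1", "1500000000.000000", "1500000012.500000", "12.500000",
               "192.0.2.10", "51234", "198.51.100.5", "80", "6", "7"]),
    "\t".join(["B", "1", "1500000000.010000", "1500000012.400000", "12.390000",
               "198.51.100.5", "80", "192.0.2.10", "51234", "6", "5"]),
    "\t".join(["A", "2", "1500000005.000000", "1500003605.000000", "3600.000000",
               "192.0.2.10", "40001", "203.0.113.9", "22", "6", "812"]),
])

if __name__ == "__main__":
    flows = parse_flow_file(SAMPLE_FLOW_FILE)
    print(len(flows), "flows; long-lived:", long_flows(flows, 600))
```

If SEP_CHAR is switched to ',' and this script is still run with the default separator, it does not fail: both the header line and every data row split into a single field, so each row silently becomes a one-column record. That is the failure mode the FAQ warns about, and a quick check on the number of parsed columns is cheap insurance.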
G.5 How can I build all the plugins?
Use ./autogen.sh -a
G.6 T2 failed to compile: What can I do?
If a dependency is missing, you should see an appropriate message, e.g., Missing dependency libname. If no such
message is displayed, it could be that the Makefiles are outdated. Then use autogen.sh -r to force the rebuild of the
Makefiles. A typical error requiring the use of autogen.sh -r is:
...
/bin/bash: line 10: automake-: command not found
Makefile:333: recipe for target 'Makefile.in' failed
make[1]: *** [Makefile.in] Error 127
...
G.7 T2 segfaults: What can I do?
T2 never segfaults! Unless he deviates from his cosmic plan and indeed segfaults. The most prominent cause is memory
inconsistencies with old plugins still resident under ~/.tranalyzer/plugins/.
1. Remove all the plugins: rm ~/.tranalyzer/plugins/*.so
2. Recompile the plugins, e.g., cd ~/tranalyzer2-xx/trunk && ./autogen.sh
3. T2 should behave again.
For the developer:
If that does not fix the problem, recompile T2 in debug mode with ./autogen.sh -d and try to run tranalyzer in gdb:
gdb -args ./tranalyzer -r file.pcap -w outpref. If the error happens while writing down flows, try to remove
plugins until the error disappears. Finally, run the segvtrack script as follows: segvtrack yourpcap. This will automatically
reduce the PCAP to the smallest set of packets which causes a segfault. If this does not help, send us a bug report at
tranalyzer@rdit.ch with this pcap, the T2 configuration (the values that differ from the default) and the plugins you
are using. Then we will get a fix for you in no time.
G.8 T2 stalls after USR1 interrupt: What can I do?
This is caused by a bug in libpcap, which is not thread-safe under certain conditions. Check whether T2 is set to the
default signal threading mode in main.h:
• Set MONINTTHRD to 1
• Set MONINTPSYNC to 1
Do not forget to recompile T2 with ./autogen.sh if you had to change the configuration.
Now the printing process is detached from the packet capture and the output is synchronized with the packet-processing
main loop. Thus, pcap is never interrupted.
Another method is to block all interrupts during pcap by setting MONINTBLK to 1, which is less performant.
G.9 Can I reuse my configuration between different machines or Tranalyzer versions?
You can write a patch for t2conf and apply it with t2conf --patch. Revert the patch with the --rpatch option. The patch
is a simple text file listing the defines to change, e.g., IPV6_ACTIVATE <tab> 1 <tab> 0 <tab>
tranalyzer2/src/networkHeaders.h. For more details, refer to the documentation of t2conf.
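An added example of a small applier for this patch format; it is written for this page and is not t2conf's own code. It assumes the four tab-separated fields are name, old value, new value and header path (the FAQ does not say which of the two values is the old one, so check the t2conf documentation before relying on that order), and it uses a constructed header fragment in place of the real networkHeaders.h, with EXAMPLE_DEFINE as a hypothetical second define. The point worth copying is the check that the current value matches the expected one, so a patch written against one version cannot silently overwrite a header that already differs.

```python
"""Apply/revert a t2conf-style define patch (added example; not t2conf's own code).

Assumed patch line format, following the FAQ's example:
    DEFINE_NAME <tab> old_value <tab> new_value <tab> path/to/header.h
The old/new field order is an assumption made here; check the t2conf documentation.
"""
import re


def parse_patch(text):
    """Return (name, old, new, path) tuples; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != 4:
            raise ValueError(f"patch line {lineno}: expected 4 tab-separated fields, got {len(parts)}")
        entries.append(tuple(parts))
    return entries


def set_define(source, name, expected, new):
    """Rewrite '#define NAME value' in source, keeping any trailing comment.

    Refuses to edit when the current value is not `expected`, so a patch written for
    one version cannot silently clobber a header that already differs.
    """
    pattern = re.compile(r"^([ \t]*#[ \t]*define[ \t]+" + re.escape(name) + r"[ \t]+)(\S+)(.*)$", re.M)
    m = pattern.search(source)
    if m is None:
        raise KeyError(f"#define {name} not found")
    if m.group(2) != expected:
        raise ValueError(f"{name}: found {m.group(2)!r}, expected {expected!r}")
    return source[:m.start(2)] + new + source[m.end(2):]


def apply_patch(files, entries, revert=False):
    """files maps header path -> contents. revert=True applies the patch backwards
    (the --rpatch direction). Returns a new dict; the input is left untouched."""
    out = dict(files)
    for name, old, new, path in entries:
        if revert:
            old, new = new, old
        out[path] = set_define(out[path], name, old, new)
    return out


# Constructed fragment standing in for tranalyzer2/src/networkHeaders.h (not the real file).
HEADER_PATH = "tranalyzer2/src/networkHeaders.h"
SAMPLE_HEADER = (
    "// constructed header fragment\n"
    "#define IPV6_ACTIVATE 0 // constructed comment\n"
    "#define EXAMPLE_DEFINE 4\n"    # hypothetical define, not from Tranalyzer
)
SAMPLE_PATCH = "\n".join([
    "# constructed patch: name, old, new, file",
    "\t".join(["IPV6_ACTIVATE", "0", "1", HEADER_PATH]),
    "\t".join(["EXAMPLE_DEFINE", "4", "8", HEADER_PATH]),
])

if __name__ == "__main__":
    patched = apply_patch({HEADER_PATH: SAMPLE_HEADER}, parse_patch(SAMPLE_PATCH))
    print(patched[HEADER_PATH])
```

Applying the patch a second time raises instead of rewriting, and reverting restores the header byte for byte, which is what makes the same patch file safe to carry between machines.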
G.10 How to contribute code, submit a bug or request a feature?
Either use the mailing-list at tranalyzer-devel@list.sourceforge.net or contact the development team directly via email at
tranalyzer@rdit.ch.