The Anteater

Tranalyzer2 is a lightweight flow generator and packet analyzer designed for practitioners and researchers. Particular emphasis is placed on simplicity, performance and scalability. It extends Cisco NetFlow's functionality and supports analysts in processing ultra large packet dumps. It supports the drill-down process to the very flow or even packet of interest and can quickly produce a reduced pcap, which can then be analyzed in depth by its own text-based packet mode or simply loaded into tcpdump or Wireshark.

The program is open-source, implemented in C and built upon the libpcap library. Tranalyzer provides functionality to analyze and generate key parameters and statistics from network traces, either live-captured from Ethernet interfaces or read from pcap files. The amount of binary and text-based output Tranalyzer produces depends on the enabled plugins, so users can tailor the output to their needs. Moreover, additional plugins can be developed independently of the functionality of other plugins.

Performance

Designed for heavy duty tasks

Open-source

Licensed under the GNU GPL

Extendable

Flexible plugin-based architecture

Features

Aggregation

Flexible aggregation of packets into 0 to 10 tuple flows with flow cross-link, e.g., ICMP with the originating flow or FTP control with data.

Geolocation

Geolocation and whois based IP address labeling and aggregation. Support tools: t2whois, t2netID, t2locate and MaxMind DB plugin.

Mining & AI support

For traffic mining, the preprocessing and proper mathematical transformation to find invariances represent about 90-95% of the work needed to produce a robust classifier that performs well in practice.

Encapsulations

Protocol Encapsulations such as VLAN, L2TP, MPLS, PPP, GRE, GTP, ERSPAN, VXLAN, AYIYA, CAPWAP, Teredo, PIM, SCTP, etc.

Output options

Text, JSON and binary format. Reports into multiple databases: PostgreSQL, MongoDB, SQLite, MariaDB/MySQL and ClickHouse. Reports also into standard NetFlow 9/10 tools.

Reporting

Assess pcap quality and detect anomalies. Generate summary reports of PCAP files (endpoints / protocol statistics, anomalies, ...). Specific reporting for troubleshooting, security and forensic purposes.

Easy post-processing

Via Tawk, Awk, Python, Bash, Perl, ... the way admins like it!
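As an added example (not code from the Tranalyzer project), the following Python script post-processes a small constructed flow file in the style of Tranalyzer's tab-separated text output: a header line prefixed with '%' followed by one row per flow direction. The column names (dir, flowInd, srcIP, srcPort, dstIP, dstPort, l4Proto, numPktsSnt, numBytesSnt) are assumed from the basicFlow and basicStats plugin conventions; the values are constructed.

```python
import csv
from collections import defaultdict

# Constructed sample of a *_flows.txt file (tab-separated, '%'-prefixed header).
# Column names are an assumption based on the basicFlow/basicStats plugins;
# the rows are made up, not captured output.
SAMPLE_FLOWS = """\
%dir\tflowInd\tsrcIP\tsrcPort\tdstIP\tdstPort\tl4Proto\tnumPktsSnt\tnumBytesSnt
A\t1\t10.0.0.5\t51234\t192.0.2.10\t443\t6\t120\t18400
B\t1\t192.0.2.10\t443\t10.0.0.5\t51234\t6\t150\t910200
A\t2\t10.0.0.5\t51235\t198.51.100.7\t22\t6\t8\t960
B\t2\t198.51.100.7\t22\t10.0.0.5\t51235\t6\t6\t1200
A\t3\t10.0.0.9\t40000\t192.0.2.10\t443\t6\t3\t180
"""


def parse_flows(text):
    """Yield one dict per row; the '%' on the header line names the columns."""
    lines = text.splitlines()
    header = lines[0].lstrip("%").split("\t")
    reader = csv.DictReader(lines[1:], fieldnames=header, delimiter="\t")
    for row in reader:
        for col in ("flowInd", "dstPort", "numPktsSnt", "numBytesSnt"):
            row[col] = int(row[col])
        yield row


def bytes_per_flow(text):
    """Join the A (initiator) and B (responder) halves sharing a flowInd.
    Returns {flowInd: (bytes sent by A, bytes sent by B)}."""
    totals = defaultdict(lambda: [0, 0])
    for row in parse_flows(text):
        totals[row["flowInd"]][0 if row["dir"] == "A" else 1] += row["numBytesSnt"]
    return {k: tuple(v) for k, v in totals.items()}


def top_dst_ports(text, n=2):
    """Rank contacted services (dstPort of the A flow) by bytes in both directions."""
    a_port = {r["flowInd"]: r["dstPort"] for r in parse_flows(text) if r["dir"] == "A"}
    totals = defaultdict(int)
    for row in parse_flows(text):
        totals[a_port[row["flowInd"]]] += row["numBytesSnt"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def unanswered_flows(text):
    """flowInd values whose responder side sent nothing: a cheap first cut
    for spotting scans or blocked connections worth a closer look."""
    return sorted(k for k, (_, b) in bytes_per_flow(text).items() if b == 0)
```

Run against a real flow file, the same functions work unchanged as long as the listed columns are present; the header line tells you which ones your plugin set produced.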

Monitoring

Reports into standard tools such as RRDtool or Splunk

Data carving

Routing & switching

Support for several routing and switching protocols such as: BGP, OSPF, CDP, LLDP, STP, VRRP, etc.

Network management

Support for several network management protocols such as: RADIUS, VTP, NTP, DHCP, LDAP, etc.

Pcap generation

Performance tests often require statistically correct upscaling of pcaps acquired at lower speeds. pcapd solves that problem for you.

Graphics
Tranalyzer Anteater