News archive
Latest news
Tranalyzer2 Cobra version 0.9.2lmw1 is out!
- tranalyzer2:
  - Added support for DPDK
  - Added support for DTLS dissection
- clickhouseSink:
  - Improved documentation
- findexer:
  - Added support for pcap with nanosecond precision
  - Various fixes and improvements
- mongoSink:
  - Improved handling of timestamps with nanosecond precision
  - Improved documentation
- ospfDecode:
  - Added missing column names in output files
  - Make sure each row in each file always has the same number of columns
  - Renamed column `seq#` to `seqNum`
  - Bugfixes and improvements
- pcapd:
  - Bugfixes and improvements
- psqlSink:
  - Improved handling of timestamps with nanosecond precision
  - Improved documentation
- sslDecode:
  - Updated SSL blacklist
- tcpFlags:
  - Improved performance
- voipDetector:
  - Bugfixes and improvements
- t2fm:
  - Added information about top known and unknown JA3 and JA3S fingerprints
  - Added information about top known and unknown JA4 and JA4S fingerprints
  - Added information about top blacklisted certificates
  - Replaced `-C`/`--color` option with `--{chart,table-{odd,even}}-color`
  - Replaced `-c`/`--clickhouse` option with `-C`/`--clickhouse`
  - Various fixes and improvements
- t2py
- t2utils.sh:
  - Added `${IS_LINUX}` and `${IS_MACOS}` variables
  - Simplified `find_most_recent_file` function
  - Renamed `check_dependency_osx` to `check_dependency_macos`
  - Various fixes and improvements
- tawk:
  - Added `-b`/`--both-directions` option to extract A and B flows (`-x`/`-k` options)
  - Added support for more custom defined columns (`srcMac`, `ethType`, …)
  - Various fixes and improvements
- scripts:
  - t2timeline: added `-d` option
  - New script:
    - t2dpdk: run N instances of Tranalyzer in DPDK multi-process mode
Tranalyzer2 Cobra version 0.9.1lmw1 is out!
- tranalyzer2:
  - Added `LIVEBUFSIZE` define to set libpcap internal buffer size on live captures
  - Added `T2_USEC_PREC` and `T2_PRI_USEC` macros
  - Added sensor ID to monitoring machine report
  - Added support for DTLS 1.2
  - Added `-S`/`--snaplen` and `-B`/`--rx-bufsize` command line options
  - Added `-P`/`--priority` option to set process priority (renice)
  - Added `-M`/`--mon-interval` option to set monitoring interval
  - Added `-m`/`--monfile` option to redirect monitoring output to _monitoring.txt
  - Added `FLOW_IS_A()` and `FLOW_IS_B()` macros
  - Extended support for Q-in-Q VLAN (ethertypes 0x9100 and 0x9200)
  - Reduced memory footprint of `flow_t` structure if `FRAGMENTATION=0`
  - Reduced list of L2/3 protocols to monitor (can be easily extended with `MONPROTL[23]`)
  - Removed `B2T_NANOSECS` macro, use `TSTAMP_PREC` instead
  - Renamed `ENABLE_IO_BUFFERING` macro to `IO_BUFFERING`
- basicFlow:
  - Added MPLS information to packet mode
  - Added option to output MPLS labels as hexadecimal
  - Added `BFO_VLAN=3` option to output decoded VLAN headers
  - Fixed nanoseconds representation in packet mode
- nDPI:
  - Updated nDPI library to version 4.8
- nFrstPkts:
  - Fixed nanoseconds representation for inter-arrival times
- pcapd:
  - Added `PD_CHKSUM` option to correct IPv4 checksum
- sslDecode:
  - Renamed `SSL_PROTO_LIST` to `SSL_ALPN_LIST`
  - Renamed `sslProtoList` and `sslNumProto` to `sslALPNList` and `sslNumALPNList`
  - Extract list of signature hash algorithms
  - Extract list of ALPN, NPN and ALPS
  - Extract list of record, handshake and supported versions
  - Extended `sslProto` to flag GREASE values and more
  - Added support for TLS 1.3 draft versions
  - Added support for missing TLS 1.3 ciphers
  - Added support for missing TLS 1.3 alerts
  - Added number of TLS 1.3 draft versions flows to plugin report
  - Added number of DTLS 1.3 flows to plugin report
  - Added support for JA4/JA4S fingerprints
  - Fixed handling of GREASE values in JA3 fingerprints
  - Updated list of insecure, weak, secure and recommended ciphers
  - Updated JA3 fingerprints
  - Updated SSL blacklist
- tcpFlags:
  - Added support for JA4T fingerprints
- tp0f:
  - Added packet mode
- txtSink:
  - Report process priority in headers file
- voipDetector:
  - Added `VOIP_SIP`, `VOIP_RTP`, `VOIP_RTCP` to control protocol dissection
  - Added `VOIP_BUFMODE`, `RTPBUFSIZE`, `RTPSUBDIRS`, `VOIP_PERM` macros
  - Decode RTCP by default
  - Output SIP contacts and Call-IDs
  - Output SDP session ID
  - Fixed description of RTP payload type 125
  - Code hardening
- fsutils.[ch]:
  - New helper macro: `T2_MKPATH_WITH_FLAGS()`
- t2buf.[ch]:
  - New function: `t2buf_ptr()`
- t2log.h:
  - New macros: `T2_FPLOG_DIFFNUM`, `T2_FPLOG_DIFFNUM0`
- t2utils.[ch]:
  - New helper macros:
    - `DTLS12_HEADER()`
    - `t2_calloc()`, `t2_malloc()`
  - New functions:
    - `t2_strncpy()`
    - `t2_tcp_socket_connect()`, `t2_tcp_socket_connect_to_server()`, `t2_udp_socket_init()`
    - `t2_calloc_fatal()`, `t2_malloc_fatal()`
  - Fixed nanoseconds representation in `t2_log_date()` and `t2_log_time()`
- API break:
  - Renamed `t2_calloc`/`t2_malloc` to `t2_[cm]alloc_fatal()`
- tawk:
  - tawk is now faster
  - Inverted `-t` option behavior: use it to validate column names (slow)
- scripts:
  - t2build:
    - Added `--lto` option to enable link time optimization (meson only)
  - t2caplist:
    - Added `-x` option to filter by extension (faster, but less precise)
    - Added `-t` option to sort list by first packet time
  - t2conf:
    - Fixed `t2conf tranalyzer2 --gui`
    - Several other fixes and improvements
  - t2fm:
    - Added information about ASNs
    - Added `-d`/`--data-carving` option to report EXE downloads
  - t2fuzz:
    - Added `-S`/`-P`/`-a` options to start netcat (`nc`) before running `t2`
Tranalyzer2 Cobra version 0.9.0lmw1 is out!
- tranalyzer2:
  - Switched to nanoseconds precision:
    - New default values: `TSTAMP_PREC=1`, `B2T_NANOSECS=1`
  - New subnet files
  - Added `ENVCNTRL` flag to control plugin configuration via environment variables
  - Added support for XXH3 (64-bits and 128-bits) hash functions
  - Monitoring mode output field separator can now be changed with `SEP_CHR`
  - Packet mode output field separator can now be changed with `SEP_CHR`
  - Report sensor ID and bound CPU number (if `-c` option was used) in final report
  - Report link layer type in monitoring (status) report
  - Report snapshot length in final and monitoring (status) report
  - Fallback to user's default plugin folder when running T2 with sudo
  - Fixed dissection of IPv6/AH/IPv6
  - Updated t1ha to version v2.1.4
  - Updated wyhash to version wyhash_final4
  - Updated xxhash to version v0.8.1
  - New macros:
  - Minor fixes and improvements
- plugins/*:
  - Added support for `ENVCNTRL`
  - Renamed configuration flags
  - Minor fixes and improvements
- basicFlow:
  - Renamed `ethVlanID` and `ethVlanHdr` to `vlanID` and `vlanHdr`
- basicStats:
  - Added `udpLen`, `snapL[47]Len` to packet mode
- connStat:
  - Added new `connG` feature
- dnsDecode:
  - Added geolocation information to packet mode
- geoip:
  - Also output `geoStat` column when `GEOIP_LIB=0`
- httpSniffer:
  - Added packet mode
- mndpDecode:
  - Fixed autotools backend
- nDPI:
  - Added packet mode
  - Updated nDPI library to version 4.6
- netflowSink:
  - Plugin now also working when `BLOCK_BUF=1`
- pcapd:
  - Added possibility to modify packets before saving them:
    - `PD_TSHFT` (time)
    - `PD_MACSHFT` (MAC addresses)
    - `PD_VLNSHFT` (VLAN ID)
    - `PD_IPSHFT` (IPv4/6 addresses)
    - More flags to control the modification process
  - Fixed `PD_MODE_OUT=1` when `-e` option was used
- portClassifier:
  - Fixed packet mode for L2 flows
- sctpDecode:
  - Improved packet mode
- sslDecode:
  - Updated SSL blacklist
- tcpFlags:
  - Added flag for invalid length in UDP/UDP-Lite header
  - Output UDP length and snapped layer 4/7 length in packet mode
- txtSink:
  - Report libpcap version in _headers.txt file
- voipDetector:
  - Added `VOIP_SIP` to (de)activate SIP dissection
  - Added support for MPEG-2 transport stream (MP2T, RTP type 33)
  - Extract X-Real-IP from SIP header
  - Report number of SIP, SDP, RTP and RTCP packets
  - Fixed extraction of SIP User-Agent
- New plugins:
  - bayesClassifier: classification using Naive Bayes
  - kafkaSink: output into an Apache Kafka event streaming platform
- fsutils.[ch]:
  - New helper functions:
- iputils.[ch]:
  - New helper functions:
    - `ipv4_to_mask()`, `ipv6_to_mask()`
    - `mask_to_ipv4()`, `mask_to_ipv6()`
- subnetHL.h:
  - New helper macros:
    - `SUBNET_POS_UNKNOWN` and `SUBNET_POS_IS_UNKNOWN()`
    - `SUBNET[46]_{ASN,CNTY,CTY,NETID,LAT,LNG,PREC,ORG}`
- t2base64.[ch]:
  - New helper functions to base64 encode data
- t2buf.h:
  - New helper macro: `t2buf_rewind()`
- t2crypto.[ch]:
  - New helper functions to compute message digests (md5, sha1, …)
- t2Plugin.h:
  - New helper macro: `T2_PLUGIN_STRUCT_RESET_ITEM()`
- t2utils.[ch]:
  - New functions and macros for `ENVCNTRL`:
  - New helper macros:
    - `FLOW_IS_IP()`, `PACKET_IS_IP()`
    - `L2_HEADER()`, `L3_HEADER()`, `L4_HEADER()`, `L7_HEADER()`, `ETH_HEADER()`, `LAPD_HEADER()`
    - `IPV4_HEADER()`, `IPV6_HEADER()`
    - `ICMP_HEADER()`, `IGMP_HEADER()`, `PIM_HEADER()`, `SCTP_HEADER()`, `TCP_HEADER()`, [`UDP_HEADER()`](/tutorial/plugindevcheatsheet#layer-4-header)
    - `L2_PROTO()`, `L3_PROTO()`, `L4_PROTO()`, `PROTO_IS_IPV4()`, `PROTO_IS_IPV6()`
    - `PROTO_IS_ICMP4()`, `PROTO_IS_ICMP6()`, `PROTO_IS_IGMP()`, `PROTO_IS_SCTP()`, `PROTO_IS_TCP()`, `PROTO_IS_UDP()`
    - `T2_MKPATH()`
    - `T2_MAC_STRLEN`
    - `T2_FREE_CONST()`
    - `T2_IPV4_TO_STR()`, `T2_IPV6_TO_STR()`
  - New helper functions:
    - `t2_alloc_strcat()`
    - `t2_swap_mac()`
    - `t2_fopen_in_dir()`, `t2_fopen_with_suffix()`
    - `t2_discard_trailing_chars()`
- fpsGplt:
  - Added support for t2plot options
- statGplt:
  - Added `-f`/`--flow` option to plot specific flow only
  - Added `-d`/`--dir` option to plot specific direction only
  - Automatically derive output filename
  - Added support for t2plot options
  - Minor fixes and improvements
- tawk:
  - Improved `texscape()` function
  - Minor fixes and improvements
- t2build:
  - Fix for old meson versions (< 0.36.0)
- t2conf:
  - Added `-e` option to list plugins currently set environment variables
  - Added `-E` option to list plugins available environment variables
  - Fixed `-D` option for empty strings
  - Fixed handling of `-m`, `--dual`, `--ip4` and `--ip6` options
  - Minor fixes and improvements
- t2docker:
  - Improved error reporting
  - Minor fixes and improvements
- t2fm:
  - Report number of flows in Summary section
  - Report snapshot length in Summary section
  - Report unique VLAN tags in Summary section
  - Improved error reporting
  - Minor fixes and improvements
- t2netID:
  - Improved output readability
- t2plot:
  - Improved support for mouse interaction
- t2plugin:
  - Added `-m`/`--minimal`, `-t`/`--t2buf` and `-s`/`--sink` options
  - Added `-y`/`--yes` option
  - Improved plugin number testing/generation for sink plugins
  - Minor fixes and improvements
- t2py:
  - Improved readability of `T2.status()` and `T2Plugin.status()`
- t2test:
  - If *.flags is empty, run t2build instead of aborting
- t2utils.sh:
  - New helper functions: `abort_required_dir`, `abort_required_file_or_dir`
- New script:
  - t2fuzz: corrupt PCAP files and run T2 against them
- API break:
  - flow.h:
    - Some fields in `flow_t` have been renamed
  - packet.h:
    - Renamed `OUTBUF_APPEND_OPTSTR()` to `OUTBUF_APPEND_OPT_STR()`
  - t2utils.h:
    - Changed signatures of `t2_alloc_filename()` and `t2_build_filename()`
    - `t2_open_filename()` was renamed to `t2_fopen()`
  - binaryValue.h:
    - `bv_new_bv()`: swapped parameters `name` and `desc` to match order of `BV_APPEND_*()` macros
- Renamed plugins callbacks:

| New callback function | Old callback function | Handled by |
| --- | --- | --- |
| `t2PluginName` | `get_plugin_name` | `T2_PLUGIN_INIT*()` |
| `t2PluginVersion` | `get_plugin_version` | `T2_PLUGIN_INIT*()` |
| `t2SupportedT2Major` | `get_supported_tranalyzer_version_major` | `T2_PLUGIN_INIT*()` |
| `t2SupportedT2Minor` | `get_supported_tranalyzer_version_minor` | `T2_PLUGIN_INIT*()` |
| `t2Dependencies` | `get_dependencies` | `T2_PLUGIN_INIT_WITH_DEPS()` |
| `t2Init` | `initialize` | |
| `t2PrintHeader` | `printHeader` | |
| `t2OnNewFlow` | `onFlowGenerated` | |
| `t2OnLayer2` | `claimLayer2Information` | |
| `t2OnLayer4` | `claimLayer4Information` | |
| `t2OnFlowTerminate` | `onFlowTerminate` | |
| `t2PluginReport` | `pluginReport` | |
| `t2Monitoring` | `monitoring` | |
| `t2Finalize` | `onApplicationTerminate` | |
| `t2BufferToSink` | `bufferToSink` | |
| `t2SaveState` | `saveState` | |
| `t2RestoreState` | `restoreState` | |

- New signatures for callbacks:
  - `t2BufferToSink` receives the `binary_value_t` to decode the buffer: `void t2BufferToSink(outputBuffer_t *buf, binary_value_t *bv)`
  - `t2OnFlowTerminate` receives the buffer to fill: `void onFlowTerminate(unsigned long flowIndex, outputBuffer_t *buf)`
Tranalyzer2 Tarantula version 0.8.14lmw1 is out!
- tranalyzer2:
  - Added support for configuring aggregation mode with t2conf `--gui`
  - Added support for bit operations in packet mode (`SPKTMD_BOPS`)
  - Added number of L2/IPv4/IPv6 flows to end report
  - Fixed reporting of ARP/RARP packets in final report
- descriptiveStats:
  - Added `DS_QUARTILES` flag to control quartiles calculation
  - Renamed `ENABLE_{IAT,PS}_CALC` to `DS_{IAT,PS}_CALC`
- nDPI:
  - Updated nDPI library to version 4.4
- portClassifier:
  - Added packet mode
- psqlSink:
  - Improved documentation
- regex_pcre:
  - Added packet mode
- sctpDecode:
  - Improved packet mode
  - Various fixes and improvements
- sslDecode:
  - Updated SSL blacklist
- tcpFlags:
  - Added MPTCP variables to packet mode
  - Various fixes and improvements
- New plugins:
  - clickhouseSink: output into a ClickHouse database
  - mndpDecode: MikroTik Neighbor Discovery Protocol
- tawk:
  - New functions: `bitshift`, `isfloat`, `isint`, `isuint`, `nibble_swap`
  - Added variables descriptions (`-V` option) for MPTCP
  - Various fixes and improvements
- t2fm:
  - Added `-c` option to generate a PDF report from a ClickHouse database
  - Various fixes and improvements
- scripts:
  - t2doc: added `-n` option to not open the generated PDF
  - t2timeline: bugfixes and improvements
  - t2conf: added support for bitfields in GUI mode
Tranalyzer2 Tarantula version 0.8.13lmw2 is out!
- tranalyzer2:
- findexer:
  - Added `-P` option to extract specific packets instead of whole flows
- nDPI:
  - Updated nDPI library to version 4.2
- ntlmsspDecode:
  - Produce separate files for NetNTLMv1 and NetNTLMv2 hashes
- sctpDecode:
  - Fixed SCTP stream aggregation in packet and flow mode
  - Chunk parameter extraction
- sslDecode:
  - Updated SSL blacklist
- t2conf:
  - Adapted script for C++ plugins and .hpp files
- tawk:
  - Added `-P` option to extract specific packets instead of whole flows
  - `flow()`, `packet()`: added support for filtering multiple ranges
  - `proto()`: added support for filtering multiple ranges
  - `[sp]?port()`: added support for filtering multiple ranges
  - `t2sort()`, `t2rsort()`: added support for sorting by multiple columns
  - `tobits()`: added option to force interpretation as hex
- setup.sh:
  - Fixed `t2update` check for new version
Tranalyzer2 Tarantula version 0.8.13lmw1 is out!
- tranalyzer2:
  - Added `SPKTMD_PCNTL` flag to control start of payload in packet mode
  - Added `SPKTMD_PCNTH_PREF` and `SPKTMD_PCNTH_SEP` to control byte prefix and separator in packet mode as hex
  - Removed bug in alarm mode when subnet is switched off
  - Improved error reporting
- arpDecode:
  - Improved detection of ARP spoofing
- basicFlow:
  - Fixed packet mode
- httpSniffer:
  - Extended monitoring report
- modbus:
  - Added monitoring report
- ntlmsspDecode:
  - Only print decoding warnings/errors if `DEBUG > 0`
- payloadDumper:
  - Fixed payload extraction based on port numbers
  - Added options to dump payload of layer 2 flows (`PLDUMP_L2` and `PLDUMP_ETHERTYPES`)
  - Added option to start dumping L2 and UDP payload from a specific offset (`PLDUMP_START_OFF`)
- sshDecode:
  - Added monitoring report
  - Code hardening
- sslDecode:
  - Updated SSL blacklist
- tcpFlags:
  - Improved troubleshooting and anomaly info: `tcpAnomaly`, `tcpFStat`, `tcpFlags`, window, seq/ack number features, fault counts, etc.
  - Extended packet mode including `pktTrip`: packet round-trip time and flags
- vrrpDecode:
  - Added monitoring report
  - Code hardening
- vtpDecode:
  - Fixed autotools backend
- t2test:
  - Renamed `-r`/`--resume` option to `-b`/`--resume`
  - Added `-r`/`--configure` option (`t2build -r`)
- tawk:
  - Added `tobits()` function
- t2_aliases:
  - New `sortup` alias (same as `sortu`, i.e., `sort | uniq -C | sort -rn`), but report the relative percentage instead of the absolute count
- setup.sh:
  - Force re-generation of build files
Tranalyzer2 Tarantula version 0.8.12lmw1 is out!
- bgpDecode:
  - Improved scripts and plugin report
- dhcpDecode:
  - Fixed reporting of DHCP messages with types > 8
- ftpDecode, ircDecode, payloadDumper:
  - Fixed handling of retransmissions and out-of-order packets
- payloadDumper:
  - Added capability to dump SCTP payload
  - Improved handling of TCP Keep-Alive packets
  - Added packet mode
- sshDecode:
  - Added packet mode
- sslDecode:
  - Updated SSL blacklist
- tcpFlags:
  - Flag TCP Keep-Alive packets in tcpFStat
  - Improved detection of TCP sequence number anomalies
- torDetector:
  - Improved detection for Tor version <= 0.4.5.10
- t2docker:
  - Minor improvements
- t2fm:
  - Added `-y`/`--yes` option
- t2locate:
  - Refactoring for compatibility with macOS and older systems
- t2py:
  - Added support for tawk: T2Utils.TAWK and T2Utils.tawk()
  - Added support for following streams: T2.follow_stream() and T2Utils.follow_stream()
  - Added support for streaming flows: T2.streaming and T2.stream()
  - Improved error reporting for functions using the subprocess module
  - Improved API documentation
  - Minor improvements
- tawk:
  - New `base64()` function
  - New `follow_stream()` function
  - New `t2rsort()` function to sort in reverse order
  - Added variables descriptions (`-V` option) for BGP and SSL/TLS
- t2_aliases:
  - Added alias for t2locate
  - Improved Bash and ZSH completions
Tranalyzer2 Tarantula version 0.8.11lmw3 is out!
- tranalyzer2/basicFlow:
  - Fixed detection of Tor addresses
  - Moved detection of Tor addresses from basicFlow to the core
- torDetector:
  - Added detection heuristics based on packet size
  - Bug fixes and minor improvements
- t2py:
  - Bug fixes and minor improvements
- See the news for Tranalyzer2 Tarantula version 0.8.11lmw1 and 0.8.11lmw2 below for more details
Tranalyzer2 Tarantula version 0.8.11lmw2 is out!
- torDetector:
  - Added packet mode
- t2py:
  - Improved alias and library documentation
- New plugin:
  - payloadDumper (similar functionality to tcpflow)
- See the news for Tranalyzer2 Tarantula version 0.8.11lmw1 below for more details
Tranalyzer2 Tarantula version 0.8.11lmw1 is out!
- tranalyzer2:
  - New `T2_FPLOG_AGGR_{HEX,HEX0,H8,H16,H32,H64}` macros
  - `OUTBUF_APPEND_NUMREP()` can now be used with non-`uint32_t` variables
  - Fixed flow direction correction for port 8080, 8081, 8088 and 8089
  - Updated uthash to version 2.3.0
- geoip:
  - Added `GEOIP_ASN` and `GEOIP_CONNT` to output source and destination AS number and connection type (only available in GeoLite2 Enterprise DB)
  - Added name of database (`GEOIP_DB_FILE{,4,6}`) to configuration flags
- macRecorder:
  - Faster conversion of EtherType and MAC addresses database
- mqttDecode:
  - Added packet mode
- nDPI:
  - Updated nDPI library to version 4.0
- radiusDecode:
  - New configuration flags
  - Added packet mode
  - Improved flow output
- sshDecode:
  - Updated HASSH fingerprints
- sslDecode:
  - Added `SSL_DETECT_TOR` configuration flag
  - Updated SSL blacklist
- New plugins:
- t2plugin:
  - Added `-N` option to list plugin names only
  - Added `-H` option to remove section headers
- fpsGplt/statGplt/t2plot/t2timeline/t2viz:
  - Added `--gif`/`--jpeg` options
- New t2py library to control and operate T2 with Python
Tranalyzer2 Tarantula version 0.8.10lmw1 is out!
- tranalyzer2:
  - Added support for IEEE 802.3br mPackets encapsulation (`DLT_ETHERNET_MPACKET`)
  - `flowInd` is now printed by the core
  - New OUTBUF_APPEND_ARRAY macros
- New plugin:
- plugins/*:
  - Improved plugin report and packet mode
  - Improved default.config, t2plconf and documentation
- tcpFlags:
  - Fixed reported number of attempted/successful scans
- fpsGplt/statGplt/t2plot/t2timeline/t2viz:
  - Added `--png`/`--svg` options
- tawk:
  - Added `-L` option to decode all variables from Tranalyzer log file
- t2build/autogen.sh:
  - Added support for building/cleaning t2b2t, t2whois and fextractor
  - Use `t2build -i tranalyzer2` to install `tranalyzer` in the plugin folder
- t2conf:
  - Added support for querying the default value of a config flag: `t2conf pluginName -G flagName -g default`
  - Added support for resetting a flag to its default value: `t2conf pluginName -D flagName=default`
  - Adapted `-D`/`-G` options to set/extract values from configuration files: `t2conf pluginName -g [file.config|default] -G name`
  - Added `-S` option to list active plugins in a loading list
  - Use `--gui` with `-g` to graphically edit configuration files instead of headers: `t2conf pluginName -g --gui`
- t2docker:
- t2plot:
  - Added `--no-title` option
- t2rrd:
  - New script combining the old rrdmonitor (`t2rrd -m`) and rrdplot
- t2test:
  - Added `-W` option to ignore warnings caused by `#warning` macro
Tranalyzer2 Tarantula version 0.8.9lmw1 is out!
- tranalyzer2:
  - Added support for long options
  - Added support for t1ha hash functions (meson build backend only)
  - `PLLIST` (plugin loading list) can now be specified as absolute path (previously only possible via tranalyzer `-b` option)
  - Removed global.h:
    - C plugins should include `"t2Plugin.h"` instead
    - C++ plugins should include `"t2Plugin.hpp"` instead
  - Updated MUM-hash to version 3
  - Updated uthash to version 2.1.0
  - Updated wyhash to final (?) version (Aug. 2020)
  - Updated xxhash to version 0.8.0
  - Improved computation of padding bytes for IPv4/6 and LLC
  - Bugfix in IPv6 fragmentation handling
- bin2txt.[ch]:
  - New `B2T_NANOSECS` flag replaces old and buggy `B2T_TIME_IN_MICRO_SECS`
  - Bugfix in human readable time string (`B2T_TIMESTR`)
- t2Plugin.h:
  - Added `T2_PLUGIN_STRUCT_NEW()` macro
- arpDecode:
  - Flag ARP Probes and Announcements
- ftpDecode:
  - Improved data carving capabilities
  - Improved plugin report
  - Fixed name of carved data
- ircDecode:
  - Extensive refactoring
  - Extended flow output
  - Improved data carving and decoding capabilities
- macRecorder:
  - Extended `MR_MACLBL` to output MAC labels as int, hex or string
  - Added `src/dstMacLbl` to packet mode
  - Fixed output of manufacturers in packet mode
- mongoSink, mysqlSink:
  - Store MAC and IPv4/6 addresses as requested in bin2txt.h (`MAC_FORMAT`, `MAC_SEP`, `IP4_FORMAT` and `IP6_FORMAT`)
- nDPI:
  - Updated nDPI library to version 3.4
- ospfDecode:
  - Added support for OSPFv3
  - Improved `rospf` script to map the network with graphviz
- telnetDecode:
  - Improved data carving and decoding capabilities
- tftpDecode:
  - Improved plugin report
  - Fixed typos in column names
  - Extended output of flow and packet mode
- voipDetector:
  - Improved plugin report
- New plugin:
  - mqttDecode
- t2b2t:
  - Added `-l` option to list the column names from a binary file
- t2conf:
  - `-L` option (edit plugin loading list) does not require `--gui` option anymore
- t2whois:
  - Added `T2WHOIS_RANDOM` flag in t2whois.h to (de)activate testing of random IPs (and drop the dependency to libbsd)
- t2build/autogen.sh:
  - Changed default build backend to meson (with a fallback to autotools-out-of-tree)
  - Deprecated autotools build backend
- tawk:
  - Improved `shark()` function (query T2 with wireshark/tshark syntax)
  - Added more variables descriptions (`-V` option): `ethType`, `l4Proto`, …
- New t2docker script:
- fpsGplt:
  - Added `-P`/`--plot` option to directly plot the packet signal
- statGplt:
  - Added `-P`/`--plot` option to directly plot the signals
  - Added `--iat`/`--ps`/`--ps-iat` options to generate specific distributions
- t2plugin:
  - Renamed from `new_plugin`
  - Create new C, C++ or Rust plugins
  - List existing plugins
Tranalyzer2 Tarantula version 0.8.8lmw4 is out!
- tranalyzer2:
  - Improved error reporting
- macRecorder:
  - Updated `manuf.txt`
- sslDecode:
  - Updated `sslblacklist.[ct]sv`
- t2flowstat:
  - Improved and extended replacement of flowstat
- t2whois:
  - Fixed `-k` option to generate KML files
- setup.sh:
  - Added missing `libbsd-devel` and `readline-devel` dependencies for CentOS/Fedora/Red Hat
Tranalyzer2 Tarantula version 0.8.8lmw3 is out!
- tranalyzer2:
  - Updated subnet files
- dnsDecode:
  - New `DNS_WHO` configuration flag to add geo info to DNS A and AAAA records
  - Added type and class of query
- macRecorder:
  - Updated `manuf.txt`
- nDPI:
  - Replaced buggy `kerberos.c` with latest development version from ntop/nDPI
- nFrstPkts:
  - Bugfix in absolute time computation (`NFRST_IAT=2`)
- sslDecode:
  - Updated `sslblacklist.[ct]sv`
- t2conf:
  - Added `--gui` option
- tawk:
  - Added `t2whois()` function
  - Added `passivedns()` function (loaded with `tawk -e`)
Tranalyzer2 Tarantula version 0.8.8lmw2 is out!
- setup.sh: added `-C` option to check for new releases
- tranalyzer2: (thx to Diaf Alaeddine for testing this feature)
  - Corrected `FDURLIMIT` mode for unusual bursty traffic
  - Added `FDLSFINDEX`: sub flows can now have the same findex
- dnsDecode: updated `maldomain.txt`
- icmpDecode:
  - Improved packet mode
  - Report aggregated `icmpStat` in final and monitoring report
  - Detect covert channels such as Loki or OpenSSH in ICMP
- macRecorder: updated `manuf.txt`
- sslDecode: updated `sslblacklist.[ct]sv`
- autogen.sh/t2build:
  - Added `-B` option to change build backend:
    - autotools
    - autotools-out-of-tree
    - cmake
    - meson
  - Added `-G` option to select CMake generator
- t2fm: added `--reset` option
- New tutorial: flow mode
Tranalyzer2 Tarantula version 0.8.8lmw1 is out!
- tranalyzer2, basicFlow, utils:
  - Subnet control moved from basicFlow to tranalyzer2
  - Subnet routines moved from basicFlow to utils/subnet
  - New subnet aggregation mode
  - IPv4/6 Tor address labeling
  - Updated subnet files
  - Fixed subnet, Tor generation
- basicFlow, basicStats, connStat:
  - Added support for subnet aggregation mode
- tranalyzer2:
  - Fixed bug in SCTP engine
- dnsDecode, sslDecode, httpSniffer, tcpStates:
  - Used field name in `Aggregated ...` report (easier to grep and decode)
- jsonSink, mongoSink, mysqlSink, psqlSink, sqliteSink:
  - Added `{JSON,MONGO,MYSQL,PSQL,T2_SQLITE}_SELECT` options to only output/insert specific fields into the DB
- sqliteSink:
  - Automatically grow query buffer as required
  - Replaced `SQLITE_QRY_LEN` with `SQLITE_QRY_MAXLEN` to control maximum size of query buffer
  - Discard flows which could not be deserialized instead of exiting
  - Use Tranalyzer `-w` option as database name
- dnsDecode:
  - Report percentage of flows with alarms
  - Updated domains blacklist
- entropy: added end report
- fnameLabel: added configuration flags: `FNL_LBL`, `FNL_HASH`, `FNL_FLNM` and `FNL_FREL`
- geoip:
- macRecorder:
  - Improved MAC labeling
  - Updated manufacturers list
  - Reduced memory usage
- nDPI: updated nDPI library to version 3.2
- regex_pcre: report percentage of flows with alarms
- sshDecode:
  - Added `SSH_ALGO` to display chosen algorithms
  - Added `SSH_LISTS` to display lists of supported algorithms
  - Added `SSH_FINGERPRINT` to output fingerprints as MD5 or SHA256
  - Improved detection of Elliptic Curve Diffie-Hellman Key Exchange
- sslDecode: updated blacklist
- bin2txt: added `B2T_NON_IP_STR` macro to configure representation of non-IPv4/6 addresses in IP columns
- t2whois: added `-D` option to run as a server
- t2netID: Decode T2 hexadecimal country organization codes
- scripts:
  - t2_aliases: new t2mmdb and t2netID aliases
  - t2build/autogen.sh: new `-U` option to update databases, blacklists, …
  - t2fm:
    - Added top organizations section
    - Added SSH section with top connections and known HASSH signatures
    - Added `--hide-{user,pass,user-pass}` options to obfuscate usernames/passwords
    - Added `--no-*` options to discard specific sections of the report
    - New `-NUM` (`-0`, `-1`, …) option to control the number of queries to run in parallel
  - t2plot: allow for `*` in `-s[xyz]` options, e.g., `-sx '0:*'`
  - t2utils.sh: new helper functions: `find_most_recent_{dir,file}`, `t2_wget[_n]`, `t2_build_exec`, `ask_default_{no,yes}`
Tranalyzer2 Tarantula version 0.8.7lmw1 is out!
- scripts:
- tranalyzer2:
  - Flag and handle IP packets with payload length > framing length
  - Flag IPv4 packets with header length < 20 bytes
  - Fixed column names for `REPORT_HIST=1`
  - Fixed l7Len for OSPFv2
  - Added support for Ethernet over MPLS
- arpDecode: fixed detection of gratuitous ARP
- basicFlow: new subnet files, hex coding for country now 9 bits
- ospfDecode: bugfixes, code hardening
- tcpFlags:
  - MPTCP new features, thx to Theresa TU Berlin
  - Flag and handle corrupt IPv4 options with length = 0
- regex_pcre: New engine and regfile format
Tranalyzer2 Tarantula version 0.8.6lmw1 is out!
- basicFlow:
  - t2whois: new program to query Tranalyzer databases
  - New subnet files, county city configurable
- basicStats: report L2 and L3 biggest talkers
- geoip: updated GeoLite2 database
- macRecorder:
  - Report min, max and average MAC pairs per flow
  - Updated manuf database
- nDPI: updated nDPI library to version 3.0
- radiusDecode, smtpDecode: bugfixes
- sctpDecode: merged `SCTP_CHNKVAL` and `SCTP_CHNKSTR`
- sshDecode: compute and lookup HASSH fingerprints
- sslDecode: updated blacklist
- t2caplist: added `-z` and `-R` options, various fixes
- t2conf: added bash/zsh completion for `-D` and `-G` options
- t2plot:
  - Added support for drawing histograms (`-H` and `-D` options)
  - Added `-c` option to customise chart color
- Tester.py:
  - Make sure to restore default configuration when toggle test failed
  - New options `-S1`, `-S2` and `-J` (bit shift and Johnson counter)
  - New option `-e` to ignore compilation errors caused by `#error` macro
  - New `t2test` alias to run the tester from anywhere
- fpsGplt:
  - fpsEst was merged into fpsGplt as `-j` option
  - Improved `-d` option: `-d 0|1` is now `-d A|B`
- protStat:
  - Added `-C` option to not output percentages
  - Added `-r` option to sort in reverse order
  - Added `-H`, `-HR` and `-HH` options to control the formatting of numbers
  - Added `--color[=WHEN]` option (default: no color if output redirected)
- t2b2t:
  - Utility to convert T2 binary files (renamed from tranalyzer-b2t)
  - Automatically compiled when building binSink or socketSink (`CONTENT_TYPE=0`)
- t2_aliases: new t2b2t and t2whois alias
- setup.sh: added `-u`/`-U` option to (not) update the databases
Tranalyzer2 Tarantula version 0.8.5lmw2 is out!
- basicFlow: bugfix teredo subnet labeling
Tranalyzer2 Tarantula version 0.8.5lmw1 is out!
- Windows 10 version
- tranalyzer2: bugfix in packetCapture: fragment hash lookup missing l4proto
- tcpFlags: Bugfixes
  - `ipFlags`: Fragmentation and OSPF checksum calculation
  - `ipFlags`: Min frag flag not at last packet
  - Limit pseudo header calculation, OSPF has no pseudo header
  - Packet Mode: relative seq/ack number calculation
  - TCP time option: fix of uptime clock estimation
  - Window scale value
  - Scan detector
- httpSniffer: robust against corrupted chunked pages
Tranalyzer2 Tarantula version 0.8.4lm2 is out!
- basicFlow: improved subnet files
- dnsDecode: updated blacklists
- geoip: updated GeoLite2 database
- macRecorder: updated manuf database
- sslDecode: updated certificate blacklist
Tranalyzer2 Tarantula version 0.8.4lm1 is out!
- Reorganization of source code
- Plugins moved into plugins/ subfolder
- tranalyzer2:
- basicFlow:
  - Simplified configuration for EtherType, MAC, VLAN and MPLS
  - Added src/dst-Mac to flow output (`BFO_MAC=1`)
  - New improved subnet files and Tor labeling
- dhcpDecode: added `DHCP_FLAG_MAC` flag
  - Added `dhcpSrcMac` and `dhcpDstMac` columns
- geoip: favour GeoLite2 over Legacy databases
- protoStats/nDPI: added number of bytes for each protocol
- scripts:
- New tutorials:
Tranalyzer2 Tarantula version 0.8.3lm2 is out!
Andy in Finland
Tranalyzer2 Tarantula version 0.8.2lm2 is out!
- Fix for macOS
Tranalyzer2 Tarantula version 0.8.2lm1 is out!
- New plugin: findexer
- basicFlow:
  - Updated IPv4/6 databases
  - Flag Tor addresses
- dnsDecode: blacklisted domain names detection
- ftpDecode: bug fixes
- geoip: updated databases
- nDPI: updated nDPI library to 2.6.0
- pwX: improved detection of HTTP based credentials
- sslDecode: updated JA3/JA3S database and SSL blacklist
- tranalyzer2:
  - Improved final and monitoring reports
  - Improved network aggregation mode IPv4/6
- autogen.sh/t2build:
  - Faster parallel compilation
  - New `-P`/`--profile` option
- Simpler control of MAC addresses representation (utils/bin2txt.h):
  - `MAC_FORMAT`: 0: string, 1: hex
  - `MAC_SEP`: separator for MAC addresses as string (default: `":"`)
- Avoid unnecessary dependency to zlib (*Sink)
- tawk: removed deprecated function `bitisset`
  - Use `bitsanyset` and `bitsallset` instead
- Bugfixes and code hardening
Tranalyzer2 Tarantula version 0.8.1lm4 is out!
Tranalyzer2 Tarantula version 0.8.1lm3 is out!
- More TM features in nFrstPkts scripts, tutorial improvements
- tcpFlags: minwinsz detection, doc
- telnetDecode: bug fixes
- Minor code refactoring
Tranalyzer2 Tarantula version 0.8.1lm2 is out!
- Fix for older distributions where zlib version < 1.2.9 (big thanks to Ali Safari Khatouni from Dalhousie University for reporting the issue!)
Tranalyzer2 Tarantula version 0.8.1 is out!
- New plugins:
- scripts:
  - Improved t2fm: create PDF report from MongoDB or PostgreSQL database
  - New t2plot and traffic mining scripts
- nFrstPkt: new signal preprocessing features
- Improved dnsDecode and arpDecode
- txtSink: added option to compress (gzip) the output
- Geo-labeling information for packet mode (`-s` option)
- Check out our tutorials
Tranalyzer2 Tarantula version 0.8.0 is out!
- Concurrent L2, IPv4/6 triple mode.
- Linux & MAC tested.
- It is a different and more powerful beast, so check it out.
Tranalyzer2 Boeing version 0.7.6 is out!
This is the last Boeing version before the IPv4/6 dual mode Tarantula version!
- Linux & MAC tested.
- Improved end and t2fm report.
- Several bug fixes.
- Some protocol plugins added.
- Improved IPv4/6 geolabeling in basicFlow, now also non-CIDR ranges are possible, if enabled: `SUBRNG=1`.
- Improved packet/flow statistics for traffic mining.
Tranalyzer2 Boeing Version 0.7.5 is out!
- Linux & MAC tested.
- More support for L2 encapsulations
- Improved packet mode
- Core code refactored
- Fast and more precise IPv4/6 geolabeling in basicFlow (special thx to Lars from UniBW), so slow geoip might be obsolete some day.
- New plugin:
  - telnetDecode: because somebody insisted, here it is. Have fun!
Tranalyzer2 Boeing Version 0.7.4 is out!
- HashAutopilot: Protection against flow hash overflow, T2 finishes its job without complaining
- Added support for GENEVE, VXLAN-GPE and NSH
- Added support for WCCP, JUNIPER_PPPOE and JUMBO_LLC
- Added support for `DLT_PPP_SERIAL`
- New plugins:
- Better fragmentation hashing
Tranalyzer 2 Boeing Version 0.7.1 is out!
- Several encapsulations added, such as:
  - Ethernet over IP (EtherIP)
  - Control and Provisioning of Wireless Access Points (CAPWAP)
  - Anything in Anything (AYIYA)
  - … and more!
- Improved packet mode, now each plugin can contribute
- Improved protocol plugins including content downloads
- Improved SCTP support
- Better human readability of end report
- Improved t2fm PDF summary report scripts
- New powerful tawk post processing scripts
We are also continuously fuzzing and testing Tranalyzer to keep it resilient against all kinds of attacks.
New tutorial
PDF Report Generation from PCAP using t2fm
Sample report (IPs and passwords anonymized for privacy reasons): (PDF)