News archive

Latest news

Tranalyzer2 Tarantula version 0.8.10lmw1 is out!

  • tranalyzer2:
    • Added support for IEEE 802.3br mPackets encapsulation (DLT_ETHERNET_MPACKET)
    • flowInd is now printed by the core
    • New OUTBUF_APPEND_ARRAY macros
  • New plugin:
  • plugins/*:
  • tcpFlags:
    • Fixed reported number of attempted/successful scans
  • fpsGplt/statGplt/t2plot/t2timeline/t2viz:
    • Added --png/--svg options
  • tawk:
    • Added -L option to decode all variables from Tranalyzer log file
  • t2build/autogen.sh:
    • Added support for building/cleaning t2b2t, t2whois and fextractor
    • Use t2build -i tranalyzer2 to install tranalyzer in the plugin folder
  • t2conf:
    • Added support for querying the default value of a config flag: t2conf pluginName -G flagName -g default
    • Added support for resetting a flag to its default value: t2conf pluginName -D flagName=default
    • Adapted -D/-G options to set/extract values from configuration files t2conf pluginName -g [file.config|default] -G name
    • Added -S option to list active plugins in a loading list
    • Use --gui with -g to graphically edit configuration files instead of headers: t2conf pluginName -g --gui
  • t2docker:
    • Massively reduced image size
    • Added -m/--multi-stage option
    • Added support for t2whois and t2b2t
  • t2plot:
    • Added --no-title option
  • t2rrd:
    • New script combining the old rrdmonitor (t2rrd -m) and rrdplot
  • t2test:
    • Added -W option to ignore warnings caused by #warning macro

Monday, 07.06.2021

Tranalyzer2 Tarantula version 0.8.9lmw1 is out!

  • tranalyzer2:
    • Added support for long options
    • Added support for t1ha hash functions (meson build backend only)
    • PLLIST (plugin loading list) can now be specified as absolute path (previously only possible via tranalyzer -b option)
    • Removed global.h:
    • Updated MUM-hash to version 3
    • Updated uthash to version 2.1.0
    • Updated wyhash to final (?) version (Aug. 2020)
    • Updated xxhash to version 0.8.0
    • Improved computation of padding bytes for IPv4/6 and LLC
    • Bugfix in IPv6 fragmentation handling
  • bin2txt.[ch]:
    • New B2T_NANOSECS flag replaces old and buggy B2T_TIME_IN_MICRO_SECS
    • Bugfix in human readable time string (B2T_TIMESTR)
  • t2Plugin.h:
  • arpDecode:
    • Flag ARP Probes and Announcements
  • ftpDecode:
    • Improved data carving capabilities
    • Improved plugin report
    • Fixed name of carved data
  • ircDecode:
    • Extensive refactoring
    • Extended flow output
    • Improved data carving and decoding capabilities
  • macRecorder:
    • Extended MR_MACLBL to output MAC labels as int, hex or string
    • Added src/dstMacLbl to packet mode
    • Fixed output of manufacturers in packet mode
  • mongoSink, mysqlSink:
    • Store MAC and IPv4/6 addresses as requested in bin2txt.h (MAC_FORMAT, MAC_SEP, IP4_FORMAT and IP6_FORMAT)
  • nDPI:
    • Updated nDPI library to version 3.4
  • ospfDecode:
    • Added support for OSPFv3
    • Improved rospf script to map the network with graphviz
  • telnetDecode:
    • Improved data carving and decoding capabilities
  • tftpDecode:
    • Improved plugin report
    • Fixed typos in column names
    • Extended output of flow and packet mode
  • voipDetector:
    • Improved plugin report
  • New plugin:
    • mqttDecode
  • t2b2t:
    • Added -l option to list the column names from a binary file
  • t2conf:
    • -L option (edit plugin loading list) does not require --gui option anymore
  • t2whois:
    • Added T2WHOIS_RANDOM flag in t2whois.h to (de)activate testing of random IPs (and drop the dependency on libbsd)
  • t2build/autogen.sh:
    • Changed default build backend to meson (with a fallback to autotools-out-of-tree)
    • Deprecated autotools build backend
  • tawk:
    • Improved shark() function (query T2 with wireshark/tshark syntax)
    • Added more variables descriptions (-V option): ethType, l4Proto, …
  • New t2docker script:
    • create and manage Tranalyzer Docker containers
    • run T2 commands inside Docker containers
  • fpsGplt:
    • Added -P/--plot option to directly plot the packet signal
  • statGplt:
    • Added -P/--plot option to directly plot the signals
    • Added --iat/--ps/--ps-iat options to generate specific distributions
  • t2plugin:

Thursday, 04.03.2021

Tranalyzer2 Tarantula version 0.8.8lmw4 is out!

  • tranalyzer2:
    • Improved error reporting
  • macRecorder:
    • Updated manuf.txt
  • sslDecode:
    • Updated sslblacklist.[ct]sv
  • t2flowstat:
    • Improved and extended replacement of flowstat
  • t2whois:
    • Fixed -k option to generate KML files
  • setup.sh:
    • Added missing libbsd-devel and readline-devel dependencies for CentOS/Fedora/Red Hat

Friday, 24.07.2020

Tranalyzer2 Tarantula version 0.8.8lmw3 is out!

  • tranalyzer2:
    • Updated subnet files
  • dnsDecode:
    • New DNS_WHO configuration flag to add geo info to DNS A and AAAA records
    • Added type and class of query
  • macRecorder:
    • Updated manuf.txt
  • nDPI:
    • Replaced buggy kerberos.c with latest development version from ntop/nDPI
  • nFrstPkts:
    • Bugfix in absolute time computation (NFRST_IAT=2)
  • sslDecode:
    • Updated sslblacklist.[ct]sv
  • t2conf:
    • Added --gui option
  • tawk:
    • Added t2whois() function
    • Added passivedns() function (loaded with tawk -e)

Friday, 26.06.2020

Tranalyzer2 Tarantula version 0.8.8lmw2 is out!

  • setup.sh: added -C option to check for new releases
  • tranalyzer2: (thx to Diaf Alaeddine for testing this feature)
    • Corrected FDURLIMIT mode for unusual bursty traffic
    • Added FDLSFINDEX: sub flows can now have the same findex
  • dnsDecode: updated maldomain.txt
  • icmpDecode:
    • Improved packet mode
    • Report aggregated icmpStat in final and monitoring report
    • Detect covert channels such as Loki or OpenSSH in ICMP
  • macRecorder: updated manuf.txt
  • sslDecode: updated sslblacklist.[ct]sv
  • autogen.sh/t2build:
    • Added -B option to change build backend:
      • autotools
      • autotools-out-of-tree
      • cmake
      • meson
    • Added -G option to select CMake generator
  • t2fm: added --reset option
  • New tutorial: flow mode

Wednesday, 10.06.2020

Tranalyzer2 Tarantula version 0.8.8lmw1 is out!

  • tranalyzer2, basicFlow, utils:
  • basicFlow, basicStats, connStat:
  • tranalyzer2:
    • Fixed bug in SCTP engine
  • dnsDecode, sslDecode, httpSniffer, tcpStates:
    • Use field names in the Aggregated ... report (easier to grep and decode)
  • jsonSink,mongoSink,mysqlSink,psqlSink,sqliteSink:
    • Added {JSON,MONGO,MYSQL,PSQL,T2_SQLITE}_SELECT options to only output/insert specific fields into the DB
  • sqliteSink:
    • Automatically grow query buffer as required
    • Replaced SQLITE_QRY_LEN with SQLITE_QRY_MAXLEN to control maximum size of query buffer
    • Discard flows which could not be deserialized instead of exiting
    • Use Tranalyzer -w option as database name
  • dnsDecode:
    • Report percentage of flows with alarms
    • Updated domains blacklist
  • entropy: added end report
  • fnameLabel: added configuration flags: FNL_LBL, FNL_HASH, FNL_FLNM and FNL_FREL
  • geoip:
    • Replaced GEOIP_LEGACY configuration flag with GEOIP_LIB=[0,1,2]
    • Faster direct MaxMindDB access
    • t2mmdb: fast direct request to MaxMindDB
    • t2mmdba: convert MaxMindDB to T2 subnet format
  • macRecorder:
    • Improved MAC labelling
    • Updated manufacturers list
    • Reduced memory usage
  • nDPI: updated nDPI library to version 3.2
  • regex_pcre: report percentage of flows with alarms
  • sshDecode:
    • Added SSH_ALGO to display chosen algorithms
    • Added SSH_LISTS to display lists of supported algorithms
    • Added SSH_FINGERPRINT to output fingerprints as MD5 or SHA256
    • Improved detection of Elliptic Curve Diffie-Hellman Key Exchange
  • sslDecode: updated blacklist
  • bin2txt: added B2T_NON_IP_STR macro to configure representation of non-IPv4/6 addresses in IP columns
  • t2whois: added -D option to run as a server
  • t2netID: Decode T2 hexadecimal country organisation codes
  • scripts:
    • t2_aliases: new t2mmdb and t2netID aliases
    • t2build/autogen.sh: new -U option to update databases, blacklists, …
    • t2fm:
      • Added top organisations section
      • Added SSH section with top connections and known HASSH signatures
      • Added --hide-{user,pass,user-pass} options to obfuscate usernames/passwords
      • Added --no-* options to discard specific sections of the report
      • New -NUM (-0, -1, …) option to control the number of queries to run in parallel
    • t2plot: allow for * in -s[xyz] options, e.g., -sx '0:*'
    • t2utils.sh: new helper functions: find_most_recent_{dir,file}, t2_wget[_n], t2_build_exec, ask_default_{no,yes}

Monday, 27.04.2020

Tranalyzer2 Tarantula version 0.8.7lmw1 is out!

  • scripts:
    • t2conf, t2test, t2fm, tawk: bugfixes and improvements
    • Simplified configuration:
      • Reset: t2conf pluginName --reset
      • Generate: t2conf pluginName -g myPluginName.conf
      • Apply: t2conf pluginName -C myPluginName.conf
  • tranalyzer2:
    • Flag and handle IP packets with payload length > framing length
    • Flag IPv4 packets with header length < 20 bytes
    • Fixed column names for REPORT_HIST=1
    • Fixed l7Len for OSPFv2
    • Added support for Ethernet over MPLS
  • arpDecode: fixed detection of gratuitous ARP
  • basicFlow: new subnetfiles, hex coding for country now 9 bits
  • ospfDecode: bugfixes, code hardening
  • tcpFlags:
    • MPTCP new features, thx to Theresa TU Berlin
    • Flag and handle corrupt IPv4 options with length = 0
  • regex_pcre: New engine and regfile format

Friday, 29.11.2019

Tranalyzer2 Tarantula version 0.8.6lmw1 is out!

  • basicFlow:
    • t2whois: new program to query Tranalyzer databases
    • New subnet files, country/city configurable
  • basicStats: report L2 and L3 biggest talkers
  • geoip: updated GeoLite2 database
  • macRecorder:
    • Report min, max and average MAC pairs per flow
    • Updated manuf database
  • nDPI: updated nDPI library to version 3.0
  • {radius,smtp}Decode: bugfixes
  • sctpDecode: merged SCTP_CHNKVAL and SCTP_CHNKSTR
  • sshDecode: compute and lookup HASSH fingerprints
  • sslDecode: updated blacklist
  • t2caplist: added -z and -R options, various fixes
  • t2conf: added bash/zsh completion for -D and -G options
  • t2plot:
    • Added support for drawing histograms (-H and -D options)
    • Added -c option to customise chart color
  • Tester.py:
    • Make sure to restore default configuration when toggle test failed
    • New options -S1, -S2 and -J (bit shift and Johnson counter)
    • New option -e to ignore compilation errors caused by #error macro
    • New t2test alias to run the tester from anywhere
  • fpsGplt:
    • fpsEst was merged into fpsGplt as -j option
    • Improved -d option: -d 0|1 is now -d A|B
  • protStat:
    • Added -C option to not output percentages
    • Added -r option to sort in reverse order
    • Added -H, -HR and -HH options to control the formatting of numbers
    • Added --color[=WHEN] option (default: no color if output redirected)
  • t2b2t:
    • Utility to convert T2 binary files (renamed from tranalyzer-b2t)
    • Automatically compiled when building binSink or socketSink (CONTENT_TYPE=0)
  • t2_aliases: new t2b2t and t2whois alias
  • setup.sh: added -u/-U option to (not) update the databases

Tuesday, 08.10.2019

Tranalyzer2 Tarantula version 0.8.5lmw2 is out!

  • basicFlow: bugfix in Teredo subnet labeling

Thursday, 05.09.2019

Tranalyzer2 Tarantula version 0.8.5lmw1 is out!

  • Windows 10 version
  • tranalyzer2: bugfix in packetCapture: fragment hash lookup missing l4proto
  • tcpFlags: Bugfixes
    • ipFlags: Fragmentation and OSPF checksum calculation
    • ipFlags: Min frag flag not at last packet
    • Limit pseudo header calculation, OSPF has no pseudo header
    • Packet Mode: relative seq/ack number calculation
    • TCP time option: fix of uptime clock estimation
    • Window scale value
    • Scan detector
  • httpSniffer: robust against corrupted chunked pages

Friday, 30.08.2019

Tranalyzer2 Tarantula version 0.8.4lm2 is out!

  • basicFlow: improved subnet files
  • dnsDecode: updated blacklists
  • geoip: updated GeoLite2 database
  • macRecorder: updated manuf database
  • sslDecode: updated certificate blacklist

Tuesday, 09.07.2019

Tranalyzer2 Tarantula version 0.8.4lm1 is out!

  • Reorganisation of source code
    • Plugins moved into plugins/ subfolder
  • tranalyzer2:
    • Improved ALARM and FORCE mode
    • Added new hash functions
  • basicFlow:
    • Simplified configuration for EtherType, MAC, VLAN and MPLS
    • Added src/dst-Mac to flow output (BFO_MAC=1)
    • New improved subnet files and tor labelling
  • dhcpDecode: added DHCP_FLAG_MAC flag
    • Added dhcpSrcMac and dhcpDstMac columns
  • geoip: favour GeoLite2 over Legacy databases
  • protoStats/nDPI: added number of bytes for each protocol
  • scripts:
  • New tutorials:

Friday, 21.06.2019

Tranalyzer2 Tarantula version 0.8.3lm2 is out!

  • Landattack L2 removed
  • scripts:

Tuesday, 02.04.2019

Andy in Finland

  • The Anteater is currently in Finland giving a workshop at the BoostAcademy in Turku and eating some bugs, courtesy of ENTIS.
  • Find out more about the workshop here!

Friday, 29.03.2019

Tranalyzer2 Tarantula version 0.8.2lm2 is out!

  • Fix for OSX

Tuesday, 19.02.2019

Tranalyzer2 Tarantula version 0.8.2lm1 is out!

  • New plugin: findexer
  • basicFlow:
    • Updated IPv4/6 databases
    • Flag Tor addresses
  • dnsDecode: blacklisted domain names detection
  • ftpDecode: bug fixes
  • geoip: updated databases
  • nDPI: updated nDPI library to 2.6.0
  • pwX: improved detection of HTTP based credentials
  • sslDecode: updated JA3/JA3S database and SSL blacklist
  • tranalyzer2:
    • Improved final and monitoring reports
    • Improved network aggregation mode IPv4/6
  • autogen.sh/t2build:
    • Faster parallel compilation
    • New -P/--profile option
  • Simpler control of MAC addresses representation (utils/bin2txt.h):
    • MAC_FORMAT: 0: string, 1: hex
    • MAC_SEP: separator for MAC addresses as string (default: ":")
  • Avoid unnecessary dependency on zlib (*Sink)
  • tawk: removed deprecated function bitisset
    • Use bitsanyset and bitsallset instead
  • Bugfixes and code hardening

Wednesday, 06.02.2019

Tranalyzer2 Tarantula version 0.8.1lm4 is out!

  • basicFlow: bugfixes in Teredo
  • scripts:
    • Facilitated configuration of .h files via t2conf
    • Improved fpsStat mining script
  • Output function refactoring
  • Doc fixed
  • Tutorials corrections

Thursday, 08.11.2018

Tranalyzer2 Tarantula version 0.8.1lm3 is out!

  • More TM features in nFrstPkts scripts, tutorial improvements
  • tcpFlags: minwinsz detection, doc
  • telnetDecode: bug fixes
  • Minor code refactoring

Friday, 02.11.2018

Tranalyzer2 Tarantula version 0.8.1lm2 is out!

  • Fix for older distributions where zlib version < 1.2.9 (big thanks to Ali Safari Khatouni from Dalhousie University for reporting the issue!)

Tuesday, 30.10.2018

Tranalyzer2 Tarantula version 0.8.1 is out!

  • New plugins:
    • sslDecode: SSL/TLS, including JA3 hash
    • p0f: OS fingerprinting based on SSL/TLS
  • scripts:
    • Improved t2fm: create PDF report from MongoDB or PostgreSQL database
    • New t2plot and traffic mining scripts
  • nFrstPkt: new signal preprocessing features
  • Improved dnsDecode and arpDecode
  • txtSink: added option to compress (gzip) the output
  • Geo-labeling information for packet mode (-s option)
  • Check out our tutorials

Friday, 26.10.2018

Tranalyzer2 Tarantula version 0.8.0 is out!

  • Concurrent L2, IPv4/6 triple mode.
  • Linux & MAC tested.
  • It is a different and more powerful beast, so check it out.

Friday, 06.07.2018

Tranalyzer2 Boeing version 0.7.6 is out!

This is the last Boeing version before the IPv4/6 dual mode Tarantula version!

  • Linux & MAC tested.
  • Improved end and t2fm report.
  • Several bug fixes.
  • Some protocol plugins added.
  • Improved IPv4/6 geolabeling in basicFlow, now also non-CIDR ranges are possible, if enabled: SUBRNG=1.
  • Improved packet/flow statistics for traffic mining.

Wednesday, 16.05.2018

Tranalyzer2 Boeing Version 0.7.5 is out!

  • Linux & MAC tested.
  • More support for L2 encapsulations
  • Improved packet mode
  • Core code refactored
  • Fast and more precise IPv4/6 geolabeling in basicFlow (special thx to Lars from UniBW), so slow geoip might be obsolete some day.
  • New plugin:
    • telnetDecode: because somebody insisted, here it is. Have fun!

Tuesday, 30.01.2018

Tranalyzer2 Boeing Version 0.7.4 is out!

  • HashAutopilot: Protection against flow hash overflow, T2 finishes its job without complaining
  • Added support for GENEVE, VXLAN-GPE and NSH
  • Added support for WCCP, JUNIPER_PPPOE and JUMBO_LLC
  • Added support for DLT_PPP_SERIAL
  • New plugins:
    • cdpDecode
    • lldpDecode
    • radiusDecode
  • Better fragmentation hashing

Monday, 20.11.2017

Tranalyzer 2 Boeing Version 0.7.1 is out!

  • Several encapsulations added, such as:
    • Ethernet over IP (EtherIP)
    • Control and Provisioning of Wireless Access Points (CAPWAP)
    • Anything in Anything (AYIYA)
    • … and more!
  • Improved packet mode, now each plugin can contribute
  • Improved protocol plugins including content downloads
  • Improved SCTP support
  • Better human readability of end report
  • Improved t2fm PDF summary report scripts
  • New powerful tawk post processing scripts

We are also continuously fuzzing and testing Tranalyzer to keep it resilient against all kinds of attacks.

Friday, 23.06.2017

New tutorial

PDF Report Generation from PCAP using t2fm

Sample report (IPs and passwords anonymized for privacy reasons): (PDF)

Tuesday, 09.05.2017