Frequently Asked Questions (FAQ)


After ./setup.sh, I receive the following error: -bash: t2: command not found

After running the setup.sh script, you need to open a new bash window or source your .bashrc (or .zshrc, …) file in order for the new aliases and functions to be available:

t2

-bash: t2: command not found

source ~/.bashrc

t2

Tranalyzer 0.9.0 - High performance flow based network traffic analyzer

Usage
    tranalyzer [OPTION...] <INPUT>

...

T2 does not have the feature I need…

We are always looking for ways to improve T2, so send us an email and we’ll implement the feature you need in no time!

If the hash table is full, how much memory do I need to add?

When T2 warns you that the hash table is full, it also tells you how to correct the problem:


[WRN] Hash Autopilot: main HashMap full: flushing 1 oldest flow(s)
[INF] Hash Autopilot: Fix: Invoke Tranalyzer with '-f 5'

T2 estimates the multiplication factor HASHFACTOR, which you can set with the -f command line option. By default, the main hash autopilot is enabled, which keeps T2 sane even if it runs out of flow memory. Nevertheless, T2 will be faster if you feed him the recommended -f factor.

Can I change the timeout of a specific flow in my plugin?

That is possible because each flow owns a timeout value which can be altered even on a per-packet basis. This enables the user to program stateful protocol plugins. Refer to the Flow timeout programming tutorial or check out the tcpStates plugin for inspiration.

Can I reduce the maximal flow length?

In tranalyzer2/src/tranalyzer.h you will find a constant called FDURLIMIT. Set it to the number of seconds you like and T2 will terminate every flow after at most FDURLIMIT+1 seconds and create a new flow for the next packet to come.

t2conf tranalyzer2 -D FDURLIMIT="60"

Can I produce CSV files instead of TSV (flow file, packet file)?

Yes, the separation character is defined as SEP_CHR in utils/bin2txt.h. It can be set to any character(s), e.g., "," or "||".

In order to produce a CSV file, run:

t2conf tranalyzer2 -D SEP_CHR=","

You may also want to change the extension of the produced files:

t2conf txtSink -D FLOWS_TXT_SUFFIX="_flows.csv"

t2conf tranalyzer2 -D PACKETS_SUFFIX="_packets.csv"

In addition, the character(s) used for comments, e.g., column names, are controlled by HDR_CHR in the same file.

t2conf tranalyzer2 -D HDR_CHR="#"

Note that Tranalyzer default values are "\t" and "%", respectively.

Be advised that if you change either of those values, some scripts may not work as expected.

How can I change the separation character in the flow file?

The separation character is defined as SEP_CHR in utils/bin2txt.h. It can be set to any character(s), e.g., "," or "||".

t2conf tranalyzer2 -D SEP_CHR=","

In addition, the character(s) used for comments, e.g., column names, are controlled by HDR_CHR in the same file.

t2conf tranalyzer2 -D HDR_CHR="#"

Note that Tranalyzer default values are "\t" and "%", respectively.

Be advised that if you change either of those values, some scripts may not work as expected.

How can I build all the plugins?

If you invoked the setup.sh script, you may use:

t2build -a

Refer to the Building Tranalyzer2 and the Plugins tutorial for more information.

T2 failed to compile or to load: what can I do?

If a dependency is missing, you should see an appropriate error message, e.g.,

Failed to configure plugin pluginName
Missing dependency libname?

In this case, try installing the dependency and recompiling the plugin.

If no such message is displayed, it could be that the Makefiles are outdated or your core uses a different configuration than your plugins.

Start by recompiling all your plugins:

t2build -R

If this happens after a system update:


ERROR: Build directory has been generated with Meson version 0.60.3, which is incompatible with the current version 0.61.1.

Failed to build tranalyzer2

Then use t2build -R -r to force the rebuild of the Makefiles:

t2build -R -r

Moreover, a typical error requiring the use of t2build -r is:

...
/bin/bash: line 10: automake-: command not found
Makefile:333: recipe for target `Makefile.in' failed
make[1]: *** [Makefile.in] Error 127
...

If you see the following message, then the autotools are not installed:


make: Entering directory '/home/user/tranalyzer2-0.9.3/tranalyzer2/doc'
make: Nothing to be done for 'clean'.
make: Leaving directory '/home/user/tranalyzer2-0.9.3/tranalyzer2/doc'
../autogen.sh: line 116: autoreconf: command not found
../autogen.sh: line 118: ./configure: No such file or directory

Failed to build tranalyzer2

In this case, please refer to Getting Started.


ERROR: Build directory has been generated with Meson version 0.x.y, which is incompatible with the current version 0.z.v.

The error message above can also occur after updating to a new version. Then you have to recompile using the -r option, e.g., for a single plugin:

t2build -r plugin

or, safer, forcefully recompile everything under your plugin directory, which also updates all necessary files, such as the subnet or MAC labelling files:

t2build -R -r -f

T2 segfaults: what can I do?

T2 never segfaults! Unless he deviates from his cosmic plan and indeed segfaults. The most prominent reason is memory inconsistencies between the core and old plugins resident under ~/.tranalyzer/plugins/.

  • Remove all the plugins from the plugin folder

    t2build -e -c -a -y

    
    Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
    Plugin folder emptied
    ...
    CLEANING SUCCESSFUL
    
  • Recompile all the plugins, or the plugins you use including the core, e.g.,

    t2build tranalyzer2 tcpStates basicFlow basicStats dnsDecode httpSniffer txtSink

  • T2 should behave again.

For the developer

If that does not fix the problem, recompile T2 in debug mode:

t2build -R -d

and try to run t2 in gdb with the gt2 command:

gt2 -r file.pcap -w outpref

If the error happens while writing flows, try to remove plugins until the error disappears. Finally, run the segvtrack script as follows:

segvtrack file.pcap

This will automatically reduce the PCAP to the smallest set of packets which causes a segfault.

If this does not help, send us a bug report with this pcap, T2 configuration (the values that differ from the default) and the plugins you are using. Then we will get a fix for you in no time.

socketSink plugin aborts with could not connect to socket: connection refused

The socketSink plugin acts as a client in a socket communication. Therefore, a server listening on the address, port and socket type defined by SKS_SERVADD, SKS_DPORT and SKS_SOCKTYPE is required. As described in the Example section of the socketSink plugin documentation, a simple server can be set up with netcat as follows:

t2conf socketSink -G SKS_SERVADD -G SKS_DPORT

SKS_SERVADD = "127.0.0.1"
SKS_DPORT = 6666

nc -l 127.0.0.1 6666

Make sure the address and port match the values listed in socketSink.h.

T2 stalls after USR1 interrupt: what can I do?

It is a bug in libpcap, which is not thread-safe under certain conditions. Check whether T2 is set to the default signal threading mode (in main.h):

t2conf tranalyzer2 -G MONINTTHRD -G MONINTPSYNC

MONINTTHRD = 1
MONINTPSYNC = 1

Do not forget to recompile T2 with ./autogen.sh if you had to change the configuration.

Now the printing process is detached from the packet capture and the output is synchronized with the packet processing main loop. Thus, pcap is never interrupted.

Can I reuse my configuration between different machines or Tranalyzer versions?

You can write a patch for t2conf and use it as follows: t2conf --patch file.patch. Revert the patch with the --rpatch option. The patch is a simple text file listing the defines to change, e.g., IPV6_ACTIVATE <tab> 1 <tab> 0 <tab> tranalyzer2/src/networkHeaders.h. For more details, refer to the documentation of t2conf.

I executed ./setup.sh and later compiled a plugin with t2build, but it bailed out with an error

First, try to build the plugin, e.g., nDPI, alone:

t2build -r nDPI

...

Failed to configure plugin nDPI
Missing dependency libgcrypt?

Look in the compiler's error report for the library you need to install. Install it and redo the t2build command.

To avoid these mishaps, you can also install the dependencies for all extra plugins and then rebuild your plugin:

./setup.sh -d -a

t2build -r nDPI

Not all linktypes have been implemented in Tranalyzer2. Nevertheless, there is a hack! If you know at which offset your IP header starts, e.g., 42, configure T2 as follows and it will bypass the error and process your data:

t2conf tranalyzer2 -D NOLAYER2=1 -D NOL2_L3HDROFFSET=42

This tells T2 to start dissecting IP at offset 42 (change the offset according to your data!). Everything before is simply ignored.

Do not forget to recompile T2:

t2build tranalyzer2
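As an added illustration (not part of Tranalyzer or this FAQ), the following Python script reads the global header and first record of a classic pcap file, reports the linktype, and scans the first packet for the offset at which an IPv4 header with a valid checksum begins, which is the value to pass as NOL2_L3HDROFFSET. It assumes a pcap (not pcapng) file and IPv4; the sample capture is constructed inline with a DLT_USER0 linktype (147) and 42 bytes of opaque encapsulation in front of the IP header.

```python
import struct

def ipv4_checksum(hdr):
    """RFC 791 one's-complement checksum over the IPv4 header (0 when valid)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def looks_like_ipv4(buf, off):
    """True if a plausible IPv4 header with a valid checksum starts at buf[off]."""
    if off + 20 > len(buf) or buf[off] >> 4 != 4:
        return False
    ihl = (buf[off] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[off + 2:off + 4])[0]
    if ihl < 20 or total_len < ihl or off + ihl > len(buf):
        return False
    return ipv4_checksum(buf[off:off + ihl]) == 0

def find_l3_offset(pkt, max_off=256):
    """Return the first offset at which an IPv4 header is found, else None."""
    for off in range(0, min(max_off, len(pkt) - 20) + 1):
        if looks_like_ipv4(pkt, off):
            return off
    return None

def first_packet_offset(pcap):
    """Parse the pcap global header and first record: (linktype, L3 offset)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    linktype = struct.unpack(end + "I", pcap[20:24])[0]   # DLT value
    incl_len = struct.unpack(end + "I", pcap[32:36])[0]   # captured bytes
    return linktype, find_l3_offset(pcap[40:40 + incl_len])

def t2conf_command(offset):
    """The T2 configuration command from this FAQ for the detected offset."""
    return "t2conf tranalyzer2 -D NOLAYER2=1 -D NOL2_L3HDROFFSET=%d" % offset

# Constructed sample: linktype 147 (DLT_USER0), 42 bytes of opaque
# encapsulation, then a 20-byte IPv4/UDP header and 8 bytes of payload.
SAMPLE_IP_HDR = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x4000,
                                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
SAMPLE_IP_HDR[10:12] = struct.pack("!H", ipv4_checksum(bytes(SAMPLE_IP_HDR)))
SAMPLE_PKT = bytes(range(42)) + bytes(SAMPLE_IP_HDR) + b"\x00" * 8
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 147)
               + struct.pack("<IIII", 0, 0, len(SAMPLE_PKT), len(SAMPLE_PKT)) + SAMPLE_PKT)
```

Check several packets rather than only the first before trusting the offset, and note that IPv6 has no header checksum, so this heuristic does not apply to it.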

How to contribute code, submit a bug or request a feature?

You can simply contact the Anteater via email and he will answer you.