Frequently Asked Questions (FAQ)
Contents
- After ./setup.sh, I receive the following error: -bash: t2: command not found
- T2 does not have the feature I need…
- If the hash table is full, how much memory do I need to add?
- Can I change the timeout of a specific flow in my plugin?
- Can I reduce the maximal flow length?
- Can I produce CSV files instead of TSV (flow file, packet file)?
- How can I change the separation character in the flow file?
- How can I build all the plugins?
- T2 failed to compile or to load: what can I do?
- T2 segfaults: what can I do?
- socketSink plugin aborts with could not connect to socket: connection refused
- T2 stalls after USR1 interrupt: what can I do?
- Can I reuse my configuration between different machines or Tranalyzer versions?
- I executed ./setup.sh and later compiled a plugin with t2build, but it bailed out with an error
- T2 cannot process my data and exits with ‘Unsupported link-layer type’ error
- How to contribute code, submit a bug or request a feature?
After ./setup.sh, I receive the following error: -bash: t2: command not found
After running the setup.sh script, you need to open a new bash window or source your .bashrc (or .zshrc, …) file in order for the new aliases and functions to be available:
t2
-bash: t2: command not found
source ~/.bashrc
t2
Tranalyzer 0.9.0 - High performance flow based network traffic analyzer
Usage
tranalyzer [OPTION...] <INPUT>
...
T2 does not have the feature I need…
We are always looking for ways to improve T2, so send us an email and we’ll implement the feature you need in no time!
If the hash table is full, how much memory do I need to add?
When T2 warns you that the hash table is full, it also tells you how to correct the problem:
[WRN] Hash Autopilot: main HashMap full: flushing 1 oldest flow(s)
[INF] Hash Autopilot: Fix: Invoke Tranalyzer with '-f 5'
T2 calculates an estimate of the multiplication factor HASHFACTOR, which you can set with the -f command line option.
By default, the main hash autopilot is enabled, which maintains the sanity of T2 even if it runs out of flow memory.
Nevertheless, T2 will be faster if you feed him the recommended -f factor.
Can I change the timeout of a specific flow in my plugin?
That is possible because each flow owns a timeout value which can be altered even on packet basis. It enables the user to program stateful protocol plugins. Refer to the Flow timeout programming tutorial or check out the tcpStates plugin as an inspiration.
Can I reduce the maximal flow length?
In tranalyzer2/src/tranalyzer.h you will find a constant called FDURLIMIT.
Set it to the number of seconds you like and T2 will terminate every flow after at most FDURLIMIT+1 seconds and create a new flow for the next packet to come:
t2conf tranalyzer2 -D FDURLIMIT="60"
Can I produce CSV files instead of TSV (flow file, packet file)?
Yes, the separation character is defined as SEP_CHR in utils/bin2txt.h.
It can be set to any character(s), e.g., "," or "||".
In order to produce a CSV file, run:
t2conf tranalyzer2 -D SEP_CHR=","
You may also want to change the extension of the produced files:
t2conf txtSink -D FLOWS_TXT_SUFFIX="_flows.csv"
t2conf tranalyzer2 -D PACKETS_SUFFIX="_packets.csv"
In addition, the character(s) used for comments, e.g., column names, is controlled by HDR_CHR in the same file:
t2conf tranalyzer2 -D HDR_CHR="#"
Note that the Tranalyzer default values are "\t" and "%", respectively.
Be advised that if you change either of those values, some scripts may not work as expected.
How can I change the separation character in the flow file?
The separation character is defined as SEP_CHR in utils/bin2txt.h.
It can be set to any character(s), e.g., "," or "||":
t2conf tranalyzer2 -D SEP_CHR=","
In addition, the character(s) used for comments, e.g., column names, is controlled by HDR_CHR in the same file:
t2conf tranalyzer2 -D HDR_CHR="#"
Note that the Tranalyzer default values are "\t" and "%", respectively.
Be advised that if you change either of those values, some scripts may not work as expected.
How can I build all the plugins?
If you invoked the script setup.sh, then you may use:
t2build -a
Refer to the Building Tranalyzer2 and the Plugins tutorial for more information.
T2 failed to compile or to load: what can I do?
If a dependency is missing, you should see an appropriate error message, e.g.:
Failed to configure plugin pluginName
Missing dependency libname?
In this case, try installing the dependency and recompiling the plugin.
If no such message is displayed, it could be that the Makefiles are outdated or your core uses a different configuration than your plugins.
Start by recompiling all your plugins:
t2build -R
If this happens after a system update:
ERROR: Build directory has been generated with Meson version 0.60.3, which is incompatible with the current version 0.61.1.
Failed to build tranalyzer2
then use the -r option together with -R to force the rebuild of the Makefiles:
t2build -R -r
Moreover, a typical error requiring the use of t2build -r is:
...
/bin/bash: line 10: automake-: command not found
Makefile:333: recipe for target `Makefile.in' failed
make[1]: *** [Makefile.in] Error 127
...
If you see the following message, then the autotools are not installed:
make: Entering directory '/home/user/tranalyzer2-0.9.3/tranalyzer2/doc'
make: Nothing to be done for 'clean'.
make: Leaving directory '/home/user/tranalyzer2-0.9.3/tranalyzer2/doc'
../autogen.sh: line 116: autoreconf: command not found
../autogen.sh: line 118: ./configure: No such file or directory
Failed to build tranalyzer2
In this case, please refer to Getting Started.
ERROR: Build directory has been generated with Meson version 0.x.y, which is incompatible with the current version 0.z.v.
The error message above can also happen if you updated a version. Then you have to recompile everything using the -r option:
t2build -r plugin
or, safer, forcefully recompile everything under your plugin directory, which also updates all necessary files, such as subnet or MAC labeling files:
t2build -R -r -f
T2 segfaults: what can I do?
T2 never segfaults! Unless he deviates from his cosmic plan and indeed segfaults. The most prominent reason is memory inconsistencies between the core and old plugins resident under ~/.tranalyzer/plugins/.
Remove all the plugins from the plugin folder:
t2build -e -c -a -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
...
CLEANING SUCCESSFUL
Recompile all the plugins, or the plugins you use including the core, e.g.,
t2build tranalyzer2 tcpStates basicFlow basicStats dnsDecode httpSniffer txtSink
T2 should behave again.
For the developer
If that does not fix the problem, recompile T2 in debug mode:
t2build -R -d
and try to run t2 in gdb with the gt2 command:
gt2 -r file.pcap -w outpref
If the error happens while writing flows, try to remove plugins until the error disappears.
Finally, run the segvtrack script as follows:
segvtrack file.pcap
This will automatically reduce the PCAP to the smallest set of packets which causes a segfault.
If this does not help, send us a bug report with this pcap, T2 configuration (the values that differ from the default) and the plugins you are using. Then we will get a fix for you in no time.
socketSink plugin aborts with could not connect to socket: connection refused
The socketSink plugin acts as a client in a socket communication.
Therefore, a server listening on SKS_SERVADD, SKS_DPORT and SKS_SOCKTYPE is required.
As described in the Example Section of the socketSink plugin documentation, a simple server can be set up with netcat as follows:
t2conf socketSink -G SKS_SERVADD -G SKS_DPORT
SKS_SERVADD = "127.0.0.1"
SKS_DPORT = 6666
nc -l 127.0.0.1 6666
Make sure the address and port match the values listed in socketSink.h.
T2 stalls after USR1 interrupt: what can I do?
It is a bug in libpcap, which somehow is not thread-safe under certain conditions. Check whether T2 is set to the default signal threading mode in main.h:
t2conf tranalyzer2 -G MONINTTHRD -G MONINTPSYNC
MONINTTHRD = 1
MONINTPSYNC = 1
Do not forget to recompile T2 with ./autogen.sh if you had to change the configuration.
Now the process of printing is detached from the packet capture and the output is synchronized to the packet processing main loop. Thus, pcap is never interrupted.
Can I reuse my configuration between different machines or Tranalyzer versions?
You can write a patch for t2conf and use it as follows: t2conf --patch file.patch
Revert the patch with the --rpatch option.
The patch is a simple text file listing the defines to change, e.g., IPV6_ACTIVATE <tab> 1 <tab> 0 <tab> tranalyzer2/src/networkHeaders.h
For more details, refer to the documentation of t2conf.
I executed ./setup.sh and later compiled a plugin with t2build, but it bailed out with an error
First, try to build the plugin, e.g., nDPI, alone:
t2build -r nDPI
...
Failed to configure plugin nDPI
Missing dependency libgcrypt?
Look in the error report of the compiler which library you need to install.
Install it and redo the t2build command.
In order to avoid these mishaps, you can also install the dependencies for all extra plugins and then rebuild your plugin:
./setup.sh -d -a
t2build -r nDPI
T2 cannot process my data and exits with ‘Unsupported link-layer type’ error
Not all link-layer types have been implemented in Tranalyzer2. Nevertheless, there is a hack! If you know at which offset your IP header starts, e.g., 42, configure T2 as follows and it will bypass the error and process your data:
t2conf tranalyzer2 -D NOLAYER2=1 -D NOL2_L3HDROFFSET=42
This tells T2 to start dissecting IP at offset 42 (change the offset according to your data!). Everything before is simply ignored.
Do not forget to recompile T2:
t2build tranalyzer2
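To pick a value for NOL2_L3HDROFFSET on an unfamiliar link type, it helps to locate the IPv4 header in the capture first. The following script is an added example and not part of Tranalyzer: it reads the classic pcap global header for the link type, samples a few frames and returns the first offset at which all of them carry a checksum-valid IPv4 header. The sample capture is constructed in the code (LINKTYPE_USER0, 147, with 42 bytes of opaque pseudo-header); all function names are the example's own.

```python
import struct

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum; yields 0 for a header whose checksum field is correct."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def looks_like_ipv4(frame: bytes, off: int) -> bool:
    """Plausibility test for an IPv4 header starting at byte `off` of `frame`."""
    if off + 20 > len(frame) or frame[off] >> 4 != 4:
        return False
    ihl = (frame[off] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, off + 2)[0]
    if ihl < 20 or total_len < ihl or off + total_len > len(frame):  # trailing padding is fine
        return False
    return ipv4_checksum(frame[off:off + ihl]) == 0

def find_l3_offset(pcap: bytes, max_frames: int = 5):
    """Return (linktype, offset): first offset at which all sampled frames carry a valid IPv4 header, else None."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    pos, frames = 24, []
    while pos + 16 <= len(pcap) and len(frames) < max_frames:
        incl_len = struct.unpack_from(endian + "IIII", pcap, pos)[2]  # ts_sec, ts_usec, incl_len, orig_len
        frames.append(pcap[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    for off in range(max(0, min((len(f) for f in frames), default=19) - 19)):
        if all(looks_like_ipv4(f, off) for f in frames):
            return linktype, off
    return linktype, None

def build_sample_pcap(prefix_len: int = 42, linktype: int = 147) -> bytes:
    """Constructed input, not real traffic: LINKTYPE_USER0 frames with `prefix_len` opaque bytes before an IPv4/UDP datagram."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i in range(3):
        udp = struct.pack("!HHHH", 40000 + i, 53, 8 + 12, 0) + b"query-%06d" % i
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), i, 0x4000, 64, 17, 0,
                         b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x07")  # 192.0.2.1 -> 198.51.100.7
        ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the header checksum
        frame = bytes([0xAA]) * prefix_len + ip + udp
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out
```

Run find_l3_offset on the first bytes of your own capture file; the returned offset is the value to pass as NOL2_L3HDROFFSET, and the returned link type tells you which encapsulation T2 refused.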
How to contribute code, submit a bug or request a feature?
You can simply contact the Anteater via email and he will answer you.