Tutorial: Tranalyzer2 Cheatsheet
Contents
This cheatsheet summarises the most important scripts and commands used and discussed in the various tutorials.
List of Tranalyzer2 scripts and utilities
t2 |
run Tranalyzer | |
st2 |
run Tranalyzer as root (sudo) | |
gt2 |
run Tranalyzer in the gdb debugger |
|
t2build |
build (load/unload) plugins | [Tutorial] |
t2conf |
configure plugins | [Tutorial] |
t2doc |
access plugin documentation | |
t2b2t |
convert T2 binary file to text or json | |
t2fm |
generate a PDF report from a PCAP file | [Tutorial] |
t2plot |
2D/3D plot | [Tutorial] |
t2stat |
send signals (interrupts) to Tranalyzer2 | [Tutorial] |
t2timeline |
generate a timeline from a flow file | [Tutorial] |
t2whois |
query the anteaters subnetfile | [Tutorial] |
protStat |
sort and manipulate protocol statistics files | [Tutorial] |
tawk |
awk for Tranalyzer flow and packet files |
[Tutorial] |
For more details about a specific command, use the script -h or --help option.
List of Tranalyzer2 navigation shortcuts
$T2HOME |
tranalyzer root folder |
$T2PLHOME |
tranalyzer plugin root folder |
tran |
go to tranalyzer root folder |
tranpl |
go to tranalyzer plugin root folder |
pluginName |
go to tranalyzer pluginName root folder |
.tran |
go to tranalyzer active plugin folder (~/.tranalyzer/plugins) |
t2conf: Configuring Tranalyzer2 and the Plugins
To change the value of a configuration flag run:
$ t2conf pluginName -D FLAG_NAME=new_valueTo check the value of a configuration flag run:
$ t2conf pluginName -G FLAG_NAMETo list the configuration flags available run:
$ t2conf pluginName -ITo reset a plugin configuration to its default values run:
$ t2conf pluginName --resetTo save a plugin configuration run:
$ t2conf pluginName -gNote that the
-goption accepts a filename:$ t2conf pluginName -g /where/to/save/file.configTo load plugin configuration run:
$ t2conf pluginName -C /path/to/file.configNote that if the default filename is used,
-C autocan be used instead$ t2conf pluginName -C autoFor more details about
t2conf, run:$ t2conf --helpFor an in-depth discussion about
t2conf, refer to the Configuration kung fu tutorial.
t2build: Building Tranalyzer2 and the Plugins
Build the default plugins:
$ t2buildBuild specific plugins:
$ t2build pluginName1 pluginName2Build everything:
$ t2build -aRebuild Tranalyzer2 and the current plugins:
$ t2build -RUnload (deactivate) a plugin:
$ t2build -u pluginNameList the plugins in the plugin folder:
$ t2build -lEmpty the plugin folder:
$ t2build -eFor more details about
t2build, run:$ t2build --helpFor an in-depth discussion about
t2build, refer to the Building kung fu tutorial.
t2/st2: Running Tranalyzer2
Analyze a pcap:
$ t2 -r file.pcapChange the output prefix:
$ t2 -r file.pcap -w /path/prefixSave the final report in a file:
$ t2 -r file.pcap -lAnalyze traffic (as root) from an interface:
$ st2 -i eth0For more details about
t2, run:$ t2 --help
Post-processing
protStat
The protStat script can be used to sort, filter and manipulate one of the files generated by one of those plugins:
- protoStats: _protocols.txt
- icmpDecode: _icmpStats.txt
- igmpDecode: _igmpStats.txt
nDPI: _nDPI.txt
Sort a file by packets:
$ protStat file.txtSort a file by bytes:
$ protStat -b file.txtSort in reverse order:
$ protStat -r file.txtOnly display values with packet probability greater than 50%:
$ protStat -p 50 file.txtOnly display values with byte probability smaller than 1%:
$ protStat -b -p -1 file.txtOnly display the 5 values with highest byte count:
$ protStat -b -n 5 file.txtOnly display the 10 values with lowest packet count:
$ protStat -n -10 file.txtFor more details about
protStat, run:$ protStat --help
tawk
Decode Tranalyzer status bitfield
$ tawk -V name ... $ tawk -V name=value ...List the column names and numbers of a flow file:
$ tawk -l file_flows.txtList the functions provided by
tawk:$ tawk -gAlternatively, refer to the Alphabetical List of TAWK Functions.
Access the documentation of a
tawkfunction:$ tawk -d nameFor more details about
tawk, run:$ tawk --help
For an in-depth discussion about tawk, refer to the Post processing with TAWK tutorial.
t2plot
Basic histograms:
$ t2plot -D file_with_one_columns.txt ... $ tawk '{ print $col1 }' file_with_many_columns.txt | t2plot -D ... $ t2plot -D -o colName file_with_many_columns.txt ... $ t2plot -D -o colNumber file_with_many_columns.txtBasic 2D plots:
$ t2plot file_with_two_columns.txt ... $ tawk '{ print $col1, $col2 }' file_with_many_columns.txt | t2plot ... $ t2plot -D -o colName1:colName2 file_with_many_columns.txt ... $ t2plot -D -o colNumber1:colNumber2 file_with_many_columns.txtBasic 3D plots:
$ t2plot file_with_three_columns.txt ... $ tawk '{ print $col1, $col2, $col3 }' file_with_many_columns.txt | t2plot ... $ t2plot -D -o colName1:colName2:colName3 file_with_many_columns.txt ... $ t2plot -D -o colNumber1:colNumber2:colNumber3 file_with_many_columns.txtReducing X-, Y- or Z- range:
$ t2plot -sx lowestValueX:highestValueX -sy lowestValueY:highestValueY -sz lowestValueZ:highestValueZ ...For more examples with
t2plot, run:$ t2plot -eFor more details about
t2plot, run:$ t2plot --help
t2whois
t2whois can be used to query basicFlow geolocation database.
Query one or more IP addresses:
$ t2whois 127.0.0.1 ::1Query IP addresses from file:
$ head file.txt 1.2.3.4 5.6.7.8 $ t2whois -r file.txtQuery IP addresses from a file and output the results as one tab separated line:
$ tawk -H '{ print $srcIP "\n" print $dstIP }' file_flows.txt | sort -u | t2whois -lOnly output specific fields:
$ t2whois -o netmask,who 1.2.3.4List the fields available:
$ t2whois -LEnter the interactive (prompt) mode:
$ t2whoisGenerate a KML file which can be loaded in, e.g., Google Earth or Google Maps:
$ tawk '{ print $dstIP }' file_flows.txt | sort -u | t2whois -k file.kmlGet information about the databases:
$ t2whois -VFor more details about
t2whois, run:$ t2whois -h
For an in-depth discussion about t2whois, refer to the Geolocation and WHOIS behind it tutorial.