Tutorial: Tranalyzer2 Cheatsheet
This cheatsheet summarises the most important scripts and commands used and discussed in the various tutorials.
List of Tranalyzer2 scripts and utilities
Script     | Description                                     | Tutorial
t2         | run Tranalyzer                                  |
st2        | run Tranalyzer as root (sudo)                   |
gt2        | run Tranalyzer in the gdb debugger              |
t2build    | build (load/unload) plugins                     | [Tutorial]
t2conf     | configure plugins                               | [Tutorial]
t2doc      | access plugin documentation                     |
t2b2t      | convert T2 binary file to text or json          |
t2fm       | generate a PDF report from a PCAP file          | [Tutorial]
t2plot     | 2D/3D plot                                      | [Tutorial]
t2stat     | send signals (interrupts) to Tranalyzer2        | [Tutorial]
t2timeline | generate a timeline from a flow file            | [Tutorial]
t2whois    | query the anteater's subnet file                | [Tutorial]
protStat   | sort and manipulate protocol statistics files   | [Tutorial]
tawk       | awk for Tranalyzer flow and packet files        | [Tutorial]
For more details about a specific command, use the script's -h or --help option.
List of Tranalyzer2 navigation shortcuts
Shortcut   | Description
$T2HOME    | tranalyzer root folder
$T2PLHOME  | tranalyzer plugin root folder
tran       | go to tranalyzer root folder
tranpl     | go to tranalyzer plugin root folder
pluginName | go to tranalyzer pluginName root folder
.tran      | go to tranalyzer active plugin folder (~/.tranalyzer/plugins)
t2conf: Configuring Tranalyzer2 and the Plugins
To change the value of a configuration flag run:
$ t2conf pluginName -D FLAG_NAME=new_value
To check the value of a configuration flag run:
$ t2conf pluginName -G FLAG_NAME
To list the configuration flags available run:
$ t2conf pluginName -I
To reset a plugin configuration to its default values run:
$ t2conf pluginName --reset
To save a plugin configuration run:
$ t2conf pluginName -g
Note that the -g option accepts a filename:
$ t2conf pluginName -g /where/to/save/file.config
To load a plugin configuration run:
$ t2conf pluginName -C /path/to/file.config
Note that if the default filename is used, -C auto can be used instead:
$ t2conf pluginName -C auto
For more details about t2conf, run:
$ t2conf --help
For an in-depth discussion about t2conf, refer to the Configuration kung fu tutorial.
t2build: Building Tranalyzer2 and the Plugins
Build the default plugins:
$ t2build
Build specific plugins:
$ t2build pluginName1 pluginName2
Build everything:
$ t2build -a
Rebuild Tranalyzer2 and the current plugins:
$ t2build -R
Unload (deactivate) a plugin:
$ t2build -u pluginName
List the plugins in the plugin folder:
$ t2build -l
Empty the plugin folder:
$ t2build -e
For more details about t2build, run:
$ t2build --help
For an in-depth discussion about t2build, refer to the Building kung fu tutorial.
t2/st2: Running Tranalyzer2
Analyze a pcap:
$ t2 -r file.pcap
Change the output prefix:
$ t2 -r file.pcap -w /path/prefix
Save the final report in a file:
$ t2 -r file.pcap -l
Analyze traffic (as root) from an interface:
$ st2 -i eth0
For more details about t2, run:
$ t2 --help
Post-processing
protStat
The protStat script can be used to sort, filter and manipulate the statistics files generated by the following plugins:
- protoStats: _protocols.txt
- icmpDecode: _icmpStats.txt
- igmpDecode: _igmpStats.txt
- nDPI: _nDPI.txt
Sort a file by packets:
$ protStat file.txt
Sort a file by bytes:
$ protStat -b file.txt
Sort in reverse order:
$ protStat -r file.txt
Only display values with packet probability greater than 50%:
$ protStat -p 50 file.txt
Only display values with byte probability smaller than 1%:
$ protStat -b -p -1 file.txt
Only display the 5 values with highest byte count:
$ protStat -b -n 5 file.txt
Only display the 10 values with lowest packet count:
$ protStat -n -10 file.txt
For more details about protStat, run:
$ protStat --help
tawk
Decode a Tranalyzer status bitfield:
$ tawk -V name
$ tawk -V name=value
List the column names and numbers of a flow file:
$ tawk -l file_flows.txt
List the functions provided by tawk:
$ tawk -g
Alternatively, refer to the Alphabetical List of TAWK Functions.
Access the documentation of a tawk function:
$ tawk -d name
For more details about tawk, run:
$ tawk --help
For an in-depth discussion about tawk, refer to the Post processing with TAWK tutorial.
t2plot
Basic histograms:
$ t2plot -D file_with_one_column.txt
$ tawk '{ print $col1 }' file_with_many_columns.txt | t2plot -D
$ t2plot -D -o colName file_with_many_columns.txt
$ t2plot -D -o colNumber file_with_many_columns.txt
Basic 2D plots:
$ t2plot file_with_two_columns.txt
$ tawk '{ print $col1, $col2 }' file_with_many_columns.txt | t2plot
$ t2plot -D -o colName1:colName2 file_with_many_columns.txt
$ t2plot -D -o colNumber1:colNumber2 file_with_many_columns.txt
Basic 3D plots:
$ t2plot file_with_three_columns.txt
$ tawk '{ print $col1, $col2, $col3 }' file_with_many_columns.txt | t2plot
$ t2plot -D -o colName1:colName2:colName3 file_with_many_columns.txt
$ t2plot -D -o colNumber1:colNumber2:colNumber3 file_with_many_columns.txt
Reduce the X, Y or Z range:
$ t2plot -sx lowestValueX:highestValueX -sy lowestValueY:highestValueY -sz lowestValueZ:highestValueZ ...
For more examples with t2plot, run:
$ t2plot -e
For more details about t2plot, run:
$ t2plot --help
t2whois
t2whois can be used to query the basicFlow geolocation database.
Query one or more IP addresses:
$ t2whois 127.0.0.1 ::1
Query IP addresses from file:
$ head file.txt
1.2.3.4
5.6.7.8
$ t2whois -r file.txt
Query IP addresses from a file and output the results as one tab separated line:
$ tawk -H '{ print $srcIP "\n" $dstIP }' file_flows.txt | sort -u | t2whois -l
Only output specific fields:
$ t2whois -o netmask,who 1.2.3.4
List the fields available:
$ t2whois -L
Enter the interactive (prompt) mode:
$ t2whois
Generate a KML file which can be loaded in, e.g., Google Earth or Google Maps:
$ tawk '{ print $dstIP }' file_flows.txt | sort -u | t2whois -k file.kml
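The two pipelines above (the one feeding `t2whois -l` and the one feeding `t2whois -k`) both start by pulling the srcIP/dstIP columns out of a flow file and deduplicating them. The following is an added example, not code from the Tranalyzer2 project, that performs that extraction step with plain POSIX awk so it also runs where tawk is not installed: it resolves column names to numbers from the header the way `tawk -l` lists them, then prints the distinct addresses. It assumes, as Tranalyzer2 flow files have, a first line starting with `%` whose tab-separated fields are the column names, and it works on a small constructed flow file (the sample rows and the `make_sample_flows`, `flow_col` and `unique_ips` names are this example's own).

```shell
#!/bin/sh
# Added example, not part of the Tranalyzer2 project: the IP extraction step
# of the t2whois pipelines, done with plain POSIX awk instead of tawk.
# Assumption: the first line of a flow file starts with '%' and its
# tab-separated fields are the column names; all later lines are flow records.

# Write a small constructed flow file (a subset of real basicFlow columns).
make_sample_flows() { # make_sample_flows FILE
    printf '%%dir\tflowInd\tsrcIP\tsrcPort\tdstIP\tdstPort\tnumPktsSnt\n' > "$1"
    printf 'A\t1\t10.0.0.5\t51234\t198.51.100.7\t443\t12\n' >> "$1"
    printf 'B\t1\t198.51.100.7\t443\t10.0.0.5\t51234\t9\n'  >> "$1"
    printf 'A\t2\t10.0.0.5\t51235\t203.0.113.9\t80\t3\n'    >> "$1"
}

# Print the 1-based number of the column called NAME (the same mapping that
# `tawk -l` lists for every column). Returns 1 if there is no such column
# or the file has no '%' header line, so callers never silently use "$".
flow_col() { # flow_col FILE NAME
    awk -F'\t' -v want="$2" '
        NR == 1 {
            if (substr($1, 1, 1) == "%") {
                sub(/^%/, "", $1)
                for (i = 1; i <= NF; i++)
                    if ($i == want) { print i; found = 1; break }
            }
            exit
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Print every distinct address seen as source or destination, one per line,
# sorted: the list the `tawk ... | sort -u` pipelines hand to t2whois.
unique_ips() { # unique_ips FILE
    src=$(flow_col "$1" srcIP) || return 1
    dst=$(flow_col "$1" dstIP) || return 1
    awk -F'\t' -v s="$src" -v d="$dst" 'NR > 1 { print $s; print $d }' "$1" | sort -u
}

# Stand-alone demo on the constructed file; in practice pipe unique_ips
# into `t2whois -l` (or `t2whois -k file.kml`) for the actual lookup.
demo=$(mktemp)
make_sample_flows "$demo"
unique_ips "$demo"
rm -f "$demo"
```

Resolving the column number from the header instead of hard-coding `$3`/`$5` is the point: the position of srcIP and dstIP in a flow file depends on which plugins were loaded and in which order, so a fixed field number silently extracts the wrong column after a `t2build` that loads or unloads a plugin.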
Get information about the databases:
$ t2whois -V
For more details about t2whois, run:
$ t2whois -h
For an in-depth discussion about t2whois, refer to the Geolocation and WHOIS behind it tutorial.