Tranalyzer2 cheatsheet

cheatsheet

This cheatsheet summarizes the most important scripts and commands used and discussed in the various tutorials.

List of Tranalyzer2 plugins

For an overview of Tranalyzer2 plugins, refer to The plugins tutorial.

List of Tranalyzer2 scripts and utilities

t2 run Tranalyzer
st2 run Tranalyzer as root (sudo)
gt2 run Tranalyzer in the gdb (Linux) or lldb (macOS) debugger
t2build build (load/unload) plugins
t2conf configure plugins
t2doc access plugin documentation
t2docker run T2 commands inside Docker, create and manage T2 containers
t2b2t convert T2 binary file to text or json
t2fm generate a PDF report from a PCAP file
t2flowstat generate flow statistics from flow file
t2fuzz corrupt PCAP files and run T2 against them
t2locate query location database to acquire information about a city near float point terrestrial coordinates
t2mmdb query IPs from MaxMind DB and get the results in T2 format
t2netID decode hexadecimal network IDs
t2plot 2D/3D plot
t2plugin create new plugins and list existing plugins
t2py Control and Operate T2 with Python
t2rrd Monitoring and plotting with RRD Tool
t2stat send signals (interrupts) to Tranalyzer2
t2test run a toggle test on a specified plugin
t2timeline generate a timeline from a flow file
t2update check for a new version of Tranalyzer and update if requested
t2viz generates a graphviz script which can be loaded into xdot or dotty
t2whois query the anteaters subnet file
fextractor use findexer *_flows.xer* file to extract specific flows/packets into a new pcap
protStat sort and manipulate protocol statistics files
fpsGplt transform 2/3D statistics output from pktSIATHisto to gnuplot format
statGplt transform the output from nFrstPkts to gnuplot format
tawk awk for Tranalyzer flow and packet files

For more details about a specific command, use the script -h or --help option.

List of Tranalyzer2 navigation shortcuts

$T2HOME tranalyzer root folder
$T2PLHOME tranalyzer plugin root folder
tran go to tranalyzer root folder
tranpl go to tranalyzer plugin root folder
pluginName go to tranalyzer pluginName root folder, e.g., tcpFlags
.tran go to tranalyzer active plugin folder (~/.tranalyzer/plugins)
subnetutils go to tranalyzer subnet utils directory ($T2HOME/utils/subnet/)

List of important Tranalyzer2 configuration flags

Refer to the Tranalyzer2 Configuration Cheatsheet.

t2conf: configure Tranalyzer2 and the plugins

  • To change the value of a configuration flag run:

    • To set the value in the header file, e.g., pluginName.h: t2conf pluginName -D FLAG_NAME=new_value

    • To set the value in the config file, i.e., pluginName.config: t2conf pluginName -D FLAG_NAME=new_value -g

    • To set the value in a specific config file: t2conf pluginName -D FLAG_NAME=new_value -g /path/to/myconfig.cfg

  • To reset the value of a configuration flag to its default:

    • To reset the value in the header file, e.g., pluginName.h: t2conf pluginName -D FLAG_NAME=default

    • To reset the value in the config file, i.e., pluginName.config: t2conf pluginName -D FLAG_NAME=default -g

    • To reset the value in a specific config file: t2conf pluginName -D FLAG_NAME=default -g /path/to/myconfig.cfg

  • To check the value of a configuration flag run:

    • To get the value from the header file, e.g., pluginName.h: t2conf pluginName -G FLAG_NAME

    • To get the value from the config file, i.e., pluginName.config: t2conf pluginName -g -G FLAG_NAME

    • To get the default value from default.config: t2conf pluginName -g default -G FLAG_NAME

    • To get the value from a specific config file: t2conf pluginName -g /path/to/myconfig.cfg -G FLAG_NAME

  • To list the configuration flags available run:

    t2conf pluginName -I

  • To list the environment configuration flags available run:

    t2conf pluginName -E

  • To list the environment configuration flags currently set run:

    t2conf pluginName -e

  • To reset a plugin configuration to its default values run:

    t2conf pluginName --reset

  • To save a plugin configuration run (if no filename is specified, default to $T2HOME/plugins/pluginName/pluginName.config):

    t2conf pluginName -g

    t2conf pluginName -g /where/to/save/file.config

  • To load plugin configuration run:

    t2conf pluginName -C /path/to/file.config

    Note that if the default filename is used ($T2HOME/plugins/pluginName/pluginName.config), then -C auto can be used instead

    t2conf pluginName -C auto

  • Create a plugin loading list (if no filename is specified, default to $HOME/.tranalyzer/plugins/plugins.load):

    t2conf -L plugin1 plugin2 ...

    t2conf -L plugins.txt plugin1 plugin2 ...

  • Extract active plugins from a loading list (if no filename is specified, default to $HOME/.tranalyzer/plugins/plugins.load):

    t2conf -S

    t2conf -S plugins.txt

  • Graphical selection and configuration of the plugins [Tutorial]:

    t2conf --gui

  • Graphical configuration of a plugin [Tutorial]:

    t2conf pluginName --gui

  • Graphically editing configuration files, e.g., pluginName.config, instead of header files:

    t2conf pluginName -g --gui

  • Graphically create a plugin loading list:

    t2conf -L --gui

    t2conf -L plugins.txt --gui

  • For more details about t2conf, run:

    t2conf --help

  • For an in-depth discussion about t2conf, refer to the Configuration kung fu tutorial.

t2build: build Tranalyzer2 and the plugins

  • Build the default plugins:

    t2build

  • Build specific plugins:

    t2build pluginName1 pluginName2

  • Build everything:

    t2build -a

  • Rebuild Tranalyzer2 and the current plugins:

    t2build -R

  • Unload (deactivate) a plugin:

    t2build -u pluginName

  • List the plugins in the plugin folder:

    t2build -l

  • Empty the plugin folder:

    t2build -e

  • Update a plugin (blacklists, …):

    t2build -U pluginName

  • Change the build backend

    • meson t2build -B meson pluginName

    • cmake t2build -B cmake pluginName

    • autotools t2build -B autotools-out-of-tree pluginName

    Alternatively:

    • meson T2BUILD_BACKEND=meson t2build pluginName

    • cmake T2BUILD_BACKEND=cmake t2build pluginName

    • autotools T2BUILD_BACKEND=autotools-out-of-tree t2build pluginName

  • For more details about t2build, run:

    t2build --help

  • For an in-depth discussion about t2build, refer to the Building kung fu tutorial.

t2/st2: run Tranalyzer2

  • Analyze a pcap:

    t2 -r file.pcap

  • Change the output prefix:

    t2 -r file.pcap -w /path/prefix

  • Save the final report in a file:

    t2 -r file.pcap -l

  • Save the monitoring output in a file:

    t2 -r file.pcap -m

  • Create the packet file:

    t2 -r file.pcap -s

  • Analyze traffic (as root) from an interface:

    st2 -i eth0

  • For more details about t2, run:

    t2 --help

t2doc: access Tranalyzer2 and plugins documentation

  • Access the complete documentation:

    t2doc

  • Access the documentation of a specific plugin:

    t2doc pluginName

  • Access the documentation of specific plugins:

    t2doc pluginName1 pluginName2

  • Access the FAQ, tawk, t2fm and the various scripts documentation:

    t2doc faq tawk t2fm scripts

  • For more details about t2doc, run:

    t2doc --help

t2fm: PDF report generation from PCAP

  • Configure and build tranalyzer and the plugins (-b), run t2 on file.pcap and open the generated report (-A):

    t2fm -b -A -r file.pcap

  • Create a report from an existing flow file:

    t2fm -F file_flows.txt

  • Create a report from a MongoDB database named tranalyzer:

    t2fm -m tranalyzer

  • Create a report from a PostgreSQL database named tranalyzer:

    t2fm -p tranalyzer

  • For more details about t2fm, run:

    t2fm --help

For an in-depth discussion about t2fm, refer to the PDF Report Generation from PCAP using t2fm tutorial.

t2whois: query Tranalyzer2 subnet file

t2whois can be used to query basicFlow geolocation database.

  • Query one or more IP addresses:

    t2whois 127.0.0.1 ::1

  • Query IP addresses from file:

    head file.txt

    1.2.3.4
    5.6.7.8

    t2whois -r file.txt

  • Query IP addresses from a file and output the results as one tab separated line:

    tawk -H '{ print $srcIP "" print $dstIP }' file_flows.txt | sort -u | t2whois -l

  • Only output specific fields:

    t2whois -o netmask,who 1.2.3.4

  • List the fields available:

    t2whois -L

  • Enter the interactive (prompt) mode:

    t2whois

  • Generate a KML file which can be loaded in, e.g., Google Earth or Google Maps:

    tawk '{ print $dstIP }' file_flows.txt | sort -u | t2whois -k file.kml

  • Get information about the databases:

    t2whois -V

  • For more details about t2whois, run:

    t2whois -h

For an in-depth discussion about t2whois, refer to the Geolocation and WHOIS behind it tutorial.

Post-processing

tawk: awk for Tranalyzer flow files

  • Decode Tranalyzer status bitfields

    tawk -V name

    tawk -V name=value

  • Decode layer 2 protocols

    tawk -V ethType

    tawk -V ethType=value

  • Decode layer 4 protocols

    tawk -V l4Proto

    tawk -V l4Proto=value

  • Decode all aggregated fields in Tranalyzer log file

    tawk -L out_log.txt

    t2 -r file.pcap | tawk -L

  • List the column names and numbers of a flow file:

    tawk -l file_flows.txt

  • List the functions provided by tawk:

    tawk -g

    Alternatively, refer to the Alphabetical list of Tawk functions.

  • Access the documentation of a tawk function:

    tawk -d name

  • Process Bro/Zeek log files:

    tawk --bro 'program' file.log

    tawk --zeek 'program' file.log

  • Process CSV log files:

    tawk --csv 'program' log.csv

  • Change the input field separator:

    tawk -F ',' 'program' log.csv

  • Change the output field separator:

    tawk -O ',' 'program' file.tsv

  • For more details about tawk, run:

    tawk --help

For an in-depth discussion about tawk, refer to the Post-processing with Tawk tutorial.

protStat: sort and manipulate protocol statistics files

The protStat script can be used to sort, filter and manipulate one of the files generated by one of those plugins:

  • protoStats: _protocols.txt

  • icmpDecode: _icmpStats.txt

  • igmpDecode: _igmpStats.txt

  • nDPI: _nDPI.txt

  • Sort a file by packets:

    protStat file.txt

  • Sort a file by bytes:

    protStat -b file.txt

  • Sort in reverse order:

    protStat -r file.txt

  • Only display values with packet probability greater than 50%:

    protStat -p 50 file.txt

  • Only display values with byte probability smaller than 1%:

    protStat -b -p -1 file.txt

  • Only display the 5 values with highest byte count:

    protStat -b -n 5 file.txt

  • Only display the 10 values with lowest packet count:

    protStat -n -10 file.txt

  • For more details about protStat, run:

    protStat --help

t2plot: 2D/3D plot

  • Basic histograms:

    t2plot -D file_with_one_columns.txt

    tawk '{ print $col1 }' file_with_many_columns.txt | t2plot -D

    t2plot -D -o colName file_with_many_columns.txt

    t2plot -D -o colNumber file_with_many_columns.txt

  • Basic 2D plots:

    t2plot file_with_two_columns.txt

    tawk '{ print $col1, $col2 }' file_with_many_columns.txt | t2plot

    t2plot -D -o colName1:colName2 file_with_many_columns.txt

    t2plot -D -o colNumber1:colNumber2 file_with_many_columns.txt

  • Basic 3D plots:

    t2plot file_with_three_columns.txt

    tawk '{ print $col1, $col2, $col3 }' file_with_many_columns.txt | t2plot

    t2plot -D -o colName1:colName2:colName3 file_with_many_columns.txt

    t2plot -D -o colNumber1:colNumber2:colNumber3 file_with_many_columns.txt

  • Reducing X-, Y- or Z- range:

    t2plot -sx lowestValueX:highestValueX -sy lowestValueY:highestValueY -sz lowestValueZ:highestValueZ ...

  • For more examples with t2plot, run:

    t2plot -e

  • For more details about t2plot, run:

    t2plot --help

t2b2t: convert Tranalyzer binary files

  • Convert a binary file to txt (keeping the same prefix):

    t2b2t -r file_flows.bin

  • Convert a binary file to JSON:

    t2b2t -r file_flows.bin -j

  • Convert a binary file to compressed (gzip) txt:

    t2b2t -r file_flows.bin -c

  • Convert a binary file to compressed (gzip) JSON:

    t2b2t -r file_flows.bin -j -c

  • Use a custom name for the output file:

    t2b2t -r file_flows.bin -w my_file.txt

    t2b2t -r file_flows.bin -w my_file.json.gz

    t2b2t -r file_flows.bin -w my_file.txt

    t2b2t -r file_flows.bin -w my_file.json.gz

  • Write the converted file to stdout:

    t2b2t -r file_flows.bin -w -

  • List the column names and exit

    t2b2t -r file_flows.bin -l

  • For more details about t2b2t, run:

    t2b2t --help

t2plugin: create new plugins and list existing plugins

  • Create a new C plugin:

    t2plugin -c pluginName

  • Create a new C plugin with a specific plugin number

    t2plugin -c pluginName -n 123

  • Create a new C++ plugin:

    t2plugin -c pluginName --cpp

  • Create a new Rust plugin:

    t2plugin -c pluginName --rust

  • List all the available plugins, their numbers and description:

    t2plugin -l

  • List all the name of all available plugins:

    t2plugin -l -N

  • List all the name of all available plugins without any header:

    t2plugin -l -N -H

  • For more details about t2plugin, run:

    t2plugin --help

t2docker: create and manage Tranalyzer Docker containers

  • Create a Docker container:

    t2docker -B t2-latest.tar.gz

  • Download the latest version of T2 and create a Docker container:

    t2docker -B latest

  • List existing Tranalyzer Docker containers:

    t2docker -ls

  • Save a Docker image:

    t2docker -S image-name-or-id

  • Load a Docker image:

    t2docker -L t2docker-image.tar[.gz]

  • Get a Shell in a Docker image:

    t2docker -X image-name-or-id

  • Run Tranalyzer inside a Docker container:

    t2docker -r file.pcap

  • Run another T2 command inside a Docker container:

    t2docker tawk -V flowStat

  • For more details about t2docker, run:

    t2docker --help