Installing Tranalyzer2 in a Docker container
Contents
Prerequisites
This tutorial assumes the reader is familiar with Docker. If you have not installed it yet, refer to the Install Docker engine page.
Getting the latest Docker image of Tranalyzer2
Download the latest version of Tranalyzer2 Docker image here or run the following command:
wget https://tranalyzer.com/download/tranalyzer/tranalyzer2-0.9.1lmw1-ubuntu.tar.gz
Installation
Extract the content of the archive:
tar xzf tranalyzer2-0.9.1lmw1-ubuntu.tar.gz
Load the image into Docker:
docker load -i tranalyzer2-0.9.1-ubuntu.tar
Loaded image: tranalyzer2-0.9.1-ubuntu:latest
Working with Tranalyzer2 Docker image
docker run --rm tranalyzer2-0.9.1-ubuntu
Tranalyzer 0.9.1 - High performance flow based network traffic analyzer
Usage:
tranalyzer [OPTION...] <INPUT>
Input arguments:
-i IFACE Listen on interface IFACE
-r PCAP Read packets from PCAP file or from stdin if PCAP is "-"
-R FILE Process every PCAP file listed in FILE
-D EXPR[:SCHR][,STOP]
Process every PCAP file whose name matches EXPR, up to an
optional last index STOP. If STOP is omitted, then Tranalyzer
never stops. EXPR can be a filename, e.g., file.pcap0, or an
expression, such as "dump*.pcap00", where the star matches
anything (note the quotes to prevent the shell from
interpreting the expression). SCHR can be used to specify
the last character before the index (default: 'p')
Output arguments:
-w PREFIX Append PREFIX to any output file produced. If the option is
omitted, derive PREFIX from the input. Use '-w -' to output
the flow file to stdout (other files will be saved as if the
'-w' option had been omitted and the '-l' option used)
-W PREFIX[:SIZE][,START]
Like -w, but fragment flow files according to SIZE, producing
files starting with index START. SIZE can be specified in bytes
(default), KB ('K'), MB ('M') or GB ('G'). Scientific notation,
i.e., 1e5 or 1E5 (=100000), can be used as well. If a 'f' is
appended, e.g., 10Kf, then SIZE denotes the number of flows.
-l Print end report in PREFIX_log.txt instead of stdout
-s Packet forensics mode
Optional arguments:
-p PATH Load plugins from PATH instead of ~/.tranalyzer/plugins
-b FILE Use plugin list FILE instead of plugin_folder/plugins.txt
-e FILE Create a PCAP file by extracting all packets belonging to
flow indexes listed in FILE (require pcapd plugin)
-f FACTOR Set hash multiplication factor
-x ID Sensor ID
-c CPU Bind tranalyzer to one core. If CPU is 0 then OS selects the
core to bind
-F FILE Read BPF filter from FILE
Help and documentation arguments:
-V Show the version of the program and exit
-h Show help options and exit
Remaining arguments:
BPF Berkeley Packet Filter command, as in tcpdumpdocker run -it --rm tranalyzer2-0.9.1-ubuntu /bin/bash
/t2-src/tranalyzer2/build/tranalyzer -h
/t2-src/utils/t2whois/t2whois -l 1.2.3.4
%IP Network/Mask Range Organization Country ASN Latitude Longitude Precision NetID
1.2.3.4 1.2.3.0/24 "1.2.3.0 - 1.2.3.255" "APNIC Debogon Project" au 0 -27.467939 153.028091 80.000000 0x1480205aAlternatively, use t2docker:
t2docker -r file.pcap -w /tmp/x -l
t2docker t2whois -l 1.2.3.4
Available scripts and programs
The following scripts and programs are available:
| tranalyzer | /t2-src/tranalyzer2/build/tranalyzer |
| t2b2t | /t2-src/utils/t2b2t/t2b2t |
| t2conf | /t2-src/scripts/t2conf/t2conf |
| t2flowstat | /t2-src/scripts/t2flowstat |
| t2fm | /t2-src/scripts/t2fm/t2fm |
| t2plot | /t2-src/scripts/t2plot |
| t2whois | /t2-src/utils/t2whois/t2whois |
| tawk | /t2-src/scripts/tawk/tawk |
| fextractor | /t2-src/plugins/findexer/fextractor/fextractor |
| t2rrd | /t2-src/scripts/t2rrd |
| t2stat | /t2-src/scripts/t2stat |
| t2timeline | /t2-src/scripts/t2timeline |
| t2viz | /t2-src/scripts/t2viz |
| protStat | /t2-src/scripts/protStat |
| fpsGplt | /t2-src/scripts/fpsGplt |
| statGplt | /t2-src/scripts/statGplt |
Building your own Docker image
To build your own Docker image, use the t2docker script:
t2docker -B latest
or for a specific version:
t2docker -B tranalyzer2-0.9.1lmw1.tar.gz