Tutorial: Internet Relay Chat (IRC)
Introduction
This tutorial discusses the plugin ircDecode.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow tcpStates ircDecode txtSink
...
BUILD SUCCESSFUL
If you have not yet created separate data and results directories, do so now in another bash window; keeping input and output apart makes the workflow easier:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: irc.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing IRC traffic!
ircDecode
Let’s look at the plugin configuration first:
vi src/ircDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define IRC_SAVE 0 // save content to IRC_F_PATH
#define IRC_RMDIR 1 // empty IRC_F_PATH before starting (requires IRC_SAVE=1)
#define IRC_CMD_AGGR 1 // Aggregate IRC commands/response codes
#define IRC_BITFIELD 0 // Bitfield coding of IRC commands
#define IRC_UXNMLN 10 // maximal username length
#define IRC_PXNMLN 10 // maximal password length
#define IRC_NXNMLN 10 // maximal nickname length
#define IRC_MXNMLN 50 // maximal name length
#define IRC_MAXUNM 5 // Maximal number of users
#define IRC_MAXPNM 5 // Maximal number of passwords
#define IRC_MAXNNM 5 // Maximal number of nicknames
#define IRC_MAXCNM 20 // Maximal number of parameters
#define IRC_F_PATH "/tmp/IRCFILES/" // Path for extracted content
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
Run t2 on the supplied pcap:
t2 -r ~/data/irc.pcap -w ~/results/ -s
The aggregated ircStat tells us that there is IRC traffic in the pcap.
The ircStat column is to be interpreted as follows:

bit | ircStat | Description
=============================================================================
 0  |  0x01   | IRC port found
 1  |  0x02   | IRC registration successful
 2  |  0x04   | IRC password incorrect
 3  |  0x08   | -
 4  |  0x10   | Unrecognized IRC command
 5  |  0x20   | File error (IRC_SAVE == 1)
 6  |  0x40   | Array, string or filename overflow
 7  |  0x80   | Invalid format or parsing error
tcol ~/results/irc_flows.txt
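Reading the hex value by hand gets old quickly when a flow file has thousands of rows. The script below is an added example (it is neither part of the tutorial nor of the ircDecode plugin): it decodes an ircStat value into the bit descriptions from the table above and scans a flow file for IRC flows, flagging the ones whose status bits (password incorrect, overflow, parsing error) a practitioner would want to look at first. The file layout it assumes (tab-separated columns, one header line starting with `%`), the column names other than ircStat, and the sample rows embedded in the script are assumptions and constructed data, not real Tranalyzer output.

```python
#!/usr/bin/env python3
"""Decode ircDecode's ircStat bitfield and pull IRC flows out of a flow file.

Added example, not Tranalyzer or ircDecode code. Assumed flow-file layout:
tab-separated columns, header line prefixed with '%'. Column names other
than ircStat are assumptions; SAMPLE_FLOWS is constructed, not captured.
"""
import io

# Bit table as documented for ircStat (bit 3 / 0x08 is unused).
IRC_STAT_BITS = {
    0x01: "IRC port found",
    0x02: "IRC registration successful",
    0x04: "IRC password incorrect",
    0x10: "Unrecognized IRC command",
    0x20: "File error (IRC_SAVE == 1)",
    0x40: "Array, string or filename overflow",
    0x80: "Invalid format or parsing error",
}

# Bits that merit a second look: failed logins, plus the two conditions under
# which the decoder itself gave up (truncation/overflow, unparsable input).
SUSPICIOUS_MASK = 0x04 | 0x40 | 0x80

# Constructed sample in the assumed flow-file layout (not real output).
SAMPLE_FLOWS = (
    "% dir\tflowInd\tsrcIP\tdstIP\tdstPort\tircStat\n"
    "A\t1\t10.0.0.5\t192.0.2.10\t6667\t0x03\n"   # port + registration OK
    "B\t1\t192.0.2.10\t10.0.0.5\t6667\t0x01\n"   # server side, port only
    "A\t2\t10.0.0.5\t192.0.2.10\t6667\t0x05\n"   # port + password incorrect
    "A\t3\t10.0.0.7\t93.184.216.34\t443\t0x00\n" # not IRC
)


def _to_int(value):
    """Accept an int or the hex/decimal string as written in the flow file."""
    if isinstance(value, int):
        return value
    value = value.strip()
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def decode_irc_stat(value):
    """Return the description of every documented bit set in an ircStat value."""
    stat = _to_int(value)
    return [desc for bit, desc in IRC_STAT_BITS.items() if stat & bit]


def is_suspicious(value):
    """True if any of the failed-login / overflow / parse-error bits is set."""
    return bool(_to_int(value) & SUSPICIOUS_MASK)


def scan_flows(text):
    """Parse flow-file text and return one record per flow with ircStat != 0.

    Raises ValueError if the header is missing or has no ircStat column
    (i.e. ircDecode was not loaded when the file was produced).
    """
    header = None
    records = []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("%"):            # assumed header convention
            header = line[1:].strip().split("\t")
            continue
        if header is None:
            raise ValueError("flow file has no '%' header line")
        fields = dict(zip(header, line.split("\t")))
        if "ircStat" not in fields:
            raise ValueError("no ircStat column: was ircDecode loaded?")
        stat = _to_int(fields["ircStat"])
        if stat == 0:
            continue                        # not IRC, skip
        records.append({
            "flowInd": fields.get("flowInd"),
            "dir": fields.get("dir"),
            "ircStat": stat,
            "flags": decode_irc_stat(stat),
            "suspicious": is_suspicious(stat),
        })
    return records


if __name__ == "__main__":
    # Replace SAMPLE_FLOWS with open("~/results/irc_flows.txt").read() for real data.
    for rec in scan_flows(SAMPLE_FLOWS):
        mark = "!" if rec["suspicious"] else " "
        print(f"{mark} flow {rec['flowInd']}{rec['dir']} ircStat=0x{rec['ircStat']:02x}: "
              + ", ".join(rec["flags"]))
```

The `%` header convention and the `flowInd`/`dir` column names are what the script expects; check the first line of your own `irc_flows.txt` (for example with `tcol` as above) and adjust the names if the layout differs.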
Conclusion
Don’t forget to reset the plugin configuration for the next tutorial.
t2conf ircDecode --reset && t2build ircDecode
Have fun analyzing IRC traffic!