L2/3 flow aggregation modes

layer 2 layer 3 flow aggregation

As already introduced in the basics tutorial, we would like to explore the different flow aggregation modes of T2.

So the five tuple (srcIP, srcPort, dstIP, dstPort, l4Proto) is the commonly used aggregation, right? But that is far from reality, which is more complex: e.g. there are these ominous virtual LANs, aka VLANs.

The flows get messed up if different VLANs use the same five tuple. Yes, I know who gets traffic from an LNS or a trunk…

So a six tuple. Aehm, what about SCTP? Right, so that has to be integrated into the definition of a flow as well, as discussed in the SCTP tutorial. Seven tuple. There are several L2 protocols, oups! So we need to add the ether type and the Ethernet addresses as well. Now we end up with a 10 tuple. The configuration of these different modes is the topic of the following tutorial.
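To make the growing tuple concrete, here is an added example (plain POSIX shell and awk, not code from the tutorial or from Tranalyzer) that keys a handful of constructed packets under three definitions: the five tuple, the six tuple with the VLAN id, and the key with ether type and MAC addresses added, which is what the text attributes to ETH_ACTIVATE=2. The SCTP part of the seven tuple is left out, the packets and MAC addresses are made up, and how T2 itself orders and hashes these fields is not reproduced.

```shell
#!/bin/sh
# Constructed sample packets (not from the tutorial's pcaps), one per line:
# srcMac dstMac ethType vlan srcIP srcPort dstIP dstPort l4Proto  ("-" = untagged)
SAMPLE_PKTS='02:00:00:00:00:01 ff:ff:ff:ff:ff:ff 0x0800 - 0.0.0.0 68 255.255.255.255 67 17
02:00:00:00:00:02 ff:ff:ff:ff:ff:ff 0x0800 - 0.0.0.0 68 255.255.255.255 67 17
02:00:00:00:00:03 02:00:00:00:00:04 0x0800 118 10.0.0.1 0 10.0.0.2 0 1
02:00:00:00:00:03 02:00:00:00:00:04 0x0800 118 10.0.0.1 0 10.0.0.2 0 1
02:00:00:00:00:05 02:00:00:00:00:06 0x0800 209 10.0.0.1 0 10.0.0.2 0 1
02:00:00:00:00:03 02:00:00:00:00:04 0x0800 118 10.0.0.1 40000 10.0.0.2 80 6'

# count_flows MODE: number of distinct flow keys the packets above produce.
#   5tuple : srcIP, srcPort, dstIP, dstPort, l4Proto
#   vlan   : 5tuple + VLAN id (the "six tuple" of the text)
#   eth    : vlan + ethType + srcMac + dstMac (ETH_ACTIVATE=2 style, assumed ordering)
count_flows() {
    printf '%s\n' "$SAMPLE_PKTS" | awk -v mode="$1" '
    {
        key = $5 ":" $6 ":" $7 ":" $8 ":" $9
        if (mode == "vlan" || mode == "eth") key = key ":" $4
        if (mode == "eth") key = key ":" $3 ":" $1 ":" $2
        flows[key]++
    }
    END { n = 0; for (k in flows) n++; print n }'
}

# Stand-alone run: the same six packets give 3, 4 and 5 flows depending on the mode.
for m in 5tuple vlan eth; do
    printf '%-7s %s flows\n' "$m" "$(count_flows "$m")"
done
```

The two DHCP broadcasts from different client MACs are one flow under the five tuple and two flows once the MAC addresses enter the key; the same effect shows up later in this tutorial when the annoloc2.pcap flow count grows by one under ETH_ACTIVATE=2.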

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow basicStats tcpStates connStat txtSink

...
BUILD SUCCESSFUL

If you have not created separate data and results directories yet, please do it now in another bash window; that facilitates your workflow:

mkdir ~/data ~/results

The sample PCAPs used in this tutorial can be downloaded here:

Please save them in your ~/data folder.

Now you’re all set!

T2 protocol flow aggregation

The constants controlling the flow aggregation reside in networkHeaders.h. Open the file and search for USER CONFIGURATION FLAGS as shown below:

tranalyzer2

vi src/networkHeaders.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define IPV6_ACTIVATE     2 // 0: IPv4 only
                            // 1: IPv6 only
                            // 2: dual mode

#define ETH_ACTIVATE      1 // 0: No L2 flows,
                            // 1: Activate L2 flows,
                            // 2: Also use Ethernet addresses for IPv4/6 flows

#define LAPD_ACTIVATE     0 // 0: No LAPD/Q.931 flows
                            // 1: Activate LAPD/Q.931 flow generation
#define LAPD_OVER_UDP     0 // 0: Do not try dissecting LAPD over UDP
                            // 1: Dissect LAPD over UDP (experimental)

#define SCTP_ACTIVATE     0 // 0: standard flows
                            // 1: activate SCTP chunk streams -> flows
                            // 2: activate SCTP association -> flows
                            // 3: activate SCTP chunk & association -> flows
#define SCTP_STATFINDEX   1 // 0: findex increments
                            // 1: findex constant for all SCTP streams in a packet

#define MULTIPKTSUP       0 // multi-packet suppression

#define T2_PRI_HDRDESC    1 // keep track of the headers traversed
#define T2_HDRDESC_AGGR   1 // aggregate repetitive headers, e.g., vlan{2}
#define T2_HDRDESC_LEN  128 // max length of the headers description

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

By default T2 operates in dual IP mode, so IPv4/6 flows are produced, even IPv4 in IPv6 or vice versa, any combination you can have with any L2 encapsulation protocol, including fragmentation and all the crap you can imagine. Search for // Protocol stack in tranalyzer.h as shown below:

vi src/tranalyzer.h

...
// Protocol stack
#define AYIYA           1 // AYIYA processing on: 1, off: 0
#define GENEVE          1 // GENEVE processing on: 1, off: 0
#define TEREDO          1 // TEREDO processing on: 1, off: 0
#define L2TP            1 // L2TP processing on: 1, off: 0
#define GRE             1 // GRE processing on: 1, off: 0
#define GTP             1 // GTP processing on: 1, off: 0
#define VXLAN           1 // VXLAN processing on: 1, off: 0
#define IPIP            1 // IPv4/6 in IPv4/6 processing on: 1, off: 0
#define ETHIP           1 // Ethernet over IP on: 1, off: 0
#define CAPWAP          1 // CAPWAP processing on: 1, off: 0
#define LWAPP           1 // LWAPP processing on: 1, off: 0
...

It is a legacy that you cannot switch off IPv4; we will change it to independent switches in a later version. The SCTP constants are discussed in detail in the SCTP tutorial, so we skip them here.

If you got traffic from a monitor port of a switch where somebody forgot to suppress either the port's egress or ingress traffic, the resulting pcap essentially contains every packet twice. No big deal: switch on MULTIPKTSUP, run t2build tranalyzer2 and that mishap is gone. This mode only works with IPv4, as these IETF guys defining IPv6 forgot the IPID in the IPv6 main header. Morons!!
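The following added example (POSIX shell and awk, not Tranalyzer's own code) mimics the MULTIPKTSUP idea on constructed packet records: an IPv4 packet is dropped when its (srcIP, dstIP, l4Proto, ipID) was already seen, while IPv6 records, which carry no identification field in the main header, cannot be keyed that way and pass through, duplicates included. The record format and the dedup key are assumptions of this example; T2's real suppression logic is not reproduced.

```shell
#!/bin/sh
# Constructed packet records (not from the tutorial's pcaps), one per line:
# ipVer srcIP dstIP l4Proto ipID   (ipID is "-" for IPv6: the main header has none)
SAMPLE_PKTS='4 10.0.0.1 10.0.0.2 6 0x1a2b
4 10.0.0.1 10.0.0.2 6 0x1a2b
4 10.0.0.1 10.0.0.2 6 0x1a2c
4 10.0.0.2 10.0.0.1 6 0x7f01
4 10.0.0.2 10.0.0.1 6 0x7f01
6 fd00::1 fd00::2 6 -
6 fd00::1 fd00::2 6 -'

# suppress_dups: print each record unless its (srcIP, dstIP, l4Proto, ipID) was
# already seen, the way a mirror port delivering every packet twice would be cleaned.
# IPv6 records have no ipID to key on, so they are passed through unchanged.
suppress_dups() {
    printf '%s\n' "$SAMPLE_PKTS" | awk '
    $1 != 4 { print; next }                      # no IPID: cannot tell a duplicate apart
    { k = $2 SUBSEP $3 SUBSEP $4 SUBSEP $5 }
    !(k in seen) { seen[k] = 1; print }          # first occurrence: keep it
    '
}

# passed_packets: how many records survive (7 in, 5 out: the two IPv4 duplicates
# go, the two identical IPv6 records both stay).
passed_packets() { suppress_dups | wc -l | tr -d ' '; }

suppress_dups
```

The two identical IPv6 lines surviving is exactly the limitation the paragraph describes: without an identification field there is nothing that distinguishes a mirrored copy from a legitimately retransmitted packet.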

If you want the core to create the header description, leave T2_PRI_HDRDESC on, unless you want to gain performance. T2_HDRDESC_AGGR aggregates repeated headers, a good choice if you want to reduce the length of the header description column in the flow/packet file. T2_HDRDESC_LEN limits the length of that column. The form and effect of the header description config were already demonstrated in the basics tutorial.

Let’s focus here on the IP and Ethernet aggregation modes first.

IP modes

You should know by now that annoloc2.pcap contains L2, IPv4 and IPv6 flows. Let us switch to IPv4 mode only. As all plugins implement the aggregation mode, the core and all loaded plugins have to be recompiled:

t2conf tranalyzer2 -D IPV6_ACTIVATE=0 -D ETH_ACTIVATE=0 && t2build -R

t2 -r ~/data/annoloc2.pcap -w ~/results/

Now we see only IPv4 flows, but we still receive statistics about all other protocols such as IPv6 or ARP. So even when filtering out traffic in the core you have the full overview of the traffic. Really useful, because somebody might promise you IPv4 traffic only, you switch T2 to IPv4 mode and then you discover that there is still IPv6 traffic in it without even looking into a single flow file. So you can show it to the guy and make him eat furniture.

At the beginning of the report you see: Number of packets without flow: 407 [0.03%]

These are the 0.03% IPv6 + L2 packets T2 does not dissect, so the statistics are marginally different from dual mode. To prove that the core filtering works, either select the IPv4/6 flowStat bits and aggregate them, or aggregate hdrDesc. Here I chose the latter, because it is human readable:

tawk 'aggrrep($hdrDesc)' ~/results/annoloc2_flows.txt | tcol

hdrDesc                   Flows
eth:ipv4:tcp              10442
eth:ipv4:udp              5987
eth:ipv4:icmp             561
eth:ipv4:udp:ssdp         419
eth:ipv4:igmp             11
eth:ipv4:ipv4:tcp         8
eth:ipv4:pim              3
eth:ipv4:udp:gtp          2
eth:ipv4:udp:gtp:ssdp     1
eth:ipv4:ipv6:vrrp        1
eth:ipv4:ipv6:vines       1
eth:ipv4:ipv6:UNK(95)     1
eth:ipv4:ipv6:UNK(79)     1
eth:ipv4:ipv6:UNK(22)     1
eth:ipv4:ipv6:UNK(168)    1
eth:ipv4:ipv6:UNK(147)    1
eth:ipv4:ipv6:UNK(133)    1
eth:ipv4:ipv6:UNK(131)    1
eth:ipv4:ipv6:UNK(126)    1
eth:ipv4:ipv6:dsr         1
eth:ipv4:gre:UNK(0xefe6)  1
eth:ipv4:gre:UNK(0xc098)  1
eth:ipv4:gre:UNK(0xa11f)  1
eth:ipv4:gre:UNK(0x6d6f)  1
eth:ipv4:gre:UNK(0x6d38)  1
eth:ipv4:gre:UNK(0x697d)  1
eth:ipv4:gre:UNK(0x18aa)  1
eth:ipv4:gre:UNK(0x111d)  1
eth:ipv4:gre:UNK(0x0f0e)  1
eth:ipv4:gre:UNK(0x0db3)  1
eth:ipv4:gre:UNK(0x0a90)  1
eth:ipv4:gre:UNK(0x09c3)  1
eth:ipv4:gre:UNK(0x08a8)  1
eth:ipv4:gre:UNK(0x05e8)  1
eth:ipv4:gre:UNK(0x0496)  1
eth:ipv4:gre:UNK(0x0401)  1
eth:ipv4:gre:UNK(0x008b)  1
eth:ipv4:gre:UNK(0x0051)  1
eth:ipv4:gre:UNK(0x0014)  1

The UNK() is a complaint from the core that these flows contain packets whose headers were snapped (truncated) during capture.

Now switch on only IPv6, still L2 flows off.

t2conf tranalyzer2 -D IPV6_ACTIVATE=1 && t2build -R

t2 -r ~/data/annoloc2.pcap -w ~/results/

Now far more packets are ignored: Number of packets without flow: 1218855 (1.22 M) [99.99%]

These are the 99.9% IPv4 + L2 packets which are not processed by the T2 core. Only 44 IPv6 flows are listed in the flow file. To test whether the anteater does a good job, here is the proof:

tawk 'aggr($hdrDesc)' ~/results/annoloc2_flows.txt | tcol

hdrDesc                 Flows
eth:ipv6:tcp            37
eth:ipv6:icmpv6         7
eth:ipv4:ipv6:vrrp      1
eth:ipv4:ipv6:vines     1
eth:ipv4:ipv6:UNK(95)   1
eth:ipv4:ipv6:UNK(79)   1
eth:ipv4:ipv6:UNK(64)   1
eth:ipv4:ipv6:UNK(28)   1
eth:ipv4:ipv6:UNK(231)  1
eth:ipv4:ipv6:UNK(23)   1
eth:ipv4:ipv6:UNK(229)  1
eth:ipv4:ipv6:UNK(228)  1
eth:ipv4:ipv6:UNK(223)  1
eth:ipv4:ipv6:UNK(22)   1
eth:ipv4:ipv6:UNK(168)  1
eth:ipv4:ipv6:UNK(147)  1
eth:ipv4:ipv6:UNK(133)  1
eth:ipv4:ipv6:UNK(131)  1
eth:ipv4:ipv6:UNK(126)  1
eth:ipv4:ipv6:UNK(114)  1
eth:ipv4:ipv6:dsr       1
eth:ipv4:ipv6           1

Switching certain protocols off in the core saves time and memory. Hence, if you definitely know that there is ONLY one type of traffic on your interface or trunk port, first run T2 in full dual and L2 mode and look at the end report, then switch certain protocols off.

L2 modes

Now we only want to see L2 flows, so no IP. If you set IPV6_ACTIVATE=0, you still have IPv4. Bummer, a legacy flaw, which we will definitely correct in a later version. So you have to add a BPF filter, which messes up the internal packet index, as not every packet reaches T2's core. Comparing with Wireshark is then difficult. Wait, we will take care of it.

Anyway, let's switch on L2 flows, with IPv4 still on. Load the macRecorder plugin, which records all MAC pairs in an IP flow. We need it for the number of MAC pairs in a flow as a selection feature.

t2conf tranalyzer2 -D IPV6_ACTIVATE=0 -D ETH_ACTIVATE=1

t2build macRecorder

t2build -R

t2 -r ~/data/annoloc2.pcap -w ~/results/

Total 17545 flows. Now change to your results window again and search for all flows which contain more than one MAC pair during the lifetime of the flow. We find one, a UDP broadcast.

tawk '$macPairs > 1 || NR == 1' ~/results/annoloc2_flows.txt

%dir	flowInd	flowStat	timeFirst	timeLast	duration	numHdrDesc	numHdrs	hdrDesc	srcMac	dstMac	ethType	ethVlanID	srcIP	srcIPCC	srcIPOrg	srcPort	dstIP	dstIPCC	dstIPOrg	dstPort	l4Proto	macStat	macPairs	srcMac_dstMac_numP	srcMacLbl_dstMacLbl	numPktsSnt	numPktsRcvd	numBytesSnt	numBytesRcvd	minPktSz	maxPktSz	avePktSize	stdPktSize	minIAT	maxIAT	aveIAT	stdIAT	pktps	bytps	pktAsm	bytAsm	tcpStatesAFlags	connSip	connDip	connSipDip	connSipDprt	connF
A	7669	0x0400000200004000	1022171718.902437	1022171719.151404	0.248967	1	3	eth:ipv4:udp	00:00:1c:b6:17:f2;00:c1:28:01:65:77	ff:ff:ff:ff:ff:ff	0x0800		0.0.0.0	-	"-"	68	255.255.255.255	11	"Broadcast"	67	17	0x00	2	00:00:1c:b6:17:f2_ff:ff:ff:ff:ff:ff_1;00:c1:28:01:65:77_ff:ff:ff:ff:ff:ff_2	BellTech,US_Broadcast;-_Broadcast	3	0	915	0	300	312	305	4.133199	0	0.227059	0.082989	0.07443081	12.04979	3675.186	1	1	0x00	1	5	1	1	1

Now instruct the core to add the ethertype and the MAC addresses to the flow hash and re-run t2:

t2conf tranalyzer2 -D IPV6_ACTIVATE=0 -D ETH_ACTIVATE=2 && t2build -R

t2 -r ~/data/annoloc2.pcap -w ~/results/

Total 17546 flows, one more. Why? Search in your results window again for all flows which contain more than one MAC pair during the lifetime of the flow. Oups, gone, because now the IP flow is split into two flows, one per MAC pair.

tawk '$macPairs > 1 || NR == 1' ~/results/annoloc2_flows.txt

%dir	flowInd	flowStat	timeFirst	timeLast	duration	numHdrDesc	numHdrs	hdrDesc	srcMac	dstMac	ethType	ethVlanID	srcIP	srcIPCC	srcIPOrg	srcPort	dstIP	dstIPCC	dstIPOrg	dstPort	l4Proto	macStat	macPairs	srcMac_dstMac_numP	srcManuf_dstManuf	numPktsSnt	numPktsRcvd	numBytesSnt	numBytesRcvd	minPktSz	maxPktSz	avePktSize	stdPktSize	minIAT	maxIAT	aveIAT	stdIAT	pktps	bytps	pktAsm	bytAsm	tcpStates	connSip	connDip	connSipDip	connSipDprt	connF

As homework, produce a tawk to find the said two flows.

SCTP modes

Already covered in the SCTP tutorial.

Header description

Now let's switch off the header description: very convenient, but a performance factor. Note that you also need to rebuild basicFlow, as it implements the T2_PRI_HDRDESC switch as well. So the safest way is to rebuild all plugins plus the core.

t2conf tranalyzer2 -D T2_PRI_HDRDESC=0 && t2build -R

t2 -r ~/data/802.1Q_tunneling.cap -w ~/results/

In the end report the header count with min, max, ave is gone. In the flow file the description of the headers is also gone, but you still have the flowStat bit encoding.

tcol ~/results/802.1Q_tunneling_flows.txt

%dir  flowInd  flowStat            timeFirst          timeLast           duration  srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP        dstIPCC  dstIPOrg           dstPort  l4Proto  macStat  macPairs  srcMac_dstMac_numP                     srcManuf_dstManuf  numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT     stdIAT        pktps     bytps     pktAsm  bytAsm  tcpStates  connSip  connDip  connSipDip  connSipDprt  connF
A     1        0x0400000000004100  1277840495.135052  1277840495.141708  0.006656  00:13:c3:df:ae:18  00:1b:d4:1b:a4:d8  0x0800   118;10     10.118.10.1  04       "Private network"  0        10.118.10.2  04       "Private network"  0        1        0x00     1         00:13:c3:df:ae:18_00:1b:d4:1b:a4:d8_5  Cisco_Cisco        5           5            360          360           72        72        72          0           0       0.00188   0.0013312  0.0004990491  751.2019  54086.54  0       0       0x00       1        1        2           2            2
B     1        0x0400000000004101  1277840495.135910  1277840495.142543  0.006633  00:1b:d4:1b:a4:d8  00:13:c3:df:ae:18  0x0800   118;10     10.118.10.2  04       "Private network"  0        10.118.10.1  04       "Private network"  0        1        0x00     1         00:1b:d4:1b:a4:d8_00:13:c3:df:ae:18_5  Cisco_Cisco        5           5            360          360           72        72        72          0           0       0.001721  0.0013266  0.0005040318  753.8067  54274.09  0       0       0x00       1        1        1           1            1
A     2        0x0400000000004100  1277840503.708352  1277840503.714432  0.006080  00:19:aa:7d:e6:88  00:21:55:c8:f1:3c  0x0800   209;20     10.209.20.3  04       "Private network"  0        10.209.20.4  04       "Private network"  0        1        0x00     1         00:19:aa:7d:e6:88_00:21:55:c8:f1:3c_5  Cisco_Cisco        5           5            360          360           72        72        72          0           0       0.001733  0.001216   0.0004763269  822.3684  59210.52  0       0       0x00       1        1        2           2            2
B     2        0x0400000000004101  1277840503.709181  1277840503.715133  0.005952  00:21:55:c8:f1:3c  00:19:aa:7d:e6:88  0x0800   209;20     10.209.20.4  04       "Private network"  0        10.209.20.3  04       "Private network"  0        1        0x00     1         00:21:55:c8:f1:3c_00:19:aa:7d:e6:88_5  Cisco_Cisco        5           5            360          360           72        72        72          0           0       0.001666  0.0011904  0.0004731365  840.0538  60483.87  0       0       0x00       1        1        1           1            1
A     3        0x0000000000000104  1277840510.969363  1277840510.969363  0.000000  00:13:c3:df:ae:18  01:00:0c:cd:cd:d0  0x2000   118        0.0.0.0      -        "-"                0        0.0.0.0      -        "-"                0        0        0x00     1         00:13:c3:df:ae:18_01:00:0c:cd:cd:d0_1  Cisco_-            1           0            349          0             349       349       349         0           0       0         0          0             0         0         1       1       0x00       0        0        0           0            0
A     4        0x0000000000000104  1277840511.384783  1277840511.384783  0.000000  00:19:aa:7d:e6:88  01:00:0c:cd:cd:d0  0x2000   209        0.0.0.0      -        "-"                0        0.0.0.0      -        "-"                0        0        0x00     1         00:19:aa:7d:e6:88_01:00:0c:cd:cd:d0_1  Cisco_-            1           0            347          0             347       347       347         0           0       0         0          0             0         0         1       1       0x00       0        0        0           0            0
A     5        0x0000000000000004  1277840525.369320  1277840525.369320  0.000000  00:0f:34:5f:16:8d  01:00:0c:cc:cc:cc  0x2000              0.0.0.0      -        "-"                0        0.0.0.0      -        "-"                0        0        0x00     1         00:0f:34:5f:16:8d_01:00:0c:cc:cc:cc_1  Cisco_-            1           0            353          0             353       353       353         0           0       0         0          0             0         0         1       1       0x00       0        0        0           0            0
A     6        0x0000000000000004  1277840525.404193  1277840525.404193  0.000000  00:13:c4:12:0f:0d  01:00:0c:cc:cc:cc  0x2000              0.0.0.0      -        "-"                0        0.0.0.0      -        "-"                0        0        0x00     1         00:13:c4:12:0f:0d_01:00:0c:cc:cc:cc_1  Cisco_-            1           0            353          0             353       353       353         0           0       0         0          0             0         0         1       1       0x00       0        0        0           0            0
A     7        0x0000000000000104  1277840528.106320  1277840528.106320  0.000000  00:1b:d4:1b:a4:d8  01:00:0c:cd:cd:d0  0x2000   118        0.0.0.0      -        "-"                0        0.0.0.0      -        "-"                0        0        0x00     1         00:1b:d4:1b:a4:d8_01:00:0c:cd:cd:d0_1  Cisco_-            1           0            349          0             349       349       349         0           0       0         0          0             0         0         1       1       0x00       0        0        0           0            0
A     8        0x0000000000000104  1277840530.538713  1277840530.538713  0.000000  00:21:55:c8:f1:3c  01:00:0c:cd:cd:d0  0x2000   209        0.0.0.0      -        "-"                0        0.0.0.0      -        "-"                0        0        0x00     1         00:21:55:c8:f1:3c_01:00:0c:cd:cd:d0_1  Cisco_-            1           0            347          0             347       347       347         0           0       0         0          0             0         0         1       1       0x00       0        0        0           0            0

Now switch the header description back on but switch off the header aggregation, so, unlike the default config, each header is now printed instead of an aggregated count.

t2conf tranalyzer2 -D T2_PRI_HDRDESC=1 -D T2_HDRDESC_AGGR=0 && t2build -R

t2 -r ~/data/802.1Q_tunneling.cap -w ~/results/

...
--------------------------------------------------------------------------------
basicStats: Biggest L2 talker: 00:13:c3:df:ae:18: 1 [3.85%] packets
basicStats: Biggest L2 talker: 00:13:c3:df:ae:18: 375 [8.00%] bytes
basicStats: Biggest L3 talker: 10.118.10.1: 5 [19.23%] packets
basicStats: Biggest L3 talker: 10.118.10.1: 610 [13.02%] bytes
connStat: Number of unique source IPs: 2
connStat: Number of unique destination IPs: 2
connStat: Number of unique source/destination IPs connections: 2
connStat: Max unique number of source IP / destination port connections: 2
connStat: IP prtcon/sdcon, prtcon/scon: 1.000000, 1.000000
connStat: Source IP with max connections: 10.118.10.1: 1 connections
connStat: Destination IP with max connections: 10.118.10.2: 1 connections
--------------------------------------------------------------------------------
Headers count: min: 3, max: 5, average: 4.69
Max VLAN header count: 2
Number of LLC packets: 6 [23.08%]
Number of GRE packets: 6 [23.08%]
Number of ICMP packets: 20 [76.92%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...

The headers count is back; note the vlan:vlan instead of vlan{2} in the flow file below.

tcol ~/results/802.1Q_tunneling_flows.txt

%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc                  srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP        dstIPCC  dstIPOrg           dstPort  l4Proto  macStat  macPairs  srcMac_dstMac_numP                     srcMacLbl_dstMacLbl        numPktsSnt  numPktsRcvd  numBytesSnt  numBytesRcvd  minPktSz  maxPktSz  avePktSize  stdPktSize  minIAT  maxIAT    aveIAT     stdIAT        pktps     bytps     pktAsm  bytAsm  tcpStatesAFlags  connSip  connDip  connSipDip  connSipDprt  connF
A     1        0x0400000000004100  1277840495.135052  1277840495.141708  0.006656  1           5        eth:vlan:vlan:ipv4:icmp  00:13:c3:df:ae:18  00:1b:d4:1b:a4:d8  0x0800   118;10     10.118.10.1  04       "Private network"  0        10.118.10.2  04       "Private network"  0        1        0x00     1         00:13:c3:df:ae:18_00:1b:d4:1b:a4:d8_5  CiscoSyst,US_CiscoSyst,US  5           5            360          360           72        72        72          0           0       0.00188   0.0013312  0.0004990491  751.2019  54086.54  0       0       0x00             1        1        2           2            2
B     1        0x0400000000004101  1277840495.135910  1277840495.142543  0.006633  1           5        eth:vlan:vlan:ipv4:icmp  00:1b:d4:1b:a4:d8  00:13:c3:df:ae:18  0x0800   118;10     10.118.10.2  04       "Private network"  0        10.118.10.1  04       "Private network"  0        1        0x00     1         00:1b:d4:1b:a4:d8_00:13:c3:df:ae:18_5  CiscoSyst,US_CiscoSyst,US  5           5            360          360           72        72        72          0           0       0.001721  0.0013266  0.0005040318  753.8067  54274.09  0       0       0x00             1        1        1           1            1
A     2        0x0400000000004100  1277840503.708352  1277840503.714432  0.006080  1           5        eth:vlan:vlan:ipv4:icmp  00:19:aa:7d:e6:88  00:21:55:c8:f1:3c  0x0800   209;20     10.209.20.3  04       "Private network"  0        10.209.20.4  04       "Private network"  0        1        0x00     1         00:19:aa:7d:e6:88_00:21:55:c8:f1:3c_5  CiscoSyst,US_CiscoSyst,US  5           5            360          360           72        72        72          0           0       0.001733  0.001216   0.0004763269  822.3684  59210.52  0       0       0x00             1        1        2           2            2
B     2        0x0400000000004101  1277840503.709181  1277840503.715133  0.005952  1           5        eth:vlan:vlan:ipv4:icmp  00:21:55:c8:f1:3c  00:19:aa:7d:e6:88  0x0800   209;20     10.209.20.4  04       "Private network"  0        10.209.20.3  04       "Private network"  0        1        0x00     1         00:21:55:c8:f1:3c_00:19:aa:7d:e6:88_5  CiscoSyst,US_CiscoSyst,US  5           5            360          360           72        72        72          0           0       0.001666  0.0011904  0.0004731365  840.0538  60483.87  0       0       0x00             1        1        1           1            1
A     3        0x0000000000000104  1277840510.969363  1277840510.969363  0.000000  1           4        eth:vlan:llc:cdp         00:13:c3:df:ae:18  01:00:0c:cd:cd:d0  0x2000   118        0.0.0.0      -        "-"                0        0.0.0.0      -        "-"                0        0        0x00     1         00:13:c3:df:ae:18_01:00:0c:cd:cd:d0_1  CiscoSyst,US_-             1           0            349          0             349       349       349         0           0       0         0          0             0         0         1       1       0x00             0        0        0           0            0
A     4        0x0000000000000104  1277840511.384783  1277840511.384783  0.000000  1           4        eth:vlan:llc:cdp         00:19:aa:7d:e6:88  01:00:0c:cd:cd:d0  0x2000   209        0.0.0.0      -        "-"                0        0.0.0.0      -        "-"                0        0        0x00     1         00:19:aa:7d:e6:88_01:00:0c:cd:cd:d0_1  CiscoSyst,US_-             1           0            347          0             347       347       347         0           0       0         0          0             0         0         1       1       0x00             0        0        0           0            0
A     5        0x0000000000000004  1277840525.369320  1277840525.369320  0.000000  1           3        eth:llc:cdp              00:0f:34:5f:16:8d  01:00:0c:cc:cc:cc  0x2000              0.0.0.0      -        "-"                0        0.0.0.0      -        "-"                0        0        0x00     1         00:0f:34:5f:16:8d_01:00:0c:cc:cc:cc_1  CiscoSyst,US_CDP           1           0            353          0             353       353       353         0           0       0         0          0             0         0         1       1       0x00             0        0        0           0            0
A     6        0x0000000000000004  1277840525.404193  1277840525.404193  0.000000  1           3        eth:llc:cdp              00:13:c4:12:0f:0d  01:00:0c:cc:cc:cc  0x2000              0.0.0.0      -        "-"                0        0.0.0.0      -        "-"                0        0        0x00     1         00:13:c4:12:0f:0d_01:00:0c:cc:cc:cc_1  CiscoSyst,US_CDP           1           0            353          0             353       353       353         0           0       0         0          0             0         0         1       1       0x00             0        0        0           0            0
A     7        0x0000000000000104  1277840528.106320  1277840528.106320  0.000000  1           4        eth:vlan:llc:cdp         00:1b:d4:1b:a4:d8  01:00:0c:cd:cd:d0  0x2000   118        0.0.0.0      -        "-"                0        0.0.0.0      -        "-"                0        0        0x00     1         00:1b:d4:1b:a4:d8_01:00:0c:cd:cd:d0_1  CiscoSyst,US_-             1           0            349          0             349       349       349         0           0       0         0          0             0         0         1       1       0x00             0        0        0           0            0
A     8        0x0000000000000104  1277840530.538713  1277840530.538713  0.000000  1           4        eth:vlan:llc:cdp         00:21:55:c8:f1:3c  01:00:0c:cd:cd:d0  0x2000   209        0.0.0.0      -        "-"                0        0.0.0.0      -        "-"                0        0        0x00     1         00:21:55:c8:f1:3c_01:00:0c:cd:cd:d0_1  CiscoSyst,US_-             1           0            347          0             347       347       347         0           0       0         0          0             0         0         1       1       0x00             0        0        0           0            0
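To show what T2_HDRDESC_AGGR does to the hdrDesc column, here is an added example (POSIX shell and awk, not the core's implementation) that collapses runs of identical adjacent headers into the vlan{2} notation seen with aggregation on, and expands them back into the vlan:vlan form seen with aggregation off. It assumes only the colon-separated layout and the {n} suffix visible in the flow files above.

```shell
#!/bin/sh
# aggr_hdrdesc DESC: collapse runs of identical adjacent headers (T2_HDRDESC_AGGR=1 style).
#   eth:vlan:vlan:ipv4:icmp  ->  eth:vlan{2}:ipv4:icmp
aggr_hdrdesc() {
    printf '%s\n' "$1" | awk -F ':' '
    {
        out = ""; run = 1
        for (i = 1; i <= NF; i++) {
            if (i < NF && $(i + 1) == $i) { run++; continue }   # same header follows: extend the run
            h = (run > 1) ? $i "{" run "}" : $i
            out = (out == "") ? h : out ":" h
            run = 1
        }
        print out
    }'
}

# expand_hdrdesc DESC: the inverse (T2_HDRDESC_AGGR=0 style), one entry per header.
#   eth:vlan{2}:ipv4:icmp  ->  eth:vlan:vlan:ipv4:icmp
expand_hdrdesc() {
    printf '%s\n' "$1" | awk -F ':' '
    {
        out = ""
        for (i = 1; i <= NF; i++) {
            h = $i; n = 1
            if (match(h, /[{][0-9]+[}]$/)) {          # trailing {n}: repeat the header n times
                n = substr(h, RSTART + 1, RLENGTH - 2) + 0
                h = substr(h, 1, RSTART - 1)
            }
            for (j = 1; j <= n; j++) out = (out == "") ? h : out ":" h
        }
        print out
    }'
}

aggr_hdrdesc 'eth:vlan:vlan:ipv4:icmp'    # eth:vlan{2}:ipv4:icmp
expand_hdrdesc 'eth:vlan{2}:ipv4:icmp'    # eth:vlan:vlan:ipv4:icmp
```

Piped through a flow file's hdrDesc column, aggr_hdrdesc gives a quick check that two result files produced with different T2_HDRDESC_AGGR settings describe the same header stacks.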

Conclusion

Play around a bit with the different modes applied to other pcaps, and do not forget to reset the core to the default mode for the other tutorials and recompile the loaded plugins, as they also implement the IPV6_ACTIVATE and ETH_ACTIVATE constants.

t2conf tranalyzer2 -D IPV6_ACTIVATE=2 -D ETH_ACTIVATE=1 -D T2_PRI_HDRDESC=1 -D T2_HDRDESC_AGGR=1

t2build -R

Or use the new command:

t2conf --reset tranalyzer2

Have fun experimenting with the Anteater!