Tutorial: MAC labelling

Introduction

The macRecorder plugin labels MAC addresses by manufacturer (based on the OUI, the first three octets) and also supports user-defined labelling, e.g. for corporate inventories or training purposes.

Preparation

First, restore T2 to a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins, then compile the following plugins:

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$ t2build -f tranalyzer2 basicFlow tcpStates macRecorder txtSink
...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, do it now in another bash window; it simplifies the workflow:

$ mkdir ~/data ~/results
$

The anonymized sample PCAP used in this tutorial can be downloaded here: faf-exercise.pcap. Please extract it under your data folder. Now you are all set for T2 MAC label experiments.

macRecorder plugin

Move to the macRecorder plugin directory and look at its contents:

$ macRecorder
$ ls
autogen.sh  configure.ac  COPYING  default.config  doc  maclbl.txt  Makefile.am  manuf.txt  src  t2plconf  tests  utils
$

Look into the manufacturer file manuf.txt. The first column holds the first 3 octets of the MAC (the OUI), the second the short description you will see in the flow or packet based output, as you already saw in tutorials such as Basic Analysis. The third is the full manufacturer name.

$ head -n 15 manuf.txt | tcol
0x000000  00:00:00  Officially Xerox, but 0:0:0:0:0:0 is more common
0x000001  Xerox     Xerox Corporation
0x000002  Xerox     Xerox Corporation
0x000003  Xerox     Xerox Corporation
0x000004  Xerox     Xerox Corporation
0x000005  Xerox     Xerox Corporation
0x000006  Xerox     Xerox Corporation
0x000007  Xerox     Xerox Corporation
0x000008  Xerox     Xerox Corporation
0x000009  Powerpip  powerpipes?
0x00000A  OmronTat  Omron Tateisi Electronics Co.
0x00000B  Matrix    Matrix Corporation
0x00000C  Cisco     Cisco Systems, Inc
0x00000D  Fibronic  Fibronics Ltd.
0x00000E  Fujitsu   Fujitsu Limited
...
$

Unlike manufacturer labelling, user MAC labelling is not switched on by default. If you open the maclbl.txt table you see a number of standard definitions of IEEE group MAC addresses. The second column is a numeric label, which is often more convenient for script based post processing or classification purposes than the text in the third column. Note that maclbl.txt is matched on the full address, whereas manuf.txt is matched on the OUI prefix only.

$ cat maclbl.txt
#Group MAC address  NumLabel  Notes
01:80:C2:00:00:00   1         Nearest Customer Bridge group address
01:80:C2:00:00:01   2         IEEE MAC-specific Control Protocols group address
01:80:C2:00:00:02   3         Slow_Protocols_Multicast address
01:80:C2:00:00:03   4         Nearest non-TPMR Bridge group address
01:80:C2:00:00:04   5         IEEE MAC-specific Control Protocols group address
01:80:C2:00:00:05   6         Reserved for future standardization
01:80:C2:00:00:06   7         Reserved for future standardization
01:80:C2:00:00:07   8         MEF Forum ELMI protocol group address
01:80:C2:00:00:08   9         Provider Bridge group address
01:80:C2:00:00:09   10        Reserved for future standardization
01:80:C2:00:00:0A   11        Reserved for future standardization
01:80:C2:00:00:0B   12        EDE-SS PEP Address
01:80:C2:00:00:0C   13        Reserved for future standardization
01:80:C2:00:00:0D   14        Provider Bridge MVRP address
...
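The following shell script is an added example, not code from the tutorial or from the macRecorder plugin. It performs the two lookups described above on constructed excerpts of manuf.txt and maclbl.txt (OUI prefix match for the manufacturer, exact match for the user label), and goes a step beyond the page by decoding the group and locally administered bits of the first octet, which tells you when a manufacturer label is not to be trusted: a locally administered address (randomised Wi-Fi MACs, most VMs, anything spoofed) carries no vendor OUI. The file layouts follow this page; the table contents, the function names and the sample addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Tranalyzer tutorial or the macRecorder
# plugin: resolves a MAC address against a manuf.txt-style table (keyed on the
# OUI, the first 3 octets) and a maclbl.txt-style table (keyed on the full
# address), the two lookups behind the srcManuf_dstManuf and srcLbl_dstLbl
# columns, and decodes the I/G and U/L bits of the first octet.
# Both tables below are constructed excerpts in the layout shown on this page.

WORK="${TMPDIR:-/tmp}/maclbl_lookup.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/manuf.txt" <<'EOF'
0x00000C  Cisco     Cisco Systems, Inc
0x000BDB  Dell      Dell Inc.
0x0019E3  Apple     Apple, Inc.
EOF

cat > "$WORK/maclbl.txt" <<'EOF'
#Group MAC address  NumLabel  Notes
01:80:C2:00:00:00   1         Nearest Customer Bridge group address
01:80:C2:00:00:02   3         Slow_Protocols_Multicast address
00:0b:db:4f:6b:10   1000      Host 1000
EOF

# Lower-case colon notation, so that lookups do not depend on the case used in
# the table (the page's maclbl.txt mixes upper- and lower-case hex).
mac_norm() { printf '%s\n' "$1" | tr 'A-F' 'a-f'; }

# OUI as 0xXXXXXX, the key column of manuf.txt.
mac_oui() { mac_norm "$1" | awk -F: '{ printf "0x%s\n", toupper($1 $2 $3) }'; }

# Short manufacturer name (column 2 of manuf.txt); "-" when the OUI is unknown.
mac_manuf() {
    awk -v k="$(mac_oui "$1")" '
        $1 == k { print $2; found = 1; exit }
        END { if (!found) print "-" }' "$WORK/manuf.txt"
}

# User label of a MAC: the text label by default, the NumLabel with a second
# argument "num"; "-" when there is no exact entry.
mac_label() {
    awk -v k="$(mac_norm "$1")" -v mode="${2:-text}" '
        /^#/ { next }
        tolower($1) == k {
            if (mode == "num") { print $2 } else { $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print }
            found = 1; exit
        }
        END { if (!found) print "-" }' "$WORK/maclbl.txt"
}

# Address type from the first octet: bit 0 is I/G (group vs unicast), bit 1 is
# U/L (locally administered vs globally assigned by the IEEE). A "local"
# address has no vendor OUI, so any manufacturer match for it is meaningless.
mac_type() {
    awk -v h="$(mac_norm "$1" | cut -d: -f1)" 'BEGIN {
        n = 0
        for (i = 1; i <= 2; i++) n = n * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
        ig = (n % 2) ? "group" : "unicast"
        ul = (int(n / 2) % 2) ? "local" : "global"
        printf "%s %s\n", ig, ul
    }'
}

# One line per MAC: address, manufacturer, NumLabel, text label, address type.
mac_resolve() {
    printf '%s\t%s\t%s\t%s\t%s\n' "$1" "$(mac_manuf "$1")" \
        "$(mac_label "$1" num)" "$(mac_label "$1")" "$(mac_type "$1")"
}

# Two addresses from the page, one IEEE group address, one randomised address.
for m in 00:0b:db:4f:6b:10 00:19:E3:E7:5D:23 01:80:c2:00:00:02 da:a1:19:3c:7e:01; do
    mac_resolve "$m"
done
```

The functions use only POSIX sh and awk, so the same lookups can sit in a post-processing pipeline next to tawk. Keep in mind that a MAC label, whether manufacturer or user defined, is an inventory hint and not an identity: the address is chosen by the sender and costs nothing to change.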

Now move to the src/ directory and look into the macRecorder.h file

$ cd src
$ ls
macLbl.c  macLbl.h  macRecorder.c  macRecorder.h  Makefile.am
$ vi macRecorder.h

The MR_MAC_FMT constant controls the output format of MAC addresses: for quick plotting, an integer or a hex number on the x-axis is easier to compute with than the default ':' notation. The MR_NPAIRS constant denotes whether MAC pairs are unique or not, and the number of MAC pairs to be printed is defined by MR_MAX_MAC. MR_MANUF controls the manufacturer labelling. And here we come to our topic, the user MAC labelling, which is controlled by MR_MACLBL.

Either set MR_MACLBL to 1 in macRecorder.h or use t2conf, then recompile the plugin and rerun T2 on the pcap:

$ t2conf macRecorder -D MR_MACLBL=1
$ t2build macRecorder
...
$ t2 -r ~/data/faf-exercise.pcap -w ~/results/
...
$

If you look into the flow file, srcLbl_dstLbl only contains -_- (no label on either side), as none of the MACs match the IEEE group addresses in maclbl.txt.

$ head -n 10 faf-exercise_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration    numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP           srcIPCC  srcIPOrg                       srcPort  dstIP           dstIPCC  dstIPOrg                       dstPort  l4Proto  macStat  macPairs  srcMac_dstMac_numP                        srcManuf_dstManuf  srcLbl_dstLbl  tcpStates
A     1        0x0400000000004000  1258544215.037210  1258544215.372742  0.335532    1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104   07       "Private network"              1258     77.67.44.206    gb       "Akamai Technologies"          80       6        0x00     1         00:0b:db:4f:6b:10_00:19:e3:e7:5d:23_6     Dell_Apple         -_-            0x00
B     1        0x0400000000004001  1258544215.202900  1258544215.537951  0.335051    1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              77.67.44.206    gb       "Akamai Technologies"          80       192.168.1.104   07       "Private network"              1258     6        0x00     1         00:19:e3:e7:5d:23_00:0b:db:4f:6b:10_7     Apple_Dell         -_-            0x00
A     2        0x0400000000004000  1258544216.385370  1258544216.723144  0.337774    1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104   07       "Private network"              1259     77.67.44.206    gb       "Akamai Technologies"          80       6        0x00     1         00:0b:db:4f:6b:10_00:19:e3:e7:5d:23_5     Dell_Apple         -_-            0x00
B     2        0x0400000000004001  1258544216.551313  1258544216.888595  0.337282    1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              77.67.44.206    gb       "Akamai Technologies"          80       192.168.1.104   07       "Private network"              1259     6        0x00     1         00:19:e3:e7:5d:23_00:0b:db:4f:6b:10_4     Apple_Dell         -_-            0x00
A     3        0x0400000000004000  1258544216.908284  1258544217.008468  0.100184    1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104   07       "Private network"              1260     198.189.255.75  us       "California State University"  80       6        0x00     1         00:0b:db:4f:6b:10_00:19:e3:e7:5d:23_18    Dell_Apple         -_-            0x00
B     3        0x0400000000004001  1258544216.915576  1258544217.008019  0.092443    1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              198.189.255.75  us       "California State University"  80       192.168.1.104   07       "Private network"              1260     6        0x00     1         00:19:e3:e7:5d:23_00:0b:db:4f:6b:10_73    Apple_Dell         -_-            0x00
A     4        0x0400000000004000  1258544217.003718  1258544217.348506  0.344788    1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104   07       "Private network"              1261     77.67.44.206    gb       "Akamai Technologies"          80       6        0x00     1         00:0b:db:4f:6b:10_00:19:e3:e7:5d:23_5     Dell_Apple         -_-            0x00
B     4        0x0400000000004001  1258544217.169421  1258544217.513942  0.344521    1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              77.67.44.206    gb       "Akamai Technologies"          80       192.168.1.104   07       "Private network"              1261     6        0x00     1         00:19:e3:e7:5d:23_00:0b:db:4f:6b:10_4     Apple_Dell         -_-            0x00
A     5        0x0400000000004000  1258544217.349751  1258544217.413719  0.063968    1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104   07       "Private network"              1262     198.189.255.75  us       "California State University"  80       6        0x00     1         00:0b:db:4f:6b:10_00:19:e3:e7:5d:23_9     Dell_Apple         -_-            0x00
$

So we need to define our own labels. As an exercise, first save a copy of maclbl.txt. Then extract the MAC addresses from the flow file: the srcMac_dstMac_numP column of macRecorder may contain more than one MAC pair per flow, which you would have to split apart first, so it is simpler to use the srcMac and dstMac columns of the basicFlow plugin. Sort them, remove duplicates, add a numeric and a text label, and append the result to maclbl.txt. Be aware that the IEEE group entries already use the numeric labels 1 to 69 (the last entry shown below is 69); if you intend to use numeric label output, start your counter above that range, otherwise a numeric label no longer identifies a single address. Recompile macRecorder with the -f option so that a new maclbl.bin is produced and installed, then rerun T2 on the same pcap. Since we are still in src/, move back to the plugin directory first.

$ cd ..
$ cp maclbl.txt maclblB.txt
$ tawk '/:/ { print $srcMac; print $dstMac }' ~/results/faf-exercise_flows.txt | sort -u | awkf '{ print $1, ++i, "Host " i }' >> maclbl.txt
$ t2build -f macRecorder
$ t2 -r ~/data/faf-exercise.pcap -w ~/results/
...
$

maclbl.txt should now look like that:

$ cat maclbl.txt
#Group MAC address    NumLabel        Notes
01:80:C2:00:00:00       1       Nearest Customer Bridge group address
01:80:C2:00:00:01       2       IEEE MAC-specific Control Protocols group address
01:80:C2:00:00:02       3       Slow_Protocols_Multicast address
01:80:C2:00:00:03       4       Nearest non-TPMR Bridge group address
...
09:00:2B:00:00:04       68      All End System Network Entities Address
09:00:2B:00:00:05       69      All Intermediate System Network Entities Address
00:08:74:38:01:b4       1       Host 1
00:0b:db:4f:6b:10       2       Host 2
00:0b:db:63:58:a6       3       Host 3
00:0b:db:63:5b:d4       4       Host 4
00:19:e3:e7:5d:23       5       Host 5
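The following shell script is an added example, not part of the tutorial or of the macRecorder plugin. It redoes the append step above with plain awk instead of the tawk/awkf aliases (so it runs without T2 installed), numbers the hosts from 1000 so that the numeric labels cannot collide with the IEEE entries (1000 is a choice made for this example), skips addresses already present in the table, and then checks the merged table for duplicated MACs and reused NumLabels, which the one-liner above does not catch. The flow file and the label table it works on are constructed excerpts with the columns and layout shown on this page; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the tutorial or the macRecorder plugin: builds
# the host entries for maclbl.txt from the srcMac/dstMac columns of a T2 flow
# file and checks the merged table for the two mistakes the bare pipeline on
# this page allows: a MAC listed twice, and a NumLabel shared by two different
# addresses (the IEEE group entries already occupy 1..69, so hosts are numbered
# from 1000). The flow file and label table are constructed excerpts.

WORK="${TMPDIR:-/tmp}/maclbl_gen.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed flow file: tab separated, header line first, as T2 writes it.
{
    printf '%%dir\tflowInd\tsrcMac\tdstMac\tsrcIP\tdstIP\n'
    printf 'A\t1\t00:0b:db:4f:6b:10\t00:19:e3:e7:5d:23\t192.168.1.104\t77.67.44.206\n'
    printf 'B\t1\t00:19:e3:e7:5d:23\t00:0b:db:4f:6b:10\t77.67.44.206\t192.168.1.104\n'
    printf 'A\t2\t00:08:74:38:01:b4\t00:19:E3:E7:5D:23\t192.168.1.7\t198.189.255.75\n'
} > "$WORK/flows.txt"

# Constructed start of the plugin's maclbl.txt, same layout as the original.
{
    printf '#Group MAC address\tNumLabel\tNotes\n'
    printf '01:80:C2:00:00:00\t1\tNearest Customer Bridge group address\n'
    printf '01:80:C2:00:00:01\t2\tIEEE MAC-specific Control Protocols group address\n'
    printf '09:00:2B:00:00:05\t69\tAll Intermediate System Network Entities Address\n'
} > "$WORK/maclbl.txt"

# gen_host_labels FLOWS LBLFILE [START]: prints "mac<TAB>NumLabel<TAB>Host N"
# for every MAC in the srcMac/dstMac columns that LBLFILE does not already
# contain, sorted, numbered from START (default 1000). The columns are found by
# name in the header line, as tawk does, so the column order does not matter.
gen_host_labels() {
    awk -F'\t' -v OFS='\t' -v start="${3:-1000}" '
        # first file: addresses already in the label table, any case, any separator
        NR == FNR { if ($0 !~ /^#/ && NF) { split($0, f, /[ \t]+/); have[tolower(f[1])] = 1 }; next }
        # second file, header line: locate the MAC columns by name
        FNR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; s = col["srcMac"]; d = col["dstMac"]; next }
        { if ($s != "") seen[tolower($s)] = 1; if ($d != "") seen[tolower($d)] = 1 }
        END {
            n = 0
            for (m in seen) if (!(m in have)) keys[++n] = m
            # sort the new addresses so the numbering is reproducible
            for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++) if (keys[j] < keys[i]) { t = keys[i]; keys[i] = keys[j]; keys[j] = t }
            for (i = 1; i <= n; i++) print keys[i], start + i - 1, "Host " (start + i - 1)
        }' "$2" "$1"
}

# check_labels LBLFILE: prints every duplicated MAC and every reused NumLabel,
# exits non-zero if any was found, prints "ok" otherwise.
check_labels() {
    awk '
        /^#/ || NF < 2 { next }
        {
            m = tolower($1)
            if (m in mac) { bad++; print "duplicate MAC " $1 " (lines " mac[m] " and " FNR ")" } else mac[m] = FNR
            if (($2 in num)) { bad++; print "NumLabel " $2 " reused by " num[$2] " and " $1 } else num[$2] = $1
        }
        END { if (!bad) print "ok"; exit (bad > 0) }' "$1"
}

# 1. the tutorial's append step, with a numeric range clear of the IEEE entries
gen_host_labels "$WORK/flows.txt" "$WORK/maclbl.txt" 1000 > "$WORK/hosts.txt"
cat "$WORK/hosts.txt"
cat "$WORK/hosts.txt" >> "$WORK/maclbl.txt"
# 2. verify the merged table before t2build -f turns it into maclbl.bin
check_labels "$WORK/maclbl.txt"

# What a counter starting at 1 and a second run of the pipeline produce: the
# host takes the NumLabel of an IEEE entry and is listed twice.
{ cat "$WORK/maclbl.txt"; printf '00:0B:DB:4F:6B:10\t1\tHost 1\n'; } > "$WORK/maclbl_bad.txt"
check_labels "$WORK/maclbl_bad.txt" || echo "maclbl_bad.txt: fix the table before t2build -f"
```

Run the check on the real maclbl.txt before t2build -f: the plugin compiles the table into maclbl.bin, so an error in the table is not visible until you inspect the flow output.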

macLbl.h defines where the binary MAC label file (maclbl.bin) is read from and the maximum length of a label.

$ vi src/macLbl.h

Open the flow file in the results directory and you will see that the flows are now tagged with your labels in the srcLbl_dstLbl column:

$ head -n 10 ~/results/faf-exercise_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration    numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP           srcIPCC  srcIPOrg                       srcPort  dstIP           dstIPCC  dstIPOrg                       dstPort  l4Proto  macStat  macPairs  srcMac_dstMac_numP                        srcManuf_dstManuf  srcLbl_dstLbl  tcpStates
A     1        0x0400000000004000  1258544215.037210  1258544215.372742  0.335532    1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104   07       "Private network"              1258     77.67.44.206    gb       "Akamai Technologies"          80       6        0x00     1         00:0b:db:4f:6b:10_00:19:e3:e7:5d:23_6     Dell_Apple         Host 2_Host 5  0x00
B     1        0x0400000000004001  1258544215.202900  1258544215.537951  0.335051    1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              77.67.44.206    gb       "Akamai Technologies"          80       192.168.1.104   07       "Private network"              1258     6        0x00     1         00:19:e3:e7:5d:23_00:0b:db:4f:6b:10_7     Apple_Dell         Host 5_Host 2  0x00
A     2        0x0400000000004000  1258544216.385370  1258544216.723144  0.337774    1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104   07       "Private network"              1259     77.67.44.206    gb       "Akamai Technologies"          80       6        0x00     1         00:0b:db:4f:6b:10_00:19:e3:e7:5d:23_5     Dell_Apple         Host 2_Host 5  0x00
B     2        0x0400000000004001  1258544216.551313  1258544216.888595  0.337282    1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              77.67.44.206    gb       "Akamai Technologies"          80       192.168.1.104   07       "Private network"              1259     6        0x00     1         00:19:e3:e7:5d:23_00:0b:db:4f:6b:10_4     Apple_Dell         Host 5_Host 2  0x00
A     3        0x0400000000004000  1258544216.908284  1258544217.008468  0.100184    1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104   07       "Private network"              1260     198.189.255.75  us       "California State University"  80       6        0x00     1         00:0b:db:4f:6b:10_00:19:e3:e7:5d:23_18    Dell_Apple         Host 2_Host 5  0x00
B     3        0x0400000000004001  1258544216.915576  1258544217.008019  0.092443    1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              198.189.255.75  us       "California State University"  80       192.168.1.104   07       "Private network"              1260     6        0x00     1         00:19:e3:e7:5d:23_00:0b:db:4f:6b:10_73    Apple_Dell         Host 5_Host 2  0x00
A     4        0x0400000000004000  1258544217.003718  1258544217.348506  0.344788    1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104   07       "Private network"              1261     77.67.44.206    gb       "Akamai Technologies"          80       6        0x00     1         00:0b:db:4f:6b:10_00:19:e3:e7:5d:23_5     Dell_Apple         Host 2_Host 5  0x00
B     4        0x0400000000004001  1258544217.169421  1258544217.513942  0.344521    1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              77.67.44.206    gb       "Akamai Technologies"          80       192.168.1.104   07       "Private network"              1261     6        0x00     1         00:19:e3:e7:5d:23_00:0b:db:4f:6b:10_4     Apple_Dell         Host 5_Host 2  0x00
A     5        0x0400000000004000  1258544217.349751  1258544217.413719  0.063968    1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104   07       "Private network"              1262     198.189.255.75  us       "California State University"  80       6        0x00     1         00:0b:db:4f:6b:10_00:19:e3:e7:5d:23_9     Dell_Apple         Host 2_Host 5  0x00
$

As an exercise, set MR_MACLBW (see macRecorder.h) to 0 for numerical label output, recompile, rerun T2 and look at the srcLbl_dstLbl column in the flow file.

Otherwise, if you don't want to keep your changes, don't forget to move the original maclbl.txt back, reset MR_MACLBL and recompile with t2build -f:

$ mv maclblB.txt maclbl.txt
$ t2conf macRecorder -D MR_MACLBL=0
$ t2build -f macRecorder
...
$

Have fun!