Plugin kung fu
Contents
Introduction
If you are somewhat familiar with t2 plugin coding, you have probably run into problems that we encountered ourselves and produced support for. In this tutorial we discuss some special cases that might help to speed up your research or the development of production plugins.
Getting started
Tranalyzer2 core configuration
t2conf tranalyzer2 -D ALARM_MODE=1
Required plugins
First, remove all non-standard plugins by invoking
t2build -e -y
Are you sure you want to empty the plugin folder '/home/user/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then, compile the core (tranalyzer2) and the following plugins:
- basicFlow
- basicStats
- txtSink
...
BUILDING SUCCESSFUL
PCAP file
If you have not created a separate data and results directory yet, please do it now. This will greatly facilitate your workflow:
mkdir ~/data ~/results
Download the faf-exercise.pcap PCAP file and move it to ~/data:
mv ~/Downloads/annoloc2.pcap ~/data/
Source code
Here is the basis plugin which we will extend: tcpWin.tar.gz
Unpack it in the plugins folder of your T2 installation:
tranpl
tar -xf ~/Downloads/tcpWin.tar.gz
And let t2_aliases know about it:
source ../scripts/t2_aliases
Everything you always wanted to know about flow output
T2 is very flexible in flow output.
How to build your own wurst
just add wurst
T2 hash functions
just use hash
Integrate the nudel
the noodle hops
See also
- Plugin programming cheatsheet
- The basics: your first flow plugin
- Plugin end report
- Plugin monitoring
- Plugin packet mode
- Plugin summary files
- Plugin geo labeling
- Plugin dependencies
- Plugin alarm mode
- Plugin force mode
- Plugin pcap extraction
- Plugin flow timeout
- Plugin sink
- Developing Tranalyzer plugins in C++
- Developing Tranalyzer plugins in Rust