Plugin monitoring


Introduction

As detailed in the monitoring mode tutorial, T2 can be controlled remotely either by USR1/2 signals or by the t2stat command. Each plugin can implement a monitoring function, which is called during monitoring or report operation.

Getting started

Create folders for your data and results

If you have not created a separate data and results directory yet, please do it now. This will greatly facilitate your workflow:

mkdir ~/data ~/results

Reset tranalyzer2 and the plugins configuration

If you have followed the other tutorials, you may have modified some of the core and plugin configuration. To ensure your results match those in this tutorial, make sure to reset everything:

t2conf -a --reset

You can also clean all build files:

t2build -a -c

Empty the plugin folder

To ensure we are not left with unneeded plugins, or with plugins that were built using a different core configuration, it is safer to empty the plugins folder:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/user/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Download the PCAP file

The PCAP file used in this tutorial can be downloaded here:

Please save it in your ~/data folder:

wget --no-check-certificate -P ~/data https://tranalyzer.com/download/data/annoloc2.pcap

Configure Tranalyzer2 core

For this tutorial, we need to activate the monitoring mode using PCAP time, and we want T2 to produce a differential machine report. All the required flags reside in main.h:

  • tranalyzer2/src/main.h

    • MONINTTMPCP=1 (monitoring mode using PCAP time)
    • DIFF_REPORT=1 (differential report)
    • MACHINE_REPORT=1 (machine report)

Change the configuration of Tranalyzer2 using the following t2conf command:

t2conf tranalyzer2 -D MONINTTMPCP=1 -D DIFF_REPORT=1 -D MACHINE_REPORT=1

Build tranalyzer2 and the required plugins

For this tutorial, we will need to build the core (tranalyzer2) and the following plugin:

  • tcpStates

We do not need flow output, so no sink plugin is needed.

As you may have modified some of the automatically generated files, it is safer to use the -r (rebuild) and -f (force) options:

t2build -r -f tranalyzer2 tcpStates

...

BUILDING SUCCESSFUL

Source code

In this tutorial, we will extend tcpWin03.tar.gz, the final version of the previous tutorial (Plugin end report).

If you are impatient, you can download the intermediate and final versions of the tcpWin plugin we will develop in this tutorial.

To use one of those plugins, just unpack it in the plugins folder of your T2 installation.

tranpl

tar -xf ~/Downloads/tcpWin05.tar.gz

And let t2_aliases know about it:

source "$T2HOME/scripts/t2_aliases"

Implementing the monitoring

If your plugin wants to contribute information to the monitoring mode, it needs global variables holding the aggregated values and a void t2Monitoring(FILE *stream, uint8_t state) callback.

So open tcpWin.c and add the global variables after the tcpWinFlows definition. Look for the // <-- markers below. If you already completed the end report tutorial, you only need to add the winThCntG0 variable, which is used in differential mode to store the old value of winThCntG. If this is your first plugin, add all the marked variables: winThCntG, winThCntG0 and tcpWinStat. Note that if you use one of the T2_LOG*_DIFF*() macros, the variables MUST follow this naming convention: the variable holding the old value has the name of the variable holding the current value suffixed with 0, e.g., static uint8_t myVar, myVar0;.

tcpWin

vi src/tcpWin.c

...

/*
 * Plugin variables that may be used by other plugins (MUST be declared in
 * the header file as 'extern tcpWinFlow_t *tcpWinFlows;')
 */

tcpWinFlow_t *tcpWinFlows;


/*
 * Static variables are only visible in this file
 */

static uint32_t pktTcpCnt;              // Aggregated TCP packet count
static uint32_t winThCntG, winThCntG0;  // <-- Aggregated win threshold count and variable for the last threshold count
static uint8_t tcpWinStat;              // <-- Aggregated status
...

Then, if you did not do the end report tutorial, add the lines marked by // <-- in the t2OnFlowTerminate(...) callback to aggregate the tcpWinStat flags and the winThCnt counts of all flows. Here we aggregate all flow information into global variables.

vi src/tcpWin.c

...
void t2OnFlowTerminate(unsigned long flowIndex, outputBuffer_t *buf) {
    tcpWinFlow_t * const tcpWinFlowP = &tcpWinFlows[flowIndex];

    tcpWinStat |= tcpWinFlowP->stat;        // <-- Aggregate all packet flags
    pktTcpCnt  += tcpWinFlowP->pktTcpCnt;   // Count all TCP packets
    winThCntG  += tcpWinFlowP->winThCnt;    // <-- Sum all winThCnt packet counts

    OUTBUF_APPEND_U8(buf, tcpWinFlowP->stat);
    OUTBUF_APPEND_U8(buf, tcpWinFlowP->ttl);
    OUTBUF_APPEND_U32(buf, tcpWinFlowP->tcpWinInit);
    OUTBUF_APPEND_U32(buf, tcpWinFlowP->winThCnt);

    float f = 0.0;
    if (tcpWinFlowP->pktTcpCnt) f = (float)tcpWinFlowP->winThCnt/(float)tcpWinFlowP->pktTcpCnt;

    OUTBUF_APPEND_FLT(buf, f);
}
...

Note that a snapshot taken by the monitoring now only represents the terminated flows, not the actual state of the flows currently in memory. If you want the latter, you need to move that code, slightly modified, into the t2OnLayer4(...) callback. We will try that later.

Implementing the t2Monitoring() callback

Now add the void t2Monitoring(FILE *stream, uint8_t state) callback after the t2OnFlowTerminate(...) callback (or after the t2PluginReport(...) callback if you implemented the end report already).

The t2Monitoring(...) function is called by the core:

  • At T2 initialization: T2_MON_PRI_HDR for the machine mode to output header information.
  • At a USR1/2 interrupt: T2_MON_PRI_VAL to print data in the machine mode and T2_MON_PRI_REPORT for the report mode.

Note the DIFF_REPORT preprocessor block at the end of the function, which saves the old winThCntG value so that the next call can output the difference.

If a case is not implemented, nothing is printed for that state.

vi src/tcpWin.c

...

/*
 * This function is used to report information regarding the plugin
 * at regular interval or when a USR1 signal is received.
 */
void t2Monitoring(FILE *stream, uint8_t state) {

    switch (state) {

        // Print the name of the variables that will be output
        case T2_MON_PRI_HDR: // hdr output at the beginning
            fputs("winPktThCnt" SEP_CHR, stream); // Note the trailing separator (SEP_CHR)
            return;

        // Print the variables to monitor
        case T2_MON_PRI_VAL: // USR1/2 interrupt machine mode
            // Note the trailing separator (SEP_CHR)
            fprintf(stream, "%" PRIu32 /* winPktThCnt */ SEP_CHR, winThCntG - winThCntG0);
            break;

        // Print a report similar to t2PluginReport()
        case T2_MON_PRI_REPORT: // USR1/2 interrupt report mode
            T2_FPLOG_DIFFNUMP(stream, plugin_name,
                    "Number of TCP winsize packets below threshold " STR(TCPWIN_THRES),
                    winThCntG, numPackets);
            break;

        default:  // Invalid state, do nothing
            return;
    }

#if DIFF_REPORT == 1
    winThCntG0 = winThCntG; // differential mode, save the old value
#endif // DIFF_REPORT == 1
}

...

After editing the skeleton code, compare your implementation with tcpWin04.tar.gz.

Now compile tcpWin.

t2build tcpWin

If compilation was error free, run T2 with the -l option, which redirects all end report information to the file ~/results/annoloc2_log.txt.

t2 -r ~/data/annoloc2.pcap -l -w ~/results/

%repTyp   time                dur          memUsageKB  fillSzHashMap  numFlows  numAFlows  numBFlows  numPkts  numAPkts  numBPkts  numV4Pkts  numV6Pkts  numVxPkts  numBytes  numABytes  numBBytes  numFrgV4Pkts  numFrgV6Pkts  numAlarms  rawBandwidth  globalWarn          0x0042Pkts  0x0042Bytes  0x00fePkts  0x00feBytes  0x0806Pkts  0x0806Bytes  0x8035Pkts  0x8035Bytes  0x0800Pkts  0x0800Bytes  0x86ddPkts  0x86ddBytes  ICMPPkts  ICMPBytes  IGMPPkts  IGMPBytes  TCPPkts  TCPBytes  UDPPkts  UDPBytes  GREPkts  GREBytes  ICMPv6Pkts  ICMPv6Bytes  SCTPPkts  SCTPBytes  winPktThCnt
USR1MR_D  1022171702.125000   0.308953000  18857       2144           2152      1220       932        14548    6878      7670      14542      3          0          765516    358988     406528     31            0             0          262155.094    0x0c00881a0202c044  0           0            0           0            3           126          0           0            14542       765256       3           134          34        2220       0         0          11316    628896    3192     134172    0        0         0           0            0         0          5
USR1MR_D  1022171703.027000   0.999902000  2039        1735           1770      963        807        49194    22820     26374     49162      22         0          2586276   1191528    1394748    97            0             0          270888.438    0x0c00987a0202c044  0           0            0           0            10          420          0           0            49162       2584404      22          1452         129       7938       0         0          37923    2109222   11132    468696    0        0         0           0            0         0          23
USR1MR_D  1022171704.334000   1.307000     848         1069           1131      650        481        48765    22660     26105     48734      26         0          2562726   1182212    1380514    91            0             0          267914.906    0x0c00987a0202c044  0           0            0           0            5           210          0           0            48734       2560800      26          1716         133       8202       0         0          37502    2085364   11125    468950    0        0         0           0            0         0          39
USR1MR_D  1022171705.030000   0.999696000  574         757            833       489        344        47156    22079     25077     47146      2          0          2471500   1148578    1322922    91            0             0          253765.031    0x0c00987a0202c044  0           0            0           0            8           336          0           0            47146       2471064      2           100          124       7704       0         0          36153    2006038   10870    457388    0        0         0           0            0         0          43
USR1MR_D  1022171706.009000   0.999979000  528         618            687       384        303        47251    21942     25309     47239      3          0          2480982   1143508    1337474    96            0             0          257045.938    0x0c00987a0202c044  0           0            0           0            9           378          0           0            47239       2480442      3           162          139       8814       0         0          36192    2013364   10909    458330    0        0         1           62           0         0          52
USR1MR_D  1022171707.298000   1.289000     488         628            714       396        318        48061    22155     25906     48038      5          0          2520286   1153038    1367248    71            0             0          263887.188    0x0c00987a0202d044  0           0            0           0            18          756          0           0            48038       2519208      5           322          112       7032       0         0          37267    2064558   10657    447646    5        170       2           124          0         0          47
USR1MR_D  1022171708.102000   0.999804000  467         559            622       339        283        48284    22114     26170     48262      3          0          2539600   1155564    1384036    79            0             0          266056.719    0x0c00987a0202d044  0           0            0           0            19          798          0           0            48262       2538612      3           190          117       7458       0         0          37526    2084196   10619    446990    1        34        2           124          0         0          37
USR1MR_D  1022171709.695000   1.593000     335         527            598       351        247        49272    22973     26299     49249      7          0          2587936   1198894    1389042    96            0             0          270947.375    0x0c00987a0202d044  0           0            0           0            16          672          0           0            49249       2586870      7           394          143       8910       0         0          38179    2117206   10931    461018    0        0         1           62           0         0          58
USR1MR_D  1022171710.175000   0.999480000  476         528            583       323        260        50508    23624     26884     50497      4          0          2662064   1237564    1424500    97            0             0          282688.781    0x0c00987a0202d044  0           0            0           0            7           294          0           0            50497       2661506      4           264          109       6738       0         0          39825    2209682   10560    445112    7        238       0           0            0         0          28
USR1MR_D  1022171711.193000   1.018000     307         474            524       306        218        48619    22823     25796     48603      2          0          2563366   1196706    1366660    84            0             0          272032.375    0x0c00987a0202d044  0           0            0           0            14          588          0           0            48603       2562646      2           132          113       7122       0         0          38302    2125628   10189    429994    0        0         0           0            0         0          28
USR1MR_D  1022171712.691000   1.498000     307         535            574       332        242        49611    23075     26536     49599      0          0          2603054   1202538    1400516    95            0             0          277082.562    0x0c00987a0202d044  0           0            0           0            12          504          0           0            49599       2602550      0           0            134       8508       0         0          38673    2139862   10792    454180    0        0         0           0            0         0          23
USR1MR_D  1022171713.000000   0.999309000  340         447            529       293        236        50143    23468     26675     50134      0          0          2631530   1223992    1407538    96            0             0          278520.219    0x0c00987a0202d044  0           0            0           0            9           378          0           0            50134       2631152      0           0            113       7050       0         0          39099    2164110   10922    459992    0        0         0           0            0         0          24
USR1MR_D  1022171714.741000   1.741000     278         380            499       287        212        47899    22509     25390     47873      17         0          2514274   1172650    1341624    94            0             0          263678.375    0x0c00987a0202d044  0           0            0           0            9           378          0           0            47873       2512870      17          1026         115       7278       1         38         37075    2056666   10696    449812    0        0         0           0            0         0          35
USR1MR_D  1022171715.263000   0.999522000  258         378            477       275        202        49110    22878     26232     49096      3          0          2582484   1195104    1387380    89            0             0          272797.156    0x0c00987a0202d044  0           0            0           0            11          462          0           0            49096       2581824      3           198          130       8052       1         38         38284    2123868   10684    450064    0        0         0           0            0         0          46
USR1MR_D  1022171716.269000   1.006000     332         471            543       316        227        49985    23187     26798     49976      4          0          2627906   1210650    1417256    94            0             0          278140.844    0x0c00987a0202d044  0           0            0           0            5           210          0           0            49976       2627432      4           264          128       8064       0         0          39083    2166434   10769    453198    0        0         0           0            0         0          25
USR1MR_D  1022171717.932000   1.663000     291         386            500       286        214        48938    22518     26420     48921      6          0          2575532   1178164    1397368    93            0             0          273963.812    0x0c00987a0202d044  0           0            0           0            11          462          0           0            48921       2574738      6           332          130       8148       0         0          38233    2122014   10562    444840    0        0         0           0            0         0          29
USR1MR_D  1022171718.200000   0.999268000  197         309            427       240        187        47700    21873     25827     47675      21         0          2501292   1138298    1362994    88            0             0          263612.438    0x0c00987a0202d044  0           0            0           0            4           168          0           0            47675       2499750      21          1374         121       7530       0         0          37041    2050350   10528    442956    3        102       3           186          0         0          34
USR1MR_D  1022171719.284000   1.084000     262         374            472       286        186        48263    21982     26281     48249      2          0          2532294   1143108    1389186    97            0             0          268193.375    0x0c00987a0202d044  0           0            0           0            12          504          0           0            48249       2531690      2           100          134       8532       0         0          37445    2074682   10671    448542    0        0         0           0            0         0          34
USR1MR_D  1022171720.1095000  1.811000     278         397            531       306        225        49621    22621     27000     49599      4          0          2611286   1179958    1431328    93            0             0          277837.719    0x0c00987a0202d044  0           0            0           0            18          756          0           0            49599       2610330      4           200          113       7074       0         0          39044    2164776   10444    438612    0        0         0           0            0         0          32
USR1MR_D  1022171721.640000   0.999545000  222         406            506       282        224        50166    22964     27202     50160      0          0          2639776   1198584    1441192    93            0             0          280237.719    0x0c00987a0222d044  0           0            0           0            6           252          0           0            50160       2639524      0           0            125       7746       0         0          39445    2186290   10590    445488    0        0         0           0            0         0          109
USR1MR_D  1022171722.427000   0.999787000  241         459            562       327        235        47175    21896     25279     47160      4          0          2478598   1140152    1338446    92            0             0          256399.453    0x0c00987a0222d044  0           0            0           0            11          462          0           0            47160       2477872      4           264          117       7458       0         0          36225    2015758   10822    454920    0        0         0           0            0         0          40
USR1MR_D  1022171723.058000   0.999631000  193         357            485       276        209        48872    22650     26222     48858      8          0          2578544   1187328    1391216    99            0             0          271465.625    0x0c00987a0222d044  0           0            0           0            6           252          0           0            48858       2577860      8           432          114       7260       0         0          38162    2124068   10587    446862    0        0         0           0            0         0          41
USR1MR_D  1022171724.127000   1.069000     213         412            575       321        254        50089    23028     27061     50080      3          0          2634246   1201068    1433178    88            0             0          281685.219    0x0c00987a0222d044  0           0            0           0            6           252          0           0            50080       2633832      3           162          107       6726       0         0          39264    2177144   10710    450028    0        0         1           62           0         0          55
USR1MR_D  1022171725.274000   1.147000     209         376            544       319        225        49908    22880     27028     49883      18         0          2627904   1195840    1432064    93            0             0          279872.562    0x0c00987a0222d044  0           0            0           0            7           294          0           0            49883       2626422      18          1188         139       8694       3         114        39002    2165132   10756    453636    0        0         0           0            0         0          63
USR1MR_D  1022171726.378000   1.104000     200         293            497       281        216        48767    22322     26445     48754      6          0          2565306   1165528    1399778    90            0             0          271439.000    0x0c00987a0222d044  0           0            0           0            7           294          0           0            48754       2564648      6           364          133       8394       5         190        37987    2109006   10634    447388    0        0         0           0            0         0          76

You will notice your monitoring column, winPktThCnt. Wasn’t so difficult, right?
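Because the report is differential (USR1MR_D rows, DIFF_REPORT=1), each winPktThCnt value covers one interval only, and the plugin's cumulative winThCntG must be rebuilt by summing the rows. The following program is an added example, not part of the tutorial or of Tranalyzer2: it parses the machine report by column name (so the column order of the real, much wider report does not matter), reconstructs the cumulative count, and computes the per-interval rate and the share of TCP packets below the threshold. The input is a constructed, abbreviated copy of the header and the first three rows of the output above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: an abbreviated copy of the machine-report
 * header and three USR1MR_D rows from the run above. The real report has
 * many more columns, which is why fields are located by header name. */
static const char *SAMPLE_REPORT =
    "%repTyp   time                dur          numPkts  TCPPkts  winPktThCnt\n"
    "USR1MR_D  1022171702.125000   0.308953000  14548    11316    5\n"
    "USR1MR_D  1022171703.027000   0.999902000  49194    37923    23\n"
    "USR1MR_D  1022171704.334000   1.307000     48765    37502    39\n";

#define MAX_COLS 128
#define MAX_LINE 4096

typedef struct {
    double dur;                 /* interval duration in seconds (dur column) */
    unsigned long tcp_pkts;     /* TCPPkts in this interval */
    unsigned long win_th;       /* winPktThCnt: differential value for this interval */
    unsigned long win_th_cum;   /* running sum, i.e. the plugin's winThCntG */
    double rate;                /* below-threshold packets per second */
    double share;               /* fraction of TCP packets below the threshold */
} interval_t;

/* Split a line on whitespace in place; returns the number of tokens. */
static int split(char *line, char *tok[], int max) {
    int n = 0;
    for (char *t = strtok(line, " \t\r\n"); t && n < max; t = strtok(NULL, " \t\r\n"))
        tok[n++] = t;
    return n;
}

/* Index of a column name among the header tokens, or -1 if absent. */
static int find_col(char *hdr[], int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(hdr[i], name) == 0) return i;
    return -1;
}

/* Parse a machine report; fills out[] with one entry per USR1MR_D row and
 * returns the row count, or -1 if a required column is missing or a row is
 * shorter than the header. */
static int parse_report(const char *text, interval_t *out, int max_rows) {
    int idur = -1, itcp = -1, iwin = -1, rows = 0;
    unsigned long cum = 0;
    char line[MAX_LINE];
    char *tok[MAX_COLS];

    while (*text && rows < max_rows) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len >= sizeof line) return -1;        /* line too long for the buffer */
        memcpy(line, text, len);
        line[len] = '\0';
        text += len + (nl ? 1 : 0);

        int n = split(line, tok, MAX_COLS);
        if (n == 0) continue;                     /* blank line */

        if (tok[0][0] == '%') {                   /* header row: %repTyp ... */
            idur = find_col(tok, n, "dur");
            itcp = find_col(tok, n, "TCPPkts");
            iwin = find_col(tok, n, "winPktThCnt");
            if (idur < 0 || itcp < 0 || iwin < 0) return -1;
            continue;
        }
        /* Only differential rows are summed; the _D suffix marks DIFF_REPORT=1 output. */
        if (strcmp(tok[0], "USR1MR_D") != 0) continue;
        if (idur < 0 || n <= idur || n <= itcp || n <= iwin) return -1;

        interval_t *iv = &out[rows++];
        iv->dur        = strtod(tok[idur], NULL);
        iv->tcp_pkts   = strtoul(tok[itcp], NULL, 10);
        iv->win_th     = strtoul(tok[iwin], NULL, 10);
        cum           += iv->win_th;
        iv->win_th_cum = cum;
        iv->rate  = iv->dur > 0.0 ? (double)iv->win_th / iv->dur : 0.0;
        iv->share = iv->tcp_pkts ? (double)iv->win_th / (double)iv->tcp_pkts : 0.0;
    }
    return rows;
}

int main(void) {
    interval_t iv[64];
    int n = parse_report(SAMPLE_REPORT, iv, 64);
    if (n < 0) { fputs("required column missing or malformed row\n", stderr); return 1; }
    printf("%-10s %-12s %-10s %-10s %s\n", "dur", "winPktThCnt", "cum", "rate/s", "share");
    for (int i = 0; i < n; i++)
        printf("%-10.3f %-12lu %-10lu %-10.2f %.5f\n",
               iv[i].dur, iv[i].win_th, iv[i].win_th_cum, iv[i].rate, iv[i].share);
    return 0;
}
```

To run it on a real report, replace SAMPLE_REPORT with the contents of the file written by t2 -l; rows of a non-differential run (DIFF_REPORT=0) would already be cumulative and are skipped by the USR1MR_D check.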

Now remove tcpStates and rerun T2:

t2build -u tcpStates

Plugin 'tcpStates'


UNLOADING SUCCESSFUL

t2 -r ~/data/annoloc2.pcap -l -w ~/results/

%repTyp   time                dur          memUsageKB  fillSzHashMap  numFlows  numAFlows  numBFlows  numPkts  numAPkts  numBPkts  numV4Pkts  numV6Pkts  numVxPkts  numBytes  numABytes  numBBytes  numFrgV4Pkts  numFrgV6Pkts  numAlarms  rawBandwidth  globalWarn          0x0042Pkts  0x0042Bytes  0x00fePkts  0x00feBytes  0x0806Pkts  0x0806Bytes  0x8035Pkts  0x8035Bytes  0x0800Pkts  0x0800Bytes  0x86ddPkts  0x86ddBytes  ICMPPkts  ICMPBytes  IGMPPkts  IGMPBytes  TCPPkts  TCPBytes  UDPPkts  UDPBytes  GREPkts  GREBytes  ICMPv6Pkts  ICMPv6Bytes  SCTPPkts  SCTPBytes  winPktThCnt
USR1MR_D  1022171702.125000   0.308953000  18792       2152           2152      1220       932        14548    6878      7670      14542      3          0          765516    358988     406528     31            0             0          262155.094    0x0c00881a0202c044  0           0            0           0            3           126          0           0            14542       765256       3           134          34        2220       0         0          11316    628896    3192     134172    0        0         0           0            0         0          0
USR1MR_D  1022171703.027000   0.999902000  2003        1767           1767      961        806        49194    22820     26374     49162      22         0          2586276   1191528    1394748    97            0             0          270888.438    0x0c00987a0202c044  0           0            0           0            10          420          0           0            49162       2584404      22          1452         129       7938       0         0          37923    2109222   11132    468696    0        0         0           0            0         0          0
USR1MR_D  1022171704.334000   1.307000     836         1112           1112      639        473        48765    22660     26105     48734      26         0          2562726   1182212    1380514    91            0             0          267914.906    0x0c00987a0202c044  0           0            0           0            5           210          0           0            48734       2560800      26          1716         133       8202       0         0          37502    2085364   11125    468950    0        0         0           0            0         0          0
USR1MR_D  1022171705.030000   0.999696000  569         816            816       480        336        47156    22079     25077     47146      2          0          2471500   1148578    1322922    91            0             0          253765.031    0x0c00987a0202c044  0           0            0           0            8           336          0           0            47146       2471064      2           100          124       7704       0         0          36153    2006038   10870    457388    0        0         0           0            0         0          0
USR1MR_D  1022171706.009000   0.999979000  528         658            658       369        289        47251    21942     25309     47239      3          0          2480982   1143508    1337474    96            0             0          257045.938    0x0c00987a0202c044  0           0            0           0            9           378          0           0            47239       2480442      3           162          139       8814       0         0          36192    2013364   10909    458330    0        0         1           62           0         0          0
USR1MR_D  1022171707.298000   1.289000     488         685            685       381        304        48061    22155     25906     48038      5          0          2520286   1153038    1367248    71            0             0          263887.188    0x0c00987a0202d044  0           0            0           0            18          756          0           0            48038       2519208      5           322          112       7032       0         0          37267    2064558   10657    447646    5        170       2           124          0         0          0
USR1MR_D  1022171708.102000   0.999804000  454         595            595       325        270        48284    22114     26170     48262      3          0          2539600   1155564    1384036    79            0             0          266056.719    0x0c00987a0202d044  0           0            0           0            19          798          0           0            48262       2538612      3           190          117       7458       0         0          37526    2084196   10619    446990    1        34        2           124          0         0          0
USR1MR_D  1022171709.695000   1.593000     340         579            579       339        240        49272    22973     26299     49249      7          0          2587936   1198894    1389042    96            0             0          270947.375    0x0c00987a0202d044  0           0            0           0            16          672          0           0            49249       2586870      7           394          143       8910       0         0          38179    2117206   10931    461018    0        0         1           62           0         0          0
USR1MR_D  1022171710.175000   0.999480000  467         564            564       312        252        50508    23624     26884     50497      4          0          2662064   1237564    1424500    97            0             0          282688.781    0x0c00987a0202d044  0           0            0           0            7           294          0           0            50497       2661506      4           264          109       6738       0         0          39825    2209682   10560    445112    7        238       0           0            0         0          0
USR1MR_D  1022171711.193000   1.018000     312         516            516       302        214        48619    22823     25796     48603      2          0          2563366   1196706    1366660    84            0             0          272032.375    0x0c00987a0202d044  0           0            0           0            14          588          0           0            48603       2562646      2           132          113       7122       0         0          38302    2125628   10189    429994    0        0         0           0            0         0          0
USR1MR_D  1022171712.691000   1.498000     295         565            565       327        238        49611    23075     26536     49599      0          0          2603054   1202538    1400516    95            0             0          277082.562    0x0c00987a0202d044  0           0            0           0            12          504          0           0            49599       2602550      0           0            134       8508       0         0          38673    2139862   10792    454180    0        0         0           0            0         0          0
USR1MR_D  1022171713.000000   0.999309000  352         517            517       286        231        50143    23467     26676     50134      0          0          2631530   1223930    1407600    96            0             0          278520.219    0x0c00987a0202d044  0           0            0           0            9           378          0           0            50134       2631152      0           0            113       7050       0         0          39099    2164110   10922    459992    0        0         0           0            0         0          0
USR1MR_D  1022171714.741000   1.741000     287         472            472       274        198        47899    22508     25391     47873      17         0          2514274   1172604    1341670    94            0             0          263678.375    0x0c00987a0202d044  0           0            0           0            9           378          0           0            47873       2512870      17          1026         115       7278       1         38         37075    2056666   10696    449812    0        0         0           0            0         0          0
USR1MR_D  1022171715.263000   0.999522000  266         452            452       260        192        49110    22878     26232     49096      3          0          2582484   1195104    1387380    89            0             0          272797.156    0x0c00987a0202d044  0           0            0           0            11          462          0           0            49096       2581824      3           198          130       8052       1         38         38284    2123868   10684    450064    0        0         0           0            0         0          0
USR1MR_D  1022171716.269000   1.006000     336         527            527       307        220        49985    23187     26798     49976      4          0          2627906   1210650    1417256    94            0             0          278140.844    0x0c00987a0202d044  0           0            0           0            5           210          0           0            49976       2627432      4           264          128       8064       0         0          39083    2166434   10769    453198    0        0         0           0            0         0          0
USR1MR_D  1022171717.932000   1.663000     299         479            479       273        206        48938    22517     26421     48921      6          0          2575532   1178110    1397422    93            0             0          273963.812    0x0c00987a0202d044  0           0            0           0            11          462          0           0            48921       2574738      6           332          130       8148       0         0          38233    2122014   10562    444840    0        0         0           0            0         0          0
USR1MR_D  1022171718.200000   0.999268000  221         410            410       230        180        47700    21873     25827     47675      21         0          2501292   1138298    1362994    88            0             0          263612.438    0x0c00987a0202d044  0           0            0           0            4           168          0           0            47675       2499750      21          1374         121       7530       0         0          37041    2050350   10528    442956    3        102       3           186          0         0          0
USR1MR_D  1022171719.284000   1.084000     266         451            451       275        176        48263    21982     26281     48249      2          0          2532294   1143108    1389186    97            0             0          268193.375    0x0c00987a0202d044  0           0            0           0            12          504          0           0            48249       2531690      2           100          134       8532       0         0          37445    2074682   10671    448542    0        0         0           0            0         0          0
USR1MR_D  1022171720.1095000  1.811000     295         507            507       294        213        49621    22621     27000     49599      4          0          2611286   1179958    1431328    93            0             0          277837.719    0x0c00987a0202d044  0           0            0           0            18          756          0           0            49599       2610330      4           200          113       7074       0         0          39044    2164776   10444    438612    0        0         0           0            0         0          0
USR1MR_D  1022171721.640000   0.999545000  233         486            486       273        213        50166    22964     27202     50160      0          0          2639776   1198584    1441192    93            0             0          280237.719    0x0c00987a0222d044  0           0            0           0            6           252          0           0            50160       2639524      0           0            125       7746       0         0          39445    2186290   10590    445488    0        0         0           0            0         0          0
USR1MR_D  1022171722.427000   0.999787000  250         539            539       314        225        47175    21896     25279     47160      4          0          2478598   1140152    1338446    92            0             0          256399.453    0x0c00987a0222d044  0           0            0           0            11          462          0           0            47160       2477872      4           264          117       7458       0         0          36225    2015758   10822    454920    0        0         0           0            0         0          0
USR1MR_D  1022171723.058000   0.999631000  205         455            455       259        196        48872    22649     26223     48858      8          0          2578544   1187274    1391270    99            0             0          271465.625    0x0c00987a0222d044  0           0            0           0            6           252          0           0            48858       2577860      8           432          114       7260       0         0          38162    2124068   10587    446862    0        0         0           0            0         0          0
USR1MR_D  1022171724.127000   1.069000     234         552            552       309        243        50089    23027     27062     50080      3          0          2634246   1201014    1433232    88            0             0          281685.219    0x0c00987a0222d044  0           0            0           0            6           252          0           0            50080       2633832      3           162          107       6726       0         0          39264    2177144   10710    450028    0        0         1           62           0         0          0
USR1MR_D  1022171725.274000   1.147000     233         517            517       301        216        49908    22880     27028     49883      18         0          2627904   1195840    1432064    93            0             0          279872.562    0x0c00987a0222d044  0           0            0           0            7           294          0           0            49883       2626422      18          1188         139       8694       3         114        39002    2165132   10756    453636    0        0         0           0            0         0          0
USR1MR_D  1022171726.378000   1.104000     238         473            473       269        204        48767    22322     26445     48754      6          0          2565306   1165528    1399778    90            0             0          271439.000    0x0c00987a0222d044  0           0            0           0            7           294          0           0            48754       2564648      6           364          133       8394       5         190        37987    2109006   10634    447388    0        0         0           0            0         0          0

Comparing the column winPktThCnt, you will notice that without the tcpStates plugin all output of your tcpWin plugin is now 0. Why? Because no flow has terminated yet! The timeout is three minutes (180 seconds) by default and the processing time of the pcap is only 0.5 seconds. So one option is to reduce the flow timeout (FLOW_TIMEOUT in tranalyzer.h); the other is to move the code to the t2OnLayer4(...) callback, as already indicated above. So delete or comment out the two lines we added in the t2OnFlowTerminate(...) callback and add the lines marked with // <-- in the t2OnLayer4(...) callback.

vi src/tcpWin.c

...
void t2OnLayer4(packet_t *packet, unsigned long flowIndex) {
    const flow_t * const flowP = &flows[flowIndex];
    if (flowP->l4Proto != L3_TCP) return; // process only TCP

    // only the first fragment of a packet is processed (it carries the TCP header)
    if (!t2_is_first_fragment(packet)) return;

    tcpWinFlow_t * const tcpWinFlowP = &tcpWinFlows[flowIndex];
    const tcpHeader_t * const tcpHeader = (tcpHeader_t*)packet->l4HdrP;
    const uint32_t tcpWin = ntohs(tcpHeader->window); // window field is in network byte order

    if (tcpWin < TCPWIN_THRES) {
        tcpWinFlowP->winThCnt++;                // count the packet
        tcpWinFlowP->stat |= TCPWIN_STAT_THU;   // set the status bit
        tcpWinStat |= tcpWinFlowP->stat;        // <-- aggregate all packet flags
        winThCntG++;                            // <-- count all winThCnt packets
    }
}
...

Recompile and rerun t2:

t2build tcpWin

t2 -r ~/data/annoloc2.pcap -l -w ~/results/

%repTyp   time                dur          memUsageKB  fillSzHashMap  numFlows  numAFlows  numBFlows  numPkts  numAPkts  numBPkts  numV4Pkts  numV6Pkts  numVxPkts  numBytes  numABytes  numBBytes  numFrgV4Pkts  numFrgV6Pkts  numAlarms  rawBandwidth  globalWarn          0x0042Pkts  0x0042Bytes  0x00fePkts  0x00feBytes  0x0806Pkts  0x0806Bytes  0x8035Pkts  0x8035Bytes  0x0800Pkts  0x0800Bytes  0x86ddPkts  0x86ddBytes  ICMPPkts  ICMPBytes  IGMPPkts  IGMPBytes  TCPPkts  TCPBytes  UDPPkts  UDPBytes  GREPkts  GREBytes  ICMPv6Pkts  ICMPv6Bytes  SCTPPkts  SCTPBytes  winPktThCnt
USR1MR_D  1022171702.125000   0.308953000  18825       2152           2152      1220       932        14548    6878      7670      14542      3          0          765516    358988     406528     31            0             0          262155.094    0x0c00881a0202c044  0           0            0           0            3           126          0           0            14542       765256       3           134          34        2220       0         0          11316    628896    3192     134172    0        0         0           0            0         0          25
USR1MR_D  1022171703.027000   0.999902000  2003        1767           1767      961        806        49194    22820     26374     49162      22         0          2586276   1191528    1394748    97            0             0          270888.438    0x0c00987a0202c044  0           0            0           0            10          420          0           0            49162       2584404      22          1452         129       7938       0         0          37923    2109222   11132    468696    0        0         0           0            0         0          104
USR1MR_D  1022171704.334000   1.307000     835         1112           1112      639        473        48765    22660     26105     48734      26         0          2562726   1182212    1380514    91            0             0          267914.906    0x0c00987a0202c044  0           0            0           0            5           210          0           0            48734       2560800      26          1716         133       8202       0         0          37502    2085364   11125    468950    0        0         0           0            0         0          126
USR1MR_D  1022171705.030000   0.999696000  570         816            816       480        336        47156    22079     25077     47146      2          0          2471500   1148578    1322922    91            0             0          253765.031    0x0c00987a0202c044  0           0            0           0            8           336          0           0            47146       2471064      2           100          124       7704       0         0          36153    2006038   10870    457388    0        0         0           0            0         0          121
USR1MR_D  1022171706.009000   0.999979000  528         658            658       369        289        47251    21942     25309     47239      3          0          2480982   1143508    1337474    96            0             0          257045.938    0x0c00987a0202c044  0           0            0           0            9           378          0           0            47239       2480442      3           162          139       8814       0         0          36192    2013364   10909    458330    0        0         1           62           0         0          110
USR1MR_D  1022171707.298000   1.289000     488         685            685       381        304        48061    22155     25906     48038      5          0          2520286   1153038    1367248    71            0             0          263887.188    0x0c00987a0202d044  0           0            0           0            18          756          0           0            48038       2519208      5           322          112       7032       0         0          37267    2064558   10657    447646    5        170       2           124          0         0          111
USR1MR_D  1022171708.102000   0.999804000  454         595            595       325        270        48284    22114     26170     48262      3          0          2539600   1155564    1384036    79            0             0          266056.719    0x0c00987a0202d044  0           0            0           0            19          798          0           0            48262       2538612      3           190          117       7458       0         0          37526    2084196   10619    446990    1        34        2           124          0         0          90
USR1MR_D  1022171709.695000   1.593000     340         579            579       339        240        49272    22973     26299     49249      7          0          2587936   1198894    1389042    96            0             0          270947.375    0x0c00987a0202d044  0           0            0           0            16          672          0           0            49249       2586870      7           394          143       8910       0         0          38179    2117206   10931    461018    0        0         1           62           0         0          122
USR1MR_D  1022171710.175000   0.999480000  467         564            564       312        252        50508    23624     26884     50497      4          0          2662064   1237564    1424500    97            0             0          282688.781    0x0c00987a0202d044  0           0            0           0            7           294          0           0            50497       2661506      4           264          109       6738       0         0          39825    2209682   10560    445112    7        238       0           0            0         0          96
USR1MR_D  1022171711.193000   1.018000     311         516            516       302        214        48619    22823     25796     48603      2          0          2563366   1196706    1366660    84            0             0          272032.375    0x0c00987a0202d044  0           0            0           0            14          588          0           0            48603       2562646      2           132          113       7122       0         0          38302    2125628   10189    429994    0        0         0           0            0         0          84
USR1MR_D  1022171712.691000   1.498000     295         565            565       327        238        49611    23075     26536     49599      0          0          2603054   1202538    1400516    95            0             0          277082.562    0x0c00987a0202d044  0           0            0           0            12          504          0           0            49599       2602550      0           0            134       8508       0         0          38673    2139862   10792    454180    0        0         0           0            0         0          81
USR1MR_D  1022171713.000000   0.999309000  353         517            517       286        231        50143    23467     26676     50134      0          0          2631530   1223930    1407600    96            0             0          278520.219    0x0c00987a0202d044  0           0            0           0            9           378          0           0            50134       2631152      0           0            113       7050       0         0          39099    2164110   10922    459992    0        0         0           0            0         0          89
USR1MR_D  1022171714.741000   1.741000     286         472            472       274        198        47899    22508     25391     47873      17         0          2514274   1172604    1341670    94            0             0          263678.375    0x0c00987a0202d044  0           0            0           0            9           378          0           0            47873       2512870      17          1026         115       7278       1         38         37075    2056666   10696    449812    0        0         0           0            0         0          115
USR1MR_D  1022171715.263000   0.999522000  267         452            452       260        192        49110    22878     26232     49096      3          0          2582484   1195104    1387380    89            0             0          272797.156    0x0c00987a0202d044  0           0            0           0            11          462          0           0            49096       2581824      3           198          130       8052       1         38         38284    2123868   10684    450064    0        0         0           0            0         0          98
USR1MR_D  1022171716.269000   1.006000     335         527            527       307        220        49985    23187     26798     49976      4          0          2627906   1210650    1417256    94            0             0          278140.844    0x0c00987a0202d044  0           0            0           0            5           210          0           0            49976       2627432      4           264          128       8064       0         0          39083    2166434   10769    453198    0        0         0           0            0         0          72
USR1MR_D  1022171717.932000   1.663000     299         479            479       273        206        48938    22517     26421     48921      6          0          2575532   1178110    1397422    93            0             0          273963.812    0x0c00987a0202d044  0           0            0           0            11          462          0           0            48921       2574738      6           332          130       8148       0         0          38233    2122014   10562    444840    0        0         0           0            0         0          78
USR1MR_D  1022171718.200000   0.999268000  222         410            410       230        180        47700    21873     25827     47675      21         0          2501292   1138298    1362994    88            0             0          263612.438    0x0c00987a0202d044  0           0            0           0            4           168          0           0            47675       2499750      21          1374         121       7530       0         0          37041    2050350   10528    442956    3        102       3           186          0         0          97
USR1MR_D  1022171719.284000   1.084000     266         451            451       275        176        48263    21982     26281     48249      2          0          2532294   1143108    1389186    97            0             0          268193.375    0x0c00987a0202d044  0           0            0           0            12          504          0           0            48249       2531690      2           100          134       8532       0         0          37445    2074682   10671    448542    0        0         0           0            0         0          77
USR1MR_D  1022171720.1095000  1.811000     295         507            507       294        213        49621    22621     27000     49599      4          0          2611286   1179958    1431328    93            0             0          277837.719    0x0c00987a0202d044  0           0            0           0            18          756          0           0            49599       2610330      4           200          113       7074       0         0          39044    2164776   10444    438612    0        0         0           0            0         0          70
USR1MR_D  1022171721.640000   0.999545000  233         486            486       273        213        50166    22964     27202     50160      0          0          2639776   1198584    1441192    93            0             0          280237.719    0x0c00987a0222d044  0           0            0           0            6           252          0           0            50160       2639524      0           0            125       7746       0         0          39445    2186290   10590    445488    0        0         0           0            0         0          83
USR1MR_D  1022171722.427000   0.999787000  250         539            539       314        225        47175    21896     25279     47160      4          0          2478598   1140152    1338446    92            0             0          256399.453    0x0c00987a0222d044  0           0            0           0            11          462          0           0            47160       2477872      4           264          117       7458       0         0          36225    2015758   10822    454920    0        0         0           0            0         0          82
USR1MR_D  1022171723.058000   0.999631000  205         455            455       259        196        48872    22649     26223     48858      8          0          2578544   1187274    1391270    99            0             0          271465.625    0x0c00987a0222d044  0           0            0           0            6           252          0           0            48858       2577860      8           432          114       7260       0         0          38162    2124068   10587    446862    0        0         0           0            0         0          84
USR1MR_D  1022171724.127000   1.069000     233         552            552       309        243        50089    23027     27062     50080      3          0          2634246   1201014    1433232    88            0             0          281685.219    0x0c00987a0222d044  0           0            0           0            6           252          0           0            50080       2633832      3           162          107       6726       0         0          39264    2177144   10710    450028    0        0         1           62           0         0          102
USR1MR_D  1022171725.274000   1.147000     234         517            517       301        216        49908    22880     27028     49883      18         0          2627904   1195840    1432064    93            0             0          279872.562    0x0c00987a0222d044  0           0            0           0            7           294          0           0            49883       2626422      18          1188         139       8694       3         114        39002    2165132   10756    453636    0        0         0           0            0         0          123
USR1MR_D  1022171726.378000   1.104000     237         473            473       269        204        48767    22322     26445     48754      6          0          2565306   1165528    1399778    90            0             0          271439.000    0x0c00987a0222d044  0           0            0           0            7           294          0           0            48754       2564648      6           364          133       8394       5         190        37987    2109006   10634    447388    0        0         0           0            0         0          119

See? It looks better now, right?
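To compare the winPktThCnt column across runs without counting columns by hand, here is an added example (not part of the tutorial or the Tranalyzer project) that parses the machine report by header name and computes, per interval, the packet rate and the fraction of TCP packets whose window was below TCPWIN_THRES. The sample report is constructed from the page's layout, reduced to six columns, with values taken from the first three rows of the second run.

```python
"""Parse a Tranalyzer2 differential machine report (USR1MR_D lines)
and evaluate the winPktThCnt column added by the tcpWin plugin.

Added example, not Tranalyzer code. Column names follow the report
header printed above; the sample is a constructed subset of columns.
"""
from dataclasses import dataclass

# Constructed sample: header plus three USR1MR_D rows, restricted to
# six of the page's columns (values from the second run above).
SAMPLE_REPORT = """\
%repTyp   time                dur          numPkts  TCPPkts  winPktThCnt
USR1MR_D  1022171702.125000   0.308953000  14548    11316    25
USR1MR_D  1022171703.027000   0.999902000  49194    37923    104
USR1MR_D  1022171704.334000   1.307000     48765    37502    126
"""

REQUIRED = ("repTyp", "time", "dur", "numPkts", "TCPPkts", "winPktThCnt")


@dataclass
class Interval:
    time: float        # absolute timestamp of the report
    dur: float         # length of the reporting interval in seconds
    num_pkts: int      # packets seen in this interval (DIFF_REPORT=1)
    tcp_pkts: int      # TCP packets in this interval
    win_th_cnt: int    # TCP packets with window < TCPWIN_THRES

    @property
    def pkt_rate(self) -> float:
        """Packets per second in this interval."""
        return self.num_pkts / self.dur if self.dur else 0.0

    @property
    def small_window_ratio(self) -> float:
        """Share of TCP packets that advertised a window below the threshold."""
        return self.win_th_cnt / self.tcp_pkts if self.tcp_pkts else 0.0


def parse_report(text: str, rep_type: str = "USR1MR_D") -> list[Interval]:
    """Map columns by header name so the parser survives plugin reordering."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split()          # header starts with '%'
    idx = {name: i for i, name in enumerate(header)}
    missing = [c for c in REQUIRED if c not in idx]
    if missing:
        raise ValueError(f"report lacks columns: {missing}")
    out = []
    for line in lines[1:]:
        f = line.split()
        # skip malformed rows and rows of another report type
        if len(f) != len(header) or f[idx["repTyp"]] != rep_type:
            continue
        out.append(Interval(
            time=float(f[idx["time"]]),
            dur=float(f[idx["dur"]]),
            num_pkts=int(f[idx["numPkts"]]),
            tcp_pkts=int(f[idx["TCPPkts"]]),
            win_th_cnt=int(f[idx["winPktThCnt"]]),
        ))
    return out


def flag_intervals(intervals: list[Interval], max_ratio: float) -> list[float]:
    """Return the timestamps of intervals whose small-window share exceeds max_ratio."""
    return [iv.time for iv in intervals if iv.small_window_ratio > max_ratio]


if __name__ == "__main__":
    for iv in parse_report(SAMPLE_REPORT):
        print(f"{iv.time:.3f} {iv.pkt_rate:10.1f} pkt/s "
              f"winThCnt={iv.win_th_cnt:4d} ratio={iv.small_window_ratio:.4f}")
    print("above 0.3%:", flag_intervals(parse_report(SAMPLE_REPORT), 0.003))
```

A sustained rise in the ratio across intervals points at receivers advertising tiny windows (memory pressure or a zero-window condition), which is the kind of signal the monitoring output is meant to surface.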

Conclusion

Play around a bit with the different types of reporting and change the config in tranalyzer.h and main.h as discussed in the monitoring mode tutorial, then compare the results to the end report. Also try to run t2 on an interface, and play around with the different time base modes and remote control options in main.h.

At this point I would like to refer you to the monitoring mode tutorial.

And don’t forget to reset the monitoring mode:

t2conf tranalyzer2 -D MONINTTMPCP=0 -D DIFF_REPORT=0 -D MACHINE_REPORT=0 && t2build -R

or use the new command:

t2conf --reset tranalyzer2 && t2build -R

You can download the final version of the tcpWin plugin.

The next tutorial will teach you how to add plugin packet output.

Have fun writing plugins!

See also