Tutorial: Plugin monitoring
As detailed in the monitoring mode tutorial, T2 can either be remotely controlled by USR1/2 signals or by the t2stat command. Each plugin can implement a monitoring function which will be called during monitoring or report operation.
First, change the configuration of main.h to enable monitoring on a pcap using pcap time. Just change MONINTTMPCP=1 and switch t2 to machine diff mode with the following t2conf command:
$ t2conf tranalyzer2 -D MONINTTMPCP=1 -D DIFF_REPORT=1 -D MACHINE_REPORT=1
$
Then reset your plugin directory to a pristine state and compile:
$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$ t2build tranalyzer2 tcpStates
...
$
If you have not read the previous tutorials, here is the base plugin which we will extend: tcpWin
The anonymized sample pcap can be downloaded here: annoloc2.pcap. Please extract it under your data folder: ~/data, if you haven’t already. Now you are all set for monitoring mode programming.
Implementing the Monitoring
If your plugin wants to contribute information to the monitoring mode, then global variables and a monitoring(FILE *stream, uint8_t state) callback have to be added.
So open tcpWin.c in an editor of your choice and add the global variables after the tcpWinFlows definition; look for the <-- markers below. If you already completed the end report tutorial, you only need to add the winThCntG0 variable, which differential mode uses to store the previous value of winThCntG. If this is your first plugin, add all three variables: winThCntG, winThCntG0 and winStatG.
...
/*
 * Plugin variables that may be used by other plugins (MUST be declared in
 * the header file as 'extern tcpWinFlow_t *tcpWinFlows;'
 */
tcpWinFlow_t *tcpWinFlows;
static uint32_t winThCntG, winThCntG0; // <-- Aggregated win threshold count and backup of the last printed count (differential mode)
static uint8_t winStatG;               // <-- Aggregated status
...
Then, if you did not do the end report tutorial, add the lines marked by <-- to the onFlowTerminate(...) callback to aggregate winStat and winThCnt over all flows. Here we aggregate all flow information into global variables.
...
void onFlowTerminate(unsigned long flowIndex) {
    tcpWinFlow_t * const tcpWinFlowP = &tcpWinFlows[flowIndex];
    winStatG |= tcpWinFlowP->stat;       // <-- Aggregate all packet flags
    winThCntG += tcpWinFlowP->winThCnt;  // <-- Sum all winThCnt packet counts
    OUTBUF_APPEND_U8(main_output_buffer, tcpWinFlowP->stat);
    OUTBUF_APPEND_U32(main_output_buffer, tcpWinFlowP->winThCnt);
}
...
Note that a snapshot taken by the monitoring now only represents the terminated flows, not the state currently held in memory. If you want the latter, you need to move that code, slightly modified, into the claimLayer4Information(...) callback. We will try that later.
Implementing the monitoring(FILE *stream, uint8_t state) callback
Now add the monitoring(FILE *stream, uint8_t state) callback after the onFlowTerminate(...) callback (or after the pluginReport(...) callback if you implemented the end report already).
The monitoring(...) function is called by the core with a state that tells the plugin what to do: at T2 initialization with T2_MON_PRI_HDR, so that the plugin can output its header in machine mode; at a USR1/2 interrupt with T2_MON_PRI_VAL to print its data in machine mode, or with T2_MON_PRI_REPORT in report mode. If a case is not implemented, nothing appears for it. Note the DIFF_REPORT preprocessor block at the end, which saves the old winThCntG value for differential mode; the header case returns before it, so the backup only happens after a value was printed.
void monitoring(FILE *stream, uint8_t state) {
    switch (state) {
        case T2_MON_PRI_HDR: // hdr output at the beginning
            fputs("winPktThCnt\t", stream); // Note the trailing tab (\t)
            return;
        case T2_MON_PRI_VAL: // USR1/2 interrupt machine mode
            fprintf(stream, "%"PRIu32"\t", winThCntG-winThCntG0); // print the column and the trailing tab
            break;
        case T2_MON_PRI_REPORT: // USR1/2 interrupt report mode
            T2_PLOG_DIFFNUMP(stream, "tcpWin", "Number of TCP winsize packets below threshold", winThCntG, numPackets);
            break;
        default: // Invalid state, do nothing
            return;
    }
#if DIFF_REPORT == 1
    winThCntG0 = winThCntG; // differential mode, save the old value
#endif // DIFF_REPORT == 1
}
Save the file and compile tcpWin.
$ t2build tcpWin
If compilation was error free, execute T2 with the -l option to redirect all end report info to the file ~/data/annoloc2_log.txt.
$ t2 -r ~/data/annoloc2.pcap -l
%repTyp time dur memUsageKB fillSzHashMap numFlows numAFlows numBFlows numPkts numAPkts numBPkts numV4Pkts numV6Pkts numVxPkts numBytes numABytes numBBytes numFrgV4Pkts numFrgV6Pkts numAlarms rawBandwidth globalWarn 0x0042Pkts 0x0042Bytes 0x00fePkts 0x00feBytes 0x0806Pkts 0x0806Bytes 0x8035Pkts 0x8035Bytes 0x0800Pkts 0x0800Bytes 0x86ddPkts 0x86ddBytes ICMPPkts ICMPBytes IGMPPkts IGMPBytes TCPPkts TCPBytes UDPPkts UDPBytes GREPkts GREBytes ICMPv6Pkts ICMPv6Bytes SCTPPkts SCTPBytes winPktThCnt
USR1MR_D 1022171702.000125 0.308953 33976 2143 2151 1219 932 14548 6878 7670 14544 1 0 765516 358988 406528 31 0 0 262155.094 0x0c00981a0202c044 0 0 0 0 3 126 0 0 14544 765324 1 66 34 2220 0 0 11316 628896 3192 134172 0 0 0 0 0 0 5
USR1MR_D 1022171703.000027 0.999902 2836 1735 1770 963 807 49194 22820 26374 49162 22 0 2586276 1191528 1394748 97 0 0 270888.438 0x0c00987a0202c044 0 0 0 0 10 420 0 0 49162 2584404 22 1452 129 7938 0 0 37923 2109222 11132 468696 0 0 0 0 0 0 23
USR1MR_D 1022171704.000334 1.000307 568 1069 1131 650 481 48765 22660 26105 48734 26 0 2562726 1182212 1380514 91 0 0 267914.906 0x0c00987a0202c044 0 0 0 0 5 210 0 0 48734 2560800 26 1716 133 8202 0 0 37502 2085364 11125 468950 0 0 0 0 0 0 39
USR1MR_D 1022171705.000030 0.999696 744 757 833 489 344 47156 22079 25077 47147 1 0 2471500 1148578 1322922 91 0 0 253765.031 0x0c00987a0202c044 0 0 0 0 8 336 0 0 47147 2471098 1 66 124 7704 0 0 36153 2006038 10870 457388 0 0 0 0 0 0 43
USR1MR_D 1022171706.000009 0.999979 416 617 686 383 303 47251 21942 25309 47240 2 0 2480982 1143508 1337474 96 0 0 257045.938 0x0c00987a0202c044 0 0 0 0 9 378 0 0 47240 2480476 2 128 139 8814 0 0 36192 2013364 10909 458330 0 0 1 62 0 0 52
USR1MR_D 1022171707.000298 1.000289 424 628 714 396 318 48061 22155 25906 48038 5 0 2520286 1153038 1367248 71 0 0 263887.188 0x0c00987a0202d044 0 0 0 0 18 756 0 0 48038 2519208 5 322 112 7032 0 0 37267 2064558 10657 447646 5 170 2 124 0 0 47
USR1MR_D 1022171708.000102 0.999804 992 559 622 339 283 48284 22114 26170 48262 3 0 2539600 1155564 1384036 79 0 0 266056.719 0x0c00987a0202d044 0 0 0 0 19 798 0 0 48262 2538612 3 190 117 7458 0 0 37526 2084196 10619 446990 1 34 2 124 0 0 37
USR1MR_D 1022171709.000695 1.000593 168 525 596 349 247 49272 22973 26299 49251 5 0 2587936 1198894 1389042 96 0 0 270947.375 0x0c00987a0202d044 0 0 0 0 16 672 0 0 49251 2586938 5 326 143 8910 0 0 38179 2117206 10931 461018 0 0 1 62 0 0 58
USR1MR_D 1022171710.000175 0.999480 540 528 583 323 260 50508 23624 26884 50497 4 0 2662064 1237564 1424500 97 0 0 282688.781 0x0c00987a0202d044 0 0 0 0 7 294 0 0 50497 2661506 4 264 109 6738 0 0 39825 2209682 10560 445112 7 238 0 0 0 0 28
USR1MR_D 1022171711.000193 1.000018 184 474 524 306 218 48619 22823 25796 48603 2 0 2563366 1196706 1366660 84 0 0 272032.375 0x0c00987a0202d044 0 0 0 0 14 588 0 0 48603 2562646 2 132 113 7122 0 0 38302 2125628 10189 429994 0 0 0 0 0 0 28
USR1MR_D 1022171712.000691 1.000498 188 535 574 332 242 49611 23075 26536 49599 0 0 2603054 1202538 1400516 95 0 0 277082.562 0x0c00987a0202d044 0 0 0 0 12 504 0 0 49599 2602550 0 0 134 8508 0 0 38673 2139862 10792 454180 0 0 0 0 0 0 23
USR1MR_D 1022171713.000000 0.999309 596 447 529 293 236 50143 23468 26675 50134 0 0 2631530 1223992 1407538 96 0 0 278520.219 0x0c00987a0202d044 0 0 0 0 9 378 0 0 50134 2631152 0 0 113 7050 0 0 39099 2164110 10922 459992 0 0 0 0 0 0 24
USR1MR_D 1022171714.000741 1.000741 172 377 496 284 212 47899 22509 25390 47876 14 0 2514274 1172650 1341624 94 0 0 263678.375 0x0c00987a0202d044 0 0 0 0 9 378 0 0 47876 2512972 14 924 115 7278 1 38 37075 2056666 10696 449812 0 0 0 0 0 0 35
USR1MR_D 1022171715.000263 0.999522 172 378 477 275 202 49110 22878 26232 49096 3 0 2582484 1195104 1387380 89 0 0 272797.156 0x0c00987a0202d044 0 0 0 0 11 462 0 0 49096 2581824 3 198 130 8052 1 38 38284 2123868 10684 450064 0 0 0 0 0 0 46
USR1MR_D 1022171716.000269 1.000006 184 471 543 316 227 49985 23187 26798 49976 4 0 2627906 1210650 1417256 94 0 0 278140.844 0x0c00987a0202d044 0 0 0 0 5 210 0 0 49976 2627432 4 264 128 8064 0 0 39083 2166434 10769 453198 0 0 0 0 0 0 25
USR1MR_D 1022171717.000932 1.000663 172 384 498 284 214 48938 22518 26420 48923 4 0 2575532 1178164 1397368 93 0 0 273963.812 0x0c00987a0202d044 0 0 0 0 11 462 0 0 48923 2574806 4 264 130 8148 0 0 38233 2122014 10562 444840 0 0 0 0 0 0 29
USR1MR_D 1022171718.000200 0.999268 180 309 427 240 187 47700 21873 25827 47675 21 0 2501292 1138298 1362994 88 0 0 263612.438 0x0c00987a0202d044 0 0 0 0 4 168 0 0 47675 2499750 21 1374 121 7530 0 0 37041 2050350 10528 442956 3 102 3 186 0 0 34
USR1MR_D 1022171719.000284 1.000084 244 373 471 285 186 48263 21982 26281 48250 1 0 2532294 1143108 1389186 97 0 0 268193.375 0x0c00987a0202d044 0 0 0 0 12 504 0 0 48250 2531724 1 66 134 8532 0 0 37445 2074682 10671 448542 0 0 0 0 0 0 34
USR1MR_D 1022171720.001095 1.000811 308 397 531 306 225 49621 22621 27000 49601 2 0 2611286 1179958 1431328 93 0 0 277837.719 0x0c00987a0202d044 0 0 0 0 18 756 0 0 49601 2610398 2 132 113 7074 0 0 39044 2164776 10444 438612 0 0 0 0 0 0 32
USR1MR_D 1022171721.000640 0.999545 180 406 506 282 224 50166 22964 27202 50160 0 0 2639776 1198584 1441192 93 0 0 280237.719 0x0c00987a0202d044 0 0 0 0 6 252 0 0 50160 2639524 0 0 125 7746 0 0 39445 2186290 10590 445488 0 0 0 0 0 0 109
USR1MR_D 1022171722.000427 0.999787 184 459 562 327 235 47175 21896 25279 47160 4 0 2478598 1140152 1338446 92 0 0 256399.453 0x0c00987a0202d044 0 0 0 0 11 462 0 0 47160 2477872 4 264 117 7458 0 0 36225 2015758 10822 454920 0 0 0 0 0 0 40
USR1MR_D 1022171723.000058 0.999631 188 356 484 274 210 48872 22649 26223 48861 5 0 2578544 1187294 1391250 99 0 0 271465.625 0x0c00987a0202d044 0 0 0 0 6 252 0 0 48861 2577962 5 330 114 7260 0 0 38162 2124068 10587 446862 0 0 0 0 0 0 41
USR1MR_D 1022171724.000127 1.000069 192 411 574 320 254 50089 23028 27061 50081 2 0 2634246 1201068 1433178 88 0 0 281685.219 0x0c00987a0202d044 0 0 0 0 6 252 0 0 50081 2633866 2 128 107 6726 0 0 39264 2177144 10710 450028 0 0 1 62 0 0 55
USR1MR_D 1022171725.000274 1.000147 0 376 544 319 225 49908 22880 27028 49883 18 0 2627904 1195840 1432064 93 0 0 279872.562 0x0c00987a0202d044 0 0 0 0 7 294 0 0 49883 2626422 18 1188 139 8694 3 114 39002 2165132 10756 453636 0 0 0 0 0 0 63
USR1MR_D 1022171726.000378 1.000104 180 292 496 280 216 48767 22322 26445 48755 5 0 2565306 1165528 1399778 90 0 0 271439.000 0x0c00987a0202d044 0 0 0 0 7 294 0 0 48755 2564682 5 330 133 8394 5 190 37987 2109006 10634 447388 0 0 0 0 0 0 76
You will notice your monitoring column. Wasn’t so difficult, right?
Now remove tcpStates and rerun T2:
$ t2build -u tcpStates
Plugin 'tcpStates'
BUILD SUCCESSFUL
$ t2 -r ~/data/annoloc2.pcap -l
%repTyp time dur memUsageKB fillSzHashMap numFlows numAFlows numBFlows numPkts numAPkts numBPkts numV4Pkts numV6Pkts numVxPkts numBytes numABytes numBBytes numFrgV4Pkts numFrgV6Pkts numAlarms rawBandwidth globalWarn 0x0042Pkts 0x0042Bytes 0x00fePkts 0x00feBytes 0x0806Pkts 0x0806Bytes 0x8035Pkts 0x8035Bytes 0x0800Pkts 0x0800Bytes 0x86ddPkts 0x86ddBytes ICMPPkts ICMPBytes IGMPPkts IGMPBytes TCPPkts TCPBytes UDPPkts UDPBytes GREPkts GREBytes ICMPv6Pkts ICMPv6Bytes SCTPPkts SCTPBytes winPktThCnt
USR1MR_D 1022171702.000125 0.308953 33904 2151 2151 1219 932 14548 6878 7670 14544 1 0 765516 358988 406528 31 0 0 262155.094 0x0c00981a0202c044 0 0 0 0 3 126 0 0 14544 765324 1 66 34 2220 0 0 11316 628896 3192 134172 0 0 0 0 0 0 0
USR1MR_D 1022171703.000027 0.999902 2800 1767 1767 961 806 49194 22820 26374 49162 22 0 2586276 1191528 1394748 97 0 0 270888.438 0x0c00987a0202c044 0 0 0 0 10 420 0 0 49162 2584404 22 1452 129 7938 0 0 37923 2109222 11132 468696 0 0 0 0 0 0 0
USR1MR_D 1022171704.000334 1.000307 932 1112 1112 639 473 48765 22660 26105 48734 26 0 2562726 1182212 1380514 91 0 0 267914.906 0x0c00987a0202c044 0 0 0 0 5 210 0 0 48734 2560800 26 1716 133 8202 0 0 37502 2085364 11125 468950 0 0 0 0 0 0 0
USR1MR_D 1022171705.000030 0.999696 800 816 816 480 336 47156 22079 25077 47147 1 0 2471500 1148578 1322922 91 0 0 253765.031 0x0c00987a0202c044 0 0 0 0 8 336 0 0 47147 2471098 1 66 124 7704 0 0 36153 2006038 10870 457388 0 0 0 0 0 0 0
USR1MR_D 1022171706.000009 0.999979 292 657 657 368 289 47251 21942 25309 47240 2 0 2480982 1143508 1337474 96 0 0 257045.938 0x0c00987a0202c044 0 0 0 0 9 378 0 0 47240 2480476 2 128 139 8814 0 0 36192 2013364 10909 458330 0 0 1 62 0 0 0
USR1MR_D 1022171707.000298 1.000289 856 685 685 381 304 48061 22155 25906 48038 5 0 2520286 1153038 1367248 71 0 0 263887.188 0x0c00987a0202d044 0 0 0 0 18 756 0 0 48038 2519208 5 322 112 7032 0 0 37267 2064558 10657 447646 5 170 2 124 0 0 0
USR1MR_D 1022171708.000102 0.999804 564 595 595 325 270 48284 22114 26170 48262 3 0 2539600 1155564 1384036 79 0 0 266056.719 0x0c00987a0202d044 0 0 0 0 19 798 0 0 48262 2538612 3 190 117 7458 0 0 37526 2084196 10619 446990 1 34 2 124 0 0 0
USR1MR_D 1022171709.000695 1.000593 404 577 577 337 240 49272 22973 26299 49251 5 0 2587936 1198894 1389042 96 0 0 270947.375 0x0c00987a0202d044 0 0 0 0 16 672 0 0 49251 2586938 5 326 143 8910 0 0 38179 2117206 10931 461018 0 0 1 62 0 0 0
USR1MR_D 1022171710.000175 0.999480 180 564 564 312 252 50508 23624 26884 50497 4 0 2662064 1237564 1424500 97 0 0 282688.781 0x0c00987a0202d044 0 0 0 0 7 294 0 0 50497 2661506 4 264 109 6738 0 0 39825 2209682 10560 445112 7 238 0 0 0 0 0
USR1MR_D 1022171711.000193 1.000018 360 516 516 302 214 48619 22823 25796 48603 2 0 2563366 1196706 1366660 84 0 0 272032.375 0x0c00987a0202d044 0 0 0 0 14 588 0 0 48603 2562646 2 132 113 7122 0 0 38302 2125628 10189 429994 0 0 0 0 0 0 0
USR1MR_D 1022171712.000691 1.000498 428 565 565 327 238 49611 23075 26536 49599 0 0 2603054 1202538 1400516 95 0 0 277082.562 0x0c00987a0202d044 0 0 0 0 12 504 0 0 49599 2602550 0 0 134 8508 0 0 38673 2139862 10792 454180 0 0 0 0 0 0 0
USR1MR_D 1022171713.000000 0.999309 360 517 517 286 231 50143 23467 26676 50134 0 0 2631530 1223930 1407600 96 0 0 278520.219 0x0c00987a0202d044 0 0 0 0 9 378 0 0 50134 2631152 0 0 113 7050 0 0 39099 2164110 10922 459992 0 0 0 0 0 0 0
USR1MR_D 1022171714.000741 1.000741 180 469 469 271 198 47899 22508 25391 47876 14 0 2514274 1172604 1341670 94 0 0 263678.375 0x0c00987a0202d044 0 0 0 0 9 378 0 0 47876 2512972 14 924 115 7278 1 38 37075 2056666 10696 449812 0 0 0 0 0 0 0
USR1MR_D 1022171715.000263 0.999522 172 452 452 260 192 49110 22878 26232 49096 3 0 2582484 1195104 1387380 89 0 0 272797.156 0x0c00987a0202d044 0 0 0 0 11 462 0 0 49096 2581824 3 198 130 8052 1 38 38284 2123868 10684 450064 0 0 0 0 0 0 0
USR1MR_D 1022171716.000269 1.000006 360 527 527 307 220 49985 23187 26798 49976 4 0 2627906 1210650 1417256 94 0 0 278140.844 0x0c00987a0202d044 0 0 0 0 5 210 0 0 49976 2627432 4 264 128 8064 0 0 39083 2166434 10769 453198 0 0 0 0 0 0 0
USR1MR_D 1022171717.000932 1.000663 180 477 477 271 206 48938 22517 26421 48923 4 0 2575532 1178110 1397422 93 0 0 273963.812 0x0c00987a0202d044 0 0 0 0 11 462 0 0 48923 2574806 4 264 130 8148 0 0 38233 2122014 10562 444840 0 0 0 0 0 0 0
USR1MR_D 1022171718.000200 0.999268 180 410 410 230 180 47700 21873 25827 47675 21 0 2501292 1138298 1362994 88 0 0 263612.438 0x0c00987a0202d044 0 0 0 0 4 168 0 0 47675 2499750 21 1374 121 7530 0 0 37041 2050350 10528 442956 3 102 3 186 0 0 0
USR1MR_D 1022171719.000284 1.000084 248 450 450 274 176 48263 21982 26281 48250 1 0 2532294 1143108 1389186 97 0 0 268193.375 0x0c00987a0202d044 0 0 0 0 12 504 0 0 48250 2531724 1 66 134 8532 0 0 37445 2074682 10671 448542 0 0 0 0 0 0 0
USR1MR_D 1022171720.001095 1.000811 308 507 507 294 213 49621 22621 27000 49601 2 0 2611286 1179958 1431328 93 0 0 277837.719 0x0c00987a0202d044 0 0 0 0 18 756 0 0 49601 2610398 2 132 113 7074 0 0 39044 2164776 10444 438612 0 0 0 0 0 0 0
USR1MR_D 1022171721.000640 0.999545 188 486 486 273 213 50166 22964 27202 50160 0 0 2639776 1198584 1441192 93 0 0 280237.719 0x0c00987a0202d044 0 0 0 0 6 252 0 0 50160 2639524 0 0 125 7746 0 0 39445 2186290 10590 445488 0 0 0 0 0 0 0
USR1MR_D 1022171722.000427 0.999787 188 539 539 314 225 47175 21896 25279 47160 4 0 2478598 1140152 1338446 92 0 0 256399.453 0x0c00987a0202d044 0 0 0 0 11 462 0 0 47160 2477872 4 264 117 7458 0 0 36225 2015758 10822 454920 0 0 0 0 0 0 0
USR1MR_D 1022171723.000058 0.999631 192 454 454 257 197 48872 22648 26224 48861 5 0 2578544 1187240 1391304 99 0 0 271465.625 0x0c00987a0202d044 0 0 0 0 6 252 0 0 48861 2577962 5 330 114 7260 0 0 38162 2124068 10587 446862 0 0 0 0 0 0 0
USR1MR_D 1022171724.000127 1.000069 196 551 551 308 243 50089 23027 27062 50081 2 0 2634246 1201014 1433232 88 0 0 281685.219 0x0c00987a0202d044 0 0 0 0 6 252 0 0 50081 2633866 2 128 107 6726 0 0 39264 2177144 10710 450028 0 0 1 62 0 0 0
USR1MR_D 1022171725.000274 1.000147 0 517 517 301 216 49908 22880 27028 49883 18 0 2627904 1195840 1432064 93 0 0 279872.562 0x0c00987a0202d044 0 0 0 0 7 294 0 0 49883 2626422 18 1188 139 8694 3 114 39002 2165132 10756 453636 0 0 0 0 0 0 0
USR1MR_D 1022171726.000378 1.000104 196 472 472 268 204 48767 22322 26445 48755 5 0 2565306 1165528 1399778 90 0 0 271439.000 0x0c00987a0202d044 0 0 0 0 7 294 0 0 48755 2564682 5 330 133 8394 5 190 37987 2109006 10634 447388 0 0 0 0 0 0 0
Comparing the column winPktThCnt, you notice that without the tcpStates plugin all output of your plugin is 0. Why? Because no flow has terminated yet! The timeout is by default three minutes (180 seconds) and the processing time of the pcap is only 0.5 seconds. So one way is to reduce the flow timeout, FLOW_TIMEOUT in tranalyzer.h, the other is to move the code to claimLayer4Information(...) as indicated above. So delete or comment out the two lines we added in onFlowTerminate(...) and add the lines marked with <-- below to the claimLayer4Information() function.
/*
 * This function is called for every packet with a layer 4.
 */
void claimLayer4Information(packet_t *packet, unsigned long flowIndex) {
    const flow_t * const flowP = &flows[flowIndex];
    if (flowP->layer4Protocol != L3_TCP) return; // process only TCP
    // only 1. frag packet will be processed
    if (!t2_is_first_fragment(packet)) return;
    tcpWinFlow_t * const tcpWinFlowP = &tcpWinFlows[flowIndex];
    const tcpHeader_t * const tcpHeader = (tcpHeader_t*)packet->layer4Header;
    const uint32_t tcpWin = ntohs(tcpHeader->window);
    if (tcpWin < TCPWIN_THRES) {
        tcpWinFlowP->winThCnt++;         // count the packet
        tcpWinFlowP->stat |= TCPWIN_THU; // set the status bit
        winStatG |= tcpWinFlowP->stat;   // <-- Aggregate all packet flags
        winThCntG++;                     // <-- count all winThCnt packet counts
    }
}
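To see exactly what the DIFF_REPORT backup in the monitoring(...) callback changes in the printed column, here is an added stand-alone model of the per-packet aggregation above and of the callback; it is not the tutorial's plugin code, the T2 macros and flow structures are replaced by plain C, and the values of TCPWIN_THRES, TCPWIN_THU and the window sizes fed in are assumptions constructed for the example. The same counters are run once in differential mode and once in absolute mode over three constructed monitoring intervals.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants, standing in for the ones defined in tcpWin.h. */
#define TCPWIN_THRES 1000u  /* window size threshold (assumed value) */
#define TCPWIN_THU   0x01   /* status bit: window below threshold (assumed) */

/* Monitoring states; a real plugin gets these from the T2 headers. */
enum { T2_MON_PRI_HDR = 0, T2_MON_PRI_VAL = 1, T2_MON_PRI_REPORT = 2 };

static uint32_t winThCntG, winThCntG0;  /* aggregated count and its backup */
static uint8_t  winStatG;               /* aggregated status bits */
static int diffReport = 1;              /* runtime stand-in for DIFF_REPORT */

void tcpwin_reset(void) { winThCntG = winThCntG0 = 0; winStatG = 0; }

/* Per-packet aggregation, as in the claimLayer4Information() variant:
 * every TCP packet whose window is below the threshold is counted now,
 * so a snapshot reflects live traffic rather than only terminated flows. */
void tcpwin_packet(uint16_t window) {
    if (window < TCPWIN_THRES) {
        winStatG |= TCPWIN_THU;
        winThCntG++;
    }
}

/* Model of the monitoring callback. Returns the number it prints for the
 * value states (0 for header/invalid) so the behaviour can be checked.
 * The real plugin prints the report line via T2_PLOG_DIFFNUMP; here a
 * plain fprintf stands in for it. */
uint32_t tcpwin_monitoring(FILE *stream, uint8_t state) {
    uint32_t printed = 0;
    switch (state) {
        case T2_MON_PRI_HDR:
            if (stream) fputs("winPktThCnt\t", stream);
            return 0;  /* header: leave before the backup, like the plugin */
        case T2_MON_PRI_VAL:
            printed = winThCntG - winThCntG0;
            if (stream) fprintf(stream, "%" PRIu32 "\t", printed);
            break;
        case T2_MON_PRI_REPORT:
            printed = winThCntG - winThCntG0;
            if (stream) fprintf(stream, "tcpWin: %" PRIu32 " TCP packets below threshold\n", printed);
            break;
        default:
            return 0;  /* invalid state: nothing printed, nothing saved */
    }
    /* With DIFF_REPORT=0 this line does not exist, winThCntG0 stays 0 and
     * the column is cumulative; with DIFF_REPORT=1 it becomes per interval. */
    if (diffReport) winThCntG0 = winThCntG;
    return printed;
}

/* Three constructed monitoring intervals of four TCP window values each. */
static const uint16_t kIntervals[3][4] = {
    {  512, 65535,  100, 8192 },  /* 2 packets below threshold */
    { 2000,  3000, 4000, 5000 },  /* 0 packets below threshold */
    {   10,    20,   30, 9999 },  /* 3 packets below threshold */
};

/* Runs the scenario from scratch and returns what interval i prints. */
uint32_t tcpwin_scenario_value(int diff, int i) {
    uint32_t out = 0;
    diffReport = diff;
    tcpwin_reset();
    tcpwin_monitoring(NULL, T2_MON_PRI_HDR);
    for (int k = 0; k < 3; k++) {
        for (int j = 0; j < 4; j++) tcpwin_packet(kIntervals[k][j]);
        uint32_t v = tcpwin_monitoring(NULL, T2_MON_PRI_VAL);
        if (k == i) out = v;
    }
    return out;
}

int main(void) {
    for (int d = 1; d >= 0; d--) {
        printf("%s mode:", d ? "differential" : "absolute");
        for (int i = 0; i < 3; i++) printf(" %" PRIu32, tcpwin_scenario_value(d, i));
        putchar('\n');
    }
    return 0;
}
```

Differential mode prints 2, 0, 3 (one value per interval, as in the USR1MR_D lines above), absolute mode prints the running total 2, 2, 5.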
Recompile and rerun t2:
$ t2build tcpWin
...
$ t2 -r ~/data/annoloc2.pcap -l
%repTyp time dur memUsageKB fillSzHashMap numFlows numAFlows numBFlows numPkts numAPkts numBPkts numV4Pkts numV6Pkts numVxPkts numBytes numABytes numBBytes numFrgV4Pkts numFrgV6Pkts numAlarms rawBandwidth globalWarn 0x0042Pkts 0x0042Bytes 0x00fePkts 0x00feBytes 0x0806Pkts 0x0806Bytes 0x8035Pkts 0x8035Bytes 0x0800Pkts 0x0800Bytes 0x86ddPkts 0x86ddBytes ICMPPkts ICMPBytes IGMPPkts IGMPBytes TCPPkts TCPBytes UDPPkts UDPBytes GREPkts GREBytes ICMPv6Pkts ICMPv6Bytes SCTPPkts SCTPBytes winPktThCnt
USR1MR_D 1022171702.000125 0.308953 33900 2151 2151 1219 932 14548 6878 7670 14544 1 0 765516 358988 406528 31 0 0 262155.094 0x0c00981a0202c044 0 0 0 0 3 126 0 0 14544 765324 1 66 34 2220 0 0 11316 628896 3192 134172 0 0 0 0 0 0 25
USR1MR_D 1022171703.000027 0.999902 2800 1767 1767 961 806 49194 22820 26374 49162 22 0 2586276 1191528 1394748 97 0 0 270888.438 0x0c00987a0202c044 0 0 0 0 10 420 0 0 49162 2584404 22 1452 129 7938 0 0 37923 2109222 11132 468696 0 0 0 0 0 0 104
USR1MR_D 1022171704.000334 1.000307 932 1112 1112 639 473 48765 22660 26105 48734 26 0 2562726 1182212 1380514 91 0 0 267914.906 0x0c00987a0202c044 0 0 0 0 5 210 0 0 48734 2560800 26 1716 133 8202 0 0 37502 2085364 11125 468950 0 0 0 0 0 0 126
USR1MR_D 1022171705.000030 0.999696 804 816 816 480 336 47156 22079 25077 47147 1 0 2471500 1148578 1322922 91 0 0 253765.031 0x0c00987a0202c044 0 0 0 0 8 336 0 0 47147 2471098 1 66 124 7704 0 0 36153 2006038 10870 457388 0 0 0 0 0 0 121
USR1MR_D 1022171706.000009 0.999979 292 657 657 368 289 47251 21942 25309 47240 2 0 2480982 1143508 1337474 96 0 0 257045.938 0x0c00987a0202c044 0 0 0 0 9 378 0 0 47240 2480476 2 128 139 8814 0 0 36192 2013364 10909 458330 0 0 1 62 0 0 110
USR1MR_D 1022171707.000298 1.000289 852 685 685 381 304 48061 22155 25906 48038 5 0 2520286 1153038 1367248 71 0 0 263887.188 0x0c00987a0202d044 0 0 0 0 18 756 0 0 48038 2519208 5 322 112 7032 0 0 37267 2064558 10657 447646 5 170 2 124 0 0 111
USR1MR_D 1022171708.000102 0.999804 564 595 595 325 270 48284 22114 26170 48262 3 0 2539600 1155564 1384036 79 0 0 266056.719 0x0c00987a0202d044 0 0 0 0 19 798 0 0 48262 2538612 3 190 117 7458 0 0 37526 2084196 10619 446990 1 34 2 124 0 0 90
USR1MR_D 1022171709.000695 1.000593 408 577 577 337 240 49272 22973 26299 49251 5 0 2587936 1198894 1389042 96 0 0 270947.375 0x0c00987a0202d044 0 0 0 0 16 672 0 0 49251 2586938 5 326 143 8910 0 0 38179 2117206 10931 461018 0 0 1 62 0 0 122
USR1MR_D 1022171710.000175 0.999480 176 564 564 312 252 50508 23624 26884 50497 4 0 2662064 1237564 1424500 97 0 0 282688.781 0x0c00987a0202d044 0 0 0 0 7 294 0 0 50497 2661506 4 264 109 6738 0 0 39825 2209682 10560 445112 7 238 0 0 0 0 96
USR1MR_D 1022171711.000193 1.000018 300 516 516 302 214 48619 22823 25796 48603 2 0 2563366 1196706 1366660 84 0 0 272032.375 0x0c00987a0202d044 0 0 0 0 14 588 0 0 48603 2562646 2 132 113 7122 0 0 38302 2125628 10189 429994 0 0 0 0 0 0 84
USR1MR_D 1022171712.000691 1.000498 368 565 565 327 238 49611 23075 26536 49599 0 0 2603054 1202538 1400516 95 0 0 277082.562 0x0c00987a0202d044 0 0 0 0 12 504 0 0 49599 2602550 0 0 134 8508 0 0 38673 2139862 10792 454180 0 0 0 0 0 0 81
USR1MR_D 1022171713.000000 0.999309 356 517 517 286 231 50143 23467 26676 50134 0 0 2631530 1223930 1407600 96 0 0 278520.219 0x0c00987a0202d044 0 0 0 0 9 378 0 0 50134 2631152 0 0 113 7050 0 0 39099 2164110 10922 459992 0 0 0 0 0 0 89
USR1MR_D 1022171714.000741 1.000741 180 469 469 271 198 47899 22508 25391 47876 14 0 2514274 1172604 1341670 94 0 0 263678.375 0x0c00987a0202d044 0 0 0 0 9 378 0 0 47876 2512972 14 924 115 7278 1 38 37075 2056666 10696 449812 0 0 0 0 0 0 115
USR1MR_D 1022171715.000263 0.999522 176 452 452 260 192 49110 22878 26232 49096 3 0 2582484 1195104 1387380 89 0 0 272797.156 0x0c00987a0202d044 0 0 0 0 11 462 0 0 49096 2581824 3 198 130 8052 1 38 38284 2123868 10684 450064 0 0 0 0 0 0 98
USR1MR_D 1022171716.000269 1.000006 360 527 527 307 220 49985 23187 26798 49976 4 0 2627906 1210650 1417256 94 0 0 278140.844 0x0c00987a0202d044 0 0 0 0 5 210 0 0 49976 2627432 4 264 128 8064 0 0 39083 2166434 10769 453198 0 0 0 0 0 0 72
USR1MR_D 1022171717.000932 1.000663 176 477 477 271 206 48938 22517 26421 48923 4 0 2575532 1178110 1397422 93 0 0 273963.812 0x0c00987a0202d044 0 0 0 0 11 462 0 0 48923 2574806 4 264 130 8148 0 0 38233 2122014 10562 444840 0 0 0 0 0 0 78
USR1MR_D 1022171718.000200 0.999268 184 410 410 230 180 47700 21873 25827 47675 21 0 2501292 1138298 1362994 88 0 0 263612.438 0x0c00987a0202d044 0 0 0 0 4 168 0 0 47675 2499750 21 1374 121 7530 0 0 37041 2050350 10528 442956 3 102 3 186 0 0 97
USR1MR_D 1022171719.000284 1.000084 248 450 450 274 176 48263 21982 26281 48250 1 0 2532294 1143108 1389186 97 0 0 268193.375 0x0c00987a0202d044 0 0 0 0 12 504 0 0 48250 2531724 1 66 134 8532 0 0 37445 2074682 10671 448542 0 0 0 0 0 0 77
USR1MR_D 1022171720.001095 1.000811 304 507 507 294 213 49621 22621 27000 49601 2 0 2611286 1179958 1431328 93 0 0 277837.719 0x0c00987a0202d044 0 0 0 0 18 756 0 0 49601 2610398 2 132 113 7074 0 0 39044 2164776 10444 438612 0 0 0 0 0 0 70
USR1MR_D 1022171721.000640 0.999545 192 486 486 273 213 50166 22964 27202 50160 0 0 2639776 1198584 1441192 93 0 0 280237.719 0x0c00987a0202d044 0 0 0 0 6 252 0 0 50160 2639524 0 0 125 7746 0 0 39445 2186290 10590 445488 0 0 0 0 0 0 83
USR1MR_D 1022171722.000427 0.999787 188 539 539 314 225 47175 21896 25279 47160 4 0 2478598 1140152 1338446 92 0 0 256399.453 0x0c00987a0202d044 0 0 0 0 11 462 0 0 47160 2477872 4 264 117 7458 0 0 36225 2015758 10822 454920 0 0 0 0 0 0 82
USR1MR_D 1022171723.000058 0.999631 192 454 454 257 197 48872 22648 26224 48861 5 0 2578544 1187240 1391304 99 0 0 271465.625 0x0c00987a0202d044 0 0 0 0 6 252 0 0 48861 2577962 5 330 114 7260 0 0 38162 2124068 10587 446862 0 0 0 0 0 0 84
USR1MR_D 1022171724.000127 1.000069 196 551 551 308 243 50089 23027 27062 50081 2 0 2634246 1201014 1433232 88 0 0 281685.219 0x0c00987a0202d044 0 0 0 0 6 252 0 0 50081 2633866 2 128 107 6726 0 0 39264 2177144 10710 450028 0 0 1 62 0 0 102
USR1MR_D 1022171725.000274 1.000147 0 517 517 301 216 49908 22880 27028 49883 18 0 2627904 1195840 1432064 93 0 0 279872.562 0x0c00987a0202d044 0 0 0 0 7 294 0 0 49883 2626422 18 1188 139 8694 3 114 39002 2165132 10756 453636 0 0 0 0 0 0 123
USR1MR_D 1022171726.000378 1.000104 196 472 472 268 204 48767 22322 26445 48755 5 0 2565306 1165528 1399778 90 0 0 271439.000 0x0c00987a0202d044 0 0 0 0 7 294 0 0 48755 2564682 5 330 133 8394 5 190 37987 2109006 10634 447388 0 0 0 0 0 0 119
See? Looks better, right? Play around a bit with the different types of reporting and change the configuration in tranalyzer.h and main.h as discussed in the monitoring mode tutorial, and compare the results to the end report. Also try to run t2 on an interface, and play around with the different time base modes and remote control options in main.h. At this point I would like to refer you to the monitoring mode tutorial.
Have fun!
And don’t forget to reset the monitoring mode:
$ t2conf tranalyzer2 -D MONINTTMPCP=0 -D DIFF_REPORT=0 -D MACHINE_REPORT=0 && t2build -R
...
$
or use the new command: t2conf --reset tranalyzer2 && t2build -R
Have fun writing plugins!
The next tutorial will teach you how to add plugin packet output.
See Also
- Plugin Programming Cheatsheet
- The basics: your first flow plugin
- Adding plugin end report
- Adding plugin packet output
- Producing summary files
- geo-whois-labeling
- All about plugin dependencies
- Plugin sinks
- Manipulating flow timeouts
- Alarm mode
- Force mode
- Pcap extraction
- Developing Tranalyzer plugins in C++
- Developing Tranalyzer plugins in Rust