Tutorial: Plugin Packet Mode

The packet mode of T2 is enabled with the -s command line option. Each plugin can implement code guarded by the sPktFile switch, which is set when -s is given. The plugin's contribution is then appended, in plugin order, to every line of the packet file.

Before we start, clean out your plugin .so directory if this is the first tutorial you follow: all unnecessary plugins should be removed from the plugin folder ~/.tranalyzer/plugins, then compile basicFlow and txtSink.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$ t2build basicFlow txtSink
...
BUILD SUCCESSFUL

Compiling basicFlow took a bit longer this time, because t2build had to rebuild the subnet files used for geolocation: 't2build -e' removes the subnet file as well. If you delete the .so files with rm instead, the old subnet file is kept:

$ rm ~/.tranalyzer/plugins/*.so
$ t2build basicFlow txtSink
...
BUILD SUCCESSFUL

Then the compilation is considerably faster, as the subnet file already exists.

If you did not read the previous tutorials, here is the base plugin which we will extend: tcpWin

The anonymized sample pcap can be downloaded here: annoloc2.pcap. Extract it into your data folder if you have not already done so. Now you are all set for packet mode fun.

Adding the Packet Mode

In order to implement the packet mode, the sPktFile switch has to be added to the initialize() function of your plugin, and the header of the packet file has to be defined (see also the Skeleton plugin).

So open tcpWin.c and add, in the initialize callback, the line marked by <–: a single fputs() into the packet file, writing the header description of your columns.

Now we need to output data for every packet. Add, in the claimLayer4Information callback, the line marked by <–: again a single fprintf() into the packet file. Note the trailing '\t' (tab) in the format string, don't forget it: the packet file is tab-separated, and every field a plugin writes must be tab-terminated so that the columns of the next plugin line up.

Compile tcpWin and rerun T2 with the -s option.
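To make the two hooks concrete, here is an added, stand-alone C example; it is not the tcpWin source and not T2's own code. It writes what the tutorial describes, a tab-terminated header from the initialize side and one tab-terminated value per column and packet from the claimLayer4Information side, into a FILE* the same way the plugin writes into sPktFile. The structs pkt_t and tcpWinFlow_t, the threshold WINMIN and the function names are stand-ins chosen for this example; the window sizes in the driver are picked from the flow 637 excerpt further down (treated as one direction), plus one constructed UDP packet to show the column-alignment caveat.

```c
/* Added example, not tcpWin's or T2's own code: a stand-alone simulation of
 * the two packet-mode hooks.  In T2, sPktFile is a global FILE* that is
 * non-NULL only when t2 runs with -s; here the FILE* is a tmpfile() so the
 * result can be read back and checked without T2. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WINMIN 1    /* assumed threshold: windows below this are counted;
                       take the real value from your tcpWin.h */

/* Stand-in for the per-flow state tcpWin keeps. */
typedef struct {
    uint32_t winThPktCnt;   /* packets of this flow with window < WINMIN */
} tcpWinFlow_t;

/* Stand-in for the two packet fields this example needs. */
typedef struct {
    uint8_t  l4Proto;       /* 6 = TCP, 17 = UDP */
    uint16_t winSize;       /* TCP window (host byte order), TCP only */
} pkt_t;

/* initialize() side: the header names of the plugin's columns, each one
 * tab-terminated so the next plugin's header attaches cleanly. */
void tcpWin_pkt_header(FILE *sPktFile) {
    if (!sPktFile) return;  /* packet mode off: -s not given */
    fputs("winSize\twinThPktCnt\t", sPktFile);
}

/* claimLayer4Information() side: update the flow counter for every packet,
 * then, in packet mode, write exactly as many tab-terminated fields as the
 * header declared.  Non-TCP packets get empty fields; skipping them would
 * shift the columns of every plugin loaded after this one. */
void tcpWin_pkt_line(FILE *sPktFile, tcpWinFlow_t *flow, const pkt_t *pkt) {
    const bool tcp = (pkt->l4Proto == 6);
    if (tcp && pkt->winSize < WINMIN) flow->winThPktCnt++;
    if (!sPktFile) return;
    if (!tcp) {
        fputs("\t\t", sPktFile);
        return;
    }
    fprintf(sPktFile, "%" PRIu16 "\t%" PRIu32 "\t", pkt->winSize, flow->winThPktCnt);
}

/* Driver: run the hooks over a constructed packet sequence (window sizes
 * from the flow 637 excerpt, plus one UDP packet) and return the packet-file
 * text.  The line break after each packet is added here; in T2 it is not the
 * plugin's job, each plugin only appends its own fields.  Caller frees. */
char *tcpWin_simulate(void) {
    static const pkt_t pkts[] = {
        {6, 5840}, {6, 5840}, {6, 2920}, {6, 0}, {6, 1460}, {17, 0}
    };
    FILE *f = tmpfile();
    if (!f) return NULL;
    tcpWinFlow_t flow = {0};
    tcpWin_pkt_header(f);
    fputc('\n', f);
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        tcpWin_pkt_line(f, &flow, &pkts[i]);
        fputc('\n', f);
    }
    long n = ftell(f);
    if (n < 0) { fclose(f); return NULL; }
    rewind(f);
    char *buf = malloc((size_t)n + 1);
    if (!buf) { fclose(f); return NULL; }
    size_t got = fread(buf, 1, (size_t)n, f);
    buf[got] = '\0';
    fclose(f);
    return buf;
}

/* Convenience check: does the simulation produce exactly `expected`? */
bool tcpWin_simulate_matches(const char *expected) {
    char *out = tcpWin_simulate();
    bool ok = (out != NULL) && strcmp(out, expected) == 0;
    free(out);
    return ok;
}

int main(void) {
    char *out = tcpWin_simulate();
    if (!out) return 1;
    fputs(out, stdout);     /* header line, then one line per packet */
    free(out);
    return 0;
}
```

The part to carry over into tcpWin.c is the shape of the output: fputs() the header names tab-terminated, fprintf() the values tab-terminated, and write empty fields for packets the plugin has nothing to say about. The winThPktCnt column is a per-flow running counter, which is why it stays at 1 after the window size recovers.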

Now change to your results window and look at the packet file. I extracted some interesting lines already for you.

$ tawk 'flow(637) && $pktNo > 37450' annoloc2_packets.txt | head | tcol
%pktNo  flowInd  flowStat            time               pktIAT    flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP            srcIPCC  srcIPWho                 srcPort  dstIP            dstIPCC  dstIPWho                 dstPort  l4Proto  winSize  winThPktCnt  l7Content
37450   637      0x0000000200004001  1022171702.462789  0.000148  0.710191      3        eth:ipv4:tcp             00:50:fc:28:a5:eb  00:d0:02:6d:78:00  0x0800   138.212.187.181  jp       asahi kasei corporation  58401    193.86.108.236   cz       vienna point a.s.        1485     6        5840     0            
40422   637      0x0000000000004000  1022171702.523534  0.075901  0.780101      3        eth:ipv4:tcp             00:d0:02:6d:78:00  00:50:fc:28:a5:eb  0x0800   193.86.108.236   cz       vienna point a.s.        1485     138.212.187.181  jp       asahi kasei corporation  58401    6        5840     0            
40692   637      0x0000000000004000  1022171702.528525  0.004991  0.785092      3        eth:ipv4:tcp             00:d0:02:6d:78:00  00:50:fc:28:a5:eb  0x0800   193.86.108.236   cz       vienna point a.s.        1485     138.212.187.181  jp       asahi kasei corporation  58401    6        2920     0            
40925   637      0x0000000000004000  1022171702.534186  0.005661  0.790753      3        eth:ipv4:tcp             00:d0:02:6d:78:00  00:50:fc:28:a5:eb  0x0800   193.86.108.236   cz       vienna point a.s.        1485     138.212.187.181  jp       asahi kasei corporation  58401    6        0        1            
41273   637      0x0000000000004000  1022171702.540717  0.006531  0.797284      3        eth:ipv4:tcp             00:d0:02:6d:78:00  00:50:fc:28:a5:eb  0x0800   193.86.108.236   cz       vienna point a.s.        1485     138.212.187.181  jp       asahi kasei corporation  58401    6        1460     1            
41831   637      0x0000000200004001  1022171702.553544  0.090755  0.800946      3        eth:ipv4:tcp             00:50:fc:28:a5:eb  00:d0:02:6d:78:00  0x0800   138.212.187.181  jp       asahi kasei corporation  58401    193.86.108.236   cz       vienna point a.s.        1485     6        5840     0            
50751   637      0x0000000000004000  1022171702.737617  0.196900  0.994184      3        eth:ipv4:tcp             00:d0:02:6d:78:00  00:50:fc:28:a5:eb  0x0800   193.86.108.236   cz       vienna point a.s.        1485     138.212.187.181  jp       asahi kasei corporation  58401    6        8760     1            
51325   637      0x0000000200004001  1022171702.749042  0.195498  0.996444      3        eth:ipv4:tcp             00:50:fc:28:a5:eb  00:d0:02:6d:78:00  0x0800   138.212.187.181  jp       asahi kasei corporation  58401    193.86.108.236   cz       vienna point a.s.        1485     6        5840     0            
51329   637      0x0000000200004001  1022171702.749280  0.000238  0.996682      3        eth:ipv4:tcp             00:50:fc:28:a5:eb  00:d0:02:6d:78:00  0x0800   138.212.187.181  jp       asahi kasei corporation  58401    193.86.108.236   cz       vienna point a.s.        1485     6        5840     0
$

That was not so hard, right? I extracted flow 637, header included, around the position where the window size first hits 0. For researchers: note that you already have the packet inter-arrival times (pktIAT) per flow index available. Why is there no l7Content? Have a look at what t2 warns you about regarding the snapLength… There is none! Use another pcap, faf-exercise.pcap, and you will see l7Content. I extracted the FTP command/control flow 35 below.

$ t2 -r ~/data/faf-exercise.pcap -w ~/results -s
...
$ tawk 'flow(35)' faf-exercise_packets.txt | tcol
%pktNo  flowInd  flowStat            time               pktIAT     flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPWho          srcPort  dstIP          dstIPCC  dstIPWho          dstPort  l4Proto  winSize  winThPktCnt  l7Content
1266    35       0x0000000000004000  1258594162.928342  0.000000   0.000000      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        8192     0            
1267    35       0x0000000000004001  1258594163.008594  0.000000   0.000000      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        4140     0            
1268    35       0x0000000000004000  1258594163.009292  0.080950   0.080950      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        64860    0            
1269    35       0x0000000000004001  1258594163.087792  0.079198   0.079198      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        4140     0            220 Microsoft FTP Service\r\n
1270    35       0x0000000000004000  1258594163.088491  0.079199   0.160149      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        64833    0            USER anonymous\r\n
1271    35       0x0000000000004001  1258594163.166256  0.078464   0.157662      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        4156     0            331 Anonymous access allowed, send identity (e-mail name) as password.\r\n
1272    35       0x0000000000004000  1258594163.168693  0.080202   0.240351      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        64761    0            PASS IEUser@\r\n
1273    35       0x0000000000004001  1258594163.247178  0.080922   0.238584      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        4170     0            230-Welcome to the Dell FTP site. A service of Dell Inc., Round Rock, Texas.\r\n    For information about DELL, call +1 800 999 3355 All transfers are logged with\r\n    your host name and email address. If you don't like this policy please disconnect now.\r\n    Please be advised that use constitutes consent to monitoring (Elec Comm Priv Act,\r\n    18 USC 2701-2711). Please see the file readme.txt for disclaimers pertaining to this\r\n    service. If your FTP client crashes or hangs shortly after login, try using a dash\r\n    (-) as the first character of your password. This will turn off the informational\r\n    messages which may be confusing your ftp client.\r\n    ********IN CASE OF PROBLEMS*************************\r\n    ** File Content: send EMAIL to dellbbs@dell.com   **\r\n    ** FTP Server: send EMAIL to hostmaster@dell.com  **\r\n    ** WWW Server: send EMAIL to webmaster@dell.com   **\r\n    ****************************************************\r\n
1274    35       0x0000000000004001  1258594163.247187  0.000009   0.238593      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        4170     0            230 User logged in.\r\n
1275    35       0x0000000000004000  1258594163.247637  0.078944   0.319295      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        63790    0            
1276    35       0x0000000000004000  1258594163.249385  0.001748   0.321043      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        63790    0            TYPE I\r\n
1277    35       0x0000000000004001  1258594163.327121  0.079934   0.318527      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        4178     0            200 Type set to I.\r\n
1278    35       0x0000000000004000  1258594163.327845  0.078460   0.399503      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        63770    0            PASV\r\n
1279    35       0x0000000000004001  1258594163.407582  0.080461   0.398988      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        4184     0            227 Entering Passive Mode (143,166,11,10,251,78)\r\n
1283    35       0x0000000000004000  1258594163.487490  0.159645   0.559148      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        63720    0            SIZE /video/R79733.EXE\r\n
1284    35       0x0000000000004001  1258594163.565990  0.158408   0.557396      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        4208     0            213 4255056\r\n
1285    35       0x0000000000004000  1258594163.566694  0.079204   0.638352      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        63707    0            RETR /video/R79733.EXE\r\n
1286    35       0x0000000000004001  1258594163.644188  0.078198   0.635594      3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        4232     0            125 Data connection already open; Transfer starting.\r\n
1303    35       0x0000000000004000  1258594163.838277  0.271583   0.909935      3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        63653    0            
5898    35       0x0000000000004001  1258594185.427515  21.783327  22.418921     3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        4232     0            226 Transfer complete.\r\n
5900    35       0x0000000000004000  1258594185.618346  21.780069  22.690004     3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        63629    0  
$

Why are there no packets below the defined window threshold in this flow? Can you find the flow which has some? I leave that to you. Have fun with packet mode programming!