Plugin packet mode


Introduction

The packet mode of T2 is enabled with the -s command line option. When -s is given, the core opens the packet file and sets the global file pointer sPktFile; each plugin can test this pointer and, if it is set, write its per-packet columns to it. The contributions of the plugins are appended in plugin loading order, so every plugin must write the same number of columns for every single packet, otherwise the columns of all following plugins shift.

Getting started

Create folders for your data and results

If you have not created a separate data and results directory yet, please do it now. This will greatly facilitate your workflow:

mkdir ~/data ~/results

Reset tranalyzer2 and the plugins configuration

If you have followed the other tutorials, you may have modified some of the core and plugins configuration. To ensure your results match those in this tutorial, make sure to reset everything:

t2conf -a --reset

You can also clean all build files:

t2build -a -c

Empty the plugin folder

To ensure we are not left with unneeded plugins, or with plugins which were built with a different core configuration, it is safer to empty the plugins folder:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/user/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Download the PCAP file

The two PCAP files used in this tutorial, annoloc2.pcap and faf-exercise.pcap, can be downloaded with wget. Save them in your ~/data folder:

wget --no-check-certificate -P ~/data https://tranalyzer.com/download/data/{annoloc2,faf-exercise}.pcap

Build tranalyzer2 and the required plugins

For this tutorial, we will need to build the core (tranalyzer2) and the basicFlow and txtSink plugins (the tcpWin plugin itself is built later, once we have modified it).

As you may have modified some of the automatically generated files, it is safer to use the -r and -f options:

t2build -r -f tranalyzer2 basicFlow txtSink

...

BUILDING SUCCESSFUL

Source code

In this tutorial, we will extend tcpWin05.tar.gz, the final version of the previous tutorial (Plugin monitoring).

If you are impatient, you can download the final version of the tcpWin plugin we will develop in this tutorial (tcpWin06.tar.gz).

To use it, just unpack it in the plugins folder of your T2 installation:

tranpl

tar -xf ~/Downloads/tcpWin06.tar.gz

And let t2_aliases know about it:

source "$T2HOME/scripts/t2_aliases"

Adding the packet mode

In order to implement the packet mode, the plugin has to check the sPktFile pointer in its t2Init() callback and, if it is set, write the header of its packet file columns (see also the t2PSkel skeleton plugin).

So open tcpWin.c and add in the t2Init() callback the lines marked by // <--: a simple fputs() into the packet file which writes the names of the plugin's columns. Note that every column name, including the last one, is followed by the separator SEP_CHR.

tcpWin

vi src/tcpWin.c

...
void t2Init() {
    // allocate struct for all flows and initialize to 0
    T2_PLUGIN_STRUCT_NEW(tcpWinFlows);

    // Packet mode                     // <--
    if (sPktFile) {                    // <--
        fputs("tcpWinSize"     SEP_CHR // <-- Note the trailing separator SEP_CHR
              "tcpWinThPktCnt" SEP_CHR // <-- Note the trailing separator SEP_CHR
              , sPktFile);             // <--
    }
}
...

Now we need to output data for every packet. Add in the t2OnLayer4(...) callback the lines marked by // <--, again a simple fprintf() into the packet file. Note the trailing separator SEP_CHR after each field of the format string, do NOT forget them! Packets which are not TCP, or which are not the first fragment, must still produce two empty columns, otherwise the columns of the following plugins and the l7Content column of the core shift.

vi src/tcpWin.c

...
void t2OnLayer4(packet_t *packet, unsigned long flowIndex) {
    flow_t * const flowP = &flows[flowIndex];
    if (flowP->l4Proto != L3_TCP) {             // <-- process only TCP
        if (sPktFile) {                         // <-- if not TCP we need to print empty columns
            fputs(/* tcpWinSize     */ SEP_CHR  // <-- Note the trailing separator SEP_CHR
                  /* tcpWinThPktCnt */ SEP_CHR  // <-- Note the trailing separator SEP_CHR
                  , sPktFile);                  // <--
        }                                       // <--
        return;                                 // <-- go back to core
    }                                           // <--

    // only 1. frag packet will be processed
    if (!t2_is_first_fragment(packet)) {        // <--
        if (sPktFile) {                         // <-- not the first fragment: print empty columns
            fputs(/* tcpWinSize     */ SEP_CHR  // <-- Note the trailing separator SEP_CHR
                  /* tcpWinThPktCnt */ SEP_CHR  // <-- Note the trailing separator SEP_CHR
                  , sPktFile);                  // <--
        }                                       // <--
        return;                                 // <-- go back to core
    }                                           // <--

    tcpWinFlow_t * const tcpWinFlowP = &tcpWinFlows[flowIndex];
    const tcpHeader_t * const tcpHeader = TCP_HEADER(packet);   // cast l4HdrP to tcpHeader struct
    const uint32_t tcpWin = ntohs(tcpHeader->window);           // convert window size from network to host byte order

    if (tcpWin < TCPWIN_THRES) {               // is the window size below the threshold?
        tcpWinFlowP->winThCnt++;               // count the packet / flow
        tcpWinFlowP->stat |= TCPWIN_STAT_THU;  // set the status bit
    }

    // Packet mode                                      // <--
    if (sPktFile) {                                     // <--
        fprintf(sPktFile,                               // <--
                "%" PRIu32 /* tcpWinSize     */ SEP_CHR // <-- Note the trailing separator SEP_CHR
                "%" PRIu32 /* tcpWinThPktCnt */ SEP_CHR // <-- Note the trailing separator SEP_CHR
                , tcpWin, tcpWinFlowP->winThCnt);       // <--
    }                                                   // <--
}
...

Done? No! Here comes the catch, as already explained in the buildyourownplugin tutorial: we now need to compensate for the two missing L4 columns of our plugin when a pure L2 packet (a packet without a layer 4) appears. Our pcap does contain some (the report below lists 99 L2 flows), and your own traffic may contain many more. When the -s option is set, the plugin must output two separators for such packets as well, so that the columns stay aligned up to the l7Content column produced by the core. Place the following code before the t2OnLayer4() function.

...
#if ETH_ACTIVATE > 0
/*
 * This function is called for every packet with a layer 2.
 * If flowIndex is HASHTABLE_ENTRY_NOT_FOUND, this means the packet also
 * has a layer 4 and thus a call to t2OnLayer4() will follow.
 */
void t2OnLayer2(packet_t *packet UNUSED, unsigned long flowIndex) {
    if (flowIndex == HASHTABLE_ENTRY_NOT_FOUND) return;

    // This packet does not have a layer 4.
    // Print the appropriate amount of separators (SEP_CHR) to keep the packet file aligned
    if (sPktFile) {                         // <--
        fputs(/* tcpWinSize     */ SEP_CHR  // <-- Note the trailing separator SEP_CHR
              /* tcpWinThPktCnt */ SEP_CHR  // <-- Note the trailing separator SEP_CHR
              , sPktFile);                  // <--
    }                                       // <--
}
#endif // ETH_ACTIVATE > 0
...

This code is only compiled if ETH_ACTIVATE > 0 in the core configuration (the t2OnLayer2() callback only exists in that case). As you can see, we have quite a bit of code duplication… Let’s define a macro to print the appropriate number of separators for the packet mode. You can copy it at the start of your tcpWin.c, after the section reserved for static function prototypes.

// Packet mode: print one empty column per tcpWin column.
// Wrapped in do { ... } while (0) so that the macro behaves like a single
// statement, also after an if without braces.
#define TCPWIN_SPKTMD_PRI_NONE() \
    do { \
        if (sPktFile) { \
            fputs(/* tcpWinSize     */ SEP_CHR \
                  /* tcpWinThPktCnt */ SEP_CHR \
                  , sPktFile); \
        } \
    } while (0)

Now we can replace the code in t2OnLayer2() and t2OnLayer4() with a call to the macro:

...
void t2OnLayer2(packet_t *packet UNUSED, unsigned long flowIndex) {
    if (flowIndex == HASHTABLE_ENTRY_NOT_FOUND) return;

    // This packet does not have a layer 4.
    // Print the appropriate amount of separators (SEP_CHR) to keep the packet file aligned
    TCPWIN_SPKTMD_PRI_NONE(); // <-- Packet mode
}
...
...
void t2OnLayer4(packet_t *packet, unsigned long flowIndex) {
    flow_t * const flowP = &flows[flowIndex];

    if (flowP->l4Proto != L3_TCP) {         // <-- process only TCP
        TCPWIN_SPKTMD_PRI_NONE();           // <-- Packet mode
        return;                             // <--
    }                                       // <--

    // only 1. frag packet will be processed
    if (!t2_is_first_fragment(packet)) {    // <--
        TCPWIN_SPKTMD_PRI_NONE();           // <-- Packet mode
        return;                             // <--
    }                                       // <--

    tcpWinFlow_t * const tcpWinFlowP = &tcpWinFlows[flowIndex];
    const tcpHeader_t * const tcpHeader = (tcpHeader_t*)packet->l4HdrP; // cast l4HdrP to tcpHeader struct
    const uint32_t tcpWin = ntohs(tcpHeader->window);                   // convert window size from network to host byte order

    ...
}
...

Much clearer isn’t it?
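Why all this care about empty columns? The packet file is only usable if every row has exactly as many columns as the header, and the core cannot repair a plugin that writes too few. The following stand-alone C program is an added example, not code from the tcpWin plugin or the T2 core: it mirrors the plugin's output logic against a few constructed mock packets (T2's packet_t, flow_t, sPktFile and callbacks are replaced by stand-ins, SEP_CHR is assumed to be a tab, and the core is assumed to write pktNo before and l7Content after the plugin's columns), writes a packet file, and then checks the alignment of every row. With its buggy switch it reproduces the mistake of staying silent on a pure L2 packet, which the check flags immediately.

```c
/* Added example, not code from the tcpWin plugin or the T2 core. T2's packet_t, flow_t,
 * sPktFile and callbacks are replaced by small mocks; only the output logic mirrors the
 * plugin. Assumed: SEP_CHR is a tab, core writes pktNo before and l7Content after us. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define SEP_CHR      "\t"
#define TCPWIN_THRES 1   /* threshold used by the tutorial run above */

/* Same role as TCPWIN_SPKTMD_PRI_NONE() in tcpWin.c: exactly two empty columns. */
#define TCPWIN_SPKTMD_PRI_NONE(f) \
    do { if (f) fputs(/* tcpWinSize */ SEP_CHR /* tcpWinThPktCnt */ SEP_CHR, (f)); } while (0)

typedef struct {
    int     has_l4;      /* 0: pure L2 packet, i.e. the t2OnLayer2() path */
    int     is_tcp;      /* stands in for flowP->l4Proto == L3_TCP       */
    int     first_frag;  /* stands in for t2_is_first_fragment(packet)   */
    uint8_t win[2];      /* TCP window field as it appears on the wire   */
} mock_pkt_t;
typedef struct { uint32_t winThCnt; } mock_flow_t;   /* as in tcpWinFlow_t */

/* What ntohs() does to the window field: the wire is big endian. */
static uint32_t win_from_wire(uint8_t hi, uint8_t lo) { return ((uint32_t)hi << 8) | lo; }
/* t2Init() part: the column names, each followed by a separator. */
static void tcpwin_pkt_header(FILE *sPktFile) {
    if (sPktFile) fputs("tcpWinSize" SEP_CHR "tcpWinThPktCnt" SEP_CHR, sPktFile);
}

/* t2OnLayer2()/t2OnLayer4() part: every exit path writes exactly two columns. */
static void tcpwin_pkt_row(FILE *sPktFile, const mock_pkt_t *p, mock_flow_t *flow) {
    if (!p->has_l4 || !p->is_tcp || !p->first_frag) { TCPWIN_SPKTMD_PRI_NONE(sPktFile); return; }
    const uint32_t tcpWin = win_from_wire(p->win[0], p->win[1]);
    if (tcpWin < TCPWIN_THRES) flow->winThCnt++;
    if (sPktFile) fprintf(sPktFile, "%" PRIu32 SEP_CHR "%" PRIu32 SEP_CHR, tcpWin, flow->winThCnt);
}

/* Core and plugin writing one packet file over constructed sample traffic (not from any
 * pcap). With buggy != 0 the plugin stays silent on pure L2 packets, the mistake the
 * tutorial warns about. Returns the number of packets counted below the threshold. */
static uint32_t write_packet_file(FILE *f, int buggy) {
    const mock_pkt_t pkts[] = {
        { 1, 1, 1, {0x20, 0x00} },   /* TCP, window 8192 */
        { 0, 0, 0, {0x00, 0x00} },   /* ARP: no layer 4 */
        { 1, 0, 1, {0x00, 0x00} },   /* UDP */
        { 1, 1, 0, {0x00, 0x00} },   /* TCP, later fragment */
        { 1, 1, 1, {0x00, 0x00} },   /* TCP, zero window: below threshold */
        { 1, 1, 1, {0x10, 0x2c} },   /* TCP, window 4140 */
    };
    mock_flow_t flow = { 0 };
    fputs("%pktNo" SEP_CHR, f);                 /* core column before the plugin */
    tcpwin_pkt_header(f);
    fputs("l7Content\n", f);                    /* core column after the plugin */
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        fprintf(f, "%zu" SEP_CHR, i + 1);
        if (!(buggy && !pkts[i].has_l4)) tcpwin_pkt_row(f, &pkts[i], &flow);
        fputc('\n', f);                         /* empty l7Content, then end of row */
    }
    return flow.winThCnt;
}

/* Columns on the next line, or -1 at end of file. Reads char by char, so the arbitrarily
 * long l7Content lines of a real packet file are handled. */
static int next_line_columns(FILE *f) {
    int c, n = 1, seen = 0;
    while ((c = fgetc(f)) != EOF && c != '\n') { seen = 1; if (c == SEP_CHR[0]) n++; }
    return (c == EOF && !seen) ? -1 : n;
}

/* The check to run after touching a packet-mode plugin: every row must have exactly as
 * many columns as the header row. Works on any T2 packet file. */
static int packet_file_aligned(FILE *f) {
    rewind(f);
    const int hdr = next_line_columns(f);
    if (hdr < 0) return 0;
    for (int n; (n = next_line_columns(f)) >= 0; ) if (n != hdr) return 0;
    return 1;
}

static int run_demo(int buggy, uint32_t *below) {
    FILE *f = tmpfile();
    if (!f) return -1;
    const uint32_t n = write_packet_file(f, buggy);
    if (below) *below = n;
    const int ok = packet_file_aligned(f);
    fclose(f);
    return ok;
}
static int demo_aligned(int buggy) { return run_demo(buggy, NULL); }
static uint32_t demo_below_threshold(void) { uint32_t n = 0; run_demo(0, &n); return n; }

int main(int argc, char **argv) {
    if (argc > 1) {                 /* check a real file, e.g. ~/results/annoloc2_packets.txt */
        FILE *f = fopen(argv[1], "r");
        if (!f) { perror(argv[1]); return 1; }
        const int ok = packet_file_aligned(f);
        fclose(f);
        printf("%s: %s\n", argv[1], ok ? "all rows aligned" : "misaligned rows found");
        return ok ? 0 : 1;
    }
    printf("correct plugin: aligned=%d, packets below threshold=%" PRIu32 "\n",
           demo_aligned(0), demo_below_threshold());
    printf("silent on L2  : aligned=%d\n", demo_aligned(1));
    return 0;
}
```

Without arguments the program runs the simulation and reports that the correct plugin keeps the file aligned while the one that skips the L2 path does not; given the path of a real packet file it only runs the column check, which is a cheap regression test to add after every change to a packet-mode plugin.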

After you have edited the code, compare your implementation with tcpWin06.tar.gz.

Now compile tcpWin and rerun T2 with the -s option in order to produce a flow and a packet file:

t2build tcpWin

t2 -r ~/data/annoloc2.pcap -w ~/results -s

================================================================================
Tranalyzer 0.9.0 (Anteater), Cobra. PID: 33774, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: tcpWin, 0.9.0
    03: txtSink, 0.9.0
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481503 (481.50 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41497 (41.50 K)
Processing file: /home/wurst/data/annoloc2.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 66
Dump start: 1022171701.691172000 sec (Thu 23 May 2002 16:35:01 GMT)
[WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500
Dump stop : 1022171726.640398000 sec (Thu 23 May 2002 16:35:26 GMT)
Total dump duration: 24.949226000 sec
Finished processing. Elapsed time: 0.263058000 sec
Finished unloading flow memory. Time: 0.352172000 sec
Percentage completed: 100.00%
Number of processed packets: 1219015 (1.22 M)
Number of processed bytes: 64082726 (64.08 M)
Number of raw bytes: 844642686 (844.64 M)
Number of pad bytes: 8591685635 (8.59 G)
Number of pcap bytes: 83586990 (83.59 M)
Number of IPv4 packets: 1218588 (1.22 M) [99.96%]
Number of IPv6 packets: 180 [0.01%]
Number of A packets: 564228 (564.23 K) [46.29%]
Number of B packets: 654787 (654.79 K) [53.71%]
Number of A bytes: 29447896 (29.45 M) [45.95%]
Number of B bytes: 34634830 (34.63 M) [54.05%]
Average A packet load: 52.19
Average B packet load: 52.89
--------------------------------------------------------------------------------
tcpWin: Aggregated tcpWinStat=0x01
tcpWin: Number of TCP winsize packets below threshold 1: 2415 (2.42 K) [0.25%]
--------------------------------------------------------------------------------
Headers count: min: 2, max: 5, average: 3.01
Number of ARP packets: 247 [0.02%]
Number of GRE packets: 20 [0.00%]
Number of IGMP packets: 12 [0.00%]
Number of ICMP packets: 3059 (3.06 K) [0.25%]
Number of ICMPv6 packets: 11 [0.00%]
Number of TCP packets: 948743 (948.74 K) [77.83%]
Number of TCP bytes: 52643546 (52.64 M) [82.15%]
Number of UDP packets: 266900 (266.90 K) [21.89%]
Number of UDP bytes: 11234272 (11.23 M) [17.53%]
Number of IPv4 fragmented packets: 2284 (2.28 K) [0.19%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 17100 (17.10 K)
Number of processed L2   flows: 99 [0.58%]
Number of processed IPv4 flows: 16937 (16.94 K) [99.05%]
Number of processed IPv6 flows: 64 [0.37%]
Number of processed A    flows: 9719 (9.72 K) [56.84%]
Number of processed B    flows: 7381 (7.38 K) [43.16%]
Number of request        flows: 9676 (9.68 K) [56.58%]
Number of reply          flows: 7424 (7.42 K) [43.42%]
Total   A/B    flow asymmetry: 0.14
Total req/rply flow asymmetry: 0.13
Number of processed   packets/flows: 71.29
Number of processed A packets/flows: 58.05
Number of processed B packets/flows: 88.71
Number of processed total packets/s: 48859.83 (48.86 K)
Number of processed A+B   packets/s: 48859.83 (48.86 K)
Number of processed A     packets/s: 22615.05 (22.61 K)
Number of processed   B   packets/s: 26244.78 (26.24 K)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 685.39
Average full raw bandwidth: 270835712 b/s (270.84 Mb/s)
Average snapped bandwidth : 20548206 b/s (20.55 Mb/s)
Average full bandwidth : 270268480 b/s (270.27 Mb/s)
Max number of flows in memory: 17100 (17.10 K) [6.52%]
Memory usage: 0.06 GB [0.09%]
Aggregated flowStat=0x0c0098fa0222d044
[WRN] L3 SnapLength < Length in IP header
[WRN] L4 header snapped
[WRN] Consecutive duplicate IP ID
[WRN] IPv4/6 payload length > framing length
[WRN] IPv4/6 fragmentation header packet missing
[WRN] IPv4/6 packet fragmentation sequence not finished
[INF] Stop dissecting: Clipped packet, unhandled protocol or subsequent fragment
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] IPv6 flows
[INF] ARP
[INF] IPv4/6 fragmentation
[INF] IPv4/6 in IPv4/6
[INF] GRE encapsulation
[INF] GTP tunnel
[INF] SSDP/UPnP

Note that we also loaded the txtSink plugin, which is not necessary for producing a packet file, to illustrate that T2 writes the flow file and the packet file in parallel. Conversely, if you only want a pure packet plugin, you can omit the t2OnFlowTerminate() callback.

Now change to your results window and look at the packet file. I extracted some interesting lines already for you.

tawk 'hdr() || ($tcpWinThPktCnt > 0 && $tcpWinSize == 0)' ~/results/annoloc2_packets.txt | head | tcol

%pktNo  flowInd  flowStat            time                  pktIAT    pktTrip   flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP            srcIPCC  srcIPOrg                  srcPort  dstIP            dstIPCC  dstIPOrg                        dstPort  l4Proto  tcpWinSize  tcpWinThPktCnt  l7Content
521     265      0x0400000000004000  1022171701.709116000  0.000000  0.000000  0.000000      3        eth:ipv4:tcp          00:d0:02:6d:78:00  00:50:fc:0e:21:56  0x0800   209.171.12.143   ca       TELUS Communications Inc  4987     138.212.185.230  jp       ASAHI KASEI CORPORATION         41250    6        0           1
1159    60       0x0400000000004001  1022171701.720657000  0.000000  0.027894  0.000000      3        eth:ipv4:tcp          00:d0:02:6d:78:00  00:50:fc:26:95:88  0x0800   193.87.5.62      sk       AS2607-MNT                62486    138.212.188.178  jp       ASAHI KASEI CORPORATION         2100     6        0           1
1167    447      0x0400000000004000  1022171701.721366000  0.000000  0.000000  0.000000      3        eth:ipv4:tcp          00:d0:02:6d:78:00  00:50:fc:3b:62:78  0x0800   217.41.129.13    gb       BT Infrastructure Layer   58872    138.212.187.186  jp       ASAHI KASEI CORPORATION         80       6        0           1
1497    523      0x0400000000004001  1022171701.729052000  0.000000  0.001142  0.000000      3        eth:ipv4:tcp          00:00:b4:a9:15:71  00:d0:02:6d:78:00  0x0800   138.212.185.150  jp       ASAHI KASEI CORPORATION   1207     212.223.121.197  de       MNT-RAK2014                     8000     6        0           1
1684    392      0x0400000000004001  1022171701.732313000  0.000000  0.015315  0.000000      3        eth:ipv4:tcp          00:50:bf:59:85:48  00:d0:02:6d:78:00  0x0800   138.212.188.67   jp       ASAHI KASEI CORPORATION   1214     36.242.181.230   jp       SoftBank Corp                   4685     6        0           1
2004    176      0x0400000000004000  1022171701.739385000  0.035669  0.033833  0.035669      3        eth:ipv4:tcp          00:d0:02:6d:78:00  00:80:48:b3:13:27  0x0800   216.237.125.166  us       Infortech Corporation     3507     138.212.184.193  jp       ASAHI KASEI CORPORATION         8080     6        0           1
2232    633      0x0400000200004001  1022171701.743464000  0.000000  0.000041  0.000000      3        eth:ipv4:tcp          00:60:08:78:1b:63  00:d0:02:6d:78:00  0x0800   138.212.187.203  jp       ASAHI KASEI CORPORATION   6699     19.123.222.7     us       MAINT-APNIC-AP                  1430     6        0           1
2295    642      0x0400000000004000  1022171701.744654000  0.000000  0.000000  0.000000      3        eth:ipv4:tcp          00:80:48:cd:8c:82  00:d0:02:6d:78:00  0x0800   138.212.186.160  jp       ASAHI KASEI CORPORATION   1217     70.196.57.198    us       Cellco Partnership DBA Verizon  9000     6        0           1
3975    176      0x0400000000004000  1022171701.779710000  0.039558  0.038698  0.075994      3        eth:ipv4:tcp          00:d0:02:6d:78:00  00:80:48:b3:13:27  0x0800   216.237.125.166  us       Infortech Corporation     3507     138.212.184.193  jp       ASAHI KASEI CORPORATION         8080     6        0           2

That was not so hard, right?

For researchers: note that the packet inter-arrival times (pktIAT column) per flowIndex and flow direction are already available. Why is there no L7 content? Have a look at what T2 warns you about: the snapshot length! This pcap was captured with a snaplen of 66 bytes, so only the headers were recorded and the payload was never captured.

Use another pcap: faf-exercise.pcap and you will see L7 content.

t2 -r ~/data/faf-exercise.pcap -w ~/results -s

I extracted the FTP command/control flow 35 below.

tawk 'flow(35)' ~/results/faf-exercise_packets.txt | tcol

%pktNo  flowInd  flowStat            time                  pktIAT     pktTrip    flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPOrg           srcPort  dstIP          dstIPCC  dstIPOrg           dstPort  l4Proto  tcpWinSize  tcpWinThPktCnt  l7Content
1266    35       0x0400000000004000  1258594162.928342000  0.000000   0.000000   0.000000      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        8192        0
1267    35       0x0400000000004001  1258594163.8594000    0.000000   0.080252   0.000000      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4140        0
1268    35       0x0400000000004000  1258594163.9292000    0.080950   0.000698   0.080950      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        64860       0
1269    35       0x0400000000004001  1258594163.87792000   0.079198   0.078500   0.079198      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4140        0               220 Microsoft FTP Service\r\n
1270    35       0x0400000000004000  1258594163.88491000   0.079199   0.000699   0.160149      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        64833       0               USER anonymous\r\n
1271    35       0x0400000000004001  1258594163.166256000  0.078464   0.077765   0.157662      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4156        0               331 Anonymous access allowed, send identity (e-mail name) as password.\r\n
1272    35       0x0400000000004000  1258594163.168693000  0.080202   0.002437   0.240351      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        64761       0               PASS IEUser@\r\n
1273    35       0x0400000000004001  1258594163.247178000  0.080922   0.078485   0.238584      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4170        0               230-Welcome to the Dell FTP site. A service of Dell Inc., Round Rock, Texas.\r\n    For information about DELL, call +1 800 999 3355 All transfers are logged with\r\n    your host name and email address. If you don't like this policy please disconnect now.\r\n    Please be advised that use constitutes consent to monitoring (Elec Comm Priv Act,\r\n    18 USC 2701-2711). Please see the file readme.txt for disclaimers pertaining to this\r\n    service. If your FTP client crashes or hangs shortly after login, try using a dash\r\n    (-) as the first character of your password. This will turn off the informational\r\n    messages which may be confusing your ftp client.\r\n    ********IN CASE OF PROBLEMS*************************\r\n    ** File Content: send EMAIL to dellbbs@dell.com   **\r\n    ** FTP Server: send EMAIL to hostmaster@dell.com  **\r\n    ** WWW Server: send EMAIL to webmaster@dell.com   **\r\n    ****************************************************\r\n
1274    35       0x0400000000004001  1258594163.247187000  0.000009   0.078494   0.238593      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4170        0               230 User logged in.\r\n
1275    35       0x0400000000004000  1258594163.247637000  0.078944   0.000450   0.319295      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        63790       0
1276    35       0x0400000000004000  1258594163.249385000  0.001748   0.002198   0.321043      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        63790       0               TYPE I\r\n
1277    35       0x0400000000004001  1258594163.327121000  0.079934   0.077736   0.318527      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4178        0               200 Type set to I.\r\n
1278    35       0x0400000000004000  1258594163.327845000  0.078460   0.000724   0.399503      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        63770       0               PASV\r\n
1279    35       0x0400000000004001  1258594163.407582000  0.080461   0.079737   0.398988      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4184        0               227 Entering Passive Mode (143,166,11,10,251,78)\r\n
1283    35       0x0400000000004000  1258594163.487490000  0.159645   0.079908   0.559148      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        63720       0               SIZE /video/R79733.EXE\r\n
1284    35       0x0400000000004001  1258594163.565990000  0.158408   0.078500   0.557396      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4208        0               213 4255056\r\n
1285    35       0x0400000000004000  1258594163.566694000  0.079204   0.000704   0.638352      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        63707       0               RETR /video/R79733.EXE\r\n
1286    35       0x0400000000004001  1258594163.644188000  0.078198   0.077494   0.635594      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4232        0               125 Data connection already open; Transfer starting.\r\n
1303    35       0x0400000000004000  1258594163.838277000  0.271583   0.194089   0.909935      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        63653       0
5898    35       0x0400000000004001  1258594185.427515000  21.783327  21.589237  22.418921     3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4232        0               226 Transfer complete.\r\n
5900    35       0x0400000000004000  1258594185.618346000  21.780069  0.190831   22.690004     3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        63629       0

Why are there no packets below the defined window threshold in this flow? Can you find a flow which has some? I leave that to you. Alternatively, change the threshold TCPWIN_THRES in tcpWin.h.

Conclusion

You can download the final version of the tcpWin plugin.

The next tutorial will teach you how to produce summary files.

Have fun writing plugins!
