Tutorial: Plugin Packet Mode

The packet mode of T2 is enabled with the -s command line option. Each plugin can implement code that is activated by the sPktFile switch, which -s turns on. The plugin’s contribution is then appended, in plugin order, to the packet file.

Before we start, clean out your plugin .so directory if this is the first tutorial you follow: all unnecessary plugins should be deleted from the plugin folder ~/.tranalyzer/plugins. Then compile basicFlow, basicStats and txtSink.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$ t2build basicFlow txtSink
...
BUILD SUCCESSFUL

Compiling basicFlow now took a bit longer, because t2 had to rebuild the subnet files used for geolocation: ‘t2build -e’ also removes the subnet file. Alternatively, use rm, which leaves the existing subnet file in place:

$ rm ~/.tranalyzer/plugins/*.so
$ t2build basicFlow txtSink
...
BUILD SUCCESSFUL

Then the compilation will be considerably faster, as the subnet file already exists.

If you haven’t followed the previous tutorials, here is the base plugin which we will extend: tcpWin

The anonymized sample pcap can be downloaded here: annoloc2.pcap. Extract it under your data folder if you haven’t already. Now you are all set for packet mode fun.

Adding the Packet Mode

To implement packet mode, the sPktFile switch has to be added to the initialize() function of your plugin, and the plugin’s header columns for the packet file have to be defined (see also the Skeleton plugin).

So open tcpWin.c and add the line marked by <– to the initialize callback: a simple fprintf into the packet file.

Now we need to output data for every packet. Add the line marked by <– to the claimLayer4Information callback, again a simple fprintf into the packet file. Note the trailing ‘\t’ in the format string; don’t forget it, because the next plugin’s columns are appended directly after yours.
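As an added example (not code from the Tranalyzer project or from tcpWin.c), the following stand-alone C program models the packet-mode contract just described: the sPktFile guard, a header contribution in initialize(), the matching per-packet contribution, and a check that header and row carry the same number of tab-terminated columns. The _demo names, the tmpfile() stand-in for the packet file and the newline written on behalf of the "core" are assumptions of this example.

```c
/* Added example, not the tcpWin.c of the Tranalyzer project. sPktFile is
 * NULL unless T2 was started with -s, so every packet-mode write is guarded.
 * Header and per-packet contributions must have the same number of columns,
 * each terminated by a tab, so that all plugins concatenate into one row. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

FILE *sPktFile = NULL;   /* in T2 the core opens this when -s is given */

/* initialize() contribution: the plugin's column names, trailing tab. */
static void tcpwin_init_demo(void) {
    if (sPktFile) fputs("winSize\tpktTcpCnt\t", sPktFile);
}

/* claimLayer4Information() contribution: one value per column, trailing tab. */
static void tcpwin_pkt_demo(uint16_t winSize, uint32_t pktTcpCnt) {
    if (sPktFile) fprintf(sPktFile, "%" PRIu16 "\t%" PRIu32 "\t", winSize, pktTcpCnt);
}

/* Number of tab-terminated columns in one contribution. */
int count_cols_demo(const char *s) {
    int n = 0;
    for (; *s; s++) if (*s == '\t') n++;
    return n;
}

/* Drive both callbacks against a temporary packet file (hypothetical stand-in
 * for the file the core opens), read header and row back into hdr/row (each of
 * size len) and return the column count, or -1 if header and row disagree. */
int render_demo(uint16_t winSize, uint32_t pktTcpCnt, char *hdr, char *row, size_t len) {
    FILE *f = tmpfile();
    if (!f) return -1;
    sPktFile = f;
    tcpwin_init_demo(); fputc('\n', f);            /* core ends the header line */
    tcpwin_pkt_demo(winSize, pktTcpCnt); fputc('\n', f);   /* core ends the row */
    rewind(f);
    int ok = fgets(hdr, (int)len, f) && fgets(row, (int)len, f);
    fclose(f);
    sPktFile = NULL;                               /* back to "no -s" state */
    if (!ok) return -1;
    hdr[strcspn(hdr, "\n")] = '\0';
    row[strcspn(row, "\n")] = '\0';
    int h = count_cols_demo(hdr);
    return h == count_cols_demo(row) ? h : -1;
}
```

Calling render_demo(5840, 0, ...) reproduces the header "winSize\tpktTcpCnt\t" and the row "5840\t0\t" seen for flow 637 below; a contribution that drops the trailing tab counts one column short, which is how the misalignment described above shows up.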

Compile tcpWin and rerun T2 with the -s option.

Now change to your results window and look at the packet file:

$ tawk 'flow(637)' annoloc2_packets.txt | tcol
%pktNo   flowInd  flowStat            time               pktIAT    duration   numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP            srcIPCC  srcIPWho             srcPort  dstIP            dstIPCC  dstIPWho             dstPort  l4Proto  pktLen  l7Len  winSize  pktTcpCnt  l7Content
...
37450    637      0x0000000200004001  1022171702.462789  0.000148  0.710191   3        eth:ipv4:tcp             00:50:fc:28:a5:eb  00:d0:02:6d:78:00  0x0800   138.212.187.181  jp       asahi kasei corpora  58401    193.86.108.236   cz       vienna point a.s.    1485     6        1514    1460   5840     0          
40422    637      0x0000000000004000  1022171702.523534  0.075901  0.780101   3        eth:ipv4:tcp             00:d0:02:6d:78:00  00:50:fc:28:a5:eb  0x0800   193.86.108.236   cz       vienna point a.s.    1485     138.212.187.181  jp       asahi kasei corpora  58401    6        60      0      5840     0          
40692    637      0x0000000000004000  1022171702.528525  0.004991  0.785092   3        eth:ipv4:tcp             00:d0:02:6d:78:00  00:50:fc:28:a5:eb  0x0800   193.86.108.236   cz       vienna point a.s.    1485     138.212.187.181  jp       asahi kasei corpora  58401    6        60      0      2920     0          
40925    637      0x0000000000004000  1022171702.534186  0.005661  0.790753   3        eth:ipv4:tcp             00:d0:02:6d:78:00  00:50:fc:28:a5:eb  0x0800   193.86.108.236   cz       vienna point a.s.    1485     138.212.187.181  jp       asahi kasei corpora  58401    6        60      0      0        1          
41273    637      0x0000000000004000  1022171702.540717  0.006531  0.797284   3        eth:ipv4:tcp             00:d0:02:6d:78:00  00:50:fc:28:a5:eb  0x0800   193.86.108.236   cz       vienna point a.s.    1485     138.212.187.181  jp       asahi kasei corpora  58401    6        60      0      1460     1          
41831    637      0x0000000200004001  1022171702.553544  0.090755  0.800946   3        eth:ipv4:tcp             00:50:fc:28:a5:eb  00:d0:02:6d:78:00  0x0800   138.212.187.181  jp       asahi kasei corpora  58401    193.86.108.236   cz       vienna point a.s.    1485     6        1514    1460   5840     0          
50751    637      0x0000000000004000  1022171702.737617  0.196900  0.994184   3        eth:ipv4:tcp             00:d0:02:6d:78:00  00:50:fc:28:a5:eb  0x0800   193.86.108.236   cz       vienna point a.s.    1485     138.212.187.181  jp       asahi kasei corpora  58401    6        60      0      8760     1 
...

That was not so hard, right? I extracted flow 637 with its header up to the point where the window size first hit ‘0’. For researchers: note that the packet inter-arrival times (pktIAT) per flow index are already available. Why is there no l7Content? Have a look at what t2 warns you about the snapLength… there is none! Use another pcap, faf-exercise.pcap, and you will see l7Content. I extracted an interesting flow, 35, below.

$ t2 -r ~/data/faf-exercise.pcap -w ~/results -s
...
$ tawk 'flow(35)' faf-exercise_packets.txt | tcol
%pktNo  flowInd  flowStat            time               pktIAT      duration    numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPWho          srcPort  dstIP          dstIPCC  dstIPWho          dstPort  l4Proto  pktLen  l7Len  winSize  pktTcpCnt  l7Content
1266    35       0x0000000000004000  1258594162.928342  0.000000    0.000000    3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        66      0      8192     0          
1267    35       0x0000000000004001  1258594163.008594  0.000000    0.000000    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        62      0      4140     0          
1268    35       0x0000000000004000  1258594163.009292  0.080950    0.080950    3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        64      0      64860    0          
1269    35       0x0000000000004001  1258594163.087792  0.079198    0.079198    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        81      27     4140     0          220 Microsoft FTP Service\r\n
1270    35       0x0000000000004000  1258594163.088491  0.079199    0.160149    3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        74      16     64833    0          USER anonymous\r\n
1271    35       0x0000000000004001  1258594163.166256  0.078464    0.157662    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        126     72     4156     0          331 Anonymous access allowed, send identity (e-mail name) as password.\r\n
1272    35       0x0000000000004000  1258594163.168693  0.080202    0.240351    3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        72      14     64761    0          PASS IEUser@\r\n
1273    35       0x0000000000004001  1258594163.247178  0.080922    0.238584    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        1004    950    4170     0          230-Welcome to the Dell FTP site. A service of Dell Inc., Round Rock, Texas.\r\n    For information about DELL, call +1 800 999 3355 All transfers are logged with\r\n    your host name and email address. If you don't like this policy please disconnect now.\r\n    Please be advised that use constitutes consent to monitoring (Elec Comm Priv Act,\r\n    18 USC 2701-2711). Please see the file readme.txt for disclaimers pertaining to this\r\n    service. If your FTP client crashes or hangs shortly after login, try using a dash\r\n    (-) as the first character of your password. This will turn off the informational\r\n    messages which may be confusing your ftp client.\r\n    ********IN CASE OF PROBLEMS*************************\r\n    ** File Content: send EMAIL to dellbbs@dell.com   **\r\n    ** FTP Server: send EMAIL to hostmaster@dell.com  **\r\n    ** WWW Server: send EMAIL to webmaster@dell.com   **\r\n    ****************************************************\r\n
1274    35       0x0000000000004001  1258594163.247187  0.000009    0.238593    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        75      21     4170     0          230 User logged in.\r\n
1275    35       0x0000000000004000  1258594163.247637  0.078944    0.319295    3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        64      0      63790    0          
1276    35       0x0000000000004000  1258594163.249385  0.001748    0.321043    3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        66      8      63790    0          TYPE I\r\n
1277    35       0x0000000000004001  1258594163.327121  0.079934    0.318527    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        74      20     4178     0          200 Type set to I.\r\n
1278    35       0x0000000000004000  1258594163.327845  0.078460    0.399503    3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        64      6      63770    0          PASV\r\n
1279    35       0x0000000000004001  1258594163.407582  0.080461    0.398988    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        104     50     4184     0          227 Entering Passive Mode (143,166,11,10,251,78)\r\n
1283    35       0x0000000000004000  1258594163.487490  0.159645    0.559148    3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        82      24     63720    0          SIZE /video/R79733.EXE\r\n
1284    35       0x0000000000004001  1258594163.565990  0.158408    0.557396    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        67      13     4208     0          213 4255056\r\n
1285    35       0x0000000000004000  1258594163.566694  0.079204    0.638352    3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        82      24     63707    0          RETR /video/R79733.EXE\r\n
1286    35       0x0000000000004001  1258594163.644188  0.078198    0.635594    3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        108     54     4232     0          125 Data connection already open; Transfer starting.\r\n
1303    35       0x0000000000004000  1258594163.838277  0.271583    0.909935    3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        64      0      63653    0          
5898    35       0x0000000000004001  1258594185.427515  21.783327   22.418921   3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        78      24     4232     0          226 Transfer complete.\r\n
5900    35       0x0000000000004000  1258594185.618346  21.780069   22.690004   3        eth:ipv4:tcp             00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  02       private_reserved  49329    143.166.11.10  us       arin              21       6        64      0      63629    0          
5902    35       0x0000000000004001  1258594491.683288  306.255768  328.674683  3        eth:ipv4:tcp             00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       arin              21       192.168.1.105  02       private_reserved  49329    6        54      0      4232     0

Have fun with packet mode programming!