Tutorial: Plugin Packet Mode

plugin development

Introduction

The packet mode of T2 is enabled with the -s command line option. Each plugin can implement code activated by a sPktFile switch activated by -s. Then, its contribution is added in plugin order to the packet file.

Getting started

Create folders for your data and results

If you have not created a separate data and results directory yet, please do it now. This will greatly facilitate your workflow:

mkdir ~/data ~/results

Reset tranalyzer2 and the plugins configuration

If you have followed the other tutorials, you may have modified some of the core and plugins configuration. To ensure your results match those in this tutorial, make sure to reset everything:

t2conf -a --reset

You can also clean all build files:

t2build -a -c

Empty the plugin folder

To ensure we are not left with some unneeded plugins or plugins which were built using different core configuration, it is safer to empty the plugins folder:

t2build -e -y 

Are you sure you want to empty the plugin folder '/home/user/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Download the PCAP file

The PCAP files used in this tutorial can be downloaded here:

Please save them in your ~/data folder:

wget --no-check-certificate -P ~/data https://tranalyzer.com/download/data/{annoloc2,faf-exercise}.pcap

Build tranalyzer2 and the required plugins

For this tutorial, we will need to build the core (tranalyzer2) and the following plugins:

As you may have modified some of the automatically generated files, it is safer to use the -r and -f options.

t2build -r -f tranalyzer2 basicFlow txtSink 

...

BUILDING SUCCESSFUL

Source Code

In this tutorial, we will extend tcpWin05.tar.gz, the final version of the previous tutorial (Plugin Monitoring).

If you are impatient, you can download the final versions of the tcpWin plugin we will develop in this tutorial.

To use one of those plugins, just unpack it in the plugins folder of your T2 installation.

tranpl

tar -xf ~/Downloads/tcpWin06.tar.gz

And let t2_aliases know about it:

source "$T2HOME/scripts/t2_aliases"

Adding the Packet Mode

In order to implement the packet mode, the sPktFile switch has to be added to the t2Init() function of your plugin and the header of the packet file has to be defined (see also the t2PSkel skeleton plugin):

So open tcpWin.c and add in the t2Init() callback the line marked by // <--, a simple fputs() function into the packet file, denoting the header description in the packet file.

tcpWin

vi src/tcpWin.c

Now we need to output data for every packet. Add in t2OnLayer4(...) callback the line marked by // <--, again a simple fprintf() into the packet file. Note the trailing separator SEP_CHR in the format, do NOT forget them!

vi src/tcpWin.c 

...
void t2OnLayer4(packet_t *packet, unsigned long flowIndex) {
    flow_t * const flowP = &flows[flowIndex];
    if (flowP->l4Proto != L3_TCP) {             // <-- process only TCP
        if (sPktFile) {                         // <-- if not TCP we need to print empty columns
            fputs(/* tcpWinSize     */ SEP_CHR  // <-- Note the trailing separator SEP_CHR
                  /* tcpWinThPktCnt */ SEP_CHR  // <-- Note the trailing separator SEP_CHR
                  , sPktFile);                  // <--
        }                                       // <--
        return;                                 // <-- go back to core
    }                                           // <--

    // only 1. frag packet will be processed
    if (!t2_is_first_fragment(packet)) {        // <--
        if (sPktFile) {                         // <-- if not TCP we need to print empty columns
            fputs(/* tcpWinSize     */ SEP_CHR  // <-- Note the trailing separator SEP_CHR
                  /* tcpWinThPktCnt */ SEP_CHR  // <-- Note the trailing separator SEP_CHR
                  , sPktFile);                  // <--
        }                                       // <--
        return;                                 // <-- go back to core
    }                                           // <--

    tcpWinFlow_t * const tcpWinFlowP = &tcpWinFlows[flowIndex];
    const tcpHeader_t * const tcpHeader = TCP_HEADER(packet);   // cast l4HdrP to tcpHeader struct
    const uint32_t tcpWin = ntohs(tcpHeader->window);           // convert window size to little endian

    if (tcpWin < TCPWIN_THRES) {               // is the window size below the threshold?
        tcpWinFlowP->winThCnt++;               // count the packet / flow
        tcpWinFlowP->stat |= TCPWIN_STAT_THU;  // set the status bit
    }

    // Packet mode                                      // <--
    if (sPktFile) {                                     // <--
        fprintf(sPktFile,                               // <--
                "%" PRIu32 /* tcpWinSize     */ SEP_CHR // <-- Note the trailing separator SEP_CHR
                "%" PRIu32 /* tcpWinThPktCnt */ SEP_CHR // <-- Note the trailing separator SEP_CHR
                , tcpWin, tcpWinFlowP->winThCnt);       // <--
    }                                                   // <--
}
...

Done? No! Here comes the catch, as already explained before in buildyourownplugin, we need now to compensate the missing two L4 columns of our plugin in case of a pure L2 flow appears. It won’t in our pcap, but it may if you use your own traffic. In case of -s option set you need to output two tabs, so that the columns match at the l7content column produced by the core. Place the following code before the t2OnLayer4() function.

The code is added if ETH_ACTIVATE is activated in the core. As you can see, we have quite a bit of code duplication… Let’s define a macro to print the appropriate number of separators for the packet mode. You can copy it at the start of your tcpWin.c, after the section reserved for Static function prototypes.

Now we can replace, the code in t2OnLayer2() and t2onlayer4() with a call to the macro:

Much clearer isn’t it?

After you edited the skeleton code you should compare your implementation with tcpWin06.tar.gz.

Now compile tcpWin and rerun T2 with the -s option in order to produce a flow and a packet file:

t2build tcpWin

t2 -r ~/data/annoloc2.pcap -w ~/results -s 

================================================================================
Tranalyzer 0.9.0 (Anteater), Cobra. PID: 33774, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: tcpWin, 0.9.0
    03: txtSink, 0.9.0
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481503 (481.50 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41497 (41.50 K)
Processing file: /home/wurst/data/annoloc2.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 66
Dump start: 1022171701.691172000 sec (Thu 23 May 2002 16:35:01 GMT)
[WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500
Dump stop : 1022171726.640398000 sec (Thu 23 May 2002 16:35:26 GMT)
Total dump duration: 24.949226000 sec
Finished processing. Elapsed time: 0.263058000 sec
Finished unloading flow memory. Time: 0.352172000 sec
Percentage completed: 100.00%
Number of processed packets: 1219015 (1.22 M)
Number of processed bytes: 64082726 (64.08 M)
Number of raw bytes: 844642686 (844.64 M)
Number of pad bytes: 8591685635 (8.59 G)
Number of pcap bytes: 83586990 (83.59 M)
Number of IPv4 packets: 1218588 (1.22 M) [99.96%]
Number of IPv6 packets: 180 [0.01%]
Number of A packets: 564228 (564.23 K) [46.29%]
Number of B packets: 654787 (654.79 K) [53.71%]
Number of A bytes: 29447896 (29.45 M) [45.95%]
Number of B bytes: 34634830 (34.63 M) [54.05%]
Average A packet load: 52.19
Average B packet load: 52.89
--------------------------------------------------------------------------------
tcpWin: Aggregated tcpWinStat=0x01
tcpWin: Number of TCP winsize packets below threshold 1: 2415 (2.42 K) [0.25%]
--------------------------------------------------------------------------------
Headers count: min: 2, max: 5, average: 3.01
Number of ARP packets: 247 [0.02%]
Number of GRE packets: 20 [0.00%]
Number of IGMP packets: 12 [0.00%]
Number of ICMP packets: 3059 (3.06 K) [0.25%]
Number of ICMPv6 packets: 11 [0.00%]
Number of TCP packets: 948743 (948.74 K) [77.83%]
Number of TCP bytes: 52643546 (52.64 M) [82.15%]
Number of UDP packets: 266900 (266.90 K) [21.89%]
Number of UDP bytes: 11234272 (11.23 M) [17.53%]
Number of IPv4 fragmented packets: 2284 (2.28 K) [0.19%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 17100 (17.10 K)
Number of processed L2   flows: 99 [0.58%]
Number of processed IPv4 flows: 16937 (16.94 K) [99.05%]
Number of processed IPv6 flows: 64 [0.37%]
Number of processed A    flows: 9719 (9.72 K) [56.84%]
Number of processed B    flows: 7381 (7.38 K) [43.16%]
Number of request        flows: 9676 (9.68 K) [56.58%]
Number of reply          flows: 7424 (7.42 K) [43.42%]
Total   A/B    flow asymmetry: 0.14
Total req/rply flow asymmetry: 0.13
Number of processed   packets/flows: 71.29
Number of processed A packets/flows: 58.05
Number of processed B packets/flows: 88.71
Number of processed total packets/s: 48859.83 (48.86 K)
Number of processed A+B   packets/s: 48859.83 (48.86 K)
Number of processed A     packets/s: 22615.05 (22.61 K)
Number of processed   B   packets/s: 26244.78 (26.24 K)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 685.39
Average full raw bandwidth: 270835712 b/s (270.84 Mb/s)
Average snapped bandwidth : 20548206 b/s (20.55 Mb/s)
Average full bandwidth : 270268480 b/s (270.27 Mb/s)
Max number of flows in memory: 17100 (17.10 K) [6.52%]
Memory usage: 0.06 GB [0.09%]
Aggregated flowStat=0x0c0098fa0222d044
[WRN] L3 SnapLength < Length in IP header
[WRN] L4 header snapped
[WRN] Consecutive duplicate IP ID
[WRN] IPv4/6 payload length > framing length
[WRN] IPv4/6 fragmentation header packet missing
[WRN] IPv4/6 packet fragmentation sequence not finished
[INF] Stop dissecting: Clipped packet, unhandled protocol or subsequent fragment
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] IPv6 flows
[INF] ARP
[INF] IPv4/6 fragmentation
[INF] IPv4/6 in IPv4/6
[INF] GRE encapsulation
[INF] GTP tunnel
[INF] SSDP/UPnP

Note that we have loaded the txtSink plugin, which is not necessary for producing a packet file, to illustrate that T2 can do everything in parallel correctly. This means that if you only want a packet plugin, you can omit the t2OnFlowTerminate() callback.

Now change to your results window and look at the packet file. I extracted some interesting lines already for you.

tawk 'hdr() || ($tcpWinThPktCnt > 0 && $tcpWinSize == 0)' ~/results/annoloc2_packets.txt | head | tcol 

%pktNo  flowInd  flowStat            time                  pktIAT    pktTrip   flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP            srcIPCC  srcIPOrg                  srcPort  dstIP            dstIPCC  dstIPOrg                        dstPort  l4Proto  tcpWinSize  tcpWinThPktCnt  l7Content
521     265      0x0400000000004000  1022171701.709116000  0.000000  0.000000  0.000000      3        eth:ipv4:tcp          00:d0:02:6d:78:00  00:50:fc:0e:21:56  0x0800   209.171.12.143   ca       TELUS Communications Inc  4987     138.212.185.230  jp       ASAHI KASEI CORPORATION         41250    6        0           1
1159    60       0x0400000000004001  1022171701.720657000  0.000000  0.027894  0.000000      3        eth:ipv4:tcp          00:d0:02:6d:78:00  00:50:fc:26:95:88  0x0800   193.87.5.62      sk       AS2607-MNT                62486    138.212.188.178  jp       ASAHI KASEI CORPORATION         2100     6        0           1
1167    447      0x0400000000004000  1022171701.721366000  0.000000  0.000000  0.000000      3        eth:ipv4:tcp          00:d0:02:6d:78:00  00:50:fc:3b:62:78  0x0800   217.41.129.13    gb       BT Infrastructure Layer   58872    138.212.187.186  jp       ASAHI KASEI CORPORATION         80       6        0           1
1497    523      0x0400000000004001  1022171701.729052000  0.000000  0.001142  0.000000      3        eth:ipv4:tcp          00:00:b4:a9:15:71  00:d0:02:6d:78:00  0x0800   138.212.185.150  jp       ASAHI KASEI CORPORATION   1207     212.223.121.197  de       MNT-RAK2014                     8000     6        0           1
1684    392      0x0400000000004001  1022171701.732313000  0.000000  0.015315  0.000000      3        eth:ipv4:tcp          00:50:bf:59:85:48  00:d0:02:6d:78:00  0x0800   138.212.188.67   jp       ASAHI KASEI CORPORATION   1214     36.242.181.230   jp       SoftBank Corp                   4685     6        0           1
2004    176      0x0400000000004000  1022171701.739385000  0.035669  0.033833  0.035669      3        eth:ipv4:tcp          00:d0:02:6d:78:00  00:80:48:b3:13:27  0x0800   216.237.125.166  us       Infortech Corporation     3507     138.212.184.193  jp       ASAHI KASEI CORPORATION         8080     6        0           1
2232    633      0x0400000200004001  1022171701.743464000  0.000000  0.000041  0.000000      3        eth:ipv4:tcp          00:60:08:78:1b:63  00:d0:02:6d:78:00  0x0800   138.212.187.203  jp       ASAHI KASEI CORPORATION   6699     19.123.222.7     us       MAINT-APNIC-AP                  1430     6        0           1
2295    642      0x0400000000004000  1022171701.744654000  0.000000  0.000000  0.000000      3        eth:ipv4:tcp          00:80:48:cd:8c:82  00:d0:02:6d:78:00  0x0800   138.212.186.160  jp       ASAHI KASEI CORPORATION   1217     70.196.57.198    us       Cellco Partnership DBA Verizon  9000     6        0           1
3975    176      0x0400000000004000  1022171701.779710000  0.039558  0.038698  0.075994      3        eth:ipv4:tcp          00:d0:02:6d:78:00  00:80:48:b3:13:27  0x0800   216.237.125.166  us       Infortech Corporation     3507     138.212.184.193  jp       ASAHI KASEI CORPORATION         8080     6        0           2

That was not so hard, right?

For researchers: Note that you already have the packet inter-distances per flowIndex and flow direction available. Why is there no L7 content? Have a look what T2 warns you about… the snap length!

Use another pcap: faf-exercise.pcap and you will see L7 content.

t2 -r ~/data/faf-exercise.pcap -w ~/results -s

I extracted the FTP command/control flow 35 below.

tawk 'flow(35)' ~/results/faf-exercise_packets.txt | tcol 

%pktNo  flowInd  flowStat            time                  pktIAT     pktTrip    flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPOrg           srcPort  dstIP          dstIPCC  dstIPOrg           dstPort  l4Proto  tcpWinSize  tcpWinThPktCnt  l7Content
1266    35       0x0400000000004000  1258594162.928342000  0.000000   0.000000   0.000000      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        8192        0
1267    35       0x0400000000004001  1258594163.8594000    0.000000   0.080252   0.000000      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4140        0
1268    35       0x0400000000004000  1258594163.9292000    0.080950   0.000698   0.080950      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        64860       0
1269    35       0x0400000000004001  1258594163.87792000   0.079198   0.078500   0.079198      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4140        0               220 Microsoft FTP Service\r\n
1270    35       0x0400000000004000  1258594163.88491000   0.079199   0.000699   0.160149      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        64833       0               USER anonymous\r\n
1271    35       0x0400000000004001  1258594163.166256000  0.078464   0.077765   0.157662      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4156        0               331 Anonymous access allowed, send identity (e-mail name) as password.\r\n
1272    35       0x0400000000004000  1258594163.168693000  0.080202   0.002437   0.240351      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        64761       0               PASS IEUser@\r\n
1273    35       0x0400000000004001  1258594163.247178000  0.080922   0.078485   0.238584      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4170        0               230-Welcome to the Dell FTP site. A service of Dell Inc., Round Rock, Texas.\r\n    For information about DELL, call +1 800 999 3355 All transfers are logged with\r\n    your host name and email address. If you don't like this policy please disconnect now.\r\n    Please be advised that use constitutes consent to monitoring (Elec Comm Priv Act,\r\n    18 USC 2701-2711). Please see the file readme.txt for disclaimers pertaining to this\r\n    service. If your FTP client crashes or hangs shortly after login, try using a dash\r\n    (-) as the first character of your password. This will turn off the informational\r\n    messages which may be confusing your ftp client.\r\n    ********IN CASE OF PROBLEMS*************************\r\n    ** File Content: send EMAIL to dellbbs@dell.com   **\r\n    ** FTP Server: send EMAIL to hostmaster@dell.com  **\r\n    ** WWW Server: send EMAIL to webmaster@dell.com   **\r\n    ****************************************************\r\n
1274    35       0x0400000000004001  1258594163.247187000  0.000009   0.078494   0.238593      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4170        0               230 User logged in.\r\n
1275    35       0x0400000000004000  1258594163.247637000  0.078944   0.000450   0.319295      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        63790       0
1276    35       0x0400000000004000  1258594163.249385000  0.001748   0.002198   0.321043      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        63790       0               TYPE I\r\n
1277    35       0x0400000000004001  1258594163.327121000  0.079934   0.077736   0.318527      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4178        0               200 Type set to I.\r\n
1278    35       0x0400000000004000  1258594163.327845000  0.078460   0.000724   0.399503      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        63770       0               PASV\r\n
1279    35       0x0400000000004001  1258594163.407582000  0.080461   0.079737   0.398988      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4184        0               227 Entering Passive Mode (143,166,11,10,251,78)\r\n
1283    35       0x0400000000004000  1258594163.487490000  0.159645   0.079908   0.559148      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        63720       0               SIZE /video/R79733.EXE\r\n
1284    35       0x0400000000004001  1258594163.565990000  0.158408   0.078500   0.557396      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4208        0               213 4255056\r\n
1285    35       0x0400000000004000  1258594163.566694000  0.079204   0.000704   0.638352      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        63707       0               RETR /video/R79733.EXE\r\n
1286    35       0x0400000000004001  1258594163.644188000  0.078198   0.077494   0.635594      3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4232        0               125 Data connection already open; Transfer starting.\r\n
1303    35       0x0400000000004000  1258594163.838277000  0.271583   0.194089   0.909935      3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        63653       0
5898    35       0x0400000000004001  1258594185.427515000  21.783327  21.589237  22.418921     3        eth:ipv4:tcp          00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800   143.166.11.10  us       Dell Technologies  21       192.168.1.105  07       Private network    49329    6        4232        0               226 Transfer complete.\r\n
5900    35       0x0400000000004000  1258594185.618346000  21.780069  0.190831   22.690004     3        eth:ipv4:tcp          00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800   192.168.1.105  07       Private network    49329    143.166.11.10  us       Dell Technologies  21       6        63629       0

Why are there no packets below the defined windows threshold? Can you find the flow which has some? I leave that to you. Or change the threshold in tcpWin.h.

Conclusion

You can download the final version of the tcpWin plugin.

The next tutorial will teach you how to produce summary files.

Have fun writing plugins!

See Also