Tutorial: Plugin summary files


When all data is processed, or T2 is interrupted by ^C or a signal, the end report is printed. At the same time, certain global information can be printed by your plugin. Before we start, clean out your plugin .so directory if this is the first tutorial you follow: all unnecessary plugins should be deleted from the plugin folder ./tranalyzer/plugins, then compile basicFlow, basicStats and txtSink.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$ t2build basicFlow txtSink

Compiling basicFlow now took a bit longer, because t2 had to rebuild the subnet files for geolocation. ‘t2build -e’ also removes the subnet file. You can instead use rm, which does not remove the old subnet file:

$ rm ~/.tranalyzer/plugins/*.so
$ t2build basicFlow txtSink

Then the compilation will be considerably faster, as the subnet file already exists.

If you didn’t read the earlier tutorials, here is the base plugin which we will extend: tcpWin

The anonymized sample pcap can be downloaded here: annoloc2.pcap. Please extract it under your data folder, if you have not already done so. Now you are all set for summary file programming.

Summary files

Every plugin can produce a summary of the traffic content. Let’s produce a file which lists all IPs with their maximal winThCnt, so we can find the IPs with the most L4 trouble. In order to do so, we need to define all necessary variables global to the plugin.

Move to the tcpWin plugin and open tcpWin.c

$ tran
$ cd tcpWin/src
$ vim tcpWin.c

For the sake of simplicity we just use arrays and a global index. Just add the lines marked by <–

Now go to the onFlowTerminate callback. First we need the pointer to the flow structure. To show the principle, we just do a linear search to see whether we already have the IP stored, and check whether the new counter is greater than the existing one; if so, we store the new data. Yes, it can be done more elegantly, using a hash or a tree. We will discuss T2 support for that matter in the tutorial t2kunfu.

onApplicationTerminate not only serves to free flow memory but also to produce all kinds of global output into specialized files. The code below stores the IP and its count. Just add it after the free command.

Now open tcpWin.h and add the maximal size of the global IP/window size count array and the suffix of the global file. Just add the lines and the gwz_t typedef marked by <–
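The three pieces the steps above describe (the global table, the linear-search maximum update in onFlowTerminate, and the file writer in onApplicationTerminate) as a stand-alone C sketch; this is an added example, not the tcpWin plugin's own code and not the lines marked <–. It assumes gwz_t holds an IPv4 address, pktTcpCnt and winThCnt, that winRelThCnt in the output file is winThCnt divided by pktTcpCnt (which matches the values in the _tcpwin.txt listing later in this tutorial), and the names GWZ_MAX, gwz_lookup, gwz_update, gwz_rel and gwz_write are assumed.

```c
#include <stdio.h>
#include <stdint.h>
#define GWZ_MAX 4  /* tiny table for the demo; tcpWin.h would define the real size */

/* Hypothetical stand-in for the tutorial's gwz_t: one summary row per source IP */
typedef struct {
    uint32_t ip;         /* source IPv4 address, host byte order */
    uint32_t pktTcpCnt;  /* TCP packets of the flow that holds the record */
    uint32_t winThCnt;   /* window-threshold hits in that flow */
} gwz_t;

static gwz_t gwz[GWZ_MAX];  /* global to the plugin, as the tutorial describes */
static unsigned gwz_n;      /* global index: rows in use */

const gwz_t *gwz_lookup(uint32_t ip) {
    for (unsigned i = 0; i < gwz_n; i++) if (gwz[i].ip == ip) return &gwz[i];
    return NULL;
}

/* onFlowTerminate logic: linear search, keep only the largest winThCnt per IP.
 * Returns 1 if a row was inserted or updated, 0 if nothing changed. */
int gwz_update(uint32_t ip, uint32_t pktTcpCnt, uint32_t winThCnt) {
    for (unsigned i = 0; i < gwz_n; i++) {
        if (gwz[i].ip != ip) continue;
        if (winThCnt <= gwz[i].winThCnt) return 0;  /* existing maximum wins */
        gwz[i].pktTcpCnt = pktTcpCnt;
        gwz[i].winThCnt = winThCnt;
        return 1;
    }
    if (gwz_n >= GWZ_MAX) return 0;  /* bounded: never index past the array */
    gwz[gwz_n] = (gwz_t){ ip, pktTcpCnt, winThCnt };
    gwz_n++;
    return 1;
}

/* winRelThCnt as printed in the output: hits divided by TCP packets (0 if none) */
double gwz_rel(const gwz_t *r) {
    return r->pktTcpCnt ? (double)r->winThCnt / r->pktTcpCnt : 0.0;
}

/* onApplicationTerminate logic: write the _tcpwin.txt layout. Returns rows written. */
unsigned gwz_write(FILE *f) {
    fprintf(f, "# IP\tpktTcpCnt\twinRelThCnt\n");
    for (unsigned i = 0; i < gwz_n; i++) {
        unsigned ip = gwz[i].ip;
        fprintf(f, "%u.%u.%u.%u\t%u\t%f\n", ip >> 24, (ip >> 16) & 0xffu, (ip >> 8) & 0xffu,
                ip & 0xffu, (unsigned)gwz[i].pktTcpCnt, gwz_rel(&gwz[i]));
    }
    return gwz_n;
}
```

In the real plugin the table would be filled from the flow structure in onFlowTerminate and written to a file opened with the suffix defined in tcpWin.h; the division guard matters because a flow with no TCP packets would otherwise produce a NaN in the summary.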

So you are all set. Compile and run t2:

$ t2build tcpWin
…
$ t2 -r ~/data/annoloc2.pcap -w ~/results
…

Open your results command window and look at what t2 produced:

$ ls
annoloc2_flows.txt  annoloc2_headers.txt  annoloc2_tcpwin.txt

Actually, we did not need txtSink for this: it generated the *_flows.txt* and *_headers.txt* files, but now there is also a *_tcpwin.txt* file. When you open that file you will see all IPs and their counts:

$ tcol annoloc2_tcpwin.txt
# IP             pktTcpCnt  winRelThCnt
                 538        0.001859
                 1332       0.000751
                 365        0.016438
                 250        0.016000
                 415        0.002410
                 2309       0.000433
                 429        0.489510
                 4465       0.002016
                 1134       0.000882
                 235        0.140426
                 315        0.196825
                 251        0.247012
                 1081       0.001850
                 244        0.004098
                 2079       0.009620
                 249        0.004016
                 205        0.229268
                 719        0.002782
                 340        0.041176
                 843        0.011862
                 388        0.164948
                 670        0.001493
                 957        0.005225
                 618        0.001618
                 977        0.002047
                 847        0.035419

If the file is too big, you may sort it by the 3rd column:

$ sort -nr -k3,3 annoloc2_tcpwin.txt | tcol
                 429        0.489510
                 251        0.247012
                 205        0.229268
                 315        0.196825
                 388        0.164948
                 235        0.140426
                 340        0.041176
                 847        0.035419
                 365        0.016438
                 250        0.016000
                 843        0.011862
                 2079       0.009620
                 957        0.005225
                 244        0.004098
                 249        0.004016
                 719        0.002782
                 415        0.002410
                 977        0.002047
                 4465       0.002016
                 538        0.001859
                 1081       0.001850
                 618        0.001618
                 670        0.001493
                 1134       0.000882
                 1332       0.000751
                 2309       0.000433
# IP             pktTcpCnt  winRelThCnt

So in about half of its packets, the top host asked the opposite IP to stop sending. Now add the destination address and improve the measure by adding the WS option. That’s your job now. Let yourself be inspired by the tcpFlags plugin of t2. Have fun!