Tutorial: Flexible flow export via socketSink
This example is prepared for Unix systems (Linux and Mac) only. In order to assure that no old or unnecessary plugins are being loaded please clean your plugin directory by
$ t2build -e Plugin folder emptied $
Unlike netflowSink the socketSink plugin exports all plugin output, as it appears in any Sink plugin in binary, text or JSON. So compile all standard plugins for the beginning and remove txtSink, as we do not need it to duplicate output and add unnecessary delays.
$ t2build ... BUILD SUCCESSFUL $ t2build -u txtSink ... $
The anonymized sample PCAP being used here, can be downloaded here: faf-exercise.pcap. Please extract it under your data folder.
To illustrate the configuration and application of the socketSink
First move to the socketSink directory
$ tran $ cd socketSink/src $ vi socketSink.h
Lets have a look at the configuration:
### Plugins and Configuration // User configuration #define SERVADD "127.0.0.1" // destination address #define DPORT 6666 // destination port host order #define SOCKTYPE 0 // 0: UDP; 1: TCP #define CONTENT_TYPE 1 // 0: binary; 1: text; 2: json #define HOST_INFO 0 // 0: no info; 1: all info about host // (only if CONTENT_TYPE == 1) #if SOCKTYPE == 1 #define GZ_COMPRESS 0 // whether or not to compress the output (gzip) [TCP ONLY] #endif // SOCKTYPE == 1 ...
The default address to log is the local interface, if you want to log remotely change the address in SERVADD. To be faster and compatible with the netflowSink experiment we choose UDP socket. All else we leave at the default values. Then recompile the plugin.
$ t2build socketSink ...
Flow export to another IP
To collect T2 flow data open netcat in another window
$ nc -l 127.0.0.1 6666
Now start tranalyzer with a pcap file on your local machine:
$ t2 -r ~/data/faf-exercise.pcap
or from an interface
$ $ t2 -i interface