Tutorial: Flexible flow export via socketSink

This example is prepared for Unix systems (Linux and macOS) only. To ensure that no old or unnecessary plugins are loaded, first clean your plugin directory:

$ t2build -e
Plugin folder emptied

Unlike netflowSink, the socketSink plugin exports the complete output of all loaded plugins, in the same form as any other sink plugin: binary, text or JSON. So, to begin with, compile all standard plugins and then unload txtSink, since a second sink would only duplicate the output and add unnecessary delay.

$ t2build

$ t2build -u txtSink

The anonymized sample PCAP used here can be downloaded here: faf-exercise.pcap. Please extract it under your data folder.

SocketSink Configuration

To illustrate the configuration and application of the socketSink plugin, first move to the socketSink directory and open its header:

$ socketSink
$ vi socketSink.h

Let's have a look at the configuration:

By default the plugin sends its output to the local host; if you want to export to a remote collector, change the address in SERVADD. To be faster and compatible with the netflowSink experiment we switch the socket type to UDP. Everything else stays at its default value. Then recompile the plugin:

$ t2build socketSink

Flow export to another IP

To collect the T2 flow data, open netcat in another window, listening on the port configured in socketSink (6666 by default). Because the plugin was switched to UDP, netcat must listen on UDP as well (-u); without it netcat waits for a TCP connection and never sees the datagrams:

$ nc -u -l -p 6666

Depending on the netcat variant installed, the port is given without -p (e.g. nc -u -l 6666 with the BSD netcat shipped on macOS).

Now start tranalyzer with a pcap file on your local machine:

$ t2 -r ~/data/faf-exercise.pcap

or from an interface

$ t2 -i interface