Tutorial: Flexible flow export via socketSink
In order to assure that no old or unnecessary plugins are being loaded please clean your plugin directory by
$ t2build -e Plugin folder emptied $
Unlike netflowSink, the socketSink plugin exports all plugin output, as it appears in any Sink plugin in binary, text or JSON. So compile all standard plugins for the beginning and remove txtSink, as we do not need it to duplicate output.
$ t2build ... BUILD SUCCESSFUL $ t2build -u txtSink ... $
The anonymized sample PCAP being used here, can be downloaded here: faf-exercise.pcap. Please extract it under your ~/data folder.
First move to the socketSink directory and look into the configuration:
$ socketSink $ vi socketSink.h ...
... ### Plugins and Configuration // User configuration #define SERVADD "127.0.0.1" // destination address #define DPORT 6666 // destination port host order #define SOCKTYPE 0 // 0: UDP; 1: TCP #define CONTENT_TYPE 1 // 0: binary; 1: text; 2: json #define HOST_INFO 0 // 0: no info; 1: all info about host // (only if CONTENT_TYPE == 1) #if SOCKTYPE == 1 #define GZ_COMPRESS 0 // whether or not to compress the output (gzip) [TCP ONLY] #endif // SOCKTYPE == 1 ...
The default address to log is the local interface, if you want to log remotely change the address in
$ t2conf socketSink -D SERVADD="s.h.i.t" $
or leave it at local host. The following tutorial is using the default settings. Then recompile the plugin.
$ t2build socketSink ... $
Now you’re all set.
Flow export to another IP
To collect T2 flow data open netcat in another window
$ nc -l 127.0.0.1 -p 6666
t2 with a pcap file on your local machine:
$ t2 -r ~/data/faf-exercise.pcap
or from an interface
$ st2 -i interface [sudo] password for wurst:
Now you should see flows appearing in your netcat window.