Flexible flow export via socketSink


Introduction

This tutorial discusses how to use the socketSink plugin to send flow output over the network.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the default plugins:

t2build

...
BUILD SUCCESSFUL

Then compile socketSink: t2build socketSink

Unlike netflowSink, the socketSink plugin exports the complete output of all loaded plugins, in the same form as any other sink plugin: binary, text or JSON. Since we do not need duplicate output, unload the txtSink plugin:

t2build -u txtSink

If you have not yet created separate data and results directories, do so now in another bash window; it simplifies your workflow:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here: faf-exercise.pcap.

Please save it in your ~/data folder.

Now you are all set!

SocketSink configuration

First move to the socketSink directory and look into the configuration:

socketSink

vi src/socketSink.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define SKS_SOCKTYPE               1 // 0: UDP; 1: TCP
#define SKS_CONTENT_TYPE           1 // 0: binary; 1: text; 2: JSON
#define SKS_HOST_INFO              0 // 0: no info; 1: all info about host
                                     // (only if SKS_CONTENT_TYPE == 0)
#if SKS_SOCKTYPE == 1
#define SKS_GZ_COMPRESS            0 // compress the output (gzip) [TCP ONLY]
#endif // SKS_SOCKTYPE == 1

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

#define SKS_SERVADD      "127.0.0.1" // destination address
#define SKS_DPORT               6666 // destination port (host order)

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

The default destination address is the local host. To export to a remote machine, change SKS_SERVADD using t2conf:

t2conf socketSink -D SKS_SERVADD="s.h.i.t"

Alternatively, leave it at localhost; the rest of this tutorial uses the default settings. Then recompile the plugin:

t2build socketSink

Now you’re all set.

Flow export to another IP

To collect the T2 flow data, open netcat in another window, listening on the configured address and port:

nc -l 127.0.0.1 -p 6666

Now start t2 with a pcap file on your local machine:

t2 -r ~/data/faf-exercise.pcap

or capture live from an interface (st2 runs T2 via sudo, hence the password prompt):

st2 -i interface

[sudo] password for wurst:

Now you should see flows appearing in your netcat window.
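If you prefer a scripted receiver to netcat, the following is an added Python example (not part of Tranalyzer or this tutorial) that listens on the socketSink defaults, SKS_SERVADD=127.0.0.1 and SKS_DPORT=6666 with SKS_SOCKTYPE=1 (TCP), and assumes SKS_CONTENT_TYPE set to 2 (JSON, one record per line). The sample records and their field names are constructed for illustration; loopback_demo() plays both sides so it can run without T2.

```python
import json
import socket
import threading

SKS_SERVADD = "127.0.0.1"   # socketSink default destination address
SKS_DPORT = 6666            # socketSink default destination port

def parse_records(data):
    """Split a byte stream into newline-delimited JSON records.
    Returns (records, leftover): a partial trailing line is carried over
    to the next recv() instead of being dropped or mis-parsed."""
    lines = data.split(b"\n")
    leftover = lines.pop()            # b"" when data ended with a newline
    records = [json.loads(line) for line in lines if line.strip()]
    return records, leftover

def listen(host=SKS_SERVADD, port=SKS_DPORT):
    """Bind like `nc -l`; port=0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv

def collect_tcp(srv):
    """Accept one sender on a listening socket and collect its records
    until it closes the connection (T2 closes at the end of its run)."""
    conn, _ = srv.accept()
    records, buf = [], b""
    with conn:
        while chunk := conn.recv(65536):
            recs, buf = parse_records(buf + chunk)
            records.extend(recs)
    return records

# Constructed sample of what T2 would push (field names are illustrative).
SAMPLE = (b'{"flowInd": 1, "srcIP": "192.0.2.10", "dstIP": "198.51.100.5", '
          b'"srcPort": 51234, "dstPort": 443, "l4Proto": 6}\n'
          b'{"flowInd": 2, "srcIP": "192.0.2.10", "dstIP": "198.51.100.53", '
          b'"srcPort": 40001, "dstPort": 53, "l4Proto": 17}\n')

def loopback_demo(payload=SAMPLE):
    """Receiver thread plus a sender standing in for T2 on a random port."""
    srv = listen(port=0)
    result = []
    t = threading.Thread(target=lambda: result.extend(collect_tcp(srv)))
    t.start()
    with socket.create_connection(srv.getsockname()) as c:
        for i in range(0, len(payload), 40):   # small chunks exercise the
            c.sendall(payload[i:i + 40])       # leftover handling above
    t.join()
    srv.close()
    return result
```

For a real run, call listen() with the defaults and pass the socket to collect_tcp() before starting t2, exactly as with the netcat window.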

Conclusion

Have fun!