Tutorial: Tranalyzer2 Configuration Cheatsheet
cheatsheetContents
Configuration hints from the final report
[WRN] snapL2Length: XXX - snapL3Length: YYY - IP length in header: ZZZ- Data is snapped (snaplen =
XXX), be cautious with content plugins, especially L7
- Data is snapped (snaplen =
Number of LAPD packets: ...
- Activate LAPD dissection in the core: t2conf tranalyzer2 -D LAPD_ACTIVATE=1 && t2build -R
- Configure basicFlow to output LAPD information: t2conf basicFlow -D BFO_LAPD=1 && t2build basicFlow
Number of IGMP packets: ...
- Load the igmpDecode plugin t2build igmpDecode
Number of ICMP packets: ...
- Load the icmpDecode plugin: t2build icmpDecode
Number of ICMPv6 packets: ...
- Load the icmpDecode plugin: t2build icmpDecode
Number of flows terminated by autopilot: ...
- Fix: Use
t2 -foption
- Fix: Use
[WRN] L2 header snapped- Payload snapped: no need to load L3/4 or L7 plugins (
t2plugin -l=l3 -l=l7)
- Payload snapped: no need to load L3/4 or L7 plugins (
[WRN] L3 header snapped- Payload snapped: no need to load L4 or L7 plugins (
t2plugin -l=l3 -l=l7)
- Payload snapped: no need to load L4 or L7 plugins (
[WRN] L4 header snapped- Payload snapped: no need to load L7 plugins (
t2plugin -l=l7)
- Payload snapped: no need to load L7 plugins (
[WRN] L3 SnapLength < Length in IP header- Be cautious with the output of L7 plugins (
t2plugin -l=l7)
- Be cautious with the output of L7 plugins (
[WRN] Timestamp jump, probably due to multi-path packet delay or NTP operation- Be cautious with time-based information (packet inter-arrival time, …)
[WRN] PCAP packet length > IO_BUFFER_MAX_MTU, caplen reduced- Be cautious with content-based plugins: your payload may be truncated.
- Fix: t2conf tranalyzer2 -D IO_BUFFER_MAX_MTU=XXX where
XXX>t2conf tranalyzer2 -G IO_BUFFER_MAX_MTU
[WRN] Header description overrun- Be cautious with the
hdrDesccolumn… it may be truncated. - Fix: t2conf tranalyzer2 -D T2_HDRDESC_LEN=XXX where
XXX>t2conf tranalyzer2 -G T2_HDRDESC_LEN
- Be cautious with the
[INF] SCTP- Activate SCTP dissection in the core: t2conf tranalyzer2 -D SCTP_ACTIVATE=1 && t2build -R
- Load the sctpDecode plugin: t2build sctpDecode
- Hint: you may change the definition of a SCTP flow by running:
t2conf tranalyzer2 -D SCTP_ACTIVATE=0=> Standard flows (default)t2conf tranalyzer2 -D SCTP_ACTIVATE=1=> Activate SCTP chunk streams -> flowst2conf tranalyzer2 -D SCTP_ACTIVATE=2=> Activate SCTP association -> flowst2conf tranalyzer2 -D SCTP_ACTIVATE=3=> Activate SCTP chunk & association -> flows
[INF] No Ethernet header- No need to load L2 plugins (
t2plugin -l=l2)
- No need to load L2 plugins (
[INF] ARP- Load the arpDecode plugin: t2build arpDecode
[INF] RARP- Load the arpDecode plugin: t2build arpDecode
[INF] LLDP- Load the lldpDecode plugin: t2build lldpDecode
[INF] EtherIP- Activate Ethernet over IP dissection in the core (default): t2conf tranalyzer2 -D ETHIP=1 && t2build -R
[INF] VLAN encapsulation- VLAN present, load the basicFlow plugin: t2build basicFlow
- Hint: change the output format by running:
t2conf basicFlow -D BFO_VLAN=0=> Do not output VLAN informationt2conf basicFlow -D BFO_VLAN=1=> Output VLAN numbers (default)t2conf basicFlow -D BFO_VLAN=2=> Output VLAN headers as hex
- Hint: change the maximum number of VLAN numbers/headers to output by running: t2conf basicFlow -D BFO_MAX_VLAN=XXX were
XXX>t2conf basicFlow -G BFO_MAX_VLAN
[INF] IPv4/6 fragmentation- Activate IPv4/6 fragmentation dissection in the core (default): t2conf tranalyzer2 -D FRAGMENTATION=1 && t2build -R
[INF] IPv4/6 in IPv4/6- Activate IPv4/6 in IPv4/6 dissection in the core (default): t2conf tranalyzer2 -D IPIP=1 && t2build -R
[INF] VXLAN encapsulation- Activate VXLAN dissection in the core (default): t2conf tranalyzer2 -D VXLAN=1 && t2build -R
[INF] GENEVE encapsulation- Activate GENEVE dissection in the core (default): t2conf tranalyzer2 -D GENEVE=1 && t2build -R
[INF] MPLS encapsulation- MPLS present, load basicFlow and activate the dissection in the core (default): t2conf tranalyzer2 -D MPLS=1 && t2build -R
- Hint: change the output format by running:
t2conf basicFlow -D BFO_MPLS=0=> Do not output MPLS information (default)t2conf basicFlow -D BFO_MPLS=1=> Output MPLS labelst2conf basicFlow -D BFO_MPLS=2=> Output MPLS headers as hext2conf basicFlow -D BFO_MPLS=3=> Output decoded MPLS headers as label_ToS_S_TTL
- Hint: change the maximum number of MPLS labels/headers to output by running: t2conf basicFlow -D BFO_MAX_MPLS=XXX were
XXX>t2conf basicFlow -G BFO_MAX_MPLS
[INF] L2TP encapsulation- Activate L2TP dissection in the core (default): t2conf tranalyzer2 -D L2TP=1 && t2build -R
- Configure basicFlow to output L2TP information: t2conf basicFlow -D BFO_L2TP=1 && t2build basicFlow
- Hint: activate subnet tests on L2TP addresses: t2conf basicFlow -D BFO_SUBNET_TEST_L2TP=1 && t2build -R
[INF] GRE encapsulation- Activate GRE dissection in the core (default): t2conf tranalyzer2 -D GRE=1 && t2build -R
[INF] ERSPAN encapsulation- Activate ERSPAN dissection in the core (default): t2conf tranalyzer2 -D ERSPAN=1 && t2build -R
[INF] AYIYA tunnel- Activate AYIYA dissection in the core (default): t2conf tranalyzer2 -D AYIYA=1 && t2build -R
[INF] GTP tunnel- Activate GTP dissection in the core (default): t2conf tranalyzer2 -D GTP=1 && t2build -R
- Load the gtpDecode plugin: t2build gtpDecode
[INF] Teredo tunnel- Activate Teredo dissection in the core (default): t2conf tranalyzer2 -D TEREDO=1 && t2build -R
- Configure basicFlow to output Teredo information: t2conf basicFlow -D BFO_TEREDO=1 && t2build basicFlow
- Hint 1: activate subnet tests on Teredo addresses: t2conf basicFlow -D BFO_SUBNET_TEST_TEREDO=1
[INF] CAPWAPP/LWAPP tunnel- CAPWAPP/LWAPP present, activate the dissection in the core (default): t2conf tranalyzer2 -D CAPWAP=1 -D LWAPP=1 && t2build -R
[INF] SIP/RTP- SIP/RTP protocol present, load the voipDetector plugin: t2build voipDetector
[INF] Tor addresses- Tor addresses present, load the torDetector plugin: t2build torDetector
List of important Tranalyzer2 configuration flags
This section summarizes the most important configuration flags available for Tranalyzer2.
Basics
| Constant | Meaning | File |
|---|---|---|
ETH_ACTIVATE |
Handling of layer 2 flows | networkHeaders.h |
IPV6_ACTIVATE |
IP version(s) to dissect | networkHeaders.h |
T2_HDRDESC_AGGR |
Aggregate repetitive headers, e.g., vlan{2} instead of vlan:vlan |
networkHeaders.h |
T2_PRI_HDRDESC |
Keep track of the headers traversed | networkHeaders.h |
GRE |
Activate GRE processing | tranalyzer.h |
IPIP |
Activate IPv4/6 in IPv4/6 processing | tranalyzer.h |
L2TP |
Activate L2TP processing | tranalyzer.h |
TEREDO |
Activate Teredo processing | tranalyzer.h |
VERBOSE |
Verbose level of final report | tranalyzer.h |
Packet Mode
| Constant | Meaning | File |
|---|---|---|
SPKTMD_PKTNO |
Print packet number | main.h |
SPKTMD_PCNTC |
Print L7 content as characters (-s option) |
main.h |
SPKTMD_PCNTH |
Print L7 content as hex (-s option) |
main.h |
Interface
| Constant | Meaning | file |
|---|---|---|
ENABLE_IO_BUFFERING |
Input buffering (store packets in a queue) | ioBuffer.h |
HASHFACTOR |
Default multiplication factor for HASHTABLE_BASE_SIZE |
tranalyzer.h |
HASH_CHAIN_FACTOR |
Default multiplication factor for HASHCHAINTABLE_BASE_SIZE |
tranalyzer.h |
Monitoring
| Constant | Meaning | File |
|---|---|---|
PLUGIN_REPORT |
enable plugins to contribute to Tranalyzer command line end report | tranalyzer.h |
DIFF_REPORT |
Absolute/differential Tranalyzer command line USR1 report | tranalyzer.h |
MACHINE_REPORT |
Human/machine compliant report | tranalyzer.h |
MONINTTHRD |
Threaded interrupt handling: default | main.h |
MONINTBLK |
Non-threaded, block interrupts during packet processing | main.h |
MONINTPSYNC |
Synchronized print statistics | main.h |
MONINTTMPCP |
Time-base for monitoring | main.h |
MONINTTMPCP_ON |
Automatic start of monitoring | main.h |
MONINTV |
Interval (seconds) of monitoring output | main.h |
MONPROTMD |
Output protocol numbers or names | main.h |
Alarm Mode
| Constant | Meaning | File |
|---|---|---|
ALARM_MODE |
Only flow output if an alarm based plugin fires | tranalyzer.h |
ALARM_AND |
Logical operation of all alarm based plugins (AND/OR) | tranalyzer.h |
Force Mode
| Constant | Meaning | File |
|---|---|---|
FORCE_MODE |
Parameter induced flow termination, implemented by plugins | tranalyzer.h |
Flow Aggregation
| Constant | Meaning | File |
|---|---|---|
AGGREGATIONFLAG |
Flow aggregation | tranalyzer.h |
DSTPORTHW |
Dst port upper bound | tranalyzer.h |
DSTPORTLW |
Dst port lower bound | tranalyzer.h |
SRCPORTHW |
Src port upper bound | tranalyzer.h |
SRCPORTLW |
Src port lower bound | tranalyzer.h |
Flow Timeout
| Constant | Meaning | File |
|---|---|---|
FDURLIMIT |
Flow duration limitation | tranalyzer.h |
FDLSFINDEX |
Same findex for early duration limited flows | tranalyzer.h |
FLOW_TIMEOUT |
Standard flow timeout | tranalyzer.h |
SCTP
| Constant | Meaning | File |
|---|---|---|
SCTP_ACTIVATE |
Activate SCTP streams -> flows | tranalyzer.h |
SCTP_STATFINDEX |
Findex increments or constant for all SCTP streams in a packet | tranalyzer.h |
Geolocation
| Constant | Meaning | File |
|---|---|---|
CNTYCTY |
Output county and city | subnetHL.h |
SUBNET_ON |
Enable subnet functions | subnetHL.h |
SUBRNG |
IP range definition | subnetHL.h |
Packet length statistics
| Constant | Meaning | File |
|---|---|---|
PACKETLENGTH |
controls L2-7 length included in packet->len |
packetCapture.h |
FRGIPPKTLENVIEW |
IP header added in 2nd fragment in packet->len |
packetCapture.h |
Multiple file I/O
| Constant | Meaning | File |
|---|---|---|
MFPTMOUT |
Timeout for poll timing > POLLTM |
tranalyzer.h |
RROP |
Round robin operation | tranalyzer.h |
Kung-Fu
| Constant | Meaning | File |
|---|---|---|
NOLAYER2 |
Set it to 1 to manually set your layer 3 pointer to NOL2_L3HDROFFSET |
packetCapture.h |
NOL2_L3HDROFFSET |
Offset at which your layer 3 header starts (require NOLAYER2=1) |
packetCapture.h |