Tranalyzer2 installation and simple use tutorial

1 Introduction to Tranalyzer2

Tranalyzer2 is a lightweight flow generator and packet analyzer designed for practitioners and researchers. Its particular value lies in simplicity, high performance and scalability. It extends the capabilities of Cisco NetFlow and enables analysts to process very large packet dumps. It supports in-depth analysis of traffic or even of individual packets of interest, and can quickly generate a minified pcap that can then be analyzed in depth via its own text-based packet patterns, or simply loaded into tcpdump or Wireshark.
The program is open source, implemented in C, and built on the libpcap library. Tranalyzer can analyze and generate key parameters and statistics for IP traces captured in real time from Ethernet interfaces or read from pcap files. The amount of binary and text output Tranalyzer produces depends on the enabled plugins, so users can customize the output according to their needs. Furthermore, additional plugins can be developed independently of the functionality of other plugins.
Official website: Tranalyzer2

2 Installation (Ubuntu 20.04 as an example)

  1. Download the source package at https://tranalyzer.com/downloads:
  2. Install the dependencies first on Ubuntu:
apt-get install autoconf autoconf-archive automake libbsd-dev libpcap-dev libreadline-dev libtool make meson zlib1g-dev
  3. Unzip the downloaded compressed package:
tar xzf tranalyzer2-0.8.13lmw2.tar.gz
  4. Enter the directory and execute the installation script:
cd tranalyzer2-0.8.13
./setup.sh

Note: the installation may report an error, for example a plugin that fails to build.
Here we first follow the prompt and execute "setup.sh -N", which skips the part of the installation that failed.
After the script is executed, enter:

source ~/.bashrc

Then, we manually install the part that just went wrong, and enter:

t2build dnsDecode
t2build macRecorder
t2build sshDecode
t2build sslDecode

Taking macRecorder as an example, an error may appear again during installation: "Permission denied" while executing line 28 of /root/software/tranalyzer2-0.8.13/plugins/macRecorder/autogen.sh.
Open the script and observe that at line 28 it calls:

/root/software/tranalyzer2-0.8.13/plugins/macRecorder/utils/aconv

This file does not have execute permission by default, so we first need to add it:

chmod +x /root/software/tranalyzer2-0.8.13/plugins/macRecorder/utils/aconv

Then run "t2build macRecorder" again.

Note: this kind of error may appear several times (once per affected plugin); the fix is the same each time.

After compiling and installing the four plugins that reported errors, execute:

t2build

This time the system automatically compiles and installs all the necessary plugins for us.
The installation part is now complete; the following describes how to use the tool.

3 Tutorial

3.1 Flow mode

After the installation is complete, the Tranalyzer2 command is t2; enter t2 -h to view the available options.
As you can see, the input can be a specified network interface, or one or more pcap files.
E.g. specify a network interface to capture and analyze:

t2 -i eth0

After capturing packets, press CTRL + C; you can then see the output statistics in the corresponding folder.

E.g. read a pcap file and write the output to the specified folder:

t2 -r /root/pcap/test.pcap -w /root/result/

The program prints its running statistics on completion.
Check the output directory: a total of five files are output (the number depends on the enabled plugins):

  • test_protocols.txt: mainly layered (per-protocol-layer) byte count statistics.
  • test_nDPI.txt: mainly packet-level byte counts by application protocol.
  • test_icmpStats.txt: statistics about ICMP packets. test.pcap does not contain ICMP packets, so here the file is empty.
  • test_headers.txt: describes the specific meaning of each column name in test_flows.txt.
  • test_flows.txt: records the fields the tool extracted from each flow; the meaning of each column is given in the previous file.
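Once the flow file is written, the first thing a defender usually wants is a quick per-destination summary rather than reading the raw columns. The following Python script is an added example (not part of the original tutorial or of Tranalyzer2 itself): it parses a flows file and sums bytes sent per destination endpoint. It assumes the flows file is tab-separated with a "%"-prefixed header line naming the columns, and the column names dir, dstIP, dstPort, l4Proto and numBytesSnt are assumed typical names; verify them against your own test_headers.txt.

```python
# Added example: summarise a Tranalyzer2 *_flows.txt by destination endpoint.
# Assumption: tab-separated rows, first line is a '%'-prefixed header listing
# the column names. Column names below are assumed; check *_headers.txt.
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the assumed format (not real tool output).
SAMPLE_FLOWS = """\
% dir\tflowInd\tsrcIP\tsrcPort\tdstIP\tdstPort\tl4Proto\tnumPktsSnt\tnumBytesSnt
A\t1\t10.0.0.5\t51234\t203.0.113.10\t443\t6\t12\t2048
B\t1\t203.0.113.10\t443\t10.0.0.5\t51234\t6\t10\t9876
A\t2\t10.0.0.5\t51235\t203.0.113.10\t443\t6\t3\t512
A\t3\t10.0.0.7\t40000\t198.51.100.4\t53\t17\t1\t64
"""


def parse_flows(text: str) -> List[Dict[str, str]]:
    """Parse the '%'-prefixed header and the data rows into one dict per flow."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    if not header.startswith("%"):
        raise ValueError("expected a '%'-prefixed header line")
    cols = header.lstrip("% ").split("\t")
    rows = []
    for ln in lines[1:]:
        fields = ln.split("\t")
        if len(fields) != len(cols):
            # Skip a malformed row instead of silently misaligning columns.
            continue
        rows.append(dict(zip(cols, fields)))
    return rows


def bytes_per_destination(rows: List[Dict[str, str]]) -> Dict[Tuple[str, str, str], int]:
    """Sum bytes sent in A-direction (initiator -> responder) flows per dstIP/dstPort/l4Proto."""
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for r in rows:
        if r["dir"] != "A":
            continue  # the B row is the reverse direction of the same flow
        key = (r["dstIP"], r["dstPort"], r["l4Proto"])
        totals[key] += int(r["numBytesSnt"])
    return dict(totals)


if __name__ == "__main__":
    summary = bytes_per_destination(parse_flows(SAMPLE_FLOWS))
    for (ip, port, proto), n in sorted(summary.items()):
        print(f"{ip}:{port}/{proto}\t{n} bytes")
```

Point it at a real file by replacing SAMPLE_FLOWS with the contents of /root/result/test_flows.txt.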

3.2 Packet mode

In addition to extracting features in flow mode, t2 can also extract feature fields at the packet level; run:

t2 -r /root/pcap/test.pcap -w /root/result1/ -s

The output folder now contains an additional file, test_protocols.txt:

  • test_protocols.txt: the packet-level feature fields extracted by t2.

3.3 IDS mode

By modifying the regular-expression configuration file, Tranalyzer2 can match feature fields inside packets; here we take the demo from the official website as an example. View the default regex rule configuration file:

regex_pcre
tcol scripts/regfile.txt

At this point, when t2 is run again to analyze the pcap file, the matching rules generate a warning for the command.

3.4 Statistical analysis

Tranalyzer2 can compute statistics from the flows file generated in the previous step and produce a PDF file:

t2fm -F /root/result/test_flows.txt

A statistics PDF can also be generated directly from a pcap file:

t2fm -b -A -r /root/pcap/test.pcap

The resulting PDF contains the flow and protocol statistics plots for the capture.

Origin blog.csdn.net/airenKKK/article/details/126770480