Tranalyzer2 cheatsheet
Contents
- List of Tranalyzer2 plugins
- List of Tranalyzer2 scripts and utilities
- List of Tranalyzer2 navigation shortcuts
- List of important Tranalyzer2 configuration flags
- t2conf: configure Tranalyzer2 and the plugins
- t2build: build Tranalyzer2 and the plugins
- t2/st2: run Tranalyzer2
- t2doc: access Tranalyzer2 and plugins documentation
- t2fm: PDF report generation from PCAP
- t2whois: query Tranalyzer2 subnet file
- Post-processing
This cheatsheet summarizes the most important scripts and commands used and discussed in the various tutorials.
List of Tranalyzer2 plugins
For an overview of Tranalyzer2 plugins, refer to The plugins tutorial.
List of Tranalyzer2 scripts and utilities
t2 | run Tranalyzer
st2 | run Tranalyzer as root (sudo)
gt2 | run Tranalyzer in the gdb (Linux) or lldb (macOS) debugger
t2build | build (load/unload) plugins
t2conf | configure plugins
t2doc | access plugin documentation
t2docker | run T2 commands inside Docker, create and manage T2 containers
t2b2t | convert T2 binary files to text or JSON
t2fm | generate a PDF report from a PCAP file
t2flowstat | generate flow statistics from a flow file
t2fuzz | corrupt PCAP files and run T2 against them
t2locate | query the location database for the city nearest to a pair of floating-point terrestrial coordinates
t2mmdb | query IPs in a MaxMind DB and get the results in T2 format
t2netID | decode hexadecimal network IDs
t2plot | 2D/3D plot
t2plugin | create new plugins and list existing plugins
t2py | control and operate T2 with Python
t2rrd | monitoring and plotting with RRDtool
t2stat | send signals (interrupts) to Tranalyzer2
t2test | run a toggle test on a specified plugin
t2timeline | generate a timeline from a flow file
t2update | check for a new version of Tranalyzer and update if requested
t2viz | generate a graphviz script which can be loaded into xdot or dotty
t2whois | query the Tranalyzer2 (anteater) subnet file
fextractor | use the findexer _flows.xer file to extract specific flows/packets into a new pcap
protStat | sort and manipulate protocol statistics files
fpsGplt | transform 2D/3D statistics output from pktSIATHisto to gnuplot format
statGplt | transform the output from nFrstPkts to gnuplot format
tawk | awk for Tranalyzer flow and packet files
For more details about a specific command, use the script's -h or --help option.
List of Tranalyzer2 navigation shortcuts
$T2HOME | tranalyzer root folder
$T2PLHOME | tranalyzer plugin root folder
tran | go to the tranalyzer root folder
tranpl | go to the tranalyzer plugin root folder
pluginName | go to the root folder of plugin pluginName, e.g., tcpFlags
.tran | go to the tranalyzer active plugin folder (~/.tranalyzer/plugins)
subnetutils | go to the tranalyzer subnet utils directory ($T2HOME/utils/subnet/)
List of important Tranalyzer2 configuration flags
Refer to the Tranalyzer2 Configuration Cheatsheet.
t2conf: configure Tranalyzer2 and the plugins
To change the value of a configuration flag run:
To set the value in the header file, e.g., pluginName.h: t2conf pluginName -D FLAG_NAME=new_value
To set the value in the config file, i.e., pluginName.config: t2conf pluginName -D FLAG_NAME=new_value -g
To set the value in a specific config file: t2conf pluginName -D FLAG_NAME=new_value -g /path/to/myconfig.cfg
To reset the value of a configuration flag to its default:
To reset the value in the header file, e.g., pluginName.h: t2conf pluginName -D FLAG_NAME=default
To reset the value in the config file, i.e., pluginName.config: t2conf pluginName -D FLAG_NAME=default -g
To reset the value in a specific config file: t2conf pluginName -D FLAG_NAME=default -g /path/to/myconfig.cfg
To check the value of a configuration flag run:
To get the value from the header file, e.g., pluginName.h: t2conf pluginName -G FLAG_NAME
To get the value from the config file, i.e., pluginName.config: t2conf pluginName -g -G FLAG_NAME
To get the default value from default.config: t2conf pluginName -g default -G FLAG_NAME
To get the value from a specific config file: t2conf pluginName -g /path/to/myconfig.cfg -G FLAG_NAME
To list the configuration flags available run:
t2conf pluginName -I
To list the environment configuration flags available run:
t2conf pluginName -E
To list the environment configuration flags currently set run:
t2conf pluginName -e
To reset a plugin configuration to its default values run:
t2conf pluginName --reset
To save a plugin configuration run (if no filename is specified, defaults to $T2HOME/plugins/pluginName/pluginName.config):
t2conf pluginName -g
t2conf pluginName -g /where/to/save/file.config
To load a plugin configuration run:
t2conf pluginName -C /path/to/file.config
Note that if the default filename is used ($T2HOME/plugins/pluginName/pluginName.config), then -C auto can be used instead:
t2conf pluginName -C auto
Create a plugin loading list (if no filename is specified, defaults to $HOME/.tranalyzer/plugins/plugins.load):
t2conf -L plugin1 plugin2 ...
t2conf -L plugins.txt plugin1 plugin2 ...
Extract the active plugins from a loading list (if no filename is specified, defaults to $HOME/.tranalyzer/plugins/plugins.load):
t2conf -S
t2conf -S plugins.txt
Graphical selection and configuration of the plugins [Tutorial]:
t2conf --gui
Graphical configuration of a plugin [Tutorial]:
t2conf pluginName --gui
Graphically editing configuration files, e.g., pluginName.config, instead of header files:
t2conf pluginName -g --gui
Graphically create a plugin loading list:
t2conf -L --gui
t2conf -L plugins.txt --gui
For more details about t2conf, run:
t2conf --help
For an in-depth discussion about t2conf, refer to the Configuration kung fu tutorial.
t2build: build Tranalyzer2 and the plugins
Build the default plugins:
t2build
Build specific plugins:
t2build pluginName1 pluginName2
Build everything:
t2build -a
Rebuild Tranalyzer2 and the current plugins:
t2build -R
Unload (deactivate) a plugin:
t2build -u pluginName
List the plugins in the plugin folder:
t2build -l
Empty the plugin folder:
t2build -e
Update a plugin (blacklists, …):
t2build -U pluginName
Change the build backend:
meson: t2build -B meson pluginName
cmake: t2build -B cmake pluginName
autotools: t2build -B autotools-out-of-tree pluginName
Alternatively, set the T2BUILD_BACKEND environment variable:
meson: T2BUILD_BACKEND=meson t2build pluginName
cmake: T2BUILD_BACKEND=cmake t2build pluginName
autotools: T2BUILD_BACKEND=autotools-out-of-tree t2build pluginName
For more details about t2build, run:
t2build --help
For an in-depth discussion about t2build, refer to the Building kung fu tutorial.
t2/st2: run Tranalyzer2
Analyze a pcap:
t2 -r file.pcap
Change the output prefix:
t2 -r file.pcap -w /path/prefix
Save the final report in a file:
t2 -r file.pcap -l
Save the monitoring output in a file:
t2 -r file.pcap -m
Create the packet file:
t2 -r file.pcap -s
Analyze traffic (as root) from an interface:
st2 -i eth0
For more details about t2, run:
t2 --help
t2doc: access Tranalyzer2 and plugins documentation
Access the complete documentation:
t2doc
Access the documentation of a specific plugin:
t2doc pluginName
Access the documentation of specific plugins:
t2doc pluginName1 pluginName2
Access the FAQ, tawk, t2fm and the various scripts documentation:
t2doc faq tawk t2fm scripts
For more details about t2doc, run:
t2doc --help
t2fm: PDF report generation from PCAP
Configure and build tranalyzer and the plugins (-b), run t2 on file.pcap and open the generated report (-A):
t2fm -b -A -r file.pcap
Create a report from an existing flow file:
t2fm -F file_flows.txt
Create a report from a MongoDB database named tranalyzer:
t2fm -m tranalyzer
Create a report from a PostgreSQL database named tranalyzer:
t2fm -p tranalyzer
For more details about t2fm, run:
t2fm --help
For an in-depth discussion about t2fm, refer to the PDF Report Generation from PCAP using t2fm tutorial.
t2whois: query Tranalyzer2 subnet file
t2whois can be used to query the basicFlow geolocation (subnet) database.
Query one or more IP addresses:
t2whois 127.0.0.1 ::1
Query IP addresses from a file:
head file.txt
1.2.3.4 5.6.7.8
t2whois -r file.txt
Query every IP address of a flow file and output each result as one tab-separated line:
tawk -H '{ print $srcIP "\n" $dstIP }' file_flows.txt | sort -u | t2whois -l
Only output specific fields:
t2whois -o netmask,who 1.2.3.4
List the fields available:
t2whois -L
Enter the interactive (prompt) mode:
t2whois
Generate a KML file which can be loaded in, e.g., Google Earth or Google Maps:
tawk '{ print $dstIP }' file_flows.txt | sort -u | t2whois -k file.kml
Get information about the databases:
t2whois -V
For more details about t2whois, run:
t2whois -h
For an in-depth discussion about t2whois, refer to the Geolocation and WHOIS behind it tutorial.
Post-processing
tawk: awk for Tranalyzer flow files
Decode Tranalyzer status bitfields
tawk -V name
tawk -V name=value
Decode layer 2 protocols
tawk -V ethType
tawk -V ethType=value
Decode layer 4 protocols
tawk -V l4Proto
tawk -V l4Proto=value
Decode all aggregated fields in a Tranalyzer log file:
tawk -L out_log.txt
t2 -r file.pcap | tawk -L
List the column names and numbers of a flow file:
tawk -l file_flows.txt
List the functions provided by tawk:
tawk -g
Alternatively, refer to the Alphabetical list of Tawk functions.
Access the documentation of a tawk function:
tawk -d name
Create a pcap with the flows selected by a tawk filter (Tutorial):
tawk -x file.pcap 'filter' file_flows.txt
Create a pcap with the packets selected by a tawk filter (Tutorial):
tawk -x file.pcap -P 'filter' file_packets.txt
Open the selected flows in Wireshark (Tutorial):
tawk -k 'filter' file_flows.txt
Open the selected packets in Wireshark (Tutorial):
tawk -k -P 'filter' file_packets.txt
Process Bro/Zeek log files:
tawk --bro 'program' file.log
tawk --zeek 'program' file.log
Process CSV log files:
tawk --csv 'program' log.csv
Change the input field separator:
tawk -F ',' 'program' log.csv
Change the output field separator:
tawk -O ',' 'program' file.tsv
For more details about tawk, run:
tawk --help
For an in-depth discussion about tawk, refer to the Post-processing with Tawk tutorial.
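The tawk pipelines above (listing a flow file's columns, feeding its unique IPs to t2whois, selecting flows with a filter) all work by resolving column names through the header line of the flow file rather than by fixed positions, because the column set depends on which plugins were loaded. The POSIX shell script below is an added example, not part of Tranalyzer2 or its tutorials: it reimplements those three lookups in plain awk on a constructed, reduced flow file, so the mechanics can be inspected on a machine without t2 or tawk. It assumes only that T2 text flow files are tab-separated with a header line starting with '%' directly followed by the column names; the sample rows and the t2_* function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of Tranalyzer2: reimplement in plain awk what the
# cheatsheet's tawk pipelines do with a flow file, so the mechanics can be
# checked without t2/tawk installed.
#   tawk -l file_flows.txt                            -> t2_list_columns
#   tawk -H '{ print $srcIP "\n" $dstIP }' | sort -u  -> t2_unique_ips (stream for t2whois -l / -k)
#   tawk -k 'filter' file_flows.txt                   -> t2_flows_where (one-field filter, flowInd only)
# Assumption: T2 text flow files are tab-separated and the header line starts
# with '%' directly followed by the first column name. The rows below are a
# constructed, reduced sample (a real basicFlow file has many more columns).

# Write the constructed sample flow file to the path given as $1.
t2_write_sample() {
    {
        printf '%%dir\tflowInd\tsrcIP\tsrcPort\tdstIP\tdstPort\tl4Proto\n'
        printf 'A\t1\t192.168.1.10\t52341\t93.184.216.34\t443\t6\n'
        printf 'B\t1\t93.184.216.34\t443\t192.168.1.10\t52341\t6\n'
        printf 'A\t2\t192.168.1.10\t53412\t8.8.8.8\t53\t17\n'
        printf 'A\t3\t10.0.0.5\t49152\t192.168.1.10\t445\t6\n'
    } > "$1"
}

# Print "number name" for every column of the header (1-based, like awk's $N).
t2_list_columns() {
    awk -F'\t' 'NR == 1 { sub(/^%/, "", $1); for (i = 1; i <= NF; i++) print i, $i; exit }' "$1"
}

# Resolve a column name ($2) to its field number in flow file $1; exit 1 if absent.
t2_col() {
    awk -F'\t' -v name="$2" '
        NR == 1 {
            sub(/^%/, "", $1)
            for (i = 1; i <= NF; i++) if ($i == name) { print i; exit 0 }
            exit 1
        }' "$1"
}

# Every distinct srcIP and dstIP, one per line, sorted bytewise: the stream the
# cheatsheet pipes into "t2whois -l" or "t2whois -k file.kml".
t2_unique_ips() {
    awk -F'\t' '
        NR == 1 {
            sub(/^%/, "", $1)
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("srcIP" in col) || !("dstIP" in col)) { print "no srcIP/dstIP column" > "/dev/stderr"; exit 1 }
            next
        }
        { print $(col["srcIP"]); print $(col["dstIP"]) }' "$1" | LC_ALL=C sort -u
}

# flowInd of every flow whose column $2 equals $3 (a one-field tawk filter),
# unique and numerically sorted; e.g. "dstPort 445" selects the SMB flows.
t2_flows_where() {
    awk -F'\t' -v fname="$2" -v fval="$3" '
        NR == 1 {
            sub(/^%/, "", $1)
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!(fname in col) || !("flowInd" in col)) exit 1
            next
        }
        $(col[fname]) == fval { print $(col["flowInd"]) }' "$1" | LC_ALL=C sort -un
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
t2_write_sample "$sample"
t2_list_columns "$sample"
t2_unique_ips "$sample"
t2_flows_where "$sample" dstPort 445
rm -f "$sample"
```

Because the column order of a real flow file changes with the loaded plugin set, a positional `awk '{ print $13 }'` silently breaks when plugins are added or removed; resolving names through the header, as above and as tawk does, is what makes the `$srcIP`-style filters in this section stable. Checking the header first (`tawk -l`) is therefore the first step against any flow file produced by a different configuration.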
protStat: sort and manipulate protocol statistics files
The protStat script can be used to sort, filter and manipulate the statistics files generated by the following plugins:
protoStats: _protocols.txt
icmpDecode: _icmpStats.txt
igmpDecode: _igmpStats.txt
nDPI: _nDPI.txt
Sort a file by packets:
protStat file.txt
Sort a file by bytes:
protStat -b file.txt
Sort in reverse order:
protStat -r file.txt
Only display values with packet probability greater than 50%:
protStat -p 50 file.txt
Only display values with byte probability smaller than 1%:
protStat -b -p -1 file.txt
Only display the 5 values with highest byte count:
protStat -b -n 5 file.txt
Only display the 10 values with lowest packet count:
protStat -n -10 file.txt
For more details about protStat, run:
protStat --help
t2plot: 2D/3D plot
Basic histograms:
t2plot -D file_with_one_column.txt
tawk '{ print $col1 }' file_with_many_columns.txt | t2plot -D
t2plot -D -o colName file_with_many_columns.txt
t2plot -D -o colNumber file_with_many_columns.txt
Basic 2D plots:
t2plot file_with_two_columns.txt
tawk '{ print $col1, $col2 }' file_with_many_columns.txt | t2plot
t2plot -D -o colName1:colName2 file_with_many_columns.txt
t2plot -D -o colNumber1:colNumber2 file_with_many_columns.txt
Basic 3D plots:
t2plot file_with_three_columns.txt
tawk '{ print $col1, $col2, $col3 }' file_with_many_columns.txt | t2plot
t2plot -D -o colName1:colName2:colName3 file_with_many_columns.txt
t2plot -D -o colNumber1:colNumber2:colNumber3 file_with_many_columns.txt
Reducing X-, Y- or Z- range:
t2plot -sx lowestValueX:highestValueX -sy lowestValueY:highestValueY -sz lowestValueZ:highestValueZ ...
For more examples with t2plot, run:
t2plot -e
For more details about t2plot, run:
t2plot --help
t2b2t: convert Tranalyzer binary files
Convert a binary file to txt (keeping the same prefix):
t2b2t -r file_flows.bin
Convert a binary file to JSON:
t2b2t -r file_flows.bin -j
Convert a binary file to compressed (gzip) txt:
t2b2t -r file_flows.bin -c
Convert a binary file to compressed (gzip) JSON:
t2b2t -r file_flows.bin -j -c
Use a custom name for the output file:
t2b2t -r file_flows.bin -w my_file.txt
t2b2t -r file_flows.bin -w my_file.json.gz
Write the converted file to stdout:
t2b2t -r file_flows.bin -w -
List the column names and exit:
t2b2t -r file_flows.bin -l
For more details about t2b2t, run:
t2b2t --help
t2plugin: create new plugins and list existing plugins
Create a new C plugin:
t2plugin -c pluginName
Create a new C plugin with a specific plugin number:
t2plugin -c pluginName -n 123
Create a new C++ plugin:
t2plugin -c pluginName --cpp
Create a new Rust plugin:
t2plugin -c pluginName --rust
List all the available plugins, their numbers and descriptions:
t2plugin -l
List the names of all available plugins:
t2plugin -l -N
List the names of all available plugins without any header:
t2plugin -l -N -H
For more details about t2plugin, run:
t2plugin --help
t2docker: create and manage Tranalyzer Docker containers
Create a Docker container:
t2docker -B t2-latest.tar.gz
Download the latest version of T2 and create a Docker container:
t2docker -B latest
List existing Tranalyzer Docker containers:
t2docker -ls
Save a Docker image:
t2docker -S image-name-or-id
Load a Docker image:
t2docker -L t2docker-image.tar[.gz]
Open a shell in a Docker image:
t2docker -X image-name-or-id
Run Tranalyzer inside a Docker container:
t2docker -r file.pcap
Run another T2 command inside a Docker container:
t2docker tawk -V flowStat
For more details about t2docker, run:
t2docker --help