L2/3 flow aggregation modes
As already introduced in the basics tutorial, we will now explore the different flow aggregation modes of T2.
So the five tuple (srcIP, srcPort, dstIP, dstPort, l4Proto) aggregation is commonly used, right?
But that is far from reality, which is more complex: e.g. there are these ominous virtual LANs, aka VLANs. Flows get mixed up if different VLANs use the same five tuple. Yes, I know who gets traffic from an LNS or a trunk…
So a six tuple. Ahem, what about SCTP? Right, so that has to be integrated into the definition of a flow as well, as discussed in the SCTP tutorial. Seven tuple. There are several L2 protocols, oops! So we need to add the ether type and the Ethernet addresses as well. Now we end up with a 10 tuple. The configuration of these different modes is the topic of the following tutorial.
Preparation
First, restore T2 to a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow basicStats tcpStates connStat txtSink
...
BUILD SUCCESSFUL
If you have not created separate data and results directories yet, please do it now in another bash window; that makes your workflow easier:
mkdir ~/data ~/results
The sample PCAPs used in this tutorial can be downloaded here:
Please save them in your ~/data folder.
Now you’re all set!
T2 protocol flow aggregation
The constants controlling the flow aggregation reside in networkHeaders.h. Open the file and search for USER CONFIGURATION FLAGS as shown below:
tranalyzer2
vi src/networkHeaders.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define IPV6_ACTIVATE    2 // 0: IPv4 only
                           // 1: IPv6 only
                           // 2: dual mode
#define ETH_ACTIVATE     1 // 0: No L2 flows,
                           // 1: Activate L2 flows,
                           // 2: Also use Ethernet addresses for IPv4/6 flows
#define LAPD_ACTIVATE    0 // 0: No LAPD/Q.931 flows
                           // 1: Activate LAPD/Q.931 flow generation
#define LAPD_OVER_UDP    0 // 0: Do not try dissecting LAPD over UDP
                           // 1: Dissect LAPD over UDP (experimental)
#define SCTP_ACTIVATE    0 // 0: standard flows
                           // 1: activate SCTP chunk streams -> flows
                           // 2: activate SCTP association -> flows
                           // 3: activate SCTP chunk & association -> flows
#define SCTP_STATFINDEX  1 // 0: findex increments
                           // 1: findex constant for all SCTP streams in a packet
#define MULTIPKTSUP      0 // multi-packet suppression
#define T2_PRI_HDRDESC   1 // keep track of the headers traversed
#define T2_HDRDESC_AGGR  1 // aggregate repetitive headers, e.g., vlan{2}
#define T2_HDRDESC_LEN 128 // max length of the headers description
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
By default T2 operates in dual IP mode, so IPv4/6 flows are produced, even IPv4 in IPv6 or vice versa, any combination you can have with any L2 encapsulation protocol, including fragmentation and all the crap you can imagine. Search for // Protocol stack in tranalyzer.h as shown below:
vi src/tranalyzer.h
...
// Protocol stack
#define AYIYA 1 // AYIYA processing on: 1, off: 0
#define GENEVE 1 // GENEVE processing on: 1, off: 0
#define TEREDO 1 // TEREDO processing on: 1, off: 0
#define L2TP 1 // L2TP processing on: 1, off: 0
#define GRE 1 // GRE processing on: 1, off: 0
#define GTP 1 // GTP processing on: 1, off: 0
#define VXLAN 1 // VXLAN processing on: 1, off: 0
#define IPIP 1 // IPv4/6 in IPv4/6 processing on: 1, off: 0
#define ETHIP 1 // Ethernet over IP on: 1, off: 0
#define CAPWAP 1 // CAPWAP processing on: 1, off: 0
#define LWAPP 1 // LWAPP processing on: 1, off: 0
...
It is a legacy that you cannot switch off IPv4; we will change this to independent switches in a later version. The SCTP constants are discussed in detail in the SCTP tutorial, so we skip them here.
If you got traffic from a monitor port of a switch where somebody forgot to suppress either the port egress or ingress traffic, the resulting pcap essentially contains every packet twice. No big deal: switch on MULTIPKTSUP, rebuild with t2build tranalyzer2, and that mishap is gone. This mode only works with IPv4, as these IETF guys defining IPv6 forgot the IPID in the IPv6 main header. Morons!!
If you want the header description to be created by the core, leave T2_PRI_HDRDESC on, unless you want to gain performance. T2_HDRDESC_AGGR aggregates repeated headers in the description, a good choice if you want to reduce the length of the header description column in the flow/packet file. T2_HDRDESC_LEN limits the length of that column.
In the basics tutorial, the form and effect of the header description config was already demonstrated. Let's focus here on the IP and Ethernet aggregation modes first.
IP modes
You should know by now that annoloc2.pcap contains L2, IPv4 and IPv6 flows. Let us switch to IPv4-only mode. As all plugins implement the aggregation mode, the core and all loaded plugins have to be recompiled:
t2conf tranalyzer2 -D IPV6_ACTIVATE=0 -D ETH_ACTIVATE=0 && t2build -R
t2 -r ~/data/annoloc2.pcap -w ~/results/
Now we see only IPv4 flows, but we still get statistics about all other protocols such as IPv6 or ARP. So even when filtering out traffic in the core you keep the full overview of the traffic. Really useful, because somebody might promise you IPv4 traffic only; you switch T2 to IPv4 mode and then discover that there is still IPv6 traffic in it, without even looking into a single flow file. So you can show it to the guy and make him eat furniture.
At the beginning of the report you see: Number of packets without flow: 407 [0.03%]
These are the 0.03% IPv6 + L2 packets T2 does not dissect, so the statistics are marginally different from dual mode. To prove that the core filtering works, select either the IPv4/6 flowStat bits and aggregate them, or aggregate hdrDesc. Here I chose the latter, because it is human readable:
tawk 'aggrrep($hdrDesc)' ~/results/annoloc2_flows.txt | tcol
hdrDesc Flows
eth:ipv4:tcp 10442
eth:ipv4:udp 5987
eth:ipv4:icmp 561
eth:ipv4:udp:ssdp 419
eth:ipv4:igmp 11
eth:ipv4:ipv4:tcp 8
eth:ipv4:pim 3
eth:ipv4:udp:gtp 2
eth:ipv4:udp:gtp:ssdp 1
eth:ipv4:ipv6:vrrp 1
eth:ipv4:ipv6:vines 1
eth:ipv4:ipv6:UNK(95) 1
eth:ipv4:ipv6:UNK(79) 1
eth:ipv4:ipv6:UNK(22) 1
eth:ipv4:ipv6:UNK(168) 1
eth:ipv4:ipv6:UNK(147) 1
eth:ipv4:ipv6:UNK(133) 1
eth:ipv4:ipv6:UNK(131) 1
eth:ipv4:ipv6:UNK(126) 1
eth:ipv4:ipv6:dsr 1
eth:ipv4:gre:UNK(0xefe6) 1
eth:ipv4:gre:UNK(0xc098) 1
eth:ipv4:gre:UNK(0xa11f) 1
eth:ipv4:gre:UNK(0x6d6f) 1
eth:ipv4:gre:UNK(0x6d38) 1
eth:ipv4:gre:UNK(0x697d) 1
eth:ipv4:gre:UNK(0x18aa) 1
eth:ipv4:gre:UNK(0x111d) 1
eth:ipv4:gre:UNK(0x0f0e) 1
eth:ipv4:gre:UNK(0x0db3) 1
eth:ipv4:gre:UNK(0x0a90) 1
eth:ipv4:gre:UNK(0x09c3) 1
eth:ipv4:gre:UNK(0x08a8) 1
eth:ipv4:gre:UNK(0x05e8) 1
eth:ipv4:gre:UNK(0x0496) 1
eth:ipv4:gre:UNK(0x0401) 1
eth:ipv4:gre:UNK(0x008b) 1
eth:ipv4:gre:UNK(0x0051) 1
eth:ipv4:gre:UNK(0x0014) 1
The UNK() is a complaint from the core that these flows contain header-snapped packets.
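The check above relies on tawk, which resolves a column by its name. As an added example (not part of the tutorial or of tawk), here is a plain-awk stand-in for aggrrep($hdrDesc) that looks the column up in the "%"-prefixed header line, so the "did the core really drop everything but IPv4" check can be scripted wherever awk exists. The flow file is constructed for this example: a handful of columns only and spaces instead of T2's tabs.

```shell
#!/bin/sh
# Added example, not Tranalyzer or tawk code. Constructed flow file: a few
# columns of a T2 flow file, space-separated for readability.
FLOWS='%dir flowInd hdrDesc numPktsSnt
A 1 eth:ipv4:tcp 10
B 1 eth:ipv4:tcp 8
A 2 eth:ipv4:udp 3
A 3 eth:ipv4:ipv6:vrrp 1
A 4 eth:ipv4:tcp 2'

# col_index NAME: 1-based index of column NAME taken from the header line, 0 if absent
col_index() {
    printf '%s\n' "$FLOWS" | awk -v col="$1" '
    NR == 1 {
        sub(/^%/, "", $1)              # the header line starts with %dir
        for (i = 1; i <= NF; i++)
            if ($i == col) { print i; exit }
        print 0
    }'
}

# aggr_col NAME: flows per distinct value of column NAME, most frequent first
# (the plain-awk counterpart of tawk aggrrep($NAME))
aggr_col() {
    c=$(col_index "$1")
    [ "$c" -gt 0 ] || { echo "no column $1" >&2; return 1; }
    printf '%s\n' "$FLOWS" | awk -v c="$c" '
    NR > 1 { cnt[$c]++ }
    END { for (v in cnt) print cnt[v], v }' | sort -rn -k1,1 | awk '{ print $2, $1 }'
}

# count_where NAME REGEX: number of flows whose column NAME matches REGEX
count_where() {
    c=$(col_index "$1")
    [ "$c" -gt 0 ] || { echo "no column $1" >&2; return 1; }
    printf '%s\n' "$FLOWS" | awk -v c="$c" -v re="$2" '
    NR > 1 && $c ~ re { n++ }
    END { print n + 0 }'
}

echo "hdrDesc Flows"
aggr_col hdrDesc
# In IPv4-only mode every flow must start with eth:ipv4; a flow that still
# carries an inner ipv6 header is exactly what the hdrDesc aggregation exposes.
echo "flows starting with eth:ipv4: $(count_where hdrDesc '^eth:ipv4') of $(count_where hdrDesc '.')"
echo "flows with an ipv6 header:    $(count_where hdrDesc ':ipv6')"
```

Pipe a real flow file into the same awk programs instead of the FLOWS variable and switch the field separator to a tab (-F'\t') to run the check on T2 output.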
Now switch on only IPv6, still with L2 flows off.
t2conf tranalyzer2 -D IPV6_ACTIVATE=1 && t2build -R
t2 -r ~/data/annoloc2.pcap -w ~/results/
Now many more packets end up without a flow: Number of packets without flow: 1218855 (1.22 M) [99.99%]
These are the 99.9% IPv4 + L2 packets which are not processed by the T2 core. Only 44 IPv6 flows are listed in the flow file. To test whether the anteater does a good job, here is the proof:
tawk 'aggr($hdrDesc)' ~/results/annoloc2_flows.txt | tcol
hdrDesc Flows
eth:ipv6:tcp 37
eth:ipv6:icmpv6 7
eth:ipv4:ipv6:vrrp 1
eth:ipv4:ipv6:vines 1
eth:ipv4:ipv6:UNK(95) 1
eth:ipv4:ipv6:UNK(79) 1
eth:ipv4:ipv6:UNK(64) 1
eth:ipv4:ipv6:UNK(28) 1
eth:ipv4:ipv6:UNK(231) 1
eth:ipv4:ipv6:UNK(23) 1
eth:ipv4:ipv6:UNK(229) 1
eth:ipv4:ipv6:UNK(228) 1
eth:ipv4:ipv6:UNK(223) 1
eth:ipv4:ipv6:UNK(22) 1
eth:ipv4:ipv6:UNK(168) 1
eth:ipv4:ipv6:UNK(147) 1
eth:ipv4:ipv6:UNK(133) 1
eth:ipv4:ipv6:UNK(131) 1
eth:ipv4:ipv6:UNK(126) 1
eth:ipv4:ipv6:UNK(114) 1
eth:ipv4:ipv6:dsr 1
eth:ipv4:ipv6 1
Switching certain protocols off in the core saves time and memory. Hence, if you definitely know that there is ONLY one type of traffic on your interface or trunk port, first run T2 in full dual and L2 mode and look at the end report, then switch certain protocols off.
L2 modes
Now we only want to see L2 flows, so no IP. If you set IPV6_ACTIVATE=0, you still have IPv4. Bummer, a legacy flaw which we will definitely correct in a later version. So you have to add a BPF filter, which messes up the internal packet index, as not every packet reaches T2's core; comparing with Wireshark is then difficult. Wait, we will take care of it.
Anyway, let's switch on pure L2 flows, with IPv4 on. Load the macRecorder, which records all MAC pairs in an IP flow. We will need it for the number of MAC pairs in a flow as a selection feature.
t2conf tranalyzer2 -D IPV6_ACTIVATE=0 -D ETH_ACTIVATE=1
t2build macRecorder
t2build -R
t2 -r ~/data/annoloc2.pcap -w ~/results/
Total 17545 flows. Now change to your results window again and search for all flows which contain more than one MAC pair during the lifetime of the flow. We find one, a UDP broadcast.
tawk '$macPairs > 1 || NR == 1' ~/results/annoloc2_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto macStat macPairs srcMac_dstMac_numP srcMacLbl_dstMacLbl numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpStatesAFlags connSip connDip connSipDip connSipDprt connF
A 7669 0x0400000200004000 1022171718.902437 1022171719.151404 0.248967 1 3 eth:ipv4:udp 00:00:1c:b6:17:f2;00:c1:28:01:65:77 ff:ff:ff:ff:ff:ff 0x0800 0.0.0.0 - "-" 68 255.255.255.255 11 "Broadcast" 67 17 0x00 2 00:00:1c:b6:17:f2_ff:ff:ff:ff:ff:ff_1;00:c1:28:01:65:77_ff:ff:ff:ff:ff:ff_2 BellTech,US_Broadcast;-_Broadcast 3 0 915 0 300 312 305 4.133199 0 0.227059 0.082989 0.07443081 12.04979 3675.186 1 1 0x00 1 5 1 1 1
Now instruct the core to add the ethertype and the MAC addresses to the flow hash and re-run t2:
t2conf tranalyzer2 -D IPV6_ACTIVATE=0 -D ETH_ACTIVATE=2 && t2build -R
t2 -r ~/data/annoloc2.pcap -w ~/results/
Total 17546 flows, one more. Why? Search in your results window again for all flows which contain more than one MAC pair during the lifetime of the flow. Oops, gone, because now the IP flow is split into two flows.
tawk '$macPairs > 1 || NR == 1' ~/results/annoloc2_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto macStat macPairs srcMac_dstMac_numP srcManuf_dstManuf numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpStates connSip connDip connSipDip connSipDprt connF
As homework, produce a tawk command to find the said two flows.
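To see why ETH_ACTIVATE=2 produces that one extra flow, here is an added example (not code from the tutorial or from Tranalyzer) that builds the flow key from packet records the way the introduction describes it: the classic 5-tuple, then 5-tuple plus VLAN, then the key with ether type and MAC pair added. The packet records are constructed and mimic the DHCP broadcast found above (two hosts sending from 0.0.0.0:68 to 255.255.255.255:67) plus one ICMP 5-tuple seen on two VLANs; the SCTP component of the 10-tuple is left out, and macPairs is recomputed by hand rather than taken from macRecorder.

```shell
#!/bin/sh
# Added example, not Tranalyzer code. Constructed packet records, one per line:
#   srcMac dstMac ethType vlanId srcIP srcPort dstIP dstPort l4Proto
# Lines 1-3: two hosts send DHCP from 0.0.0.0:68 to 255.255.255.255:67 (UDP 17),
#            so they share the 5-tuple but not the source MAC.
# Lines 4-5: the same ICMP 5-tuple on two different VLANs.
PKTS='00:00:1c:b6:17:f2 ff:ff:ff:ff:ff:ff 0x0800 0 0.0.0.0 68 255.255.255.255 67 17
00:c1:28:01:65:77 ff:ff:ff:ff:ff:ff 0x0800 0 0.0.0.0 68 255.255.255.255 67 17
00:c1:28:01:65:77 ff:ff:ff:ff:ff:ff 0x0800 0 0.0.0.0 68 255.255.255.255 67 17
00:13:c3:df:ae:18 00:1b:d4:1b:a4:d8 0x0800 118 10.118.10.1 0 10.118.10.2 0 1
00:13:c3:df:ae:18 00:1b:d4:1b:a4:d8 0x0800 209 10.118.10.1 0 10.118.10.2 0 1'

# list_flows MODE: print "packets key" for every distinct flow under MODE
#   5tuple -> srcIP, srcPort, dstIP, dstPort, l4Proto
#   vlan   -> 5tuple + VLAN id
#   eth    -> vlan key + ethType + srcMac + dstMac   (what ETH_ACTIVATE=2 adds)
list_flows() {
    printf '%s\n' "$PKTS" | awk -v mode="$1" '
    function flowkey(    k) {
        k = $5 ":" $6 "->" $7 ":" $8 "/" $9
        if (mode == "vlan" || mode == "eth") k = k " vlan=" $4
        if (mode == "eth") k = k " " $3 " " $1 "->" $2
        return k
    }
    { k = flowkey(); if (!(k in pkts)) order[++n] = k; pkts[k]++ }
    END { for (i = 1; i <= n; i++) print pkts[order[i]], order[i] }'
}

# count_flows MODE: number of distinct flows under MODE
count_flows() {
    list_flows "$1" | awk 'END { print NR }'
}

# max_mac_pairs: largest number of distinct MAC pairs inside one 5-tuple flow,
# i.e. the macPairs value the tutorial selects on, computed here by hand
max_mac_pairs() {
    printf '%s\n' "$PKTS" | awk '
    {
        flow = $5 SUBSEP $6 SUBSEP $7 SUBSEP $8 SUBSEP $9
        pair = $1 "_" $2
        if (!((flow, pair) in seen)) { seen[flow, pair] = 1; pairs[flow]++ }
    }
    END { max = 0; for (f in pairs) if (pairs[f] > max) max = pairs[f]; print max }'
}

for m in 5tuple vlan eth; do
    echo "== $m: $(count_flows "$m") flows"
    list_flows "$m"
done
echo "max MAC pairs in one 5-tuple flow: $(max_mac_pairs)"
```

Under the 5-tuple the DHCP packets from both hosts land in one flow with macPairs 2; adding the MAC pair to the key splits that flow in two and macPairs drops to 1 everywhere, which is exactly why the second run reports one flow more and the macPairs > 1 query comes back empty.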
SCTP modes
Already covered in the SCTP tutorial.
Header description
Now let's switch off the header description, which is very convenient but costs performance. Note that you also need to rebuild basicFlow, as it implements the T2_PRI_HDRDESC switch as well. So the safest is to rebuild all plugins plus the core.
t2conf tranalyzer2 -D T2_PRI_HDRDESC=0 && t2build -R
t2 -r ~/data/802.1Q_tunneling.cap -w ~/results/
In the end report the header count with min, max, ave is gone. In the flow file the description of the headers is gone too, but you still have the flowStat bit encoding.
tcol ~/results/802.1Q_tunneling_flows.txt
%dir flowInd flowStat timeFirst timeLast duration srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto macStat macPairs srcMac_dstMac_numP srcManuf_dstManuf numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpStates connSip connDip connSipDip connSipDprt connF
A 1 0x0400000000004100 1277840495.135052 1277840495.141708 0.006656 00:13:c3:df:ae:18 00:1b:d4:1b:a4:d8 0x0800 118;10 10.118.10.1 04 "Private network" 0 10.118.10.2 04 "Private network" 0 1 0x00 1 00:13:c3:df:ae:18_00:1b:d4:1b:a4:d8_5 Cisco_Cisco 5 5 360 360 72 72 72 0 0 0.00188 0.0013312 0.0004990491 751.2019 54086.54 0 0 0x00 1 1 2 2 2
B 1 0x0400000000004101 1277840495.135910 1277840495.142543 0.006633 00:1b:d4:1b:a4:d8 00:13:c3:df:ae:18 0x0800 118;10 10.118.10.2 04 "Private network" 0 10.118.10.1 04 "Private network" 0 1 0x00 1 00:1b:d4:1b:a4:d8_00:13:c3:df:ae:18_5 Cisco_Cisco 5 5 360 360 72 72 72 0 0 0.001721 0.0013266 0.0005040318 753.8067 54274.09 0 0 0x00 1 1 1 1 1
A 2 0x0400000000004100 1277840503.708352 1277840503.714432 0.006080 00:19:aa:7d:e6:88 00:21:55:c8:f1:3c 0x0800 209;20 10.209.20.3 04 "Private network" 0 10.209.20.4 04 "Private network" 0 1 0x00 1 00:19:aa:7d:e6:88_00:21:55:c8:f1:3c_5 Cisco_Cisco 5 5 360 360 72 72 72 0 0 0.001733 0.001216 0.0004763269 822.3684 59210.52 0 0 0x00 1 1 2 2 2
B 2 0x0400000000004101 1277840503.709181 1277840503.715133 0.005952 00:21:55:c8:f1:3c 00:19:aa:7d:e6:88 0x0800 209;20 10.209.20.4 04 "Private network" 0 10.209.20.3 04 "Private network" 0 1 0x00 1 00:21:55:c8:f1:3c_00:19:aa:7d:e6:88_5 Cisco_Cisco 5 5 360 360 72 72 72 0 0 0.001666 0.0011904 0.0004731365 840.0538 60483.87 0 0 0x00 1 1 1 1 1
A 3 0x0000000000000104 1277840510.969363 1277840510.969363 0.000000 00:13:c3:df:ae:18 01:00:0c:cd:cd:d0 0x2000 118 0.0.0.0 - "-" 0 0.0.0.0 - "-" 0 0 0x00 1 00:13:c3:df:ae:18_01:00:0c:cd:cd:d0_1 Cisco_- 1 0 349 0 349 349 349 0 0 0 0 0 0 0 1 1 0x00 0 0 0 0 0
A 4 0x0000000000000104 1277840511.384783 1277840511.384783 0.000000 00:19:aa:7d:e6:88 01:00:0c:cd:cd:d0 0x2000 209 0.0.0.0 - "-" 0 0.0.0.0 - "-" 0 0 0x00 1 00:19:aa:7d:e6:88_01:00:0c:cd:cd:d0_1 Cisco_- 1 0 347 0 347 347 347 0 0 0 0 0 0 0 1 1 0x00 0 0 0 0 0
A 5 0x0000000000000004 1277840525.369320 1277840525.369320 0.000000 00:0f:34:5f:16:8d 01:00:0c:cc:cc:cc 0x2000 0.0.0.0 - "-" 0 0.0.0.0 - "-" 0 0 0x00 1 00:0f:34:5f:16:8d_01:00:0c:cc:cc:cc_1 Cisco_- 1 0 353 0 353 353 353 0 0 0 0 0 0 0 1 1 0x00 0 0 0 0 0
A 6 0x0000000000000004 1277840525.404193 1277840525.404193 0.000000 00:13:c4:12:0f:0d 01:00:0c:cc:cc:cc 0x2000 0.0.0.0 - "-" 0 0.0.0.0 - "-" 0 0 0x00 1 00:13:c4:12:0f:0d_01:00:0c:cc:cc:cc_1 Cisco_- 1 0 353 0 353 353 353 0 0 0 0 0 0 0 1 1 0x00 0 0 0 0 0
A 7 0x0000000000000104 1277840528.106320 1277840528.106320 0.000000 00:1b:d4:1b:a4:d8 01:00:0c:cd:cd:d0 0x2000 118 0.0.0.0 - "-" 0 0.0.0.0 - "-" 0 0 0x00 1 00:1b:d4:1b:a4:d8_01:00:0c:cd:cd:d0_1 Cisco_- 1 0 349 0 349 349 349 0 0 0 0 0 0 0 1 1 0x00 0 0 0 0 0
A 8 0x0000000000000104 1277840530.538713 1277840530.538713 0.000000 00:21:55:c8:f1:3c 01:00:0c:cd:cd:d0 0x2000 209 0.0.0.0 - "-" 0 0.0.0.0 - "-" 0 0 0x00 1 00:21:55:c8:f1:3c_01:00:0c:cd:cd:d0_1 Cisco_- 1 0 347 0 347 347 347 0 0 0 0 0 0 0 1 1 0x00 0 0 0 0 0
Now switch the header description back on but switch off the header aggregation, so unlike the default config each header is now printed instead of an aggregated count.
t2conf tranalyzer2 -D T2_PRI_HDRDESC=1 -D T2_HDRDESC_AGGR=0 && t2build -R
t2 -r ~/data/802.1Q_tunneling.cap -w ~/results/
...
--------------------------------------------------------------------------------
basicStats: Biggest L2 talker: 00:13:c3:df:ae:18: 1 [3.85%] packets
basicStats: Biggest L2 talker: 00:13:c3:df:ae:18: 375 [8.00%] bytes
basicStats: Biggest L3 talker: 10.118.10.1: 5 [19.23%] packets
basicStats: Biggest L3 talker: 10.118.10.1: 610 [13.02%] bytes
connStat: Number of unique source IPs: 2
connStat: Number of unique destination IPs: 2
connStat: Number of unique source/destination IPs connections: 2
connStat: Max unique number of source IP / destination port connections: 2
connStat: IP prtcon/sdcon, prtcon/scon: 1.000000, 1.000000
connStat: Source IP with max connections: 10.118.10.1: 1 connections
connStat: Destination IP with max connections: 10.118.10.2: 1 connections
--------------------------------------------------------------------------------
Headers count: min: 3, max: 5, average: 4.69
Max VLAN header count: 2
Number of LLC packets: 6 [23.08%]
Number of GRE packets: 6 [23.08%]
Number of ICMP packets: 20 [76.92%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...
The headers count is back; note the vlan:vlan instead of vlan{2} in the flow file below.
tcol ~/results/802.1Q_tunneling_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto macStat macPairs srcMac_dstMac_numP srcMacLbl_dstMacLbl numPktsSnt numPktsRcvd numBytesSnt numBytesRcvd minPktSz maxPktSz avePktSize stdPktSize minIAT maxIAT aveIAT stdIAT pktps bytps pktAsm bytAsm tcpStatesAFlags connSip connDip connSipDip connSipDprt connF
A 1 0x0400000000004100 1277840495.135052 1277840495.141708 0.006656 1 5 eth:vlan:vlan:ipv4:icmp 00:13:c3:df:ae:18 00:1b:d4:1b:a4:d8 0x0800 118;10 10.118.10.1 04 "Private network" 0 10.118.10.2 04 "Private network" 0 1 0x00 1 00:13:c3:df:ae:18_00:1b:d4:1b:a4:d8_5 CiscoSyst,US_CiscoSyst,US 5 5 360 360 72 72 72 0 0 0.00188 0.0013312 0.0004990491 751.2019 54086.54 0 0 0x00 1 1 2 2 2
B 1 0x0400000000004101 1277840495.135910 1277840495.142543 0.006633 1 5 eth:vlan:vlan:ipv4:icmp 00:1b:d4:1b:a4:d8 00:13:c3:df:ae:18 0x0800 118;10 10.118.10.2 04 "Private network" 0 10.118.10.1 04 "Private network" 0 1 0x00 1 00:1b:d4:1b:a4:d8_00:13:c3:df:ae:18_5 CiscoSyst,US_CiscoSyst,US 5 5 360 360 72 72 72 0 0 0.001721 0.0013266 0.0005040318 753.8067 54274.09 0 0 0x00 1 1 1 1 1
A 2 0x0400000000004100 1277840503.708352 1277840503.714432 0.006080 1 5 eth:vlan:vlan:ipv4:icmp 00:19:aa:7d:e6:88 00:21:55:c8:f1:3c 0x0800 209;20 10.209.20.3 04 "Private network" 0 10.209.20.4 04 "Private network" 0 1 0x00 1 00:19:aa:7d:e6:88_00:21:55:c8:f1:3c_5 CiscoSyst,US_CiscoSyst,US 5 5 360 360 72 72 72 0 0 0.001733 0.001216 0.0004763269 822.3684 59210.52 0 0 0x00 1 1 2 2 2
B 2 0x0400000000004101 1277840503.709181 1277840503.715133 0.005952 1 5 eth:vlan:vlan:ipv4:icmp 00:21:55:c8:f1:3c 00:19:aa:7d:e6:88 0x0800 209;20 10.209.20.4 04 "Private network" 0 10.209.20.3 04 "Private network" 0 1 0x00 1 00:21:55:c8:f1:3c_00:19:aa:7d:e6:88_5 CiscoSyst,US_CiscoSyst,US 5 5 360 360 72 72 72 0 0 0.001666 0.0011904 0.0004731365 840.0538 60483.87 0 0 0x00 1 1 1 1 1
A 3 0x0000000000000104 1277840510.969363 1277840510.969363 0.000000 1 4 eth:vlan:llc:cdp 00:13:c3:df:ae:18 01:00:0c:cd:cd:d0 0x2000 118 0.0.0.0 - "-" 0 0.0.0.0 - "-" 0 0 0x00 1 00:13:c3:df:ae:18_01:00:0c:cd:cd:d0_1 CiscoSyst,US_- 1 0 349 0 349 349 349 0 0 0 0 0 0 0 1 1 0x00 0 0 0 0 0
A 4 0x0000000000000104 1277840511.384783 1277840511.384783 0.000000 1 4 eth:vlan:llc:cdp 00:19:aa:7d:e6:88 01:00:0c:cd:cd:d0 0x2000 209 0.0.0.0 - "-" 0 0.0.0.0 - "-" 0 0 0x00 1 00:19:aa:7d:e6:88_01:00:0c:cd:cd:d0_1 CiscoSyst,US_- 1 0 347 0 347 347 347 0 0 0 0 0 0 0 1 1 0x00 0 0 0 0 0
A 5 0x0000000000000004 1277840525.369320 1277840525.369320 0.000000 1 3 eth:llc:cdp 00:0f:34:5f:16:8d 01:00:0c:cc:cc:cc 0x2000 0.0.0.0 - "-" 0 0.0.0.0 - "-" 0 0 0x00 1 00:0f:34:5f:16:8d_01:00:0c:cc:cc:cc_1 CiscoSyst,US_CDP 1 0 353 0 353 353 353 0 0 0 0 0 0 0 1 1 0x00 0 0 0 0 0
A 6 0x0000000000000004 1277840525.404193 1277840525.404193 0.000000 1 3 eth:llc:cdp 00:13:c4:12:0f:0d 01:00:0c:cc:cc:cc 0x2000 0.0.0.0 - "-" 0 0.0.0.0 - "-" 0 0 0x00 1 00:13:c4:12:0f:0d_01:00:0c:cc:cc:cc_1 CiscoSyst,US_CDP 1 0 353 0 353 353 353 0 0 0 0 0 0 0 1 1 0x00 0 0 0 0 0
A 7 0x0000000000000104 1277840528.106320 1277840528.106320 0.000000 1 4 eth:vlan:llc:cdp 00:1b:d4:1b:a4:d8 01:00:0c:cd:cd:d0 0x2000 118 0.0.0.0 - "-" 0 0.0.0.0 - "-" 0 0 0x00 1 00:1b:d4:1b:a4:d8_01:00:0c:cd:cd:d0_1 CiscoSyst,US_- 1 0 349 0 349 349 349 0 0 0 0 0 0 0 1 1 0x00 0 0 0 0 0
A 8 0x0000000000000104 1277840530.538713 1277840530.538713 0.000000 1 4 eth:vlan:llc:cdp 00:21:55:c8:f1:3c 01:00:0c:cd:cd:d0 0x2000 209 0.0.0.0 - "-" 0 0.0.0.0 - "-" 0 0 0x00 1 00:21:55:c8:f1:3c_01:00:0c:cd:cd:d0_1 CiscoSyst,US_- 1 0 347 0 347 347 347 0 0 0 0 0 0 0 1 1 0x00 0 0 0 0 0
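As an added example (not Tranalyzer code), the following awk reproduces the effect of T2_HDRDESC_AGGR on the hdrDesc column: with aggregation on, a run of identical headers is written once with a repeat count (eth:vlan:vlan:ipv4:icmp becomes eth:vlan{2}:ipv4:icmp), with it off every header is printed, and numHdrs is the plain header count either way. Because the page's own aggregated output still shows eth:ipv4:ipv4:tcp rather than ipv4{2}, the example collapses only the header names listed in AGGR_HDRS (vlan by default); that list is an assumption of this example, not the core's documented rule.

```shell
#!/bin/sh
# Added example, not Tranalyzer code. Which headers get collapsed is an
# assumption of this example (the page only shows vlan{2}); override with
# AGGR_HDRS="vlan mpls" if you want to experiment.
AGGR_HDRS="${AGGR_HDRS:-vlan}"

# hdrdesc DESC AGGR: print DESC with repeated headers collapsed when AGGR=1
# (the T2_HDRDESC_AGGR=1 form) and unchanged when AGGR=0
hdrdesc() {
    printf '%s\n' "$1" | awk -v aggr="${2:-1}" -v list="$AGGR_HDRS" -F: '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) collapse[a[i]] = 1 }
    # emit(h, c): one header h seen c times in a row, as ":h" or ":h{c}"
    function emit(h, c) {
        if (c == 0) return ""
        return ":" h (c > 1 ? "{" c "}" : "")
    }
    {
        if (!aggr) { print; next }
        out = ""; prev = ""; cnt = 0
        for (i = 1; i <= NF; i++) {
            if ($i == prev && ($i in collapse)) { cnt++; continue }
            out = out emit(prev, cnt)
            prev = $i; cnt = 1
        }
        out = out emit(prev, cnt)
        print substr(out, 2)           # drop the leading ":"
    }'
}

# num_hdrs DESC: the numHdrs column, i.e. the number of headers traversed
num_hdrs() {
    printf '%s\n' "$1" | awk -F: '{ print NF }'
}

for d in eth:vlan:vlan:ipv4:icmp eth:vlan:llc:cdp eth:ipv4:ipv4:tcp; do
    echo "$(num_hdrs "$d") headers  aggr=1: $(hdrdesc "$d" 1)  aggr=0: $(hdrdesc "$d" 0)"
done
```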
Conclusion
Play around a bit with the different modes applied to other pcaps, and do not forget to reset the core to the default mode for the other tutorials and recompile the loaded plugins, as they also implement the IPV6_ACTIVATE and ETH_ACTIVATE constants.
t2conf tranalyzer2 -D IPV6_ACTIVATE=2 -D ETH_ACTIVATE=1 -D T2_PRI_HDRDESC=1 -D T2_HDRDESC_AGGR=1
t2build -R
Or use the new command:
t2conf --reset tranalyzer2
Have fun experimenting with the Anteater!