Plugin geo labeling
Contents
Introduction
Since version 0.8.8, all subnet processing is provided by the core. Meaning that every plugin can now profit from its services and no dependencies to basicFlow are necessary anymore. Thus, it became easier to write your own geo plugins. This is what we will do now in this tutorial. Moreover an introduction to the IPv4/6 flow processing is integrated in the tutorial.
Getting started
Create folders for your data and results
If you have not created a separate data and results directory yet, please do it now. This will greatly facilitate your workflow:
mkdir ~/data ~/results
Reset tranalyzer2 and the plugins configuration
If you have followed the other tutorials, you may have modified some of the core and plugins configuration. To ensure your results match those in this tutorial, make sure to reset everything:
t2conf -a --reset
You can also clean all build files:
t2build -a -c
Empty the plugin folder
To ensure we are not left with some unneeded plugins or plugins which were built using different core configuration, it is safer to empty the plugins folder:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/user/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Download the PCAP file
The PCAP file used in this tutorial can be downloaded here:
Please save it in your ~/data folder:
wget --no-check-certificate -P ~/data https://tranalyzer.com/download/data/annoloc2.pcap
Build tranalyzer2 and the required plugins
For this tutorial, we will need to build the core (tranalyzer2) and the following plugins:
As you may have modified some of the automatically generated files, it is safer to use the -r and -f options.
...
BUILDING SUCCESSFUL
Source code
In this tutorial, we will extend tcpWin07.tar.gz, the final version of the previous tutorial (Plugin summary files).
If you are impatient, you can download the final versions of the tcpWin plugin we will develop in this tutorial.
To use one of those plugins, just unpack it in the plugins folder of your T2 installation.
tranpl
tar -xf ~/Downloads/tcpWin08.tar.gz
And let t2_aliases know about it:
source "$T2HOME/scripts/t2_aliases"
The core subnet processing
As subnet processing is now part of the core, the flow and packet structure provides an index to the global IPv4/6 subnet table. That means we have now also to take care of different IP versions and core configuration, which I avoided so far for simplicity.
tranalyzer2
vi src/flow.h
...
#if SUBNET_INIT != 0
uint32_t subnetNrSrc; // <--
uint32_t subnetNrDst; // <--
#endif // SUBNET_INIT != 0
...Hence, the user can access the subnet index for the src and dest address via the flow structure:
flowP->subnetNrSrcflowP->subnetNrDst
The same is accessible in the packet structure, see // <--
vi src/packet.h
...
#if ((SUBNET_INIT != 0) || (AGGREGATIONFLAG & (SUBNET | SRCIP | DSTIP)))
#if IPV6_ACTIVATE > 0
ipAddr_t srcIPC;
ipAddr_t dstIPC;
#else // IPV6_ACTIVATE == 0
ip4Addr_t srcIPC;
ip4Addr_t dstIPC;
#endif // IPV6_ACTIVATE == 0
uint32_t subnetNrSrc;
uint32_t subnetNrDst;
uint16_t srcPortC;
uint16_t dstPortC;
uint8_t l4ProtoC;
#endif // ((SUBNET_INIT != 0) || (AGGREGATIONFLAG & (SUBNET | SRCIP | DSTIP)))
...In your program, e.g., at the t2OnLayer4() callback, you access the index
via the packet structure:
packet->subnetNrSrcpacket->subnetNrDst
That’s it. So how do I convert this ominous index to viable subnet information? Easy, use the following macros (defined in $T2HOME/utils/subnetHL.h):
const uint32_t num = packet->subnetNrSrc;
const uint_fast8_t ipver = PACKET_IPVER(packet);
SUBNET_ASN(dest, ipver, num) // Autonomous System Number
SUBNET_LOC(dest, ipver, num) // Country
SUBNET_CNTY(dest, ipver, num) // County
SUBNET_CTY(dest, ipver, num) // City
SUBNET_ORG(dest, ipver, num) // Organization
SUBNET_NETID(dest, ipver, num) // Hex code
SUBNET_LAT(dest, ipver, num) // Latitude
SUBNET_LNG(dest, ipver, num) // Longitude
SUBNET_PREC(dest, ipver, num) // PrecisionYour code must react to the following core switches, in order to avoid compiler errors or unexpected results if you reconfigure tranalyzer core.
It is advisable to read the following tutorials first, if you feel uneasy about these core configurations:
Enabling switches reside in tranalyzer.h and main.h:
| Flag | Description | File |
|---|---|---|
IPV6_ACTIVATE |
Controls the focus on IPv4/6 or both | tranalyzer.h |
SUBNET_ON |
Enables the subnet functions in the core | main.h |
AGGREGATIONFLAG |
Controls aggregation modes of flows. | main.h |
The code SUBNET=0x80 enables also subnet functions like SUBNET_ON. |
main.h | |
SUBNET_INIT |
Switch for plugin programmers enabling subnet functions. | main.h |
A logical OR of SUBNET_ON and SUBNET. |
main.h |
tranalyzer2
vi src/networkHeaders.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define IPV6_ACTIVATE 2 // 0: IPv4 only
// 1: IPv6 only
// 2: dual mode
...vi src/tranalyzer.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
...
#define SUBNET_ON 1 // Core control of subnet function for plugins
/* -------------------------------------------------------------------------- */
/* -------------------- DO NOT EDIT THE FOLLOWING BLOCKS -------------------- */
/* -------------------------------------------------------------------------- */
// Aggregation modes
#define L4PROT 0x01
#define DSTPORT 0x02
#define SRCPORT 0x04
#define DSTIP 0x08
#define SRCIP 0x10
#define VLANID 0x20
#define SUBNET 0x80
// SUBNET mode: IP flow aggregation network masks
#define CNTRY_MSK 0xff800000
#define TOR_MSK 0x00400000
#define ORG_MSK 0x003fffff
#define NETIDMSK (CNTRY_MSK | ORG_MSK) // netID mask
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
// Flow Aggregation
#define AGGREGATIONFLAG 0x00 // each bit: 1: aggregation activated
// (see aggregation modes defined above)
...
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
#define SUBNET_INIT (SUBNET_ON | (AGGREGATIONFLAG & SUBNET))
#endif // T2_TRANALYZER_H_INCLUDEDWe leave everything at default.
An important part for a programmer are the macros T2 supplies to facilitate subnet tests and information extraction. They also shield the user from the global table pointers defined in the core main.c. These pointers contain the IPv4/6 subnet file information according to the users configuration in subnetHL.h.
utils
vi src/subnetHL.h
...
#if SUBNET_INIT != 0
void *subnetTableP[2];
#if IPV6_ACTIVATE == 0 || IPV6_ACTIVATE == 2
subnettable4_t *subnetTable4P;
#endif
#if IPV6_ACTIVATE > 0
subnettable6_t *subnetTable6P;
#endif
#endif // SUBNET_INIT != 0
...The definition of the IPv4/6 structs is located at the end of the subnetHL.h
in the utils folder. Note that CNTYCTY is switched off by default, saving space
in the binary subnet file.
The said macros are defined in the middle part of subnetHL.h. Nevertheless, you may use the global pointers to access any info using the supplied index. Your choice.
utils
vi subnetHL.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define SUBRNG 0 // IP range definition: 0: CIDR only, 1: Begin-End
#define CNTYCTY 0 // 1: add county, city
#define WHOADDR 0 // 1: add whois address info
#define SUB_MAP 1 // 1: mmap subnet, 0: normal read
#define CNTYLEN 14 // length of County record
#define CTYLEN 14 // length of City record
#define WHOLEN 30 // length of Organization record
#define ADDRLEN 30 // length of Address record
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
#define SUBNET_UNK "-" // Representation of unknown locations
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...That is all you need to know for now. Let’s implement geo stuff now.
Implementing IPv4/6 switches in t2OnFlowTerminate()
Open tcpGeoWin.c and scroll to t2OnFlowTerminate().
The other callbacks before are the same as in previous tutorials.
We want to detect all packets where the window size is below TCPWIN_THRES
and store it in the gwz structure if the count for an IP address is higher
than the previous one.
As indicated by // <-- the flowP->subnetNrSrc contains the subnet index for
the specific IP address provided by the core. That is all you need to access.
Easy he?
We store it in the gwz.sID[i] for later processing. The macro FLOW_IS_IPV4 tests
the flow status for the IPv4/6 bit. We need it in order to store the IPv4/6 address
appropriately. The switch IPV6_ACTIVATE > 0 covers the different modes of tranalyzer
IPv4 only, IPv6 only or both. Same for the storage of the IP’s below.
The switch SUBNET_ON != 0 && (AGGREGATIONFLAG & SUBNET) == 0 activates the code
only if core processes subnets and no aggregation mode is on, as we only
want the standard case here, where we have only one IP per flow.
Yes I could produce a simpler switch for that, will do that later.
tcpWin
vi src/tcpWin.c
...
void t2OnFlowTerminate(unsigned long flowIndex, outputBuffer_t *buf) {
const tcpWinFlow_t * const tcpWinFlowP = &tcpWinFlows[flowIndex];
float f = 0.0;
if (tcpWinFlowP->pktTcpCnt) {
f = (float)tcpWinFlowP->winThCnt/(float)tcpWinFlowP->pktTcpCnt;
pktTcpCnt += tcpWinFlowP->pktTcpCnt; // Count all TCP packets
}
OUTBUF_APPEND_U8(buf, tcpWinFlowP->stat);
OUTBUF_APPEND_U8(buf, tcpWinFlowP->ttl);
OUTBUF_APPEND_U32(buf, tcpWinFlowP->tcpWinInit);
OUTBUF_APPEND_U32(buf, tcpWinFlowP->winThCnt);
OUTBUF_APPEND_FLT(buf, f);
const flow_t * const flowP = &flows[flowIndex];
if (!FLOW_IS_IPV4(flowP)) return; // IPv4 only
if (tcpWinFlowP->winThCnt == 0 || tcpWinFlowP->pktTcpCnt < TCPWIN_MINPKTS) return;
const int wzi = gwz.wzi; // store element count in const local variable, makes the compiler happy
if (wzi >= TCPWIN_MAXWSCNT) return; // If array full, stop saving
int i;
for (i = 0; i < wzi; i++) {
if (gwz.wzip[i].IPv4.s_addr == flowP->srcIP.IPv4.s_addr) break; // does IP exist?
}
if (f > gwz.wzCnt[i]) { // only update if count is greater than the previous one
gwz.tcpCnt[i] = tcpWinFlowP->pktTcpCnt; // update TCP packet count
gwz.wzCnt[i] = f; // update relative count
if (i == wzi) { // new one?
gwz.wzip[i] = flowP->srcIP; // save new IP
#if SUBNET_ON != 0 && (AGGREGATIONFLAG & SUBNET) == 0 // <--
gwz.sID[i] = flowP->subnetNrSrc; // <-- save subnetID from core
#endif // SUBNET_ON != 0 && (AGGREGATIONFLAG & SUBNET) == 0 // <--
gwz.wzi++; // increment global window size counter
}
}
}One flow variable access and you have all subnet info you need.
The configuration is located in tcpGeoWin.h. Most of it we already know from
earlier tutorials. New is the subnet ID sID in the gwz_t struct.
Look for the // <--
vi src/tcpWin.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define TCPWIN_THRES 1 // TCP window threshold for packet counts
#define TCPWIN_MINPKTS 50 // Summary file: minimal TCP packets seen to start saving process
#define TCPWIN_MAXWSCNT 100 // Summary file: maximal number of window size threshold count array elements
#define TCPWIN_SUFFIX "_tcpwin.txt" // Summary file: file name suffix
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
// plugin defines
// tcpWinStat status variable
#define TCPWIN_STAT_THU 0x1 // TCP window threshold undershoot
// Structure
typedef struct {
ipAddr_t wzip [TCPWIN_MAXWSCNT]; // IP address array
#if SUBNET_ON != 0 && (AGGREGATIONFLAG & SUBNET) == 0 // <--
uint32_t sID [TCPWIN_MAXWSCNT]; // <-- subnetID
#endif // SUBNET_ON != 0 && (AGGREGATIONFLAG & SUBNET) == 0 // <--
uint32_t tcpCnt[TCPWIN_MAXWSCNT]; // TCP packet count
float wzCnt [TCPWIN_MAXWSCNT]; // window size count
int wzi; // window size index
} gwz_t;
// Plugin structure
typedef struct { // always large variables first to limit memory fragmentation
uint32_t pktTcpCnt; // flow TCP packet count
uint32_t tcpWinInit; // initial window size
uint32_t winThCnt; // packet count window size below threshold
uint8_t ttl; // TTL
uint8_t stat; // status
} tcpWinFlow_t;
...Adding subnet info to the summary file
After the free call for that tcpWinFlows struct we open the
file TCPWIN_SUFFIX. As above we select the output of
subnet info only if subnet activated and standard flow aggregation.
The macro T2_IP_TO_STR converts IPv4/6 addresses to human
readable strings. SUBNET_LOC and SUBNET_WHO select the country code
and the organization given the stored subnet index. That is
all you need, and you are done. Look for // <--
vi src/tcpWin.c
void t2Finalize() {
free(tcpWinFlows);
// open tcpWin statistics file
FILE *fp = t2_fopen_with_suffix(baseFileName, TCPWIN_SUFFIX, "w");
if (UNLIKELY(!fp)) return; // return if file could not be opened
#if SUBNET_ON != 0 && (AGGREGATIONFLAG & SUBNET) == 0 // <-- compile only if SUBNET core is on and no aggregation mode
fprintf(fp, "# IP\tCntry\tOrg\tpktTcpCnt\twinRelThCnt\n"); // <-- print header
#else // SUBNET_ON == 0 || (AGGREGATIONFLAG & SUBNET) != 0 // <--
fprintf(fp, "# IP\tpktTcpCnt\twinRelThCnt\n"); // print header
#endif // SUBNET_ON != 0 && (AGGREGATIONFLAG & SUBNET) == 0 // <-- compile only if SUBNET core is on and no aggregation mode
char srcIP[INET_ADDRSTRLEN];
for (int i = 0; i < gwz.wzi; i++) {
t2_ipv4_to_str(gwz.wzip[i].IPv4, srcIP, INET_ADDRSTRLEN); // convert IP to string
#if SUBNET_ON != 0 && (AGGREGATIONFLAG & SUBNET) == 0 // <-- compile only if SUBNET core is on and no aggregation mode
char *loc, *org; // <--
SUBNET_LOC(loc, 4, gwz.sID[i]); // <-- get country for IP
SUBNET_ORG(org, 4, gwz.sID[i]); // <-- get organization for IP
fprintf(fp, "%s\t%s\t%s\t%" PRIu32 "\t%f\n", // <-- print in file
srcIP, loc, org, gwz.tcpCnt[i], gwz.wzCnt); // <--
#else // many IP's / flow // <--
fprintf(fp, "%s\t%" PRIu32 "\t%f\n", // print in file
srcIP, gwz.tcpCnt[i], gwz.wzCnt[i]);
#endif // SUBNET_ON != 0 && (AGGREGATIONFLAG & SUBNET) == 0 // <--
}
fclose(fp);
}Two macros and you are subnet ready.
Adding subnet info to t2PluginReport() callback
Adding subnet info in the end report is straightforward, using the same switches as above.
void t2PluginReport(FILE *stream) {
if (winThCntG) {
T2_FPLOG_AGGR_HEX(stream, plugin_name, tcpWinStat);
T2_FPLOG_NUMP(stream, plugin_name,
"Number of TCP winsize packets below threshold " STR(TCPWIN_THRES),
winThCntG, pktTcpCnt);
// <-- Add the following 'if'
if (gwz.wzi) {
uint32_t gzCM = gwz.wzCnt[0];
uint32_t gzi = 0;
// find IP with largest ipCnt
for (int i = 0; i < gwz.wzi; i++) {
if (gwz.wzCnt[i] > gzCM) {
gzCM = gwz.wzCnt[i];
gzi = i;
}
}
char srcIP[INET_ADDRSTRLEN];
t2_ipv4_to_str(gwz.wzip[gzi].IPv4, srcIP, sizeof(srcIP));
#if SUBNET_ON != 0 && (AGGREGATIONFLAG & SUBNET) == 0
char *loc, *org;
SUBNET_LOC(loc, ipver, gwz.sID[gzi]); // <-- get country for IP
SUBNET_ORG(org, ipver, gwz.sID[gzi]); // <-- get organization for IP
T2_FPLOG(stream, plugin_name, "IP: %s, country: %s, org: %s", srcIP, loc, org);
#else // many IP's / flow
T2_FPLOG(stream, plugin_name, "IP: %s", srcIP);
#endif // SUBNET_ON != 0 && (AGGREGATIONFLAG & SUBNET) == 0
}
}
}After you edited the skeleton code you should compare your implementation with tcpWin08.tar.gz.
So you are all set. Compile and run t2:
t2build tcpWin
t2 -r ~/data/annoloc2.pcap -w ~/results================================================================================ Tranalyzer 0.9.0 (Anteater), Cobra. PID: 17736, SID: 666 ================================================================================ [INF] Creating flows for L2, IPv4, IPv6 Active plugins: 01: basicFlow, 0.9.0 02: tcpGeoWin, 0.9.0 03: txtSink, 0.9.0 [INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481503 (481.50 K) [INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41497 (41.50 K) Processing file: /home/wurst/data/annoloc2.pcap Link layer type: Ethernet [EN10MB/1] Snapshot length: 66 Dump start: 1022171701.691172000 sec (Thu 23 May 2002 16:35:01 GMT) [WRN] snapL2Length: 54 - snapL3Length: 40 - IP length in header: 1500 ... -------------------------------------------------------------------------------- tcpWin: Aggregated tcpWinStat=0x01 tcpWin: Number of TCP winsize packets below threshold 1: 2415 (2.42 K) [0.25%] tcpWin: IP: 138.212.187.203, country: jp, org: ASAHI KASEI CORPORATION -------------------------------------------------------------------------------- ...
So you have the basicFlow geo location output and the tcpWin output in the end report as well as additional info in the *_tcpwin.txt* summary file.
If the file is too big you may sort by the 4th column, the TCP window threshold count (winRelThCnt).
tawk -s '#' 't2sort(winRelThCnt)' ~/results/annoloc2_tcpwin.txt
# IP Country Org pktTcpCnt winRelThCnt
138.212.187.203 jp ASAHI KASEI CORPORATION 72 1.000000
36.152.156.46 cn China Mobile Communications Co 79 0.962025
216.237.125.166 us Infortech Corporation 429 0.489510
216.217.165.245 us Windstream Communications LLC 52 0.269231
138.212.186.191 jp ASAHI KASEI CORPORATION 251 0.247012
138.212.185.150 jp ASAHI KASEI CORPORATION 195 0.246154
138.212.186.160 jp ASAHI KASEI CORPORATION 205 0.229268
138.212.186.52 jp ASAHI KASEI CORPORATION 162 0.203704
200.44.192.225 ve CANTV Servicios 315 0.196825
201.98.31.61 mx Uninet SA de CV 388 0.164948
216.56.159.22 us WiscNet 95 0.157895
138.212.186.60 jp ASAHI KASEI CORPORATION 140 0.150000
201.9.136.60 br Telemar Norte Leste SA 197 0.142132
193.87.5.62 sk AS2607-MNT 235 0.140426
201.9.140.14 br Telemar Norte Leste SA 194 0.123711
19.112.1.129 us MAINT-APNIC-AP 78 0.115385
138.212.185.186 jp ASAHI KASEI CORPORATION 74 0.094595
212.88.230.156 be TELENET-OPS-MNT 131 0.045802
201.123.124.98 mx Gestión de direccionamiento 340 0.041176
193.86.108.236 cz AS13036-MNT 847 0.035419
138.212.185.98 jp ASAHI KASEI CORPORATION 133 0.030075
200.50.55.138 cl TELEFONICA CHILE SA 87 0.022989
200.50.132.98 bb Infinetworx Caribbean Inc 111 0.018018
193.87.239.57 sk Provider Local Registry 365 0.016438
83.42.68.176 es Telefonica de Espana SAU 62 0.016129
200.32.26.254 ar Telecom Argentina SA 250 0.016000
19.123.222.7 us MAINT-APNIC-AP 72 0.013889
138.212.188.204 jp ASAHI KASEI CORPORATION 73 0.013699
193.87.97.162 sk AS2607-MNT 843 0.011862
138.212.191.84 jp ASAHI KASEI CORPORATION 92 0.010870
133.26.84.187 jp Meiji University 2079 0.009620
209.132.7.75 us Simple Network Communications 114 0.008772
193.104.31.16 fr OVER-LINK-MNT 133 0.007519
193.87.112.223 sk AS2607-MNT 957 0.005225
209.147.223.37 us Institutions of Higher Learnin 244 0.004098
138.212.188.66 jp ASAHI KASEI CORPORATION 249 0.004016
192.224.45.42 us CDK Global 719 0.002782
70.5.118.83 us Sprint Fort Worth POP 415 0.002410
83.128.136.224 nl CAIW Internet 977 0.002047
36.89.79.225 id PT Telekomunikasi Indonesia 538 0.001859
138.212.184.48 jp ASAHI KASEI CORPORATION 1081 0.001850
201.98.215.67 mx Uninet SA de CV 618 0.001618
219.127.165.87 jp IPSTAR Company Limited 670 0.001493
138.212.188.99 jp ASAHI KASEI CORPORATION 1134 0.000882
201.9.148.42 br Telemar Norte Leste SA 1332 0.000751
138.212.190.117 jp ASAHI KASEI CORPORATION 2309 0.000433If you like to access the county and city information, you need to switch on CNTYCTY
in subnetHL.h and recompile with t2build -R -f.
Exercise: Add County and City info to the end report. What do you need to configure in the core so that this info is added to the subnet table?
Query the IP tables
Assume that a protocol response contains an IP, such as DNS. From that IP you want to know whois behind it, then you need to query the IP tables yourself.
In order to do so you have to call the core functions subnet_testHL4 and subnet_testHL6
for IPv4 and 6 addresses shown below. The return value is the subnetID you can use
to fetch the geo and whois data as already indicated above.
if (subnetTable4P) {
ipAddr_t ip;
const uint32_t subnetID1 = subnet_testHL4(subnetTable4P, ip.IPv4x[0]); // subnet test on IPv4 address
ip4Addr_t ip4;
const uint32_t subnetID2 = subnet_testHL4(subnetTable4P, ip4]); // subnet test on IPv4 address
}if (subnetTable6P) {
ipAddr_t ip;
uint32_t subnetID = subnet_testHL6(subnetTable6P, ip); // subnet test on IPv6 address
}As you can see in the code above, subnetTable[46]P may not exist depending on the configuration of T2,
so to make things simpler, just use the following macros instead:
uint32_t subnetID;
ipAddr_t ip;
ip4Addr_t ip4;
SUBNET_TEST_IP4(subnetID, ip4);
SUBNET_TEST_IP4(subnetID, ip);
SUBNET_TEST_IP6(subnetID, ip);
SUBNET_TEST_IP(subnetID, ip, 4); // For IPv4
SUBNET_TEST_IP(subnetID, ip, 6); // For IPv6It is beneficial to store IPv4 and 6 addresses in one structure, if in dual mode. On the other hand
if only IPv4 addresses are processed the ip4Addr_t structure does not waste 48 bits.
I advise to use the t2 structures as the macros rely on them.
The relevant address structures are defined in ipaddr.h, as shown in the extract below.
tranalyzer2
vi src/ipaddr.h
...
typedef union {
uint32_t IPv4x[4];
struct in_addr IPv4; // IPv4 address
struct in6_addr IPv6; // IPv6 address
uint64_t IPv6L[2]; // IPv6 address 2*64 bit max chunk for masking ops
} __attribute__((packed)) ipAddr_t;
typedef struct {
uint8_t ver; // version
ipAddr_t addr;
} ipVAddr_t;
typedef union {
uint32_t IPv4x[1];
struct in_addr IPv4;
} __attribute__((packed)) ip4Addr_t;
...Instead of using the subnet indexes from the packet structure you can now define your own
and use the SUBNET_TEST_IP[46]() macros or the subnet_testHL[46]() functions.
Try it on tcpWin, it should produce the same output.
Conclusion
Have fun experimenting with subnet info!
You can download the final version of the tcpWin plugin.
The next tutorial will teach you all about plugin dependencies
Have fun writing plugins!
See also
- Plugin programming cheatsheet
- The basics: your first flow plugin
- Plugin end report
- Plugin monitoring
- Plugin packet mode
- Plugin summary files
- Plugin dependencies
- Plugin alarm mode
- Plugin force mode
- Plugin pcap extraction
- Plugin flow timeout
- Plugin sink
- Developing Tranalyzer plugins in C++
- Developing Tranalyzer plugins in Rust