Crate t2plugin

This crate allows to easily develop Rust plugins for Tranalyzer2, a network traffic analysis tool.

An example Rust plugin for Tranalyzer2 using this crate can be found here: https://github.com/Tranalyzer/rustExample

Create a new plugin

1. Download and install Tranalyzer2.

2. Use t2plugin to create a new plugin based on the rustTemplate.

   cd $T2HOME/plugins
   t2plugin --rust -c myPluginName
   cd myPluginName
   

3. Optional: change the PLUGINORDER at the top of autogen.sh.

4. Fill the different methods of the T2Plugin trait implementation in src/lib.rs.

Modules

• flow
  Contains the definition of a Flow.
• nethdr
  Contains the definition of the different protocol headers (IP, TCP, UDP, …).
• packet
  Contains the definition of a Packet.
• slread
  Contains the SliceReader which allows to easily read integers and strings from a byte slice.

Macros

• t2plugin
  This macro transforms a struct implementing the T2Plugin trait into a plugin which can be loaded by Tranalyzer2.

Structs

• Header
  This structure represents the output header of this plugin.

Enums

• BinaryType
  Types of values which can be outputted in Tranalyzer2 flow files.
• BinaryValue
  Rust opaque representation of binary_value_t struct from Tranalyzer2
• OutputBuffer
  Rust opaque representation of outputBuffer_t struct from Tranalyzer2

Constants

• DUPIPID
  Consequtive duplicate IP ID
• FDLSIDX
  Flow duration limit, same findex for all subflows
• FLWTMOUT
  Flow timeout instead of protocol termination
• FL_ALARM
  pcapd and PD_ALARM=1: if set dumps the packets from this flow to a new pcap
• FS_IPV4_PKT
  IPv4 packet
• FS_IPV6_PKT
  IPv6 packet
• FS_VLAN0
  A packet had a priority tag (VLAN tag with ID 0)
• HASHTABLE_ENTRY_NOT_FOUND
  flow_index value representing a non-existing Flow.
• HDOVRN
  Header description overrun
• IPV4_FRAG
  IPv4 fragmentation present
• IPV4_FRAG_ERR
  IPv4 fragmentation Error (detailed err s. tcpFlags plugin)
• IPV4_FRAG_HDSEQ_ERR
  IPv4 1. fragment out of sequence or missing
• IPV4_FRAG_PENDING
  Packet fragmentation pending / fragmentation sequence not completed when flow timeouts
• IPV4_HL_TOO_SHORT
  IPv4 header length < 20 bytes
• IP_PL_TOO_BIG
  IPv4/6 payload length > framing length
• L2SNAPLENGTH
  Acquired packet length < minimal L2 datagram
• L2_ARP
  ARP present
• L2_ERSPAN
  Encapsulated Remote Switch Packet ANalysis (ERSPAN)
• L2_FLOW
  Pure L2 Flow
• L2_GRE
  GRE v1/2 present
• L2_IPV4
  IPv4 packets present
• L2_IPV6
  IPv6 packets present
• L2_L2TP
  L2TP v2/3 present
• L2_LLDP
  Link Layer Discovery Protocol (LLDP)
• L2_MPLS
• L2_MPLS_MCAST
  MPLS multicast present
• L2_MPLS_UCAST
  MPLS unicast present
• L2_NO_ETH
  No Ethernet header
• L2_PPP
  PPP header present after L2TP or GRE
• L2_PPPOE_D
  Point to Point Protocol over Ethernet Discovery (PPPoED)
• L2_PPPOE_S
  Point to Point Protocol over Ethernet Service (PPPoES)
• L2_RARP
  Reverse ARP present
• L2_VLAN
  VLANs present
• L2_WCCP
  Cisco Web Cache Communication Protocol (WCCP)
• L3FLOWINVERT
  Inverted flow, did not initiate connection
• L3HDRSHRTLEN
  Acquired packet length < minimal L3 Header
• L3SNAPLENGTH
  Acquired packet length < packet length in L3 header
• L3_AYIYA
  Anything in Anything (AYIYA) Tunnel
• L3_CAPWAP
  Control And Provisioning of Wireless Access Points (CAPWAP), Lightweight Access Point Protocol (LWAPP)
• L3_ETHIPF
  Ethernet via IP
• L3_GENEVE
  Generic Network Virtualization Encapsulation (GENEVE)
• L3_GTP
  GPRS Tunneling Protocol (GTP)
• L3_IPIP
  IPv4/6 in IPv4/6
• L3_IPSEC_AH
  IPsec Authentication Header (AH)
• L3_IPSEC_ESP
  IPsec Encapsulating Security Payload (ESP)
• L3_IPVX
  IPvX bogus packets present
• L3_TRDO
  Teredo Tunnel
• L3_VXLAN
  Virtual eXtensible Local Area Network (VXLAN)
• L4HDRSHRTLEN
  Acquired packet length < minimal L4 Header
• L4_SCTP
  Stream Control Transmission Flows
• L4_UPNP
  SSDP/UPnP
• L7_SIPRTP
  SIP/RTP
• LANDATTACK
  Same src IP && dst IP and src port && dst port
• LAPD_FLOW
  LAPD flow
• PCAPSNPD
  PCAP packet length > MAX_MTU in ioBuffer.h, caplen reduced
• PPP_NRHD
  PPPL3 header not readable, compressed
• RMFLOW
  Alarm mode: remove this flow instantly
• RMFLOW_HFULL
  Autopilot: Flow removed to free space in main hash map
• SNAPLENGTH
• STPDSCT
  Stop dissecting
• SUBN_FLW_TST
  Subnet tested for that flow
• TIMEJUMP
  Time slip possibly due to NTP operations on the capture machine
• TORADD
  Tor address detected
• __RESERVED__
  RESERVED, do not use

Traits

• T2Plugin
  Trait to tranform a per flow struct into a Tranalyzer2 plugin.

Functions

• getflow
  Returns the flow::Flow structure of the flow with flow_index=index.
• hashchaintable_size
  Returns the number of flows that Tranalyzer2 can store in its internal hashtable.
• output_bytes
  Appends bytes to Tranalyzer2 output buffer.
• output_ip
  Appends an IP address to Tranalyzer2 output buffer.
• output_num
  Appends a number (integer or float) to Tranalyzer2 output buffer.
• output_nums
  Appends a list of numbers (integers or floats) to Tranalyzer2 output buffer.
• output_string
  Appends a string to Tranalyzer2 output buffer.
• output_strings
  Appends a list of strings to Tranalyzer2 output buffer.

Type Definitions

• c_ulong
  unsigned long in C: u32 on 32-bit systems and u64 on 64-bit systems.