All about global statistics

ICMP IGMP OSPF VRRP DPI nDPI math statistics traffic mining tawk

Introduction

Using tawk, any statistic can be produced from the flow file. Nevertheless, T2 supplies several statistics directly in the end report, in the flow/packet files and in extra protocol-based files, because it is faster and has proven useful to us in troubleshooting, security and forensics. The latter files are discussed here, and links to further tutorials are supplied.

Preparation

First, restore T2 to a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the following plugins:

t2build tranalyzer2 basicFlow basicStats icmpDecode igmpDecode ospfDecode vrrpDecode tcpStates nDPI txtSink

...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, do so now in another bash window; it facilitates your workflow:

mkdir ~/data ~/results

The anonymized sample PCAP and the VRRP pcap used in this tutorial can be downloaded here:

Please save them in your ~/data folder.

Now you are all set for T2 global statistics experiments.

Basic L3/4 packet/length statistics

Basic packet and packet length statistics are readily available in the end report, as shown below. Hence, a first impression of the relevance of a pcap is possible without looking into the flow files. Besides the basic L3/4 statistics, every plugin produces its own statistics in the end report between the --------- lines.

t2 -r ~/data/annoloc2.pcap -w ~/results

Oops, no VRRP or OSPF messages in this pcap…

Anyway, here is a list of all plugins that produce extra global statistics:

plugin       files
protoStats   _flows.*, _log.txt (end report), _proto.txt
basicStats   _flows.*, _log.txt (end report)
icmpDecode   _flows.*, _log.txt (end report), _icmp.txt
igmpDecode   _flows.*, _log.txt (end report), _igmp.txt
ospfDecode   _flows.*, _log.txt (end report), _ospfStats.txt, _ospfHello.txt
nDPI         _flows.*, _log.txt (end report), _nDPI.txt
vrrpDecode   _flows.*, _log.txt (end report), _vrrp.txt

protoStats

This plugin is discussed in detail in the global statistical plugins tutorial.

Detailed statistics

The following plugins produce a more detailed view of certain important protocols.

ICMP statistics

The Internet Control Message Protocol (ICMP) carries diagnostic and control messages, e.g. echo request/reply or destination unreachable. See the icmpDecode tutorial.

IGMP statistics

The Internet Group Management Protocol (IGMP) manages IPv4 multicast group memberships, e.g. for streaming services. See the igmpDecode tutorial.

OSPF statistics

See ospfDecode tutorial.

nDPI statistics

The nDPI plugin is a wrapper for the open source nDPI deep packet inspection library. The plugin is discussed in detail under the link.

VRRP statistics

The Virtual Router Redundancy Protocol (VRRP) provides automatic assignment of available routers to participating hosts: one router acts as master for a virtual IP address and announces itself with periodic advertisements, and a backup takes over when those advertisements stop or a higher-priority router appears. An overview of these advertisements and of master changes is vital for troubleshooting. This is where the vrrpDecode plugin comes in handy!

Download VRRP_preempt.cap and run t2 on it:

t2 -r ~/data/VRRP_preempt.cap -w ~/results

tcol ~/results/VRRP_preempt_vrrp.txt

VirtualRtrID  Priority  SkewTime[s]  MasterDownInterval[s]  AddrCount  Addresses    Version  Type  AdverInt[s]  AuthType  AuthString  Checksum  CalcChecksum  flowIndex
1             100       0.609375     3.609375               1          192.168.0.1  2        1     1            0                     0xba52    0xba52        1
1             100       0.609375     3.609375               1          192.168.0.1  2        1     1            0                     0xba52    0xba52        1
1             100       0.609375     3.609375               1          192.168.0.1  2        1     1            0                     0xba52    0xba52        1
1             100       0.609375     3.609375               1          192.168.0.1  2        1     1            0                     0xba52    0xba52        1
1             100       0.609375     3.609375               1          192.168.0.1  2        1     1            0                     0xba52    0xba52        1
1             100       0.609375     3.609375               1          192.168.0.1  2        1     1            0                     0xba52    0xba52        1
1             100       0.609375     3.609375               1          192.168.0.1  2        1     1            0                     0xba52    0xba52        1
1             200       0.218750     3.218750               1          192.168.0.1  2        1     1            0                     0x5652    0x5652        2
1             200       0.218750     3.218750               1          192.168.0.1  2        1     1            0                     0x5652    0x5652        2
1             200       0.218750     3.218750               1          192.168.0.1  2        1     1            0                     0x5652    0x5652        2
1             200       0.218750     3.218750               1          192.168.0.1  2        1     1            0                     0x5652    0x5652        2
1             200       0.218750     3.218750               1          192.168.0.1  2        1     1            0                     0x5652    0x5652        2
1             200       0.218750     3.218750               1          192.168.0.1  2        1     1            0                     0x5652    0x5652        2
1             200       0.218750     3.218750               1          192.168.0.1  2        1     1            0                     0x5652    0x5652        2
1             200       0.218750     3.218750               1          192.168.0.1  2        1     1            0                     0x5652    0x5652        2
1             200       0.218750     3.218750               1          192.168.0.1  2        1     1            0                     0x5652    0x5652        2

You see a list of router advertisements for virtual router ID 1, all announcing the virtual address 192.168.0.1: flow 1 carries the advertisements of a router with priority 100, flow 2 those of a router with priority 200, whose takeover of the master role is what the capture name refers to. SkewTime and MasterDownInterval are derived from Priority and AdverInt, Checksum and CalcChecksum agree for every packet, and AuthType 0 means the advertisements carry no authentication. We plan to do an extra routing tutorial.
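To show where the derived columns of the table come from, here is an added Python example (not Tranalyzer or vrrpDecode code) that parses VRRPv2 advertisements, recomputes the checksum (RFC 1071 over the whole message with the checksum field zeroed) and the timers SkewTime = (256 - Priority)/256 and MasterDownInterval = 3 * AdverInt + SkewTime as defined in RFC 3768, and walks a sequence of advertisements to flag a change of advertised priority per VRID. The sample packets are constructed in the block to match the rows above (VRID 1, 192.168.0.1, AdverInt 1, AuthType 0, empty auth data); the function and field names are this example's own.

```python
"""Added example (not Tranalyzer code): parse VRRPv2 advertisements, recompute
the checksum and timers that vrrpDecode prints, and spot a master takeover."""
import struct
from ipaddress import IPv4Address


# Timer rules from RFC 3768 (VRRPv2); AdverInt is in whole seconds.
def skew_time(priority: int) -> float:
    return (256 - priority) / 256


def master_down_interval(priority: int, adver_int: int) -> float:
    return 3 * adver_int + skew_time(priority)


def rfc1071_checksum(data: bytes) -> int:
    """One's complement of the one's-complement sum of 16-bit words (RFC 1071).
    VRRP computes it over the entire message with the checksum field zeroed."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrp2(vrid, priority, addrs, adver_int=1, auth_type=0, auth_data=bytes(8)):
    """Constructed VRRPv2 advertisement (version 2, type 1) used as sample input."""
    head = struct.pack("!BBBBBB", 0x21, vrid, priority, len(addrs), auth_type, adver_int)
    tail = b"".join(IPv4Address(a).packed for a in addrs) + auth_data
    chk = rfc1071_checksum(head + b"\x00\x00" + tail)
    return head + struct.pack("!H", chk) + tail


def parse_vrrp2(pkt: bytes) -> dict:
    """Return the fields vrrpDecode lists (same column names); raise on malformed input."""
    if len(pkt) < 8:
        raise ValueError("VRRP header truncated")
    vt, vrid, prio, naddr, auth_type, adver_int, chk = struct.unpack("!BBBBBBH", pkt[:8])
    version, mtype = vt >> 4, vt & 0x0F
    if version != 2 or mtype != 1:
        raise ValueError(f"not a VRRPv2 advertisement (version {version}, type {mtype})")
    end = 8 + 4 * naddr + 8                 # IPv4 addresses, then 8 octets of auth data
    if len(pkt) < end:
        raise ValueError("packet shorter than AddrCount implies")
    addrs = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(naddr)]
    auth = pkt[8 + 4 * naddr:end].rstrip(b"\x00").decode("ascii", "replace")
    return {
        "VirtualRtrID": vrid, "Priority": prio,
        "SkewTime": skew_time(prio),
        "MasterDownInterval": master_down_interval(prio, adver_int),
        "AddrCount": naddr, "Addresses": addrs, "Version": version, "Type": mtype,
        "AdverInt": adver_int, "AuthType": auth_type, "AuthString": auth,
        "Checksum": chk,
        "CalcChecksum": rfc1071_checksum(pkt[:6] + b"\x00\x00" + pkt[8:end]),
    }


def takeovers(adverts):
    """Walk parsed advertisements in capture order and report every change of
    advertised priority per VRID; a jump to a higher priority is a preemption."""
    last, events = {}, []
    for a in adverts:
        vrid, prio = a["VirtualRtrID"], a["Priority"]
        if vrid in last and last[vrid] != prio:
            events.append((vrid, last[vrid], prio, "preempt" if prio > last[vrid] else "yield"))
        last[vrid] = prio
    return events


# Constructed replay of the table above: 7 advertisements at priority 100,
# then 9 at priority 200, all for VRID 1 and the virtual address 192.168.0.1.
SAMPLE = [build_vrrp2(1, 100, ["192.168.0.1"])] * 7 + [build_vrrp2(1, 200, ["192.168.0.1"])] * 9

if __name__ == "__main__":
    parsed = [parse_vrrp2(p) for p in SAMPLE]
    for f in (parsed[0], parsed[-1]):
        ok = "ok" if f["Checksum"] == f["CalcChecksum"] else "BAD"
        print(f"VRID {f['VirtualRtrID']} prio {f['Priority']} skew {f['SkewTime']} "
              f"mdi {f['MasterDownInterval']} chk 0x{f['Checksum']:04x} ({ok}) "
              f"auth {f['AuthType']}")
    print(takeovers(parsed))
```

Because AuthType 0 means no authentication, any host on the segment that can send to the VRRP multicast group can produce the same priority-200 takeover this detector flags; a priority change on a VRID that is not a planned failover is therefore worth an alert, not just a troubleshooting note.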

Mining based statistics

For traffic mining purposes the packet size and the packet inter-arrival time (PIAT) are good invariants. To support researchers using signal-processing approaches, the plugin nFrstPkts was developed, which has served us well over the years.

For the pure statistical approach, the pktSIATHisto plugin is supplied, which creates a 3-D distribution of packet size and PIAT. The plugin descriptiveStats calculates descriptive statistical moments from the PIAT distribution and therefore requires pktSIATHisto as a dependency.

All these plugins are discussed in detail under the links supplied above.