News archive
Tranalyzer2 Cobra version 0.9.1lmw1 is out!
- tranalyzer2:
  - Added `LIVEBUFSIZE` define to set libpcap internal buffer size on live captures
  - Added `T2_USEC_PREC` and `T2_PRI_USEC` macros
  - Added sensor ID to monitoring machine report
  - Added support for DTLS 1.2
  - Added `-S`/`--snaplen` and `-B`/`--rx-bufsize` command line options
  - Added `-P`/`--priority` option to set process priority (renice)
  - Added `-M`/`--mon-interval` option to set monitoring interval
  - Added `-m`/`--monfile` option to redirect monitoring output to _monitoring.txt
  - Added `FLOW_IS_A()` and `FLOW_IS_B()` macros
  - Extended support for Q-in-Q VLAN (ethertypes 0x9100 and 0x9200)
  - Reduced memory footprint of `flow_t` structure if `FRAGMENTATION=0`
  - Reduced list of L2/3 protocols to monitor (can be easily extended with `MONPROTL[23]`)
  - Removed `B2T_NANOSECS` macro, use `TSTAMP_PREC` instead
  - Renamed `ENABLE_IO_BUFFERING` macro to `IO_BUFFERING`
- basicFlow:
  - Added MPLS information to packet mode
  - Added option to output MPLS labels as hexadecimal
  - Added `BFO_VLAN=3` option to output decoded VLAN headers
  - Fixed nanoseconds representation in packet mode
- nDPI:
  - Updated nDPI library to version 4.8
- nFrstPkts:
  - Fixed nanoseconds representation for inter-arrival times
- pcapd:
  - Added `PD_CHKSUM` option to correct IPv4 checksum
- sslDecode:
  - Renamed `SSL_PROTO_LIST` to `SSL_ALPN_LIST`
  - Renamed `sslProtoList` and `sslNumProto` to `sslALPNList` and `sslNumALPNList`
  - Extract list of signature hash algorithms
  - Extract list of ALPN, NPN and ALPS
  - Extract list of record, handshake and supported versions
  - Extended `sslProto` to flag GREASE values and more
  - Added support for TLS 1.3 draft versions
  - Added support for missing TLS 1.3 ciphers
  - Added support for missing TLS 1.3 alerts
  - Added number of TLS 1.3 draft versions flows to plugin report
  - Added number of DTLS 1.3 flows to plugin report
  - Added support for JA4/JA4S fingerprints
  - Fixed handling of GREASE values in JA3 fingerprints
  - Updated list of insecure, weak, secure and recommended ciphers
  - Updated JA3 fingerprints
  - Updated SSL blacklist
- tcpFlags:
  - Added support for JA4T fingerprints
- tp0f:
  - Added packet mode
- txtSink:
  - Report process priority in headers file
- voipDetector:
  - Added `VOIP_SIP`, `VOIP_RTP`, `VOIP_RTCP` to control protocol dissection
  - Added `VOIP_BUFMODE`, `RTPBUFSIZE`, `RTPSUBDIRS`, `VOIP_PERM` macros
  - Decode RTCP by default
  - Output SIP contacts and Call-IDs
  - Output SDP session ID
  - Fixed description of RTP payload type 125
  - Code hardening
- fsutils.[ch]:
  - New helper macro: `T2_MKPATH_WITH_FLAGS()`
- t2buf.[ch]:
  - New function: `t2buf_ptr()`
- t2log.h:
  - New macros: `T2_FPLOG_DIFFNUM`, `T2_FPLOG_DIFFNUM0`
- t2utils.[ch]:
  - New helper macros: `DTLS12_HEADER()`, `t2_calloc()`, `t2_malloc()`
  - New functions: `t2_strncpy()`, `t2_tcp_socket_connect()`, `t2_tcp_socket_connect_to_server()`, `t2_udp_socket_init()`, `t2_calloc_fatal()`, `t2_malloc_fatal()`
  - Fixed nanoseconds representation in `t2_log_date()` and `t2_log_time()`
- API break:
  - Renamed `t2_calloc`/`t2_malloc` to `t2_[cm]alloc_fatal()`
- tawk:
  - tawk is now faster
  - Inverted `-t` option behavior: use it to validate column names (slow)
- scripts:
  - t2build:
    - Added `--lto` option to enable link time optimization (meson only)
  - t2caplist:
    - Added `-x` option to filter by extension (faster, but less precise)
    - Added `-t` option to sort list by first packet time
  - t2conf:
    - Fixed `t2conf tranalyzer2 --gui`
    - Several other fixes and improvements
  - t2fm:
    - Added information about ASNs
    - Added `-d`/`--data-carving` option to report EXE downloads
  - t2fuzz:
    - Added `-S`/`-P`/`-a` options to start netcat (`nc`) before running `t2`
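The sslDecode entries above mention flagging GREASE values and fixing their handling in JA3 fingerprints. The following added example (not code from Tranalyzer2 or its sslDecode plugin; the `is_grease`, `ja3_string` and `ja3` helpers and the ClientHello field values are constructed for illustration) shows why that matters: a client may inject a random GREASE value into its cipher, extension and group lists on every connection, so a fingerprint that keeps them changes per session, while one that drops them stays stable for detection and allow-listing.

```python
import hashlib

# TLS GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ..., 0xfafa: both bytes
# equal, each with a low nibble of 0xa. Clients insert one at random, so
# any fingerprint that keeps them differs from one connection to the next.
def is_grease(v: int) -> bool:
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def ja3_string(version, ciphers, extensions, groups, point_formats) -> str:
    """Build the JA3 input string: fields joined by ',', list values by '-',
    with GREASE values dropped from the three lists that can carry them."""
    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([
        str(version),
        join(ciphers),
        join(extensions),
        join(groups),
        "-".join(str(v) for v in point_formats),
    ])

def ja3(version, ciphers, extensions, groups, point_formats) -> str:
    """JA3 fingerprint: MD5 of the JA3 string as a 32-character hex digest."""
    s = ja3_string(version, ciphers, extensions, groups, point_formats)
    return hashlib.md5(s.encode()).hexdigest()

# Constructed ClientHello field values (not captured traffic). The second
# hello is the same client profile with a GREASE value injected in each list.
HELLO_PLAIN = dict(version=771, ciphers=[4865, 4866, 4867, 49195],
                   extensions=[0, 23, 65281, 10, 11, 35, 16, 13],
                   groups=[29, 23, 24], point_formats=[0])
HELLO_GREASE = dict(version=771, ciphers=[0x2a2a, 4865, 4866, 4867, 49195],
                    extensions=[0x1a1a, 0, 23, 65281, 10, 11, 35, 16, 13, 0x3a3a],
                    groups=[0xfafa, 29, 23, 24], point_formats=[0])

if __name__ == "__main__":
    print(ja3_string(**HELLO_PLAIN))
    # Both digests are identical only because GREASE values were stripped.
    print(ja3(**HELLO_PLAIN), ja3(**HELLO_GREASE))
```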
Tranalyzer2 Cobra version 0.9.0lmw1 is out!
- tranalyzer2:
  - Switched to nanoseconds precision:
    - New default values: `TSTAMP_PREC=1`, `B2T_NANOSECS=1`
  - New subnet files
  - Added `ENVCNTRL` flag to control plugin configuration via environment variables
  - Added support for XXH3 (64-bits and 128-bits) hash functions
  - Monitoring mode output field separator can now be changed with `SEP_CHR`
  - Packet mode output field separator can now be changed with `SEP_CHR`
  - Report sensor ID and bound CPU number (if `-c` option was used) in final report
  - Report link layer type in monitoring (status) report
  - Report snapshot length in final and monitoring (status) report
  - Fallback to user's default plugin folder when running T2 with sudo
  - Fixed dissection of IPv6/AH/IPv6
  - Updated t1ha to version v2.1.4
  - Updated wyhash to version wyhash_final4
  - Updated xxhash to version v0.8.1
  - New macros:
  - Minor fixes and improvements
- plugins/*:
  - Added support for `ENVCNTRL`
  - Renamed configuration flags
  - Minor fixes and improvements
- basicFlow:
  - Renamed `ethVlanID` and `ethVlanHdr` to `vlanID` and `vlanHdr`
- basicStats:
  - Added `udpLen`, `snapL[47]Len` to packet mode
- connStat:
  - Added new `connG` feature
- dnsDecode:
  - Added geolocation information to packet mode
- geoip:
  - Also output `geoStat` column when `GEOIP_LIB=0`
- httpSniffer:
  - Added packet mode
- mndpDecode:
  - Fixed autotools backend
- nDPI:
  - Added packet mode
  - Updated nDPI library to version 4.6
- netflowSink:
  - Plugin now also working when `BLOCK_BUF=1`
- pcapd:
  - Added possibility to modify packets before saving them: `PD_TSHFT` (time), `PD_MACSHFT` (MAC addresses), `PD_VLNSHFT` (VLAN ID), `PD_IPSHFT` (IPv4/6 addresses)
    - More flags to control the modification process
  - Fixed `PD_MODE_OUT=1` when `-e` option was used
- portClassifier:
  - Fixed packet mode for L2 flows
- sctpDecode:
  - Improved packet mode
- sslDecode:
  - Updated SSL blacklist
- tcpFlags:
  - Added flag for invalid length in UDP/UDP-Lite header
  - Output UDP length and snapped layer 4/7 length in packet mode
- txtSink:
  - Report libpcap version in _headers.txt file
- voipDetector:
  - Added `VOIP_SIP` to (de)activate SIP dissection
  - Added support for MPEG-2 transport stream (MP2T, RTP type 33)
  - Extract X-Real-IP from SIP header
  - Report number of SIP, SDP, RTP and RTCP packets
  - Fixed extraction of SIP User-Agent
- New plugins:
  - bayesClassifier: classification using Naive Bayes
  - kafkaSink: output into an Apache Kafka event streaming platform
- fsutils.[ch]:
  - New helper functions:
- iputils.[ch]:
  - New helper functions: `ipv4_to_mask()`, `ipv6_to_mask()`, `mask_to_ipv4()`, `mask_to_ipv6()`
- subnetHL.h:
  - New helper macros: `SUBNET_POS_UNKNOWN` and `SUBNET_POS_IS_UNKNOWN()`, `SUBNET[46]_{ASN,CNTY,CTY,NETID,LAT,LNG,PREC,ORG}`
- t2base64.[ch]:
  - New helper functions to base64 encode data
- t2buf.h:
  - New helper macro: `t2buf_rewind()`
- t2crypto.[ch]:
  - New helper functions to compute message digests (md5, sha1, …)
- t2Plugin.h:
  - New helper macro: `T2_PLUGIN_STRUCT_RESET_ITEM()`
- t2utils.[ch]:
  - New functions and macros for `ENVCNTRL`
  - New helper macros: `FLOW_IS_IP()`, `PACKET_IS_IP()`, `L2_HEADER()`, `L3_HEADER()`, `L4_HEADER()`, `L7_HEADER()`, `ETH_HEADER()`, `LAPD_HEADER()`, `IPV4_HEADER()`, `IPV6_HEADER()`, `ICMP_HEADER()`, `IGMP_HEADER()`, `PIM_HEADER()`, `SCTP_HEADER()`, `TCP_HEADER()`, [`UDP_HEADER()`](/tutorial/plugindevcheatsheet#layer-4-header), `L2_PROTO()`, `L3_PROTO()`, `L4_PROTO()`, `PROTO_IS_IPV4()`, `PROTO_IS_IPV6()`, `PROTO_IS_ICMP4()`, `PROTO_IS_ICMP6()`, `PROTO_IS_IGMP()`, `PROTO_IS_SCTP()`, `PROTO_IS_TCP()`, `PROTO_IS_UDP()`, `T2_MKPATH()`, `T2_MAC_STRLEN`, `T2_FREE_CONST()`, `T2_IPV4_TO_STR()`, `T2_IPV6_TO_STR()`
  - New helper functions: `t2_alloc_strcat()`, `t2_swap_mac()`, `t2_fopen_in_dir()`, `t2_fopen_with_suffix()`, `t2_discard_trailing_chars()`
- fpsGplt:
  - Added support for t2plot options
- statGplt:
  - Added `-f`/`--flow` option to plot specific flow only
  - Added `-d`/`--dir` option to plot specific direction only
  - Automatically derive output filename
  - Added support for t2plot options
  - Minor fixes and improvements
- tawk:
  - Improved `texscape()` function
  - Minor fixes and improvements
- t2build:
  - Fix for old meson versions (< 0.36.0)
- t2conf:
  - Added `-e` option to list the environment variables currently set for plugins
  - Added `-E` option to list the environment variables available for plugins
  - Fixed `-D` option for empty strings
  - Fixed handling of `-m`, `--dual`, `--ip4` and `--ip6` options
  - Minor fixes and improvements
- t2docker:
  - Improved error reporting
  - Minor fixes and improvements
- t2fm:
  - Report number of flows in Summary section
  - Report snapshot length in Summary section
  - Report unique VLAN tags in Summary section
  - Improved error reporting
  - Minor fixes and improvements
- t2netID:
  - Improved output readability
- t2plot:
  - Improved support for mouse interaction
- t2plugin:
  - Added `-m`/`--minimal`, `-t`/`--t2buf` and `-s`/`--sink` options
  - Added `-y`/`--yes` option
  - Improved plugin number testing/generation for sink plugins
  - Minor fixes and improvements
- t2py:
  - Improved readability of `T2.status()` and `T2Plugin.status()`
- t2test:
  - If `*.flags` is empty, run t2build instead of aborting
- t2utils.sh:
  - New helper functions: `abort_required_dir`, `abort_required_file_or_dir`
- New script:
  - t2fuzz: corrupt PCAP files and run T2 against them
- API break:
  - flow.h:
    - Some fields in `flow_t` have been renamed
  - packet.h:
    - Renamed `OUTBUF_APPEND_OPTSTR()` to `OUTBUF_APPEND_OPT_STR()`
  - t2utils.h:
    - Changed signatures of `t2_alloc_filename()` and `t2_build_filename()`
    - `t2_open_filename()` was renamed to `t2_fopen()`
  - binaryValue.h:
    - `bv_new_bv()`: swapped parameters `name` and `desc` to match order of `BV_APPEND_*()` macros
  - Renamed plugins callbacks:

    | New callback function | Old callback function | Handled by |
    | --- | --- | --- |
    | `t2PluginName` | `get_plugin_name` | `T2_PLUGIN_INIT*()` |
    | `t2PluginVersion` | `get_plugin_version` | `T2_PLUGIN_INIT*()` |
    | `t2SupportedT2Major` | `get_supported_tranalyzer_version_major` | `T2_PLUGIN_INIT*()` |
    | `t2SupportedT2Minor` | `get_supported_tranalyzer_version_minor` | `T2_PLUGIN_INIT*()` |
    | `t2Dependencies` | `get_dependencies` | `T2_PLUGIN_INIT_WITH_DEPS()` |
    | `t2Init` | `initialize` | |
    | `t2PrintHeader` | `printHeader` | |
    | `t2OnNewFlow` | `onFlowGenerated` | |
    | `t2OnLayer2` | `claimLayer2Information` | |
    | `t2OnLayer4` | `claimLayer4Information` | |
    | `t2OnFlowTerminate` | `onFlowTerminate` | |
    | `t2PluginReport` | `pluginReport` | |
    | `t2Monitoring` | `monitoring` | |
    | `t2Finalize` | `onApplicationTerminate` | |
    | `t2BufferToSink` | `bufferToSink` | |
    | `t2SaveState` | `saveState` | |
    | `t2RestoreState` | `restoreState` | |

  - New signatures for callbacks:
    - `t2BufferToSink` receives the `binary_value_t` to decode the buffer: `void t2BufferToSink(outputBuffer_t *buf, binary_value_t *bv)`
    - `t2OnFlowTerminate` receives the buffer to fill: `void onFlowTerminate(unsigned long flowIndex, outputBuffer_t *buf)`
Tranalyzer2 Tarantula version 0.8.14lmw1 is out!
- tranalyzer2:
  - Added support for configuring aggregation mode with t2conf `--gui`
  - Added support for bit operations in packet mode (`SPKTMD_BOPS`)
  - Added number of L2/IPv4/IPv6 flows to end report
  - Fixed reporting of ARP/RARP packets in final report
- descriptiveStats:
  - Added `DS_QUARTILES` flag to control quartiles calculation
  - Renamed `ENABLE_{IAT,PS}_CALC` to `DS_{IAT,PS}_CALC`
- nDPI:
  - Updated nDPI library to version 4.4
- portClassifier:
  - Added packet mode
- psqlSink:
  - Improved documentation
- regex_pcre:
  - Added packet mode
- sctpDecode:
  - Improved packet mode
  - Various fixes and improvements
- sslDecode:
  - Updated SSL blacklist
- tcpFlags:
  - Added MPTCP variables to packet mode
  - Various fixes and improvements
- New plugins:
  - clickhouseSink: output into a ClickHouse database
  - mndpDecode: MikroTik Neighbor Discovery Protocol
- tawk:
  - New functions: `bitshift`, `isfloat`, `isint`, `isuint`, `nibble_swap`
  - Added variables descriptions (`-V` option) for MPTCP
  - Various fixes and improvements
- t2fm:
  - Added `-c` option to generate a PDF report from a ClickHouse database
  - Various fixes and improvements
- scripts:
  - t2doc: added `-n` option to not open the generated PDF
  - t2timeline: bugfixes and improvements
  - t2conf: added support for bitfields in GUI mode