gamelinux / cxtracker Goto Github PK

So after doing some test,

it seems that when I start to read from the right after the
pcapfile-header (24bytes), I see that cxtracker is printing the start byte
of the 2. packet in the session.

/tmp/2658 <-- 2658 is the offset outputed by cxtracker
/tmp/24 <-- 24 the pcap file header

$ diff -u /tmp/2658 /tmp/24
--- /tmp/2658 2011-11-16 23:17:42.291931155 +0000
+++ /tmp/24 2011-11-16 23:17:32.531933229 +0000
@@ -1,3 +1,4 @@
+12:29:27.911430 IP 192.168.8.5.1032 > 71.86.84.8.3030: Flags [S], seq3489876656, win 65535, options [mss 1460,nop,nop,sackOK], length 0
12:29:27.960132 IP 71.86.84.8.3030 > 192.168.8.5.1032: Flags [S.], seq090130120, ack 3489876657, win 8192, options [mss 1380,nop,nop,sackOK],length 0
12:29:27.960366 IP 192.168.8.5.1032 > 71.86.84.8.3030: Flags [.], ack1, win 65535, length 0
12:29:28.031383 IP 192.168.8.5.1032 > 71.86.84.8.3030: Flags [P.], seq1:5, ack 1, win 65535, length 4

But this looks great!

Essentially a feature to store only enough pcaps to fill the disk up to x%. Once that disk use is reached, pcaps are deleted in the order they were recorded, freeing space for newer pcaps.

OpenFPC uses this feature of Daemonlogger in conjunction with its own capability to roll the session files off the database to accomplish FPC of the most recent time period that there is sufficient storage to handle.

I'm planning to work on this after the InnoDB VIEW issue. If you know of a good / preferred way to implement this, I'll follow your lead.

Greetings, I'd like to submit a couple patches to enable compiling of cxtracker on FreeBSD. The patches were created against the master branch on 11/5/2011 and tested on FreeBSD 8.2(i386).

-Dave

diff -cr cxtracker_ORG/src/cxtracker.h cxtracker_PATCHED/src/cxtracker.h
*** cxtracker_ORG/src/cxtracker.h   Sat Nov  5 13:08:15 2011
--- cxtracker_PATCHED/src/cxtracker.h   Sat Nov  5 13:11:45 2011
***************
*** 26,31 ****
--- 26,35 ----
  /*  I N C L U D E S  **********************************************************/
  #include "ip.h"

+ #ifdef __FreeBSD__
+ #include <sys/types.h>
+ #endif /* __FreeBSD__ */
+ 
  /*  D E F I N E S  ************************************************************/
  #define VERSION                       "0.9.7"
  #define TIMEOUT                       45


diff -cr cxtracker_ORG/src/ip.c cxtracker_PATCHED/src/ip.c
*** cxtracker_ORG/src/ip.c  Sat Nov  5 13:08:15 2011
--- cxtracker_PATCHED/src/ip.c  Sat Nov  5 13:00:57 2011
***************
*** 24,30 ****
--- 24,33 ----
  #include <sys/types.h>
  #include <sys/socket.h>
  #include <arpa/inet.h>
+ 
+ #ifndef __FreeBSD__
  #include <error.h>
+ #endif /* __FreeBSD__ */

  // private functions

diff -cr cxtracker_ORG/src/ip.h cxtracker_PATCHED/src/ip.h
*** cxtracker_ORG/src/ip.h  Sat Nov  5 13:08:15 2011
--- cxtracker_PATCHED/src/ip.h  Sat Nov  5 12:58:04 2011
***************
*** 26,31 ****
--- 26,35 ----
  #include <netinet/in.h>
  #include <netdb.h>

+ #ifdef __FreeBSD__
+ #include <sys/socket.h>
+ #endif /* __FreeBSD__ */
+ 
  #define IP_ADDRMAX       NI_MAXHOST

  // TODO: raise these values to deconflict with the NI_* flags

Review INSTALL and README - Very very very outdated!

--- /etc/init.d/cxtracker       2010-09-18 18:59:11.000000000 +0000
+++ cxtracker.new       2010-10-27 13:02:09.000000000 +0000
@@ -26,7 +26,7 @@
   start)
 #      chown -R ${CXT_UID}.${CXT_GID} ${CXT_ARCHIVE_DIR}/
        echo -n "Starting $NAME ..."
-       $DAEMON $CXT_ARCHIVE_DIR $CXT_INTERFACE $CXT_USER $CXT_GROUP > /var/log/$NAME.log  2>&1 &
+       $DAEMON $CXT_ARCHIVE_DIR $CXT_INTERFACE $CXT_USER $CXT_GROUP -b "$CXT_BPF" >> /var/log/$NAME.log  2>&1 &
        PID1=$!
         echo "$PID1" > $PIDFILE
        echo " done."

--- /etc/default/cxtracker.old  2010-10-27 13:05:08.000000000 +0000
+++ /etc/default/cxtracker      2010-10-27 13:05:23.000000000 +0000
@@ -1,5 +1,5 @@
 # Set main configuration options here
-CXT_ARCHIVE_DIR="/nsm_data/`hostname -s`/cxtracker"
+CXT_ARCHIVE_DIR="-d /nsm_data/`hostname -s`/cxtracker"
 CXT_INTERFACE="-i eth0"
 CXT_USER="-u nsm"
 CXT_GROUP="-g nsm"

Searching with cxt2pcap.pl results in not finding the stream if you are looking for UDP or ICMP data.

I've been using cxtracker for a while now and ive seen that it works pretty much like sancp's stat mode. So my question is if its possible to run it in realtime, similar to sancp through an option or a special configuration.

I have to say im pretty new to pcap and connection trackers in general, so i might be missing something.

Thanks.

We should record and output vlan tag to the logs if wanted.

When cxtracker2db.pl starts up:

• It should check that the log dir exists, and has OK user+permissions
• It should check if the "failed" dir exists, if not, try to make it, or die if it cant.

Having an official versioned tarball to download would make this easier to officially include into Linux distros.

In e1837f7, running without specifying a SDIR results in renaming failed files to failedstats.interface.time rather than leaving the name the same and moving to the correct directory.

Patched in wmesser@f6ba520

I don't know if this would be good or not, but I could see it being useful.

This is low priority for me but is something that would slightly complicate the step of roll-off in #16, so I'm going ahead and talking about it now.

Vision: pcaps are logged to directories like /pcaps/2013-01-15/cxt.eth0.1358251200

This might make management on disk easier for two reasons:

1. It breaks up storage into multiple directories
2. It names the directories in such a way that retrieval is easier

Downside:

1. OpenFPC currently does not expect pcaps logged by date
2. Creates slight complications for automated retrieval because figuring out directory becomes a necessary step. However, since the directory is the date, and the date is trivially determined in code, automated retrieval is still possible.

When processing a pcap with cxtracker, the stat file has name like: stats.(null).1292429344

Should be:
stats.nameofpcapfile.1292429344

Change from using:

MERGE and MyISAM
to
VIEW and InnoDB

i just cloned the latest and cd to src and i get this error.

make
gcc -c -Wall -g -O3 -Wall -Wextra cxtracker.c
cxtracker.c:32:18: fatal error: pcap.h: No such file or directory
compilation terminated.
make: *** [cxtracker.o] Error 1

Make it so that you can choose if you want to store "standard" format or "indexed" format in cxtracker2db.pl

In cxt2pcap.pl, add ability to pull out flows that use IPv6 Addresses. Currently the [1].[2].[3].[4] approach indicates that it's IPv4 only.

The headers say

** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA

However, there is no copy of the GPL.

I believe standard practice for code licensed as "GPL v2 or later" is to include the text from this file http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt as a file called "COPYING" somewhere in the project.