gamelinux / cxtracker
Connection Tracker is a passive network connection tracker for profiling, history, auditing and network discovery.
Home Page: http://www.gamelinux.org/
So after doing some tests, it seems that when I start to read from right after the pcap file header (24 bytes), I see that cxtracker is printing the start byte of the 2nd packet in the session.
/tmp/2658 <-- 2658 is the offset output by cxtracker
/tmp/24 <-- 24 is the pcap file header
$ diff -u /tmp/2658 /tmp/24
--- /tmp/2658 2011-11-16 23:17:42.291931155 +0000
+++ /tmp/24 2011-11-16 23:17:32.531933229 +0000
@@ -1,3 +1,4 @@
+12:29:27.911430 IP 192.168.8.5.1032 > 71.86.84.8.3030: Flags [S], seq3489876656, win 65535, options [mss 1460,nop,nop,sackOK], length 0
12:29:27.960132 IP 71.86.84.8.3030 > 192.168.8.5.1032: Flags [S.], seq090130120, ack 3489876657, win 8192, options [mss 1380,nop,nop,sackOK],length 0
12:29:27.960366 IP 192.168.8.5.1032 > 71.86.84.8.3030: Flags [.], ack1, win 65535, length 0
12:29:28.031383 IP 192.168.8.5.1032 > 71.86.84.8.3030: Flags [P.], seq1:5, ack 1, win 65535, length 4
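Review bot: the only line the two decodes differ in is the leading SYN, so the stored offset 2658 lands on the SYN/ACK record, i.e. the second packet of the flow, while reading from byte 24 yields the whole handshake. That is what one would expect if the offset is captured after the first packet's 16-byte record header and data have been consumed instead of before them; the place to look is where the file position is sampled relative to the pcap read of the first packet.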
But this looks great!
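To make the off-by-one-record problem reported above concrete, here is an added example (not cxtracker or cxt2pcap code) that walks a classic pcap file and reports the byte offset at which each packet's record header starts. The pcap image, the packet contents and the function names are all constructed for this example; a stored offset that equals the position *after* the first record is, as the report describes, the start of packet 2.

```python
import struct

# Classic (libpcap) file layout: a 24-byte global header, then for each
# packet a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len)
# followed by incl_len bytes of captured data.
PCAP_GLOBAL_HDR_LEN = 24
PCAP_RECORD_HDR_LEN = 16
MAGIC_NATIVE = 0xA1B2C3D4  # value of the magic when read in the file's own byte order


def build_pcap(packets, snaplen=65535, linktype=1):
    """Serialise a list of packet byte strings into a little-endian pcap image."""
    out = bytearray(struct.pack("<IHHiIII", MAGIC_NATIVE, 2, 4, 0, 0, snaplen, linktype))
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1321446567 + i, 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def byte_order(data):
    """Return the struct prefix ('<' or '>') matching the file's magic number."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MAGIC_NATIVE:
        return "<"
    if magic == 0xD4C3B2A1:
        return ">"
    raise ValueError("not a classic pcap file (magic %#x)" % magic)


def record_offsets(data):
    """Return [(offset_of_record_header, incl_len), ...] for every packet.

    The offset is the position of the 16-byte record header. That is the value
    a session tracker must store if a later extraction is to start at the
    first packet of the flow rather than the one after it.
    """
    order = byte_order(data)
    offsets = []
    pos = PCAP_GLOBAL_HDR_LEN
    while pos + PCAP_RECORD_HDR_LEN <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[pos:pos + PCAP_RECORD_HDR_LEN])
        if pos + PCAP_RECORD_HDR_LEN + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % pos)
        offsets.append((pos, incl_len))
        pos += PCAP_RECORD_HDR_LEN + incl_len
    return offsets


def packet_number_at(data, offset):
    """1-based index of the packet whose record header starts at offset; ValueError otherwise."""
    for n, (pos, _caplen) in enumerate(record_offsets(data), 1):
        if pos == offset:
            return n
    raise ValueError("offset %d is not on a record boundary" % offset)


def carve_from(data, offset):
    """Standalone pcap made of the original global header plus every record from offset on.

    Offsets that do not land on a record header are refused; that is the
    situation a reader sees as a corrupt file when a stored offset is wrong.
    """
    packet_number_at(data, offset)  # validates the boundary
    return data[:PCAP_GLOBAL_HDR_LEN] + data[offset:]


# Constructed sample: three placeholder "packets" standing in for SYN, SYN/ACK, ACK.
SAMPLE_PCAP = build_pcap([b"SYN" * 20, b"SYN-ACK" * 10, b"ACK" * 5])

if __name__ == "__main__":
    for n, (pos, caplen) in enumerate(record_offsets(SAMPLE_PCAP), 1):
        print("packet %d: record header at byte %d, %d captured bytes" % (n, pos, caplen))
    after_first = record_offsets(SAMPLE_PCAP)[1][0]
    print("an offset sampled after consuming packet 1 (%d) points at packet %d"
          % (after_first, packet_number_at(SAMPLE_PCAP, after_first)))
```

Run against a real capture, `record_offsets` gives the table of legal starting points for a cxt2pcap-style extraction; comparing the offset a tracker logs for a flow with the entry for that flow's first packet shows immediately whether the offset was taken before or after the record header.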
Essentially a feature to store only enough pcaps to fill the disk up to x%. Once that disk use is reached, pcaps are deleted in the order they were recorded, freeing space for newer pcaps.
OpenFPC uses this feature of Daemonlogger in conjunction with its own capability to roll the session files off the database to accomplish FPC of the most recent time period that there is sufficient storage to handle.
I'm planning to work on this after the InnoDB VIEW issue. If you know of a good / preferred way to implement this, I'll follow your lead.
Greetings, I'd like to submit a couple of patches to enable compiling cxtracker on FreeBSD. The patches were created against the master branch on 11/5/2011 and tested on FreeBSD 8.2 (i386).
-Dave
diff -cr cxtracker_ORG/src/cxtracker.h cxtracker_PATCHED/src/cxtracker.h
*** cxtracker_ORG/src/cxtracker.h Sat Nov 5 13:08:15 2011
--- cxtracker_PATCHED/src/cxtracker.h Sat Nov 5 13:11:45 2011
***************
*** 26,31 ****
--- 26,35 ----
/* I N C L U D E S **********************************************************/
#include "ip.h"
+ #ifdef __FreeBSD__
+ #include <sys/types.h>
+ #endif /* __FreeBSD__ */
+
/* D E F I N E S ************************************************************/
#define VERSION "0.9.7"
#define TIMEOUT 45
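Review bot: the `#ifdef __FreeBSD__` guard around `#include <sys/types.h>` in cxtracker.h is unnecessary; `<sys/types.h>` is a POSIX header that every supported platform has (ip.c already includes it unconditionally, as the next hunk shows), so include it unconditionally and drop the guard rather than hiding a platform assumption behind it. Conventionally the system header also goes before the project header `"ip.h"`, so that ip.h can rely on the types it defines.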
diff -cr cxtracker_ORG/src/ip.c cxtracker_PATCHED/src/ip.c
*** cxtracker_ORG/src/ip.c Sat Nov 5 13:08:15 2011
--- cxtracker_PATCHED/src/ip.c Sat Nov 5 13:00:57 2011
***************
*** 24,30 ****
--- 24,33 ----
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
+
+ #ifndef __FreeBSD__
#include <error.h>
+ #endif /* __FreeBSD__ */
// private functions
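Review bot: `<error.h>` is a glibc extension rather than something only FreeBSD lacks, so `#ifndef __FreeBSD__` still breaks other non-glibc targets; guarding on the real condition, `#ifdef __GLIBC__`, is more accurate. The closing comment `#endif /* __FreeBSD__ */` belongs to an `#ifndef` and should read `#endif /* !__FreeBSD__ */`. And if ip.c actually calls `error()`, dropping the header only moves the FreeBSD failure from compile time to link time; check for callers and give them a portable fallback.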
diff -cr cxtracker_ORG/src/ip.h cxtracker_PATCHED/src/ip.h
*** cxtracker_ORG/src/ip.h Sat Nov 5 13:08:15 2011
--- cxtracker_PATCHED/src/ip.h Sat Nov 5 12:58:04 2011
***************
*** 26,31 ****
--- 26,35 ----
#include <netinet/in.h>
#include <netdb.h>
+ #ifdef __FreeBSD__
+ #include <sys/socket.h>
+ #endif /* __FreeBSD__ */
+
#define IP_ADDRMAX NI_MAXHOST
// TODO: raise these values to deconflict with the NI_* flags
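Review bot: `<sys/socket.h>` is added after `<netinet/in.h>` and `<netdb.h>`, but on BSD-derived systems `<netinet/in.h>` expects `<sys/types.h>` and `<sys/socket.h>` to come first (that is the include order the FreeBSD manual pages document), so move the new include ahead of `<netinet/in.h>`. As with the cxtracker.h hunk, the header is POSIX and can be included unconditionally instead of under `#ifdef __FreeBSD__`.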
Review INSTALL and README - Very very very outdated!
--- /etc/init.d/cxtracker 2010-09-18 18:59:11.000000000 +0000 +++ cxtracker.new 2010-10-27 13:02:09.000000000 +0000 @@ -26,7 +26,7 @@ start) # chown -R ${CXT_UID}.${CXT_GID} ${CXT_ARCHIVE_DIR}/ echo -n "Starting $NAME ..." - $DAEMON $CXT_ARCHIVE_DIR $CXT_INTERFACE $CXT_USER $CXT_GROUP > /var/log/$NAME.log 2>&1 & + $DAEMON $CXT_ARCHIVE_DIR $CXT_INTERFACE $CXT_USER $CXT_GROUP -b "$CXT_BPF" >> /var/log/$NAME.log 2>&1 & PID1=$! echo "$PID1" > $PIDFILE echo " done." --- /etc/default/cxtracker.old 2010-10-27 13:05:08.000000000 +0000 +++ /etc/default/cxtracker 2010-10-27 13:05:23.000000000 +0000 @@ -1,5 +1,5 @@ # Set main configuration options here -CXT_ARCHIVE_DIR="/nsm_data/`hostname -s`/cxtracker" +CXT_ARCHIVE_DIR="-d /nsm_data/`hostname -s`/cxtracker" CXT_INTERFACE="-i eth0" CXT_USER="-u nsm" CXT_GROUP="-g nsm"
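Review bot: the init script now passes `-b "$CXT_BPF"`, but the /etc/default/cxtracker hunk never defines `CXT_BPF`, so with an unmodified defaults file the daemon is started with an empty `-b ""` argument; add `CXT_BPF=""` (or a documented default filter) to /etc/default/cxtracker in the same patch. Folding the `-d` flag into `CXT_ARCHIVE_DIR` also silently changes the commented-out `chown -R ${CXT_UID}.${CXT_GID} ${CXT_ARCHIVE_DIR}/` line, which would now receive `-d /nsm_data/.../cxtracker/` if anyone re-enables it; keeping the directory and its flag in separate variables avoids that. Switching the log redirect from `>` to `>>` so the log survives restarts is the right call.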
Searching with cxt2pcap.pl results in not finding the stream if you are looking for UDP or ICMP data.
I've been using cxtracker for a while now and I've seen that it works pretty much like sancp's stat mode. So my question is whether it's possible to run it in realtime, similar to sancp, through an option or a special configuration.
I have to say I'm pretty new to pcap and connection trackers in general, so I might be missing something.
Thanks.
We should record and output vlan tag to the logs if wanted.
When cxtracker2db.pl starts up:
--- INSTALL 2013-01-14 07:56:47.026341642 -0500
+++ INSTALL-new 2013-01-14 07:57:16.838341877 -0500
@@ -35,11 +35,11 @@
# Prepare the mysql database
GRANT USAGE ON *.* TO 'cxtracker'@'localhost' identified by 'cxtracker';
-GRANT ALL ON fpcgui.* TO 'cxtracker'@'localhost' IDENTIFIED BY 'cxtracker';
+GRANT ALL ON cxtracker.* TO 'cxtracker'@'localhost' IDENTIFIED BY 'cxtracker';
FLUSH PRIVILEGES;
-CREATE DATABASE openfpc;
-\u openfpc
+CREATE DATABASE cxtracker;
+\u cxtracker
# You need to add two function to mysql to handle IPv6
# INET_ATON6 and INET_NTOA6:
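Review bot: the database name and the grant target now agree (`cxtracker` in both), but the instructions still create the account with the literal password `'cxtracker'` in two places, and INSTALL files tend to be pasted verbatim; add a sentence telling readers to substitute their own password. The separate `GRANT USAGE ... identified by` line is also redundant with the following `GRANT ALL ON cxtracker.* ... IDENTIFIED BY`, which in the MySQL versions of that era creates the account itself, and the two lines use inconsistent casing of `IDENTIFIED BY`. Finally, `\u cxtracker` is a mysql client command, so the surrounding text should say these lines are typed inside the `mysql` client.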
Having an official versioned tarball to download would make this easier to officially include into Linux distros.
In e1837f7, running without specifying an SDIR results in renaming failed files to failedstats.interface.time rather than leaving the name the same and moving them to the correct directory.
Patched in wmesser@f6ba520
I don't know if this would be good or not, but I could see it being useful.
This is low priority for me but is something that would slightly complicate the step of roll-off in #16, so I'm going ahead and talking about it now.
Vision: pcaps are logged to directories like /pcaps/2013-01-15/cxt.eth0.1358251200
This might make management on disk easier for two reasons:
Downside:
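The roll-off feature discussed under #16 above (delete the oldest pcaps once disk use passes x%) and the dated directory layout proposed here interact, so one added example covers both. It is not cxtracker, OpenFPC or Daemonlogger code: the path scheme follows the `/pcaps/2013-01-15/cxt.eth0.1358251200` form from the proposal, disk usage is read with `os.statvfs`, and the deletion planner is kept separate from the filesystem so it can be exercised on a constructed file list. The function and variable names are this example's own.

```python
import os
import re
import time
from collections import namedtuple

Pcap = namedtuple("Pcap", "path size epoch")
# cxt.<iface>.<epoch>, the file name form used in the proposed layout.
CXT_NAME = re.compile(r"^cxt\.[^.]+\.(\d+)$")


def pcap_path(root, iface, epoch):
    """Date-bucketed path <root>/YYYY-MM-DD/cxt.<iface>.<epoch>, using the UTC date."""
    day = time.strftime("%Y-%m-%d", time.gmtime(epoch))
    return os.path.join(root, day, "cxt.%s.%d" % (iface, epoch))


def list_pcaps(root):
    """Every cxt.* file below root, whichever date directory it sits in."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = CXT_NAME.match(name)
            if m:
                full = os.path.join(dirpath, name)
                found.append(Pcap(full, os.stat(full).st_size, int(m.group(1))))
    return found


def disk_usage(path):
    """(used_bytes, total_bytes) computed the way df reports the percentage."""
    st = os.statvfs(path)
    total = st.f_blocks * st.f_frsize
    free = st.f_bavail * st.f_frsize
    return total - free, total


def plan_rolloff(pcaps, used_bytes, total_bytes, max_percent, keep_newest=1):
    """Oldest-first list of files to delete so that usage drops to max_percent or below.

    The keep_newest most recent files are never candidates: the newest one is
    normally still open for writing by the capture process.
    """
    limit = total_bytes * max_percent / 100.0
    ordered = sorted(pcaps, key=lambda p: (p.epoch, p.path))
    candidates = ordered[:len(ordered) - keep_newest] if keep_newest else ordered
    victims = []
    for p in candidates:
        if used_bytes <= limit:
            break
        victims.append(p)
        used_bytes -= p.size
    return victims


def rolloff(root, max_percent, dry_run=True):
    """Apply plan_rolloff to a real tree; returns what was (or, in dry_run, would be) removed."""
    used, total = disk_usage(root)
    victims = plan_rolloff(list_pcaps(root), used, total, max_percent)
    if not dry_run:
        for v in victims:
            os.remove(v.path)
            try:
                os.rmdir(os.path.dirname(v.path))  # drop a date directory once it is empty
            except OSError:
                pass  # still holds files, or is root itself
    return victims


# Constructed sample: a 1 GiB volume at 95 % with four hourly 100 MiB files.
MB = 1024 * 1024
SAMPLE_TOTAL = 1024 * MB
SAMPLE_USED = 973 * MB
SAMPLE_PCAPS = [
    Pcap(pcap_path("/pcaps", "eth0", 1358251200 + h * 3600), 100 * MB, 1358251200 + h * 3600)
    for h in range(4)
]

if __name__ == "__main__":
    for v in plan_rolloff(SAMPLE_PCAPS, SAMPLE_USED, SAMPLE_TOTAL, 80):
        print("would remove", v.path)
```

Deleting by the epoch in the file name rather than by mtime keeps the order stable when files are copied between hosts, and the `keep_newest` guard is the check that matters in practice: a roll-off that removes the file the capture process is currently writing loses the most recent traffic, which is exactly what the feature is meant to preserve.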
When processing a pcap with cxtracker, the stats file has a name like: stats.(null).1292429344
Should be:
stats.nameofpcapfile.1292429344
Change from using:
MERGE and MyISAM
to
VIEW and InnoDB
I just cloned the latest, cd'd to src, and I get this error.
make
gcc -c -Wall -g -O3 -Wall -Wextra cxtracker.c
cxtracker.c:32:18: fatal error: pcap.h: No such file or directory
compilation terminated.
make: *** [cxtracker.o] Error 1
Make it so that you can choose if you want to store "standard" format or "indexed" format in cxtracker2db.pl
In cxt2pcap.pl, add the ability to pull out flows that use IPv6 addresses. Currently the [1].[2].[3].[4] approach indicates that it's IPv4 only.
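The two cxt2pcap.pl reports on this page, UDP/ICMP streams not being found and the IPv4-only [1].[2].[3].[4] address matching, have the same root cause: a flow lookup that assumes a dotted quad and a port pair. The added example below (not cxt2pcap.pl code) keys flows with `ipaddress.ip_address`, which accepts both families, zeroes the ports for ICMP/ICMPv6 so a request and its reply share a key, and derives the equivalent tcpdump filter. The packets are constructed dicts standing in for decoded headers, the field and function names are this example's own, and the ICMP port convention is an assumption of this example rather than the project's.

```python
import ipaddress
import re
from collections import namedtuple

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ICMPV6 = 1, 6, 17, 58
PORTLESS = {PROTO_ICMP, PROTO_ICMPV6}
BPF_PROTO = {PROTO_ICMP: "icmp", PROTO_TCP: "tcp", PROTO_UDP: "udp", PROTO_ICMPV6: "icmp6"}

# What a [1].[2].[3].[4] style match accepts: dotted quads only.
DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

FlowKey = namedtuple("FlowKey", "proto a_ip a_port b_ip b_port")


def is_dotted_quad(addr):
    return DOTTED_QUAD.match(addr) is not None


def flow_key(src, dst, proto, sport=0, dport=0):
    """Direction-independent key for one flow.

    ipaddress.ip_address parses both families, so an IPv6 flow is keyed
    exactly like an IPv4 one. For ICMP/ICMPv6 the port fields are zeroed
    (this example's convention) so that echo request and reply match.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("mixed address families: %s / %s" % (src, dst))
    if proto in PORTLESS:
        sport = dport = 0
    a, b = (s, sport), (d, dport)
    if (int(s), sport) > (int(d), dport):  # canonical endpoint order
        a, b = b, a
    return FlowKey(proto, a[0], a[1], b[0], b[1])


def packet_key(pkt):
    return flow_key(pkt["src"], pkt["dst"], pkt["proto"],
                    pkt.get("sport", 0), pkt.get("dport", 0))


def select_flow(packets, src, dst, proto, sport=0, dport=0):
    """Indexes of the packets belonging to the flow, in either direction."""
    wanted = flow_key(src, dst, proto, sport, dport)
    return [i for i, p in enumerate(packets) if packet_key(p) == wanted]


def bpf_for(key):
    """tcpdump filter equivalent to the key; correct for both families and portless protocols."""
    fam = "ip" if key.a_ip.version == 4 else "ip6"
    expr = "%s and %s and host %s and host %s" % (fam, BPF_PROTO[key.proto], key.a_ip, key.b_ip)
    if key.proto not in PORTLESS:
        expr += " and port %d and port %d" % (key.a_port, key.b_port)
    return expr


# Constructed decoded packets; the first pair mirrors the TCP flow in the tcpdump output above.
SAMPLE = [
    {"src": "192.168.8.5", "dst": "71.86.84.8", "proto": PROTO_TCP, "sport": 1032, "dport": 3030},
    {"src": "71.86.84.8", "dst": "192.168.8.5", "proto": PROTO_TCP, "sport": 3030, "dport": 1032},
    {"src": "10.0.0.2", "dst": "10.0.0.53", "proto": PROTO_UDP, "sport": 40001, "dport": 53},
    {"src": "10.0.0.53", "dst": "10.0.0.2", "proto": PROTO_UDP, "sport": 53, "dport": 40001},
    {"src": "10.0.0.2", "dst": "10.0.0.1", "proto": PROTO_ICMP, "icmp_type": 8, "icmp_code": 0},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": PROTO_ICMP, "icmp_type": 0, "icmp_code": 0},
    {"src": "2001:db8::1", "dst": "2001:db8::2", "proto": PROTO_UDP, "sport": 5000, "dport": 53},
    {"src": "10.0.0.2", "dst": "10.0.0.53", "proto": PROTO_UDP, "sport": 40002, "dport": 53},
]

if __name__ == "__main__":
    for args in [("10.0.0.2", "10.0.0.53", PROTO_UDP, 40001, 53),
                 ("10.0.0.1", "10.0.0.2", PROTO_ICMP),
                 ("2001:db8::2", "2001:db8::1", PROTO_UDP, 53, 5000)]:
        print(select_flow(SAMPLE, *args), "->", bpf_for(flow_key(*args)))
```

The `bpf_for` output is the part to lift into an extraction script: `ip6 host` rather than `host` alone avoids tcpdump matching an IPv4 packet with the same decimal prefix, and omitting the `port` clauses for ICMP is what stops the UDP/ICMP lookups from returning nothing.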
The headers say
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
However, there is no copy of the GPL.
I believe standard practice for code licensed as "GPL v2 or later" is to include the text from this file http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt as a file called "COPYING" somewhere in the project.