committing changes in /etc made by "apt install -y ulogd2 ulogd2-dbi ulogd2-json...
authorFrank Brehm <frank@brehm-online.com>
Mon, 12 Apr 2021 13:28:10 +0000 (15:28 +0200)
committerFrank Brehm <frank@brehm-online.com>
Mon, 12 Apr 2021 13:28:10 +0000 (15:28 +0200)
Package changes:
+libc-ares2 1.14.0-1 amd64
+libdbi1 0.9.0-5 amd64
+libmaxminddb0 1.3.2-1+deb10u1 amd64
+libnetfilter-acct1 1.0.3-2 amd64
+libnetfilter-log1 1.0.1-1.1+b1 amd64
+libnl-3-200 3.4.0-1 amd64
+libnl-genl-3-200 3.4.0-1 amd64
+libpcap0.8 1.8.1-6 amd64
+libpq5 11.11-0+deb10u1 amd64
+libsbc1 1.4-1 amd64
+libsmi2ldbl 0.4.8+dfsg2-16 amd64
+libspandsp2 0.0.6+dfsg-2 amd64
+libssh-gcrypt-4 0.8.7-1+deb10u1 amd64
+libwireshark-data 2.6.20-0+deb10u1 all
+libwireshark11 2.6.20-0+deb10u1 amd64
+libwiretap8 2.6.20-0+deb10u1 amd64
+libwscodecs2 2.6.20-0+deb10u1 amd64
+libwsutil9 2.6.20-0+deb10u1 amd64
+mmdb-bin 1.3.2-1+deb10u1 amd64
+tcpdump 4.9.3-1~deb10u2 amd64
+tshark 2.6.20-0+deb10u1 amd64
+ulogd2 2.0.7-1+b1 amd64
+ulogd2-dbi 2.0.7-1+b1 amd64
+ulogd2-json 2.0.7-1+b1 amd64
+ulogd2-mysql 2.0.7-1+b1 amd64
+ulogd2-pcap 2.0.7-1+b1 amd64
+ulogd2-pgsql 2.0.7-1+b1 amd64
+ulogd2-sqlite3 2.0.7-1+b1 amd64
+wireshark-common 2.6.20-0+deb10u1 amd64

27 files changed:
.etckeeper
apparmor.d/local/usr.sbin.tcpdump [new file with mode: 0644]
apparmor.d/usr.sbin.tcpdump [new file with mode: 0644]
group
group-
gshadow
gshadow-
init.d/ulogd2 [new file with mode: 0755]
libnl-3/classid [new file with mode: 0644]
libnl-3/pktloc [new file with mode: 0644]
logrotate.d/ulogd2 [new file with mode: 0644]
passwd
passwd-
rc0.d/K01ulogd2 [new symlink]
rc1.d/K01ulogd2 [new symlink]
rc2.d/S01ulogd2 [new symlink]
rc3.d/S01ulogd2 [new symlink]
rc4.d/S01ulogd2 [new symlink]
rc5.d/S01ulogd2 [new symlink]
rc6.d/K01ulogd2 [new symlink]
shadow
shadow-
smi.conf [new file with mode: 0644]
systemd/system/multi-user.target.wants/ulogd2.service [new symlink]
systemd/system/ulogd.service [new symlink]
ulogd.conf [new file with mode: 0644]
wireshark/init.lua [new file with mode: 0644]

index 8d5a14d2ec3035f83b020d133918d63a169cfbff..2575f63d25898d2ceb6e67993a7c6cb520fbbd03 100755 (executable)
@@ -255,12 +255,14 @@ maybe chmod 0644 'apparmor.d/local/usr.bin.man'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.chronyd'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.clamd'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.named'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.tcpdump'
 maybe chmod 0644 'apparmor.d/usr.bin.freshclam'
 maybe chmod 0644 'apparmor.d/usr.bin.man'
 maybe chmod 0644 'apparmor.d/usr.sbin.chronyd'
 maybe chmod 0644 'apparmor.d/usr.sbin.clamd'
 maybe chmod 0644 'apparmor.d/usr.sbin.mysqld'
 maybe chmod 0644 'apparmor.d/usr.sbin.named'
+maybe chmod 0644 'apparmor.d/usr.sbin.tcpdump'
 maybe chmod 0755 'apt'
 maybe chmod 0644 'apt/SALTSTACK-GPG-KEY.pub'
 maybe chmod 0755 'apt/apt.conf.d'
@@ -702,6 +704,7 @@ maybe chmod 0755 'init.d/spamassassin'
 maybe chmod 0755 'init.d/ssh'
 maybe chmod 0755 'init.d/sudo'
 maybe chmod 0755 'init.d/udev'
+maybe chmod 0755 'init.d/ulogd2'
 maybe chmod 0755 'init.d/uwsgi'
 maybe chmod 0644 'init/php7.3-fpm.conf'
 maybe chmod 0755 'initramfs-tools'
@@ -766,6 +769,9 @@ maybe chmod 0644 'ldap/ldap.conf'
 maybe chmod 0755 'ldap/schema'
 maybe chmod 0644 'ldap/schema/amavis.schema'
 maybe chmod 0644 'libaudit.conf'
+maybe chmod 0755 'libnl-3'
+maybe chmod 0644 'libnl-3/classid'
+maybe chmod 0644 'libnl-3/pktloc'
 maybe chmod 0644 'locale.alias'
 maybe chmod 0644 'locale.gen'
 maybe chmod 0755 'logcheck'
@@ -806,6 +812,7 @@ maybe chmod 0644 'logrotate.d/nginx'
 maybe chmod 0644 'logrotate.d/php7.3-fpm'
 maybe chmod 0644 'logrotate.d/rsyslog'
 maybe chmod 0644 'logrotate.d/salt-common'
+maybe chmod 0644 'logrotate.d/ulogd2'
 maybe chmod 0644 'logrotate.d/uwsgi'
 maybe chmod 0644 'logrotate.d/wtmp'
 maybe chmod 0755 'logwatch'
@@ -1192,6 +1199,7 @@ maybe chmod 0644 'skel/.bashrc'
 maybe chmod 0644 'skel/.bashrc.orig'
 maybe chmod 0644 'skel/.cloud-locale-test.skip'
 maybe chmod 0644 'skel/.profile'
+maybe chmod 0644 'smi.conf'
 maybe chmod 0755 'spamassassin'
 maybe chmod 0644 'spamassassin/65_debian.cf'
 maybe chmod 0644 'spamassassin/init.pre'
@@ -1288,6 +1296,7 @@ maybe chmod 0644 'ufw/applications.d/dovecot-pop3d'
 maybe chmod 0644 'ufw/applications.d/nginx'
 maybe chmod 0644 'ufw/applications.d/openssh-server'
 maybe chmod 0644 'ufw/applications.d/postfix'
+maybe chmod 0600 'ulogd.conf'
 maybe chmod 0755 'update-motd.d'
 maybe chmod 0755 'update-motd.d/10-uname'
 maybe chmod 0644 'updatedb.conf'
@@ -1301,6 +1310,8 @@ maybe chmod 0644 'vim/vimrc'
 maybe chmod 0644 'vim/vimrc.local'
 maybe chmod 0644 'vim/vimrc.tiny'
 maybe chmod 0644 'wgetrc'
+maybe chmod 0755 'wireshark'
+maybe chmod 0644 'wireshark/init.lua'
 maybe chmod 0644 'xattr.conf'
 maybe chmod 0755 'xdg'
 maybe chmod 0755 'xdg/systemd'
diff --git a/apparmor.d/local/usr.sbin.tcpdump b/apparmor.d/local/usr.sbin.tcpdump
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/apparmor.d/usr.sbin.tcpdump b/apparmor.d/usr.sbin.tcpdump
new file mode 100644 (file)
index 0000000..7a7da4f
--- /dev/null
@@ -0,0 +1,63 @@
+# vim:syntax=apparmor
+#include <tunables/global>
+
+/usr/sbin/tcpdump {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  capability net_raw,
+  capability setuid,
+  capability setgid,
+  capability dac_override,
+  network raw,
+  network packet,
+
+  # for -D
+  @{PROC}/bus/usb/ r,
+  @{PROC}/bus/usb/** r,
+
+  # for finding an interface
+  @{PROC}/[0-9]*/net/dev r,
+  /sys/bus/usb/devices/ r,
+  /sys/class/net/ r,
+  /sys/devices/**/net/* r,
+
+  # for -j
+  capability net_admin,
+
+  # for tracing USB bus, which libpcap supports
+  /dev/usbmon* r,
+  /dev/bus/usb/ r,
+  /dev/bus/usb/** r,
+
+  # for init_etherarray(), with -e
+  /etc/ethers r,
+
+  # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
+  /dev/bus/usb/**/[0-9]* w,
+
+  # for -z
+  /{usr/,}bin/gzip ixr,
+  /{usr/,}bin/bzip2 ixr,
+
+  # for -F and -w
+  audit deny @{HOME}/.* mrwkl,
+  audit deny @{HOME}/.*/ rw,
+  audit deny @{HOME}/.*/** mrwkl,
+  audit deny @{HOME}/bin/ rw,
+  audit deny @{HOME}/bin/** mrwkl,
+  owner @{HOME}/ r,
+  owner @{HOME}/** rw,
+
+  # for -r, -F and -w
+  /**.[pP][cC][aA][pP] rw,
+
+  # for convenience with -r (ie, read pcap files from other sources)
+  /var/log/snort/*log* r,
+
+  /usr/sbin/tcpdump mr,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.tcpdump>
+}
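Review bot: The profile grants `/**.[pP][cC][aA][pP] rw` together with `capability dac_override`, so a confined tcpdump may read or create any `.pcap` path anywhere on the filesystem regardless of DAC permissions; this is the packaged default, not a site choice. Because `apparmor.d/local/usr.sbin.tcpdump` is added in this same commit as an empty file and is pulled in by the `#include <local/usr.sbin.tcpdump>` on the last line of the profile, host-specific tightening belongs there, where a package upgrade of this profile will not overwrite it — AppArmor `deny` rules in the local file take precedence over the allows above. A one-line comment in the local file stating that intent, such as `# site overrides for tcpdump; deny rules here win over the packaged profile`, would make the empty override self-explanatory.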
diff --git a/group b/group
index 8a4ad652bac2b8bd762347736f6d70b6aa57c4ec..d25de8c9f111f3adf225b8803c9c97d7f7ce721f 100644 (file)
--- a/group
+++ b/group
@@ -66,3 +66,4 @@ mlmmj:x:2003:
 iredadmin:x:2001:
 iredapd:x:2002:
 netdata:x:2004:
+ulog:x:124:
diff --git a/group- b/group-
index 25433ec4a6c6fa9d6aef2a6d08ea15906b050da2..8a4ad652bac2b8bd762347736f6d70b6aa57c4ec 100644 (file)
--- a/group-
+++ b/group-
@@ -10,7 +10,7 @@ mail:x:8:frank
 news:x:9:
 uucp:x:10:
 man:x:12:frank
-proxy:x:13:
+proxy:x:13:netdata
 kmem:x:15:
 dialout:x:20:
 fax:x:21:
diff --git a/gshadow b/gshadow
index e5ce20300123060d90edc3daa0830e66957de941..0c7420602b99325b4a7b8f16316dc30ebe070ad6 100644 (file)
--- a/gshadow
+++ b/gshadow
@@ -66,3 +66,4 @@ mlmmj:!::
 iredadmin:!::
 iredapd:!::
 netdata:!::
+ulog:!::
index d4c00cae1333e9733e96be1eba23f0525b35ebb8..e5ce20300123060d90edc3daa0830e66957de941 100644 (file)
--- a/gshadow-
+++ b/gshadow-
@@ -10,7 +10,7 @@ mail:*::frank
 news:*::
 uucp:*::
 man:*::frank
-proxy:*::
+proxy:*::netdata
 kmem:*::
 dialout:*::
 fax:*::
diff --git a/init.d/ulogd2 b/init.d/ulogd2
new file mode 100755 (executable)
index 0000000..2a759e3
--- /dev/null
@@ -0,0 +1,131 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          ulogd2 ulogd
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Starts ulogd2
+# Description:       Starts the netfilter userspace log daemon
+### END INIT INFO
+
+# Author: Chris Boot <bootc@debian.org>
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="netfilter userspace log daemon"
+NAME=ulogd
+DAEMON=/usr/sbin/$NAME
+DAEMON_USER=ulog
+PIDDIR=/run/ulog
+PIDFILE=$PIDDIR/$NAME.pid
+DAEMON_ARGS="--daemon --uid $DAEMON_USER --pidfile $PIDFILE"
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+       # Make sure our /run directory exists
+       if [ ! -d $PIDDIR ]; then
+               mkdir $PIDDIR
+               chown $DAEMON_USER: $PIDDIR
+       fi
+
+       # Return
+       #   0 if daemon has been started
+       #   1 if daemon was already running
+       #   2 if daemon could not be started
+       start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON \
+               --test > /dev/null || return 1
+       start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
+               $DAEMON_ARGS || return 2
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+       # Return
+       #   0 if daemon has been stopped
+       #   1 if daemon was already stopped
+       #   2 if daemon could not be stopped
+       #   other if a failure occurred
+       start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
+               --pidfile $PIDFILE --name $NAME
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+       start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE \
+               --name $NAME
+       return 0
+}
+
+case "$1" in
+  start)
+       log_daemon_msg "Starting $DESC" "$NAME"
+       do_start; RET=$?
+       case $RET in
+               0|1) log_end_msg 0; exit 0 ;;
+               *) log_end_msg 1; exit 1 ;;
+       esac
+       ;;
+  stop)
+       log_daemon_msg "Stopping $DESC" "$NAME"
+       do_stop; RET=$?
+       case $RET in
+               0|1) log_end_msg 0; exit 0 ;;
+               *) log_end_msg 1; exit 1 ;;
+       esac
+       ;;
+  status)
+       status_of_proc "$DAEMON" "$NAME"
+       ;;
+  reload|force-reload)
+       log_daemon_msg "Reloading $DESC" "$NAME"
+       do_reload; RET=$?
+       log_end_msg $RET
+       exit $RET
+       ;;
+  restart)
+       log_daemon_msg "Restarting $DESC" "$NAME"
+       do_stop; RET=$?
+       case $RET in
+         0|1)
+               do_start; RET=$?
+               case $RET in
+                       0) log_end_msg 0; exit 0 ;;
+                       1) log_end_msg 1; exit 1 ;; # Old process is still running
+                       *) log_end_msg 1; exit 1 ;; # Failed to start
+               esac
+               ;;
+         *)
+               # Failed to stop
+               log_end_msg 1; exit 1
+               ;;
+       esac
+       ;;
+  *)
+       echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
+       exit 3
+       ;;
+esac
+
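Review bot: `do_start` creates the runtime directory with a bare `mkdir $PIDDIR` followed by a separate `chown`, so its mode is whatever the caller's umask yields and it briefly exists root-owned; `install -d -m 0755 -o "$DAEMON_USER" -g "$DAEMON_USER" "$PIDDIR"` does both steps at once with an explicit mode (the `ulog` group exists, it is added in `group` by this commit). The pidfile then lives in a directory writable by the unprivileged `ulog` user; `do_stop` passes `--name $NAME` next to `--pidfile`, which is what stops a tampered pidfile from pointing start-stop-daemon at an unrelated process, so that flag should survive any later edit of the stop logic. Variables such as `$PIDDIR` and `$PIDFILE` are expanded unquoted throughout, harmless for these fixed paths but worth quoting if `/etc/default/ulogd` is ever allowed to override them. Since this commit also links `ulogd2.service` into `multi-user.target.wants`, this script is presumably only exercised on a sysvinit boot.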
diff --git a/libnl-3/classid b/libnl-3/classid
new file mode 100644 (file)
index 0000000..2203243
--- /dev/null
@@ -0,0 +1,45 @@
+###############################################################################
+#
+# ClassID <-> Name Translation Table
+#
+# This file can be used to assign names to classids for easier reference
+# in all libnl tools.
+#
+# Format:
+#   <MAJ:>             <NAME>          # qdisc definition
+#   <MAJ:MIN>          <NAME>          # class deifnition
+#   <NAME:MIN>         <NAME>          # class definition referencing an
+#                                        existing qdisc definition.
+#
+# Example:
+#   1:                 top             # top -> 1:0
+#   top:1              interactive     # interactive -> 1:1
+#   top:2              www             # www -> 1:2
+#   top:3              bulk            # bulk -> 1:3
+#   2:1                        test_class      # test_class -> 2:1
+#
+# Illegal Example:
+#   30:1                classD
+#   classD:2            invalidClass    # classD refers to a class, not a qdisc
+#
+###############################################################################
+
+# <CLASSID>            <NAME>
+
+# Reserved default classids
+0:0                    none
+ffff:ffff              root
+ffff:fff1              ingress
+
+#
+# List your classid definitions here:
+#
+
+
+
+###############################################################################
+# List of auto-generated classids
+#
+# DO NOT ADD CLASSID DEFINITIONS BELOW THIS LINE
+#
+# <CLASSID>            <NAME>
diff --git a/libnl-3/pktloc b/libnl-3/pktloc
new file mode 100644 (file)
index 0000000..8559161
--- /dev/null
@@ -0,0 +1,76 @@
+#
+# Location definitions for packet matching
+#
+
+# name         alignment       offset          mask            shift
+ip.version     u8              net+0           0xF0            4
+ip.hdrlen      u8              net+0           0x0F
+ip.diffserv    u8              net+1
+ip.length      u16             net+2
+ip.id          u16             net+4
+ip.flag.res    u8              net+6           0xff            7
+ip.df          u8              net+6           0x40            6
+ip.mf          u8              net+6           0x20            5
+ip.offset      u16             net+6           0x1FFF
+ip.ttl         u8              net+8
+ip.proto       u8              net+9
+ip.chksum      u16             net+10
+ip.src         u32             net+12
+ip.dst         u32             net+16
+
+# if ip.ihl > 5
+ip.opts                u32             net+20
+
+
+#
+# IP version 6
+#
+# name         alignment       offset          mask            shift
+ip6.version    u8              net+0           0xF0            4
+ip6.tc         u16             net+0           0xFF0           4
+ip6.flowlabel  u32             net+0           0xFFFFF
+ip6.length     u16             net+4
+ip6.nexthdr    u8              net+6
+ip6.hoplimit   u8              net+7
+ip6.src                16              net+8
+ip6.dst                16              net+24
+
+#
+# Transmission Control Protocol (TCP)
+#
+# name         alignment       offset          mask            shift
+tcp.sport      u16             tcp+0
+tcp.dport      u16             tcp+2
+tcp.seq                u32             tcp+4
+tcp.ack                u32             tcp+8
+
+# Data offset (4 bits)
+tcp.off                u8              tcp+12          0xF0            4
+
+# Reserved [0 0 0] (3 bits)
+tcp.reserved   u8              tcp+12          0x04            1
+
+# ECN [N C E] (3 bits)
+tcp.ecn                u16             tcp+12          0x01C00         6
+
+# Individual TCP flags (0|1) (6 bits in total)
+tcp.flag.urg   u8              tcp+13          0x20            5
+tcp.flag.ack   u8              tcp+13          0x10            4
+tcp.flag.psh   u8              tcp+13          0x08            3
+tcp.flag.rst   u8              tcp+13          0x04            2
+tcp.flag.syn   u8              tcp+13          0x02            1
+tcp.flag.fin   u8              tcp+13          0x01
+
+tcp.win                u16             tcp+14
+tcp.csum       u16             tcp+16
+tcp.urg                u16             tcp+18
+tcp.opts       u32             tcp+20
+
+#
+# User Datagram Protocol (UDP)
+#
+# name         alignment       offset          mask            shift
+udp.sport      u16             tcp+0
+udp.dport      u16             tcp+2
+udp.length     u16             tcp+4
+udp.csum       u16             tcp+6
diff --git a/logrotate.d/ulogd2 b/logrotate.d/ulogd2
new file mode 100644 (file)
index 0000000..4d03ba9
--- /dev/null
@@ -0,0 +1,14 @@
+/var/log/ulog/*.log /var/log/ulog/*.pcap {
+    missingok
+    compress
+    delaycompress
+    sharedscripts
+    create 640 ulog adm
+    postrotate
+       if [ -d /run/systemd/system ] && command systemctl >/dev/null 2>&1 && systemctl is-active --quiet ulogd2.service; then
+           systemctl kill --kill-who main --signal=SIGHUP ulogd2.service
+       else
+           invoke-rc.d ulogd2 reload > /dev/null
+       fi
+    endscript
+}
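Review bot: The `postrotate` test `command systemctl >/dev/null 2>&1` actually executes `systemctl` with no arguments (a unit listing) merely to learn whether it exists; the existence-check idiom is `command -v systemctl >/dev/null 2>&1`, which costs nothing. The rest of the condition is sound: `is-active --quiet` keeps the SIGHUP from going to a stopped unit, and the non-systemd branch falls back to `invoke-rc.d ulogd2 reload`. Rotated files are recreated as `640 ulog adm`, which matches the `ulog` account and group this commit adds in `passwd` and `group`.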
diff --git a/passwd b/passwd
index 107f7e6c19d6ae449c7ab2f394a711d12998d5c0..91a1b700a5fe87dd1590a05772ad747dd2d0388f 100644 (file)
--- a/passwd
+++ b/passwd
@@ -38,3 +38,4 @@ mlmmj:x:2003:2003::/var/vmail/mlmmj:/usr/sbin/nologin
 iredadmin:x:2001:2001::/home/iredadmin:/usr/sbin/nologin
 iredapd:x:2002:2002::/home/iredapd:/usr/sbin/nologin
 netdata:x:2004:2004::/home/netdata:/usr/sbin/nologin
+ulog:x:115:124::/var/log/ulog:/bin/false
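Review bot: The new `ulog` entry uses `/bin/false` as its shell while every neighbouring service account in this hunk (`iredadmin`, `iredapd`, `netdata`) uses `/usr/sbin/nologin`; both block interactive login, but `nologin` is the convention the rest of this file follows, so `ulog:x:115:124::/var/log/ulog:/usr/sbin/nologin` would be consistent if the account is ever edited by hand. The home directory is the log directory `/var/log/ulog`, the same path the logrotate rule in this commit recreates files under as `ulog:adm`, which is fine for a daemon account that never logs in. The uid 115 and gid 124 are in the system range, and gid 124 matches the `ulog:x:124:` group added in `group`.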
diff --git a/passwd- b/passwd-
index 927e4c0bf57513a872e2c0fc879ce0eb8347693e..91a1b700a5fe87dd1590a05772ad747dd2d0388f 100644 (file)
--- a/passwd-
+++ b/passwd-
@@ -37,3 +37,5 @@ vmail:x:2000:2000::/home/vmail:/usr/sbin/nologin
 mlmmj:x:2003:2003::/var/vmail/mlmmj:/usr/sbin/nologin
 iredadmin:x:2001:2001::/home/iredadmin:/usr/sbin/nologin
 iredapd:x:2002:2002::/home/iredapd:/usr/sbin/nologin
+netdata:x:2004:2004::/home/netdata:/usr/sbin/nologin
+ulog:x:115:124::/var/log/ulog:/bin/false
diff --git a/rc0.d/K01ulogd2 b/rc0.d/K01ulogd2
new file mode 120000 (symlink)
index 0000000..aac15cc
--- /dev/null
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc1.d/K01ulogd2 b/rc1.d/K01ulogd2
new file mode 120000 (symlink)
index 0000000..aac15cc
--- /dev/null
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc2.d/S01ulogd2 b/rc2.d/S01ulogd2
new file mode 120000 (symlink)
index 0000000..aac15cc
--- /dev/null
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc3.d/S01ulogd2 b/rc3.d/S01ulogd2
new file mode 120000 (symlink)
index 0000000..aac15cc
--- /dev/null
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc4.d/S01ulogd2 b/rc4.d/S01ulogd2
new file mode 120000 (symlink)
index 0000000..aac15cc
--- /dev/null
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc5.d/S01ulogd2 b/rc5.d/S01ulogd2
new file mode 120000 (symlink)
index 0000000..aac15cc
--- /dev/null
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc6.d/K01ulogd2 b/rc6.d/K01ulogd2
new file mode 120000 (symlink)
index 0000000..aac15cc
--- /dev/null
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/shadow b/shadow
index 84b864c77c4876016ec2a9ffabb1117d7613cfd9..f99089bede50429161a0ebda2812371e21b53cb6 100644 (file)
--- a/shadow
+++ b/shadow
@@ -38,3 +38,4 @@ mlmmj:!:18725:0:99999:7:::
 iredadmin:!:18725:0:99999:7:::
 iredapd:!:18725:0:99999:7:::
 netdata:!:18725:0:99999:7:::
+ulog:*:18729:0:99999:7:::
diff --git a/shadow- b/shadow-
index e03436024a790433aea1b6c3c95365a6ef12d505..f99089bede50429161a0ebda2812371e21b53cb6 100644 (file)
--- a/shadow-
+++ b/shadow-
@@ -37,3 +37,5 @@ vmail:!:18725:0:99999:7:::
 mlmmj:!:18725:0:99999:7:::
 iredadmin:!:18725:0:99999:7:::
 iredapd:!:18725:0:99999:7:::
+netdata:!:18725:0:99999:7:::
+ulog:*:18729:0:99999:7:::
diff --git a/smi.conf b/smi.conf
new file mode 100644 (file)
index 0000000..744ec22
--- /dev/null
+++ b/smi.conf
@@ -0,0 +1,41 @@
+#
+# smi.conf - Global SMI configuration file.
+#
+# Copyright (c) 2000 Frank Strauss, Technical University of Braunschweig.
+#
+# See the file "COPYING" for information on usage and redistribution
+# of this file, and for a DISCLAIMER OF ALL WARRANTIES.
+#
+# See smi_config(3) for detailed information on configuration files.
+#
+# Debian version by Remco van de Meent <remco@debian.org>
+# 20010612
+
+# Extend (note the semicolon) the libsmi default module search path.
+# (On Windows systems, use `;' instead of `:', and `\' instead of `/'.)
+
+path :/usr/share/snmp/mibs
+path :/usr/share/snmp/mibs/iana
+path :/usr/share/snmp/mibs/ietf
+path :/usr/share/snmp/mibs/site
+path :/var/lib/snmp/mibs/site
+path :/usr/share/mibs/site
+
+# Don't show any errors by default.
+level 0
+
+# Preload some basic SMIv2 modules.
+load SNMPv2-SMI
+load SNMPv2-TC
+load SNMPv2-CONF
+
+# Make smilint shout loud to report all errors and warnings.
+smilint: level 9
+
+# But please don't claim about any names longer than 32 chars.
+# (note: this is the prefix of errors `namelength-32-module,
+#  -type, -object, -enumeration, and -bit)
+smilint: hide namelength-32
+
+# Preloading some more modules for special applications.
+# smiquery: load IF-MIB
diff --git a/systemd/system/multi-user.target.wants/ulogd2.service b/systemd/system/multi-user.target.wants/ulogd2.service
new file mode 120000 (symlink)
index 0000000..c2b8879
--- /dev/null
@@ -0,0 +1 @@
+/lib/systemd/system/ulogd2.service
\ No newline at end of file
diff --git a/systemd/system/ulogd.service b/systemd/system/ulogd.service
new file mode 120000 (symlink)
index 0000000..c2b8879
--- /dev/null
@@ -0,0 +1 @@
+/lib/systemd/system/ulogd2.service
\ No newline at end of file
diff --git a/ulogd.conf b/ulogd.conf
new file mode 100644 (file)
index 0000000..285cf9b
--- /dev/null
@@ -0,0 +1,332 @@
+# Example configuration for ulogd
+# Adapted to Debian by Achilleas Kotsis <achille@debian.gr>
+
+[global]
+######################################################################
+# GLOBAL OPTIONS
+######################################################################
+
+
+# logfile for status messages
+logfile="syslog"
+
+# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) (default 5)
+loglevel=3
+
+######################################################################
+# PLUGIN OPTIONS
+######################################################################
+
+# We have to configure and load all the plugins we want to use
+
+# general rules:
+#
+# 0. don't specify any plugin for ulogd to load them all
+# 1. load the plugins _first_ from the global section
+# 2. options for each plugin in seperate section below
+
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_ULOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_UNIXSOCK.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2BIN.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2HBIN.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTPKT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_MARK.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_LOGEMU.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SYSLOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_XML.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SQLITE3.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GPRINT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_NACCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PCAP.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PGSQL.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_MYSQL.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_DBI.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFACCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GRAPHITE.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_JSON.so"
+
+# this is a stack for logging packet send by system via LOGEMU
+stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via LOGEMU
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for ULOG packet-based logging via LOGEMU
+#stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via LOGEMU with filtering on MARK
+#stack=log2:NFLOG,base1:BASE,mark1:MARK,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via GPRINT
+#stack=log1:NFLOG,gp1:GPRINT
+
+# this is a stack for flow-based logging via LOGEMU
+#stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
+
+# this is a stack for flow-based logging via GPRINT
+#stack=ct1:NFCT,gp1:GPRINT
+
+# this is a stack for flow-based logging via XML
+#stack=ct1:NFCT,xml1:XML
+
+# this is a stack for logging in XML
+#stack=log1:NFLOG,xml1:XML
+
+# this is a stack for accounting-based logging via XML
+#stack=acct1:NFACCT,xml1:XML
+
+# this is a stack for accounting-based logging to a Graphite server
+#stack=acct1:NFACCT,graphite1:GRAPHITE
+
+# this is a stack for NFLOG packet-based logging to PCAP
+#stack=log2:NFLOG,base1:BASE,pcap1:PCAP
+
+# this is a stack for logging packet to MySQL
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL
+
+# this is a stack for logging packet to PGsql after a collect via NFLOG
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,pgsql1:PGSQL
+
+# this is a stack for logging packet to JSON formatted file after a collect via NFLOG
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON
+
+# this is a stack for logging packets to syslog after a collect via NFLOG
+#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
+
+# this is a stack for logging packets to syslog after a collect via NuFW
+#stack=nuauth1:UNIXSOCK,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
+
+# this is a stack for flow-based logging to MySQL
+#stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL
+
+# this is a stack for flow-based logging to PGSQL
+#stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL
+
+# this is a stack for flow-based logging to PGSQL without local hash
+#stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL
+
+# this is a stack for flow-based logging to SQLITE3
+#stack=ct1:NFCT,sqlite3_ct:SQLITE3
+
+# this is a stack for logging packet to SQLITE3
+#stack=log1:NFLOG,sqlite3_pkt:SQLITE3
+
+# this is a stack for flow-based logging in NACCT compatible format
+#stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT
+
+# this is a stack for accounting-based logging via GPRINT
+#stack=acct1:NFACCT,gp1:GPRINT
+
+[ct1]
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+#netlink_resync_timeout=60 # seconds to wait to perform resynchronization
+#pollinterval=10 # use poll-based logging instead of event-driven
+# If pollinterval is not set, NFCT plugin will work in event mode
+# In this case, you can use the following filters on events:
+#accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks
+#accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks
+#accept_proto_filter=tcp,sctp # layer 4 proto of connections
+
+[ct2]
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+#reliable=1 # enable reliable flow-based logging (may drop packets)
+hash_enable=0
+
+# Logging of system packet through NFLOG
+[log1]
+# netlink multicast group (the same as the iptables --nflog-group param)
+# Group O is used by the kernel to log connection tracking invalid message
+group=0
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# set number of packet to queue inside kernel
+#netlink_qthreshold=1
+# set the delay before flushing packet in the queue inside kernel (in 10ms)
+#netlink_qtimeout=100
+
+# packet logging through NFLOG for group 1
+[log2]
+# netlink multicast group (the same as the iptables --nflog-group param)
+group=1 # Group has to be different from the one use in log1
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
+# group 0 is not used by any stack, you need to have at least one NFLOG
+# input plugin with bind set to 1. If you don't do that you may not
+# receive any message from the kernel.
+#bind=1
+
+# packet logging through NFLOG for group 2, numeric_label is
+# set to 1
+[log3]
+# netlink multicast group (the same as the iptables --nflog-group param)
+group=2 # Group has to be different from the one use in log1/log2
+numeric_label=1 # you can label the log info based on the packet verdict
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+#bind=1
+
+[ulog1]
+# netlink multicast group (the same as the iptables --ulog-nlgroup param)
+nlgroup=1
+#numeric_label=0 # optional argument
+
+[nuauth1]
+socket_path="/tmp/nuauth_ulogd2.sock"
+
+[emu1]
+file="/var/log/ulog/syslogemu.log"
+sync=1
+
+[op1]
+file="/var/log/ulog/oprint.log"
+sync=1
+
+[gp1]
+file="/var/log/ulog/gprint.log"
+sync=1
+timestamp=1
+
+[xml1]
+directory="/var/log/ulog/"
+sync=1
+
+[json1]
+sync=1
+#file="/var/log/ulog/ulogd.json"
+#timestamp=0
+# device name to be used in JSON message
+#device="My awesome Netfilter firewall"
+# If boolean_label is set to 1 then the numeric_label put on packet
+# by the input plugin is coding the action on packet: if 0, then
+# packet has been blocked and if non null it has been accepted.
+#boolean_label=1
+# Uncomment the following line to use JSON v1 event format that
+# can provide better compatility with some JSON file reader.
+#eventv1=1
+
+[pcap1]
+#default file is /var/log/ulogd.pcap
+#file="/var/log/ulog/ulogd.pcap"
+sync=1
+
+[mysql1]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog"
+pass="changeme"
+procedure="INSERT_PACKET_FULL"
+# backlog configuration:
+# set backlog_memcap to the size of memory that will be
+# allocated to store events in memory if data is temporary down
+# and insert them when the database came back.
+#backlog_memcap=1000000
+# number of events to insert at once when backlog is not empty
+#backlog_oneshot_requests=10
+
+[mysql2]
+db="nulog"
+host="localhost"
+user="nupik"
+table="conntrack"
+pass="changeme"
+procedure="INSERT_CT"
+
+[pgsql1]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog"
+#schema="public"
+pass="changeme"
+procedure="INSERT_PACKET_FULL"
+# connstring can be used to define PostgreSQL connection string which
+# contains all parameters of the connection. If set, this value has
+# precedence on other variables used to build the connection string.
+# See http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
+# for a complete description of options.
+#connstring="host=localhost port=4321 dbname=nulog user=nupik password=changeme"
+#backlog_memcap=1000000
+#backlog_oneshot_requests=10
+# If superior to 1 a thread dedicated to SQL request execution
+# is created. The value stores the number of SQL request to keep
+# in the ring buffer
+#ring_buffer_size=1000
+
+[pgsql2]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog2_ct"
+#schema="public"
+pass="changeme"
+procedure="INSERT_CT"
+
+[pgsql3]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog2_ct"
+#schema="public"
+pass="changeme"
+procedure="INSERT_OR_REPLACE_CT"
+
+[pgsql4]
+db="nulog"
+host="localhost"
+user="nupik"
+table="nfacct"
+#schema="public"
+pass="changeme"
+procedure="INSERT_NFACCT"
+
+[dbi1]
+db="ulog2"
+dbtype="pgsql"
+host="localhost"
+user="ulog2"
+table="ulog"
+pass="ulog2"
+procedure="INSERT_PACKET_FULL"
+
+[sqlite3_ct]
+table="ulog_ct"
+db="/var/log/ulog/ulogd.sqlite3db"
+
+[sqlite3_pkt]
+table="ulog_pkt"
+db="/var/log/ulog/ulogd.sqlite3db"
+
+[sys2]
+facility=LOG_LOCAL2
+
+[nacct1]
+sync = 1
+#file = /var/log/ulog/nacct.log
+
+[mark1]
+mark = 1
+
+[acct1]
+pollinterval = 2
+# If set to 0, we don't reset the counters for each polling (default is 1).
+#zerocounter = 0
+# Set timestamp (default is 0, which means not set). This timestamp can be
+# interpreted by the output plugin.
+#timestamp = 1
+
+[graphite1]
+host="127.0.0.1"
+port="2003"
+# Prefix of data name sent to graphite server
+prefix="netfilter.nfacct"
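Review bot: The only active `stack=` line is the NFLOG-to-LOGEMU one (`log1` through `emu1`, writing `/var/log/ulog/syslogemu.log`), yet the file still carries the packaged `[mysql1]`, `[mysql2]` and `[pgsql1]` to `[pgsql4]` sections with `pass="changeme"` and a `[dbi1]` section with `pass="ulog2"`; none of those output plugins is loaded, so the blocks are dead configuration, and if a database output is enabled later the placeholder credentials must be replaced before the matching stack is uncommented. Keeping `ulogd.conf` at mode 0600, as the `.etckeeper` hunk in this commit records, is the right choice for a file that holds credentials, and trimming the unused sections would make the reason obvious. Separately, the `[log1]` comment reads "Group O is used by the kernel" where the setting is `group=0` — a letter O standing in for the digit — so `# Group 0 is used by the kernel to log connection tracking invalid messages` would match the value it explains.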
diff --git a/wireshark/init.lua b/wireshark/init.lua
new file mode 100644 (file)
index 0000000..91c0d10
--- /dev/null
@@ -0,0 +1,703 @@
+-- init.lua
+--
+-- initialize wireshark's lua
+--
+--  This file is going to be executed before any other lua script.
+--  It can be used to load libraries, disable functions and more.
+--
+-- Wireshark - Network traffic analyzer
+-- By Gerald Combs <gerald@wireshark.org>
+-- Copyright 1998 Gerald Combs
+--
+-- SPDX-License-Identifier: GPL-2.0-or-later
+
+-- Set disable_lua to true to disable Lua support.
+disable_lua = false
+
+if disable_lua then
+    return
+end
+
+-- If set and we are running with special privileges this setting
+-- tells whether scripts other than this one are to be run.
+run_user_scripts_when_superuser = false
+
+
+-- disable potentialy harmful lua functions when running superuser
+if running_superuser then
+    local hint = "has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user."
+    local disabled_lib = {}
+    setmetatable(disabled_lib,{ __index = function() error("this package ".. hint) end } );
+
+    dofile = function() error("dofile " .. hint) end
+    loadfile = function() error("loadfile " .. hint) end
+    loadlib = function() error("loadlib " .. hint) end
+    require = function() error("require " .. hint) end
+    os = disabled_lib
+    io = disabled_lib
+    file = disabled_lib
+end
+
+-- to avoid output to stdout which can cause problems lua's print ()
+-- has been suppresed so that it yields an error.
+-- have print() call info() instead.
+if gui_enabled() then
+    print = info
+end
+
+function typeof(obj)
+    local mt = getmetatable(obj)
+    return mt and mt.__typeof or obj.__typeof or type(obj)
+end
+
+-- the following function checks if a file exists
+-- since 1.11.3
+function file_exists(name)
+   local f = io.open(name,"r")
+   if f ~= nil then io.close(f) return true else return false end
+end
+
+-- the following function prepends the given directory name to
+-- the package.path, so that a 'require "foo"' will work if 'foo'
+-- is in the directory name given to this function. For example,
+-- if your Lua file will do a 'require "foo"' and the foo.lua
+-- file is in a local directory (local to your script) named 'bar',
+-- then call this function before doing your 'require', by doing
+--     package.prepend_path("bar")
+-- and that will let Wireshark's Lua find the file "bar/foo.lua"
+-- when you later do 'require "foo"'
+--
+-- Because this function resides here in init.lua, it does not
+-- have the same environment as your script, so it has to get it
+-- using the debug library, which is why the code appears so
+-- cumbersome.
+--
+-- since 1.11.3
+function package.prepend_path(name)
+    local debug = require "debug"
+    -- get the function calling this package.prepend_path function
+    local dt = debug.getinfo(2, "f")
+    if not dt then
+        error("could not retrieve debug info table")
+    end
+    -- get its upvalue
+    local _, val = debug.getupvalue(dt.func, 1)
+    if not val or type(val) ~= 'table' then
+        error("No calling function upvalue or it is not a table")
+    end
+    -- get the __DIR__ field in its upvalue table
+    local dir = val["__DIR__"]
+    -- get the platform-specific directory separator character
+    local sep = package.config:sub(1,1)
+    -- prepend the dir and given name to path
+    if dir and dir:len() > 0 then
+        package.path = dir .. sep .. name .. sep .. "?.lua;" .. package.path
+    end
+    -- also prepend just the name as a directory
+    package.path = name .. sep .. "?.lua;" .. package.path
+end
+
+-- Wiretap encapsulations XXX
+wtap_encaps = {
+       ["PER_PACKET"] = -1,
+       ["UNKNOWN"] = 0,
+       ["ETHERNET"] = 1,
+       ["TOKEN_RING"] = 2,
+       ["SLIP"] = 3,
+       ["PPP"] = 4,
+       ["FDDI"] = 5,
+       ["FDDI_BITSWAPPED"] = 6,
+       ["RAW_IP"] = 7,
+       ["ARCNET"] = 8,
+       ["ARCNET_LINUX"] = 9,
+       ["ATM_RFC1483"] = 10,
+       ["LINUX_ATM_CLIP"] = 11,
+       ["LAPB"] = 12,
+       ["ATM_PDUS"] = 13,
+       ["ATM_PDUS_UNTRUNCATED"] = 14,
+       ["NULL"] = 15,
+       ["ASCEND"] = 16,
+       ["ISDN"] = 17,
+       ["IP_OVER_FC"] = 18,
+       ["PPP_WITH_PHDR"] = 19,
+       ["IEEE_802_11"] = 20,
+       ["IEEE_802_11_PRISM"] = 21,
+       ["IEEE_802_11_WITH_RADIO"] = 22,
+       ["IEEE_802_11_RADIOTAP"] = 23,
+       ["IEEE_802_11_AVS"] = 24,
+       ["SLL"] = 25,
+       ["FRELAY"] = 26,
+       ["FRELAY_WITH_PHDR"] = 27,
+       ["CHDLC"] = 28,
+       ["CISCO_IOS"] = 29,
+       ["LOCALTALK"] = 30,
+       ["OLD_PFLOG"] = 31,
+       ["HHDLC"] = 32,
+       ["DOCSIS"] = 33,
+       ["COSINE"] = 34,
+       ["WFLEET_HDLC"] = 35,
+       ["SDLC"] = 36,
+       ["TZSP"] = 37,
+       ["ENC"] = 38,
+       ["PFLOG"] = 39,
+       ["CHDLC_WITH_PHDR"] = 40,
+       ["BLUETOOTH_H4"] = 41,
+       ["MTP2"] = 42,
+       ["MTP3"] = 43,
+       ["IRDA"] = 44,
+       ["USER0"] = 45,
+       ["USER1"] = 46,
+       ["USER2"] = 47,
+       ["USER3"] = 48,
+       ["USER4"] = 49,
+       ["USER5"] = 50,
+       ["USER6"] = 51,
+       ["USER7"] = 52,
+       ["USER8"] = 53,
+       ["USER9"] = 54,
+       ["USER10"] = 55,
+       ["USER11"] = 56,
+       ["USER12"] = 57,
+       ["USER13"] = 58,
+       ["USER14"] = 59,
+       ["USER15"] = 60,
+       ["SYMANTEC"] = 61,
+       ["APPLE_IP_OVER_IEEE1394"] = 62,
+       ["BACNET_MS_TP"] = 63,
+       ["NETTL_RAW_ICMP"] = 64,
+       ["NETTL_RAW_ICMPV6"] = 65,
+       ["GPRS_LLC"] = 66,
+       ["JUNIPER_ATM1"] = 67,
+       ["JUNIPER_ATM2"] = 68,
+       ["REDBACK"] = 69,
+       ["NETTL_RAW_IP"] = 70,
+       ["NETTL_ETHERNET"] = 71,
+       ["NETTL_TOKEN_RING"] = 72,
+       ["NETTL_FDDI"] = 73,
+       ["NETTL_UNKNOWN"] = 74,
+       ["MTP2_WITH_PHDR"] = 75,
+       ["JUNIPER_PPPOE"] = 76,
+       ["GCOM_TIE1"] = 77,
+       ["GCOM_SERIAL"] = 78,
+       ["NETTL_X25"] = 79,
+       ["K12"] = 80,
+       ["JUNIPER_MLPPP"] = 81,
+       ["JUNIPER_MLFR"] = 82,
+       ["JUNIPER_ETHER"] = 83,
+       ["JUNIPER_PPP"] = 84,
+       ["JUNIPER_FRELAY"] = 85,
+       ["JUNIPER_CHDLC"] = 86,
+       ["JUNIPER_GGSN"] = 87,
+       ["LINUX_LAPD"] = 88,
+       ["CATAPULT_DCT2000"] = 89,
+       ["BER"] = 90,
+       ["JUNIPER_VP"] = 91,
+       ["USB_FREEBSD"] = 92,
+       ["IEEE802_16_MAC_CPS"] = 93,
+       ["NETTL_RAW_TELNET"] = 94,
+       ["USB_LINUX"] = 95,
+       ["MPEG"] = 96,
+       ["PPI"] = 97,
+       ["ERF"] = 98,
+       ["BLUETOOTH_H4_WITH_PHDR"] = 99,
+       ["SITA"] = 100,
+       ["SCCP"] = 101,
+       ["BLUETOOTH_HCI"] = 102,
+       ["IPMB"] = 103,
+       ["IEEE802_15_4"] = 104,
+       ["X2E_XORAYA"] = 105,
+       ["FLEXRAY"] = 106,
+       ["LIN"] = 107,
+       ["MOST"] = 108,
+       ["CAN20B"] = 109,
+       ["LAYER1_EVENT"] = 110,
+       ["X2E_SERIAL"] = 111,
+       ["I2C"] = 112,
+       ["IEEE802_15_4_NONASK_PHY"] = 113,
+       ["TNEF"] = 114,
+       ["USB_LINUX_MMAPPED"] = 115,
+       ["GSM_UM"] = 116,
+       ["DPNSS"] = 117,
+       ["PACKETLOGGER"] = 118,
+       ["NSTRACE_1_0"] = 119,
+       ["NSTRACE_2_0"] = 120,
+       ["FIBRE_CHANNEL_FC2"] = 121,
+       ["FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS"] = 122,
+       ["JPEG_JFIF"] = 123,
+       ["IPNET"] = 124,
+       ["SOCKETCAN"] = 125,
+       ["IEEE_802_11_NETMON"] = 126,
+       ["IEEE802_15_4_NOFCS"] = 127,
+       ["RAW_IPFIX"] = 128,
+       ["RAW_IP4"] = 129,
+       ["RAW_IP6"] = 130,
+       ["LAPD"] = 131,
+       ["DVBCI"] = 132,
+       ["MUX27010"] = 133,
+       ["MIME"] = 134,
+       ["NETANALYZER"] = 135,
+       ["NETANALYZER_TRANSPARENT"] = 136,
+       ["IP_OVER_IB_SNOOP"] = 137,
+       ["MPEG_2_TS"] = 138,
+       ["PPP_ETHER"] = 139,
+       ["NFC_LLCP"] = 140,
+       ["NFLOG"] = 141,
+       ["V5_EF"] = 142,
+       ["BACNET_MS_TP_WITH_PHDR"] = 143,
+       ["IXVERIWAVE"] = 144,
+       ["SDH"] = 145,
+       ["DBUS"] = 146,
+       ["AX25_KISS"] = 147,
+       ["AX25"] = 148,
+       ["SCTP"] = 149,
+       ["INFINIBAND"] = 150,
+       ["JUNIPER_SVCS"] = 151,
+       ["USBPCAP"] = 152,
+       ["RTAC_SERIAL"] = 153,
+       ["BLUETOOTH_LE_LL"] = 154,
+       ["WIRESHARK_UPPER_PDU"] = 155,
+       ["STANAG_4607"] = 156,
+       ["STANAG_5066_D_PDU"] = 157,
+       ["NETLINK"] = 158,
+       ["BLUETOOTH_LINUX_MONITOR"] = 159,
+       ["BLUETOOTH_BREDR_BB"] = 160,
+       ["BLUETOOTH_LE_LL_WITH_PHDR"] = 161,
+       ["NSTRACE_3_0"] = 162,
+       ["LOGCAT"] = 163,
+       ["LOGCAT_BRIEF"] = 164,
+       ["LOGCAT_PROCESS"] = 165,
+       ["LOGCAT_TAG"] = 166,
+       ["LOGCAT_THREAD"] = 167,
+       ["LOGCAT_TIME"] = 168,
+       ["LOGCAT_THREADTIME"] = 169,
+       ["LOGCAT_LONG"] = 170,
+       ["PKTAP"] = 171,
+       ["EPON"] = 172,
+       ["IPMI_TRACE"] = 173,
+       ["LOOP"] = 174,
+       ["JSON"] = 175,
+       ["NSTRACE_3_5"] = 176,
+       ["ISO14443"] = 177,
+       ["GFP_T"] = 178,
+       ["GFP_F"] = 179,
+       ["IP_OVER_IB_PCAP"] = 180,
+       ["JUNIPER_VN"] = 181,
+       ["USB_DARWIN"] = 182,
+       ["LORATAP"] = 183,
+       ["3MB_ETHERNET"] = 184,
+       ["VSOCK"] = 185,
+       ["NORDIC_BLE"] = 186,
+       ["NETMON_NET_NETEVENT"] = 187,
+       ["NETMON_HEADER"] = 188,
+       ["NETMON_NET_FILTER"] = 189,
+       ["NETMON_NETWORK_INFO_EX"] = 190,
+       ["MA_WFP_CAPTURE_V4"] = 191,
+       ["MA_WFP_CAPTURE_V6"] = 192,
+       ["MA_WFP_CAPTURE_2V4"] = 193,
+       ["MA_WFP_CAPTURE_2V6"] = 194,
+       ["MA_WFP_CAPTURE_AUTH_V4"] = 195,
+       ["MA_WFP_CAPTURE_AUTH_V6"] = 196,
+       ["JUNIPER_ST"] = 197,
+       ["ETHERNET_MPACKET"] = 198,
+       ["DOCSIS31_XRA31"] = 199
+}
+wtap = wtap_encaps -- for bw compatibility
+
+
+-- Wiretap file types
+wtap_filetypes = {
+       ["UNKNOWN"] = 0,
+       ["PCAP"] = 1,
+       ["PCAPNG"] = 2,
+       ["PCAP_NSEC"] = 3,
+       ["PCAP_AIX"] = 4,
+       ["PCAP_SS991029"] = 5,
+       ["PCAP_NOKIA"] = 6,
+       ["PCAP_SS990417"] = 7,
+       ["PCAP_SS990915"] = 8,
+       ["5VIEWS"] = 9,
+       ["IPTRACE_1_0"] = 10,
+       ["IPTRACE_2_0"] = 11,
+       ["BER"] = 12,
+       ["HCIDUMP"] = 13,
+       ["CATAPULT_DCT2000"] = 14,
+       ["NETXRAY_OLD"] = 15,
+       ["NETXRAY_1_0"] = 16,
+       ["COSINE"] = 17,
+       ["CSIDS"] = 18,
+       ["DBS_ETHERWATCH"] = 19,
+       ["ERF"] = 20,
+       ["EYESDN"] = 21,
+       ["NETTL"] = 22,
+       ["ISERIES"] = 23,
+       ["ISERIES_UNICODE"] = 24,
+       ["I4BTRACE"] = 25,
+       ["ASCEND"] = 26,
+       ["NGSNIFFER_UNCOMPRESSED"] = 29,
+       ["NGSNIFFER_COMPRESSED"] = 30,
+       ["NETXRAY_1_1"] = 31,
+       ["NETWORK_INSTRUMENTS"] = 33,
+       ["LANALYZER"] = 34,
+       ["PPPDUMP"] = 35,
+       ["RADCOM"] = 36,
+       ["SNOOP"] = 37,
+       ["SHOMITI"] = 38,
+       ["VMS"] = 39,
+       ["K12"] = 40,
+       ["TOSHIBA"] = 41,
+       ["VISUAL_NETWORKS"] = 42,
+       ["PEEKCLASSIC_V56"] = 43,
+       ["PEEKCLASSIC_V7"] = 44,
+       ["PEEKTAGGED"] = 45,
+       ["MPEG"] = 46,
+       ["K12TEXT"] = 47,
+       ["NETSCREEN"] = 48,
+       ["COMMVIEW"] = 49,
+       ["BTSNOOP"] = 50,
+       ["TNEF"] = 51,
+       ["DCT3TRACE"] = 52,
+       ["PACKETLOGGER"] = 53,
+       ["DAINTREE_SNA"] = 54,
+       ["NETSCALER_1_0"] = 55,
+       ["NETSCALER_2_0"] = 56,
+       ["JPEG_JFIF"] = 57,
+       ["IPFIX"] = 58,
+       ["MIME"] = 59,
+       ["AETHRA"] = 60,
+       ["MPEG_2_TS"] = 61,
+       ["VWR_80211"] = 62,
+       ["VWR_ETH"] = 63,
+       ["CAMINS"] = 64,
+       ["STANAG_4607"] = 65,
+       ["NETSCALER_3_0"] = 66,
+       ["LOGCAT"] = 67,
+       ["LOGCAT_BRIEF"] = 68,
+       ["LOGCAT_PROCESS"] = 69,
+       ["LOGCAT_TAG"] = 70,
+       ["LOGCAT_THREAD"] = 71,
+       ["LOGCAT_TIME"] = 72,
+       ["LOGCAT_THREADTIME"] = 73,
+       ["LOGCAT_LONG"] = 74,
+       ["COLASOFT_CAPSA"] = 75,
+       ["COLASOFT_PACKET_BUILDER"] = 76,
+       ["JSON"] = 77,
+       ["NETSCALER_3_5"] = 78,
+       ["NETTRACE_3GPP_32_423"] = 79,
+       ["MPLOG"] = 80,
+       ["TSPREC_SEC"] = 0,
+       ["TSPREC_DSEC"] = 1,
+       ["TSPREC_CSEC"] = 2,
+       ["TSPREC_MSEC"] = 3,
+       ["TSPREC_USEC"] = 6,
+       ["TSPREC_NSEC"] = 9
+}
+
+
+-- Wiretap timestamp precision types
+wtap_tsprecs = {
+       ["SEC"] = 0,
+       ["DSEC"] = 1,
+       ["CSEC"] = 2,
+       ["MSEC"] = 3,
+       ["USEC"] = 6,
+       ["NSEC"] = 9
+}
+
+
+-- Wiretap file comment types
+wtap_comments = {
+       ["PER_SECTION"] = 0x00000001,
+       ["PER_INTERFACE"] = 0x00000002,
+       ["PER_PACKET"] = 0x00000004
+}
+
+
+-- Field Types
+ftypes = {
+       ["NONE"] = 0,
+       ["PROTOCOL"] = 1,
+       ["BOOLEAN"] = 2,
+       ["CHAR"] = 3,
+       ["UINT8"] = 4,
+       ["UINT16"] = 5,
+       ["UINT24"] = 6,
+       ["UINT32"] = 7,
+       ["UINT40"] = 8,
+       ["UINT48"] = 9,
+       ["UINT56"] = 10,
+       ["UINT64"] = 11,
+       ["INT8"] = 12,
+       ["INT16"] = 13,
+       ["INT24"] = 14,
+       ["INT32"] = 15,
+       ["INT40"] = 16,
+       ["INT48"] = 17,
+       ["INT56"] = 18,
+       ["INT64"] = 19,
+       ["IEEE_11073_SFLOAT"] = 20,
+       ["IEEE_11073_FLOAT"] = 21,
+       ["FLOAT"] = 22,
+       ["DOUBLE"] = 23,
+       ["ABSOLUTE_TIME"] = 24,
+       ["RELATIVE_TIME"] = 25,
+       ["STRING"] = 26,
+       ["STRINGZ"] = 27,
+       ["UINT_STRING"] = 28,
+       ["ETHER"] = 29,
+       ["BYTES"] = 30,
+       ["UINT_BYTES"] = 31,
+       ["IPv4"] = 32,
+       ["IPv6"] = 33,
+       ["IPXNET"] = 34,
+       ["FRAMENUM"] = 35,
+       ["PCRE"] = 36,
+       ["GUID"] = 37,
+       ["OID"] = 38,
+       ["EUI64"] = 39,
+       ["AX25"] = 40,
+       ["VINES"] = 41,
+       ["REL_OID"] = 42,
+       ["SYSTEM_ID"] = 43,
+       ["STRINGZPAD"] = 44,
+       ["FCWWN"] = 45
+}
+
+
+-- the following table is since 2.0
+-- Field Type FRAMENUM Types
+frametype = {
+       ["NONE"] = 0,
+       ["REQUEST"] = 1,
+       ["RESPONSE"] = 2,
+       ["ACK"] = 3,
+       ["DUP_ACK"] = 4,
+       ["RETRANS_PREV"] = 5,
+       ["RETRANS_NEXT"] = 6
+}
+
+
+-- the following table is since 1.12
+-- Wiretap record_types
+wtap_rec_types = {
+       ["PACKET"] = 0,  -- packet 
+       ["FT_SPECIFIC_EVENT"] = 1,  -- file-type-specific event 
+       ["FT_SPECIFIC_REPORT"] = 2,  -- file-type-specific report 
+       ["SYSCALL"] = 3,  -- system call 
+}
+
+
+-- the following table is since 1.11.3
+-- Wiretap presence flags
+wtap_presence_flags = {
+       ["TS"] = 1,  -- time stamp 
+       ["CAP_LEN"] = 2,  -- captured length separate from on-the-network length 
+       ["INTERFACE_ID"] = 4,  -- interface ID 
+       ["COMMENTS"] = 8,  -- comments 
+       ["DROP_COUNT"] = 16,  -- drop count 
+       ["PACK_FLAGS"] = 32,  -- packet flags 
+}
+
+
+-- Display Bases
+base = {
+       ["NONE"] = 0,  -- none
+       ["DEC"] = 1,  -- decimal
+       ["HEX"] = 2,  -- hexadecimal
+       ["OCT"] = 3,  -- octal
+       ["DEC_HEX"] = 4,  -- decimal (hexadecimal)
+       ["HEX_DEC"] = 5,  -- hexadecimal (decimal)
+       ["CUSTOM"] = 6,  -- call custom routine (in ->strings) to format
+       ["ASCII"] = 0,  -- shows non-printable ASCII characters as C-style escapes
+       ["UNICODE"] = 7,  -- shows non-printable UNICODE characters as \\uXXXX (XXX for now non-printable characters display depends on UI)
+       ["DOT"] = 8,  -- hexadecimal bytes with a period (.) between each byte
+       ["DASH"] = 9,  -- hexadecimal bytes with a dash (-) between each byte
+       ["COLON"] = 10,  -- hexadecimal bytes with a colon (:) between each byte
+       ["SPACE"] = 11,  -- hexadecimal bytes with a space between each byte
+       ["NETMASK"] = 12,  -- Used for IPv4 address that shouldn't be resolved (like for netmasks)
+       ["PT_UDP"] = 13,  -- UDP port
+       ["PT_TCP"] = 14,  -- TCP port
+       ["PT_DCCP"] = 15,  -- DCCP port
+       ["PT_SCTP"] = 16,  -- SCTP port
+       ["OUI"] = 17,  -- OUI resolution
+       ["UNIT_STRING"] = 4096,  -- Add unit text to the field value
+       ["LOCAL"] = 1000,  -- local time in our time zone, with month and day
+       ["UTC"] = 1001,  -- UTC, with month and day
+       ["DOY_UTC"] = 1002,  -- UTC, with 1-origin day-of-year
+}
+
+
+-- Encodings
+ENC_BIG_ENDIAN = 0
+ENC_LITTLE_ENDIAN = 2147483648
+ENC_TIME_TIMESPEC = 0
+ENC_TIME_NTP = 2
+ENC_TIME_TOD = 4
+ENC_TIME_RTPS = 8
+ENC_TIME_NTP_BASE_ZERO = 14
+ENC_TIME_TIMEVAL = 16
+ENC_TIME_SECS = 18
+ENC_TIME_MSECS = 20
+ENC_TIME_SECS_NTP = 24
+ENC_TIME_RFC_3971 = 32
+ENC_TIME_MSEC_NTP = 34
+ENC_CHARENCODING_MASK = 2147483646
+ENC_ASCII = 0
+ENC_UTF_8 = 2
+ENC_UTF_16 = 4
+ENC_UCS_2 = 6
+ENC_UCS_4 = 8
+ENC_ISO_8859_1 = 10
+ENC_ISO_8859_2 = 12
+ENC_ISO_8859_3 = 14
+ENC_ISO_8859_4 = 16
+ENC_ISO_8859_5 = 18
+ENC_ISO_8859_6 = 20
+ENC_ISO_8859_7 = 22
+ENC_ISO_8859_8 = 24
+ENC_ISO_8859_9 = 26
+ENC_ISO_8859_10 = 28
+ENC_ISO_8859_11 = 30
+ENC_ISO_8859_13 = 34
+ENC_ISO_8859_14 = 36
+ENC_ISO_8859_15 = 38
+ENC_ISO_8859_16 = 40
+ENC_WINDOWS_1250 = 42
+ENC_3GPP_TS_23_038_7BITS = 44
+ENC_EBCDIC = 46
+ENC_MAC_ROMAN = 48
+ENC_CP437 = 50
+ENC_ASCII_7BITS = 52
+ENC_T61 = 54
+ENC_EBCDIC_CP037 = 56
+ENC_ZIGBEE = 58
+ENC_NA = 0
+ENC_STR_NUM = 16777216
+ENC_STR_HEX = 33554432
+ENC_STRING = 50331648
+ENC_STR_MASK = 65534
+ENC_NUM_PREF = 2097152
+ENC_VARINT_PROTOBUF = 2
+ENC_VARINT_QUIC = 4
+ENC_SEP_NONE = 65536
+ENC_SEP_COLON = 131072
+ENC_SEP_DASH = 262144
+ENC_SEP_DOT = 524288
+ENC_SEP_SPACE = 1048576
+ENC_SEP_MASK = 2031616
+ENC_ISO_8601_DATE = 65536
+ENC_ISO_8601_TIME = 131072
+ENC_ISO_8601_DATE_TIME = 196608
+ENC_RFC_822 = 262144
+ENC_RFC_1123 = 524288
+ENC_STR_TIME_MASK = 983040
+
+
+
+-- Expert flags and facilities (deprecated - see 'expert' table below)
+PI_SEVERITY_MASK = 15728640
+PI_COMMENT = 1048576
+PI_CHAT = 2097152
+PI_NOTE = 4194304
+PI_WARN = 6291456
+PI_ERROR = 8388608
+PI_GROUP_MASK = 4278190080
+PI_CHECKSUM = 16777216
+PI_SEQUENCE = 33554432
+PI_RESPONSE_CODE = 50331648
+PI_REQUEST_CODE = 67108864
+PI_UNDECODED = 83886080
+PI_REASSEMBLE = 100663296
+PI_MALFORMED = 117440512
+PI_DEBUG = 134217728
+PI_PROTOCOL = 150994944
+PI_SECURITY = 167772160
+PI_COMMENTS_GROUP = 184549376
+PI_DECRYPTION = 201326592
+PI_ASSUMPTION = 218103808
+PI_DEPRECATED = 234881024
+
+
+
+-- the following table is since 1.11.3
+-- Expert flags and facilities
+expert = {
+       -- Expert event groups
+       group = {
+               -- The protocol field has a bad checksum, usually uses PI_WARN severity
+               ["CHECKSUM"] = 16777216,
+               -- The protocol field indicates a sequence problem (e.g. TCP window is zero)
+               ["SEQUENCE"] = 33554432,
+               -- The protocol field indicates a bad application response code (e.g. HTTP 404), usually PI_NOTE severity
+               ["RESPONSE_CODE"] = 50331648,
+               -- The protocol field indicates an application request (e.g. File Handle == xxxx), usually PI_CHAT severity
+               ["REQUEST_CODE"] = 67108864,
+               -- The data is undecoded, the protocol dissection is incomplete here, usually PI_WARN severity
+               ["UNDECODED"] = 83886080,
+               -- The protocol field indicates a reassemble (e.g. DCE/RPC defragmentation), usually PI_CHAT severity (or PI_ERROR)
+               ["REASSEMBLE"] = 100663296,
+               -- The packet data is malformed, the dissector has "given up", usually PI_ERROR severity
+               ["MALFORMED"] = 117440512,
+               -- A generic debugging message (shouldn't remain in production code!), usually PI_ERROR severity
+               ["DEBUG"] = 134217728,
+               -- The protocol field violates a protocol specification, usually PI_WARN severity
+               ["PROTOCOL"] = 150994944,
+               -- The protocol field indicates a security problem (e.g. insecure implementation)
+               ["SECURITY"] = 167772160,
+               -- The protocol field indicates a packet comment
+               ["COMMENTS_GROUP"] = 184549376,
+               -- The protocol field indicates a decryption problem
+               ["DECRYPTION"] = 201326592,
+               -- The protocol field has incomplete data, decode based on assumed value
+               ["ASSUMPTION"] = 218103808,
+               -- The protocol field has been deprecated, usually PI_NOTE severity
+               ["DEPRECATED"] = 234881024,
+       },
+       -- Expert severity levels
+       severity = {
+               -- Packet comment
+               ["COMMENT"] = 1048576,
+               -- Usual workflow, e.g. TCP connection establishing
+               ["CHAT"] = 2097152,
+               -- Notable messages, e.g. an application returned an "unusual" error code like HTTP 404
+               ["NOTE"] = 4194304,
+               -- Warning, e.g. application returned an "unusual" error code
+               ["WARN"] = 6291456,
+               -- Serious problems, e.g. a malformed packet
+               ["ERROR"] = 8388608,
+       },
+}
+
+
+
+-- menu groups for register_menu
+MENU_ANALYZE_UNSORTED = 0
+MENU_ANALYZE_CONVERSATION = 1
+MENU_STAT_UNSORTED = 2
+MENU_STAT_GENERIC = 3
+MENU_STAT_CONVERSATION = 4
+MENU_STAT_ENDPOINT = 5
+MENU_STAT_RESPONSE = 6
+MENU_STAT_TELEPHONY = 7
+MENU_STAT_TELEPHONY_ANSI = 8
+MENU_STAT_TELEPHONY_GSM = 9
+MENU_STAT_TELEPHONY_LTE = 10
+MENU_STAT_TELEPHONY_MTP = 11
+MENU_STAT_TELEPHONY_SCTP = 12
+MENU_TOOLS_UNSORTED = 13
+
+
+-- other useful constants
+-- DATA_DIR and USER_DIR have a trailing directory separator.
+GUI_ENABLED = gui_enabled()
+DATA_DIR = Dir.global_config_path()..package.config:sub(1,1)
+USER_DIR = Dir.personal_config_path()..package.config:sub(1,1)
+
+-- deprecated function names
+datafile_path = Dir.global_config_path
+persconffile_path = Dir.personal_config_path
+
+
+if not running_superuser or run_user_scripts_when_superuser then
+    dofile(DATA_DIR.."console.lua")
+end
+--dofile(DATA_DIR.."dtd_gen.lua")
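Review bot: The `if running_superuser then` guard is not a sandbox, only a deterrent: it rebinds the globals `os`, `io`, `dofile`, `loadfile` and `require`, but `package.loaded.io`, `package.loaded.os`, `package.loadlib`, `load`/`loadstring` and the `debug` library (which `package.prepend_path` itself pulls in) remain reachable, so any Lua that does execute as root still has full file and process access. That makes it important that `run_user_scripts_when_superuser = false` stays as shipped; note too that, as written, flipping it to `true` under root would make the closing `dofile(DATA_DIR.."console.lua")` hit the already-replaced `dofile` and raise the "has been disabled" error, so the flag appears unusable from this file anyway (the C side may treat it differently — unverified here). This is the stock file installed by wireshark-common and managed as a dpkg conffile, so rather than hardening it locally (and fighting conffile prompts on every upgrade) the practical control is the one the hint text already points to: give capture rights to the `wireshark` group via dumpcap's file capabilities and keep tshark, and therefore its Lua engine, out of root on this host. `file_exists` calls `io.open` and will itself error when the root guard is active; that is the intended effect of the guard, not something to patch around.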