maybe chmod 0644 'apparmor.d/local/usr.sbin.chronyd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.clamd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.named'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.tcpdump'
maybe chmod 0644 'apparmor.d/usr.bin.freshclam'
maybe chmod 0644 'apparmor.d/usr.bin.man'
maybe chmod 0644 'apparmor.d/usr.sbin.chronyd'
maybe chmod 0644 'apparmor.d/usr.sbin.clamd'
maybe chmod 0644 'apparmor.d/usr.sbin.mysqld'
maybe chmod 0644 'apparmor.d/usr.sbin.named'
+maybe chmod 0644 'apparmor.d/usr.sbin.tcpdump'
maybe chmod 0755 'apt'
maybe chmod 0644 'apt/SALTSTACK-GPG-KEY.pub'
maybe chmod 0755 'apt/apt.conf.d'
maybe chmod 0755 'init.d/ssh'
maybe chmod 0755 'init.d/sudo'
maybe chmod 0755 'init.d/udev'
+maybe chmod 0755 'init.d/ulogd2'
maybe chmod 0755 'init.d/uwsgi'
maybe chmod 0644 'init/php7.3-fpm.conf'
maybe chmod 0755 'initramfs-tools'
maybe chmod 0755 'ldap/schema'
maybe chmod 0644 'ldap/schema/amavis.schema'
maybe chmod 0644 'libaudit.conf'
+maybe chmod 0755 'libnl-3'
+maybe chmod 0644 'libnl-3/classid'
+maybe chmod 0644 'libnl-3/pktloc'
maybe chmod 0644 'locale.alias'
maybe chmod 0644 'locale.gen'
maybe chmod 0755 'logcheck'
maybe chmod 0644 'logrotate.d/php7.3-fpm'
maybe chmod 0644 'logrotate.d/rsyslog'
maybe chmod 0644 'logrotate.d/salt-common'
+maybe chmod 0644 'logrotate.d/ulogd2'
maybe chmod 0644 'logrotate.d/uwsgi'
maybe chmod 0644 'logrotate.d/wtmp'
maybe chmod 0755 'logwatch'
maybe chmod 0644 'skel/.bashrc.orig'
maybe chmod 0644 'skel/.cloud-locale-test.skip'
maybe chmod 0644 'skel/.profile'
+maybe chmod 0644 'smi.conf'
maybe chmod 0755 'spamassassin'
maybe chmod 0644 'spamassassin/65_debian.cf'
maybe chmod 0644 'spamassassin/init.pre'
maybe chmod 0644 'ufw/applications.d/nginx'
maybe chmod 0644 'ufw/applications.d/openssh-server'
maybe chmod 0644 'ufw/applications.d/postfix'
+maybe chmod 0600 'ulogd.conf'
maybe chmod 0755 'update-motd.d'
maybe chmod 0755 'update-motd.d/10-uname'
maybe chmod 0644 'updatedb.conf'
maybe chmod 0644 'vim/vimrc.local'
maybe chmod 0644 'vim/vimrc.tiny'
maybe chmod 0644 'wgetrc'
+maybe chmod 0755 'wireshark'
+maybe chmod 0644 'wireshark/init.lua'
maybe chmod 0644 'xattr.conf'
maybe chmod 0755 'xdg'
maybe chmod 0755 'xdg/systemd'
--- /dev/null
+# vim:syntax=apparmor
+#include <tunables/global>
+
+/usr/sbin/tcpdump {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+
+ capability net_raw,
+ capability setuid,
+ capability setgid,
+ capability dac_override,
+ network raw,
+ network packet,
+
+ # for -D
+ @{PROC}/bus/usb/ r,
+ @{PROC}/bus/usb/** r,
+
+ # for finding an interface
+ @{PROC}/[0-9]*/net/dev r,
+ /sys/bus/usb/devices/ r,
+ /sys/class/net/ r,
+ /sys/devices/**/net/* r,
+
+ # for -j
+ capability net_admin,
+
+ # for tracing USB bus, which libpcap supports
+ /dev/usbmon* r,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/** r,
+
+ # for init_etherarray(), with -e
+ /etc/ethers r,
+
+ # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
+ /dev/bus/usb/**/[0-9]* w,
+
+ # for -z
+ /{usr/,}bin/gzip ixr,
+ /{usr/,}bin/bzip2 ixr,
+
+ # for -F and -w
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ owner @{HOME}/ r,
+ owner @{HOME}/** rw,
+
+ # for -r, -F and -w
+ /**.[pP][cC][aA][pP] rw,
+
+ # for convenience with -r (ie, read pcap files from other sources)
+ /var/log/snort/*log* r,
+
+ /usr/sbin/tcpdump mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.tcpdump>
+}
iredadmin:x:2001:
iredapd:x:2002:
netdata:x:2004:
+ulog:x:124:
news:x:9:
uucp:x:10:
man:x:12:frank
-proxy:x:13:
+proxy:x:13:netdata
kmem:x:15:
dialout:x:20:
fax:x:21:
iredadmin:!::
iredapd:!::
netdata:!::
+ulog:!::
news:*::
uucp:*::
man:*::frank
-proxy:*::
+proxy:*::netdata
kmem:*::
dialout:*::
fax:*::
--- /dev/null
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: ulogd2 ulogd
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Starts ulogd2
+# Description: Starts the netfilter userspace log daemon
+### END INIT INFO
+
+# Author: Chris Boot <bootc@debian.org>
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="netfilter userspace log daemon"
+NAME=ulogd
+DAEMON=/usr/sbin/$NAME
+DAEMON_USER=ulog
+PIDDIR=/run/ulog
+PIDFILE=$PIDDIR/$NAME.pid
+DAEMON_ARGS="--daemon --uid $DAEMON_USER --pidfile $PIDFILE"
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Make sure our /run directory exists
+ if [ ! -d $PIDDIR ]; then
+ mkdir $PIDDIR
+ chown $DAEMON_USER: $PIDDIR
+ fi
+
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON \
+ --test > /dev/null || return 1
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS || return 2
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
+ --pidfile $PIDFILE --name $NAME
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE \
+ --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting $DESC" "$NAME"
+ do_start; RET=$?
+ case $RET in
+ 0|1) log_end_msg 0; exit 0 ;;
+ *) log_end_msg 1; exit 1 ;;
+ esac
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop; RET=$?
+ case $RET in
+ 0|1) log_end_msg 0; exit 0 ;;
+ *) log_end_msg 1; exit 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME"
+ ;;
+ reload|force-reload)
+ log_daemon_msg "Reloading $DESC" "$NAME"
+ do_reload; RET=$?
+ log_end_msg $RET
+ exit $RET
+ ;;
+ restart)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop; RET=$?
+ case $RET in
+ 0|1)
+ do_start; RET=$?
+ case $RET in
+ 0) log_end_msg 0; exit 0 ;;
+ 1) log_end_msg 1; exit 1 ;; # Old process is still running
+ *) log_end_msg 1; exit 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1; exit 1
+ ;;
+ esac
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
--- /dev/null
+###############################################################################
+#
+# ClassID <-> Name Translation Table
+#
+# This file can be used to assign names to classids for easier reference
+# in all libnl tools.
+#
+# Format:
+# <MAJ:> <NAME> # qdisc definition
+# <MAJ:MIN> <NAME> # class deifnition
+# <NAME:MIN> <NAME> # class definition referencing an
+# existing qdisc definition.
+#
+# Example:
+# 1: top # top -> 1:0
+# top:1 interactive # interactive -> 1:1
+# top:2 www # www -> 1:2
+# top:3 bulk # bulk -> 1:3
+# 2:1 test_class # test_class -> 2:1
+#
+# Illegal Example:
+# 30:1 classD
+# classD:2 invalidClass # classD refers to a class, not a qdisc
+#
+###############################################################################
+
+# <CLASSID> <NAME>
+
+# Reserved default classids
+0:0 none
+ffff:ffff root
+ffff:fff1 ingress
+
+#
+# List your classid definitions here:
+#
+
+
+
+###############################################################################
+# List of auto-generated classids
+#
+# DO NOT ADD CLASSID DEFINITIONS BELOW THIS LINE
+#
+# <CLASSID> <NAME>
--- /dev/null
+#
+# Location definitions for packet matching
+#
+
+# name alignment offset mask shift
+ip.version u8 net+0 0xF0 4
+ip.hdrlen u8 net+0 0x0F
+ip.diffserv u8 net+1
+ip.length u16 net+2
+ip.id u16 net+4
+ip.flag.res u8 net+6 0xff 7
+ip.df u8 net+6 0x40 6
+ip.mf u8 net+6 0x20 5
+ip.offset u16 net+6 0x1FFF
+ip.ttl u8 net+8
+ip.proto u8 net+9
+ip.chksum u16 net+10
+ip.src u32 net+12
+ip.dst u32 net+16
+
+# if ip.ihl > 5
+ip.opts u32 net+20
+
+
+#
+# IP version 6
+#
+# name alignment offset mask shift
+ip6.version u8 net+0 0xF0 4
+ip6.tc u16 net+0 0xFF0 4
+ip6.flowlabel u32 net+0 0xFFFFF
+ip6.length u16 net+4
+ip6.nexthdr u8 net+6
+ip6.hoplimit u8 net+7
+ip6.src 16 net+8
+ip6.dst 16 net+24
+
+#
+# Transmission Control Protocol (TCP)
+#
+# name alignment offset mask shift
+tcp.sport u16 tcp+0
+tcp.dport u16 tcp+2
+tcp.seq u32 tcp+4
+tcp.ack u32 tcp+8
+
+# Data offset (4 bits)
+tcp.off u8 tcp+12 0xF0 4
+
+# Reserved [0 0 0] (3 bits)
+tcp.reserved u8 tcp+12 0x04 1
+
+# ECN [N C E] (3 bits)
+tcp.ecn u16 tcp+12 0x01C00 6
+
+# Individual TCP flags (0|1) (6 bits in total)
+tcp.flag.urg u8 tcp+13 0x20 5
+tcp.flag.ack u8 tcp+13 0x10 4
+tcp.flag.psh u8 tcp+13 0x08 3
+tcp.flag.rst u8 tcp+13 0x04 2
+tcp.flag.syn u8 tcp+13 0x02 1
+tcp.flag.fin u8 tcp+13 0x01
+
+tcp.win u16 tcp+14
+tcp.csum u16 tcp+16
+tcp.urg u16 tcp+18
+tcp.opts u32 tcp+20
+
+#
+# User Datagram Protocol (UDP)
+#
+# name alignment offset mask shift
+udp.sport u16 tcp+0
+udp.dport u16 tcp+2
+udp.length u16 tcp+4
+udp.csum u16 tcp+6
--- /dev/null
+/var/log/ulog/*.log /var/log/ulog/*.pcap {
+ missingok
+ compress
+ delaycompress
+ sharedscripts
+ create 640 ulog adm
+ postrotate
+ if [ -d /run/systemd/system ] && command systemctl >/dev/null 2>&1 && systemctl is-active --quiet ulogd2.service; then
+ systemctl kill --kill-who main --signal=SIGHUP ulogd2.service
+ else
+ invoke-rc.d ulogd2 reload > /dev/null
+ fi
+ endscript
+}
iredadmin:x:2001:2001::/home/iredadmin:/usr/sbin/nologin
iredapd:x:2002:2002::/home/iredapd:/usr/sbin/nologin
netdata:x:2004:2004::/home/netdata:/usr/sbin/nologin
+ulog:x:115:124::/var/log/ulog:/bin/false
mlmmj:x:2003:2003::/var/vmail/mlmmj:/usr/sbin/nologin
iredadmin:x:2001:2001::/home/iredadmin:/usr/sbin/nologin
iredapd:x:2002:2002::/home/iredapd:/usr/sbin/nologin
+netdata:x:2004:2004::/home/netdata:/usr/sbin/nologin
+ulog:x:115:124::/var/log/ulog:/bin/false
--- /dev/null
+../init.d/ulogd2
\ No newline at end of file
--- /dev/null
+../init.d/ulogd2
\ No newline at end of file
--- /dev/null
+../init.d/ulogd2
\ No newline at end of file
--- /dev/null
+../init.d/ulogd2
\ No newline at end of file
--- /dev/null
+../init.d/ulogd2
\ No newline at end of file
--- /dev/null
+../init.d/ulogd2
\ No newline at end of file
--- /dev/null
+../init.d/ulogd2
\ No newline at end of file
iredadmin:!:18725:0:99999:7:::
iredapd:!:18725:0:99999:7:::
netdata:!:18725:0:99999:7:::
+ulog:*:18729:0:99999:7:::
mlmmj:!:18725:0:99999:7:::
iredadmin:!:18725:0:99999:7:::
iredapd:!:18725:0:99999:7:::
+netdata:!:18725:0:99999:7:::
+ulog:*:18729:0:99999:7:::
--- /dev/null
+#
+# smi.conf - Global SMI configuration file.
+#
+# Copyright (c) 2000 Frank Strauss, Technical University of Braunschweig.
+#
+# See the file "COPYING" for information on usage and redistribution
+# of this file, and for a DISCLAIMER OF ALL WARRANTIES.
+#
+# See smi_config(3) for detailed information on configuration files.
+#
+# Debian version by Remco van de Meent <remco@debian.org>
+# 20010612
+
+# Extend (note the semicolon) the libsmi default module search path.
+# (On Windows systems, use `;' instead of `:', and `\' instead of `/'.)
+
+path :/usr/share/snmp/mibs
+path :/usr/share/snmp/mibs/iana
+path :/usr/share/snmp/mibs/ietf
+path :/usr/share/snmp/mibs/site
+path :/var/lib/snmp/mibs/site
+path :/usr/share/mibs/site
+
+# Don't show any errors by default.
+level 0
+
+# Preload some basic SMIv2 modules.
+load SNMPv2-SMI
+load SNMPv2-TC
+load SNMPv2-CONF
+
+# Make smilint shout loud to report all errors and warnings.
+smilint: level 9
+
+# But please don't claim about any names longer than 32 chars.
+# (note: this is the prefix of errors `namelength-32-module,
+# -type, -object, -enumeration, and -bit)
+smilint: hide namelength-32
+
+# Preloading some more modules for special applications.
+# smiquery: load IF-MIB
--- /dev/null
+/lib/systemd/system/ulogd2.service
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/ulogd2.service
\ No newline at end of file
--- /dev/null
+# Example configuration for ulogd
+# Adapted to Debian by Achilleas Kotsis <achille@debian.gr>
+
+[global]
+######################################################################
+# GLOBAL OPTIONS
+######################################################################
+
+
+# logfile for status messages
+logfile="syslog"
+
+# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) (default 5)
+loglevel=3
+
+######################################################################
+# PLUGIN OPTIONS
+######################################################################
+
+# We have to configure and load all the plugins we want to use
+
+# general rules:
+#
+# 0. don't specify any plugin for ulogd to load them all
+# 1. load the plugins _first_ from the global section
+# 2. options for each plugin in seperate section below
+
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_ULOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_UNIXSOCK.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2BIN.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2HBIN.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTPKT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_MARK.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_LOGEMU.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SYSLOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_XML.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SQLITE3.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GPRINT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_NACCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PCAP.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PGSQL.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_MYSQL.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_DBI.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFACCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GRAPHITE.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_JSON.so"
+
+# this is a stack for logging packet send by system via LOGEMU
+stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via LOGEMU
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for ULOG packet-based logging via LOGEMU
+#stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via LOGEMU with filtering on MARK
+#stack=log2:NFLOG,base1:BASE,mark1:MARK,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via GPRINT
+#stack=log1:NFLOG,gp1:GPRINT
+
+# this is a stack for flow-based logging via LOGEMU
+#stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
+
+# this is a stack for flow-based logging via GPRINT
+#stack=ct1:NFCT,gp1:GPRINT
+
+# this is a stack for flow-based logging via XML
+#stack=ct1:NFCT,xml1:XML
+
+# this is a stack for logging in XML
+#stack=log1:NFLOG,xml1:XML
+
+# this is a stack for accounting-based logging via XML
+#stack=acct1:NFACCT,xml1:XML
+
+# this is a stack for accounting-based logging to a Graphite server
+#stack=acct1:NFACCT,graphite1:GRAPHITE
+
+# this is a stack for NFLOG packet-based logging to PCAP
+#stack=log2:NFLOG,base1:BASE,pcap1:PCAP
+
+# this is a stack for logging packet to MySQL
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL
+
+# this is a stack for logging packet to PGsql after a collect via NFLOG
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,pgsql1:PGSQL
+
+# this is a stack for logging packet to JSON formatted file after a collect via NFLOG
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON
+
+# this is a stack for logging packets to syslog after a collect via NFLOG
+#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
+
+# this is a stack for logging packets to syslog after a collect via NuFW
+#stack=nuauth1:UNIXSOCK,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
+
+# this is a stack for flow-based logging to MySQL
+#stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL
+
+# this is a stack for flow-based logging to PGSQL
+#stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL
+
+# this is a stack for flow-based logging to PGSQL without local hash
+#stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL
+
+# this is a stack for flow-based logging to SQLITE3
+#stack=ct1:NFCT,sqlite3_ct:SQLITE3
+
+# this is a stack for logging packet to SQLITE3
+#stack=log1:NFLOG,sqlite3_pkt:SQLITE3
+
+# this is a stack for flow-based logging in NACCT compatible format
+#stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT
+
+# this is a stack for accounting-based logging via GPRINT
+#stack=acct1:NFACCT,gp1:GPRINT
+
+[ct1]
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+#netlink_resync_timeout=60 # seconds to wait to perform resynchronization
+#pollinterval=10 # use poll-based logging instead of event-driven
+# If pollinterval is not set, NFCT plugin will work in event mode
+# In this case, you can use the following filters on events:
+#accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks
+#accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks
+#accept_proto_filter=tcp,sctp # layer 4 proto of connections
+
+[ct2]
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+#reliable=1 # enable reliable flow-based logging (may drop packets)
+hash_enable=0
+
+# Logging of system packet through NFLOG
+[log1]
+# netlink multicast group (the same as the iptables --nflog-group param)
+# Group O is used by the kernel to log connection tracking invalid message
+group=0
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# set number of packet to queue inside kernel
+#netlink_qthreshold=1
+# set the delay before flushing packet in the queue inside kernel (in 10ms)
+#netlink_qtimeout=100
+
+# packet logging through NFLOG for group 1
+[log2]
+# netlink multicast group (the same as the iptables --nflog-group param)
+group=1 # Group has to be different from the one use in log1
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
+# group 0 is not used by any stack, you need to have at least one NFLOG
+# input plugin with bind set to 1. If you don't do that you may not
+# receive any message from the kernel.
+#bind=1
+
+# packet logging through NFLOG for group 2, numeric_label is
+# set to 1
+[log3]
+# netlink multicast group (the same as the iptables --nflog-group param)
+group=2 # Group has to be different from the one use in log1/log2
+numeric_label=1 # you can label the log info based on the packet verdict
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+#bind=1
+
+[ulog1]
+# netlink multicast group (the same as the iptables --ulog-nlgroup param)
+nlgroup=1
+#numeric_label=0 # optional argument
+
+[nuauth1]
+socket_path="/tmp/nuauth_ulogd2.sock"
+
+[emu1]
+file="/var/log/ulog/syslogemu.log"
+sync=1
+
+[op1]
+file="/var/log/ulog/oprint.log"
+sync=1
+
+[gp1]
+file="/var/log/ulog/gprint.log"
+sync=1
+timestamp=1
+
+[xml1]
+directory="/var/log/ulog/"
+sync=1
+
+[json1]
+sync=1
+#file="/var/log/ulog/ulogd.json"
+#timestamp=0
+# device name to be used in JSON message
+#device="My awesome Netfilter firewall"
+# If boolean_label is set to 1 then the numeric_label put on packet
+# by the input plugin is coding the action on packet: if 0, then
+# packet has been blocked and if non null it has been accepted.
+#boolean_label=1
+# Uncomment the following line to use JSON v1 event format that
+# can provide better compatility with some JSON file reader.
+#eventv1=1
+
+[pcap1]
+#default file is /var/log/ulogd.pcap
+#file="/var/log/ulog/ulogd.pcap"
+sync=1
+
+[mysql1]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog"
+pass="changeme"
+procedure="INSERT_PACKET_FULL"
+# backlog configuration:
+# set backlog_memcap to the size of memory that will be
+# allocated to store events in memory if data is temporary down
+# and insert them when the database came back.
+#backlog_memcap=1000000
+# number of events to insert at once when backlog is not empty
+#backlog_oneshot_requests=10
+
+[mysql2]
+db="nulog"
+host="localhost"
+user="nupik"
+table="conntrack"
+pass="changeme"
+procedure="INSERT_CT"
+
+[pgsql1]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog"
+#schema="public"
+pass="changeme"
+procedure="INSERT_PACKET_FULL"
+# connstring can be used to define PostgreSQL connection string which
+# contains all parameters of the connection. If set, this value has
+# precedence on other variables used to build the connection string.
+# See http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
+# for a complete description of options.
+#connstring="host=localhost port=4321 dbname=nulog user=nupik password=changeme"
+#backlog_memcap=1000000
+#backlog_oneshot_requests=10
+# If superior to 1 a thread dedicated to SQL request execution
+# is created. The value stores the number of SQL request to keep
+# in the ring buffer
+#ring_buffer_size=1000
+
+[pgsql2]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog2_ct"
+#schema="public"
+pass="changeme"
+procedure="INSERT_CT"
+
+[pgsql3]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog2_ct"
+#schema="public"
+pass="changeme"
+procedure="INSERT_OR_REPLACE_CT"
+
+[pgsql4]
+db="nulog"
+host="localhost"
+user="nupik"
+table="nfacct"
+#schema="public"
+pass="changeme"
+procedure="INSERT_NFACCT"
+
+[dbi1]
+db="ulog2"
+dbtype="pgsql"
+host="localhost"
+user="ulog2"
+table="ulog"
+pass="ulog2"
+procedure="INSERT_PACKET_FULL"
+
+[sqlite3_ct]
+table="ulog_ct"
+db="/var/log/ulog/ulogd.sqlite3db"
+
+[sqlite3_pkt]
+table="ulog_pkt"
+db="/var/log/ulog/ulogd.sqlite3db"
+
+[sys2]
+facility=LOG_LOCAL2
+
+[nacct1]
+sync = 1
+#file = /var/log/ulog/nacct.log
+
+[mark1]
+mark = 1
+
+[acct1]
+pollinterval = 2
+# If set to 0, we don't reset the counters for each polling (default is 1).
+#zerocounter = 0
+# Set timestamp (default is 0, which means not set). This timestamp can be
+# interpreted by the output plugin.
+#timestamp = 1
+
+[graphite1]
+host="127.0.0.1"
+port="2003"
+# Prefix of data name sent to graphite server
+prefix="netfilter.nfacct"
--- /dev/null
+-- init.lua
+--
+-- initialize wireshark's lua
+--
+-- This file is going to be executed before any other lua script.
+-- It can be used to load libraries, disable functions and more.
+--
+-- Wireshark - Network traffic analyzer
+-- By Gerald Combs <gerald@wireshark.org>
+-- Copyright 1998 Gerald Combs
+--
+-- SPDX-License-Identifier: GPL-2.0-or-later
+
+-- Set disable_lua to true to disable Lua support.
+disable_lua = false
+
+if disable_lua then
+ return
+end
+
+-- If set and we are running with special privileges this setting
+-- tells whether scripts other than this one are to be run.
+run_user_scripts_when_superuser = false
+
+
+-- disable potentialy harmful lua functions when running superuser
+if running_superuser then
+ local hint = "has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user."
+ local disabled_lib = {}
+ setmetatable(disabled_lib,{ __index = function() error("this package ".. hint) end } );
+
+ dofile = function() error("dofile " .. hint) end
+ loadfile = function() error("loadfile " .. hint) end
+ loadlib = function() error("loadlib " .. hint) end
+ require = function() error("require " .. hint) end
+ os = disabled_lib
+ io = disabled_lib
+ file = disabled_lib
+end
+
+-- to avoid output to stdout which can cause problems lua's print ()
+-- has been suppresed so that it yields an error.
+-- have print() call info() instead.
+if gui_enabled() then
+ print = info
+end
+
+function typeof(obj)
+ local mt = getmetatable(obj)
+ return mt and mt.__typeof or obj.__typeof or type(obj)
+end
+
+-- the following function checks if a file exists
+-- since 1.11.3
+function file_exists(name)
+ local f = io.open(name,"r")
+ if f ~= nil then io.close(f) return true else return false end
+end
+
+-- the following function prepends the given directory name to
+-- the package.path, so that a 'require "foo"' will work if 'foo'
+-- is in the directory name given to this function. For example,
+-- if your Lua file will do a 'require "foo"' and the foo.lua
+-- file is in a local directory (local to your script) named 'bar',
+-- then call this function before doing your 'require', by doing
+-- package.prepend_path("bar")
+-- and that will let Wireshark's Lua find the file "bar/foo.lua"
+-- when you later do 'require "foo"'
+--
+-- Because this function resides here in init.lua, it does not
+-- have the same environment as your script, so it has to get it
+-- using the debug library, which is why the code appears so
+-- cumbersome.
+--
+-- since 1.11.3
+function package.prepend_path(name)
+ local debug = require "debug"
+ -- get the function calling this package.prepend_path function
+ local dt = debug.getinfo(2, "f")
+ if not dt then
+ error("could not retrieve debug info table")
+ end
+ -- get its upvalue
+ local _, val = debug.getupvalue(dt.func, 1)
+ if not val or type(val) ~= 'table' then
+ error("No calling function upvalue or it is not a table")
+ end
+ -- get the __DIR__ field in its upvalue table
+ local dir = val["__DIR__"]
+ -- get the platform-specific directory separator character
+ local sep = package.config:sub(1,1)
+ -- prepend the dir and given name to path
+ if dir and dir:len() > 0 then
+ package.path = dir .. sep .. name .. sep .. "?.lua;" .. package.path
+ end
+ -- also prepend just the name as a directory
+ package.path = name .. sep .. "?.lua;" .. package.path
+end
+
+-- Wiretap encapsulations XXX
+wtap_encaps = {
+ ["PER_PACKET"] = -1,
+ ["UNKNOWN"] = 0,
+ ["ETHERNET"] = 1,
+ ["TOKEN_RING"] = 2,
+ ["SLIP"] = 3,
+ ["PPP"] = 4,
+ ["FDDI"] = 5,
+ ["FDDI_BITSWAPPED"] = 6,
+ ["RAW_IP"] = 7,
+ ["ARCNET"] = 8,
+ ["ARCNET_LINUX"] = 9,
+ ["ATM_RFC1483"] = 10,
+ ["LINUX_ATM_CLIP"] = 11,
+ ["LAPB"] = 12,
+ ["ATM_PDUS"] = 13,
+ ["ATM_PDUS_UNTRUNCATED"] = 14,
+ ["NULL"] = 15,
+ ["ASCEND"] = 16,
+ ["ISDN"] = 17,
+ ["IP_OVER_FC"] = 18,
+ ["PPP_WITH_PHDR"] = 19,
+ ["IEEE_802_11"] = 20,
+ ["IEEE_802_11_PRISM"] = 21,
+ ["IEEE_802_11_WITH_RADIO"] = 22,
+ ["IEEE_802_11_RADIOTAP"] = 23,
+ ["IEEE_802_11_AVS"] = 24,
+ ["SLL"] = 25,
+ ["FRELAY"] = 26,
+ ["FRELAY_WITH_PHDR"] = 27,
+ ["CHDLC"] = 28,
+ ["CISCO_IOS"] = 29,
+ ["LOCALTALK"] = 30,
+ ["OLD_PFLOG"] = 31,
+ ["HHDLC"] = 32,
+ ["DOCSIS"] = 33,
+ ["COSINE"] = 34,
+ ["WFLEET_HDLC"] = 35,
+ ["SDLC"] = 36,
+ ["TZSP"] = 37,
+ ["ENC"] = 38,
+ ["PFLOG"] = 39,
+ ["CHDLC_WITH_PHDR"] = 40,
+ ["BLUETOOTH_H4"] = 41,
+ ["MTP2"] = 42,
+ ["MTP3"] = 43,
+ ["IRDA"] = 44,
+ ["USER0"] = 45,
+ ["USER1"] = 46,
+ ["USER2"] = 47,
+ ["USER3"] = 48,
+ ["USER4"] = 49,
+ ["USER5"] = 50,
+ ["USER6"] = 51,
+ ["USER7"] = 52,
+ ["USER8"] = 53,
+ ["USER9"] = 54,
+ ["USER10"] = 55,
+ ["USER11"] = 56,
+ ["USER12"] = 57,
+ ["USER13"] = 58,
+ ["USER14"] = 59,
+ ["USER15"] = 60,
+ ["SYMANTEC"] = 61,
+ ["APPLE_IP_OVER_IEEE1394"] = 62,
+ ["BACNET_MS_TP"] = 63,
+ ["NETTL_RAW_ICMP"] = 64,
+ ["NETTL_RAW_ICMPV6"] = 65,
+ ["GPRS_LLC"] = 66,
+ ["JUNIPER_ATM1"] = 67,
+ ["JUNIPER_ATM2"] = 68,
+ ["REDBACK"] = 69,
+ ["NETTL_RAW_IP"] = 70,
+ ["NETTL_ETHERNET"] = 71,
+ ["NETTL_TOKEN_RING"] = 72,
+ ["NETTL_FDDI"] = 73,
+ ["NETTL_UNKNOWN"] = 74,
+ ["MTP2_WITH_PHDR"] = 75,
+ ["JUNIPER_PPPOE"] = 76,
+ ["GCOM_TIE1"] = 77,
+ ["GCOM_SERIAL"] = 78,
+ ["NETTL_X25"] = 79,
+ ["K12"] = 80,
+ ["JUNIPER_MLPPP"] = 81,
+ ["JUNIPER_MLFR"] = 82,
+ ["JUNIPER_ETHER"] = 83,
+ ["JUNIPER_PPP"] = 84,
+ ["JUNIPER_FRELAY"] = 85,
+ ["JUNIPER_CHDLC"] = 86,
+ ["JUNIPER_GGSN"] = 87,
+ ["LINUX_LAPD"] = 88,
+ ["CATAPULT_DCT2000"] = 89,
+ ["BER"] = 90,
+ ["JUNIPER_VP"] = 91,
+ ["USB_FREEBSD"] = 92,
+ ["IEEE802_16_MAC_CPS"] = 93,
+ ["NETTL_RAW_TELNET"] = 94,
+ ["USB_LINUX"] = 95,
+ ["MPEG"] = 96,
+ ["PPI"] = 97,
+ ["ERF"] = 98,
+ ["BLUETOOTH_H4_WITH_PHDR"] = 99,
+ ["SITA"] = 100,
+ ["SCCP"] = 101,
+ ["BLUETOOTH_HCI"] = 102,
+ ["IPMB"] = 103,
+ ["IEEE802_15_4"] = 104,
+ ["X2E_XORAYA"] = 105,
+ ["FLEXRAY"] = 106,
+ ["LIN"] = 107,
+ ["MOST"] = 108,
+ ["CAN20B"] = 109,
+ ["LAYER1_EVENT"] = 110,
+ ["X2E_SERIAL"] = 111,
+ ["I2C"] = 112,
+ ["IEEE802_15_4_NONASK_PHY"] = 113,
+ ["TNEF"] = 114,
+ ["USB_LINUX_MMAPPED"] = 115,
+ ["GSM_UM"] = 116,
+ ["DPNSS"] = 117,
+ ["PACKETLOGGER"] = 118,
+ ["NSTRACE_1_0"] = 119,
+ ["NSTRACE_2_0"] = 120,
+ ["FIBRE_CHANNEL_FC2"] = 121,
+ ["FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS"] = 122,
+ ["JPEG_JFIF"] = 123,
+ ["IPNET"] = 124,
+ ["SOCKETCAN"] = 125,
+ ["IEEE_802_11_NETMON"] = 126,
+ ["IEEE802_15_4_NOFCS"] = 127,
+ ["RAW_IPFIX"] = 128,
+ ["RAW_IP4"] = 129,
+ ["RAW_IP6"] = 130,
+ ["LAPD"] = 131,
+ ["DVBCI"] = 132,
+ ["MUX27010"] = 133,
+ ["MIME"] = 134,
+ ["NETANALYZER"] = 135,
+ ["NETANALYZER_TRANSPARENT"] = 136,
+ ["IP_OVER_IB_SNOOP"] = 137,
+ ["MPEG_2_TS"] = 138,
+ ["PPP_ETHER"] = 139,
+ ["NFC_LLCP"] = 140,
+ ["NFLOG"] = 141,
+ ["V5_EF"] = 142,
+ ["BACNET_MS_TP_WITH_PHDR"] = 143,
+ ["IXVERIWAVE"] = 144,
+ ["SDH"] = 145,
+ ["DBUS"] = 146,
+ ["AX25_KISS"] = 147,
+ ["AX25"] = 148,
+ ["SCTP"] = 149,
+ ["INFINIBAND"] = 150,
+ ["JUNIPER_SVCS"] = 151,
+ ["USBPCAP"] = 152,
+ ["RTAC_SERIAL"] = 153,
+ ["BLUETOOTH_LE_LL"] = 154,
+ ["WIRESHARK_UPPER_PDU"] = 155,
+ ["STANAG_4607"] = 156,
+ ["STANAG_5066_D_PDU"] = 157,
+ ["NETLINK"] = 158,
+ ["BLUETOOTH_LINUX_MONITOR"] = 159,
+ ["BLUETOOTH_BREDR_BB"] = 160,
+ ["BLUETOOTH_LE_LL_WITH_PHDR"] = 161,
+ ["NSTRACE_3_0"] = 162,
+ ["LOGCAT"] = 163,
+ ["LOGCAT_BRIEF"] = 164,
+ ["LOGCAT_PROCESS"] = 165,
+ ["LOGCAT_TAG"] = 166,
+ ["LOGCAT_THREAD"] = 167,
+ ["LOGCAT_TIME"] = 168,
+ ["LOGCAT_THREADTIME"] = 169,
+ ["LOGCAT_LONG"] = 170,
+ ["PKTAP"] = 171,
+ ["EPON"] = 172,
+ ["IPMI_TRACE"] = 173,
+ ["LOOP"] = 174,
+ ["JSON"] = 175,
+ ["NSTRACE_3_5"] = 176,
+ ["ISO14443"] = 177,
+ ["GFP_T"] = 178,
+ ["GFP_F"] = 179,
+ ["IP_OVER_IB_PCAP"] = 180,
+ ["JUNIPER_VN"] = 181,
+ ["USB_DARWIN"] = 182,
+ ["LORATAP"] = 183,
+ ["3MB_ETHERNET"] = 184,
+ ["VSOCK"] = 185,
+ ["NORDIC_BLE"] = 186,
+ ["NETMON_NET_NETEVENT"] = 187,
+ ["NETMON_HEADER"] = 188,
+ ["NETMON_NET_FILTER"] = 189,
+ ["NETMON_NETWORK_INFO_EX"] = 190,
+ ["MA_WFP_CAPTURE_V4"] = 191,
+ ["MA_WFP_CAPTURE_V6"] = 192,
+ ["MA_WFP_CAPTURE_2V4"] = 193,
+ ["MA_WFP_CAPTURE_2V6"] = 194,
+ ["MA_WFP_CAPTURE_AUTH_V4"] = 195,
+ ["MA_WFP_CAPTURE_AUTH_V6"] = 196,
+ ["JUNIPER_ST"] = 197,
+ ["ETHERNET_MPACKET"] = 198,
+ ["DOCSIS31_XRA31"] = 199
+}
+wtap = wtap_encaps -- for bw compatibility
+
+
+-- Wiretap file types
+wtap_filetypes = {
+ ["UNKNOWN"] = 0,
+ ["PCAP"] = 1,
+ ["PCAPNG"] = 2,
+ ["PCAP_NSEC"] = 3,
+ ["PCAP_AIX"] = 4,
+ ["PCAP_SS991029"] = 5,
+ ["PCAP_NOKIA"] = 6,
+ ["PCAP_SS990417"] = 7,
+ ["PCAP_SS990915"] = 8,
+ ["5VIEWS"] = 9,
+ ["IPTRACE_1_0"] = 10,
+ ["IPTRACE_2_0"] = 11,
+ ["BER"] = 12,
+ ["HCIDUMP"] = 13,
+ ["CATAPULT_DCT2000"] = 14,
+ ["NETXRAY_OLD"] = 15,
+ ["NETXRAY_1_0"] = 16,
+ ["COSINE"] = 17,
+ ["CSIDS"] = 18,
+ ["DBS_ETHERWATCH"] = 19,
+ ["ERF"] = 20,
+ ["EYESDN"] = 21,
+ ["NETTL"] = 22,
+ ["ISERIES"] = 23,
+ ["ISERIES_UNICODE"] = 24,
+ ["I4BTRACE"] = 25,
+ ["ASCEND"] = 26,
+ ["NGSNIFFER_UNCOMPRESSED"] = 29,
+ ["NGSNIFFER_COMPRESSED"] = 30,
+ ["NETXRAY_1_1"] = 31,
+ ["NETWORK_INSTRUMENTS"] = 33,
+ ["LANALYZER"] = 34,
+ ["PPPDUMP"] = 35,
+ ["RADCOM"] = 36,
+ ["SNOOP"] = 37,
+ ["SHOMITI"] = 38,
+ ["VMS"] = 39,
+ ["K12"] = 40,
+ ["TOSHIBA"] = 41,
+ ["VISUAL_NETWORKS"] = 42,
+ ["PEEKCLASSIC_V56"] = 43,
+ ["PEEKCLASSIC_V7"] = 44,
+ ["PEEKTAGGED"] = 45,
+ ["MPEG"] = 46,
+ ["K12TEXT"] = 47,
+ ["NETSCREEN"] = 48,
+ ["COMMVIEW"] = 49,
+ ["BTSNOOP"] = 50,
+ ["TNEF"] = 51,
+ ["DCT3TRACE"] = 52,
+ ["PACKETLOGGER"] = 53,
+ ["DAINTREE_SNA"] = 54,
+ ["NETSCALER_1_0"] = 55,
+ ["NETSCALER_2_0"] = 56,
+ ["JPEG_JFIF"] = 57,
+ ["IPFIX"] = 58,
+ ["MIME"] = 59,
+ ["AETHRA"] = 60,
+ ["MPEG_2_TS"] = 61,
+ ["VWR_80211"] = 62,
+ ["VWR_ETH"] = 63,
+ ["CAMINS"] = 64,
+ ["STANAG_4607"] = 65,
+ ["NETSCALER_3_0"] = 66,
+ ["LOGCAT"] = 67,
+ ["LOGCAT_BRIEF"] = 68,
+ ["LOGCAT_PROCESS"] = 69,
+ ["LOGCAT_TAG"] = 70,
+ ["LOGCAT_THREAD"] = 71,
+ ["LOGCAT_TIME"] = 72,
+ ["LOGCAT_THREADTIME"] = 73,
+ ["LOGCAT_LONG"] = 74,
+ ["COLASOFT_CAPSA"] = 75,
+ ["COLASOFT_PACKET_BUILDER"] = 76,
+ ["JSON"] = 77,
+ ["NETSCALER_3_5"] = 78,
+ ["NETTRACE_3GPP_32_423"] = 79,
+ ["MPLOG"] = 80,
+ ["TSPREC_SEC"] = 0,
+ ["TSPREC_DSEC"] = 1,
+ ["TSPREC_CSEC"] = 2,
+ ["TSPREC_MSEC"] = 3,
+ ["TSPREC_USEC"] = 6,
+ ["TSPREC_NSEC"] = 9
+}
+
+
+-- Wiretap timestamp precision types
+wtap_tsprecs = {
+ ["SEC"] = 0,
+ ["DSEC"] = 1,
+ ["CSEC"] = 2,
+ ["MSEC"] = 3,
+ ["USEC"] = 6,
+ ["NSEC"] = 9
+}
+
+
+-- Wiretap file comment types
+wtap_comments = {
+ ["PER_SECTION"] = 0x00000001,
+ ["PER_INTERFACE"] = 0x00000002,
+ ["PER_PACKET"] = 0x00000004
+}
+
+
+-- Field Types
+ftypes = {
+ ["NONE"] = 0,
+ ["PROTOCOL"] = 1,
+ ["BOOLEAN"] = 2,
+ ["CHAR"] = 3,
+ ["UINT8"] = 4,
+ ["UINT16"] = 5,
+ ["UINT24"] = 6,
+ ["UINT32"] = 7,
+ ["UINT40"] = 8,
+ ["UINT48"] = 9,
+ ["UINT56"] = 10,
+ ["UINT64"] = 11,
+ ["INT8"] = 12,
+ ["INT16"] = 13,
+ ["INT24"] = 14,
+ ["INT32"] = 15,
+ ["INT40"] = 16,
+ ["INT48"] = 17,
+ ["INT56"] = 18,
+ ["INT64"] = 19,
+ ["IEEE_11073_SFLOAT"] = 20,
+ ["IEEE_11073_FLOAT"] = 21,
+ ["FLOAT"] = 22,
+ ["DOUBLE"] = 23,
+ ["ABSOLUTE_TIME"] = 24,
+ ["RELATIVE_TIME"] = 25,
+ ["STRING"] = 26,
+ ["STRINGZ"] = 27,
+ ["UINT_STRING"] = 28,
+ ["ETHER"] = 29,
+ ["BYTES"] = 30,
+ ["UINT_BYTES"] = 31,
+ ["IPv4"] = 32,
+ ["IPv6"] = 33,
+ ["IPXNET"] = 34,
+ ["FRAMENUM"] = 35,
+ ["PCRE"] = 36,
+ ["GUID"] = 37,
+ ["OID"] = 38,
+ ["EUI64"] = 39,
+ ["AX25"] = 40,
+ ["VINES"] = 41,
+ ["REL_OID"] = 42,
+ ["SYSTEM_ID"] = 43,
+ ["STRINGZPAD"] = 44,
+ ["FCWWN"] = 45
+}
+
+
+-- the following table is since 2.0
+-- Field Type FRAMENUM Types
+frametype = {
+ ["NONE"] = 0,
+ ["REQUEST"] = 1,
+ ["RESPONSE"] = 2,
+ ["ACK"] = 3,
+ ["DUP_ACK"] = 4,
+ ["RETRANS_PREV"] = 5,
+ ["RETRANS_NEXT"] = 6
+}
+
+
+-- the following table is since 1.12
+-- Wiretap record_types
+wtap_rec_types = {
+ ["PACKET"] = 0, -- packet
+ ["FT_SPECIFIC_EVENT"] = 1, -- file-type-specific event
+ ["FT_SPECIFIC_REPORT"] = 2, -- file-type-specific report
+ ["SYSCALL"] = 3, -- system call
+}
+
+
+-- the following table is since 1.11.3
+-- Wiretap presence flags
+wtap_presence_flags = {
+ ["TS"] = 1, -- time stamp
+ ["CAP_LEN"] = 2, -- captured length separate from on-the-network length
+ ["INTERFACE_ID"] = 4, -- interface ID
+ ["COMMENTS"] = 8, -- comments
+ ["DROP_COUNT"] = 16, -- drop count
+ ["PACK_FLAGS"] = 32, -- packet flags
+}
+
+
+-- Display Bases
+base = {
+ ["NONE"] = 0, -- none
+ ["DEC"] = 1, -- decimal
+ ["HEX"] = 2, -- hexadecimal
+ ["OCT"] = 3, -- octal
+ ["DEC_HEX"] = 4, -- decimal (hexadecimal)
+ ["HEX_DEC"] = 5, -- hexadecimal (decimal)
+ ["CUSTOM"] = 6, -- call custom routine (in ->strings) to format
+ ["ASCII"] = 0, -- shows non-printable ASCII characters as C-style escapes
+ ["UNICODE"] = 7, -- shows non-printable UNICODE characters as \\uXXXX (XXX for now non-printable characters display depends on UI)
+ ["DOT"] = 8, -- hexadecimal bytes with a period (.) between each byte
+ ["DASH"] = 9, -- hexadecimal bytes with a dash (-) between each byte
+ ["COLON"] = 10, -- hexadecimal bytes with a colon (:) between each byte
+ ["SPACE"] = 11, -- hexadecimal bytes with a space between each byte
+ ["NETMASK"] = 12, -- Used for IPv4 address that shouldn't be resolved (like for netmasks)
+ ["PT_UDP"] = 13, -- UDP port
+ ["PT_TCP"] = 14, -- TCP port
+ ["PT_DCCP"] = 15, -- DCCP port
+ ["PT_SCTP"] = 16, -- SCTP port
+ ["OUI"] = 17, -- OUI resolution
+ ["UNIT_STRING"] = 4096, -- Add unit text to the field value
+ ["LOCAL"] = 1000, -- local time in our time zone, with month and day
+ ["UTC"] = 1001, -- UTC, with month and day
+ ["DOY_UTC"] = 1002, -- UTC, with 1-origin day-of-year
+}
+
+
+-- Encodings
+ENC_BIG_ENDIAN = 0
+ENC_LITTLE_ENDIAN = 2147483648
+ENC_TIME_TIMESPEC = 0
+ENC_TIME_NTP = 2
+ENC_TIME_TOD = 4
+ENC_TIME_RTPS = 8
+ENC_TIME_NTP_BASE_ZERO = 14
+ENC_TIME_TIMEVAL = 16
+ENC_TIME_SECS = 18
+ENC_TIME_MSECS = 20
+ENC_TIME_SECS_NTP = 24
+ENC_TIME_RFC_3971 = 32
+ENC_TIME_MSEC_NTP = 34
+ENC_CHARENCODING_MASK = 2147483646
+ENC_ASCII = 0
+ENC_UTF_8 = 2
+ENC_UTF_16 = 4
+ENC_UCS_2 = 6
+ENC_UCS_4 = 8
+ENC_ISO_8859_1 = 10
+ENC_ISO_8859_2 = 12
+ENC_ISO_8859_3 = 14
+ENC_ISO_8859_4 = 16
+ENC_ISO_8859_5 = 18
+ENC_ISO_8859_6 = 20
+ENC_ISO_8859_7 = 22
+ENC_ISO_8859_8 = 24
+ENC_ISO_8859_9 = 26
+ENC_ISO_8859_10 = 28
+ENC_ISO_8859_11 = 30
+ENC_ISO_8859_13 = 34
+ENC_ISO_8859_14 = 36
+ENC_ISO_8859_15 = 38
+ENC_ISO_8859_16 = 40
+ENC_WINDOWS_1250 = 42
+ENC_3GPP_TS_23_038_7BITS = 44
+ENC_EBCDIC = 46
+ENC_MAC_ROMAN = 48
+ENC_CP437 = 50
+ENC_ASCII_7BITS = 52
+ENC_T61 = 54
+ENC_EBCDIC_CP037 = 56
+ENC_ZIGBEE = 58
+ENC_NA = 0
+ENC_STR_NUM = 16777216
+ENC_STR_HEX = 33554432
+ENC_STRING = 50331648
+ENC_STR_MASK = 65534
+ENC_NUM_PREF = 2097152
+ENC_VARINT_PROTOBUF = 2
+ENC_VARINT_QUIC = 4
+ENC_SEP_NONE = 65536
+ENC_SEP_COLON = 131072
+ENC_SEP_DASH = 262144
+ENC_SEP_DOT = 524288
+ENC_SEP_SPACE = 1048576
+ENC_SEP_MASK = 2031616
+ENC_ISO_8601_DATE = 65536
+ENC_ISO_8601_TIME = 131072
+ENC_ISO_8601_DATE_TIME = 196608
+ENC_RFC_822 = 262144
+ENC_RFC_1123 = 524288
+ENC_STR_TIME_MASK = 983040
+
+
+
+-- Expert flags and facilities (deprecated - see 'expert' table below)
+PI_SEVERITY_MASK = 15728640
+PI_COMMENT = 1048576
+PI_CHAT = 2097152
+PI_NOTE = 4194304
+PI_WARN = 6291456
+PI_ERROR = 8388608
+PI_GROUP_MASK = 4278190080
+PI_CHECKSUM = 16777216
+PI_SEQUENCE = 33554432
+PI_RESPONSE_CODE = 50331648
+PI_REQUEST_CODE = 67108864
+PI_UNDECODED = 83886080
+PI_REASSEMBLE = 100663296
+PI_MALFORMED = 117440512
+PI_DEBUG = 134217728
+PI_PROTOCOL = 150994944
+PI_SECURITY = 167772160
+PI_COMMENTS_GROUP = 184549376
+PI_DECRYPTION = 201326592
+PI_ASSUMPTION = 218103808
+PI_DEPRECATED = 234881024
+
+
+
+-- the following table is since 1.11.3
+-- Expert flags and facilities
+expert = {
+ -- Expert event groups
+ group = {
+ -- The protocol field has a bad checksum, usually uses PI_WARN severity
+ ["CHECKSUM"] = 16777216,
+ -- The protocol field indicates a sequence problem (e.g. TCP window is zero)
+ ["SEQUENCE"] = 33554432,
+ -- The protocol field indicates a bad application response code (e.g. HTTP 404), usually PI_NOTE severity
+ ["RESPONSE_CODE"] = 50331648,
+ -- The protocol field indicates an application request (e.g. File Handle == xxxx), usually PI_CHAT severity
+ ["REQUEST_CODE"] = 67108864,
+ -- The data is undecoded, the protocol dissection is incomplete here, usually PI_WARN severity
+ ["UNDECODED"] = 83886080,
+ -- The protocol field indicates a reassemble (e.g. DCE/RPC defragmentation), usually PI_CHAT severity (or PI_ERROR)
+ ["REASSEMBLE"] = 100663296,
+ -- The packet data is malformed, the dissector has "given up", usually PI_ERROR severity
+ ["MALFORMED"] = 117440512,
+ -- A generic debugging message (shouldn't remain in production code!), usually PI_ERROR severity
+ ["DEBUG"] = 134217728,
+ -- The protocol field violates a protocol specification, usually PI_WARN severity
+ ["PROTOCOL"] = 150994944,
+ -- The protocol field indicates a security problem (e.g. insecure implementation)
+ ["SECURITY"] = 167772160,
+ -- The protocol field indicates a packet comment
+ ["COMMENTS_GROUP"] = 184549376,
+ -- The protocol field indicates a decryption problem
+ ["DECRYPTION"] = 201326592,
+ -- The protocol field has incomplete data, decode based on assumed value
+ ["ASSUMPTION"] = 218103808,
+ -- The protocol field has been deprecated, usually PI_NOTE severity
+ ["DEPRECATED"] = 234881024,
+ },
+ -- Expert severity levels
+ severity = {
+ -- Packet comment
+ ["COMMENT"] = 1048576,
+ -- Usual workflow, e.g. TCP connection establishing
+ ["CHAT"] = 2097152,
+ -- Notable messages, e.g. an application returned an "unusual" error code like HTTP 404
+ ["NOTE"] = 4194304,
+ -- Warning, e.g. application returned an "unusual" error code
+ ["WARN"] = 6291456,
+ -- Serious problems, e.g. a malformed packet
+ ["ERROR"] = 8388608,
+ },
+}
+
+
+
+-- menu groups for register_menu
+MENU_ANALYZE_UNSORTED = 0
+MENU_ANALYZE_CONVERSATION = 1
+MENU_STAT_UNSORTED = 2
+MENU_STAT_GENERIC = 3
+MENU_STAT_CONVERSATION = 4
+MENU_STAT_ENDPOINT = 5
+MENU_STAT_RESPONSE = 6
+MENU_STAT_TELEPHONY = 7
+MENU_STAT_TELEPHONY_ANSI = 8
+MENU_STAT_TELEPHONY_GSM = 9
+MENU_STAT_TELEPHONY_LTE = 10
+MENU_STAT_TELEPHONY_MTP = 11
+MENU_STAT_TELEPHONY_SCTP = 12
+MENU_TOOLS_UNSORTED = 13
+
+
+-- other useful constants
+-- DATA_DIR and USER_DIR have a trailing directory separator.
+GUI_ENABLED = gui_enabled()
+DATA_DIR = Dir.global_config_path()..package.config:sub(1,1)
+USER_DIR = Dir.personal_config_path()..package.config:sub(1,1)
+
+-- deprecated function names
+datafile_path = Dir.global_config_path
+persconffile_path = Dir.personal_config_path
+
+
+if not running_superuser or run_user_scripts_when_superuser then
+ dofile(DATA_DIR.."console.lua")
+end
+--dofile(DATA_DIR.."dtd_gen.lua")