From 59662641cbbb8ee3579759af175832b5c6094cc8 Mon Sep 17 00:00:00 2001 From: Frank Brehm Date: Mon, 15 Oct 2018 23:30:29 +0200 Subject: [PATCH] committing changes in /etc after apt run Package changes: +libc-ares2 1.14.0-1 amd64 +libnetfilter-acct1 1.0.3-1 amd64 +libnetfilter-log1 1.0.1-1.1 amd64 +libsmi2ldbl 0.4.8+dfsg2-15 amd64 +libwireshark-data 2.6.3-1~ubuntu18.04.1 all +libwireshark11 2.6.3-1~ubuntu18.04.1 amd64 +libwiretap8 2.6.3-1~ubuntu18.04.1 amd64 +libwscodecs2 2.6.3-1~ubuntu18.04.1 amd64 +libwsutil9 2.6.3-1~ubuntu18.04.1 amd64 +tshark 2.6.3-1~ubuntu18.04.1 amd64 +ulogd2 2.0.5-5 amd64 +ulogd2-json 2.0.5-5 amd64 +ulogd2-mysql 2.0.5-5 amd64 +ulogd2-pcap 2.0.5-5 amd64 +ulogd2-pgsql 2.0.5-5 amd64 +ulogd2-sqlite3 2.0.5-5 amd64 +wireshark-common 2.6.3-1~ubuntu18.04.1 amd64 --- .etckeeper | 7 + group | 1 + group- | 1 + gshadow | 1 + gshadow- | 1 + init.d/ulogd2 | 131 ++++ init/ulogd2.conf | 13 + logrotate.d/ulogd2 | 9 + passwd | 1 + passwd- | 3 +- rc0.d/K01ulogd2 | 1 + rc1.d/K01ulogd2 | 1 + rc2.d/S01ulogd2 | 1 + rc3.d/S01ulogd2 | 1 + rc4.d/S01ulogd2 | 1 + rc5.d/S01ulogd2 | 1 + rc6.d/K01ulogd2 | 1 + shadow | 1 + shadow- | 1 + smi.conf | 41 + .../multi-user.target.wants/ulogd2.service | 1 + systemd/system/ulogd.service | 1 + ulogd.conf | 330 +++++++++ wireshark/init.lua | 701 ++++++++++++++++++ 24 files changed, 1250 insertions(+), 1 deletion(-) create mode 100755 init.d/ulogd2 create mode 100644 init/ulogd2.conf create mode 100644 logrotate.d/ulogd2 create mode 120000 rc0.d/K01ulogd2 create mode 120000 rc1.d/K01ulogd2 create mode 120000 rc2.d/S01ulogd2 create mode 120000 rc3.d/S01ulogd2 create mode 120000 rc4.d/S01ulogd2 create mode 120000 rc5.d/S01ulogd2 create mode 120000 rc6.d/K01ulogd2 create mode 100644 smi.conf create mode 120000 systemd/system/multi-user.target.wants/ulogd2.service create mode 120000 systemd/system/ulogd.service create mode 100644 ulogd.conf create mode 100644 wireshark/init.lua 
diff --git a/.etckeeper b/.etckeeper
index ab18f6c..15ccf9f 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -1911,6 +1911,7 @@ maybe chmod 0755 'init.d/speech-dispatcher'
 maybe chmod 0755 'init.d/ssh'
 maybe chmod 0755 'init.d/udev'
 maybe chmod 0755 'init.d/ufw'
+maybe chmod 0755 'init.d/ulogd2'
 maybe chmod 0755 'init.d/uuidd'
 maybe chmod 0755 'init.d/virtlogd'
 maybe chmod 0755 'init.d/winbind'
@@ -1921,6 +1922,7 @@ maybe chmod 0644 'init/plexmediaserver.conf'
 maybe chmod 0644 'init/portmap-wait.conf'
 maybe chmod 0644 'init/rpcbind-boot.conf'
 maybe chmod 0644 'init/rpcbind.conf'
+maybe chmod 0644 'init/ulogd2.conf'
 maybe chmod 0755 'initramfs-tools'
 maybe chmod 0755 'initramfs-tools/conf.d'
 maybe chmod 0644 'initramfs-tools/conf.d/resume'
@@ -2167,6 +2169,7 @@ maybe chmod 0644 'logrotate.d/rsyslog'
 maybe chmod 0644 'logrotate.d/samba'
 maybe chmod 0644 'logrotate.d/speech-dispatcher'
 maybe chmod 0644 'logrotate.d/ufw'
+maybe chmod 0644 'logrotate.d/ulogd2'
 maybe chmod 0644 'logrotate.d/winbind'
 maybe chmod 0644 'logrotate.d/wtmp'
 maybe chmod 0644 'lsb-release'
@@ -2688,6 +2691,7 @@ maybe chmod 0755 'smartmontools/run.d/10mail'
 maybe chmod 0755 'smartmontools/run.d/10powersave-notify'
 maybe chmod 0755 'smartmontools/run.d/60smart-notifier'
 maybe chmod 0755 'smartmontools/smartd_warning.d'
+maybe chmod 0644 'smi.conf'
 maybe chmod 0755 'sound'
 maybe chmod 0755 'sound/events'
 maybe chmod 0644 'sound/events/mate-battstat_applet.soundlist'
@@ -2827,6 +2831,7 @@ maybe chmod 0644 'ufw/sysctl.conf'
 maybe chmod 0644 'ufw/ufw.conf'
 maybe chmod 0640 'ufw/user.rules'
 maybe chmod 0640 'ufw/user6.rules'
+maybe chmod 0600 'ulogd.conf'
 maybe chmod 0755 'update-manager'
 maybe chmod 0644 'update-manager/meta-release'
 maybe chmod 0644 'update-manager/release-upgrades'
@@ -2863,6 +2868,8 @@ maybe chmod 0644 'vim/vimrc.tiny'
 maybe chmod 0644 'wgetrc'
 maybe chmod 0755 'wildmidi'
 maybe chmod 0644 'wildmidi/wildmidi.cfg'
+maybe chmod 0755 'wireshark'
+maybe chmod 0644 'wireshark/init.lua'
 maybe chmod 0755 'wpa_supplicant'
 maybe chmod 0755 'wpa_supplicant/action_wpa.sh'
 maybe chmod 0755 'wpa_supplicant/functions.sh'
diff --git a/group b/group
index 908def0..e07937f 100644
--- a/group
+++ b/group
@@ -84,3 +84,4 @@ nobody:x:1001:
 sambamachines:x:1002:
 plex:x:963:frank
 _chrony:x:142:
+ulog:x:143:
diff --git a/group- b/group-
index fe12092..908def0 100644
--- a/group-
+++ b/group-
@@ -83,3 +83,4 @@ winbindd_priv:x:141:
 nobody:x:1001:
 sambamachines:x:1002:
 plex:x:963:frank
+_chrony:x:142:
diff --git a/gshadow b/gshadow
index 1859a6a..c496ca9 100644
--- a/gshadow
+++ b/gshadow
@@ -84,3 +84,4 @@ nobody:!::
 sambamachines:!::
 plex:!::frank
 _chrony:!::
+ulog:!::
diff --git a/gshadow- b/gshadow-
index cc9ca9a..1859a6a 100644
--- a/gshadow-
+++ b/gshadow-
@@ -83,3 +83,4 @@ winbindd_priv:!::
 nobody:!::
 sambamachines:!::
 plex:!::frank
+_chrony:!::
diff --git a/init.d/ulogd2 b/init.d/ulogd2
new file mode 100755
index 0000000..2a759e3
--- /dev/null
+++ b/init.d/ulogd2
@@ -0,0 +1,131 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: ulogd2 ulogd
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Starts ulogd2
+# Description: Starts the netfilter userspace log daemon
+### END INIT INFO
+
+# Author: Chris Boot
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="netfilter userspace log daemon"
+NAME=ulogd
+DAEMON=/usr/sbin/$NAME
+DAEMON_USER=ulog
+PIDDIR=/run/ulog
+PIDFILE=$PIDDIR/$NAME.pid
+DAEMON_ARGS="--daemon --uid $DAEMON_USER --pidfile $PIDFILE"
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Make sure our /run directory exists
+ if [ ! -d $PIDDIR ]; then
+ mkdir $PIDDIR
+ chown $DAEMON_USER: $PIDDIR
+ fi
+
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON \
+ --test > /dev/null || return 1
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS || return 2
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
+ --pidfile $PIDFILE --name $NAME
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE \
+ --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting $DESC" "$NAME"
+ do_start; RET=$?
+ case $RET in
+ 0|1) log_end_msg 0; exit 0 ;;
+ *) log_end_msg 1; exit 1 ;;
+ esac
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop; RET=$?
+ case $RET in
+ 0|1) log_end_msg 0; exit 0 ;;
+ *) log_end_msg 1; exit 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME"
+ ;;
+ reload|force-reload)
+ log_daemon_msg "Reloading $DESC" "$NAME"
+ do_reload; RET=$?
+ log_end_msg $RET
+ exit $RET
+ ;;
+ restart)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop; RET=$?
+ case $RET in
+ 0|1)
+ do_start; RET=$?
+ case $RET in
+ 0) log_end_msg 0; exit 0 ;;
+ 1) log_end_msg 1; exit 1 ;; # Old process is still running
+ *) log_end_msg 1; exit 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1; exit 1
+ ;;
+ esac
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
diff --git a/init/ulogd2.conf b/init/ulogd2.conf
new file mode 100644
index 0000000..e0ddf04
--- /dev/null
+++ b/init/ulogd2.conf
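Review bot: `mkdir $PIDDIR` in do_start creates /run/ulog with whatever mode the current umask yields and then hands the directory to the unprivileged `ulog` user, so the pidfile that do_stop and do_reload later trust while running as root (`--pidfile $PIDFILE --name $NAME`) lives in a directory the daemon account fully controls; `--name` confines the effect to processes actually called ulogd, but the ownership should be explicit and the stop side should be scoped to that account. Replace the two lines with `install -d -m 0755 -o $DAEMON_USER $PIDDIR` and add `--user $DAEMON_USER` to the `--stop` invocations in do_stop and do_reload; recent start-stop-daemon releases also ignore a pidfile not owned by root unless `--user` is given, which would make `stop` silently fail here (inferred from upstream behaviour, verify against the installed dpkg). Every `$PIDDIR`/`$PIDFILE` expansion is unquoted, which is harmless for these literal paths but not once /etc/default/ulogd overrides them, since that file is sourced unconditionally a few lines above.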
@@ -0,0 +1,13 @@
+# ulogd2 - Netfilter Userspace Logging Daemon
+#
+# ulogd is an advanced netfilter logging daemon.
+
+description "Netfilter Userspace Logging Daemon"
+
+start on runlevel [2345]
+stop on runlevel [!2345]
+
+expect fork
+respawn
+
+exec /usr/sbin/ulogd --daemon --uid ulog
diff --git a/logrotate.d/ulogd2 b/logrotate.d/ulogd2
new file mode 100644
index 0000000..56c691e
--- /dev/null
+++ b/logrotate.d/ulogd2
@@ -0,0 +1,9 @@
+/var/log/ulog/*.log /var/log/ulog/*.pcap {
+ missingok
+ compress
+ sharedscripts
+ create 640 ulog adm
+ postrotate
+ invoke-rc.d ulogd2 reload > /dev/null
+ endscript
+}
diff --git a/passwd b/passwd
index 0658191..97f44b8 100644
--- a/passwd
+++ b/passwd
@@ -60,3 +60,4 @@ mysql:x:128:140:MySQL Server:/nonexistent:/bin/false
 smbguest:x:1125:1001:Samba guest account:/dev/null:/dev/null
 plex:x:136:963:Plex Media Server:/var/lib/plexmediaserver:/bin/bash
 _chrony:x:129:142:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
+ulog:x:130:143::/var/log/ulog:/bin/false
diff --git a/passwd- b/passwd-
index 3cd2259..97f44b8 100644
--- a/passwd-
+++ b/passwd-
@@ -59,4 +59,5 @@ kameu:x:1001:100:Karin Meusel:/home/kameu:/bin/bash
 mysql:x:128:140:MySQL Server:/nonexistent:/bin/false
 smbguest:x:1125:1001:Samba guest account:/dev/null:/dev/null
 plex:x:136:963:Plex Media Server:/var/lib/plexmediaserver:/bin/bash
-_chrony:x:129:142::/var/lib/chrony:/usr/sbin/nologin
+_chrony:x:129:142:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
+ulog:x:130:143::/var/log/ulog:/bin/false
diff --git a/rc0.d/K01ulogd2 b/rc0.d/K01ulogd2
new file mode 120000
index 0000000..aac15cc
--- /dev/null
+++ b/rc0.d/K01ulogd2
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc1.d/K01ulogd2 b/rc1.d/K01ulogd2
new file mode 120000
index 0000000..aac15cc
--- /dev/null
+++ b/rc1.d/K01ulogd2
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc2.d/S01ulogd2 b/rc2.d/S01ulogd2
new file mode 120000
index 0000000..aac15cc
--- /dev/null
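Review bot: In logrotate.d/ulogd2, `compress` without `delaycompress` races the reload in postrotate: `invoke-rc.d ulogd2 reload` only delivers SIGHUP (do_reload in init.d/ulogd2 returns 0 unconditionally) and comes back before the daemon has presumably reopened its files, so logrotate can gzip a file ulogd is still appending to and lose the tail of the log; add `delaycompress` directly after `compress`. Because do_reload always reports success, logrotate also cannot notice when no daemon was signalled at all, and `> /dev/null` hides the stdout of invoke-rc.d on top of that — drop the redirect or send it to the logrotate log so a missing reload is visible. `create 640 ulog adm` is consistent with the daemon running as `ulog`, but it means the account that writes the logs can also truncate or rewrite them; if these records must be tamper-evident, keep the SYSLOG stack in ulogd.conf active so a copy leaves the daemon's control.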
+++ b/rc2.d/S01ulogd2
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc3.d/S01ulogd2 b/rc3.d/S01ulogd2
new file mode 120000
index 0000000..aac15cc
--- /dev/null
+++ b/rc3.d/S01ulogd2
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc4.d/S01ulogd2 b/rc4.d/S01ulogd2
new file mode 120000
index 0000000..aac15cc
--- /dev/null
+++ b/rc4.d/S01ulogd2
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc5.d/S01ulogd2 b/rc5.d/S01ulogd2
new file mode 120000
index 0000000..aac15cc
--- /dev/null
+++ b/rc5.d/S01ulogd2
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc6.d/K01ulogd2 b/rc6.d/K01ulogd2
new file mode 120000
index 0000000..aac15cc
--- /dev/null
+++ b/rc6.d/K01ulogd2
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/shadow b/shadow
index de0f2db..de103b4 100644
--- a/shadow
+++ b/shadow
@@ -60,3 +60,4 @@ mysql:!:17722:0:99999:7:::
 smbguest:!:17723:0:99999:7:::
 plex:!:17743:0:99999:7:::
 _chrony:*:17751:0:99999:7:::
+ulog:*:17819:0:99999:7:::
diff --git a/shadow- b/shadow-
index de0f2db..de103b4 100644
--- a/shadow-
+++ b/shadow-
@@ -60,3 +60,4 @@ mysql:!:17722:0:99999:7:::
 smbguest:!:17723:0:99999:7:::
 plex:!:17743:0:99999:7:::
 _chrony:*:17751:0:99999:7:::
+ulog:*:17819:0:99999:7:::
diff --git a/smi.conf b/smi.conf
new file mode 100644
index 0000000..744ec22
--- /dev/null
+++ b/smi.conf
@@ -0,0 +1,41 @@
+#
+# smi.conf - Global SMI configuration file.
+#
+# Copyright (c) 2000 Frank Strauss, Technical University of Braunschweig.
+#
+# See the file "COPYING" for information on usage and redistribution
+# of this file, and for a DISCLAIMER OF ALL WARRANTIES.
+#
+# See smi_config(3) for detailed information on configuration files.
+#
+# Debian version by Remco van de Meent
+# 20010612
+
+# Extend (note the semicolon) the libsmi default module search path.
+# (On Windows systems, use `;' instead of `:', and `\' instead of `/'.)
+
+path :/usr/share/snmp/mibs
+path :/usr/share/snmp/mibs/iana
+path :/usr/share/snmp/mibs/ietf
+path :/usr/share/snmp/mibs/site
+path :/var/lib/snmp/mibs/site
+path :/usr/share/mibs/site
+
+# Don't show any errors by default.
+level 0
+
+# Preload some basic SMIv2 modules.
+load SNMPv2-SMI
+load SNMPv2-TC
+load SNMPv2-CONF
+
+# Make smilint shout loud to report all errors and warnings.
+smilint: level 9
+
+# But please don't claim about any names longer than 32 chars.
+# (note: this is the prefix of errors `namelength-32-module,
+# -type, -object, -enumeration, and -bit)
+smilint: hide namelength-32
+
+# Preloading some more modules for special applications.
+# smiquery: load IF-MIB
diff --git a/systemd/system/multi-user.target.wants/ulogd2.service b/systemd/system/multi-user.target.wants/ulogd2.service
new file mode 120000
index 0000000..c2b8879
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/ulogd2.service
@@ -0,0 +1 @@
+/lib/systemd/system/ulogd2.service
\ No newline at end of file
diff --git a/systemd/system/ulogd.service b/systemd/system/ulogd.service
new file mode 120000
index 0000000..c2b8879
--- /dev/null
+++ b/systemd/system/ulogd.service
@@ -0,0 +1 @@
+/lib/systemd/system/ulogd2.service
\ No newline at end of file
diff --git a/ulogd.conf b/ulogd.conf
new file mode 100644
index 0000000..331d538
--- /dev/null
+++ b/ulogd.conf
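Review bot: The comment `# Extend (note the semicolon) the libsmi default module search path.` contradicts the six `path :` entries under it, which use a leading colon — the very next line says `;` is only the Windows form; change it to `# Extend (note the leading colon) the libsmi default module search path.`. The `path` lines deserve a note of their own: these directories, including `/var/lib/snmp/mibs/site`, are where libsmi (and so presumably tshark via libsmi) will pick up and parse MIB modules, so whoever can write there decides what the tools load — something like `# all site dirs must stay root-owned and non-world-writable; libsmi loads whatever it finds here` would make the expectation explicit. Note also that `level 0` suppresses all parse errors for non-smilint consumers, so a malformed or truncated MIB in one of those directories would be silently skipped rather than reported.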
@@ -0,0 +1,330 @@
+# Example configuration for ulogd
+# Adapted to Debian by Achilleas Kotsis
+
+[global]
+######################################################################
+# GLOBAL OPTIONS
+######################################################################
+
+
+# logfile for status messages
+logfile="syslog"
+
+# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) (default 5)
+loglevel=3
+
+######################################################################
+# PLUGIN OPTIONS
+######################################################################
+
+# We have to configure and load all the plugins we want to use
+
+# general rules:
+# 1. load the plugins _first_ from the global section
+# 2. options for each plugin in seperate section below
+
+
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_ULOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_UNIXSOCK.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2BIN.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2HBIN.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTPKT.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_MARK.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_LOGEMU.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SYSLOG.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_XML.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SQLITE3.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GPRINT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_NACCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PCAP.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PGSQL.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_MYSQL.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_DBI.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFACCT.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GRAPHITE.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_JSON.so"
+
+# this is a stack for logging packet send by system via LOGEMU
+stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via LOGEMU
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for ULOG packet-based logging via LOGEMU
+#stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via LOGEMU with filtering on MARK
+#stack=log2:NFLOG,mark1:MARK,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via GPRINT
+#stack=log1:NFLOG,gp1:GPRINT
+
+# this is a stack for flow-based logging via LOGEMU
+#stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
+
+# this is a stack for flow-based logging via GPRINT
+#stack=ct1:NFCT,gp1:GPRINT
+
+# this is a stack for flow-based logging via XML
+#stack=ct1:NFCT,xml1:XML
+
+# this is a stack for logging in XML
+#stack=log1:NFLOG,xml1:XML
+
+# this is a stack for accounting-based logging via XML
+#stack=acct1:NFACCT,xml1:XML
+
+# this is a stack for accounting-based logging to a Graphite server
+#stack=acct1:NFACCT,graphite1:GRAPHITE
+
+# this is a stack for NFLOG packet-based logging to PCAP
+#stack=log2:NFLOG,base1:BASE,pcap1:PCAP
+
+# this is a stack for logging packet to MySQL
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL
+
+# this is a stack for logging packet to PGsql after a collect via NFLOG
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,pgsql1:PGSQL
+
+# this is a stack for logging packet to JSON formatted file after a collect via NFLOG
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON
+
+# this is a stack for logging packets to syslog after a collect via NFLOG
+#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
+
+# this is a stack for logging packets to syslog after a collect via NuFW
+#stack=nuauth1:UNIXSOCK,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
+
+# this is a stack for flow-based logging to MySQL
+#stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL
+
+# this is a stack for flow-based logging to PGSQL
+#stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL
+
+# this is a stack for flow-based logging to PGSQL without local hash
+#stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL
+
+# this is a stack for flow-based logging to SQLITE3
+#stack=ct1:NFCT,sqlite3_ct:SQLITE3
+
+# this is a stack for logging packet to SQLITE3
+#stack=log1:NFLOG,sqlite3_pkt:SQLITE3
+
+# this is a stack for flow-based logging in NACCT compatible format
+#stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT
+
+# this is a stack for accounting-based logging via GPRINT
+#stack=acct1:NFACCT,gp1:GPRINT
+
+[ct1]
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+#netlink_resync_timeout=60 # seconds to wait to perform resynchronization
+#pollinterval=10 # use poll-based logging instead of event-driven
+# If pollinterval is not set, NFCT plugin will work in event mode
+# In this case, you can use the following filters on events:
+#accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks
+#accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks
+#accept_proto_filter=tcp,sctp # layer 4 proto of connections
+
+[ct2]
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+#reliable=1 # enable reliable flow-based logging (may drop packets)
+hash_enable=0
+
+# Logging of system packet through NFLOG
+[log1]
+# netlink multicast group (the same as the iptables --nflog-group param)
+# Group O is used by the kernel to log connection tracking invalid message
+group=0
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# set number of packet to queue inside kernel
+#netlink_qthreshold=1
+# set the delay before flushing packet in the queue inside kernel (in 10ms)
+#netlink_qtimeout=100
+
+# packet logging through NFLOG for group 1
+[log2]
+# netlink multicast group (the same as the iptables --nflog-group param)
+group=1 # Group has to be different from the one use in log1
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
+# group 0 is not used by any stack, you need to have at least one NFLOG
+# input plugin with bind set to 1. If you don't do that you may not
+# receive any message from the kernel.
+#bind=1
+
+# packet logging through NFLOG for group 2, numeric_label is
+# set to 1
+[log3]
+# netlink multicast group (the same as the iptables --nflog-group param)
+group=2 # Group has to be different from the one use in log1/log2
+numeric_label=1 # you can label the log info based on the packet verdict
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+#bind=1
+
+[ulog1]
+# netlink multicast group (the same as the iptables --ulog-nlgroup param)
+nlgroup=1
+#numeric_label=0 # optional argument
+
+[nuauth1]
+socket_path="/tmp/nuauth_ulogd2.sock"
+
+[emu1]
+file="/var/log/ulog/syslogemu.log"
+sync=1
+
+[op1]
+file="/var/log/ulog/oprint.log"
+sync=1
+
+[gp1]
+file="/var/log/ulog/gprint.log"
+sync=1
+timestamp=1
+
+[xml1]
+directory="/var/log/"
+sync=1
+
+[json1]
+sync=1
+#file="/var/log/ulog/ulogd.json"
+#timestamp=0
+# device name to be used in JSON message
+#device="My awesome Netfilter firewall"
+# If boolean_label is set to 1 then the numeric_label put on packet
+# by the input plugin is coding the action on packet: if 0, then
+# packet has been blocked and if non null it has been accepted.
+#boolean_label=1
+
+[pcap1]
+#default file is /var/log/ulogd.pcap
+#file="/var/log/ulog/ulogd.pcap"
+sync=1
+
+[mysql1]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog"
+pass="changeme"
+procedure="INSERT_PACKET_FULL"
+# backlog configuration:
+# set backlog_memcap to the size of memory that will be
+# allocated to store events in memory if data is temporary down
+# and insert them when the database came back.
+#backlog_memcap=1000000
+# number of events to insert at once when backlog is not empty
+#backlog_oneshot_requests=10
+
+[mysql2]
+db="nulog"
+host="localhost"
+user="nupik"
+table="conntrack"
+pass="changeme"
+procedure="INSERT_CT"
+
+[pgsql1]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog"
+#schema="public"
+pass="changeme"
+procedure="INSERT_PACKET_FULL"
+# connstring can be used to define PostgreSQL connection string which
+# contains all parameters of the connection. If set, this value has
+# precedence on other variables used to build the connection string.
+# See http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
+# for a complete description of options.
+#connstring="host=localhost port=4321 dbname=nulog user=nupik password=changeme"
+#backlog_memcap=1000000
+#backlog_oneshot_requests=10
+# If superior to 1 a thread dedicated to SQL request execution
+# is created. The value stores the number of SQL request to keep
+# in the ring buffer
+#ring_buffer_size=1000
+
+[pgsql2]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog2_ct"
+#schema="public"
+pass="changeme"
+procedure="INSERT_CT"
+
+[pgsql3]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog2_ct"
+#schema="public"
+pass="changeme"
+procedure="INSERT_OR_REPLACE_CT"
+
+[pgsql4]
+db="nulog"
+host="localhost"
+user="nupik"
+table="nfacct"
+#schema="public"
+pass="changeme"
+procedure="INSERT_NFACCT"
+
+[dbi1]
+db="ulog2"
+dbtype="pgsql"
+host="localhost"
+user="ulog2"
+table="ulog"
+pass="ulog2"
+procedure="INSERT_PACKET_FULL"
+
+[sqlite3_ct]
+table="ulog_ct"
+db="/var/log/ulog/ulogd.sqlite3db"
+buffer=200
+
+[sqlite3_pkt]
+table="ulog_pkt"
+db="/var/log/ulog/ulogd.sqlite3db"
+buffer=200
+
+[sys2]
+facility=LOG_LOCAL2
+
+[nacct1]
+sync = 1
+#file = /var/log/ulog/nacct.log
+
+[mark1]
+mark = 1
+
+[acct1]
+pollinterval = 2
+# If set to 0, we don't reset the counters for each polling (default is 1).
+#zerocounter = 0
+# Set timestamp (default is 0, which means not set). This timestamp can be
+# interpreted by the output plugin.
+#timestamp = 1
+
+[graphite1]
+host="127.0.0.1"
+port="2003"
+# Prefix of data name sent to graphite server
+prefix="netfilter.nfacct"
diff --git a/wireshark/init.lua b/wireshark/init.lua
new file mode 100644
index 0000000..271d5de
--- /dev/null
+++ b/wireshark/init.lua
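Review bot: The [mysql1], [mysql2], [pgsql1] to [pgsql4] and [dbi1] sections carry literal credentials (`pass="changeme"`, `pass="ulog2"`, and `password=changeme` inside the commented `connstring`) and this file is now tracked in the etckeeper repository; the MYSQL, PGSQL and DBI output plugins are commented out in the plugin list, so the sections are inert today, but the first time one is enabled a real password lands in git history where the 0600 mode recorded in .etckeeper does not protect it. Either delete the unused database sections or put a comment above the first of them: `# placeholder credentials only - this file is under version control, never store a real password here`. Two smaller inconsistencies in the same hunk: [xml1] writes to `directory="/var/log/"` while every other output uses /var/log/ulog, which is the home of the `ulog` account the init script drops to and presumably the only log directory it can write, and [nuauth1] places its listening socket in world-writable /tmp (`socket_path="/tmp/nuauth_ulogd2.sock"`), acceptable only while the UNIXSOCK plugin stays disabled; `/run/ulog`, the directory init.d/ulogd2 already creates for the pidfile, would be the natural location.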
@@ -0,0 +1,701 @@
+-- init.lua
+--
+-- initialize wireshark's lua
+--
+-- This file is going to be executed before any other lua script.
+-- It can be used to load libraries, disable functions and more.
+--
+-- Wireshark - Network traffic analyzer
+-- By Gerald Combs
+-- Copyright 1998 Gerald Combs
+--
+-- SPDX-License-Identifier: GPL-2.0-or-later
+
+-- Set disable_lua to true to disable Lua support.
+disable_lua = false
+
+if disable_lua then
+ return
+end
+
+-- If set and we are running with special privileges this setting
+-- tells whether scripts other than this one are to be run.
+run_user_scripts_when_superuser = false
+
+
+-- disable potentialy harmful lua functions when running superuser
+if running_superuser then
+ local hint = "has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user."
+ local disabled_lib = {}
+ setmetatable(disabled_lib,{ __index = function() error("this package ".. hint) end } );
+
+ dofile = function() error("dofile " .. hint) end
+ loadfile = function() error("loadfile " .. hint) end
+ loadlib = function() error("loadlib " .. hint) end
+ require = function() error("require " .. hint) end
+ os = disabled_lib
+ io = disabled_lib
+ file = disabled_lib
+end
+
+-- to avoid output to stdout which can cause problems lua's print ()
+-- has been suppresed so that it yields an error.
+-- have print() call info() instead.
+if gui_enabled() then
+ print = info
+end
+
+function typeof(obj)
+ local mt = getmetatable(obj)
+ return mt and mt.__typeof or obj.__typeof or type(obj)
+end
+
+-- the following function checks if a file exists
+-- since 1.11.3
+function file_exists(name)
+ local f = io.open(name,"r")
+ if f ~= nil then io.close(f) return true else return false end
+end
+
+-- the following function prepends the given directory name to
+-- the package.path, so that a 'require "foo"' will work if 'foo'
+-- is in the directory name given to this function. For example,
+-- if your Lua file will do a 'require "foo"' and the foo.lua
+-- file is in a local directory (local to your script) named 'bar',
+-- then call this function before doing your 'require', by doing
+-- package.prepend_path("bar")
+-- and that will let Wireshark's Lua find the file "bar/foo.lua"
+-- when you later do 'require "foo"'
+--
+-- Because this function resides here in init.lua, it does not
+-- have the same environment as your script, so it has to get it
+-- using the debug library, which is why the code appears so
+-- cumbersome.
+--
+-- since 1.11.3
+function package.prepend_path(name)
+ local debug = require "debug"
+ -- get the function calling this package.prepend_path function
+ local dt = debug.getinfo(2, "f")
+ if not dt then
+ error("could not retrieve debug info table")
+ end
+ -- get its upvalue
+ local _, val = debug.getupvalue(dt.func, 1)
+ if not val or type(val) ~= 'table' then
+ error("No calling function upvalue or it is not a table")
+ end
+ -- get the __DIR__ field in its upvalue table
+ local dir = val["__DIR__"]
+ -- get the platform-specific directory separator character
+ local sep = package.config:sub(1,1)
+ -- prepend the dir and given name to path
+ if dir and dir:len() > 0 then
+ package.path = dir .. sep .. name .. sep .. "?.lua;" .. package.path
+ end
+ -- also prepend just the name as a directory
+ package.path = name .. sep .. "?.lua;" ..
package.path +end + +-- Wiretap encapsulations XXX +wtap_encaps = { + ["PER_PACKET"] = -1, + ["UNKNOWN"] = 0, + ["ETHERNET"] = 1, + ["TOKEN_RING"] = 2, + ["SLIP"] = 3, + ["PPP"] = 4, + ["FDDI"] = 5, + ["FDDI_BITSWAPPED"] = 6, + ["RAW_IP"] = 7, + ["ARCNET"] = 8, + ["ARCNET_LINUX"] = 9, + ["ATM_RFC1483"] = 10, + ["LINUX_ATM_CLIP"] = 11, + ["LAPB"] = 12, + ["ATM_PDUS"] = 13, + ["ATM_PDUS_UNTRUNCATED"] = 14, + ["NULL"] = 15, + ["ASCEND"] = 16, + ["ISDN"] = 17, + ["IP_OVER_FC"] = 18, + ["PPP_WITH_PHDR"] = 19, + ["IEEE_802_11"] = 20, + ["IEEE_802_11_PRISM"] = 21, + ["IEEE_802_11_WITH_RADIO"] = 22, + ["IEEE_802_11_RADIOTAP"] = 23, + ["IEEE_802_11_AVS"] = 24, + ["SLL"] = 25, + ["FRELAY"] = 26, + ["FRELAY_WITH_PHDR"] = 27, + ["CHDLC"] = 28, + ["CISCO_IOS"] = 29, + ["LOCALTALK"] = 30, + ["OLD_PFLOG"] = 31, + ["HHDLC"] = 32, + ["DOCSIS"] = 33, + ["COSINE"] = 34, + ["WFLEET_HDLC"] = 35, + ["SDLC"] = 36, + ["TZSP"] = 37, + ["ENC"] = 38, + ["PFLOG"] = 39, + ["CHDLC_WITH_PHDR"] = 40, + ["BLUETOOTH_H4"] = 41, + ["MTP2"] = 42, + ["MTP3"] = 43, + ["IRDA"] = 44, + ["USER0"] = 45, + ["USER1"] = 46, + ["USER2"] = 47, + ["USER3"] = 48, + ["USER4"] = 49, + ["USER5"] = 50, + ["USER6"] = 51, + ["USER7"] = 52, + ["USER8"] = 53, + ["USER9"] = 54, + ["USER10"] = 55, + ["USER11"] = 56, + ["USER12"] = 57, + ["USER13"] = 58, + ["USER14"] = 59, + ["USER15"] = 60, + ["SYMANTEC"] = 61, + ["APPLE_IP_OVER_IEEE1394"] = 62, + ["BACNET_MS_TP"] = 63, + ["NETTL_RAW_ICMP"] = 64, + ["NETTL_RAW_ICMPV6"] = 65, + ["GPRS_LLC"] = 66, + ["JUNIPER_ATM1"] = 67, + ["JUNIPER_ATM2"] = 68, + ["REDBACK"] = 69, + ["NETTL_RAW_IP"] = 70, + ["NETTL_ETHERNET"] = 71, + ["NETTL_TOKEN_RING"] = 72, + ["NETTL_FDDI"] = 73, + ["NETTL_UNKNOWN"] = 74, + ["MTP2_WITH_PHDR"] = 75, + ["JUNIPER_PPPOE"] = 76, + ["GCOM_TIE1"] = 77, + ["GCOM_SERIAL"] = 78, + ["NETTL_X25"] = 79, + ["K12"] = 80, + ["JUNIPER_MLPPP"] = 81, + ["JUNIPER_MLFR"] = 82, + ["JUNIPER_ETHER"] = 83, + ["JUNIPER_PPP"] = 84, + ["JUNIPER_FRELAY"] = 85, + ["JUNIPER_CHDLC"] = 
86,
+ ["JUNIPER_GGSN"] = 87,
+ ["LINUX_LAPD"] = 88,
+ ["CATAPULT_DCT2000"] = 89,
+ ["BER"] = 90,
+ ["JUNIPER_VP"] = 91,
+ ["USB_FREEBSD"] = 92,
+ ["IEEE802_16_MAC_CPS"] = 93,
+ ["NETTL_RAW_TELNET"] = 94,
+ ["USB_LINUX"] = 95,
+ ["MPEG"] = 96,
+ ["PPI"] = 97,
+ ["ERF"] = 98,
+ ["BLUETOOTH_H4_WITH_PHDR"] = 99,
+ ["SITA"] = 100,
+ ["SCCP"] = 101,
+ ["BLUETOOTH_HCI"] = 102,
+ ["IPMB"] = 103,
+ ["IEEE802_15_4"] = 104,
+ ["X2E_XORAYA"] = 105,
+ ["FLEXRAY"] = 106,
+ ["LIN"] = 107,
+ ["MOST"] = 108,
+ ["CAN20B"] = 109,
+ ["LAYER1_EVENT"] = 110,
+ ["X2E_SERIAL"] = 111,
+ ["I2C"] = 112,
+ ["IEEE802_15_4_NONASK_PHY"] = 113,
+ ["TNEF"] = 114,
+ ["USB_LINUX_MMAPPED"] = 115,
+ ["GSM_UM"] = 116,
+ ["DPNSS"] = 117,
+ ["PACKETLOGGER"] = 118,
+ ["NSTRACE_1_0"] = 119,
+ ["NSTRACE_2_0"] = 120,
+ ["FIBRE_CHANNEL_FC2"] = 121,
+ ["FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS"] = 122,
+ ["JPEG_JFIF"] = 123,
+ ["IPNET"] = 124,
+ ["SOCKETCAN"] = 125,
+ ["IEEE_802_11_NETMON"] = 126,
+ ["IEEE802_15_4_NOFCS"] = 127,
+ ["RAW_IPFIX"] = 128,
+ ["RAW_IP4"] = 129,
+ ["RAW_IP6"] = 130,
+ ["LAPD"] = 131,
+ ["DVBCI"] = 132,
+ ["MUX27010"] = 133,
+ ["MIME"] = 134,
+ ["NETANALYZER"] = 135,
+ ["NETANALYZER_TRANSPARENT"] = 136,
+ ["IP_OVER_IB_SNOOP"] = 137,
+ ["MPEG_2_TS"] = 138,
+ ["PPP_ETHER"] = 139,
+ ["NFC_LLCP"] = 140,
+ ["NFLOG"] = 141,
+ ["V5_EF"] = 142,
+ ["BACNET_MS_TP_WITH_PHDR"] = 143,
+ ["IXVERIWAVE"] = 144,
+ ["SDH"] = 145,
+ ["DBUS"] = 146,
+ ["AX25_KISS"] = 147,
+ ["AX25"] = 148,
+ ["SCTP"] = 149,
+ ["INFINIBAND"] = 150,
+ ["JUNIPER_SVCS"] = 151,
+ ["USBPCAP"] = 152,
+ ["RTAC_SERIAL"] = 153,
+ ["BLUETOOTH_LE_LL"] = 154,
+ ["WIRESHARK_UPPER_PDU"] = 155,
+ ["STANAG_4607"] = 156,
+ ["STANAG_5066_D_PDU"] = 157,
+ ["NETLINK"] = 158,
+ ["BLUETOOTH_LINUX_MONITOR"] = 159,
+ ["BLUETOOTH_BREDR_BB"] = 160,
+ ["BLUETOOTH_LE_LL_WITH_PHDR"] = 161,
+ ["NSTRACE_3_0"] = 162,
+ ["LOGCAT"] = 163,
+ ["LOGCAT_BRIEF"] = 164,
+ ["LOGCAT_PROCESS"] = 165,
+ ["LOGCAT_TAG"] = 166,
+ ["LOGCAT_THREAD"] = 167,
+ ["LOGCAT_TIME"] = 168,
+ ["LOGCAT_THREADTIME"] = 169,
+ ["LOGCAT_LONG"] = 170,
+ ["PKTAP"] = 171,
+ ["EPON"] = 172,
+ ["IPMI_TRACE"] = 173,
+ ["LOOP"] = 174,
+ ["JSON"] = 175,
+ ["NSTRACE_3_5"] = 176,
+ ["ISO14443"] = 177,
+ ["GFP_T"] = 178,
+ ["GFP_F"] = 179,
+ ["IP_OVER_IB_PCAP"] = 180,
+ ["JUNIPER_VN"] = 181,
+ ["USB_DARWIN"] = 182,
+ ["LORATAP"] = 183,
+ ["3MB_ETHERNET"] = 184,
+ ["VSOCK"] = 185,
+ ["NORDIC_BLE"] = 186,
+ ["NETMON_NET_NETEVENT"] = 187,
+ ["NETMON_HEADER"] = 188,
+ ["NETMON_NET_FILTER"] = 189,
+ ["NETMON_NETWORK_INFO_EX"] = 190,
+ ["MA_WFP_CAPTURE_V4"] = 191,
+ ["MA_WFP_CAPTURE_V6"] = 192,
+ ["MA_WFP_CAPTURE_2V4"] = 193,
+ ["MA_WFP_CAPTURE_2V6"] = 194,
+ ["MA_WFP_CAPTURE_AUTH_V4"] = 195,
+ ["MA_WFP_CAPTURE_AUTH_V6"] = 196,
+ ["JUNIPER_ST"] = 197,
+ ["ETHERNET_MPACKET"] = 198,
+ ["DOCSIS31_XRA31"] = 199
+}
+wtap = wtap_encaps -- for bw compatibility
+
+
+-- Wiretap file types
+wtap_filetypes = {
+ ["UNKNOWN"] = 0,
+ ["PCAP"] = 1,
+ ["PCAPNG"] = 2,
+ ["PCAP_NSEC"] = 3,
+ ["PCAP_AIX"] = 4,
+ ["PCAP_SS991029"] = 5,
+ ["PCAP_NOKIA"] = 6,
+ ["PCAP_SS990417"] = 7,
+ ["PCAP_SS990915"] = 8,
+ ["5VIEWS"] = 9,
+ ["IPTRACE_1_0"] = 10,
+ ["IPTRACE_2_0"] = 11,
+ ["BER"] = 12,
+ ["HCIDUMP"] = 13,
+ ["CATAPULT_DCT2000"] = 14,
+ ["NETXRAY_OLD"] = 15,
+ ["NETXRAY_1_0"] = 16,
+ ["COSINE"] = 17,
+ ["CSIDS"] = 18,
+ ["DBS_ETHERWATCH"] = 19,
+ ["ERF"] = 20,
+ ["EYESDN"] = 21,
+ ["NETTL"] = 22,
+ ["ISERIES"] = 23,
+ ["ISERIES_UNICODE"] = 24,
+ ["I4BTRACE"] = 25,
+ ["ASCEND"] = 26,
+ ["NGSNIFFER_UNCOMPRESSED"] = 29,
+ ["NGSNIFFER_COMPRESSED"] = 30,
+ ["NETXRAY_1_1"] = 31,
+ ["NETWORK_INSTRUMENTS"] = 33,
+ ["LANALYZER"] = 34,
+ ["PPPDUMP"] = 35,
+ ["RADCOM"] = 36,
+ ["SNOOP"] = 37,
+ ["SHOMITI"] = 38,
+ ["VMS"] = 39,
+ ["K12"] = 40,
+ ["TOSHIBA"] = 41,
+ ["VISUAL_NETWORKS"] = 42,
+ ["PEEKCLASSIC_V56"] = 43,
+ ["PEEKCLASSIC_V7"] = 44,
+ ["PEEKTAGGED"] = 45,
+ ["MPEG"] = 46,
+ ["K12TEXT"] = 47,
+ ["NETSCREEN"] = 48,
+ ["COMMVIEW"] = 49,
+ ["BTSNOOP"] = 50,
+ ["TNEF"] = 51,
+ ["DCT3TRACE"] = 52,
+ ["PACKETLOGGER"] = 53,
+ ["DAINTREE_SNA"] = 54,
+ ["NETSCALER_1_0"] = 55,
+ ["NETSCALER_2_0"] = 56,
+ ["JPEG_JFIF"] = 57,
+ ["IPFIX"] = 58,
+ ["MIME"] = 59,
+ ["AETHRA"] = 60,
+ ["MPEG_2_TS"] = 61,
+ ["VWR_80211"] = 62,
+ ["VWR_ETH"] = 63,
+ ["CAMINS"] = 64,
+ ["STANAG_4607"] = 65,
+ ["NETSCALER_3_0"] = 66,
+ ["LOGCAT"] = 67,
+ ["LOGCAT_BRIEF"] = 68,
+ ["LOGCAT_PROCESS"] = 69,
+ ["LOGCAT_TAG"] = 70,
+ ["LOGCAT_THREAD"] = 71,
+ ["LOGCAT_TIME"] = 72,
+ ["LOGCAT_THREADTIME"] = 73,
+ ["LOGCAT_LONG"] = 74,
+ ["COLASOFT_CAPSA"] = 75,
+ ["COLASOFT_PACKET_BUILDER"] = 76,
+ ["JSON"] = 77,
+ ["NETSCALER_3_5"] = 78,
+ ["NETTRACE_3GPP_32_423"] = 79,
+ ["MPLOG"] = 80,
+ ["TSPREC_SEC"] = 0,
+ ["TSPREC_DSEC"] = 1,
+ ["TSPREC_CSEC"] = 2,
+ ["TSPREC_MSEC"] = 3,
+ ["TSPREC_USEC"] = 6,
+ ["TSPREC_NSEC"] = 9
+}
+
+
+-- Wiretap timestamp precision types
+wtap_tsprecs = {
+ ["SEC"] = 0,
+ ["DSEC"] = 1,
+ ["CSEC"] = 2,
+ ["MSEC"] = 3,
+ ["USEC"] = 6,
+ ["NSEC"] = 9
+}
+
+
+-- Wiretap file comment types
+wtap_comments = {
+ ["PER_SECTION"] = 0x00000001,
+ ["PER_INTERFACE"] = 0x00000002,
+ ["PER_PACKET"] = 0x00000004
+}
+
+
+-- Field Types
+ftypes = {
+ ["NONE"] = 0,
+ ["PROTOCOL"] = 1,
+ ["BOOLEAN"] = 2,
+ ["CHAR"] = 3,
+ ["UINT8"] = 4,
+ ["UINT16"] = 5,
+ ["UINT24"] = 6,
+ ["UINT32"] = 7,
+ ["UINT40"] = 8,
+ ["UINT48"] = 9,
+ ["UINT56"] = 10,
+ ["UINT64"] = 11,
+ ["INT8"] = 12,
+ ["INT16"] = 13,
+ ["INT24"] = 14,
+ ["INT32"] = 15,
+ ["INT40"] = 16,
+ ["INT48"] = 17,
+ ["INT56"] = 18,
+ ["INT64"] = 19,
+ ["IEEE_11073_SFLOAT"] = 20,
+ ["IEEE_11073_FLOAT"] = 21,
+ ["FLOAT"] = 22,
+ ["DOUBLE"] = 23,
+ ["ABSOLUTE_TIME"] = 24,
+ ["RELATIVE_TIME"] = 25,
+ ["STRING"] = 26,
+ ["STRINGZ"] = 27,
+ ["UINT_STRING"] = 28,
+ ["ETHER"] = 29,
+ ["BYTES"] = 30,
+ ["UINT_BYTES"] = 31,
+ ["IPv4"] = 32,
+ ["IPv6"] = 33,
+ ["IPXNET"] = 34,
+ ["FRAMENUM"] = 35,
+ ["PCRE"] = 36,
+ ["GUID"] = 37,
+ ["OID"] = 38,
+ ["EUI64"] = 39,
+ ["AX25"] = 40,
+ ["VINES"] = 41,
+ ["REL_OID"] = 42,
+ ["SYSTEM_ID"] = 43,
+ ["STRINGZPAD"] = 44,
+ ["FCWWN"] = 45
+}
+
+
+-- the following table is since 2.0
+-- Field Type FRAMENUM Types
+frametype = {
+ ["NONE"] = 0,
+ ["REQUEST"] = 1,
+ ["RESPONSE"] = 2,
+ ["ACK"] = 3,
+ ["DUP_ACK"] = 4,
+ ["RETRANS_PREV"] = 5,
+ ["RETRANS_NEXT"] = 6
+}
+
+
+-- the following table is since 1.12
+-- Wiretap record_types
+wtap_rec_types = {
+ ["PACKET"] = 0, -- packet
+ ["FT_SPECIFIC_EVENT"] = 1, -- file-type-specific event
+ ["FT_SPECIFIC_REPORT"] = 2, -- file-type-specific report
+ ["SYSCALL"] = 3, -- system call
+}
+
+
+-- the following table is since 1.11.3
+-- Wiretap presence flags
+wtap_presence_flags = {
+ ["TS"] = 1, -- time stamp
+ ["CAP_LEN"] = 2, -- captured length separate from on-the-network length
+ ["INTERFACE_ID"] = 4, -- interface ID
+ ["COMMENTS"] = 8, -- comments
+ ["DROP_COUNT"] = 16, -- drop count
+ ["PACK_FLAGS"] = 32, -- packet flags
+}
+
+
+-- Display Bases
+base = {
+ ["NONE"] = 0, -- none
+ ["DEC"] = 1, -- decimal
+ ["HEX"] = 2, -- hexadecimal
+ ["OCT"] = 3, -- octal
+ ["DEC_HEX"] = 4, -- decimal (hexadecimal)
+ ["HEX_DEC"] = 5, -- hexadecimal (decimal)
+ ["CUSTOM"] = 6, -- call custom routine (in ->strings) to format
+ ["ASCII"] = 0, -- shows non-printable ASCII characters as C-style escapes
+ ["UNICODE"] = 7, -- shows non-printable UNICODE characters as \\uXXXX (XXX for now non-printable characters display depends on UI)
+ ["DOT"] = 8, -- hexadecimal bytes with a period (.) between each byte
+ ["DASH"] = 9, -- hexadecimal bytes with a dash (-) between each byte
+ ["COLON"] = 10, -- hexadecimal bytes with a colon (:) between each byte
+ ["SPACE"] = 11, -- hexadecimal bytes with a space between each byte
+ ["NETMASK"] = 12, -- Used for IPv4 address that shouldn't be resolved (like for netmasks)
+ ["PT_UDP"] = 13, -- UDP port
+ ["PT_TCP"] = 14, -- TCP port
+ ["PT_DCCP"] = 15, -- DCCP port
+ ["PT_SCTP"] = 16, -- SCTP port
+ ["OUI"] = 17, -- OUI resolution
+ ["UNIT_STRING"] = 4096, -- Add unit text to the field value
+ ["LOCAL"] = 1000, -- local time in our time zone, with month and day
+ ["UTC"] = 1001, -- UTC, with month and day
+ ["DOY_UTC"] = 1002, -- UTC, with 1-origin day-of-year
+}
+
+
+-- Encodings
+ENC_BIG_ENDIAN = 0
+ENC_LITTLE_ENDIAN = 2147483648
+ENC_TIME_TIMESPEC = 0
+ENC_TIME_NTP = 2
+ENC_TIME_TOD = 4
+ENC_TIME_RTPS = 8
+ENC_TIME_NTP_BASE_ZERO = 14
+ENC_TIME_TIMEVAL = 16
+ENC_TIME_SECS = 18
+ENC_TIME_MSECS = 20
+ENC_TIME_SECS_NTP = 24
+ENC_TIME_RFC_3971 = 32
+ENC_TIME_MSEC_NTP = 34
+ENC_CHARENCODING_MASK = 2147483646
+ENC_ASCII = 0
+ENC_UTF_8 = 2
+ENC_UTF_16 = 4
+ENC_UCS_2 = 6
+ENC_UCS_4 = 8
+ENC_ISO_8859_1 = 10
+ENC_ISO_8859_2 = 12
+ENC_ISO_8859_3 = 14
+ENC_ISO_8859_4 = 16
+ENC_ISO_8859_5 = 18
+ENC_ISO_8859_6 = 20
+ENC_ISO_8859_7 = 22
+ENC_ISO_8859_8 = 24
+ENC_ISO_8859_9 = 26
+ENC_ISO_8859_10 = 28
+ENC_ISO_8859_11 = 30
+ENC_ISO_8859_13 = 34
+ENC_ISO_8859_14 = 36
+ENC_ISO_8859_15 = 38
+ENC_ISO_8859_16 = 40
+ENC_WINDOWS_1250 = 42
+ENC_3GPP_TS_23_038_7BITS = 44
+ENC_EBCDIC = 46
+ENC_MAC_ROMAN = 48
+ENC_CP437 = 50
+ENC_ASCII_7BITS = 52
+ENC_T61 = 54
+ENC_EBCDIC_CP037 = 56
+ENC_ZIGBEE = 58
+ENC_NA = 0
+ENC_STR_NUM = 16777216
+ENC_STR_HEX = 33554432
+ENC_STRING = 50331648
+ENC_STR_MASK = 65534
+ENC_NUM_PREF = 2097152
+ENC_VARINT_PROTOBUF = 2
+ENC_VARINT_QUIC = 4
+ENC_SEP_NONE = 65536
+ENC_SEP_COLON = 131072
+ENC_SEP_DASH = 262144
+ENC_SEP_DOT = 524288
+ENC_SEP_SPACE = 1048576
+ENC_SEP_MASK = 2031616
+ENC_ISO_8601_DATE = 65536
+ENC_ISO_8601_TIME = 131072
+ENC_ISO_8601_DATE_TIME = 196608
+ENC_RFC_822 = 262144
+ENC_RFC_1123 = 524288
+ENC_STR_TIME_MASK = 983040
+
+
+
+-- Expert flags and facilities (deprecated - see 'expert' table below)
+PI_SEVERITY_MASK = 15728640
+PI_COMMENT = 1048576
+PI_CHAT = 2097152
+PI_NOTE = 4194304
+PI_WARN = 6291456
+PI_ERROR = 8388608
+PI_GROUP_MASK = 4278190080
+PI_CHECKSUM = 16777216
+PI_SEQUENCE = 33554432
+PI_RESPONSE_CODE = 50331648
+PI_REQUEST_CODE = 67108864
+PI_UNDECODED = 83886080
+PI_REASSEMBLE = 100663296
+PI_MALFORMED = 117440512
+PI_DEBUG = 134217728
+PI_PROTOCOL = 150994944
+PI_SECURITY = 167772160
+PI_COMMENTS_GROUP = 184549376
+PI_DECRYPTION = 201326592
+PI_ASSUMPTION = 218103808
+PI_DEPRECATED = 234881024
+
+
+
+-- the following table is since 1.11.3
+-- Expert flags and facilities
+expert = {
+ -- Expert event groups
+ group = {
+ -- The protocol field has a bad checksum, usually uses PI_WARN severity
+ ["CHECKSUM"] = 16777216,
+ -- The protocol field indicates a sequence problem (e.g. TCP window is zero)
+ ["SEQUENCE"] = 33554432,
+ -- The protocol field indicates a bad application response code (e.g. HTTP 404), usually PI_NOTE severity
+ ["RESPONSE_CODE"] = 50331648,
+ -- The protocol field indicates an application request (e.g. File Handle == xxxx), usually PI_CHAT severity
+ ["REQUEST_CODE"] = 67108864,
+ -- The data is undecoded, the protocol dissection is incomplete here, usually PI_WARN severity
+ ["UNDECODED"] = 83886080,
+ -- The protocol field indicates a reassemble (e.g. DCE/RPC defragmentation), usually PI_CHAT severity (or PI_ERROR)
+ ["REASSEMBLE"] = 100663296,
+ -- The packet data is malformed, the dissector has "given up", usually PI_ERROR severity
+ ["MALFORMED"] = 117440512,
+ -- A generic debugging message (shouldn't remain in production code!), usually PI_ERROR severity
+ ["DEBUG"] = 134217728,
+ -- The protocol field violates a protocol specification, usually PI_WARN severity
+ ["PROTOCOL"] = 150994944,
+ -- The protocol field indicates a security problem (e.g. insecure implementation)
+ ["SECURITY"] = 167772160,
+ -- The protocol field indicates a packet comment
+ ["COMMENTS_GROUP"] = 184549376,
+ -- The protocol field indicates a decryption problem
+ ["DECRYPTION"] = 201326592,
+ -- The protocol field has incomplete data, decode based on assumed value
+ ["ASSUMPTION"] = 218103808,
+ -- The protocol field has been deprecated, usually PI_NOTE severity
+ ["DEPRECATED"] = 234881024,
+ },
+ -- Expert severity levels
+ severity = {
+ -- Packet comment
+ ["COMMENT"] = 1048576,
+ -- Usual workflow, e.g. TCP connection establishing
+ ["CHAT"] = 2097152,
+ -- Notable messages, e.g. an application returned an "unusual" error code like HTTP 404
+ ["NOTE"] = 4194304,
+ -- Warning, e.g. application returned an "unusual" error code
+ ["WARN"] = 6291456,
+ -- Serious problems, e.g. a malformed packet
+ ["ERROR"] = 8388608,
+ },
+}
+
+
+
+-- menu groups for register_menu
+MENU_ANALYZE_UNSORTED = 0
+MENU_ANALYZE_CONVERSATION = 1
+MENU_STAT_UNSORTED = 2
+MENU_STAT_GENERIC = 3
+MENU_STAT_CONVERSATION = 4
+MENU_STAT_ENDPOINT = 5
+MENU_STAT_RESPONSE = 6
+MENU_STAT_TELEPHONY = 7
+MENU_STAT_TELEPHONY_ANSI = 8
+MENU_STAT_TELEPHONY_GSM = 9
+MENU_STAT_TELEPHONY_LTE = 10
+MENU_STAT_TELEPHONY_MTP = 11
+MENU_STAT_TELEPHONY_SCTP = 12
+MENU_TOOLS_UNSORTED = 13
+
+
+-- other useful constants
+-- DATA_DIR and USER_DIR have a trailing directory separator.
+GUI_ENABLED = gui_enabled()
+DATA_DIR = Dir.global_config_path()..package.config:sub(1,1)
+USER_DIR = Dir.personal_config_path()..package.config:sub(1,1)
+
+-- deprecated function names
+datafile_path = Dir.global_config_path
+persconffile_path = Dir.personal_config_path
+
+
+dofile(DATA_DIR.."console.lua")
+--dofile(DATA_DIR.."dtd_gen.lua") -- 2.39.5