authorDaniel Baumann <daniel@debian.org>2024-11-21 15:51:37 +0100
committerDaniel Baumann <daniel@debian.org>2024-11-21 15:51:37 +0100
commitebb64aabedd789b5affbf30f03e43fcf3a0561f4 (patch)
treeec4dd9937434be85039f900efcc48c75c182d81d /collector_sample
parentInitial commit. (diff)
Adding upstream version 1.7.3+dfsg.upstream/1.7.3+dfsgupstream
Signed-off-by: Daniel Baumann <daniel@debian.org>
Diffstat (limited to 'collector_sample')
-rw-r--r--collector_sample/packetq.conf42
-rw-r--r--collector_sample/pq_tracesplit.pl294
2 files changed, 336 insertions, 0 deletions
diff --git a/collector_sample/packetq.conf b/collector_sample/packetq.conf
new file mode 100644
index 0000000..cec9ff7
--- /dev/null
+++ b/collector_sample/packetq.conf
@@ -0,0 +1,42 @@
+## packetq pid file
+pidfile=/var/run/packetq.pid
+
+## Name of the DNS server. Parameter is used first in filename when creating
+## tcpdump files.
+server="my_server"
+
+## Directory where pcap files are stored
+# make sure path ends with trailing "/"
+destdir=/tmp/
+
+## Name of the network interface(s) to monitor
+interface=eth0,eth1
+
+## How often to rotate dump file, in seconds
+interval=300
+
+## zip compression for pcap data
+compression_level=9
+
+## BSD libtrace promiscous interface hack
+# (uses a tcpdump session on port 100 to keep the interface in promisc mode)
+#bsdpromischack=YES
+bsdpromischack=NO
+
+## path to the tcpdump binary (only needed for promisc hack above)
+tcpdump=tcpdump
+
+## path to the tracesplit binary
+# tracesplit is distributed in the tools folder of the libtrace library
+# which at the time of this writing could be obtained at:
+# http://research.wand.net.nz/software/libtrace.php
+# make sure it's built and installed.
+tracesplit=/usr/local/bin/tracesplit
+
+### choose a packet filter:
+## collect TCP and UDP, requests and responses:
+filter="port 53 and not host 192.168.1.3 and not host 192.168.1.8"
+
+## run command after moving file
+command="echo \"path:%P filename:%F server:%S interface:%I date:%Y %M %D time:%h %m %s\""
+
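Review bot: `destdir=/tmp/` makes a world-writable directory the default location for the captured DNS pcap files, which the companion script in this commit writes, rotates and moves into per-hour subdirectories it creates itself; any local user can read the captures or pre-create paths there. A dedicated directory with restricted ownership (placeholder: `/var/lib/packetq/`, to be chosen by the packager) is a safer sample value, with the comment stating that it must not be a shared temp directory. The instruction `make sure path ends with trailing "/"` also appears inconsistent with the script, which joins as `$destdir/$server-$if` and so yields a double slash whether or not the trailing slash is present — either drop the instruction or note that it is harmless.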
diff --git a/collector_sample/pq_tracesplit.pl b/collector_sample/pq_tracesplit.pl
new file mode 100644
index 0000000..3d03731
--- /dev/null
+++ b/collector_sample/pq_tracesplit.pl
@@ -0,0 +1,294 @@
+#!/usr/bin/perl
+# usage:
+# start daemon using /etc/packetq.conf:
+# pq_tracesplit.pl
+
+# stop daemon:
+# pq_tracesplit.pl stop
+
+# run in foreground with conf file
+# pq_tracesplit.pl -f -c my.conf
+
+# stop with custom conf file
+# pq_tracesplit.pl -c my.conf stop
+
+
+
+
+use POSIX;
+use POSIX qw(setsid);
+use Sys::Syslog qw(:DEFAULT setlogsock); # default set, plus setlogsock()
+use File::Path;
+use File::Copy;
+use Getopt::Std;
+use Data::Dumper;
+use strict;
+no strict "subs";
+
+my $conffile = "/etc/packetq.conf";
+my %opts;
+getopts('fc:', \%opts);
+if (defined $opts{c})
+{
+ $conffile = $opts{c};
+}
+my $foreground = undef;
+$foreground = 1 if (defined $opts{f});
+
+openlog('pqcollector','pid,perror','LOG_USER');
+
+######### read config file
+
+my %config;
+open(CONFIG,$conffile) or die "error reading config file $conffile exiting";
+while (<CONFIG>)
+{
+ chomp;
+ next if /^\s*\#/;
+ next unless /=/;
+ my ($key, $variable) = split(/=/,$_,2);
+ $variable =~ s/(\$(\w+))/$config{$2}/g;
+ $config{$key} = $variable;
+}
+close CONFIG;
+
+my $pidfile = $config{'pidfile'};
+my $logfile = "/dev/null";
+
+##### start daemon
+
+if (-e $pidfile)
+{
+ open (PFILE, $pidfile);
+ my $pidfromfile = <PFILE>;
+ close PFILE;
+
+ if (($pidfromfile =~ /[0-9]+/) && kill( 0, $pidfromfile))
+ {
+ if ($ARGV[0] eq 'stop')
+ {
+ syslog 'info',"Stopping daemon pid: $pidfromfile\n";
+ while (kill( 0, $pidfromfile))
+ {
+ kill( - SIGQUIT, $pidfromfile);
+ sleep(1);
+ }
+ exit;
+ }
+ else
+ {
+ syslog LOG_INFO,"Pid file $pidfile exist and the program ($pidfromfile) is running ! exiting ...\n";
+ }
+ exit;
+ }
+ else
+ {
+ unlink($pidfile);
+ }
+}
+
+if ($ARGV[0] eq 'stop')
+{
+ syslog 'info',"Cannot stop packetq.pl as it's not running\n";
+ exit;
+}
+&daemonize() unless defined $foreground;
+open FILE, ">$pidfile" or die "unable to open pidfile : $pidfile $!";
+print FILE $$."\n";
+close FILE;
+
+##### catch signals
+
+my $keep_going = 1;
+$SIG{HUP} = sub { print("Caught SIGHUP: exiting gracefully\n"); $keep_going = 0; };
+$SIG{INT} = sub { print("Caught SIGINT: exiting gracefully\n"); $keep_going = 0; };
+$SIG{QUIT} = sub { print("Caught SIGQUIT: exiting gracefully\n"); $keep_going = 0; };
+$SIG{TERM} = sub { print("Caught SIGTERM: exiting gracefully\n"); $keep_going = 0; };
+
+########## start collection
+foreach my $k (keys %config)
+{
+ print $k."=".$config{$k}."\n";
+ $config{$k} =~ s/^\"(.*)\"$/$1/;
+}
+
+my $interval = $config{'interval'};
+my $interface = $config{'interface'};
+my @interfaces = split(/,/,$interface);
+my $filter = $config{'filter'};
+my $server = $config{'server'};
+my $destdir = $config{'destdir'};
+
+my $stime = floor(time()/$interval) * $interval + $interval;
+
+syslog LOG_INFO,"Starting packetq collector daemon (pid:".$$.") destdir: $config{'destdir'}\n";
+
+my @tdpid;
+my @tspid;
+my $ifcnt = 0;
+foreach my $if (@interfaces)
+{
+ if ($config{'bsdpromischack'} eq "YES")
+ {
+ my $pid;
+ #my $tcpdumpcmd="$config{'tcpdump'} -i $if port 100 2>/dev/null";
+ my $tcpdumpcmd="$config{'tcpdump'} -i $if port 100";
+ $pid = spawn ($tcpdumpcmd);
+ print "tcp pid $pid";
+ if ($pid == 0)
+ {
+ syslog LOG_ERROR,"Cannot run $tcpdumpcmd exiting \n";
+ exit;
+ }
+ syslog LOG_INFO,"Keeping the interface ($if) in promisc mode by letting tcpdump ($pid) listen on port 100 \n";
+ @tdpid[$ifcnt] = $pid;
+ }
+
+ my $tracesplitcmd = $config{'tracesplit'}." pcapint:$if -s $stime -z $config{'compression_level'} -i $interval -f \"$filter\" pcapfile:$destdir/$server-$if";
+ my $tspid = spawn($tracesplitcmd);
+ print "ts pid $tspid";
+ if ($tspid == 0)
+ {
+ syslog LOG_ERROR,"Cannot run $tracesplitcmd exiting \n";
+ exit;
+ }
+ syslog LOG_INFO,"Starting tracesplit \"$tracesplitcmd\"(pid:$tspid)\n";
+ @tspid[$ifcnt] = $tspid;
+
+ $ifcnt++;
+}
+
+########## infinite loop
+reaper();
+
+while($keep_going == 1)
+{
+ foreach my $if (@interfaces)
+ {
+ opendir(DIR, $destdir) or last;
+ my @files;
+
+ while (my $file = readdir(DIR))
+ {
+ # Use a regular expression to ignore files beginning with a period
+ next if ($file =~ m/^\./);
+ next unless ($file =~ m/^$server-$if.*/);
+ push(@files,$file);
+ }
+ @files= sort(@files);
+ if (@files>1)
+ {
+ pop @files;
+ #print "files: \n".join("\n",@files)."\n";
+ foreach my $f (@files)
+ {
+ if($f =~ /^$server-$if-(.*)\.gz/)
+ {
+ ##my ($sec, $min, $hour, $day,$month,$year) = (localtime($1))[0,1,2,3,4,5,6];
+ my ($sec, $min, $hour, $day,$month,$year) = (gmtime($1))[0,1,2,3,4,5,6];
+ $year+=1900;
+ $month++;
+ $sec = "0".$sec if $sec <10;
+ $min = "0".$min if $min <10;
+ $hour = "0".$hour if $hour <10;
+ $day = "0".$day if $day <10;
+ $month = "0".$month if $month<10;
+
+ my $file = "$server-$year$month$day-$hour$min$sec-$if.pcap.gz";
+ my $dir = "$year/$month/$day/$hour";
+ my $cmd = $config{command};
+ $cmd =~ s/%F/$file/g;
+ $cmd =~ s/%S/$server/g;
+ $cmd =~ s/%I/$if/g;
+ $cmd =~ s/%P/$dir/g;
+ $cmd =~ s/%Y/$year/g;
+ $cmd =~ s/%M/$month/g;
+ $cmd =~ s/%D/$day/g;
+ $cmd =~ s/%h/$hour/g;
+ $cmd =~ s/%m/$min/g;
+ $cmd =~ s/%s/$sec/g;
+
+ #print "$cmd\n";
+
+ mkpath "$destdir/$dir";
+ move ("$destdir/$f","$destdir/$dir/$file");
+ spawn($cmd);
+ #print "hello $hour, $min, $sec,-- $day,$month,$year\n";
+ #print "mkdir $dir\n";
+ #print "mv $destdir/$f $destdir/$dir/$file\n";
+ }
+ }
+ }
+ closedir(DIR);
+ }
+ #printf("blipp\n");
+ sleep(5);
+}
+
+########## exit cleanup
+
+syslog 'info',"Shutting down collector ...\n";
+foreach my $pid (@tspid)
+{
+ if ($pid ne 0)
+ {
+ print "Stopping tracesplit ($pid)\n";
+ syslog LOG_INFO,"Stopping tracesplit ($pid)\n";
+ kill( - SIGABRT, $pid);
+ }
+}
+
+foreach my $pid (@tdpid)
+{
+ if ($pid ne 0)
+ {
+ syslog LOG_INFO,"Stopping tcpdump ($pid)\n";
+ kill( - SIGABRT, $pid);
+ }
+}
+
+syslog LOG_INFO,"removing pidfile\n";
+unlink($pidfile);
+
+syslog LOG_INFO,"bye bye\n";
+closelog;
+exit;
+
+########## functions
+
+sub spawn
+{
+ my $cmd = shift;
+ defined(my $pid = fork) or die "Can't fork: $!";
+ if ($pid == 0)
+ {
+ exec $cmd;
+ syslog LOG_ERROR,"Couldn't run $cmd\n";
+ die "Couldn't run $cmd";
+ }
+ return $pid;
+}
+
+sub daemonize
+{
+ chdir '/' or die "Can't chdir to /: $!";
+ defined(my $pid = fork) or die "Can't fork: $!";
+ exit if $pid;
+ setsid or die "Can't start a new session: $!";
+ umask 0;
+
+ open STDIN, '/dev/null' or die "Can't read /dev/null: $!";
+ open STDOUT, ">>$logfile" or die "Can't write to $logfile: $!";
+ open STDERR, ">>$logfile" or die "Can't write to $logfile: $!";
+}
+
+sub reaper {
+ my $stiff;
+ while ( ($stiff = waitpid(-1, &WNOHANG) ) > 0 )
+ {
+ #print "child $stiff terminated -- status $?";
+ }
+ $SIG{CHLD} = \&reaper;
+}
+
+
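Review bot: `daemonize` sets `umask 0` and the pidfile is then created with `open FILE, ">$pidfile"` immediately after the `&daemonize()` call, so in daemon mode the pidfile — and later every directory `mkpath` creates under `$destdir` — comes out world-writable; because the `stop` path trusts whatever pid it reads back and sends `kill( - SIGQUIT, $pidfromfile)` to that process group, a local user who edits the file can redirect the signal. Use a conventional `umask 022;` (or `027`) in `daemonize`, or pass an explicit mode to `mkpath` and create the pidfile before daemonizing. Separately, `LOG_ERROR` is not a constant Sys::Syslog provides (the level is `LOG_ERR`), and with `no strict "subs"` it is passed as a bareword string that `syslog()` rejects, so the three `syslog LOG_ERROR, ...` calls croak at exactly the moment an exec fails; the parent-side `if ($pid == 0)` branches after `spawn` are also unreachable, since `spawn` returns the child's pid and an exec failure is only visible inside the child. The config and pidfile reads use unchecked 2-arg `open` with bareword handles (`open(CONFIG,$conffile)`, `open (PFILE, $pidfile)`), and `exec $cmd` runs a single string through the shell with `$filter`, `$destdir` and `$server` interpolated; three-arg lexical opens and list-form `exec` for the tracesplit and tcpdump invocations would remove both problems.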