From ebb64aabedd789b5affbf30f03e43fcf3a0561f4 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Thu, 21 Nov 2024 15:51:37 +0100
Subject: Adding upstream version 1.7.3+dfsg.
Signed-off-by: Daniel Baumann
---
collector_sample/packetq.conf | 42 ++++++
collector_sample/pq_tracesplit.pl | 294 ++++++++++++++++++++++++++++++++++++++
2 files changed, 336 insertions(+)
create mode 100644 collector_sample/packetq.conf
create mode 100644 collector_sample/pq_tracesplit.pl
(limited to 'collector_sample')
diff --git a/collector_sample/packetq.conf b/collector_sample/packetq.conf
new file mode 100644
index 0000000..cec9ff7
--- /dev/null
+++ b/collector_sample/packetq.conf
@@ -0,0 +1,42 @@
+## packetq pid file
+pidfile=/var/run/packetq.pid
+
+## Name of the DNS server. Parameter is used first in filename when creating
+## tcpdump files.
+server="my_server"
+
+## Directory where pcap files are stored
+# make sure path ends with trailing "/"
+destdir=/tmp/
+
+## Name of the network interface(s) to monitor
+interface=eth0,eth1
+
+## How often to rotate dump file, in seconds
+interval=300
+
+## zip compression for pcap data
+compression_level=9
+
+## BSD libtrace promiscous interface hack
+# (uses a tcpdump session on port 100 to keep the interface in promisc mode)
+#bsdpromischack=YES
+bsdpromischack=NO
+
+## path to the tcpdump binary (only needed for promisc hack above)
+tcpdump=tcpdump
+
+## path to the tracesplit binary
+# tracesplit is distributed in the tools folder of the libtrace library
+# which at the time of this writing could be obtained at:
+# http://research.wand.net.nz/software/libtrace.php
+# make sure it's built and installed.
+tracesplit=/usr/local/bin/tracesplit
+
+### choose a packet filter:
+## collect TCP and UDP, requests and responses:
+filter="port 53 and not host 192.168.1.3 and not host 192.168.1.8"
+
+## run command after moving file
+command="echo \"path:%P filename:%F server:%S interface:%I date:%Y %M %D time:%h %m %s\""
+
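Review bot: `destdir=/tmp/` in the sample points the capture store at a shared, world-writable directory; pq_tracesplit.pl builds the `YYYY/MM/DD/HH` tree under it with mkpath and moves the pcap.gz files there, so in a shared directory other local accounts can read the captured DNS traffic or pre-create those dated paths. The sample should name a dedicated directory owned by the collector, e.g. `destdir=/var/lib/packetq/` (constructed example), with the comment `# dedicated directory owned by the collector, not a shared/world-writable one; dated subdirectories are created here`. The trailing-slash remark can stay, as the script joins paths with its own `/` and only produces a harmless `//`.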
diff --git a/collector_sample/pq_tracesplit.pl b/collector_sample/pq_tracesplit.pl
new file mode 100644
index 0000000..3d03731
--- /dev/null
+++ b/collector_sample/pq_tracesplit.pl
@@ -0,0 +1,294 @@
+#!/usr/bin/perl
+# usage:
+# start daemon using /etc/packetq.conf:
+# pq_tracesplit.pl
+
+# stop daemon:
+# pq_tracesplit.pl stop
+
+# run in foreground with conf file
+# pq_tracesplit.pl -f -c my.conf
+
+# stop with custom conf file
+# pq_tracesplit.pl -c my.conf stop
+
+
+
+
+use POSIX;
+use POSIX qw(setsid);
+use Sys::Syslog qw(:DEFAULT setlogsock); # default set, plus setlogsock()
+use File::Path;
+use File::Copy;
+use Getopt::Std;
+use Data::Dumper;
+use strict;
+no strict "subs";
+
+my $conffile = "/etc/packetq.conf";
+my %opts;
+getopts('fc:', \%opts);
+if (defined $opts{c})
+{
+ $conffile = $opts{c};
+}
+my $foreground = undef;
+$foreground = 1 if (defined $opts{f});
+
+openlog('pqcollector','pid,perror','LOG_USER');
+
+######### read config file
+
+my %config;
+open(CONFIG,$conffile) or die "error reading config file $conffile exiting";
+while ()
+{
+ chomp;
+ next if /^\s*\#/;
+ next unless /=/;
+ my ($key, $variable) = split(/=/,$_,2);
+ $variable =~ s/(\$(\w+))/$config{$2}/g;
+ $config{$key} = $variable;
+}
+close CONFIG;
+
+my $pidfile = $config{'pidfile'};
+my $logfile = "/dev/null";
+
+##### start daemon
+
+if (-e $pidfile)
+{
+ open (PFILE, $pidfile);
+ my $pidfromfile = ;
+ close PFILE;
+
+ if (($pidfromfile =~ /[0-9]+/) && kill( 0, $pidfromfile))
+ {
+ if ($ARGV[0] eq 'stop')
+ {
+ syslog 'info',"Stopping daemon pid: $pidfromfile\n";
+ while (kill( 0, $pidfromfile))
+ {
+ kill( - SIGQUIT, $pidfromfile);
+ sleep(1);
+ }
+ exit;
+ }
+ else
+ {
+ syslog LOG_INFO,"Pid file $pidfile exist and the program ($pidfromfile) is running ! exiting ...\n";
+ }
+ exit;
+ }
+ else
+ {
+ unlink($pidfile);
+ }
+}
+
+if ($ARGV[0] eq 'stop')
+{
+ syslog 'info',"Cannot stop packetq.pl as it's not running\n";
+ exit;
+}
+&daemonize() unless defined $foreground;
+open FILE, ">$pidfile" or die "unable to open pidfile : $pidfile $!";
+print FILE $$."\n";
+close FILE;
+
+##### catch signals
+
+my $keep_going = 1;
+$SIG{HUP} = sub { print("Caught SIGHUP: exiting gracefully\n"); $keep_going = 0; };
+$SIG{INT} = sub { print("Caught SIGINT: exiting gracefully\n"); $keep_going = 0; };
+$SIG{QUIT} = sub { print("Caught SIGQUIT: exiting gracefully\n"); $keep_going = 0; };
+$SIG{TERM} = sub { print("Caught SIGTERM: exiting gracefully\n"); $keep_going = 0; };
+
+########## start collection
+foreach my $k (keys %config)
+{
+ print $k."=".$config{$k}."\n";
+ $config{$k} =~ s/^\"(.*)\"$/$1/;
+}
+
+my $interval = $config{'interval'};
+my $interface = $config{'interface'};
+my @interfaces = split(/,/,$interface);
+my $filter = $config{'filter'};
+my $server = $config{'server'};
+my $destdir = $config{'destdir'};
+
+my $stime = floor(time()/$interval) * $interval + $interval;
+
+syslog LOG_INFO,"Starting packetq collector daemon (pid:".$$.") destdir: $config{'destdir'}\n";
+
+my @tdpid;
+my @tspid;
+my $ifcnt = 0;
+foreach my $if (@interfaces)
+{
+ if ($config{'bsdpromischack'} eq "YES")
+ {
+ my $pid;
+ #my $tcpdumpcmd="$config{'tcpdump'} -i $if port 100 2>/dev/null";
+ my $tcpdumpcmd="$config{'tcpdump'} -i $if port 100";
+ $pid = spawn ($tcpdumpcmd);
+ print "tcp pid $pid";
+ if ($pid == 0)
+ {
+ syslog LOG_ERROR,"Cannot run $tcpdumpcmd exiting \n";
+ exit;
+ }
+ syslog LOG_INFO,"Keeping the interface ($if) in promisc mode by letting tcpdump ($pid) listen on port 100 \n";
+ @tdpid[$ifcnt] = $pid;
+ }
+
+ my $tracesplitcmd = $config{'tracesplit'}." pcapint:$if -s $stime -z $config{'compression_level'} -i $interval -f \"$filter\" pcapfile:$destdir/$server-$if";
+ my $tspid = spawn($tracesplitcmd);
+ print "ts pid $tspid";
+ if ($tspid == 0)
+ {
+ syslog LOG_ERROR,"Cannot run $tracesplitcmd exiting \n";
+ exit;
+ }
+ syslog LOG_INFO,"Starting tracesplit \"$tracesplitcmd\"(pid:$tspid)\n";
+ @tspid[$ifcnt] = $tspid;
+
+ $ifcnt++;
+}
+
+########## infinite loop
+reaper();
+
+while($keep_going == 1)
+{
+ foreach my $if (@interfaces)
+ {
+ opendir(DIR, $destdir) or last;
+ my @files;
+
+ while (my $file = readdir(DIR))
+ {
+ # Use a regular expression to ignore files beginning with a period
+ next if ($file =~ m/^\./);
+ next unless ($file =~ m/^$server-$if.*/);
+ push(@files,$file);
+ }
+ @files= sort(@files);
+ if (@files>1)
+ {
+ pop @files;
+ #print "files: \n".join("\n",@files)."\n";
+ foreach my $f (@files)
+ {
+ if($f =~ /^$server-$if-(.*)\.gz/)
+ {
+ ##my ($sec, $min, $hour, $day,$month,$year) = (localtime($1))[0,1,2,3,4,5,6];
+ my ($sec, $min, $hour, $day,$month,$year) = (gmtime($1))[0,1,2,3,4,5,6];
+ $year+=1900;
+ $month++;
+ $sec = "0".$sec if $sec <10;
+ $min = "0".$min if $min <10;
+ $hour = "0".$hour if $hour <10;
+ $day = "0".$day if $day <10;
+ $month = "0".$month if $month<10;
+
+ my $file = "$server-$year$month$day-$hour$min$sec-$if.pcap.gz";
+ my $dir = "$year/$month/$day/$hour";
+ my $cmd = $config{command};
+ $cmd =~ s/%F/$file/g;
+ $cmd =~ s/%S/$server/g;
+ $cmd =~ s/%I/$if/g;
+ $cmd =~ s/%P/$dir/g;
+ $cmd =~ s/%Y/$year/g;
+ $cmd =~ s/%M/$month/g;
+ $cmd =~ s/%D/$day/g;
+ $cmd =~ s/%h/$hour/g;
+ $cmd =~ s/%m/$min/g;
+ $cmd =~ s/%s/$sec/g;
+
+ #print "$cmd\n";
+
+ mkpath "$destdir/$dir";
+ move ("$destdir/$f","$destdir/$dir/$file");
+ spawn($cmd);
+ #print "hello $hour, $min, $sec,-- $day,$month,$year\n";
+ #print "mkdir $dir\n";
+ #print "mv $destdir/$f $destdir/$dir/$file\n";
+ }
+ }
+ }
+ closedir(DIR);
+ }
+ #printf("blipp\n");
+ sleep(5);
+}
+
+########## exit cleanup
+
+syslog 'info',"Shutting down collector ...\n";
+foreach my $pid (@tspid)
+{
+ if ($pid ne 0)
+ {
+ print "Stopping tracesplit ($pid)\n";
+ syslog LOG_INFO,"Stopping tracesplit ($pid)\n";
+ kill( - SIGABRT, $pid);
+ }
+}
+
+foreach my $pid (@tdpid)
+{
+ if ($pid ne 0)
+ {
+ syslog LOG_INFO,"Stopping tcpdump ($pid)\n";
+ kill( - SIGABRT, $pid);
+ }
+}
+
+syslog LOG_INFO,"removing pidfile\n";
+unlink($pidfile);
+
+syslog LOG_INFO,"bye bye\n";
+closelog;
+exit;
+
+########## functions
+
+sub spawn
+{
+ my $cmd = shift;
+ defined(my $pid = fork) or die "Can't fork: $!";
+ if ($pid == 0)
+ {
+ exec $cmd;
+ syslog LOG_ERROR,"Couldn't run $cmd\n";
+ die "Couldn't run $cmd";
+ }
+ return $pid;
+}
+
+sub daemonize
+{
+ chdir '/' or die "Can't chdir to /: $!";
+ defined(my $pid = fork) or die "Can't fork: $!";
+ exit if $pid;
+ setsid or die "Can't start a new session: $!";
+ umask 0;
+
+ open STDIN, '/dev/null' or die "Can't read /dev/null: $!";
+ open STDOUT, ">>$logfile" or die "Can't write to $logfile: $!";
+ open STDERR, ">>$logfile" or die "Can't write to $logfile: $!";
+}
+
+sub reaper {
+ my $stiff;
+ while ( ($stiff = waitpid(-1, &WNOHANG) ) > 0 )
+ {
+ #print "child $stiff terminated -- status $?";
+ }
+ $SIG{CHLD} = \&reaper;
+}
+
+
-- cgit v1.2.3
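Review bot: daemonize() sets `umask 0;` and runs before the pid file is written with `open FILE, ">$pidfile"`, so the pid file, every directory mkpath creates under $destdir and the capture files written by the spawned tracesplit children (which inherit the umask) are created world-writable and world-readable; a later `pq_tracesplit.pl stop` then trusts whatever pid the file holds and sends SIGQUIT to that pid's whole process group, so change it to `umask 022;` (or `umask 077;` if the DNS captures should stay private to the collector). The pid read in the `-e $pidfile` block is never chomped and `$pidfromfile =~ /[0-9]+/` is unanchored, so non-numeric content numifies to 0 and, as far as I can tell, `kill( 0, ...)` and `kill( - SIGQUIT, ...)` then address the invoker's own process group; `chomp(my $pidfromfile = readline(PFILE));` with `if ($pidfromfile =~ /\A\d+\z/ && kill 0, $pidfromfile)` fixes both (the rendered hunk has also dropped the angle-bracket readline operators in `while ()` and `my $pidfromfile = ;`). `open(CONFIG,$conffile)`, `open (PFILE, $pidfile)` and `open FILE, ">$pidfile"` are two-argument opens, which treat a leading `|`, `>` or `<` in the path as a mode, and the PFILE open is unchecked; use the three-argument form, e.g. `open my $pfh, '<', $pidfile or die "open $pidfile: $!";`. `LOG_ERROR` is not a Sys::Syslog level name (the constant is `LOG_ERR`), so under `no strict "subs"` the failure branches in spawn() and in the interface loop pass a bareword string that Sys::Syslog does not recognise instead of logging at error level. spawn() hands each command to `exec` as a single string, so the config values `command`, `tracesplit`, `tcpdump` and `filter` are shell-interpreted; the usage header should state that the config file must be writable only by the account running the daemon, since the sample `command` already relies on shell quoting.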