This patch adds support for custom http logging using a format syntax inspired by Apache mod_log_config. The following commented out example is added to the suricata.yaml configuration file.<br><br>#custom: yes # enabled the custom logging format (defined by customformat)<br>
#customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" <br><br>I have left the previous code of log_httplog almost untouched and by default suricata will behave as usual using the old format. <br>
<br>The new format is only activated if "custom: yes" is specified in the configuration file.<br><br>In addition to %h, %H, %m, %u, %i, %C, %s, %o and %B, which behave almost as described by mod_log_config (<a href="http://httpd.apache.org/docs/2.0/mod/mod_log_config.html" target="_blank">http://httpd.apache.org/docs/2.0/mod/mod_log_config.html</a>), I have added %z, %a, %p, %A and %P for the high-precision time, IPs and ports.<br>
<br><br>---<br>
src/log-httplog.c | 323 ++++++++++++++++++++++++++++++<div>++++++++++++++++-------<br>
<a href="http://suricata.yaml.in/" target="_blank">suricata.yaml.in</a> | 2 +<br>
2 files changed, 282 insertions(+), 43 deletions(-)<br>
<br>
diff --git a/src/log-httplog.c b/src/log-httplog.c<br>
index aeeea50..bf5056c 100644<br>
--- a/src/log-httplog.c<br>
+++ b/src/log-httplog.c<br>
@@ -19,6 +19,7 @@<br>
* \file<br>
*<br>
* \author Victor Julien <<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>><br>
+ * \author Ignacio Sanchez <<a href="mailto:sanchezmartin.ji@gmail.com" target="_blank">sanchezmartin.ji@gmail.com</a>><br>
*<br>
* Implements http logging portion of the engine.<br>
*/<br>
@@ -96,13 +97,44 @@ void TmModuleLogHttpLogIPv6Register (void) {<br>
tmm_modules[TMM_LOGHTTPLOG6].RegisterTests = NULL;<br>
}<br>
<br>
+#define LOG_HTTP_MAXN_NODES 64<br>
+#define LOG_HTTP_NODE_STRLEN 256<br>
+<br>
+#define TIMESTAMP_DEFAULT_FORMAT "%b %d, %Y; %H:%M:%S"<br>
+#define LOG_HTTP_CF_NONE "-"<br>
+#define LOG_HTTP_CF_LITERAL '%'<br>
+#define LOG_HTTP_CF_REQUEST_HOST 'h'<br>
+#define LOG_HTTP_CF_REQUEST_PROTOCOL 'H'<br>
+#define LOG_HTTP_CF_REQUEST_METHOD 'm'<br>
+#define LOG_HTTP_CF_REQUEST_URI 'u'<br>
+#define LOG_HTTP_CF_REQUEST_TIME 't'<br>
+#define LOG_HTTP_CF_REQUEST_HEADER 'i'<br>
+#define LOG_HTTP_CF_REQUEST_COOKIE 'C'<br>
+#define LOG_HTTP_CF_RESPONSE_STATUS 's'<br>
+#define LOG_HTTP_CF_RESPONSE_HEADER 'o'<br>
+#define LOG_HTTP_CF_RESPONSE_LEN 'B'<br>
+#define LOG_HTTP_CF_TIMESTAMP 't'<br>
+#define LOG_HTTP_CF_TIMESTAMP_U 'z'<br>
+#define LOG_HTTP_CF_CLIENT_IP 'a'<br>
+#define LOG_HTTP_CF_SERVER_IP 'A'<br>
+#define LOG_HTTP_CF_CLIENT_PORT 'p'<br>
+#define LOG_HTTP_CF_SERVER_PORT 'P'<br>
+<br>
+typedef struct LogHttpCustomFormatNode_ {<br>
+ uint32_t type; /** Node format type. ie: LOG_HTTP_CF_LITERAL, LOG_HTTP_CF_REQUEST_HEADER */<br>
+ char data[LOG_HTTP_NODE_STRLEN]; /** optional data. ie: http header name */<br>
+} LogHttpCustomFormatNode;<br>
+<br>
typedef struct LogHttpFileCtx_ {<br>
LogFileCtx *file_ctx;<br>
uint32_t flags; /** Store mode */<br>
+ uint32_t cf_n; /** Total number of custom string format nodes */<br>
+ LogHttpCustomFormatNode *cf_nodes[LOG_HTTP_MAXN_NODES]; /** Array of custom format string nodes */<br>
} LogHttpFileCtx;<br>
<br>
#define LOG_HTTP_DEFAULT 0<br>
#define LOG_HTTP_EXTENDED 1<br>
+#define LOG_HTTP_CUSTOM 2<br>
<br>
typedef struct LogHttpLogThread_ {<br>
LogHttpFileCtx *httplog_ctx;<br>
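Review bot: `LOG_HTTP_CF_REQUEST_TIME` and `LOG_HTTP_CF_TIMESTAMP` are both defined as `'t'`, so the two names can never both be used as case labels and one of them is dead; I would drop `LOG_HTTP_CF_REQUEST_TIME`. `LOG_HTTP_CF_REQUEST_COOKIE` (`'C'`) is defined here and listed in the description, but the switch added in LogHttpLogCustom has no case for it, so `%C` would print nothing. A short comment above the defines, e.g. `/* customformat directive characters; stored as-is in LogHttpCustomFormatNode.type */`, would make clear that `type` holds the raw directive character taken from the configuration string.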
@@ -122,6 +154,149 @@ static void CreateTimeString (const struct timeval *ts, char *str, size_t size)<br>
t->tm_min, t->tm_sec, (uint32_t) ts->tv_usec);<br>
}<br>
<br>
+/* Custom format logging */<br>
+static void LogHttpLogCustom(LogHttpLogThread *aft, htp_tx_t *tx, const struct timeval *ts, char *srcip, Port sp, char *dstip, Port dp){<br>
+ LogHttpFileCtx *httplog_ctx = aft->httplog_ctx;<br>
+ uint32_t i;<br>
+ char buf[128];<br>
+<br>
+ htp_header_t *h_request_hdr = NULL;<br>
+ htp_header_t *h_response_hdr = NULL;<br>
+<br>
+ time_t time = ts->tv_sec;<br>
+ struct tm local_tm;<br>
+ struct tm *timestamp = (struct tm *)SCLocalTime(time, &local_tm);<br>
+<br>
+<br>
+ for (i=0; i<httplog_ctx->cf_n; i++) {<br>
+ switch (httplog_ctx->cf_nodes[i]->type){<br>
+ case LOG_HTTP_CF_LITERAL:<br>
+ /* LITERAL */<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer,
&aft->buffer->offset, aft->buffer->size, (uint8_t
*)httplog_ctx->cf_nodes[i]->data,strlen(httplog_ctx->cf_nodes[i]->data));<br>
+ break;<br>
+ case LOG_HTTP_CF_TIMESTAMP:<br>
+ /* TIMESTAMP */<br>
+ if (httplog_ctx->cf_nodes[i]->data=='\0') {<br>
+ strftime(buf,62,TIMESTAMP_DEFAULT_FORMAT, timestamp);<br>
+ } else {<br>
+ strftime(buf,62,httplog_ctx->cf_nodes[i]->data, timestamp);<br>
+ }<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer,
&aft->buffer->offset, aft->buffer->size, (uint8_t
*)buf,strlen(buf));<br>
+ break;<br>
+ case LOG_HTTP_CF_TIMESTAMP_U:<br>
+ /* TIMESTAMP USECONDS */<br>
+ snprintf(buf,62,"%06u", (unsigned int) ts->tv_usec);<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer,
&aft->buffer->offset, aft->buffer->size, (uint8_t
*)buf,strlen(buf));<br>
+ break;<br>
+ case LOG_HTTP_CF_CLIENT_IP:<br>
+ /* CLIENT IP ADDRESS */<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer,
&aft->buffer->offset, aft->buffer->size, (uint8_t
*)srcip,strlen(srcip));<br>
+ break;<br>
+ case LOG_HTTP_CF_SERVER_IP:<br>
+ /* SERVER IP ADDRESS */<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer,
&aft->buffer->offset, aft->buffer->size, (uint8_t
*)dstip,strlen(dstip));<br>
+ break;<br>
+ case LOG_HTTP_CF_CLIENT_PORT:<br>
+ /* CLIENT PORT */<br>
+ MemBufferWriteString(aft->buffer,"%" PRIu16 "",sp);<br>
+ break;<br>
+ case LOG_HTTP_CF_SERVER_PORT:<br>
+ /* SERVER PORT */<br>
+ MemBufferWriteString(aft->buffer,"%" PRIu16 "",dp);<br>
+ break;<br>
+ case LOG_HTTP_CF_REQUEST_METHOD:<br>
+ /* METHOD */<br>
+ if (tx->request_method != NULL) {<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer,
&aft->buffer->offset, aft->buffer->size, (uint8_t
*)bstr_ptr(tx->request_method), bstr_len(tx->request_method));<br>
+ } else {<br>
+ MemBufferWriteString(aft->buffer, LOG_HTTP_CF_NONE);<br>
+ }<br>
+ break;<br>
+ case LOG_HTTP_CF_REQUEST_URI:<br>
+ /* URI */<br>
+ if (tx->request_uri != NULL) {<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer,
&aft->buffer->offset, aft->buffer->size, (uint8_t
*)bstr_ptr(tx->request_uri), bstr_len(tx->request_uri));<br>
+ } else {<br>
+ MemBufferWriteString(aft->buffer, LOG_HTTP_CF_NONE);<br>
+ }<br>
+ break;<br>
+ case LOG_HTTP_CF_REQUEST_HOST:<br>
+ /* HOSTNAME */<br>
+ if (tx->parsed_uri != NULL &&<br>
+ tx->parsed_uri->hostname != NULL)<br>
+ {<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer,
&aft->buffer->offset, aft->buffer->size, (uint8_t
*)bstr_ptr(tx->parsed_uri->hostname), bstr_len(tx->parsed_uri->hostname));<br>
+ } else {<br>
+ MemBufferWriteString(aft->buffer, LOG_HTTP_CF_NONE);<br>
+ }<br>
+ break;<br>
+ case LOG_HTTP_CF_REQUEST_PROTOCOL:<br>
+ /* PROTOCOL */<br>
+ if (tx->request_protocol != NULL) {<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,<br>
+ (uint8_t *)bstr_ptr(tx->request_protocol),<br>
+ bstr_len(tx->request_protocol));<br>
+ } else {<br>
+ MemBufferWriteString(aft->buffer, LOG_HTTP_CF_NONE);<br>
+ }<br>
+ break;<br>
+ case LOG_HTTP_CF_REQUEST_HEADER:<br>
+ /* REQUEST HEADER */<br>
+ if (tx->request_headers != NULL) {<br>
+ h_request_hdr = table_getc(tx->request_headers, httplog_ctx->cf_nodes[i]->data);<br>
+ }<br>
+ if (h_request_hdr != NULL) {<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,<br>
+ (uint8_t *)bstr_ptr(h_request_hdr->value),<br>
+ bstr_len(h_request_hdr->value));<br>
+ } else {<br>
+ MemBufferWriteString(aft->buffer, LOG_HTTP_CF_NONE);<br>
+ }<br>
+ break;<br>
+ case LOG_HTTP_CF_RESPONSE_STATUS:<br>
+ /* RESPONSE STATUS */<br>
+ if (tx->response_status != NULL) {<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,<br>
+ (uint8_t *)bstr_ptr(tx->response_status),<br>
+ bstr_len(tx->response_status));<br>
+ /* Redirect? */<br>
+ if ((tx->response_status_number > 300) && ((tx->response_status_number) < 303)) {<br>
+ htp_header_t *h_location = table_getc(tx->response_headers, "location");<br>
+ if (h_location != NULL) {<br>
+ MemBufferWriteString(aft->buffer, "(");<br>
+<br>
+ PrintRawUriBuf((char
*)aft->buffer->buffer, &aft->buffer->offset,
aft->buffer->size,<br>
+ (uint8_t *)bstr_ptr(h_location->value),<br>
+ bstr_len(h_location->value));<br>
+ MemBufferWriteString(aft->buffer, ")");<br>
+ }<br>
+ }<br>
+ } else {<br>
+ MemBufferWriteString(aft->buffer, LOG_HTTP_CF_NONE);<br>
+ }<br>
+ break;<br>
+ case LOG_HTTP_CF_RESPONSE_HEADER:<br>
+ /* RESPONSE HEADER */<br>
+ if (tx->response_headers != NULL) {<br>
+ h_response_hdr = table_getc(tx->response_headers, httplog_ctx->cf_nodes[i]->data);<br>
+ }<br>
+ if (h_response_hdr != NULL) {<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,<br>
+ (uint8_t *)bstr_ptr(h_response_hdr->value),<br>
+ bstr_len(h_response_hdr->value));<br>
+ } else {<br>
+ MemBufferWriteString(aft->buffer, LOG_HTTP_CF_NONE);<br>
+ }<br>
+ break;<br>
+ case LOG_HTTP_CF_RESPONSE_LEN:<br>
+ /* RESPONSE LEN */<br>
+ MemBufferWriteString(aft->buffer, "%"PRIuMAX"", (uintmax_t)tx->response_message_len);<br>
+ break;<br>
+ }<br>
+ }<br>
+ MemBufferWriteString(aft->buffer, "\n");<br>
+}<br>
+<br>
static void LogHttpLogExtended(LogHttpLogThread *aft, htp_tx_t *tx)<br>
{<br>
MemBufferWriteString(aft->buffer, " [**] ");<br>
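Review bot: In the `LOG_HTTP_CF_TIMESTAMP` case the test `httplog_ctx->cf_nodes[i]->data=='\0'` compares the address of the `data` array with a null pointer constant, so it is never true and `TIMESTAMP_DEFAULT_FORMAT` is never used; it should read `if (httplog_ctx->cf_nodes[i]->data[0] == '\0') {`. As written, a plain `%t` passes an empty format to strftime() and logs an empty timestamp. When a configured format expands past the 62-byte limit strftime() returns 0 and leaves `buf` indeterminate, which the following `strlen(buf)` then reads, so the return value should be checked and `buf[0] = '\0'` set on 0 (and `sizeof(buf)` used instead of the literal 62). The redirect branch also calls `table_getc(tx->response_headers, "location")` without the `tx->response_headers != NULL` check that the `LOG_HTTP_CF_RESPONSE_HEADER` case performs. The switch has no `default:`, so unknown directive characters are dropped silently.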
@@ -280,50 +455,54 @@ static TmEcode LogHttpLogIPWrapper(ThreadVars *tv, Packet *p, void *data, Packet<br>
/* reset */<br>
MemBufferReset(aft->buffer);<br>
<br>
- /* time */<br>
- MemBufferWriteString(aft->buffer, "%s ", timebuf);<br>
-<br>
- /* hostname */<br>
- if (tx->parsed_uri != NULL &&<br>
- tx->parsed_uri->hostname != NULL)<br>
- {<br>
- PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,<br>
- (uint8_t *)bstr_ptr(tx->parsed_uri->hostname),<br>
- bstr_len(tx->parsed_uri->hostname));<br>
+ if (hlog->flags & LOG_HTTP_CUSTOM) {<br>
+ LogHttpLogCustom(aft, tx, &p->ts, srcip, sp, dstip, dp);<br>
} else {<br>
- MemBufferWriteString(aft->buffer, "<hostname unknown>");<br>
- }<br>
- MemBufferWriteString(aft->buffer, " [**] ");<br>
+ /* time */<br>
+ MemBufferWriteString(aft->buffer, "%s ", timebuf);<br>
<br>
- /* uri */<br>
- if (tx->request_uri != NULL) {<br>
- PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,<br>
- (uint8_t *)bstr_ptr(tx->request_uri),<br>
- bstr_len(tx->request_uri));<br>
- }<br>
- MemBufferWriteString(aft->buffer, " [**] ");<br>
+ /* hostname */<br>
+ if (tx->parsed_uri != NULL &&<br>
+ tx->parsed_uri->hostname != NULL)<br>
+ {<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,<br>
+ (uint8_t *)bstr_ptr(tx->parsed_uri->hostname),<br>
+ bstr_len(tx->parsed_uri->hostname));<br>
+ } else {<br>
+ MemBufferWriteString(aft->buffer, "<hostname unknown>");<br>
+ }<br>
+ MemBufferWriteString(aft->buffer, " [**] ");<br>
<br>
- /* user agent */<br>
- htp_header_t *h_user_agent = NULL;<br>
- if (tx->request_headers != NULL) {<br>
- h_user_agent = table_getc(tx->request_headers, "user-agent");<br>
- }<br>
- if (h_user_agent != NULL) {<br>
- PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,<br>
- (uint8_t *)bstr_ptr(h_user_agent->value),<br>
- bstr_len(h_user_agent->value));<br>
- } else {<br>
- MemBufferWriteString(aft->buffer, "<useragent unknown>");<br>
- }<br>
- if (hlog->flags & LOG_HTTP_EXTENDED) {<br>
- LogHttpLogExtended(aft, tx);<br>
- }<br>
+ /* uri */<br>
+ if (tx->request_uri != NULL) {<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,<br>
+ (uint8_t *)bstr_ptr(tx->request_uri),<br>
+ bstr_len(tx->request_uri));<br>
+ }<br>
+ MemBufferWriteString(aft->buffer, " [**] ");<br>
<br>
- /* ip/tcp header info */<br>
- MemBufferWriteString(aft->buffer,<br>
- " [**] %s:%" PRIu16 " -> %s:%" PRIu16 "\n",<br>
- srcip, sp, dstip, dp);<br>
+ /* user agent */<br>
+ htp_header_t *h_user_agent = NULL;<br>
+ if (tx->request_headers != NULL) {<br>
+ h_user_agent = table_getc(tx->request_headers, "user-agent");<br>
+ }<br>
+ if (h_user_agent != NULL) {<br>
+ PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,<br>
+ (uint8_t *)bstr_ptr(h_user_agent->value),<br>
+ bstr_len(h_user_agent->value));<br>
+ } else {<br>
+ MemBufferWriteString(aft->buffer, "<useragent unknown>");<br>
+ }<br>
+ if (hlog->flags & LOG_HTTP_EXTENDED) {<br>
+ LogHttpLogExtended(aft, tx);<br>
+ }<br>
<br>
+ /* ip/tcp header info */<br>
+ MemBufferWriteString(aft->buffer,<br>
+ " [**] %s:%" PRIu16 " -> %s:%" PRIu16 "\n",<br>
+ srcip, sp, dstip, dp);<br>
+ }<br>
+<br>
aft->uri_cnt ++;<br>
<br>
SCMutexLock(&hlog->file_ctx->fp_mutex);<br>
@@ -430,6 +609,8 @@ void LogHttpLogExitPrintStats(ThreadVars *tv, void *data) {<br>
OutputCtx *LogHttpLogInitCtx(ConfNode *conf)<br>
{<br>
LogFileCtx* file_ctx = LogFileNewCtx();<br>
+ const char *p, *np;<br>
+ uint32_t n;<br>
if(file_ctx == NULL) {<br>
SCLogError(SC_ERR_HTTP_LOG_GENERIC, "couldn't create new file_ctx");<br>
return NULL;<br>
@@ -448,18 +629,70 @@ OutputCtx *LogHttpLogInitCtx(ConfNode *conf)<br>
memset(httplog_ctx, 0x00, sizeof(LogHttpFileCtx));<br>
<br>
httplog_ctx->file_ctx = file_ctx;<br>
+ httplog_ctx->cf_n=0;<br>
<br>
const char *extended = ConfNodeLookupChildValue(conf, "extended");<br>
- if (extended == NULL) {<br>
- httplog_ctx->flags |= LOG_HTTP_DEFAULT;<br>
+ const char *custom = ConfNodeLookupChildValue(conf, "custom");<br>
+ const char *customformat = ConfNodeLookupChildValue(conf, "customformat");<br>
+<br>
+ /* If custom logging format is selected, lets parse it */<br>
+ if (custom !=NULL && customformat!=NULL && ConfValIsTrue(custom)) {<br>
+ p=customformat;<br>
+ httplog_ctx->flags |= LOG_HTTP_CUSTOM;<br>
+ for (httplog_ctx->cf_n=0; httplog_ctx->cf_n<LOG_HTTP_MAXN_NODES-1 && p && *p!='\0'; httplog_ctx->cf_n++){<br>
+ httplog_ctx->cf_nodes[httplog_ctx->cf_n]=SCMalloc(sizeof(LogHttpCustomFormatNode));<br>
+ if (*p!='%'){<br>
+ /* Literal found in format string */<br>
+ httplog_ctx->cf_nodes[httplog_ctx->cf_n]->type=LOG_HTTP_CF_LITERAL;<br>
+ np=strchr(p,'%');<br>
+ if (np==NULL){<br>
+ n=LOG_HTTP_NODE_STRLEN-1;<br>
+ np=NULL; /* End */<br>
+ }else{<br>
+ n=np-p;<br>
+ }<br>
+ strncpy(httplog_ctx->cf_nodes[httplog_ctx->cf_n]->data,p,n);<br>
+ httplog_ctx->cf_nodes[httplog_ctx->cf_n]->data[n]='\0';<br>
+ p=np;<br>
+ } else {<br>
+ /* Non Literal found in format string */<br>
+ p++;<br>
+ if (*p=='{'){ /* Simple format char */<br>
+ np=strchr(p,'}');<br>
+ if (np!=NULL && np-p>1){<br>
+ p++;<br>
+ n=np-p;<br>
+ strncpy(httplog_ctx->cf_nodes[httplog_ctx->cf_n]->data,p,n);<br>
+ httplog_ctx->cf_nodes[httplog_ctx->cf_n]->data[n]='\0';<br>
+ p=np;<br>
+ }<br>
+ p++;<br>
+ } else {<br>
+ httplog_ctx->cf_nodes[httplog_ctx->cf_n]->data[0]='\0';<br>
+ }<br>
+ httplog_ctx->cf_nodes[httplog_ctx->cf_n]->type=*p;<br>
+ if (*p=='%'){<br>
+ httplog_ctx->cf_nodes[httplog_ctx->cf_n]->type=LOG_HTTP_CF_LITERAL;<br>
+ strcpy(httplog_ctx->cf_nodes[httplog_ctx->cf_n]->data,"%");<br>
+ }<br>
+ p++;<br>
+ }<br>
+ }<br>
} else {<br>
- if (ConfValIsTrue(extended)) {<br>
- httplog_ctx->flags |= LOG_HTTP_EXTENDED;<br>
+ if (extended == NULL) {<br>
+ httplog_ctx->flags |= LOG_HTTP_DEFAULT;<br>
+ } else {<br>
+ if (ConfValIsTrue(extended)) {<br>
+ httplog_ctx->flags |= LOG_HTTP_EXTENDED;<br>
+ }<br>
}<br>
}<br>
<br>
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));<br>
if (output_ctx == NULL) {<br>
+ for (n=0; n<httplog_ctx->cf_n; n++) {<br>
+ SCFree(httplog_ctx->cf_nodes[n]);<br>
+ }<br>
LogFileFreeCtx(file_ctx);<br>
SCFree(httplog_ctx);<br>
return NULL;<br>
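Review bot: The format parser copies into the 256-byte `data` array with lengths taken straight from the configuration string: `n=np-p` in both the literal and the `%{...}` branch is never compared with `LOG_HTTP_NODE_STRLEN`, so a long literal or header name overruns the heap node in `strncpy` and again in `data[n]='\0'`. The `SCMalloc` result is dereferenced unchecked, `data` stays uninitialised when `%{` has no usable `}`, and a format that ends in `%` (or in `%{...}`) makes the final `p++` step past the terminator before the loop condition reads `*p`. I would zero each node, clamp or reject the copy length, and stop on the terminator, as sketched below. The loop also stops silently at `LOG_HTTP_MAXN_NODES-1` nodes, where a warning would tell the operator the format was cut short. LogHttpLogInitCtx starts and ends outside this hunk.

```c
for (httplog_ctx->cf_n=0; httplog_ctx->cf_n<LOG_HTTP_MAXN_NODES-1 && p && *p!='\0'; httplog_ctx->cf_n++){
    LogHttpCustomFormatNode *node = SCMalloc(sizeof(LogHttpCustomFormatNode));
    if (node == NULL) {
        /* … release the nodes built so far, file_ctx and httplog_ctx, as the output_ctx failure path does … */
        return NULL;
    }
    memset(node, 0x00, sizeof(*node)); /* data is never read uninitialised */
    httplog_ctx->cf_nodes[httplog_ctx->cf_n] = node;

    if (*p != '%') {
        /* Literal found in format string */
        size_t len;
        node->type = LOG_HTTP_CF_LITERAL;
        np = strchr(p, '%');
        len = (np == NULL) ? strlen(p) : (size_t)(np - p);
        if (len > LOG_HTTP_NODE_STRLEN - 1)
            len = LOG_HTTP_NODE_STRLEN - 1; /* truncate rather than overrun data[] */
        memcpy(node->data, p, len);
        p = np;
    } else {
        /* Non Literal found in format string */
        p++;
        if (*p == '{') {
            np = strchr(p, '}');
            if (np != NULL && np - p > 1) {
                size_t len = (size_t)(np - p - 1);
                if (len > LOG_HTTP_NODE_STRLEN - 1)
                    len = LOG_HTTP_NODE_STRLEN - 1;
                memcpy(node->data, p + 1, len);
                p = np;
            }
            p++;
        }
        if (*p == '\0') {
            /* format ends inside a directive: drop the node and stay on the terminator */
            SCFree(node);
            httplog_ctx->cf_nodes[httplog_ctx->cf_n] = NULL;
            break;
        }
        /* … unchanged: type assignment and "%%" handling … */
        p++;
    }
}
```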
@@ -476,6 +709,10 @@ OutputCtx *LogHttpLogInitCtx(ConfNode *conf)<br>
static void LogHttpLogDeInitCtx(OutputCtx *output_ctx)<br>
{<br>
LogHttpFileCtx *httplog_ctx = (LogHttpFileCtx *)output_ctx->data;<br>
+ uint32_t i;<br>
+ for (i=0; i<httplog_ctx->cf_n; i++) {<br>
+ SCFree(httplog_ctx->cf_nodes[i]);<br>
+ }<br>
LogFileFreeCtx(httplog_ctx->file_ctx);<br>
SCFree(httplog_ctx);<br>
SCFree(output_ctx);<br>
diff --git a/<a href="http://suricata.yaml.in/" target="_blank">suricata.yaml.in</a> b/<a href="http://suricata.yaml.in/" target="_blank">suricata.yaml.in</a><br>
index 7cfe24f..4daaa99 100644<br>
--- a/<a href="http://suricata.yaml.in/" target="_blank">suricata.yaml.in</a><br>
+++ b/<a href="http://suricata.yaml.in/" target="_blank">suricata.yaml.in</a><br>
@@ -71,6 +71,8 @@ outputs:<br>
filename: http.log<br>
append: yes<br>
#extended: yes # enable this for extended logging information<br>
+ #custom: yes # enabled the custom logging format (defined by customformat)<br>
+ #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"<br>
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'<br>
<br>
# a line based log to used with pcap file study.</div><br><br><br>