[Oisf-users] A few questions about logging.

Cooper F. Nelson cnelson at ucsd.edu
Mon Aug 4 17:52:01 UTC 2014

On 8/4/2014 2:11 AM, Victor Julien wrote:
> In the git master we can do per thread packet logging to separate files,
> but forwarding packets to virtual interfaces isn't possible. I guess you
> could script this using my lua output branch, but you won't get the
> performance you seek as invoking the script(s) for each packet will be
> expensive.

I can forward pcap files to a virtual interface via the "tcpreplay"
program: http://tcpreplay.synfin.net/

I haven't tried it yet, but I think I could use a named pipe for the
pcap log file and then attach tcpreplay to it to then forward packets to
a virtual interface in real-time.  This is kind of clunky and I would
prefer if I could simply attach the thread packet logging directly to a
virtual interface on the loopback device.

>> 2.  Honors stream depth and drops SSL traffic past the handshake (like
>> the pcap logs).
>> 3.  Honors pass rules.  So, the logging would happen after the detect
>> process, not before.
> Honoring pass rules means not logging packets after a pass rule matched
> on a flow? I can add this.

Yes exactly.  If you want I can contact you privately to discuss the
specific issue we are having.

>> The idea is that I would like to attach an indexed packet capture
>> process to each thread that in turn spools packets to a dedicated disk.
> You can write per thread now.
> You can also write to separate directories, so if you properly mount
> your disks, you can write to separate disks.
> In pcap-log, set the mode to 'multi' and filename to something like:
> filename: /storage/pcaps/%n/pcap.%t
> %n will transform into the thread number (1 - 16 if you have 16
> threads). So mount your disks at /storage/pcaps/1, /storage/pcaps/2, etc.

This is great and will be a huge win for those with multi-gigabit
deployments.  Thanks so much for your work on this!

> Cheers,
> Victor
>> -Coop

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
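The per-thread layout described in the quoted reply (pcap-log mode 'multi' with %n and %t in the filename) only spreads I/O if each %n directory really is a separate disk. As an added example that is neither from this list nor from Suricata itself, the following Python check expands the template for a given thread count and reports directories that are missing or share a block device; it assumes %n is the 1-based thread number and %t a Unix timestamp, and handles no other template tokens.

```python
import os
import time
from collections import defaultdict

# Added example (not Suricata code): expand a pcap-log 'multi' mode
# filename template and verify that each per-thread directory exists
# and lives on its own block device. Assumed token meanings, taken
# from the thread: %n = thread number (1-based), %t = Unix timestamp.

def expand_template(template, thread_count, timestamp=None):
    """Return the concrete log path each thread would write to."""
    if timestamp is None:
        timestamp = int(time.time())
    paths = []
    for n in range(1, thread_count + 1):
        path = template.replace("%n", str(n)).replace("%t", str(timestamp))
        paths.append(path)
    return paths

def shared_devices(paths):
    """Map st_dev -> log directories on that device, keeping only problems.

    A directory that does not exist is filed under the key None so the
    caller can create or mount it; an existing device is reported only
    when more than one thread directory sits on it.
    """
    by_dev = defaultdict(list)
    for path in paths:
        directory = os.path.dirname(path)
        if not os.path.isdir(directory):
            by_dev[None].append(directory)
            continue
        by_dev[os.stat(directory).st_dev].append(directory)
    return {dev: dirs for dev, dirs in by_dev.items()
            if dev is None or len(dirs) > 1}

def check_layout(template, thread_count):
    """True when every thread directory exists and is on its own device."""
    problems = shared_devices(expand_template(template, thread_count))
    for dev, dirs in problems.items():
        if dev is None:
            print("missing directories:", ", ".join(dirs))
        else:
            print("same device (%d):" % dev, ", ".join(dirs))
    return not problems

if __name__ == "__main__":
    # Constructed layout matching the thread: 16 threads, one disk each.
    check_layout("/storage/pcaps/%n/pcap.%t", 16)
```

Run it after mounting the disks and before starting Suricata; a False result means some threads would contend for the same spindle or the directory is not there yet.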