[Oisf-users] A few questions about logging.

Cooper F. Nelson cnelson at ucsd.edu
Mon Aug 4 17:52:01 UTC 2014


On 8/4/2014 2:11 AM, Victor Julien wrote:
> In the git master we can do per thread packet logging to separate files,
> but forwarding packets to virtual interfaces isn't possible. I guess you
> could script this using my lua output branch, but you won't get the
> performance you seek as invoking the script(s) for each packet will be
> expensive.

I can forward pcap files to a virtual interface via the "tcpreplay"
program: http://tcpreplay.synfin.net/

I haven't tried it yet, but I think I could use a named pipe for the
pcap log file and then attach tcpreplay to it to then forward packets to
a virtual interface in real-time.  This is kind of clunky and I would
prefer if I could simply attach the thread packet logging directly to a
virtual interface on the loopback device.

>> 2.  Honors stream depth and drops SSL traffic past the handshake (like
>> the pcap logs).
>>
>> 3.  Honors pass rules.  So, the logging would happen after the detect
>> process, not before.
> 
> Honoring pass rules means not logging packets after a pass rule matched
> on a flow? I can add this.

Yes exactly.  If you want I can contact you privately to discuss the
specific issue we are having.

>> The idea is that I would like to attach an indexed packet capture
>> process to each thread that in turn spools packets to a dedicated disk.
> 
> You can write per thread now.
> 
> You can also write to separate directories, so if you properly mount
> your disks, you can write to separate disks.
> 
> In pcap-log, set the mode to 'multi' and filename to something like:
> 
> filename: /storage/pcaps/%n/pcap.%t
> 
> %n will transform into the thread number (1 - 16 if you have 16
> threads). So mount your disks at /storage/pcaps/1, /storage/pcaps/2, etc.

This is great and will be a huge win for those with multi-gigabit
deployments.  Thanks so much for your work on this!

> Cheers,
> Victor
> 
>> -Coop
>>

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
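A small sanity check for the per-thread layout Victor describes above, added here as an example (my own code, not part of Suricata or of this thread): it expands %n in a pcap-log 'multi' mode filename template for each thread and reports directories that are missing, are not separate mount points, or are shared by several threads, so a multi-gigabit deployment does not silently spool every thread to one disk. The /storage/pcaps paths and the thread count are illustrative assumptions.

```python
import os

# Added example (not Suricata code): check the per-thread pcap-log layout
# for 'mode: multi' with a filename such as /storage/pcaps/%n/pcap.%t.
# %n is the thread number (1..N); %t is left alone, Suricata fills it in.


def expand_thread_dirs(template, threads):
    """Return {thread_number: directory} with %n expanded for 1..threads."""
    dirs = {}
    for n in range(1, threads + 1):
        dirs[n] = os.path.dirname(template.replace("%n", str(n)))
    return dirs


def check_thread_dirs(template, threads,
                      isdir=os.path.isdir, ismount=os.path.ismount):
    """Report per-thread problems: directory missing, not a mount point
    (several threads would land on one disk), or shared between threads
    because %n is not part of the directory portion of the template.
    isdir/ismount are injectable so the check can be exercised offline."""
    if "%n" not in template:
        # Without %n every thread resolves to the very same path.
        return {n: "template has no %n" for n in range(1, threads + 1)}
    problems = {}
    by_dir = {}
    for n, d in expand_thread_dirs(template, threads).items():
        by_dir.setdefault(d, []).append(n)
        if not isdir(d):
            problems[n] = "missing"
        elif not ismount(d):
            problems[n] = "not a mount point"
    for d, owners in by_dir.items():
        if len(owners) > 1:
            for n in owners:
                problems[n] = "shared directory " + d
    return problems


if __name__ == "__main__":
    # Constructed values for illustration; adjust to the real deployment.
    template = "/storage/pcaps/%n/pcap.%t"
    for n, why in sorted(check_thread_dirs(template, 16).items()):
        print("thread %d: %s" % (n, why))
```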