Gentoo Forums
ulogd and packet capture[ SOLVED]
upengan78
l33t
Joined: 27 Jun 2007
Posts: 711
Location: IL

Posted: Tue Dec 04, 2012 6:47 pm    Post subject: ulogd and packet capture [SOLVED]

Hello,

So, I unmasked the newest ulogd in the excitement of using it for some packet capturing, with the capture written into /var/log/ulog.pcap, but currently it's not working for me.

Code:
[I] app-admin/ulogd
     Available versions:  1.23-r1 ~1.24-r2 (~)2.0.0_beta4 {{doc mysql pcap postgres sqlite}}
     Installed versions:  2.0.0_beta4(11:14:16 AM 12/04/2012)(pcap -doc -mysql -postgres)
     Homepage:            http://netfilter.org/projects/ulogd/index.html
     Description:         A userspace logging daemon for netfilter/iptables related logging


/etc/ulogd.conf
Code:

[global]
logfile="/var/log/ulogd.log"
loglevel=1
plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib64/ulogd/ulogd_inppkt_ULOG.so"
plugin="/usr/lib64/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib64/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTFLOW.so"
plugin="/usr/lib64/ulogd/ulogd_filter_MARK.so"
plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib64/ulogd/ulogd_output_SYSLOG.so"
plugin="/usr/lib64/ulogd/ulogd_output_OPRINT.so"
plugin="/usr/lib64/ulogd/ulogd_output_NACCT.so"
plugin="/usr/lib64/ulogd/ulogd_output_PCAP.so"
plugin="/usr/lib64/ulogd/ulogd_output_DBI.so"
plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log2:NFLOG,mark1:MARK,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
stack=ct1:NFCT,op1:OPRINT
stack=log2:NFLOG,base1:BASE,pcap1:PCAP
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL
stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL
stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL
stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT
[ct1]
[ct2]
hash_enable=0
[log1]
group=0
[log2]
group=1 # Group has to be different from the one use in log1
[log3]
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1 # you can label the log info based on the packet verdict
[ulog1]
nlgroup=1
[emu1]
file="/var/log/iptables.log"
sync=1
[op1]
file="/var/log/ulogd_oprint.log"
sync=1
[xml1]
directory="/var/log/"
sync=1
[pcap1]
file="/var/log/ulogd.pcap"
sync=1
[mysql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_PACKET_FULL"
[mysql2]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_CT"
[pgsql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_PACKET_FULL"
[pgsql2]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
pass="changeme"
procedure="INSERT_CT"
[pgsql3]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
pass="changeme"
procedure="INSERT_OR_REPLACE_CT"
[dbi1]
db="ulog2"
dbtype="pgsql"
host="localhost"
user="ulog2"
table="ulog"
pass="ulog2"
procedure="INSERT_PACKET_FULL"
[sys2]
facility=LOG_LOCAL2
[nacct1]
sync = 1
[mark1]
mark = 1



/var/log/ulogd.log http://pastebin.ca/2289402


iptables -L -nv | grep LOG <-- just to show that there are chains/rules configured to use ULOG
Code:

 8719 2152K LOGNDROP   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 15/min burst 5 LOG flags 0 level 4 prefix "BADFLAGS: "
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 queue_threshold 1
Chain LOGNDROP (1 references)
  458  113K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 15/min burst 5 LOG flags 0 level 4 prefix "DENIED: "
    0     0 ULOG       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1:9999 ULOG copy_range 0 nlgroup 1 queue_threshold 1
    0     0 ULOG       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 ULOG copy_range 0 nlgroup 1 queue_threshold 1
    0     0 ULOG       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 ULOG copy_range 0 nlgroup 1 queue_threshold 1


Can someone please help to get pcap working with ulogd?


Last edited by upengan78 on Tue Dec 04, 2012 10:55 pm; edited 1 time in total
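The first post shows the mismatch that the follow-up post resolves: the PCAP stack is fed by an NFLOG input (log2, group 1), while every iptables rule uses the ULOG target with nlgroup 1, so no packet ever reaches pcap1. The script below, added here as an example and not part of the thread or of ulogd, automates that comparison: it reads the stack lines and input sections of a ulogd.conf excerpt, reads `iptables -L -nv` output, and reports every stack whose input plugin no rule delivers to. The config and rule lines embedded in it are constructed excerpts modelled on the post; the function and constant names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the poster's /etc/ulogd.conf (stack lines and the
# input/output sections that matter); not the full file from the post.
ULOGD_CONF = """
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log2:NFLOG,base1:BASE,pcap1:PCAP
[log1]
group=0
[log2]
group=1 # Group has to be different from the one use in log1
[ulog1]
nlgroup=1
[pcap1]
file="/var/log/ulogd.pcap"
sync=1
"""

# Constructed `iptables -L -nv` lines: a ULOG rule as in the first post, then an
# NFLOG rule as in the follow-up.
RULES_BEFORE = """
    0     0 ULOG       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1:9999 ULOG copy_range 0 nlgroup 1 queue_threshold 1
"""
RULES_AFTER = """
    6   360 NFLOG      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1:9999 nflog-group 1 nflog-range 100
"""

# Which config key carries the netlink group for each packet input plugin.
GROUP_KEY = {"NFLOG": "group", "ULOG": "nlgroup"}


def parse_ulogd_conf(conf):
    """Return (stacks, sections). Each stack is an ordered list of (instance, plugin)
    pairs; sections maps instance name -> {key: value} with '# ...' comments dropped."""
    stacks, sections, current = [], defaultdict(dict), None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("stack="):
            stacks.append([tuple(p.split(":", 1)) for p in line[len("stack="):].split(",")])
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value.strip('"')
    return stacks, sections


def parse_rules(listing):
    """Extract the set of (target, group) pairs present in `iptables -L -nv` output."""
    fed = set()
    for line in listing.splitlines():
        m = re.search(r"\bNFLOG\b.*\bnflog-group (\d+)", line)
        if m:
            fed.add(("NFLOG", int(m.group(1))))
        m = re.search(r"\bULOG\b.*\bnlgroup (\d+)", line)
        if m:
            fed.add(("ULOG", int(m.group(1))))
    return fed


def unfed_stacks(conf, listing):
    """Describe every stack whose input plugin no rule delivers packets to.
    Stacks on NFCT or other non-packet inputs, and inputs whose group key is not
    set explicitly, are skipped rather than guessed."""
    stacks, sections = parse_ulogd_conf(conf)
    fed = parse_rules(listing)
    problems = []
    for stack in stacks:
        instance, plugin = stack[0]
        key = GROUP_KEY.get(plugin)
        if key is None or key not in sections[instance]:
            continue
        group = int(sections[instance][key])
        if (plugin, group) not in fed:
            out_instance, out_plugin = stack[-1]
            problems.append(f"{instance}:{plugin} group {group} feeds "
                            f"{out_instance}:{out_plugin} but no rule targets it")
    return problems


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(label)
        for problem in unfed_stacks(ULOGD_CONF, rules):
            print("  ", problem)
```

Run against the "before" rules it flags `log2:NFLOG group 1 feeds pcap1:PCAP`, which is exactly the poster's symptom; against the "after" rules the PCAP stack is satisfied and the now-orphaned ULOG stack is reported instead. On a live box, feed it the real `/etc/ulogd.conf` and the output of `iptables -L -nv` (and `ip6tables -L -nv` if IPv6 rules exist).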
upengan78

Posted: Tue Dec 04, 2012 10:54 pm

Update:


I noted that in the ulogd.conf file, the stack line for PCAP states that it is using NFLOG, not ULOG.

Code:
stack=log2:NFLOG,base1:BASE,pcap1:PCAP



So, I added the below to my iptables after making sure I had CONFIG_NETFILTER_XT_TARGET_NFLOG=m in .config and the modules compiled/installed.

Code:

iptables -L -nv | grep NFLOG
    0     0 NFLOG      all  --  *      *       0.0.0.0/0            0.0.0.0/0            nflog-group 1 nflog-range 100
    6   360 NFLOG      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1:9999 nflog-group 1 nflog-range 100
    0     0 NFLOG      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 nflog-group 1 nflog-range 100
    0     0 NFLOG      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 nflog-group 1 nflog-range 100


tail -f /var/log/ulogd.pcap | tcpdump -r - -qtnp
Code:
reading from file -, link-type RAW (Raw IP)
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0



I telnetted from another machine to my machine, and I see /var/log/ulogd.pcap is getting written fine now. Those 6 packets for dpts:1:9999 appeared as a result of that.

Sorry for not posting my full iptables rules. I know the grep doesn't really help with iptables chains/rules when there are multiple chains, but the part that matters is what I pasted here.

Thanks.
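The tcpdump run above reports `link-type RAW (Raw IP)`, meaning the PCAP output plugin writes bare IP packets with no Ethernet header, and the rules use `nflog-range 100`, so anything longer than 100 bytes is stored truncated. The parser below, an added example rather than code from the thread or from ulogd, reads such a file without libpcap, prints each record in the `tcpdump -qtn` style seen in the post, and flags records whose captured length is shorter than the original. Assumptions: the file is a classic pcap (not pcapng), the link type is DLT_RAW as Linux libpcap numbers it (12) or the portable LINKTYPE_RAW (101), and the sample packets embedded in it are constructed with zeroed checksums, not captured data.

```python
import struct
import ipaddress

# Link-type values tcpdump reports as "RAW (Raw IP)": DLT_RAW from Linux libpcap
# (12) and the portable LINKTYPE_RAW (101). Assumption: ulogd's PCAP output uses
# DLT_RAW, which matches the "link-type RAW" line in the post.
RAW_LINKTYPES = {12, 101}
PCAP_MAGIC = 0xA1B2C3D4


def ipv4_tcp_packet(src, dst, sport, dport, payload_len, flags=0x02):
    """Minimal IPv4+TCP packet with zeroed checksums (constructed test data only)."""
    total = 20 + 20 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + bytes(payload_len)


def pcap_file(packets, snaplen):
    """Wrap raw-IP packets in a little-endian classic pcap with link-type RAW,
    cutting each record to snaplen the way nflog-range does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 12)
    for i, pkt in enumerate(packets):
        data = pkt[:snaplen]
        out += struct.pack("<IIII", 1354650000 + i, 0, len(data), len(pkt)) + data
    return out


def describe(data, incl_len, orig_len):
    """One-line summary of a raw IPv4 packet in tcpdump -qtn style, plus a
    truncation flag derived from the record header."""
    truncated = incl_len < orig_len
    if len(data) < 20 or data[0] >> 4 != 4:
        return {"summary": "non-IPv4 or short record", "truncated": truncated}
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", data, 2)[0]
    proto = data[9]
    src = ipaddress.IPv4Address(data[12:16])
    dst = ipaddress.IPv4Address(data[16:20])
    if proto == 6 and len(data) >= ihl + 20:
        sport, dport = struct.unpack_from("!HH", data, ihl)
        doff = (data[ihl + 12] >> 4) * 4
        # Payload length comes from the IP header, so it stays right even when
        # nflog-range cut the captured bytes short.
        summary = f"IP {src}.{sport} > {dst}.{dport}: tcp {total_len - ihl - doff}"
    else:
        summary = f"IP {src} > {dst}: proto {proto}"
    return {"summary": summary, "truncated": truncated}


def parse_raw_pcap(blob):
    """Parse a classic pcap written with link-type RAW; one dict per record."""
    if blob[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif blob[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    _, vmaj, vmin, _, _, _, linktype = struct.unpack_from(endian + "IHHiIII", blob, 0)
    if (vmaj, vmin) != (2, 4):
        raise ValueError(f"unsupported pcap version {vmaj}.{vmin}")
    if linktype not in RAW_LINKTYPES:
        raise ValueError(f"link-type {linktype} is not RAW")
    records, off = [], 24
    while off + 16 <= len(blob):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("partial record at end of file")
        off += incl_len
        records.append(describe(data, incl_len, orig_len))
    return records


# Constructed sample: the telnet SYN from the post's tcpdump output, then a
# 200-byte segment from port 80 cut to 100 bytes as nflog-range 100 would do.
SAMPLE_PCAP = pcap_file([
    ipv4_tcp_packet("1.2.3.226", "1.2.3.196", 44398, 23, 0),
    ipv4_tcp_packet("1.2.3.196", "1.2.3.226", 80, 50000, 200, flags=0x18),
], snaplen=100)

if __name__ == "__main__":
    for rec in parse_raw_pcap(SAMPLE_PCAP):
        print(rec["summary"], "[truncated]" if rec["truncated"] else "")
```

To check a real capture, replace `SAMPLE_PCAP` with `open("/var/log/ulogd.pcap", "rb").read()`; a file whose header fails the link-type check was not written by the PCAP stack at all, and a high share of truncated records means `nflog-range` is too small for the payloads you want to keep.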
All times are GMT