upengan78 (l33t)
Joined: 27 Jun 2007, Posts: 711, Location: IL
Posted: Tue Dec 04, 2012 6:47 pm
Post subject: ulogd and packet capture [SOLVED]
Hello,
So, I unmasked the newest ulogd, excited to use it for some packet capturing, with the capture written into /var/log/ulog.pcap, but currently it's not working for me.
```
[I] app-admin/ulogd
     Available versions:  1.23-r1 ~1.24-r2 (~)2.0.0_beta4 {{doc mysql pcap postgres sqlite}}
     Installed versions:  2.0.0_beta4(11:14:16 AM 12/04/2012)(pcap -doc -mysql -postgres)
     Homepage:            http://netfilter.org/projects/ulogd/index.html
     Description:         A userspace logging daemon for netfilter/iptables related logging
```
/etc/ulogd.conf:
```ini
[global]
logfile="/var/log/ulogd.log"
loglevel=1
plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib64/ulogd/ulogd_inppkt_ULOG.so"
plugin="/usr/lib64/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib64/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTFLOW.so"
plugin="/usr/lib64/ulogd/ulogd_filter_MARK.so"
plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib64/ulogd/ulogd_output_SYSLOG.so"
plugin="/usr/lib64/ulogd/ulogd_output_OPRINT.so"
plugin="/usr/lib64/ulogd/ulogd_output_NACCT.so"
plugin="/usr/lib64/ulogd/ulogd_output_PCAP.so"
plugin="/usr/lib64/ulogd/ulogd_output_DBI.so"
plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log2:NFLOG,mark1:MARK,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
stack=ct1:NFCT,op1:OPRINT
stack=log2:NFLOG,base1:BASE,pcap1:PCAP
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL
stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL
stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL
stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT
[ct1]
[ct2]
hash_enable=0
[log1]
group=0
[log2]
group=1 # Group has to be different from the one used in log1
[log3]
group=2 # Group has to be different from the one used in log1/log2
numeric_label=1 # you can label the log info based on the packet verdict
[ulog1]
nlgroup=1
[emu1]
file="/var/log/iptables.log"
sync=1
[op1]
file="/var/log/ulogd_oprint.log"
sync=1
[xml1]
directory="/var/log/"
sync=1
[pcap1]
file="/var/log/ulogd.pcap"
sync=1
[mysql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_PACKET_FULL"
[mysql2]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_CT"
[pgsql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_PACKET_FULL"
[pgsql2]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
pass="changeme"
procedure="INSERT_CT"
[pgsql3]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
pass="changeme"
procedure="INSERT_OR_REPLACE_CT"
[dbi1]
db="ulog2"
dbtype="pgsql"
host="localhost"
user="ulog2"
table="ulog"
pass="ulog2"
procedure="INSERT_PACKET_FULL"
[sys2]
facility=LOG_LOCAL2
[nacct1]
sync = 1
[mark1]
mark = 1
```
/var/log/ulogd.log: http://pastebin.ca/2289402

`iptables -L -nv | grep LOG` (just to show that there are chains/rules configured to use ULOG):
```
 8719 2152K LOGNDROP   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 15/min burst 5 LOG flags 0 level 4 prefix "BADFLAGS: "
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 queue_threshold 1
Chain LOGNDROP (1 references)
  458  113K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 15/min burst 5 LOG flags 0 level 4 prefix "DENIED: "
    0     0 ULOG       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1:9999 ULOG copy_range 0 nlgroup 1 queue_threshold 1
    0     0 ULOG       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 ULOG copy_range 0 nlgroup 1 queue_threshold 1
    0     0 ULOG       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 ULOG copy_range 0 nlgroup 1 queue_threshold 1
```
Can someone please help to get pcap working with ulogd?
Last edited by upengan78 on Tue Dec 04, 2012 10:55 pm; edited 1 time in total
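The root of the problem in this post is a plumbing mismatch: the only stack in ulogd.conf that ends in the PCAP output plugin starts at the NFLOG input `log2` with `group=1`, while every firewall rule shown uses the ULOG target, so nothing ever reaches the pcap writer. The Python below is an added example, not code from the thread or from ulogd; it parses a constructed excerpt of the ulogd.conf above together with constructed `iptables -L -nv` lines and reports whether any rule feeds the exact input plugin and netlink group the PCAP stack listens on.

```python
import re

# Constructed excerpts: ulogd.conf lines from the post, and `iptables -L -nv` before/after adding NFLOG rules.
ULOGD_CONF = """
stack=log2:NFLOG,base1:BASE,pcap1:PCAP
[log2]
group=1 # Group has to be different from the one used in log1
"""
RULES_BEFORE = "0 0 ULOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:9999 ULOG copy_range 0 nlgroup 1 queue_threshold 1\n"
RULES_AFTER = RULES_BEFORE + "6 360 NFLOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:9999 nflog-group 1 nflog-range 100\n"
SPEC = {"NFLOG": ("group", "nflog-group"), "ULOG": ("nlgroup", "nlgroup")}  # (ulogd.conf key, iptables -L option)

def parse_conf(text):
    """Return stacks as [(instance, plugin), ...] lists plus {section: {key: value}}."""
    stacks, sections, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ulogd allows trailing comments
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections.setdefault(cur, {})
        elif line.startswith("stack="):
            stacks.append([tuple(e.split(":", 1)) for e in line[6:].split(",")])
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[cur][key] = val.strip('"')
    return stacks, sections

def pcap_input_groups(conf):
    """(input plugin, group) pairs feeding any stack whose output plugin is PCAP."""
    stacks, sections = parse_conf(conf)
    groups = set()
    for stack in stacks:
        inst, plugin = stack[0]
        if stack[-1][1] == "PCAP" and plugin in SPEC:  # NFLOG defaults to group 0 if unset
            groups.add((plugin, int(sections.get(inst, {}).get(SPEC[plugin][0], 0))))
    return groups

def rule_groups(iptables_out):
    """(target, group) pairs for every ULOG/NFLOG rule in `iptables -L -nv` output."""
    found = set()
    for line in iptables_out.splitlines():
        for target, (_, opt) in SPEC.items():
            m = re.search(r"\b%s\b.*\b%s (\d+)" % (target, opt), line)
            if m:
                found.add((target, int(m.group(1))))
    return found

def pcap_is_fed(conf, iptables_out):
    # True only if some rule logs to the same input plugin and group the PCAP stack reads.
    return bool(pcap_input_groups(conf) & rule_groups(iptables_out))
```

With the ULOG-only rules the check fails; once an NFLOG rule with `nflog-group 1` exists it passes, which is exactly the change made further down the thread.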
upengan78 (l33t)
Posted: Tue Dec 04, 2012 10:54 pm
Update:
I noted that in the ulogd.conf file, the stack line for PCAP states that it is using NFLOG, not ULOG.
```
stack=log2:NFLOG,base1:BASE,pcap1:PCAP
```
So, I added the rules below to my iptables after making sure I have CONFIG_NETFILTER_XT_TARGET_NFLOG=m in .config and the modules compiled/installed.
```
iptables -L -nv | grep NFLOG
    0     0 NFLOG      all  --  *      *       0.0.0.0/0            0.0.0.0/0            nflog-group 1 nflog-range 100
    6   360 NFLOG      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1:9999 nflog-group 1 nflog-range 100
    0     0 NFLOG      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 nflog-group 1 nflog-range 100
    0     0 NFLOG      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 nflog-group 1 nflog-range 100
```
`tail -f /var/log/ulogd.pcap | tcpdump -r - -qtnp`:
```
reading from file -, link-type RAW (Raw IP)
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
```
I telnetted from another machine to my machine and I see /var/log/ulogd.pcap is getting written fine now. Those 6 packets for dpts:1:9999 appeared as a result of that.
Sorry for not posting my full iptables rules. I know the grep doesn't really help with iptables chains/rules across multiple chains, but the part that matters is what is pasted here.
Thanks.
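Reading the capture back without tcpdump, as an added example (not code from the thread or from ulogd): tcpdump reports the file written by ulogd's PCAP plugin as link-type RAW (Raw IP), which means each record is a bare IP packet with no Ethernet header, so a parser must start decoding at the IP header rather than skipping 14 bytes of framing. The pcap bytes and packets below are constructed inline; whether a given ulogd build writes the link-type value 101 or the legacy DLT_RAW value 12 is an assumption, so both are accepted.

```python
import struct

RAW_LINKTYPES = (101, 12)  # LINKTYPE_RAW, plus the legacy DLT_RAW value 12 that some writers emit

def ipv4_tcp_packet(src, dst, sport, dport, payload=b"", flags=0x02):
    """Constructed sample: a minimal IPv4+TCP datagram with no link-layer header (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def pcap_file(packets, linktype=101):
    """Constructed sample pcap (little-endian, v2.4) whose records are bare IP packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1354660000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def summarize(data):
    """One `tcpdump -qtn` style line per record; refuses captures that are not Raw IP."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", data[:4])[0]]
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype not in RAW_LINKTYPES:
        raise ValueError("expected a RAW (Raw IP) capture, got link-type %d" % linktype)
    lines, off = [], 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]  # captured length of this record
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        ihl = (pkt[0] & 0x0F) * 4                  # IP header length in bytes
        total, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
        src, dst = (".".join(map(str, pkt[o:o + 4])) for o in (12, 16))
        if proto != 6:                             # only TCP gets the port/length summary here
            lines.append("IP %s > %s: proto %d" % (src, dst, proto))
            continue
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        doff = (pkt[ihl + 12] >> 4) * 4            # TCP header length in bytes
        lines.append("IP %s.%d > %s.%d: tcp %d" % (src, sport, dst, dport, total - ihl - doff))
    return lines
```

The trailing number is the TCP payload length, which is why the SYNs in the post show as `tcp 0`.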