wireshark/plugins/epan/falco_bridge
Gerald Combs 75efbb1ac4 Rename Logwolf to Logray
Switch to the name "Logray" for the log analyzer. Rays are biological
cousins of sharks and more people like the name "Logray" in a completely
unscientific survey here. Apologies for any inconvenience this might
cause.
2022-07-06 15:04:25 +00:00
AUTHORS
CMakeLists.txt Rename Logwolf to Logray 2022-07-06 15:04:25 +00:00
README.md Fix some spellings. 2022-07-06 09:02:37 +01:00
conversation-macros.h Falco Bridge: Misc cleanup. 2022-04-13 13:51:06 -07:00
packet-falco-bridge.c epan: Allow conversations based on arbitrary element lists. 2022-05-23 18:12:26 +00:00
sinsp-span.cpp Falco Bridge: API updates. 2022-05-19 12:52:37 -07:00
sinsp-span.h Falco Bridge: API updates. 2022-05-19 12:52:37 -07:00

README.md

Falco Bridge

This plugin is a bridge between Falco plugins and Wireshark, so that Falco plugins can be used as dissectors. It requires libsinsp and libscap.

Building the Falco Bridge plugin

  1. Download and compile libsinsp and libscap. You will probably want to pass -DMINIMAL_BUILD=ON -DCREATE_TEST_TARGETS=OFF to cmake.

  2. Configure Wireshark with cmake ... -DSINSP_INCLUDEDIR=/path/to/falcosecurity-libs -DSINSP_LIBDIR=/path/to/falcosecurity-libs/ -DSINSP_PLUGINDIR=/path/to/falcosecurity-plugins/ build ...

Quick Start

  1. Create a directory named "falco" at the same level as the "epan" plugin folder. You can find the global and per-user plugin folder locations on your system in About → Folders or in the User's Guide.

  2. Build your desired Falco plugin and place it in the "falco" plugin directory.
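The build and quick-start steps above, as an added shell helper that is not part of Wireshark or falcosecurity-libs: it checks that a falcosecurity-libs checkout actually contains the headers and static libraries the bridge needs before you spend a long Wireshark configure on a wrong path, prints the matching -DSINSP_* flags, and installs a built Falco plugin into a "falco" directory beside "epan". The expected file layout (sinsp.h under userspace/libsinsp, scap.h under userspace/libscap, libsinsp.a and libscap.a under build/), the use of the build directory as SINSP_LIBDIR, and the plugin file name in the usage note are assumptions, not something the README states.

```shell
#!/bin/sh
# Added example; not part of Wireshark or falcosecurity-libs.
# Preflight helper for the two procedures above:
#   flags   - verify a falcosecurity-libs tree and print the cmake -D flags
#   install - copy a built Falco plugin into <plugin_root>/falco
#
# Assumed layout of a falcosecurity-libs checkout after a MINIMAL_BUILD
# (an assumption of this example, not something the README specifies):
#   <libs>/userspace/libsinsp/sinsp.h
#   <libs>/userspace/libscap/scap.h
#   <libs>/build/libsinsp/libsinsp.a
#   <libs>/build/libscap/libscap.a
# SINSP_LIBDIR is assumed to be the build directory.

# Print the -DSINSP_* flags for a libs checkout and a plugins checkout.
# Fails (returns 1) if any required file is missing, so a bad path is
# caught here rather than deep inside the Wireshark cmake run.
sinsp_cmake_flags() {
    libs=$1
    plugins=$2
    for f in "$libs/userspace/libsinsp/sinsp.h" \
             "$libs/userspace/libscap/scap.h" \
             "$libs/build/libsinsp/libsinsp.a" \
             "$libs/build/libscap/libscap.a"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f (build falcosecurity-libs first)" >&2
            return 1
        fi
    done
    if [ ! -d "$plugins" ]; then
        echo "missing plugin source directory: $plugins" >&2
        return 1
    fi
    # Separate arguments rather than a leading '-' in the format string,
    # so printf never mistakes the flag for one of its own options.
    printf '%s %s %s\n' \
        "-DSINSP_INCLUDEDIR=$libs" \
        "-DSINSP_LIBDIR=$libs/build" \
        "-DSINSP_PLUGINDIR=$plugins"
}

# Copy a built Falco plugin into "<root>/falco", where <root> is the
# directory that already holds Wireshark's "epan" plugin folder (the
# plugin folder reported under About -> Folders). Refusing to create
# "falco" anywhere else catches the common mistake of picking the
# parent directory one level too high.
install_falco_plugin() {
    so=$1
    root=$2
    if [ ! -f "$so" ]; then
        echo "plugin not found: $so" >&2
        return 1
    fi
    if [ ! -d "$root/epan" ]; then
        echo "$root has no epan/ subdirectory; use the plugin folder that contains it" >&2
        return 1
    fi
    mkdir -p "$root/falco" && cp "$so" "$root/falco/"
}

# Command dispatch; does nothing when sourced or run without arguments.
case "${1:-}" in
    flags)   sinsp_cmake_flags "$2" "$3" ;;
    install) install_falco_plugin "$2" "$3" ;;
esac
```

Run `sh falco-preflight.sh flags /path/to/falcosecurity-libs /path/to/falcosecurity-plugins` and splice its output into the Wireshark cmake line from the Building section; run `sh falco-preflight.sh install libmyplugin.so <plugin folder>` (plugin name assumed) with the folder that contains epan/ to complete the Quick Start.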

Licensing

libsinsp and libscap are released under the Apache 2.0 license. They depend on the following libraries:

  • b64: MIT
  • c-ares: MIT
  • curl: MIT
  • GRPC: Apache 2.0
  • jq: MIT
  • JsonCpp: MIT
  • LuaJIT: MIT
  • OpenSSL < 3.0: SSLeay
  • OpenSSL >= 3.0 : Apache 2.0
  • Protobuf: BSD-3-Clause
  • oneTBB: Apache 2.0
  • zlib: zlib

Wireshark is released under the GPL version 2 or any later version (GPL-2.0-or-later). The Apache-2.0 license is not compatible with GPL version 2 on its own, but it is compatible with GPL version 3, so the two can be combined through the "any later version" provision of the GPL version 2. As discussed at https://www.wireshark.org/lists/wireshark-dev/202203/msg00020.html, combining Wireshark and libsinsp+libscap should therefore be OK, but doing so in effect invokes that provision, making the Wireshark portion of the combined work GPLv3+.

Debian would appear to concur: https://lists.debian.org/debian-legal/2014/08/msg00102.html.

No version of the GPL is compatible with the SSLeay license, so you must ensure that libsinsp+libscap is linked against OpenSSL 3.0 or later. On a shared-library build you can confirm this from the library names the binary links: OpenSSL 3.x ships libssl.so.3 and libcrypto.so.3, whereas the 1.1.x series ships libssl.so.1.1 and libcrypto.so.1.1.