forked from osmocom/wireshark
146 lines
3.0 KiB
Plaintext
146 lines
3.0 KiB
Plaintext
=begin man
|
|
|
|
=encoding utf8
|
|
|
|
=end man
|
|
|
|
=head1 NAME
|
|
|
|
sdjournal - Provide an interface to capture systemd journal entries.
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
B<sdjournal>
|
|
S<[ B<--help> ]>
|
|
S<[ B<--version> ]>
|
|
S<[ B<--extcap-interfaces> ]>
|
|
S<[ B<--extcap-dlts> ]>
|
|
S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
|
|
S<[ B<--extcap-config> ]>
|
|
S<[ B<--capture> ]>
|
|
S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
|
|
S<[ B<--start-from>=E<lt>entry countE<gt> ]>
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
B<sdjournal> is an extcap tool that allows one to capture systemd
|
|
journal entries. It can be used to correlate system events with
|
|
network traffic.
|
|
|
|
Supported interfaces:
|
|
|
|
=over 4
|
|
|
|
=item 1. sdjournal
|
|
|
|
=back
|
|
|
|
=head1 OPTIONS
|
|
|
|
=over 4
|
|
|
|
=item --help
|
|
|
|
Print program arguments.
|
|
|
|
=item --version
|
|
|
|
Print program version.
|
|
|
|
=item --extcap-interfaces
|
|
|
|
List available interfaces.
|
|
|
|
=item --extcap-interface=E<lt>interfaceE<gt>
|
|
|
|
Use specified interfaces.
|
|
|
|
=item --extcap-dlts
|
|
|
|
List DLTs of specified interface.
|
|
|
|
=item --extcap-config
|
|
|
|
List configuration options of specified interface.
|
|
|
|
=item --capture
|
|
|
|
Start capturing from specified interface and write raw packet data to the location specified by --fifo.
|
|
|
|
=item --fifo=E<lt>path to file or pipeE<gt>
|
|
|
|
Save captured packet to file or send it through pipe.
|
|
|
|
=item --start-from=E<lt>entry countE<gt>
|
|
|
|
Start from the last E<lt>entry countE<gt> entries, similar to the
|
|
"-n" or "--lines" argument for the L<tail(1)> command. Values prefixed
|
|
with a B<+> sign start from the beginning of the journal, otherwise
|
|
the count starts from the end. The default value is 10. To include
|
|
all entries use B<+0>.
|
|
|
|
=back
|
|
|
|
=head1 EXAMPLES
|
|
|
|
To see program arguments:
|
|
|
|
sdjournal --help
|
|
|
|
To see program version:
|
|
|
|
sdjournal --version
|
|
|
|
To see interfaces:
|
|
|
|
sdjournal --extcap-interfaces
|
|
|
|
Only one interface (sdjournal) is supported.
|
|
|
|
Output:
|
|
interface {value=sdjournal}{display=systemd journal capture}
|
|
|
|
To see interface DLTs:
|
|
|
|
sdjournal --extcap-interface=sdjournal --extcap-dlts
|
|
|
|
Output:
|
|
dlt {number=147}{name=sdjournal}{display=USER0}
|
|
|
|
To see interface configuration options:
|
|
|
|
sdjournal --extcap-interface=sdjournal --extcap-config
|
|
|
|
Output:
|
|
|
|
arg {number=0}{call=--start-from}{display=Starting position}{type=string}
|
|
{tooltip=The journal starting position. Values with a leading "+" start from the beginning, similar to the "tail" command}
|
|
|
|
To capture:
|
|
|
|
sdjournal --extcap-interface=sdjournal --fifo=/tmp/sdjournal.pcap --capture
|
|
|
|
To capture all entries since the system was booted:
|
|
|
|
sdjournal --extcap-interface=sdjournal --fifo=/tmp/sdjournal.pcap --capture --start-from +0
|
|
|
|
NOTE: To stop capturing CTRL+C/kill/terminate application.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)
|
|
|
|
=head1 NOTES
|
|
|
|
B<sdjournal> is part of the B<Wireshark> distribution. The latest version
|
|
of B<Wireshark> can be found at L<https://www.wireshark.org>.
|
|
|
|
HTML versions of the Wireshark project man pages are available at:
|
|
L<https://www.wireshark.org/docs/man-pages>.
|
|
|
|
=head1 AUTHORS
|
|
|
|
Original Author
|
|
-------- ------
|
|
Gerald Combs <gerald[AT]wireshark.org>
|