24ab9c0aaa
|
||
|---|---|---|
| .. | ||
| AUTHORS | ||
| CMakeLists.txt | ||
| README.md | ||
| conversation-macros.h | ||
| packet-falco-bridge.c | ||
| sinsp-span.cpp | ||
| sinsp-span.h | ||
README.md
Falco Bridge
This plugin is a bridge between Falco plugins and Wireshark, so that Falco plugins can be used as dissectors. It requires libsinsp and libscap.
Building the Falco Bridge plugin
-
Download and compile libsinsp and libscap. You will probably want to pass
-DMINIMAL_BUILD=ON -DCREATE_TEST_TARGETS=OFFto cmake. -
Configure Wireshark with
cmake \
-DSINSP_INCLUDEDIR=/path/to/falcosecurity-libs \
-DSINSP_LIBDIR=/path/to/falcosecurity-libs/ \
-DFALCO_PLUGINS="/path/to/plugin1;/path/to/plugin2;/path/to/plugin3" \
[other cmake args]
Quick Start
-
Create a directory named "falco" at the same level as the "epan" plugin folder. You can find the global and per-user plugin folder locations on your system in About → Folders or in the User's Guide.
-
Build your desired Falco plugin and place it in the "falco" plugin directory.
Licensing
libsinsp and libscap are released under the Apache 2.0 license. They depend on the following libraries:
- b64: MIT
- c-ares: MIT
- curl: MIT
- GRPC: Apache 2.0
- jq: MIT
- JsonCpp: MIT
- LuaJIT: MIT
- OpenSSL < 3.0: SSLeay
- OpenSSL >= 3.0 : Apache 2.0
- Protobuf: BSD-3-Clause
- oneTBB: Apache 2.0
- zlib: zlib
Wireshark is released under the GPL version 2 (GPL-2.0-or-later). It and the Apache-2.0 license are compatible via the "any later version" provision in the GPL version 2. As discussed at https://www.wireshark.org/lists/wireshark-dev/202203/msg00020.html, combining Wireshark and libsinsp+libscap should be OK, but that in effect invokes the GPLv2's "any later version" provision, making the Wireshark portion of the combined work GPLv3+.
Debian would appear to concur: https://lists.debian.org/debian-legal/2014/08/msg00102.html.
No version of the GPL is compatible with the SSLeay license; you must ensure that libsinsp+libscap is linked with OpenSSL 3.0 or later.