wireshark/plugins/epan/falco_bridge
Gerald Combs be929e162d epan: Allow conversations based on arbitrary element lists.
Add conversation_new_full and find_conversation_full, which take
arbitrary element lists instead of fixed addresses and ports.

Update the comments in conversation.h to be more Doxygen-conformant.
Update README.dissector.

Use the new functionality to add initial conversation support to the
Falco Bridge dissector.
2022-05-23 18:12:26 +00:00
AUTHORS
CMakeLists.txt Falco Bridge: Misc cleanup. 2022-04-13 13:51:06 -07:00
README.md Falco Bridge: Add typed address fields. 2022-04-29 12:13:34 -07:00
conversation-macros.h Falco Bridge: Misc cleanup. 2022-04-13 13:51:06 -07:00
packet-falco-bridge.c epan: Allow conversations based on arbitrary element lists. 2022-05-23 18:12:26 +00:00
sinsp-span.cpp Falco Bridge: API updates. 2022-05-19 12:52:37 -07:00
sinsp-span.h Falco Bridge: API updates. 2022-05-19 12:52:37 -07:00

README.md

Falco Bridge

This plugin is a bridge between Falco plugins and Wireshark, so that Falco plugins can be used as dissectors. It requires libsinsp and libscap.

Building the Falco Bridge plugin

  1. Download and compile libsinsp and libscap. You will probably want to pass -DMINIMAL_BUILD=ON -DCREATE_TEST_TARGETS=OFF to cmake.

  2. Configure Wireshark with cmake ... -DSINSP_INCLUDEDIR=/path/to/falcosecurity-libs -DSINSP_LIBDIR=/path/to/falcosecurity-libs/ -DSINSP_PLUGINDIR=/path/to/falcosecurity-plugins/ build ...

Quick Start

  1. Create a directory named "falco" at the same level as the "epan" plugin folder. You can find the global and per-user plugin folder locations on your system in About → Folders or in the User's Guide.

  2. Build your desired Falco plugin and place it in the "falco" plugin directory.

Licensing

libsinsp and libscap are released under the Apache 2.0 license. They depend on the following libraries:

  • b64: MIT
  • c-ares: MIT
  • curl: MIT
  • GRPC: Apache 2.0
  • jq: MIT
  • JsonCpp: MIT
  • LuaJIT: MIT
  • OpenSSL < 3.0: SSLeay
  • OpenSSL >= 3.0 : Apache 2.0
  • Protobuf: BSD-3-Clause
  • oneTBB: Apache 2.0
  • zlib: zlib

Wireshark is released under the GPL version 2 (GPL-2.0-or-later). It and the Apache-2.0 license are compatible via the "any later version" provision in the GPL version 2. As discussed at https://www.wireshark.org/lists/wireshark-dev/202203/msg00020.html, combining Wireshark and libsinsp+libscap should be OK, but that in effect invokes the GPLv2's "any later version" provision, making the Wireshark portion of the combined work GPLv3+.

Debian would appear to concur: https://lists.debian.org/debian-legal/2014/08/msg00102.html.

No version of the GPL is compatible with the SSLeay license; you must ensure that libsinsp+libscap is linked with OpenSSL 3.0 or later.