Add a systemd Journal Export extcap.
Add an sdjournal extcap, which reads journal entries using the sd-journal API and dumps them as journal Export Format records. Change-Id: I17ccfa88ab5d053c16c869cd26e580d84022502e Reviewed-on: https://code.wireshark.org/review/29479 Reviewed-by: Gerald Combs <gerald@wireshark.org> Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Anders Broman <a.broman58@gmail.com>
This commit is contained in:
parent
e1ef8f6a40
commit
f69108b84e
|
@ -844,6 +844,10 @@ if(ENABLE_AIRPCAP)
|
||||||
set(PACKAGELIST ${PACKAGELIST} AIRPCAP)
|
set(PACKAGELIST ${PACKAGELIST} AIRPCAP)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
|
if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
|
||||||
|
set(PACKAGELIST ${PACKAGELIST} Systemd)
|
||||||
|
endif()
|
||||||
|
|
||||||
# Build the Qt GUI?
|
# Build the Qt GUI?
|
||||||
if(BUILD_wireshark)
|
if(BUILD_wireshark)
|
||||||
# Untested, may not work if CMAKE_PREFIX_PATH gets overwritten
|
# Untested, may not work if CMAKE_PREFIX_PATH gets overwritten
|
||||||
|
|
|
@ -16,12 +16,19 @@ option(BUILD_dftest "Build dftest" ON)
|
||||||
option(BUILD_corbaidl2wrs "Build corbaidl2wrs" OFF)
|
option(BUILD_corbaidl2wrs "Build corbaidl2wrs" OFF)
|
||||||
option(BUILD_dcerpcidl2wrs "Build dcerpcidl2wrs" ON)
|
option(BUILD_dcerpcidl2wrs "Build dcerpcidl2wrs" ON)
|
||||||
option(BUILD_xxx2deb "Build xxx2deb" OFF)
|
option(BUILD_xxx2deb "Build xxx2deb" OFF)
|
||||||
|
|
||||||
option(BUILD_androiddump "Build androiddump" ON)
|
option(BUILD_androiddump "Build androiddump" ON)
|
||||||
option(BUILD_sshdump "Build sshdump" ON)
|
option(BUILD_sshdump "Build sshdump" ON)
|
||||||
option(BUILD_ciscodump "Build ciscodump" ON)
|
option(BUILD_ciscodump "Build ciscodump" ON)
|
||||||
option(BUILD_dpauxmon "Build dpauxmon" ON)
|
option(BUILD_dpauxmon "Build dpauxmon" ON)
|
||||||
option(BUILD_randpktdump "Build randpktdump" ON)
|
option(BUILD_randpktdump "Build randpktdump" ON)
|
||||||
|
if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
|
||||||
|
option(BUILD_sdjournal "Build sdjournal" ON)
|
||||||
|
else()
|
||||||
|
option(BUILD_sdjournal "Build sdjournal" OFF)
|
||||||
|
endif()
|
||||||
option(BUILD_udpdump "Build udpdump" ON)
|
option(BUILD_udpdump "Build udpdump" ON)
|
||||||
|
|
||||||
option(BUILD_sharkd "Build sharkd" ON)
|
option(BUILD_sharkd "Build sharkd" ON)
|
||||||
if(WIN32)
|
if(WIN32)
|
||||||
option(BUILD_fuzzshark "Build fuzzshark" OFF)
|
option(BUILD_fuzzshark "Build fuzzshark" OFF)
|
||||||
|
|
|
@ -0,0 +1,41 @@
|
||||||
|
# Copied from https://github.com/Cloudef/wlc/blob/master/CMake/FindSystemd.cmake
|
||||||
|
#.rst:
|
||||||
|
# FindSystemd
|
||||||
|
# -------
|
||||||
|
#
|
||||||
|
# Find Systemd library
|
||||||
|
#
|
||||||
|
# Try to find Systemd library on UNIX systems. The following values are defined
|
||||||
|
#
|
||||||
|
# ::
|
||||||
|
#
|
||||||
|
# SYSTEMD_FOUND - True if Systemd is available
|
||||||
|
# SYSTEMD_INCLUDE_DIRS - Include directories for Systemd
|
||||||
|
# SYSTEMD_LIBRARIES - List of libraries for Systemd
|
||||||
|
# SYSTEMD_DEFINITIONS - List of definitions for Systemd
|
||||||
|
#
|
||||||
|
#=============================================================================
|
||||||
|
# Copyright (c) 2015 Jari Vetoniemi
|
||||||
|
#
|
||||||
|
# Distributed under the OSI-approved BSD License (the "License");
|
||||||
|
#
|
||||||
|
# This software is distributed WITHOUT ANY WARRANTY; without even the
|
||||||
|
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
# See the License for more information.
|
||||||
|
#=============================================================================
|
||||||
|
|
||||||
|
include(FeatureSummary)
|
||||||
|
set_package_properties(Systemd PROPERTIES
|
||||||
|
URL "http://freedesktop.org/wiki/Software/systemd/"
|
||||||
|
DESCRIPTION "System and Service Manager")
|
||||||
|
|
||||||
|
find_package(PkgConfig)
|
||||||
|
pkg_check_modules(PC_SYSTEMD QUIET libsystemd)
|
||||||
|
find_library(SYSTEMD_LIBRARIES NAMES systemd ${PC_SYSTEMD_LIBRARY_DIRS})
|
||||||
|
find_path(SYSTEMD_INCLUDE_DIRS systemd/sd-login.h HINTS ${PC_SYSTEMD_INCLUDE_DIRS})
|
||||||
|
|
||||||
|
set(SYSTEMD_DEFINITIONS ${PC_SYSTEMD_CFLAGS_OTHER})
|
||||||
|
|
||||||
|
include(FindPackageHandleStandardArgs)
|
||||||
|
find_package_handle_standard_args(SYSTEMD DEFAULT_MSG SYSTEMD_INCLUDE_DIRS SYSTEMD_LIBRARIES)
|
||||||
|
mark_as_advanced(SYSTEMD_INCLUDE_DIRS SYSTEMD_LIBRARIES SYSTEMD_DEFINITIONS)
|
|
@ -15,7 +15,7 @@ Build-Depends: lsb-release,
|
||||||
# backports-compatible.
|
# backports-compatible.
|
||||||
libgnutls28-dev (>= 3.2.14-1~) | libgnutls-dev,
|
libgnutls28-dev (>= 3.2.14-1~) | libgnutls-dev,
|
||||||
libgcrypt-dev, libkrb5-dev, liblua5.2-dev, libsmi2-dev,
|
libgcrypt-dev, libkrb5-dev, liblua5.2-dev, libsmi2-dev,
|
||||||
libmaxminddb-dev, dpkg-dev (>= 1.16.1~),
|
libmaxminddb-dev, dpkg-dev (>= 1.16.1~), libsystemd-dev,
|
||||||
libnl-genl-3-dev [linux-any], libnl-route-3-dev [linux-any], asciidoctor,
|
libnl-genl-3-dev [linux-any], libnl-route-3-dev [linux-any], asciidoctor,
|
||||||
cmake (>= 3.5) | cmake3, libsbc-dev, libnghttp2-dev, libssh-gcrypt-dev,
|
cmake (>= 3.5) | cmake3, libsbc-dev, libnghttp2-dev, libssh-gcrypt-dev,
|
||||||
liblz4-dev, libsnappy-dev, libspandsp-dev, libxml2-dev
|
liblz4-dev, libsnappy-dev, libspandsp-dev, libxml2-dev
|
||||||
|
|
|
@ -83,6 +83,10 @@ if(BUILD_dpauxmon AND HAVE_LIBNL3)
|
||||||
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/dpauxmon 1)
|
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/dpauxmon 1)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
|
if(BUILD_sdjournal AND SYSTEMD_FOUND)
|
||||||
|
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/sdjournal 1)
|
||||||
|
endif()
|
||||||
|
|
||||||
if(MAXMINDDB_FOUND)
|
if(MAXMINDDB_FOUND)
|
||||||
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/mmdbresolve 1)
|
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/mmdbresolve 1)
|
||||||
endif()
|
endif()
|
||||||
|
@ -120,6 +124,10 @@ if(BUILD_dpauxmon AND HAVE_LIBNL3)
|
||||||
list(APPEND MAN1_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/dpauxmon.1)
|
list(APPEND MAN1_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/dpauxmon.1)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
|
if(BUILD_sdjournal AND SYSTEMD_FOUND)
|
||||||
|
list(APPEND MAN1_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/sdjournal.1)
|
||||||
|
endif()
|
||||||
|
|
||||||
if(MAXMINDDB_FOUND)
|
if(MAXMINDDB_FOUND)
|
||||||
list(APPEND MAN1_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/mmdbresolve.1)
|
list(APPEND MAN1_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/mmdbresolve.1)
|
||||||
endif()
|
endif()
|
||||||
|
@ -174,6 +182,10 @@ if(BUILD_dpauxmon AND HAVE_LIBNL3)
|
||||||
list(APPEND HTML_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/dpauxmon.html)
|
list(APPEND HTML_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/dpauxmon.html)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
|
if(BUILD_sdjournal AND SYSTEMD_FOUND)
|
||||||
|
list(APPEND MAN1_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/sdjournal.html)
|
||||||
|
endif()
|
||||||
|
|
||||||
if(MAXMINDDB_FOUND)
|
if(MAXMINDDB_FOUND)
|
||||||
list(APPEND HTML_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/mmdbresolve.html)
|
list(APPEND HTML_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/mmdbresolve.html)
|
||||||
endif()
|
endif()
|
||||||
|
|
|
@ -0,0 +1,145 @@
|
||||||
|
=begin man
|
||||||
|
|
||||||
|
=encoding utf8
|
||||||
|
|
||||||
|
=end man
|
||||||
|
|
||||||
|
=head1 NAME
|
||||||
|
|
||||||
|
sdjournal - Provide an interface to capture systemd journal entries.
|
||||||
|
|
||||||
|
=head1 SYNOPSIS
|
||||||
|
|
||||||
|
B<sdjournal>
|
||||||
|
S<[ B<--help> ]>
|
||||||
|
S<[ B<--version> ]>
|
||||||
|
S<[ B<--extcap-interfaces> ]>
|
||||||
|
S<[ B<--extcap-dlts> ]>
|
||||||
|
S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
|
||||||
|
S<[ B<--extcap-config> ]>
|
||||||
|
S<[ B<--capture> ]>
|
||||||
|
S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
|
||||||
|
S<[ B<--start-from>=E<lt>entry countE<gt> ]>
|
||||||
|
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
|
B<sdjournal> is an extcap tool that allows one to capture systemd
|
||||||
|
journal entries. It can be used to correlate system events with
|
||||||
|
network traffic.
|
||||||
|
|
||||||
|
Supported interfaces:
|
||||||
|
|
||||||
|
=over 4
|
||||||
|
|
||||||
|
=item 1. sdjournal
|
||||||
|
|
||||||
|
=back
|
||||||
|
|
||||||
|
=head1 OPTIONS
|
||||||
|
|
||||||
|
=over 4
|
||||||
|
|
||||||
|
=item --help
|
||||||
|
|
||||||
|
Print program arguments.
|
||||||
|
|
||||||
|
=item --version
|
||||||
|
|
||||||
|
Print program version.
|
||||||
|
|
||||||
|
=item --extcap-interfaces
|
||||||
|
|
||||||
|
List available interfaces.
|
||||||
|
|
||||||
|
=item --extcap-interface=E<lt>interfaceE<gt>
|
||||||
|
|
||||||
|
Use specified interfaces.
|
||||||
|
|
||||||
|
=item --extcap-dlts
|
||||||
|
|
||||||
|
List DLTs of specified interface.
|
||||||
|
|
||||||
|
=item --extcap-config
|
||||||
|
|
||||||
|
List configuration options of specified interface.
|
||||||
|
|
||||||
|
=item --capture
|
||||||
|
|
||||||
|
Start capturing from specified interface and write raw packet data to the location specified by --fifo.
|
||||||
|
|
||||||
|
=item --fifo=E<lt>path to file or pipeE<gt>
|
||||||
|
|
||||||
|
Save captured packet to file or send it through pipe.
|
||||||
|
|
||||||
|
=item --start-from=E<lt>entry countE<gt>
|
||||||
|
|
||||||
|
Start from the last E<lt>entry countE<gt> entries, similar to the
|
||||||
|
"-n" or "--lines" argument for the L<tail> command. Values prefixed
|
||||||
|
with a B<+> sign start from the beginning of the journal, otherwise
|
||||||
|
the count starts from the end. The default value is 10. To include
|
||||||
|
all entries use B<+0>.
|
||||||
|
|
||||||
|
=back
|
||||||
|
|
||||||
|
=head1 EXAMPLES
|
||||||
|
|
||||||
|
To see program arguments:
|
||||||
|
|
||||||
|
sdjournal --help
|
||||||
|
|
||||||
|
To see program version:
|
||||||
|
|
||||||
|
sdjournal --version
|
||||||
|
|
||||||
|
To see interfaces:
|
||||||
|
|
||||||
|
sdjournal --extcap-interfaces
|
||||||
|
|
||||||
|
Only one interface (sdjournal) is supported.
|
||||||
|
|
||||||
|
Output:
|
||||||
|
interface {value=sdjournal}{display=systemd journal capture}
|
||||||
|
|
||||||
|
To see interface DLTs:
|
||||||
|
|
||||||
|
sdjournal --extcap-interface=sdjournal --extcap-dlts
|
||||||
|
|
||||||
|
Output:
|
||||||
|
dlt {number=147}{name=sdjournal}{display=USER0}
|
||||||
|
|
||||||
|
To see interface configuration options:
|
||||||
|
|
||||||
|
sdjournal --extcap-interface=sdjournal --extcap-config
|
||||||
|
|
||||||
|
Output:
|
||||||
|
|
||||||
|
arg {number=0}{call=--start-from}{display=Starting position}{type=string}
|
||||||
|
{tooltip=The journal starting position. Values with a leading "+" start from the beginning, similar to the "tail" command}
|
||||||
|
|
||||||
|
To capture:
|
||||||
|
|
||||||
|
sdjournal --extcap-interface=sdjournal --fifo=/tmp/sdjournal.pcap --capture
|
||||||
|
|
||||||
|
To capture all entries since the system was booted:
|
||||||
|
|
||||||
|
sdjournal --extcap-interface=sdjournal --fifo=/tmp/sdjournal.pcap --capture --start-from +0
|
||||||
|
|
||||||
|
NOTE: To stop capturing CTRL+C/kill/terminate application.
|
||||||
|
|
||||||
|
=head1 SEE ALSO
|
||||||
|
|
||||||
|
wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)
|
||||||
|
|
||||||
|
=head1 NOTES
|
||||||
|
|
||||||
|
B<sdjournal> is part of the B<Wireshark> distribution. The latest version
|
||||||
|
of B<Wireshark> can be found at L<https://www.wireshark.org>.
|
||||||
|
|
||||||
|
HTML versions of the Wireshark project man pages are available at:
|
||||||
|
L<https://www.wireshark.org/docs/man-pages>.
|
||||||
|
|
||||||
|
=head1 AUTHORS
|
||||||
|
|
||||||
|
Original Author
|
||||||
|
-------- ------
|
||||||
|
Gerald Combs <gerald[AT]wireshark.org>
|
|
@ -4211,7 +4211,7 @@ capture_loop_write_pcapng_cb(capture_src *pcap_src, const struct pcapng_block_he
|
||||||
global_ld.go = FALSE;
|
global_ld.go = FALSE;
|
||||||
global_ld.err = err;
|
global_ld.err = err;
|
||||||
pcap_src->dropped++;
|
pcap_src->dropped++;
|
||||||
} else if (bh->block_type == BLOCK_TYPE_EPB || bh->block_type == BLOCK_TYPE_SPB) {
|
} else if (bh->block_type == BLOCK_TYPE_EPB || bh->block_type == BLOCK_TYPE_SPB || bh->block_type == BLOCK_TYPE_SYSTEMD_JOURNAL) {
|
||||||
/* count packet only if we actually have an EPB or SPB */
|
/* count packet only if we actually have an EPB or SPB */
|
||||||
#if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
|
#if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
|
||||||
g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
|
g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
|
||||||
|
|
|
@ -214,6 +214,31 @@ if(BUILD_randpktdump)
|
||||||
add_dependencies(extcaps randpktdump)
|
add_dependencies(extcaps randpktdump)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
|
if(BUILD_sdjournal AND SYSTEMD_FOUND)
|
||||||
|
set(sdjournal_LIBS
|
||||||
|
ui
|
||||||
|
wiretap
|
||||||
|
writecap
|
||||||
|
wsutil
|
||||||
|
${GLIB2_LIBRARIES}
|
||||||
|
${ZLIB_LIBRARIES}
|
||||||
|
${CMAKE_DL_LIBS}
|
||||||
|
${SYSTEMD_LIBRARIES}
|
||||||
|
)
|
||||||
|
set(sdjournal_FILES
|
||||||
|
extcap-base.c
|
||||||
|
sdjournal.c
|
||||||
|
)
|
||||||
|
|
||||||
|
add_executable(sdjournal WIN32 ${sdjournal_FILES})
|
||||||
|
set_extcap_executable_properties(sdjournal)
|
||||||
|
target_link_libraries(sdjournal ${sdjournal_LIBS})
|
||||||
|
install(TARGETS sdjournal RUNTIME DESTINATION ${EXTCAP_INSTALL_LIBDIR})
|
||||||
|
add_dependencies(extcaps sdjournal)
|
||||||
|
elseif (BUILD_sdjournal)
|
||||||
|
#message( WARNING "Cannot find libsystemd, cannot build sdjournal" )
|
||||||
|
endif()
|
||||||
|
|
||||||
set(CLEAN_C_FILES
|
set(CLEAN_C_FILES
|
||||||
${dumpcap_FILES}
|
${dumpcap_FILES}
|
||||||
${androiddump_FILES}
|
${androiddump_FILES}
|
||||||
|
|
|
@ -0,0 +1,449 @@
|
||||||
|
/* sdjournal.c
|
||||||
|
* sdjournal is an extcap tool used to dump systemd journal entries.
|
||||||
|
*
|
||||||
|
* Adapted from sshdump.
|
||||||
|
* Copyright 2018, Gerald Combs and Dario Lombardo
|
||||||
|
*
|
||||||
|
* Wireshark - Network traffic analyzer
|
||||||
|
* By Gerald Combs <gerald@wireshark.org>
|
||||||
|
* Copyright 1998 Gerald Combs
|
||||||
|
*
|
||||||
|
* SPDX-License-Identifier: GPL-2.0-or-later
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* To do:
|
||||||
|
* - Add an option for sd_journal_open flags, e.g. SD_JOURNAL_LOCAL_ONLY.
|
||||||
|
* - Add journalctl options - --boot, --machine, --directory, etc.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "config.h"
|
||||||
|
|
||||||
|
#include <extcap/extcap-base.h>
|
||||||
|
#include <wsutil/interface.h>
|
||||||
|
#include <wsutil/file_util.h>
|
||||||
|
#include <wsutil/filesystem.h>
|
||||||
|
#include <writecap/pcapio.h>
|
||||||
|
#include <wiretap/wtap.h>
|
||||||
|
|
||||||
|
#include <systemd/sd-journal.h>
|
||||||
|
#include <systemd/sd-id128.h>
|
||||||
|
|
||||||
|
#include <errno.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
|
||||||
|
#define SDJOURNAL_VERSION_MAJOR "1"
|
||||||
|
#define SDJOURNAL_VERSION_MINOR "0"
|
||||||
|
#define SDJOURNAL_VERSION_RELEASE "0"
|
||||||
|
|
||||||
|
#define SDJOURNAL_EXTCAP_INTERFACE "sdjournal"
|
||||||
|
#define BLOCK_TYPE_SYSTEMD_JOURNAL 0x00000009
|
||||||
|
|
||||||
|
enum {
|
||||||
|
EXTCAP_BASE_OPTIONS_ENUM,
|
||||||
|
OPT_HELP,
|
||||||
|
OPT_VERSION,
|
||||||
|
OPT_START_FROM
|
||||||
|
};
|
||||||
|
|
||||||
|
static struct option longopts[] = {
|
||||||
|
EXTCAP_BASE_OPTIONS,
|
||||||
|
{ "help", no_argument, NULL, OPT_HELP},
|
||||||
|
{ "version", no_argument, NULL, OPT_VERSION},
|
||||||
|
{ "start-from", required_argument, NULL, OPT_START_FROM},
|
||||||
|
{ 0, 0, 0, 0}
|
||||||
|
};
|
||||||
|
|
||||||
|
#define FLD_BOOT_ID "_BOOT_ID="
|
||||||
|
#define FLD_BOOT_ID_LEN (8 + 1 + 33 + 1)
|
||||||
|
|
||||||
|
// The Journal Export Format specification doesn't place limits on entry
|
||||||
|
// lengths or lines per entry. We do.
|
||||||
|
#define ENTRY_BUF_LENGTH WTAP_MAX_PACKET_SIZE_STANDARD
|
||||||
|
#define MAX_EXPORT_ENTRY_LENGTH (ENTRY_BUF_LENGTH - 4 - 4 - 4) // Block type - total length - total length
|
||||||
|
|
||||||
|
static int sdj_dump_entries(sd_journal *jnl, FILE* fp)
|
||||||
|
{
|
||||||
|
int ret = EXIT_SUCCESS;
|
||||||
|
guint8 *entry_buff = g_new(guint8, ENTRY_BUF_LENGTH);
|
||||||
|
int jr = 0;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Read journal entries and write them as packets. Output must
|
||||||
|
* match `journalctl --output=export`.
|
||||||
|
*/
|
||||||
|
while (jr == 0) {
|
||||||
|
char *cursor;
|
||||||
|
uint64_t pkt_rt_ts, mono_ts;
|
||||||
|
sd_id128_t boot_id;
|
||||||
|
char boot_id_str[FLD_BOOT_ID_LEN] = FLD_BOOT_ID;
|
||||||
|
guint32 block_type = BLOCK_TYPE_SYSTEMD_JOURNAL;
|
||||||
|
guint32 data_end = 8; // Block type + total length
|
||||||
|
const void *fld_data;
|
||||||
|
size_t fld_len;
|
||||||
|
guint64 bytes_written = 0;
|
||||||
|
int err;
|
||||||
|
|
||||||
|
memcpy(entry_buff, &block_type, 4);
|
||||||
|
|
||||||
|
jr = sd_journal_next(jnl);
|
||||||
|
g_debug("sd_journal_next: %d", jr);
|
||||||
|
if (jr < 0) {
|
||||||
|
g_warning("Error fetching journal entry: %s", g_strerror(jr));
|
||||||
|
goto end;
|
||||||
|
} else if (jr == 0) {
|
||||||
|
sd_journal_wait(jnl, (uint64_t) -1);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
jr = sd_journal_get_cursor(jnl, &cursor);
|
||||||
|
if (jr < 0) {
|
||||||
|
g_warning("Error fetching cursor: %s", g_strerror(jr));
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
data_end += g_snprintf(entry_buff+data_end, MAX_EXPORT_ENTRY_LENGTH-data_end, "__CURSOR=%s\n", cursor);
|
||||||
|
free(cursor);
|
||||||
|
|
||||||
|
jr = sd_journal_get_realtime_usec(jnl, &pkt_rt_ts);
|
||||||
|
if (jr < 0) {
|
||||||
|
g_warning("Error fetching realtime timestamp: %s", g_strerror(jr));
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
data_end += g_snprintf(entry_buff+data_end, MAX_EXPORT_ENTRY_LENGTH-data_end, "__REALTIME_TIMESTAMP=%" G_GUINT64_FORMAT "\n", pkt_rt_ts);
|
||||||
|
|
||||||
|
jr = sd_journal_get_monotonic_usec(jnl, &mono_ts, &boot_id);
|
||||||
|
if (jr < 0) {
|
||||||
|
g_warning("Error fetching monotonic timestamp: %s", g_strerror(jr));
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
sd_id128_to_string(boot_id, boot_id_str + strlen(FLD_BOOT_ID));
|
||||||
|
data_end += g_snprintf(entry_buff+data_end, MAX_EXPORT_ENTRY_LENGTH-data_end, "__MONOTONIC_TIMESTAMP=%" G_GUINT64_FORMAT "\n%s\n", mono_ts, boot_id_str);
|
||||||
|
g_debug("Entry header is %u bytes", data_end);
|
||||||
|
|
||||||
|
SD_JOURNAL_FOREACH_DATA(jnl, fld_data, fld_len) {
|
||||||
|
guint8 *eq_ptr = (guint8 *) memchr(fld_data, '=', fld_len);
|
||||||
|
if (!eq_ptr) {
|
||||||
|
g_warning("Invalid field.");
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
if (g_utf8_validate((const char *) fld_data, (gssize) fld_len, NULL)) {
|
||||||
|
// Allow for two trailing newlines, one here and one
|
||||||
|
// at the end of the buffer.
|
||||||
|
if (fld_len > MAX_EXPORT_ENTRY_LENGTH-data_end-2) {
|
||||||
|
g_debug("Breaking on UTF-8 field: %u + %zd", data_end, fld_len);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
memcpy(entry_buff+data_end, fld_data, fld_len);
|
||||||
|
data_end += (guint32) fld_len;
|
||||||
|
entry_buff[data_end] = '\n';
|
||||||
|
data_end++;
|
||||||
|
} else {
|
||||||
|
// \n + 64-bit size + \n + trailing \n = 11
|
||||||
|
if (fld_len > MAX_EXPORT_ENTRY_LENGTH-data_end-11) {
|
||||||
|
g_debug("Breaking on binary field: %u + %zd", data_end, fld_len);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
ptrdiff_t name_len = eq_ptr - (guint8 *) fld_data;
|
||||||
|
uint64_t le_data_len;
|
||||||
|
le_data_len = htole64(fld_len - name_len - 1);
|
||||||
|
memcpy(entry_buff+data_end, fld_data, name_len);
|
||||||
|
data_end+= name_len;
|
||||||
|
entry_buff[data_end] = '\n';
|
||||||
|
data_end++;
|
||||||
|
memcpy(entry_buff+data_end, &le_data_len, 8);
|
||||||
|
data_end += 8;
|
||||||
|
memcpy(entry_buff+data_end, (guint8 *) fld_data + name_len + 1, fld_len - name_len);
|
||||||
|
data_end += fld_len - name_len;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (data_end % 4) {
|
||||||
|
size_t pad_len = 4 - (data_end % 4);
|
||||||
|
memset(entry_buff+data_end, '\0', pad_len);
|
||||||
|
data_end += pad_len;
|
||||||
|
}
|
||||||
|
|
||||||
|
guint32 total_len = data_end + 4;
|
||||||
|
memcpy (entry_buff+4, &total_len, 4);
|
||||||
|
memcpy (entry_buff+data_end, &total_len, 4);
|
||||||
|
|
||||||
|
g_debug("Attempting to write %u bytes", total_len);
|
||||||
|
if (!pcapng_write_block(fp, entry_buff, total_len, &bytes_written, &err)) {
|
||||||
|
g_warning("Can't write event: %s", strerror(err));
|
||||||
|
ret = EXIT_FAILURE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
fflush(fp);
|
||||||
|
}
|
||||||
|
|
||||||
|
end:
|
||||||
|
g_free(entry_buff);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int sdj_start_export(const int start_from_entries, const gboolean start_from_end, const char* fifo)
|
||||||
|
{
|
||||||
|
FILE* fp = stdout;
|
||||||
|
guint64 bytes_written = 0;
|
||||||
|
int err;
|
||||||
|
sd_journal *jnl = NULL;
|
||||||
|
sd_id128_t boot_id;
|
||||||
|
char boot_id_str[FLD_BOOT_ID_LEN] = FLD_BOOT_ID;
|
||||||
|
int ret = EXIT_FAILURE;
|
||||||
|
char* err_info = NULL;
|
||||||
|
char *appname;
|
||||||
|
gboolean success;
|
||||||
|
int jr = 0;
|
||||||
|
|
||||||
|
if (g_strcmp0(fifo, "-")) {
|
||||||
|
/* Open or create the output file */
|
||||||
|
fp = fopen(fifo, "wb");
|
||||||
|
if (fp == NULL) {
|
||||||
|
g_warning("Error creating output file: %s (%s)", fifo, g_strerror(errno));
|
||||||
|
return EXIT_FAILURE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
appname = g_strdup_printf(SDJOURNAL_EXTCAP_INTERFACE " (Wireshark) %s.%s.%s",
|
||||||
|
SDJOURNAL_VERSION_MAJOR, SDJOURNAL_VERSION_MINOR, SDJOURNAL_VERSION_RELEASE);
|
||||||
|
success = pcapng_write_session_header_block(fp,
|
||||||
|
NULL, /* Comment */
|
||||||
|
NULL, /* HW */
|
||||||
|
NULL, /* OS */
|
||||||
|
appname,
|
||||||
|
-1, /* section_length */
|
||||||
|
&bytes_written,
|
||||||
|
&err);
|
||||||
|
g_free(appname);
|
||||||
|
|
||||||
|
if (!success) {
|
||||||
|
g_warning("Can't write pcapng file header");
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
jr = sd_journal_open(&jnl, 0);
|
||||||
|
if (jr < 0) {
|
||||||
|
g_warning("Error opening journal: %s", g_strerror(jr));
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
jr = sd_id128_get_boot(&boot_id);
|
||||||
|
if (jr < 0) {
|
||||||
|
g_warning("Error fetching system boot ID: %s", g_strerror(jr));
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
sd_id128_to_string(boot_id, boot_id_str + strlen(FLD_BOOT_ID));
|
||||||
|
jr = sd_journal_add_match(jnl, boot_id_str, strlen(boot_id_str));
|
||||||
|
if (jr < 0) {
|
||||||
|
g_warning("Error adding match: %s", g_strerror(jr));
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
// According to the documentation, fields *might be* truncated to 64K.
|
||||||
|
// Let's assume that 2048 is a good balance between fetching entire fields
|
||||||
|
// and being able to fit as many fields as possible into a packet.
|
||||||
|
sd_journal_set_data_threshold(jnl, 2048);
|
||||||
|
|
||||||
|
if (start_from_end) {
|
||||||
|
g_debug("Attempting to seek %d entries from the end", start_from_entries);
|
||||||
|
jr = sd_journal_seek_tail(jnl);
|
||||||
|
if (jr < 0) {
|
||||||
|
g_warning("Error starting at end: %s", g_strerror(jr));
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
jr = sd_journal_previous_skip(jnl, (uint64_t) start_from_entries + 1);
|
||||||
|
if (jr < 0) {
|
||||||
|
g_warning("Error skipping backward: %s", g_strerror(jr));
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
g_debug("Attempting to seek %d entries from the beginning", start_from_entries);
|
||||||
|
jr = sd_journal_seek_head(jnl);
|
||||||
|
if (jr < 0) {
|
||||||
|
g_warning("Error starting at beginning: %s", g_strerror(jr));
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
if (start_from_entries > 0) {
|
||||||
|
jr = sd_journal_next_skip(jnl, (uint64_t) start_from_entries);
|
||||||
|
if (jr < 0) {
|
||||||
|
g_warning("Error skipping forward: %s", g_strerror(jr));
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* read from channel and write into fp */
|
||||||
|
if (sdj_dump_entries(jnl, fp) != 0) {
|
||||||
|
g_warning("Error dumping entries");
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = EXIT_SUCCESS;
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
if (jnl) {
|
||||||
|
sd_journal_close(jnl);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (err_info) {
|
||||||
|
g_warning("%s", err_info);
|
||||||
|
}
|
||||||
|
|
||||||
|
g_free(err_info);
|
||||||
|
|
||||||
|
/* clean up and exit */
|
||||||
|
if (g_strcmp0(fifo, "-")) {
|
||||||
|
fclose(fp);
|
||||||
|
}
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int list_config(char *interface)
|
||||||
|
{
|
||||||
|
unsigned inc = 0;
|
||||||
|
|
||||||
|
if (!interface) {
|
||||||
|
g_warning("ERROR: No interface specified.");
|
||||||
|
return EXIT_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (g_strcmp0(interface, SDJOURNAL_EXTCAP_INTERFACE)) {
|
||||||
|
g_warning("ERROR: interface must be %s", SDJOURNAL_EXTCAP_INTERFACE);
|
||||||
|
return EXIT_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
printf("arg {number=%u}{call=--start-from}{display=Starting position}"
|
||||||
|
"{type=string}{tooltip=The journal starting position. Values "
|
||||||
|
"with a leading \"+\" start from the beginning, similar to the "
|
||||||
|
"\"tail\" command}{required=false}{group=Journal}\n", inc++);
|
||||||
|
|
||||||
|
extcap_config_debug(&inc);
|
||||||
|
|
||||||
|
return EXIT_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
int main(int argc, char **argv)
|
||||||
|
{
|
||||||
|
int result;
|
||||||
|
int option_idx = 0;
|
||||||
|
int start_from_entries = 10;
|
||||||
|
gboolean start_from_end = TRUE;
|
||||||
|
int ret = EXIT_FAILURE;
|
||||||
|
extcap_parameters* extcap_conf = g_new0(extcap_parameters, 1);
|
||||||
|
char* help_url;
|
||||||
|
char* help_header = NULL;
|
||||||
|
|
||||||
|
help_url = data_file_url("sdjournal.html");
|
||||||
|
extcap_base_set_util_info(extcap_conf, argv[0], SDJOURNAL_VERSION_MAJOR, SDJOURNAL_VERSION_MINOR,
|
||||||
|
SDJOURNAL_VERSION_RELEASE, help_url);
|
||||||
|
g_free(help_url);
|
||||||
|
// We don't have an SDJOURNAL DLT, so use USER0 (147).
|
||||||
|
extcap_base_register_interface(extcap_conf, SDJOURNAL_EXTCAP_INTERFACE, "systemd Journal Export", 147, "USER0");
|
||||||
|
|
||||||
|
help_header = g_strdup_printf(
|
||||||
|
" %s --extcap-interfaces\n"
|
||||||
|
" %s --extcap-interface=%s --extcap-dlts\n"
|
||||||
|
" %s --extcap-interface=%s --extcap-config\n"
|
||||||
|
" %s --extcap-interface=%s --start-from=+0 --fifo=FILENAME --capture\n",
|
||||||
|
argv[0],
|
||||||
|
argv[0], SDJOURNAL_EXTCAP_INTERFACE,
|
||||||
|
argv[0], SDJOURNAL_EXTCAP_INTERFACE,
|
||||||
|
argv[0], SDJOURNAL_EXTCAP_INTERFACE);
|
||||||
|
extcap_help_add_header(extcap_conf, help_header);
|
||||||
|
g_free(help_header);
|
||||||
|
extcap_help_add_option(extcap_conf, "--help", "print this help");
|
||||||
|
extcap_help_add_option(extcap_conf, "--version", "print the version");
|
||||||
|
extcap_help_add_option(extcap_conf, "--start-from <entry count>", "starting position");
|
||||||
|
|
||||||
|
opterr = 0;
|
||||||
|
optind = 0;
|
||||||
|
|
||||||
|
if (argc == 1) {
|
||||||
|
extcap_help_print(extcap_conf);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
while ((result = getopt_long(argc, argv, ":", longopts, &option_idx)) != -1) {
|
||||||
|
|
||||||
|
switch (result) {
|
||||||
|
|
||||||
|
case OPT_HELP:
|
||||||
|
extcap_help_print(extcap_conf);
|
||||||
|
ret = EXIT_SUCCESS;
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
case OPT_VERSION:
|
||||||
|
printf("%s\n", extcap_conf->version);
|
||||||
|
ret = EXIT_SUCCESS;
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
case OPT_START_FROM:
|
||||||
|
start_from_entries = (int) strtol(optarg, NULL, 10);
|
||||||
|
if (errno == EINVAL) {
|
||||||
|
g_warning("Invalid entry count: %s", optarg);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
if (strlen(optarg) > 0 && optarg[0] == '+') {
|
||||||
|
start_from_end = FALSE;
|
||||||
|
}
|
||||||
|
if (start_from_entries < 0) {
|
||||||
|
start_from_end = TRUE;
|
||||||
|
start_from_entries *= -1;
|
||||||
|
}
|
||||||
|
g_debug("start %d from %s", start_from_entries, start_from_end ? "end" : "beginning");
|
||||||
|
break;
|
||||||
|
|
||||||
|
case ':':
|
||||||
|
/* missing option argument */
|
||||||
|
g_warning("Option '%s' requires an argument", argv[optind - 1]);
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
if (!extcap_base_parse_options(extcap_conf, result - EXTCAP_OPT_LIST_INTERFACES, optarg)) {
|
||||||
|
g_warning("Invalid option: %s", argv[optind - 1]);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
extcap_cmdline_debug(argv, argc);
|
||||||
|
|
||||||
|
if (extcap_base_handle_interface(extcap_conf)) {
|
||||||
|
ret = EXIT_SUCCESS;
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (extcap_conf->show_config) {
|
||||||
|
ret = list_config(extcap_conf->interface);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (extcap_conf->capture) {
|
||||||
|
ret = sdj_start_export(start_from_entries, start_from_end, extcap_conf->fifo);
|
||||||
|
} else {
|
||||||
|
g_debug("You should not come here... maybe some parameter missing?");
|
||||||
|
ret = EXIT_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
end:
|
||||||
|
/* clean up stuff */
|
||||||
|
extcap_base_cleanup(&extcap_conf);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Editor modelines - https://www.wireshark.org/tools/modelines.html
|
||||||
|
*
|
||||||
|
* Local variables:
|
||||||
|
* c-basic-offset: 8
|
||||||
|
* tab-width: 8
|
||||||
|
* indent-tabs-mode: t
|
||||||
|
* End:
|
||||||
|
*
|
||||||
|
* vi: set shiftwidth=8 tabstop=8 noexpandtab:
|
||||||
|
* :indentSize=8:tabSize=8:noTabs=false:
|
||||||
|
*/
|
|
@ -18,6 +18,7 @@
|
||||||
%bcond_without bcg729
|
%bcond_without bcg729
|
||||||
%bcond_with libxml2
|
%bcond_with libxml2
|
||||||
%bcond_with nghttp2
|
%bcond_with nghttp2
|
||||||
|
%bcond_with sdjournal
|
||||||
%bcond_with guides
|
%bcond_with guides
|
||||||
|
|
||||||
|
|
||||||
|
@ -109,6 +110,15 @@ BuildRequires: libnghttp2-devel
|
||||||
Requires: libnghttp2
|
Requires: libnghttp2
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%if %{with sdjournal}
|
||||||
|
BuildRequires: systemd-devel
|
||||||
|
%if 0%{?suse_version}
|
||||||
|
Requires: libsystemd0
|
||||||
|
%else
|
||||||
|
Requires: systemd-libs
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
# Uncomment these if you want to be sure you get them...
|
# Uncomment these if you want to be sure you get them...
|
||||||
#BuildRequires: krb5-devel
|
#BuildRequires: krb5-devel
|
||||||
#BuildRequires: libsmi-devel
|
#BuildRequires: libsmi-devel
|
||||||
|
@ -269,6 +279,11 @@ cmake3 \
|
||||||
-DENABLE_NGHTTP2=ON \
|
-DENABLE_NGHTTP2=ON \
|
||||||
%else
|
%else
|
||||||
-DENABLE_NGHTTP2=OFF \
|
-DENABLE_NGHTTP2=OFF \
|
||||||
|
%endif
|
||||||
|
%if %{with sdjournal}
|
||||||
|
-DBUILD_sdjournal=ON \
|
||||||
|
%else
|
||||||
|
-DBUILD_sdjournal=OFF \
|
||||||
%endif
|
%endif
|
||||||
-DDISABLE_WERROR=ON \
|
-DDISABLE_WERROR=ON \
|
||||||
%if %{with ninja}
|
%if %{with ninja}
|
||||||
|
@ -439,6 +454,9 @@ update-mime-database %{_datadir}/mime &> /dev/null || :
|
||||||
%{_libdir}/pkgconfig/wireshark.pc
|
%{_libdir}/pkgconfig/wireshark.pc
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Sep 28 2018 Gerald Combs
|
||||||
|
- Add sdjournal
|
||||||
|
|
||||||
* Thu Sep 27 2018 Jeff Morriss
|
* Thu Sep 27 2018 Jeff Morriss
|
||||||
- Have the qt package obsolute the old gnome and gtk packages. This allows
|
- Have the qt package obsolute the old gnome and gtk packages. This allows
|
||||||
clean upgrades to the Qt version.
|
clean upgrades to the Qt version.
|
||||||
|
|
|
@ -2290,7 +2290,7 @@ pcapng_read_systemd_journal_export_block(wtap *wth, FILE_T fh, pcapng_block_head
|
||||||
|
|
||||||
pcapng_debug("%s: entry_length %u", G_STRFUNC, entry_length);
|
pcapng_debug("%s: entry_length %u", G_STRFUNC, entry_length);
|
||||||
|
|
||||||
size_t rt_ts_len = sizeof(SDJ__REALTIME_TIMESTAMP);
|
size_t rt_ts_len = strlen(SDJ__REALTIME_TIMESTAMP);
|
||||||
char *ts_pos = strstr(buf_ptr, SDJ__REALTIME_TIMESTAMP);
|
char *ts_pos = strstr(buf_ptr, SDJ__REALTIME_TIMESTAMP);
|
||||||
|
|
||||||
if (!ts_pos) {
|
if (!ts_pos) {
|
||||||
|
@ -2319,8 +2319,8 @@ pcapng_read_systemd_journal_export_block(wtap *wth, FILE_T fh, pcapng_block_head
|
||||||
wblock->rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
|
wblock->rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
|
||||||
wblock->rec->tsprec = WTAP_TSPREC_USEC;
|
wblock->rec->tsprec = WTAP_TSPREC_USEC;
|
||||||
|
|
||||||
wblock->rec->ts.secs = (time_t) (rt_ts / 1000000000);
|
wblock->rec->ts.secs = (time_t) rt_ts / 1000000;
|
||||||
wblock->rec->ts.nsecs = (int) (rt_ts % 1000000000);
|
wblock->rec->ts.nsecs = (rt_ts % 1000000) * 1000;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* We return these to the caller in pcapng_read().
|
* We return these to the caller in pcapng_read().
|
||||||
|
|
Loading…
Reference in New Issue