# nfcollect

Collect Netfilter NFLOG log entries and commit them to stable storage in binary (compressed) format.

The project contains two binaries: `nfcollect` and `nfextract`:

#### `nfcollect`

Collects packets from the *Netfilter* netlink kernel interface. Packets are
aggregated into a memory region (called *a trunk*) until the trunk is full.
A full trunk is committed to disk by a configurable method (currently `zstd`
compression and no compression are implemented). Trunks are stored in a
specific directory, which `nfextract` scans to extract all trunks.

Because it communicates with the kernel over netlink, **this program requires root privileges**.
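To make the trunk design concrete, here is an added example (not the project's own code) that models the aggregation loop: entries are appended to a fixed-size in-memory trunk, a full trunk is committed to a store, and the store enforces a total-size cap by dropping the oldest trunk. The trunk size, the store cap (counted in trunks rather than MiB) and the payloads are assumptions chosen for the demo; compression is left out.

```c
/* Added example modelling nfcollect's trunk aggregation; not the project's code.
 * Sizes are assumed and deliberately tiny so the behaviour is easy to follow. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TRUNK_CAP 64  /* bytes per trunk (assumed) */
#define STORE_CAP 3   /* committed trunks kept; models -s, in trunks not MiB (assumed) */

struct trunk { uint8_t buf[TRUNK_CAP]; size_t used; unsigned entries; };
struct store { size_t sizes[STORE_CAP]; size_t n; size_t committed; size_t dropped; };

/* Commit a trunk: record its size and evict the oldest trunk once the cap is hit,
 * so total storage stays bounded as the collector runs unattended. */
static void store_commit(struct store *st, const struct trunk *t) {
    if (st->n == STORE_CAP) {
        memmove(&st->sizes[0], &st->sizes[1], (STORE_CAP - 1) * sizeof st->sizes[0]);
        st->n--;
        st->dropped++;
    }
    st->sizes[st->n++] = t->used;
    st->committed++;
}

/* Append one length-prefixed entry; commit the trunk first if the entry would not
 * fit. Returns 1 if a commit happened, 0 otherwise, -1 if the entry could never
 * fit even in an empty trunk (the caller must drop or truncate it). */
int trunk_append(struct trunk *t, struct store *st, const uint8_t *pkt, uint16_t len) {
    size_t need = sizeof len + len;
    if (need > TRUNK_CAP) return -1;
    int committed = 0;
    if (t->used + need > TRUNK_CAP) {
        store_commit(st, t);
        t->used = 0;
        t->entries = 0;
        committed = 1;
    }
    memcpy(t->buf + t->used, &len, sizeof len);
    memcpy(t->buf + t->used + sizeof len, pkt, len);
    t->used += need;
    t->entries++;
    return committed;
}

/* Push n constructed entries of one size through the pipeline, flush the partial
 * trunk as a collector would on shutdown, and return the number of commits. */
size_t run_demo(struct store *st, size_t n, uint16_t len) {
    struct trunk t = {0};
    uint8_t pkt[TRUNK_CAP] = {0};  /* constructed payload bytes */
    memset(st, 0, sizeof *st);
    for (size_t i = 0; i < n; i++)
        if (trunk_append(&t, st, pkt, len) < 0) return (size_t)-1;
    if (t.used) store_commit(st, &t);
    return st->committed;
}
```

With 16-byte entries a 64-byte trunk holds four, so ten entries produce three commits (the last a 32-byte partial trunk), and twenty entries produce five commits of which the cap discards the two oldest.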

## Dependencies Installation

#### Fedora

```bash
sudo dnf install libnetfilter_log libzstd-devel
```

#### Ubuntu

```bash
sudo apt install libnetfilter-log1 libnetfilter-log-dev libzstd1 libzstd1-dev
```

## Build

```bash
./bootstrap.sh
./configure
make
```

Run `./configure --enable-debug` to enable debug output.

## Usage

```bash
$ ./nfcollect --help
Usage: nfcollect [OPTION]

Options:
  -c --compression=<algo>      compression algorithm to use (default: no compression)
  -d --storage_file=<filename> sqlite database storage file
  -h --help                    print this help
  -g --nflog-group=<id>        the group id to collect
  -s --storage_size=<dirsize>  log files maximum total size in MiB
  -v --version                 print version information

$ ./nfextract -h
Usage: nfextract [OPTION]

Options:
  -d --storage=<dirname>     sqlite storage file
  -h --help                  print this help
  -v --version               print version information
  -s --since                 start showing entries on or newer than the specified date (format: YYYY-MM-DD [HH:MM][:SS])
  -u --until                 stop showing entries on or older than the specified date (format: YYYY-MM-DD [HH:MM][:SS])
```

#### Examples

```bash
# Send all packets destined for localhost to the nflog group #5
sudo iptables -A OUTPUT -p tcp -d 127.0.0.1  -j NFLOG --nflog-group 5

# Receive the packets from nfnetlink
sudo ./nfcollect -d packets.db -g 5 -s 100 -c zstd

# Let it collect for a while ...

# Dump the collected packets
./nfextract -d packets.db
```


### References

* libnetfilter_log: https://www.icir.org/gregor/tools/files/doc.libnetfilter_log/html/libnetfilter__log.html
* zstd: https://facebook.github.io/zstd/zstd_manual.html
* lz4: https://github.com/lz4/lz4
* sqlite: https://www.sqlite.org