fluent-plugin-pcapng 0.0.1 → 0.1.1
- checksums.yaml +7 -0
- data/.gitignore +1 -0
- data/.travis.yml +7 -0
- data/README.md +1 -1
- data/Rakefile +9 -0
- data/fluent-plugin-pcapng.gemspec +4 -2
- data/lib/fluent/plugin/in_pcapng.rb +30 -4
- data/test/helper.rb +17 -0
- data/test/test_in_ngpcap.rb +75 -0
- metadata +52 -25
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 110864a2d98c115bfb5812c962d8ab0a16714f02
|
4
|
+
data.tar.gz: fed160b8c87ca9384afd1ae040f2ebb46e218032
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: eadfc181296531df19333c4bd85cd991528aadbacbd929a5000439cc40df9bfb77ce0c91814b5812126eb70f05f696feb3a1c91cef4ee7aed7c35458424c466c
|
7
|
+
data.tar.gz: b054b651fba5dc43e4cfcda0beeaaec8835663e9c0f319c491687e7cb1b9bded8de2f9c02d40d6619422c6d1af2925592966514cee5777d884add310cc5e0a24
|
data/.gitignore
CHANGED
data/.travis.yml
ADDED
data/README.md
CHANGED
@@ -54,4 +54,4 @@ advanced case:
|
|
54
54
|
| fields | array | required | none | list of field to extract (-e on tshark) |
|
55
55
|
| types | array | optional | "string" for all | list of type for each field ("long", "double", "string", "time") |
|
56
56
|
| convertdot | string | optional | none | convert "." in field name (for outputing int DB who doesn't accept "dot" in schema) |
|
57
|
-
|
57
|
+
| extra_flags | array of strings | optional | none | extra flags passed to `tshark(1)`, such as `extra_flags [ "-Y dns.flags.response == 0", "-f port 53" ]`. Each element is expected to be in the form of "--option value" or a single flag, such as `-I`. Note that value of each flag will be safely quoted. |
|
data/Rakefile
CHANGED
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
4
4
|
|
5
5
|
Gem::Specification.new do |spec|
|
6
6
|
spec.name = "fluent-plugin-pcapng"
|
7
|
-
spec.version = "0.
|
7
|
+
spec.version = "0.1.1"
|
8
8
|
spec.authors = ["enukane"]
|
9
9
|
spec.email = ["enukane@glenda9.org"]
|
10
10
|
spec.description = %q{Fluentd plugin for tshark (pcapng) monitoring from specified interface}
|
@@ -17,6 +17,8 @@ Gem::Specification.new do |spec|
|
|
17
17
|
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
18
18
|
spec.require_paths = ["lib"]
|
19
19
|
|
20
|
+
spec.add_dependency "fluentd", [">= 0.12.14", "< 2"]
|
20
21
|
spec.add_development_dependency "bundler", "~> 1.3"
|
21
|
-
spec.add_development_dependency "rake"
|
22
|
+
spec.add_development_dependency "rake", ">= 0"
|
23
|
+
spec.add_development_dependency "test-unit", "~> 3.0"
|
22
24
|
end
|
@@ -14,6 +14,8 @@
|
|
14
14
|
# limitations under the License.
|
15
15
|
#
|
16
16
|
|
17
|
+
require 'fluent/input'
|
18
|
+
|
17
19
|
module Fluent
|
18
20
|
class PcapngInput < Input
|
19
21
|
Plugin.register_input('pcapng', self)
|
@@ -21,6 +23,7 @@ module Fluent
|
|
21
23
|
require 'open3'
|
22
24
|
require 'csv'
|
23
25
|
require 'time'
|
26
|
+
require 'shellwords'
|
24
27
|
|
25
28
|
LONG="long"
|
26
29
|
DOUBLE="double"
|
@@ -40,6 +43,7 @@ module Fluent
|
|
40
43
|
config_param :types, :default => [] do |val|
|
41
44
|
val.split(',')
|
42
45
|
end
|
46
|
+
config_param :extra_flags, :array, :default => []
|
43
47
|
|
44
48
|
def configure(conf)
|
45
49
|
super
|
@@ -72,13 +76,18 @@ module Fluent
|
|
72
76
|
|
73
77
|
def run
|
74
78
|
options = build_options(@fields)
|
75
|
-
|
76
|
-
|
77
|
-
|
79
|
+
options += build_extra_flags(@extra_flags)
|
80
|
+
cmdline = "tshark -i #{Shellwords(@interface)} -T fields -E separator=\",\" -E quote=d #{options}"
|
81
|
+
log.debug format("pcapng: %s", cmdline)
|
82
|
+
_stdin, stdout, stderr, @th_tshark = *Open3.popen3(cmdline)
|
78
83
|
|
79
84
|
while @th_tshark.alive?
|
80
85
|
collect_tshark_output(stdout)
|
81
86
|
end
|
87
|
+
stderr.each do |l|
|
88
|
+
log.error(l.chomp)
|
89
|
+
end
|
90
|
+
raise RuntimeError, "tshark is not running"
|
82
91
|
rescue => e
|
83
92
|
log.error "unexpected error", :error => e.to_s
|
84
93
|
log.error_backtrace e.backtrace
|
@@ -87,7 +96,24 @@ module Fluent
|
|
87
96
|
def build_options(fields)
|
88
97
|
options = ""
|
89
98
|
fields.each do |field|
|
90
|
-
options += "-e
|
99
|
+
options += "-e #{Shellwords.escape(field)}"
|
100
|
+
end
|
101
|
+
return options
|
102
|
+
end
|
103
|
+
|
104
|
+
def build_extra_flags(extra_flags)
|
105
|
+
options = ""
|
106
|
+
valid_flag_re = /(?:-[a-zA-Z]|--[a-z\-]+)/
|
107
|
+
extra_flags.each do |i|
|
108
|
+
if !i.match(/^#{valid_flag_re}/)
|
109
|
+
raise ArgumentError, format("Invalid flags in extra_flags %s", i)
|
110
|
+
end
|
111
|
+
|
112
|
+
# escape given flags here because it is easier to understand, or write,
|
113
|
+
# extra_flags in fluentd config.
|
114
|
+
(k, v) = i.split(/\s+/, 2)
|
115
|
+
options += "#{Shellwords.escape(k)} "
|
116
|
+
options += "#{Shellwords.escape(v)} " if v
|
91
117
|
end
|
92
118
|
return options
|
93
119
|
end
|
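Review bot: `Shellwords(@interface)` in the new `run` (hunk @@ -72,13 +76,18 @@) calls a method named `Shellwords` rather than `Shellwords.escape`, so unless such a method is defined elsewhere in the file it raises NoMethodError before tshark is spawned, and the `rescue => e` further down (run's body continues past the hunk) only logs "unexpected error", leaving the input silently idle. It should read `cmdline = "tshark -i #{Shellwords.escape(@interface)} -T fields -E separator=\",\" -E quote=d #{options}"`. Since the command is still given to `Open3.popen3` as one string, the shell parses it and every interpolated value relies on that escaping; passing an argv array to `popen3` would take the shell out of the path entirely. In `build_extra_flags` the validation regex uses `^`, which in Ruby matches at any line start, so a value with a newline before the flag satisfies the check — the whole-string anchor is `\A`: `if !i.match(/\A#{valid_flag_re}/)`. As rendered, `options += "-e #{Shellwords.escape(field)}"` in `build_options` has no trailing separator, so consecutive fields would be joined into one token; worth confirming against the actual file.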
data/test/helper.rb
ADDED
@@ -0,0 +1,17 @@
|
|
1
|
+
require "rubygems"
|
2
|
+
require "bundler"
|
3
|
+
begin
|
4
|
+
Bundler.setup(:default, :development)
|
5
|
+
rescue Bundler::BundlerError => e
|
6
|
+
$stderr.puts e.message
|
7
|
+
$stderr.puts "Run `bundle install` to install missing gems"
|
8
|
+
exit e.status_code
|
9
|
+
end
|
10
|
+
|
11
|
+
require "test/unit"
|
12
|
+
|
13
|
+
$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
|
14
|
+
$LOAD_PATH.unshift(File.dirname(__FILE__))
|
15
|
+
|
16
|
+
require "fluent/test"
|
17
|
+
require "fluent/plugin/in_pcapng"
|
@@ -0,0 +1,75 @@
|
|
1
|
+
require "helper"
|
2
|
+
require "fluent/test/driver/input"
|
3
|
+
|
4
|
+
class PcapngInputTest < Test::Unit::TestCase
|
5
|
+
def setup
|
6
|
+
Fluent::Test.setup
|
7
|
+
end
|
8
|
+
|
9
|
+
CONFIG = %[
|
10
|
+
id pcap_input
|
11
|
+
tag pcap.dns.query
|
12
|
+
interface em0
|
13
|
+
fields frame.time_epoch,dns.qry.name,dns.qry.type,dns.qry.class,dns.id,ip.src,ip.dst
|
14
|
+
extra_flags [ "-Y dns.flags.response == 0", "-f port 53" ]
|
15
|
+
types double,string,long,long,long,string,string
|
16
|
+
convertdot :
|
17
|
+
]
|
18
|
+
def create_driver(config = CONFIG)
|
19
|
+
Fluent::Test::Driver::Input.new(Fluent::PcapngInput).configure(config)
|
20
|
+
end
|
21
|
+
|
22
|
+
def test_configure
|
23
|
+
instance = create_driver.instance
|
24
|
+
assert_equal "em0", instance.interface
|
25
|
+
assert_equal ["frame.time_epoch", "dns.qry.name", "dns.qry.type",
|
26
|
+
"dns.qry.class", "dns.id", "ip.src", "ip.dst"],
|
27
|
+
instance.fields
|
28
|
+
assert_equal ["-Y dns.flags.response == 0", "-f port 53"], instance.extra_flags
|
29
|
+
end
|
30
|
+
|
31
|
+
def test_build_extra_flags
|
32
|
+
instance = create_driver.instance
|
33
|
+
assert_equal "-Y dns.flags.response\\ \\=\\=\\ 0 -f port\\ 53 ", instance.build_extra_flags(instance.extra_flags)
|
34
|
+
end
|
35
|
+
|
36
|
+
def test_build_extra_flags_with_long_flag_no_value
|
37
|
+
config = %[
|
38
|
+
fields frame.time_epoch,dns.qry.name,dns.qry.type,dns.qry.class,dns.id,ip.src,ip.dst
|
39
|
+
extra_flags [ "--long-flag" ]
|
40
|
+
types double,string,long,long,long,string,string
|
41
|
+
]
|
42
|
+
instance = create_driver(config).instance
|
43
|
+
assert_equal "--long-flag ", instance.build_extra_flags(instance.extra_flags)
|
44
|
+
end
|
45
|
+
|
46
|
+
def test_build_extra_flags_with_long_flag_value
|
47
|
+
config = %[
|
48
|
+
fields frame.time_epoch,dns.qry.name,dns.qry.type,dns.qry.class,dns.id,ip.src,ip.dst
|
49
|
+
extra_flags [ "--long-flag value" ]
|
50
|
+
types double,string,long,long,long,string,string
|
51
|
+
]
|
52
|
+
instance = create_driver(config).instance
|
53
|
+
assert_equal "--long-flag value ", instance.build_extra_flags(instance.extra_flags)
|
54
|
+
end
|
55
|
+
|
56
|
+
def test_build_extra_flags_with_invalid_flag
|
57
|
+
config = %[
|
58
|
+
fields frame.time_epoch,dns.qry.name,dns.qry.type,dns.qry.class,dns.id,ip.src,ip.dst
|
59
|
+
extra_flags [ "not-valid" ]
|
60
|
+
types double,string,long,long,long,string,string
|
61
|
+
]
|
62
|
+
instance = create_driver(config).instance
|
63
|
+
assert_raise ArgumentError do instance.build_extra_flags(instance.extra_flags) end
|
64
|
+
end
|
65
|
+
|
66
|
+
def test_build_extra_flags_with_invalid_flag_and_value
|
67
|
+
config = %[
|
68
|
+
fields frame.time_epoch,dns.qry.name,dns.qry.type,dns.qry.class,dns.id,ip.src,ip.dst
|
69
|
+
extra_flags [ "not-valid value" ]
|
70
|
+
types double,string,long,long,long,string,string
|
71
|
+
]
|
72
|
+
instance = create_driver(config).instance
|
73
|
+
assert_raise ArgumentError do instance.build_extra_flags(instance.extra_flags) end
|
74
|
+
end
|
75
|
+
end
|
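Review bot: None of the new tests exercise `run` or the command line it assembles, so the interface escaping and the joining of `-e` fields in `build_options` go unchecked while `build_extra_flags` gets five cases. A test that calls `instance.build_options(instance.fields)` and asserts the exact string, mirroring `test_build_extra_flags`, would pin both the separator and the escaping without needing tshark installed. `test_build_extra_flags_with_invalid_flag` covers only a value without a leading dash; a case with whitespace or a newline ahead of the flag would document what the anchored check is meant to reject.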
metadata
CHANGED
@@ -1,48 +1,77 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: fluent-plugin-pcapng
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
5
|
-
prerelease:
|
4
|
+
version: 0.1.1
|
6
5
|
platform: ruby
|
7
6
|
authors:
|
8
7
|
- enukane
|
9
8
|
autorequire:
|
10
9
|
bindir: bin
|
11
10
|
cert_chain: []
|
12
|
-
date:
|
11
|
+
date: 2017-05-30 00:00:00.000000000 Z
|
13
12
|
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
name: fluentd
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
17
|
+
- - ">="
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: 0.12.14
|
20
|
+
- - "<"
|
21
|
+
- !ruby/object:Gem::Version
|
22
|
+
version: '2'
|
23
|
+
type: :runtime
|
24
|
+
prerelease: false
|
25
|
+
version_requirements: !ruby/object:Gem::Requirement
|
26
|
+
requirements:
|
27
|
+
- - ">="
|
28
|
+
- !ruby/object:Gem::Version
|
29
|
+
version: 0.12.14
|
30
|
+
- - "<"
|
31
|
+
- !ruby/object:Gem::Version
|
32
|
+
version: '2'
|
14
33
|
- !ruby/object:Gem::Dependency
|
15
34
|
name: bundler
|
16
35
|
requirement: !ruby/object:Gem::Requirement
|
17
|
-
none: false
|
18
36
|
requirements:
|
19
|
-
- - ~>
|
37
|
+
- - "~>"
|
20
38
|
- !ruby/object:Gem::Version
|
21
39
|
version: '1.3'
|
22
40
|
type: :development
|
23
41
|
prerelease: false
|
24
42
|
version_requirements: !ruby/object:Gem::Requirement
|
25
|
-
none: false
|
26
43
|
requirements:
|
27
|
-
- - ~>
|
44
|
+
- - "~>"
|
28
45
|
- !ruby/object:Gem::Version
|
29
46
|
version: '1.3'
|
30
47
|
- !ruby/object:Gem::Dependency
|
31
48
|
name: rake
|
32
49
|
requirement: !ruby/object:Gem::Requirement
|
33
|
-
none: false
|
34
50
|
requirements:
|
35
|
-
- -
|
51
|
+
- - ">="
|
36
52
|
- !ruby/object:Gem::Version
|
37
53
|
version: '0'
|
38
54
|
type: :development
|
39
55
|
prerelease: false
|
40
56
|
version_requirements: !ruby/object:Gem::Requirement
|
41
|
-
none: false
|
42
57
|
requirements:
|
43
|
-
- -
|
58
|
+
- - ">="
|
44
59
|
- !ruby/object:Gem::Version
|
45
60
|
version: '0'
|
61
|
+
- !ruby/object:Gem::Dependency
|
62
|
+
name: test-unit
|
63
|
+
requirement: !ruby/object:Gem::Requirement
|
64
|
+
requirements:
|
65
|
+
- - "~>"
|
66
|
+
- !ruby/object:Gem::Version
|
67
|
+
version: '3.0'
|
68
|
+
type: :development
|
69
|
+
prerelease: false
|
70
|
+
version_requirements: !ruby/object:Gem::Requirement
|
71
|
+
requirements:
|
72
|
+
- - "~>"
|
73
|
+
- !ruby/object:Gem::Version
|
74
|
+
version: '3.0'
|
46
75
|
description: Fluentd plugin for tshark (pcapng) monitoring from specified interface
|
47
76
|
email:
|
48
77
|
- enukane@glenda9.org
|
@@ -50,7 +79,8 @@ executables: []
|
|
50
79
|
extensions: []
|
51
80
|
extra_rdoc_files: []
|
52
81
|
files:
|
53
|
-
- .gitignore
|
82
|
+
- ".gitignore"
|
83
|
+
- ".travis.yml"
|
54
84
|
- Gemfile
|
55
85
|
- LICENSE.txt
|
56
86
|
- README.md
|
@@ -58,35 +88,32 @@ files:
|
|
58
88
|
- fluent-plugin-pcapng.gemspec
|
59
89
|
- lib/fluent/plugin/in_pcapng.rb
|
60
90
|
- sample/pcapng.conf.sample
|
91
|
+
- test/helper.rb
|
92
|
+
- test/test_in_ngpcap.rb
|
61
93
|
homepage: https://github.com/enukane/fluent-plugin-pcapng
|
62
94
|
licenses:
|
63
95
|
- MIT
|
96
|
+
metadata: {}
|
64
97
|
post_install_message:
|
65
98
|
rdoc_options: []
|
66
99
|
require_paths:
|
67
100
|
- lib
|
68
101
|
required_ruby_version: !ruby/object:Gem::Requirement
|
69
|
-
none: false
|
70
102
|
requirements:
|
71
|
-
- -
|
103
|
+
- - ">="
|
72
104
|
- !ruby/object:Gem::Version
|
73
105
|
version: '0'
|
74
|
-
segments:
|
75
|
-
- 0
|
76
|
-
hash: 573394323
|
77
106
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
78
|
-
none: false
|
79
107
|
requirements:
|
80
|
-
- -
|
108
|
+
- - ">="
|
81
109
|
- !ruby/object:Gem::Version
|
82
110
|
version: '0'
|
83
|
-
segments:
|
84
|
-
- 0
|
85
|
-
hash: 573394323
|
86
111
|
requirements: []
|
87
112
|
rubyforge_project:
|
88
|
-
rubygems_version:
|
113
|
+
rubygems_version: 2.6.11
|
89
114
|
signing_key:
|
90
|
-
specification_version:
|
115
|
+
specification_version: 4
|
91
116
|
summary: Fluentd input plugin for monitoring packets received in specified interface
|
92
|
-
test_files:
|
117
|
+
test_files:
|
118
|
+
- test/helper.rb
|
119
|
+
- test/test_in_ngpcap.rb
|