fluent-plugin-pcapng 0.0.1 → 0.1.1
- checksums.yaml +7 -0
- data/.gitignore +1 -0
- data/.travis.yml +7 -0
- data/README.md +1 -1
- data/Rakefile +9 -0
- data/fluent-plugin-pcapng.gemspec +4 -2
- data/lib/fluent/plugin/in_pcapng.rb +30 -4
- data/test/helper.rb +17 -0
- data/test/test_in_ngpcap.rb +75 -0
- metadata +52 -25
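--- /dev/null
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: 110864a2d98c115bfb5812c962d8ab0a16714f02
+data.tar.gz: fed160b8c87ca9384afd1ae040f2ebb46e218032
+SHA512:
+metadata.gz: eadfc181296531df19333c4bd85cd991528aadbacbd929a5000439cc40df9bfb77ce0c91814b5812126eb70f05f696feb3a1c91cef4ee7aed7c35458424c466c
+data.tar.gz: b054b651fba5dc43e4cfcda0beeaaec8835663e9c0f319c491687e7cb1b9bded8de2f9c02d40d6619422c6d1af2925592966514cee5777d884add310cc5e0a24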
data/.gitignore
CHANGED
data/.travis.yml
ADDED
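--- a/data/README.md
+++ b/data/README.md
@@ -54,4 +54,4 @@ advanced case:
 | fields | array | required | none | list of field to extract (-e on tshark) |
 | types | array | optional | "string" for all | list of type for each field ("long", "double", "string", "time") |
 | convertdot | string | optional | none | convert "." in field name (for outputing int DB who doesn't accept "dot" in schema) |
-
+| extra_flags | array of strings | optional | none | extra flags passed to `tshark(1)`, such as `extra_flags [ "-Y dns.flags.response == 0", "-f port 53" ]`. Each element is expected to be in the form of "--option value" or a single flag, such as `-I`. Note that value of each flag will be safely quoted. |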
data/Rakefile
CHANGED
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
4
4
|
|
5
5
|
Gem::Specification.new do |spec|
|
6
6
|
spec.name = "fluent-plugin-pcapng"
|
7
|
-
spec.version = "0.
|
7
|
+
spec.version = "0.1.1"
|
8
8
|
spec.authors = ["enukane"]
|
9
9
|
spec.email = ["enukane@glenda9.org"]
|
10
10
|
spec.description = %q{Fluentd plugin for tshark (pcapng) monitoring from specified interface}
|
@@ -17,6 +17,8 @@ Gem::Specification.new do |spec|
|
|
17
17
|
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
18
18
|
spec.require_paths = ["lib"]
|
19
19
|
|
20
|
+
spec.add_dependency "fluentd", [">= 0.12.14", "< 2"]
|
20
21
|
spec.add_development_dependency "bundler", "~> 1.3"
|
21
|
-
spec.add_development_dependency "rake"
|
22
|
+
spec.add_development_dependency "rake", ">= 0"
|
23
|
+
spec.add_development_dependency "test-unit", "~> 3.0"
|
22
24
|
end
|
@@ -14,6 +14,8 @@
|
|
14
14
|
# limitations under the License.
|
15
15
|
#
|
16
16
|
|
17
|
+
require 'fluent/input'
|
18
|
+
|
17
19
|
module Fluent
|
18
20
|
class PcapngInput < Input
|
19
21
|
Plugin.register_input('pcapng', self)
|
@@ -21,6 +23,7 @@ module Fluent
|
|
21
23
|
require 'open3'
|
22
24
|
require 'csv'
|
23
25
|
require 'time'
|
26
|
+
require 'shellwords'
|
24
27
|
|
25
28
|
LONG="long"
|
26
29
|
DOUBLE="double"
|
@@ -40,6 +43,7 @@ module Fluent
|
|
40
43
|
config_param :types, :default => [] do |val|
|
41
44
|
val.split(',')
|
42
45
|
end
|
46
|
+
config_param :extra_flags, :array, :default => []
|
43
47
|
|
44
48
|
def configure(conf)
|
45
49
|
super
|
@@ -72,13 +76,18 @@ module Fluent
|
|
72
76
|
|
73
77
|
def run
|
74
78
|
options = build_options(@fields)
|
75
|
-
|
76
|
-
|
77
|
-
|
79
|
+
options += build_extra_flags(@extra_flags)
|
80
|
+
cmdline = "tshark -i #{Shellwords(@interface)} -T fields -E separator=\",\" -E quote=d #{options}"
|
81
|
+
log.debug format("pcapng: %s", cmdline)
|
82
|
+
_stdin, stdout, stderr, @th_tshark = *Open3.popen3(cmdline)
|
78
83
|
|
79
84
|
while @th_tshark.alive?
|
80
85
|
collect_tshark_output(stdout)
|
81
86
|
end
|
87
|
+
stderr.each do |l|
|
88
|
+
log.error(l.chomp)
|
89
|
+
end
|
90
|
+
raise RuntimeError, "tshark is not running"
|
82
91
|
rescue => e
|
83
92
|
log.error "unexpected error", :error => e.to_s
|
84
93
|
log.error_backtrace e.backtrace
|
@@ -87,7 +96,24 @@ module Fluent
|
|
87
96
|
def build_options(fields)
|
88
97
|
options = ""
|
89
98
|
fields.each do |field|
|
90
|
-
options += "-e
|
99
|
+
options += "-e #{Shellwords.escape(field)}"
|
100
|
+
end
|
101
|
+
return options
|
102
|
+
end
|
103
|
+
|
104
|
+
def build_extra_flags(extra_flags)
|
105
|
+
options = ""
|
106
|
+
valid_flag_re = /(?:-[a-zA-Z]|--[a-z\-]+)/
|
107
|
+
extra_flags.each do |i|
|
108
|
+
if !i.match(/^#{valid_flag_re}/)
|
109
|
+
raise ArgumentError, format("Invalid flags in extra_flags %s", i)
|
110
|
+
end
|
111
|
+
|
112
|
+
# escape given flags here because it is easier to understand, or write,
|
113
|
+
# extra_flags in fluentd config.
|
114
|
+
(k, v) = i.split(/\s+/, 2)
|
115
|
+
options += "#{Shellwords.escape(k)} "
|
116
|
+
options += "#{Shellwords.escape(v)} " if v
|
91
117
|
end
|
92
118
|
return options
|
93
119
|
end
|
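Review bot: `Shellwords(@interface)` in the new `cmdline` line calls a method that does not exist — `Shellwords` is a module, and the sibling `build_options` in the same file uses `Shellwords.escape(field)` — so as written `run` raises NoMethodError before tshark is ever spawned and the `rescue => e` below merely logs it; it should read `cmdline = "tshark -i #{Shellwords.escape(@interface)} -T fields -E separator=\",\" -E quote=d #{options}"`. Because `cmdline` is a single string, `Open3.popen3` still hands it to the shell, so that escaping is the only thing between configuration values and command injection; an argv form (`Open3.popen3("tshark", "-i", @interface, "-T", "fields", ...)`) would need no quoting at all, though `build_options`/`build_extra_flags` return strings today. stderr is only read after the `alive?` loop ends, so a tshark that writes many diagnostics can fill the stderr pipe and stall while stdout is still being drained. In `build_extra_flags`, `/^#{valid_flag_re}/` anchors at any line start rather than `\A`; the later `Shellwords.escape` keeps a multi-line value from reaching the shell, but the check is weaker than intended, and since it runs from `run` rather than `configure`, a bad entry surfaces as a logged runtime error instead of a configure-time failure. `run` and `configure` both continue past their hunks, as does the enclosing class.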
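--- /dev/null
+++ b/data/test/helper.rb
@@ -0,0 +1,17 @@
+require "rubygems"
+require "bundler"
+begin
+Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+$stderr.puts e.message
+$stderr.puts "Run `bundle install` to install missing gems"
+exit e.status_code
+end
+
+require "test/unit"
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+
+require "fluent/test"
+require "fluent/plugin/in_pcapng"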
@@ -0,0 +1,75 @@
|
|
1
|
+
require "helper"
|
2
|
+
require "fluent/test/driver/input"
|
3
|
+
|
4
|
+
class PcapngInputTest < Test::Unit::TestCase
|
5
|
+
def setup
|
6
|
+
Fluent::Test.setup
|
7
|
+
end
|
8
|
+
|
9
|
+
CONFIG = %[
|
10
|
+
id pcap_input
|
11
|
+
tag pcap.dns.query
|
12
|
+
interface em0
|
13
|
+
fields frame.time_epoch,dns.qry.name,dns.qry.type,dns.qry.class,dns.id,ip.src,ip.dst
|
14
|
+
extra_flags [ "-Y dns.flags.response == 0", "-f port 53" ]
|
15
|
+
types double,string,long,long,long,string,string
|
16
|
+
convertdot :
|
17
|
+
]
|
18
|
+
def create_driver(config = CONFIG)
|
19
|
+
Fluent::Test::Driver::Input.new(Fluent::PcapngInput).configure(config)
|
20
|
+
end
|
21
|
+
|
22
|
+
def test_configure
|
23
|
+
instance = create_driver.instance
|
24
|
+
assert_equal "em0", instance.interface
|
25
|
+
assert_equal ["frame.time_epoch", "dns.qry.name", "dns.qry.type",
|
26
|
+
"dns.qry.class", "dns.id", "ip.src", "ip.dst"],
|
27
|
+
instance.fields
|
28
|
+
assert_equal ["-Y dns.flags.response == 0", "-f port 53"], instance.extra_flags
|
29
|
+
end
|
30
|
+
|
31
|
+
def test_build_extra_flags
|
32
|
+
instance = create_driver.instance
|
33
|
+
assert_equal "-Y dns.flags.response\\ \\=\\=\\ 0 -f port\\ 53 ", instance.build_extra_flags(instance.extra_flags)
|
34
|
+
end
|
35
|
+
|
36
|
+
def test_build_extra_flags_with_long_flag_no_value
|
37
|
+
config = %[
|
38
|
+
fields frame.time_epoch,dns.qry.name,dns.qry.type,dns.qry.class,dns.id,ip.src,ip.dst
|
39
|
+
extra_flags [ "--long-flag" ]
|
40
|
+
types double,string,long,long,long,string,string
|
41
|
+
]
|
42
|
+
instance = create_driver(config).instance
|
43
|
+
assert_equal "--long-flag ", instance.build_extra_flags(instance.extra_flags)
|
44
|
+
end
|
45
|
+
|
46
|
+
def test_build_extra_flags_with_long_flag_value
|
47
|
+
config = %[
|
48
|
+
fields frame.time_epoch,dns.qry.name,dns.qry.type,dns.qry.class,dns.id,ip.src,ip.dst
|
49
|
+
extra_flags [ "--long-flag value" ]
|
50
|
+
types double,string,long,long,long,string,string
|
51
|
+
]
|
52
|
+
instance = create_driver(config).instance
|
53
|
+
assert_equal "--long-flag value ", instance.build_extra_flags(instance.extra_flags)
|
54
|
+
end
|
55
|
+
|
56
|
+
def test_build_extra_flags_with_invalid_flag
|
57
|
+
config = %[
|
58
|
+
fields frame.time_epoch,dns.qry.name,dns.qry.type,dns.qry.class,dns.id,ip.src,ip.dst
|
59
|
+
extra_flags [ "not-valid" ]
|
60
|
+
types double,string,long,long,long,string,string
|
61
|
+
]
|
62
|
+
instance = create_driver(config).instance
|
63
|
+
assert_raise ArgumentError do instance.build_extra_flags(instance.extra_flags) end
|
64
|
+
end
|
65
|
+
|
66
|
+
def test_build_extra_flags_with_invalid_flag_and_value
|
67
|
+
config = %[
|
68
|
+
fields frame.time_epoch,dns.qry.name,dns.qry.type,dns.qry.class,dns.id,ip.src,ip.dst
|
69
|
+
extra_flags [ "not-valid value" ]
|
70
|
+
types double,string,long,long,long,string,string
|
71
|
+
]
|
72
|
+
instance = create_driver(config).instance
|
73
|
+
assert_raise ArgumentError do instance.build_extra_flags(instance.extra_flags) end
|
74
|
+
end
|
75
|
+
end
|
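Review bot: The two invalid-flag tests document that `extra_flags [ "not-valid" ]` is accepted by `configure` (the `create_driver(config).instance` line succeeds) and is only rejected when `build_extra_flags` is called directly, i.e. at `run` time; a `test_configure_with_invalid_flag` asserting that `create_driver(config)` itself raises would pin the stricter contract once validation moves into `configure`. Nothing here exercises `build_options` or the `cmdline` that `run` assembles around it, which is where the interface name is escaped; as rendered in this diff the `-e` entries in `build_options` are joined without a separator, which a test such as `assert_equal "-e a -e b ", instance.build_options(%w[a b])` would settle one way or the other.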
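--- a/metadata
+++ b/metadata
@@ -1,48 +1,77 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-pcapng
 version: !ruby/object:Gem::Version
-version: 0.
-prerelease:
+version: 0.1.1
 platform: ruby
 authors:
 - enukane
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2017-05-30 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+name: fluentd
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 0.12.14
+- - "<"
+- !ruby/object:Gem::Version
+version: '2'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 0.12.14
+- - "<"
+- !ruby/object:Gem::Version
+version: '2'
 - !ruby/object:Gem::Dependency
 name: bundler
 requirement: !ruby/object:Gem::Requirement
-none: false
 requirements:
-- - ~>
+- - "~>"
 - !ruby/object:Gem::Version
 version: '1.3'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
-none: false
 requirements:
-- - ~>
+- - "~>"
 - !ruby/object:Gem::Version
 version: '1.3'
 - !ruby/object:Gem::Dependency
 name: rake
 requirement: !ruby/object:Gem::Requirement
-none: false
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
-none: false
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
+- !ruby/object:Gem::Dependency
+name: test-unit
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.0'
 description: Fluentd plugin for tshark (pcapng) monitoring from specified interface
 email:
 - enukane@glenda9.org
@@ -50,7 +79,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
+- ".gitignore"
+- ".travis.yml"
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -58,35 +88,32 @@ files:
 - fluent-plugin-pcapng.gemspec
 - lib/fluent/plugin/in_pcapng.rb
 - sample/pcapng.conf.sample
+- test/helper.rb
+- test/test_in_ngpcap.rb
 homepage: https://github.com/enukane/fluent-plugin-pcapng
 licenses:
 - MIT
+metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-none: false
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
-segments:
-- 0
-hash: 573394323
 required_rubygems_version: !ruby/object:Gem::Requirement
-none: false
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
-segments:
-- 0
-hash: 573394323
 requirements: []
 rubyforge_project:
-rubygems_version:
+rubygems_version: 2.6.11
 signing_key:
-specification_version:
+specification_version: 4
 summary: Fluentd input plugin for monitoring packets received in specified interface
-test_files:
+test_files:
+- test/helper.rb
+- test/test_in_ngpcap.rb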