[Forensics-changes] [chaosreader] 01/01: Revert " * Bumped Standards-Version from 3.9.4 to 3.9.5."
Eriberto Mota
eriberto-guest at moszumanska.debian.org
Sun Dec 29 02:09:26 UTC 2013
This is an automated email from the git hooks/post-receive script.
eriberto-guest pushed a commit to branch debian
in repository chaosreader.
commit b7ef1c1ec969654f1aa1449a9063c36d86595bd9
Author: Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>
Date: Sun Dec 29 00:08:26 2013 -0200
Revert " * Bumped Standards-Version from 3.9.4 to 3.9.5."
This reverts commit 47f08e0553ecd71496a2a5ce70f52b990a167d0c.
---
debian/changelog | 19 --
debian/chaosreader.1.t2t | 33 +++
debian/chaosreader.manpages | 2 +-
debian/control | 6 +-
debian/copyright | 27 ++-
debian/gbp.conf | 3 -
debian/man/chaosreader.1 | 487 ----------------------------------------
debian/man/chaosreader.txt | 201 -----------------
debian/man/header.txt | 1 -
debian/manpages/chaosreader.1 | 34 +++
debian/rules | 4 +-
debian/source/lintian-overrides | 2 -
debian/watch | 2 +-
13 files changed, 94 insertions(+), 727 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 6f2e62f..8f629f1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,22 +1,3 @@
-chaosreader (0.94-5) unstable; urgency=medium
-
- * Bumped Standards-Version from 3.9.4 to 3.9.5.
- * debian/source/: added an override to reply to check-gpg-signature.
- * debian/copyright: updated the file format and the upstream
- email address.
- * debian/gbp.conf: added to allow git-buildpackage usage.
- * debian/rules: little and insignificant adjustments.
- * debian/watch: improved.
- * manpage:
- - Created the debian/man directory to gather the manpage
- and the source. So, the debian/chaosreader.manpages was
- adjusted to point to file at new place.
- - Removed debian/{chaosreader.1.t2t,manpages}.
- - The manpage was improved, using information from the
- source code, and migrated from txt2tags to txt2man.
-
- -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Fri, 27 Dec 2013 08:49:04 -0200
-
chaosreader (0.94-4) unstable; urgency=low
* Bumped debhelper level from 7 to 9.
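Review bot: this hunk removes the entire 0.94-5 changelog entry (copyright, gbp.conf, rules, watch and manpage work included), not only the Standards-Version bump named in the commit subject. If the intent is to back out the whole 0.94-5 upload, say so in the subject; if only the Standards-Version change is to be undone, keep the entry and change that single line back to 3.9.4 rather than reverting commit 47f08e0553ecd71496a2a5ce70f52b990a167d0c wholesale.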
diff --git a/debian/chaosreader.1.t2t b/debian/chaosreader.1.t2t
new file mode 100644
index 0000000..250c476
--- /dev/null
+++ b/debian/chaosreader.1.t2t
@@ -0,0 +1,33 @@
+CHAOSREADER
+
+August 23, 2008
+
+= NAME =
+
+chaosreader - trace network sessions and export it to html format
+
+
+= DESCRIPTION =
+
+Chaosreader traces TCP/UDP/others sessions and fetches application data from
+snoop or tcpdump logs. This is a type of "any-snarf" program, as it will
+fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG etc) and
+SMTP emails from the captured data inside network traffic logs. A html index
+file is created to that links to all the session details, including realtime
+replay programs for telnet, rlogin, IRC, X11 and VNC sessions. Chaosreader
+reports such as image reports and HTTP GET/POST content reports.
+
+Chaosreader can also run in standalone mode, where it invokes tcpdump to
+create the log files and then processes them.
+
+
+= SEE ALSO =
+
+tcpdump(8), chaosreader help page.
+
+
+= AUTHORS =
+
+**chaosreader** was written by Brendan Gregg.
+
+This manual page was written by Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>, using txt2tags (http://txt2tags.sourceforge.net), for the Debian project (but may be used by others).
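Review bot: the DESCRIPTION text reinstated here carries grammatical errors that will be copied into the generated manpage: "export it to html format" should be "export them to HTML format", "A html index file is created to that links to all the session details" should read "An HTML index file is created that links to all the session details", and "Chaosreader reports such as image reports and HTTP GET/POST content reports" is missing its verb ("Chaosreader also creates reports such as ..."). The date line "August 23, 2008" is also stale for a page regenerated for 0.94 packaging in 2013.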
diff --git a/debian/chaosreader.manpages b/debian/chaosreader.manpages
index 890ef12..2fb19fb 100644
--- a/debian/chaosreader.manpages
+++ b/debian/chaosreader.manpages
@@ -1 +1 @@
-debian/man/chaosreader.1
+debian/manpages/*
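Review bot: `debian/manpages/*` installs whatever happens to sit in that directory, so a stray editor backup or a copied .t2t source would be shipped as a manpage; listing the file explicitly (`debian/manpages/chaosreader.1`) is safer and matches the single-file layout this hunk restores.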
diff --git a/debian/control b/debian/control
index c9577f8..2e39e06 100644
--- a/debian/control
+++ b/debian/control
@@ -4,10 +4,10 @@ Priority: optional
Maintainer: Debian Forensics <forensics-devel at lists.alioth.debian.org>
Uploaders: Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>
Build-Depends: debhelper (>= 9)
-Standards-Version: 3.9.5
+Standards-Version: 3.9.4
Homepage: http://chaosreader.sf.net
-Vcs-Browser: http://anonscm.debian.org/gitweb/?p=forensics/chaosreader.git
-Vcs-Git: git://anonscm.debian.org/forensics/chaosreader.git
+Vcs-Browser: http://git.debian.org/?p=forensics/chaosreader.git
+Vcs-Git: git://git.debian.org/git/forensics/chaosreader.git
Package: chaosreader
Architecture: all
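Review bot: besides Standards-Version, this hunk also reverts Vcs-Browser and Vcs-Git to the older git.debian.org URLs; the anonscm.debian.org forms being removed were the recommended canonical ones for Alioth repositories at the time (lintian flags the old hosts as non-canonical), so if only Standards-Version is meant to go back to 3.9.4, keep the anonscm Vcs-* lines.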
diff --git a/debian/copyright b/debian/copyright
index 773b899..52308db 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,15 +1,28 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: chaosreader
-Source: http://chaosreader.sf.net
+Author: Brendan Gregg <brendan at sun.com>
+Download: http://chaosreader.sourceforge.net
Files: *
-Copyright: 2003-2004 Brendan Gregg <brendan at joyent.com>
+Copyright: (C) 2003-2004 Brendan Gregg <brendan at sun.com>
License: GPL-2+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
+ as published by the Free Software Foundation; either version 2
+ of the License, or (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ .
+ On Debian systems, the complete text of the GNU General Public License
+ can be found in /usr/share/common-licenses/GPL-2 file.
Files: debian/*
-Copyright: 2008-2013 Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>
-License: GPL-2+
-
+Copyright: (C) 2008-2013 Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>
License: GPL-2+
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
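Review bot: this hunk drops the machine-readable `Format:` header (copyright-format 1.0) in favour of the old `Author:`/`Download:` fields and changes the upstream contact back from brendan at joyent.com to brendan at sun.com, reintroducing the stale address that the reverted changelog entry says was updated. The context lines also show that the `debian/*` stanza already carries the full GPL-2+ paragraph, so the copy added to `Files: *` duplicates it; a single standalone `License: GPL-2+` stanza referenced by both would avoid the duplication.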
diff --git a/debian/gbp.conf b/debian/gbp.conf
deleted file mode 100644
index 23e88fe..0000000
--- a/debian/gbp.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[DEFAULT]
-debian-branch = debian
-pristine-tar = True
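Review bot: deleting gbp.conf removes `debian-branch = debian` and `pristine-tar = True`; the notification itself says this commit was pushed to branch `debian`, so without this file git-buildpackage will look for the default `master` branch and skip pristine-tar, and anyone building has to pass `--git-debian-branch=debian` by hand. Keep the file unless the packaging is deliberately moving off git-buildpackage.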
diff --git a/debian/man/chaosreader.1 b/debian/man/chaosreader.1
deleted file mode 100644
index 5f77e96..0000000
--- a/debian/man/chaosreader.1
+++ /dev/null
@@ -1,487 +0,0 @@
-.\"Text automatically generated by txt2man
-.TH CHAOSREADER "1" "Dec 2013" "CHAOSREADER 0.94" "trace network sessions and export it to html format"
-.SH NAME
-\fBchaosreader \fP- trace network sessions and export it to html format
-.SH SYNOPSIS
-.nf
-.fam C
-\fBchaosreader\fP
-
-\fBchaosreader\fP [\fB-aehikqrvxAHIRTUXY\fP] [\fB-D\fP \fIdir\fP]
- [\fB-b\fP port[,\.\.\.]] [\fB-B\fP port[,\.\.\.]]
- [\fB-j\fP IPaddr[,\.\.\.]] [\fB-J\fP IPaddr[,\.\.\.]]
- [\fB-l\fP port[,\.\.\.]] [\fB-L\fP port[,\.\.\.]] [\fB-m\fP bytes[k]]
- [\fB-M\fP bytes[k]] [\fB-o\fP "time"|"size"|"type"|"ip"]
- [\fB-p\fP port[,\.\.\.]] [\fB-P\fP port[,\.\.\.]]
- \fBinfile\fP [\fIinfile2\fP \.\.\.]
-
-\fBchaosreader\fP \fB-s\fP [\fImins\fP] | \fB-S\fP [\fImins\fP[,count]]
- [\fB-z\fP] [\fB-f\fP 'filter']
-.fam T
-.fi
-.fam T
-.fi
-.SH DESCRIPTION
-Chaosreader traces TCP/UDP/others sessions and fetches application data from
-snoop or tcpdump logs. This is a type of "any-snarf" program, as it will
-fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG etc) and
-SMTP emails from the captured data inside network traffic logs. A html index
-file is created to that links to all the session details, including realtime
-replay programs for telnet, rlogin, IRC, X11 and VNC sessions. Chaosreader
-reports such as image reports and HTTP GET/POST content reports.
-.PP
-Chaosreader can also run in standalone mode, where it invokes tcpdump to
-create the log files and then processes them.
-.SH OPTIONS
-.TP
-.B
-\fB-a\fP, \fB--application\fP
-Create application session files (default)
-.TP
-.B
-\fB-e\fP, \fB--everything\fP
-Create HTML 2-way & hex files for everything
-.TP
-.B
-\fB-h\fP
-Print a brief help
-.TP
-.B
-\fB--help\fP
-Print verbose help (this) and version
-.TP
-.B
-\fB--help2\fP
-Print massive help
-.TP
-.B
-\fB-i\fP, \fB--info\fP
-Create info file
-.TP
-.B
-\fB-q\fP, \fB--quiet\fP
-Quiet, no output to screen
-.TP
-.B
-\fB-r\fP, \fB--raw\fP
-Create raw files
-.TP
-.B
-\fB-v\fP, \fB--verbose\fP
-Verbose - Create ALL files .. (except \fB-e\fP)
-.TP
-.B
-\fB-x\fP, \fB--index\fP
-Create index files (default)
-.TP
-.B
-\fB-A\fP, \fB--noapplication\fP
-Exclude application session files
-.TP
-.B
-\fB-H\fP, \fB--hex\fP
-Include hex dumps (slow)
-.TP
-.B
-\fB-I\fP, \fB--noinfo\fP
-Exclude info files
-.TP
-.B
-\fB-R\fP, \fB--noraw\fP
-Exclude raw files
-.TP
-.B
-\fB-T\fP, \fB--notcp\fP
-Exclude TCP traffic
-.TP
-.B
-\fB-U\fP, \fB--noudp\fP
-Exclude UDP traffic
-.TP
-.B
-\fB-Y\fP, \fB--noicmp\fP
-Exclude ICMP traffic
-.TP
-.B
-\fB-X\fP, \fB--noindex\fP
-Exclude index files
-.TP
-.B
-\fB-k\fP, \fB--keydata\fP
-Create extra files for keystroke analysis
-.TP
-.B
-\fB-D\fP \fIdir\fP, --\fIdir\fP \fIdir\fP
-Output all files to this directory
-.TP
-.B
-\fB-b\fP 25,79, \fB--playtcp\fP 25,79
-replay these TCP ports as well (playback)
-.TP
-.B
-\fB-B\fP 36,42, \fB--playudp\fP 36,42
-replay these UDP ports as well (playback)
-.TP
-.B
-\fB-l\fP 7,79, \fB--htmltcp\fP 7,79
-Create HTML for these TCP ports as well
-.TP
-.B
-\fB-L\fP 7,123, \fB--htmludp\fP 7,123
-Create HTML for these UDP ports as well
-.TP
-.B
-\fB-m\fP 1k, \fB--min\fP 1k
-Min size of connection to save ("k" for Kb)
-.TP
-.B
-\fB-M\fP 1024k, \fB--max\fP 1k
-Max size of connection to save ("k" for Kb)
-.TP
-.B
-\fB-o\fP size, \fB--sort\fP size
-sort Order: time/size/type/ip (Default time)
-.TP
-.B
-\fB-p\fP 21,23, \fB--port\fP 21,23
-Only examine these ports (TCP & UDP)
-.TP
-.B
-\fB-P\fP 80,81, \fB--noport\fP 80,81
-Exclude these ports (TCP & UDP)
-.TP
-.B
-\fB-s\fP 5, \fB--runonce\fP 5
-Standalone. Run tcpdump/snoop for 5 \fImins\fP.
-.TP
-.B
-\fB-S\fP 5,10, \fB--runmany\fP 5,10
-Standalone, many. 10 samples of 5 \fImins\fP each.
-.TP
-.B
-\fB-S\fP 5, \fB--runmany\fP 5
-Standalone, endless. 5 min samples forever.
-.TP
-.B
-\fB-z\fP, \fB--runredo\fP
-Standalone, redo. Rereads last run's logs.
-.TP
-.B
-\fB-j\fP 10.1.2.1, \fB--ipaddr\fP 10.1.2.1
-Only examine these IPs
-.TP
-.B
-\fB-J\fP 10.1.2.1, \fB--noipaddr\fP 10.1.2.1
-Exclude these IPs
-.TP
-.B
-\fB-f\fP 'port 7', \fB--filter\fP 'port 7'
-With standalone, use this dump filter.
-.SH OUTPUT FILES
-.TP
-.B
-index.html
-Html index (full details)
-.TP
-.B
-index.text
-Text index
-.TP
-.B
-index.file
-File index for standalone redo mode
-.TP
-.B
-image.html
-HTML report of images
-.TP
-.B
-getpost.html
-HTML report of HTTP GET/POST requests
-.TP
-.B
-session_0001.info
-Info file describing TCP session #1
-.TP
-.B
-session_0001.telnet.html
-HTML coloured 2-way capture (time sorted)
-.TP
-.B
-session_0001.telnet.raw
-Raw data 2-way capture (time sorted)
-.TP
-.B
-session_0001.telnet.raw1
-Raw 1-way capture (assembeled) server->client
-.TP
-.B
-session_0001.telnet.raw2
-Raw 1-way capture (assembeled) client->server
-.TP
-.B
-session_0002.web.html
-HTML coloured 2-way
-.TP
-.B
-session_0002.part_01.html
-HTTP portion of the above, a HTML file
-.TP
-.B
-session_0003.web.html
-HTML coloured 2-way
-.TP
-.B
-session_0003.part_01.jpeg
-HTTP portion of the above, a JPEG file
-.TP
-.B
-session_0004.web.html
-HTML coloured 2-way
-.TP
-.B
-session_0004.part_01.gif
-HTTP portion of the above, a GIF file
-.TP
-.B
-session_0005.part_01.ftp-data.gz
-An FTP transfer, a gz file.
-.SH CONVENTIONS
-.TP
-.B
-session_*
-TCP Sessions
-.TP
-.B
-stream_*
-UDP Streams
-.TP
-.B
-icmp_*
-ICMP packets
-.TP
-.B
-index.html
-HTML Index
-.TP
-.B
-index.text
-Text Index
-.TP
-.B
-index.file
-File Index for standalone redo mode only
-.TP
-.B
-image.html
-HTML report of images
-.TP
-.B
-getpost.html
-HTML report of HTTP GET/POST requests
-.TP
-.B
-*.info
-Info file describing the Session/Stream
-.TP
-.B
-*.raw
-Raw data 2-way capture (time sorted)
-.TP
-.B
-*.raw1
-Raw 1-way capture (assembeled) server->client
-.TP
-.B
-*.raw2
-Raw 1-way capture (assembeled) client->server
-.TP
-.B
-*.replay
-Session replay program (perl)
-.TP
-.B
-*.partial.*
-Partial capture (tcpdump/snoop were aware of drops)
-.TP
-.B
-*.hex.html
-2-way Hex dump, rendered in coloured HTML
-.TP
-.B
-*.hex.text
-2-way Hex dump in plain text
-.TP
-.B
-*.X11.replay
-X11 replay script (talks X11)
-.TP
-.B
-*.textX11.replay
-X11 communicated text replay script (text only)
-.TP
-.B
-*.textX11.html
-2-way text report, rendered in red/blue HTML
-.TP
-.B
-*.keydata
-Keystroke delay data file. Used for SSH analysis.
-.SH MODES
-.TP
-.B
-Normal
-eg "\fBchaosreader\fP \fBinfile\fP", this is where a tcpdump/snoop file
-was created previously and \fBchaosreader\fP reads and processes it.
-.TP
-.B
-Standalone once
-eg "\fBchaosreader\fP \fB-s\fP 10" this is where \fBchaosreader\fP
-runs tcpdump/snoop and generates the log file, in this case for 10 i
-minutes, and then processes the result. Some OS's may not have
-tcpdump or snoop available so this will not work (instead you may be
-able to get Ethereal, run it, save to a file, then use normal mode).
-There is a master index.html and the report index.html in a sub \fIdir\fP,
-which is of the format out_YYYYMMDD-hhmm, eg "out_20031003-2221".
-.TP
-.B
-Standalone, many
-eg "\fBchaosreader\fP \fB-S\fP 5,12", this is where \fBchaosreader\fP
-runs tcpdump/snoop and generates many log files, in this case it
-samples 12 times for 5 minutes each. While this is running, the master
-index.html can be viewed to watch progress, which links to minor
-index.html reports in each sub directory.
-.TP
-.B
-Standalone, redo
-eg "\fBchaosreader\fP \fB-ve\fP \fB-z\fP", (the \fB-z\fP), this is where
-a standalone capture was previously performed - and now you would like
-to reprocess the logs - perhaps with different options (in this case,
-"\fB-ve\fP"). It reads index.file to determine which capture logs to read.
-.TP
-.B
-Standalone, endless
-eg "\fBchaosreader\fP \fB-S\fP 5", like standalone many -
-but runs forever (if you ever had the need?). Watch your disk space!
-.PP
-Note: this is a work in progress, some of the code is a little unpolished.
-.SH ADVICES
-.IP \(bu 3
-Run \fBchaosreader\fP in an empty directory.
-.IP \(bu 3
-Create small packet dumps. Chaosreader uses around 5x the dump size
-in memory. A 100Mb file could need 500Mb of RAM to process.
-.IP \(bu 3
-Your tcpdump may allow "\fB-s0\fP" (entire packet) instead of "\fB-s9000\fP".
-.IP \(bu 3
-Beware of using too much disk space, especially standalone mode.
-.IP \(bu 3
-If you capture too many small connections giving a huge index.html,
-try using the \fB-m\fP option to ignore small connections. eg "\fB-m\fP 1k".
-.IP \(bu 3
-snoop logs may actually work better. Snoop logs are based on RFC1761,
-however there are many varients of tcpdump/libpcap and this program
-cannot read them all. If you have Ethereal you can create snoop logs
-during the "save as" option. On Solaris use "snoop \fB-o\fP logfile".
-.IP \(bu 3
-tcpdump logs may not be portable between OSs that use different sized
-timestamps or endian.
-.IP \(bu 3
-Logs are best created in a memory filesystem for speed, usually /tmp.
-.IP \(bu 3
-For X11 or VNC playbacks, first practise by replaying a recent captured
-session of your own. The biggest problem is colour depth, your screen
-must match the capture. For X11 check authentication (xhost +), for
-VNC check the viewers options (\fB-8bit\fP, "Hextile", \.\.\.)
-.IP \(bu 3
-SSH analysis can be performed with the "sshkeydata" program as
-demonstrated on http://www.brendangregg.com/sshanalysis.html .
-\fBchaosreader\fP provides the input files (*.keydata) that sshkeydata
-analyses.
-.SH BUGS
-.IP \(bu 3
-The following assumptions may cause problems (check for new vers);
-.IP \(bu 3
-A lower port number = the service type. Eg with ports 31247 and 23,
-the actual type of session is telnet (23). This may not work for
-some things (eg, VNC).
-.IP \(bu 3
-Time based order is more important for 2-way sessions (eg telnet),
-SEQ order is more import for 1-way transfers (eg ftp-data).
-.IP \(bu 3
-One particular TCP session isn't active for long enough that the SEQ
-number loops (or even wraps).
-.SH EXAMPLES
-.IP \(bu 3
-Example 1:
-.PP
-.nf
-.fam C
- tcpdump \-s9000 \-w out1; chaosreader out1; netscape index.html
-
-.nf
-.fam C
- or,
-
-.fam T
-.fi
-.RS
-snoop \fB-o\fP out1; \fBchaosreader\fP out1; netscape index.html
-.PP
-.nf
-.fam C
- or,
-
-.fam T
-.fi
-ethereal (save as "out1"); \fBchaosreader\fP out1; netscape index.html
-.PP
-.nf
-.fam C
- or,
-
-.fam T
-.fi
-\fBchaosreader\fP \fB-s\fP 5; netscape index.html
-.RE
-.IP \(bu 3
-Example 2:
-.PP
-.nf
-.fam C
- tcpdump \-s9000 \-w output1 # create tcpdump capture file
-
- chaosreader output1 # extract recognised sessions, or,
-
- chaosreader \-ve output1 # gimme everything, or,
-
- chaosreader \-p 20,21,23 output1 # only ftp and telnet\.\.\.
-
-.fam T
-.fi
-.IP \(bu 3
-Example 3:
-.PP
-.nf
-.fam C
- snoop \-o output1 # create snoop capture file instead
-
- chaosreader output1 # extract recognised sessions\.\.\.
-
-.fam T
-.fi
-.IP \(bu 3
-Example 4:
-.PP
-.nf
-.fam C
- chaosreader \-S 2,5 # Standalone, sniff network 5 times for 2 mins
- # each. View index.html for progress (or .text)
-.fam T
-.fi
-.SH SEE ALSO
-\fBtcpdump\fP(8), \fBchaosreader\fP help page.
-.SH AUTHORS
-\fBchaosreader\fP was written by Brendan Gregg.
-.PP
-This manual page was written by Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>, using txt2man, for the Debian project (but may be used by others). The base of this text was caught off \fBchaosreader\fP source code.
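Review bot: deleting this page removes the OPTIONS, OUTPUT FILES, CONVENTIONS, MODES, ADVICES, BUGS and EXAMPLES sections; the 34-line replacement in debian/manpages/chaosreader.1 has only NAME, DESCRIPTION, SEE ALSO and AUTHORS, so users lose the whole option reference, including the documentation of standalone mode (which runs tcpdump/snoop on the host) that an operator needs in order to judge what the tool does. If the revert is only about Standards-Version, keep this txt2man page and fix its known text defects separately: "10 i minutes" at the Standalone once entry, "assembeled" and "varients", and the `-M 1024k, --max 1k` line whose long-option example disagrees with the short one.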
diff --git a/debian/man/chaosreader.txt b/debian/man/chaosreader.txt
deleted file mode 100644
index b13874d..0000000
--- a/debian/man/chaosreader.txt
+++ /dev/null
@@ -1,201 +0,0 @@
-NAME
- chaosreader - trace network sessions and export it to html format
-SYNOPSIS
- chaosreader
-
- chaosreader [-aehikqrvxAHIRTUXY] [-D dir]
- [-b port[,...]] [-B port[,...]]
- [-j IPaddr[,...]] [-J IPaddr[,...]]
- [-l port[,...]] [-L port[,...]] [-m bytes[k]]
- [-M bytes[k]] [-o "time"|"size"|"type"|"ip"]
- [-p port[,...]] [-P port[,...]]
- infile [infile2 ...]
-
- chaosreader -s [mins] | -S [mins[,count]]
- [-z] [-f 'filter']
-DESCRIPTION
- Chaosreader traces TCP/UDP/others sessions and fetches application data from
- snoop or tcpdump logs. This is a type of "any-snarf" program, as it will
- fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG etc) and
- SMTP emails from the captured data inside network traffic logs. A html index
- file is created to that links to all the session details, including realtime
- replay programs for telnet, rlogin, IRC, X11 and VNC sessions. Chaosreader
- reports such as image reports and HTTP GET/POST content reports.
-
- Chaosreader can also run in standalone mode, where it invokes tcpdump to
- create the log files and then processes them.
-OPTIONS
- -a, --application Create application session files (default)
- -e, --everything Create HTML 2-way & hex files for everything
- -h Print a brief help
- --help Print verbose help (this) and version
- --help2 Print massive help
- -i, --info Create info file
- -q, --quiet Quiet, no output to screen
- -r, --raw Create raw files
- -v, --verbose Verbose - Create ALL files .. (except -e)
- -x, --index Create index files (default)
- -A, --noapplication Exclude application session files
- -H, --hex Include hex dumps (slow)
- -I, --noinfo Exclude info files
- -R, --noraw Exclude raw files
- -T, --notcp Exclude TCP traffic
- -U, --noudp Exclude UDP traffic
- -Y, --noicmp Exclude ICMP traffic
- -X, --noindex Exclude index files
- -k, --keydata Create extra files for keystroke analysis
- -D dir, --dir dir Output all files to this directory
- -b 25,79, --playtcp 25,79 replay these TCP ports as well (playback)
- -B 36,42, --playudp 36,42 replay these UDP ports as well (playback)
- -l 7,79, --htmltcp 7,79 Create HTML for these TCP ports as well
- -L 7,123, --htmludp 7,123 Create HTML for these UDP ports as well
- -m 1k, --min 1k Min size of connection to save ("k" for Kb)
- -M 1024k, --max 1k Max size of connection to save ("k" for Kb)
- -o size, --sort size sort Order: time/size/type/ip (Default time)
- -p 21,23, --port 21,23 Only examine these ports (TCP & UDP)
- -P 80,81, --noport 80,81 Exclude these ports (TCP & UDP)
- -s 5, --runonce 5 Standalone. Run tcpdump/snoop for 5 mins.
- -S 5,10, --runmany 5,10 Standalone, many. 10 samples of 5 mins each.
- -S 5, --runmany 5 Standalone, endless. 5 min samples forever.
- -z, --runredo Standalone, redo. Rereads last run's logs.
- -j 10.1.2.1, --ipaddr 10.1.2.1 Only examine these IPs
- -J 10.1.2.1, --noipaddr 10.1.2.1 Exclude these IPs
- -f 'port 7', --filter 'port 7' With standalone, use this dump filter.
-OUTPUT FILES
- index.html Html index (full details)
- index.text Text index
- index.file File index for standalone redo mode
- image.html HTML report of images
- getpost.html HTML report of HTTP GET/POST requests
- session_0001.info Info file describing TCP session #1
- session_0001.telnet.html HTML coloured 2-way capture (time sorted)
- session_0001.telnet.raw Raw data 2-way capture (time sorted)
- session_0001.telnet.raw1 Raw 1-way capture (assembeled) server->client
- session_0001.telnet.raw2 Raw 1-way capture (assembeled) client->server
- session_0002.web.html HTML coloured 2-way
- session_0002.part_01.html HTTP portion of the above, a HTML file
- session_0003.web.html HTML coloured 2-way
- session_0003.part_01.jpeg HTTP portion of the above, a JPEG file
- session_0004.web.html HTML coloured 2-way
- session_0004.part_01.gif HTTP portion of the above, a GIF file
- session_0005.part_01.ftp-data.gz An FTP transfer, a gz file.
-CONVENTIONS
- session_* TCP Sessions
- stream_* UDP Streams
- icmp_* ICMP packets
- index.html HTML Index
- index.text Text Index
- index.file File Index for standalone redo mode only
- image.html HTML report of images
- getpost.html HTML report of HTTP GET/POST requests
- *.info Info file describing the Session/Stream
- *.raw Raw data 2-way capture (time sorted)
- *.raw1 Raw 1-way capture (assembeled) server->client
- *.raw2 Raw 1-way capture (assembeled) client->server
- *.replay Session replay program (perl)
- *.partial.* Partial capture (tcpdump/snoop were aware of drops)
- *.hex.html 2-way Hex dump, rendered in coloured HTML
- *.hex.text 2-way Hex dump in plain text
- *.X11.replay X11 replay script (talks X11)
- *.textX11.replay X11 communicated text replay script (text only)
- *.textX11.html 2-way text report, rendered in red/blue HTML
- *.keydata Keystroke delay data file. Used for SSH analysis.
-MODES
- Normal eg "chaosreader infile", this is where a tcpdump/snoop file
- was created previously and chaosreader reads and processes it.
- Standalone once eg "chaosreader -s 10" this is where chaosreader
- runs tcpdump/snoop and generates the log file, in this case for 10 i
- minutes, and then processes the result. Some OS's may not have
- tcpdump or snoop available so this will not work (instead you may be
- able to get Ethereal, run it, save to a file, then use normal mode).
- There is a master index.html and the report index.html in a sub dir,
- which is of the format out_YYYYMMDD-hhmm, eg "out_20031003-2221".
- Standalone, many eg "chaosreader -S 5,12", this is where chaosreader
- runs tcpdump/snoop and generates many log files, in this case it
- samples 12 times for 5 minutes each. While this is running, the master
- index.html can be viewed to watch progress, which links to minor
- index.html reports in each sub directory.
- Standalone, redo eg "chaosreader -ve -z", (the -z), this is where
- a standalone capture was previously performed - and now you would like
- to reprocess the logs - perhaps with different options (in this case,
- "-ve"). It reads index.file to determine which capture logs to read.
- Standalone, endless eg "chaosreader -S 5", like standalone many -
- but runs forever (if you ever had the need?). Watch your disk space!
-
- Note: this is a work in progress, some of the code is a little unpolished.
-ADVICES
- * Run chaosreader in an empty directory.
- * Create small packet dumps. Chaosreader uses around 5x the dump size
- in memory. A 100Mb file could need 500Mb of RAM to process.
- * Your tcpdump may allow "-s0" (entire packet) instead of "-s9000".
- * Beware of using too much disk space, especially standalone mode.
- * If you capture too many small connections giving a huge index.html,
- try using the -m option to ignore small connections. eg "-m 1k".
- * snoop logs may actually work better. Snoop logs are based on RFC1761,
- however there are many varients of tcpdump/libpcap and this program
- cannot read them all. If you have Ethereal you can create snoop logs
- during the "save as" option. On Solaris use "snoop -o logfile".
- * tcpdump logs may not be portable between OSs that use different sized
- timestamps or endian.
- * Logs are best created in a memory filesystem for speed, usually /tmp.
- * For X11 or VNC playbacks, first practise by replaying a recent captured
- session of your own. The biggest problem is colour depth, your screen
- must match the capture. For X11 check authentication (xhost +), for
- VNC check the viewers options (-8bit, "Hextile", ...)
- * SSH analysis can be performed with the "sshkeydata" program as
- demonstrated on http://www.brendangregg.com/sshanalysis.html .
- chaosreader provides the input files (*.keydata) that sshkeydata
- analyses.
-BUGS
- * The following assumptions may cause problems (check for new vers);
- * A lower port number = the service type. Eg with ports 31247 and 23,
- the actual type of session is telnet (23). This may not work for
- some things (eg, VNC).
- * Time based order is more important for 2-way sessions (eg telnet),
- SEQ order is more import for 1-way transfers (eg ftp-data).
- * One particular TCP session isn't active for long enough that the SEQ
- number loops (or even wraps).
-EXAMPLES
- * Example 1:
-
- tcpdump \-s9000 \-w out1; chaosreader out1; netscape index.html
-
- or,
-
- snoop -o out1; chaosreader out1; netscape index.html
-
- or,
-
- ethereal (save as "out1"); chaosreader out1; netscape index.html
-
- or,
-
- chaosreader -s 5; netscape index.html
-
- * Example 2:
-
- tcpdump \-s9000 \-w output1 # create tcpdump capture file
-
- chaosreader output1 # extract recognised sessions, or,
-
- chaosreader \-ve output1 # gimme everything, or,
-
- chaosreader \-p 20,21,23 output1 # only ftp and telnet...
-
- * Example 3:
-
- snoop \-o output1 # create snoop capture file instead
-
- chaosreader output1 # extract recognised sessions...
-
- * Example 4:
-
- chaosreader \-S 2,5 # Standalone, sniff network 5 times for 2 mins
- # each. View index.html for progress (or .text)
-SEE ALSO
- tcpdump(8), chaosreader help page.
-AUTHORS
- chaosreader was written by Brendan Gregg.
-
- This manual page was written by Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>, using txt2man, for the Debian project (but may be used by others). The base of this text was caught off chaosreader source code.
-
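Review bot: this file is the txt2man source whose text is reproduced line for line in debian/man/chaosreader.1, and its `.TH` line is duplicated again in debian/man/header.txt; the three files should be kept or removed together. Generating the .1 at build time from this source in debian/rules, instead of committing the generated page, would stop the copies drifting apart.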
diff --git a/debian/man/header.txt b/debian/man/header.txt
deleted file mode 100644
index e4281b0..0000000
--- a/debian/man/header.txt
+++ /dev/null
@@ -1 +0,0 @@
-.TH CHAOSREADER "1" "Dec 2013" "CHAOSREADER 0.94" "trace network sessions and export it to html format"
diff --git a/debian/manpages/chaosreader.1 b/debian/manpages/chaosreader.1
new file mode 100644
index 0000000..5a629b4
--- /dev/null
+++ b/debian/manpages/chaosreader.1
@@ -0,0 +1,34 @@
+.TH "CHAOSREADER" 1 "August 23, 2008" ""
+
+.SH NAME
+.P
+chaosreader \- trace network sessions and export it to html format
+
+.SH DESCRIPTION
+.P
+Chaosreader traces TCP/UDP/others sessions and fetches application data from
+snoop or tcpdump logs. This is a type of "any\-snarf" program, as it will
+fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG etc) and
+SMTP emails from the captured data inside network traffic logs. A html index
+file is created to that links to all the session details, including realtime
+replay programs for telnet, rlogin, IRC, X11 and VNC sessions. Chaosreader
+reports such as image reports and HTTP GET/POST content reports.
+
+.P
+Chaosreader can also run in standalone mode, where it invokes tcpdump to
+create the log files and then processes them.
+
+.SH SEE ALSO
+.P
+tcpdump(8), chaosreader help page.
+
+.SH AUTHORS
+.P
+\fBchaosreader\fR was written by Brendan Gregg.
+
+.P
+This manual page was written by Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>, using txt2tags (http://txt2tags.sourceforge.net), for the Debian project (but may be used by others).
+
+
+.\" man code generated by txt2tags 2.3 (http://txt2tags.sf.net)
+.\" cmdline: txt2tags -t man chaosreader.1.t2t
diff --git a/debian/rules b/debian/rules
index f6f9086..f71237e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,9 +1,9 @@
#!/usr/bin/make -f
-#export DH_VERBOSE=1
%:
- dh $@ --parallel
+ dh ${@} --parallel
override_dh_auto_install:
install -D -m 0755 chaosreader0.94 debian/chaosreader/usr/bin/chaosreader
+
dh_installchangelogs debian/upstream.changelog
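Review bot: `dh ${@} --parallel` and `dh $@ --parallel` are identical to make (`${@}` is just the braced spelling of the automatic variable), so that line is a no-op change; the hunk also drops the commented `#export DH_VERBOSE=1` line, which is harmless but handy to keep for debugging builds. Both are cosmetic and do not belong in a revert whose subject is about Standards-Version.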
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
deleted file mode 100644
index 2bb4336..0000000
--- a/debian/source/lintian-overrides
+++ /dev/null
@@ -1,2 +0,0 @@
-# The upstream didn't provide a PGP/GPG signature.
-chaosreader source: debian-watch-may-check-gpg-signature
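Review bot: removing this override without changing debian/watch means lintian will again report debian-watch-may-check-gpg-signature; the override's own comment records that upstream publishes no PGP/GPG signature, which is exactly the case the override exists for, so it should stay (a signature check cannot be added when there is nothing to verify against).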
diff --git a/debian/watch b/debian/watch
index 15170bb..cae27b3 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,2 +1,2 @@
version=3
-http://sf.net/chaosreader/chaosreader(\d\S*)
+http://sf.net/chaosreader/chaosreader(.*)
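Review bot: going back from `chaosreader(\d\S*)` to `chaosreader(.*)` loosens the version capture group so that any suffix, including an empty string or a non-tarball name, is treated as a candidate version; requiring a leading digit with `(\d\S*)` is the safer pattern and no reason is given for dropping it. Since this watch file performs no signature verification, the strictness of this match is the only check uscan applies to what it downloads.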
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/chaosreader.git