[Forensics-changes] [chaosreader] 01/01: * Bumped Standards-Version from 3.9.4 to 3.9.5. * debian/source/: added an override to reply to check-gpg-signature. * debian/copyright: updated the file format and the upstream email address. * debian/gbp.conf: added to allow git-buildpackage usage. * debian/rules: little and insignificant adjustments. * debian/watch: improved. * manpage: - Created the debian/man directory to gather the manpage and the source. So, the debian/chaosreader.manpages was adjusted to point to file at new place. - Removed debian/{chaosreader.1.t2t, manpages}. - The manpage was improved, using information from the source code, and migrated from txt2tags to txt2man.
Eriberto Mota
eriberto-guest at moszumanska.debian.org
Sun Dec 29 02:56:36 UTC 2013
This is an automated email from the git hooks/post-receive script.
eriberto-guest pushed a commit to branch debian
in repository chaosreader.
commit c2650d7b4134fcfd67c16d5de9eaaf48522004ea
Author: Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>
Date: Sun Dec 29 00:56:12 2013 -0200
* Bumped Standards-Version from 3.9.4 to 3.9.5.
* debian/source/: added an override to reply to check-gpg-signature.
* debian/copyright: updated the file format and the upstream
email address.
* debian/gbp.conf: added to allow git-buildpackage usage.
* debian/rules: little and insignificant adjustments.
* debian/watch: improved.
* manpage:
- Created the debian/man directory to gather the manpage
and the source. So, the debian/chaosreader.manpages was
adjusted to point to file at new place.
- Removed debian/{chaosreader.1.t2t,manpages}.
- The manpage was improved, using information from the
source code, and migrated from txt2tags to txt2man.
---
debian/changelog | 19 ++
debian/chaosreader.1.t2t | 33 ---
debian/chaosreader.manpages | 2 +-
debian/control | 6 +-
debian/copyright | 27 +--
debian/gbp.conf | 3 +
debian/man/chaosreader.1 | 487 ++++++++++++++++++++++++++++++++++++++++
debian/man/chaosreader.txt | 201 +++++++++++++++++
debian/man/header.txt | 1 +
debian/manpages/chaosreader.1 | 34 ---
debian/rules | 4 +-
debian/source/lintian-overrides | 2 +
debian/watch | 2 +-
13 files changed, 727 insertions(+), 94 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 8f629f1..6f2e62f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+chaosreader (0.94-5) unstable; urgency=medium
+
+ * Bumped Standards-Version from 3.9.4 to 3.9.5.
+ * debian/source/: added an override to reply to check-gpg-signature.
+ * debian/copyright: updated the file format and the upstream
+ email address.
+ * debian/gbp.conf: added to allow git-buildpackage usage.
+ * debian/rules: little and insignificant adjustments.
+ * debian/watch: improved.
+ * manpage:
+ - Created the debian/man directory to gather the manpage
+ and the source. So, the debian/chaosreader.manpages was
+ adjusted to point to file at new place.
+ - Removed debian/{chaosreader.1.t2t,manpages}.
+ - The manpage was improved, using information from the
+ source code, and migrated from txt2tags to txt2man.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Fri, 27 Dec 2013 08:49:04 -0200
+
chaosreader (0.94-4) unstable; urgency=low
* Bumped debhelper level from 7 to 9.
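Review bot: the entry "debian/source/: added an override to reply to check-gpg-signature" should name the lintian tag in full and say what the override does; the file added in this commit targets `debian-watch-may-check-gpg-signature`, so "debian/source/lintian-overrides: added an override for debian-watch-may-check-gpg-signature (upstream does not sign releases)" tells a reader exactly what was silenced and why. "debian/rules: little and insignificant adjustments" likewise gives nothing to check; the rules hunk only drops the braces in `dh $@ --parallel`, adds a commented `DH_VERBOSE` line and removes a blank line, which fits in one changelog line.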
diff --git a/debian/chaosreader.1.t2t b/debian/chaosreader.1.t2t
deleted file mode 100644
index 250c476..0000000
--- a/debian/chaosreader.1.t2t
+++ /dev/null
@@ -1,33 +0,0 @@
-CHAOSREADER
-
-August 23, 2008
-
-= NAME =
-
-chaosreader - trace network sessions and export it to html format
-
-
-= DESCRIPTION =
-
-Chaosreader traces TCP/UDP/others sessions and fetches application data from
-snoop or tcpdump logs. This is a type of "any-snarf" program, as it will
-fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG etc) and
-SMTP emails from the captured data inside network traffic logs. A html index
-file is created to that links to all the session details, including realtime
-replay programs for telnet, rlogin, IRC, X11 and VNC sessions. Chaosreader
-reports such as image reports and HTTP GET/POST content reports.
-
-Chaosreader can also run in standalone mode, where it invokes tcpdump to
-create the log files and then processes them.
-
-
-= SEE ALSO =
-
-tcpdump(8), chaosreader help page.
-
-
-= AUTHORS =
-
-**chaosreader** was written by Brendan Gregg.
-
-This manual page was written by Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>, using txt2tags (http://txt2tags.sourceforge.net), for the Debian project (but may be used by others).
diff --git a/debian/chaosreader.manpages b/debian/chaosreader.manpages
index 2fb19fb..890ef12 100644
--- a/debian/chaosreader.manpages
+++ b/debian/chaosreader.manpages
@@ -1 +1 @@
-debian/manpages/*
+debian/man/chaosreader.1
diff --git a/debian/control b/debian/control
index 2e39e06..c9577f8 100644
--- a/debian/control
+++ b/debian/control
@@ -4,10 +4,10 @@ Priority: optional
Maintainer: Debian Forensics <forensics-devel at lists.alioth.debian.org>
Uploaders: Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>
Build-Depends: debhelper (>= 9)
-Standards-Version: 3.9.4
+Standards-Version: 3.9.5
Homepage: http://chaosreader.sf.net
-Vcs-Browser: http://git.debian.org/?p=forensics/chaosreader.git
-Vcs-Git: git://git.debian.org/git/forensics/chaosreader.git
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=forensics/chaosreader.git
+Vcs-Git: git://anonscm.debian.org/forensics/chaosreader.git
Package: chaosreader
Architecture: all
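Review bot: the new `Vcs-Git: git://anonscm.debian.org/forensics/chaosreader.git` keeps the git:// transport, which authenticates neither the server nor the data in transit, so anyone on the path can alter what `debcheckout` or git-buildpackage clones; where the host serves the same repository over https, prefer that URL so the clone at least gets transport integrity. The Standards-Version bump to 3.9.5 matches the changelog entry.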
diff --git a/debian/copyright b/debian/copyright
index 52308db..773b899 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,28 +1,15 @@
-Author: Brendan Gregg <brendan at sun.com>
-Download: http://chaosreader.sourceforge.net
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: chaosreader
+Source: http://chaosreader.sf.net
Files: *
-Copyright: (C) 2003-2004 Brendan Gregg <brendan at sun.com>
+Copyright: 2003-2004 Brendan Gregg <brendan at joyent.com>
License: GPL-2+
- This program is free software; you can redistribute it and/or
- modify it under the terms of the GNU General Public License
- as published by the Free Software Foundation; either version 2
- of the License, or (at your option) any later version.
- .
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
- .
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- .
- On Debian systems, the complete text of the GNU General Public License
- can be found in /usr/share/common-licenses/GPL-2 file.
Files: debian/*
-Copyright: (C) 2008-2013 Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>
+Copyright: 2008-2013 Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>
+License: GPL-2+
+
License: GPL-2+
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
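Review bot: the changelog says the upstream email address was updated, but the only place it appears is the historical `Copyright: 2003-2004 Brendan Gregg <brendan at joyent.com>` line; in copyright-format 1.0 the current upstream contact belongs in an `Upstream-Contact:` field of the header stanza, so add `Upstream-Contact: Brendan Gregg <brendan at joyent.com>` next to `Upstream-Name:` and `Source:`. The rest of the conversion is sound: each `Files:` stanza now carries the short `License: GPL-2+` and the full text lives once in the standalone `License: GPL-2+` stanza.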
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..23e88fe
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian
+pristine-tar = True
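Review bot: `pristine-tar = True` makes git-buildpackage require a `pristine-tar` branch in the repository, and nothing in this commit documents that it has to be pushed alongside the `debian` branch; a short `debian/README.source` noting the branch layout (debian, upstream, pristine-tar) would save the next person a failed build.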
diff --git a/debian/man/chaosreader.1 b/debian/man/chaosreader.1
new file mode 100644
index 0000000..5f77e96
--- /dev/null
+++ b/debian/man/chaosreader.1
@@ -0,0 +1,487 @@
+.\"Text automatically generated by txt2man
+.TH CHAOSREADER "1" "Dec 2013" "CHAOSREADER 0.94" "trace network sessions and export it to html format"
+.SH NAME
+\fBchaosreader \fP- trace network sessions and export it to html format
+.SH SYNOPSIS
+.nf
+.fam C
+\fBchaosreader\fP
+
+\fBchaosreader\fP [\fB-aehikqrvxAHIRTUXY\fP] [\fB-D\fP \fIdir\fP]
+ [\fB-b\fP port[,\.\.\.]] [\fB-B\fP port[,\.\.\.]]
+ [\fB-j\fP IPaddr[,\.\.\.]] [\fB-J\fP IPaddr[,\.\.\.]]
+ [\fB-l\fP port[,\.\.\.]] [\fB-L\fP port[,\.\.\.]] [\fB-m\fP bytes[k]]
+ [\fB-M\fP bytes[k]] [\fB-o\fP "time"|"size"|"type"|"ip"]
+ [\fB-p\fP port[,\.\.\.]] [\fB-P\fP port[,\.\.\.]]
+ \fBinfile\fP [\fIinfile2\fP \.\.\.]
+
+\fBchaosreader\fP \fB-s\fP [\fImins\fP] | \fB-S\fP [\fImins\fP[,count]]
+ [\fB-z\fP] [\fB-f\fP 'filter']
+.fam T
+.fi
+.fam T
+.fi
+.SH DESCRIPTION
+Chaosreader traces TCP/UDP/others sessions and fetches application data from
+snoop or tcpdump logs. This is a type of "any-snarf" program, as it will
+fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG etc) and
+SMTP emails from the captured data inside network traffic logs. A html index
+file is created to that links to all the session details, including realtime
+replay programs for telnet, rlogin, IRC, X11 and VNC sessions. Chaosreader
+reports such as image reports and HTTP GET/POST content reports.
+.PP
+Chaosreader can also run in standalone mode, where it invokes tcpdump to
+create the log files and then processes them.
+.SH OPTIONS
+.TP
+.B
+\fB-a\fP, \fB--application\fP
+Create application session files (default)
+.TP
+.B
+\fB-e\fP, \fB--everything\fP
+Create HTML 2-way & hex files for everything
+.TP
+.B
+\fB-h\fP
+Print a brief help
+.TP
+.B
+\fB--help\fP
+Print verbose help (this) and version
+.TP
+.B
+\fB--help2\fP
+Print massive help
+.TP
+.B
+\fB-i\fP, \fB--info\fP
+Create info file
+.TP
+.B
+\fB-q\fP, \fB--quiet\fP
+Quiet, no output to screen
+.TP
+.B
+\fB-r\fP, \fB--raw\fP
+Create raw files
+.TP
+.B
+\fB-v\fP, \fB--verbose\fP
+Verbose - Create ALL files .. (except \fB-e\fP)
+.TP
+.B
+\fB-x\fP, \fB--index\fP
+Create index files (default)
+.TP
+.B
+\fB-A\fP, \fB--noapplication\fP
+Exclude application session files
+.TP
+.B
+\fB-H\fP, \fB--hex\fP
+Include hex dumps (slow)
+.TP
+.B
+\fB-I\fP, \fB--noinfo\fP
+Exclude info files
+.TP
+.B
+\fB-R\fP, \fB--noraw\fP
+Exclude raw files
+.TP
+.B
+\fB-T\fP, \fB--notcp\fP
+Exclude TCP traffic
+.TP
+.B
+\fB-U\fP, \fB--noudp\fP
+Exclude UDP traffic
+.TP
+.B
+\fB-Y\fP, \fB--noicmp\fP
+Exclude ICMP traffic
+.TP
+.B
+\fB-X\fP, \fB--noindex\fP
+Exclude index files
+.TP
+.B
+\fB-k\fP, \fB--keydata\fP
+Create extra files for keystroke analysis
+.TP
+.B
+\fB-D\fP \fIdir\fP, --\fIdir\fP \fIdir\fP
+Output all files to this directory
+.TP
+.B
+\fB-b\fP 25,79, \fB--playtcp\fP 25,79
+replay these TCP ports as well (playback)
+.TP
+.B
+\fB-B\fP 36,42, \fB--playudp\fP 36,42
+replay these UDP ports as well (playback)
+.TP
+.B
+\fB-l\fP 7,79, \fB--htmltcp\fP 7,79
+Create HTML for these TCP ports as well
+.TP
+.B
+\fB-L\fP 7,123, \fB--htmludp\fP 7,123
+Create HTML for these UDP ports as well
+.TP
+.B
+\fB-m\fP 1k, \fB--min\fP 1k
+Min size of connection to save ("k" for Kb)
+.TP
+.B
+\fB-M\fP 1024k, \fB--max\fP 1k
+Max size of connection to save ("k" for Kb)
+.TP
+.B
+\fB-o\fP size, \fB--sort\fP size
+sort Order: time/size/type/ip (Default time)
+.TP
+.B
+\fB-p\fP 21,23, \fB--port\fP 21,23
+Only examine these ports (TCP & UDP)
+.TP
+.B
+\fB-P\fP 80,81, \fB--noport\fP 80,81
+Exclude these ports (TCP & UDP)
+.TP
+.B
+\fB-s\fP 5, \fB--runonce\fP 5
+Standalone. Run tcpdump/snoop for 5 \fImins\fP.
+.TP
+.B
+\fB-S\fP 5,10, \fB--runmany\fP 5,10
+Standalone, many. 10 samples of 5 \fImins\fP each.
+.TP
+.B
+\fB-S\fP 5, \fB--runmany\fP 5
+Standalone, endless. 5 min samples forever.
+.TP
+.B
+\fB-z\fP, \fB--runredo\fP
+Standalone, redo. Rereads last run's logs.
+.TP
+.B
+\fB-j\fP 10.1.2.1, \fB--ipaddr\fP 10.1.2.1
+Only examine these IPs
+.TP
+.B
+\fB-J\fP 10.1.2.1, \fB--noipaddr\fP 10.1.2.1
+Exclude these IPs
+.TP
+.B
+\fB-f\fP 'port 7', \fB--filter\fP 'port 7'
+With standalone, use this dump filter.
+.SH OUTPUT FILES
+.TP
+.B
+index.html
+Html index (full details)
+.TP
+.B
+index.text
+Text index
+.TP
+.B
+index.file
+File index for standalone redo mode
+.TP
+.B
+image.html
+HTML report of images
+.TP
+.B
+getpost.html
+HTML report of HTTP GET/POST requests
+.TP
+.B
+session_0001.info
+Info file describing TCP session #1
+.TP
+.B
+session_0001.telnet.html
+HTML coloured 2-way capture (time sorted)
+.TP
+.B
+session_0001.telnet.raw
+Raw data 2-way capture (time sorted)
+.TP
+.B
+session_0001.telnet.raw1
+Raw 1-way capture (assembeled) server->client
+.TP
+.B
+session_0001.telnet.raw2
+Raw 1-way capture (assembeled) client->server
+.TP
+.B
+session_0002.web.html
+HTML coloured 2-way
+.TP
+.B
+session_0002.part_01.html
+HTTP portion of the above, a HTML file
+.TP
+.B
+session_0003.web.html
+HTML coloured 2-way
+.TP
+.B
+session_0003.part_01.jpeg
+HTTP portion of the above, a JPEG file
+.TP
+.B
+session_0004.web.html
+HTML coloured 2-way
+.TP
+.B
+session_0004.part_01.gif
+HTTP portion of the above, a GIF file
+.TP
+.B
+session_0005.part_01.ftp-data.gz
+An FTP transfer, a gz file.
+.SH CONVENTIONS
+.TP
+.B
+session_*
+TCP Sessions
+.TP
+.B
+stream_*
+UDP Streams
+.TP
+.B
+icmp_*
+ICMP packets
+.TP
+.B
+index.html
+HTML Index
+.TP
+.B
+index.text
+Text Index
+.TP
+.B
+index.file
+File Index for standalone redo mode only
+.TP
+.B
+image.html
+HTML report of images
+.TP
+.B
+getpost.html
+HTML report of HTTP GET/POST requests
+.TP
+.B
+*.info
+Info file describing the Session/Stream
+.TP
+.B
+*.raw
+Raw data 2-way capture (time sorted)
+.TP
+.B
+*.raw1
+Raw 1-way capture (assembeled) server->client
+.TP
+.B
+*.raw2
+Raw 1-way capture (assembeled) client->server
+.TP
+.B
+*.replay
+Session replay program (perl)
+.TP
+.B
+*.partial.*
+Partial capture (tcpdump/snoop were aware of drops)
+.TP
+.B
+*.hex.html
+2-way Hex dump, rendered in coloured HTML
+.TP
+.B
+*.hex.text
+2-way Hex dump in plain text
+.TP
+.B
+*.X11.replay
+X11 replay script (talks X11)
+.TP
+.B
+*.textX11.replay
+X11 communicated text replay script (text only)
+.TP
+.B
+*.textX11.html
+2-way text report, rendered in red/blue HTML
+.TP
+.B
+*.keydata
+Keystroke delay data file. Used for SSH analysis.
+.SH MODES
+.TP
+.B
+Normal
+eg "\fBchaosreader\fP \fBinfile\fP", this is where a tcpdump/snoop file
+was created previously and \fBchaosreader\fP reads and processes it.
+.TP
+.B
+Standalone once
+eg "\fBchaosreader\fP \fB-s\fP 10" this is where \fBchaosreader\fP
+runs tcpdump/snoop and generates the log file, in this case for 10 i
+minutes, and then processes the result. Some OS's may not have
+tcpdump or snoop available so this will not work (instead you may be
+able to get Ethereal, run it, save to a file, then use normal mode).
+There is a master index.html and the report index.html in a sub \fIdir\fP,
+which is of the format out_YYYYMMDD-hhmm, eg "out_20031003-2221".
+.TP
+.B
+Standalone, many
+eg "\fBchaosreader\fP \fB-S\fP 5,12", this is where \fBchaosreader\fP
+runs tcpdump/snoop and generates many log files, in this case it
+samples 12 times for 5 minutes each. While this is running, the master
+index.html can be viewed to watch progress, which links to minor
+index.html reports in each sub directory.
+.TP
+.B
+Standalone, redo
+eg "\fBchaosreader\fP \fB-ve\fP \fB-z\fP", (the \fB-z\fP), this is where
+a standalone capture was previously performed - and now you would like
+to reprocess the logs - perhaps with different options (in this case,
+"\fB-ve\fP"). It reads index.file to determine which capture logs to read.
+.TP
+.B
+Standalone, endless
+eg "\fBchaosreader\fP \fB-S\fP 5", like standalone many -
+but runs forever (if you ever had the need?). Watch your disk space!
+.PP
+Note: this is a work in progress, some of the code is a little unpolished.
+.SH ADVICES
+.IP \(bu 3
+Run \fBchaosreader\fP in an empty directory.
+.IP \(bu 3
+Create small packet dumps. Chaosreader uses around 5x the dump size
+in memory. A 100Mb file could need 500Mb of RAM to process.
+.IP \(bu 3
+Your tcpdump may allow "\fB-s0\fP" (entire packet) instead of "\fB-s9000\fP".
+.IP \(bu 3
+Beware of using too much disk space, especially standalone mode.
+.IP \(bu 3
+If you capture too many small connections giving a huge index.html,
+try using the \fB-m\fP option to ignore small connections. eg "\fB-m\fP 1k".
+.IP \(bu 3
+snoop logs may actually work better. Snoop logs are based on RFC1761,
+however there are many varients of tcpdump/libpcap and this program
+cannot read them all. If you have Ethereal you can create snoop logs
+during the "save as" option. On Solaris use "snoop \fB-o\fP logfile".
+.IP \(bu 3
+tcpdump logs may not be portable between OSs that use different sized
+timestamps or endian.
+.IP \(bu 3
+Logs are best created in a memory filesystem for speed, usually /tmp.
+.IP \(bu 3
+For X11 or VNC playbacks, first practise by replaying a recent captured
+session of your own. The biggest problem is colour depth, your screen
+must match the capture. For X11 check authentication (xhost +), for
+VNC check the viewers options (\fB-8bit\fP, "Hextile", \.\.\.)
+.IP \(bu 3
+SSH analysis can be performed with the "sshkeydata" program as
+demonstrated on http://www.brendangregg.com/sshanalysis.html .
+\fBchaosreader\fP provides the input files (*.keydata) that sshkeydata
+analyses.
+.SH BUGS
+.IP \(bu 3
+The following assumptions may cause problems (check for new vers);
+.IP \(bu 3
+A lower port number = the service type. Eg with ports 31247 and 23,
+the actual type of session is telnet (23). This may not work for
+some things (eg, VNC).
+.IP \(bu 3
+Time based order is more important for 2-way sessions (eg telnet),
+SEQ order is more import for 1-way transfers (eg ftp-data).
+.IP \(bu 3
+One particular TCP session isn't active for long enough that the SEQ
+number loops (or even wraps).
+.SH EXAMPLES
+.IP \(bu 3
+Example 1:
+.PP
+.nf
+.fam C
+ tcpdump \-s9000 \-w out1; chaosreader out1; netscape index.html
+
+.nf
+.fam C
+ or,
+
+.fam T
+.fi
+.RS
+snoop \fB-o\fP out1; \fBchaosreader\fP out1; netscape index.html
+.PP
+.nf
+.fam C
+ or,
+
+.fam T
+.fi
+ethereal (save as "out1"); \fBchaosreader\fP out1; netscape index.html
+.PP
+.nf
+.fam C
+ or,
+
+.fam T
+.fi
+\fBchaosreader\fP \fB-s\fP 5; netscape index.html
+.RE
+.IP \(bu 3
+Example 2:
+.PP
+.nf
+.fam C
+ tcpdump \-s9000 \-w output1 # create tcpdump capture file
+
+ chaosreader output1 # extract recognised sessions, or,
+
+ chaosreader \-ve output1 # gimme everything, or,
+
+ chaosreader \-p 20,21,23 output1 # only ftp and telnet\.\.\.
+
+.fam T
+.fi
+.IP \(bu 3
+Example 3:
+.PP
+.nf
+.fam C
+ snoop \-o output1 # create snoop capture file instead
+
+ chaosreader output1 # extract recognised sessions\.\.\.
+
+.fam T
+.fi
+.IP \(bu 3
+Example 4:
+.PP
+.nf
+.fam C
+ chaosreader \-S 2,5 # Standalone, sniff network 5 times for 2 mins
+ # each. View index.html for progress (or .text)
+.fam T
+.fi
+.SH SEE ALSO
+\fBtcpdump\fP(8), \fBchaosreader\fP help page.
+.SH AUTHORS
+\fBchaosreader\fP was written by Brendan Gregg.
+.PP
+This manual page was written by Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>, using txt2man, for the Debian project (but may be used by others). The base of this text was caught off \fBchaosreader\fP source code.
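Review bot: this file is txt2man output (its first line says so) committed next to its source `debian/man/chaosreader.txt`, so the two will drift apart on the next edit; generating it in `debian/rules` from chaosreader.txt and header.txt, with txt2man in Build-Depends, keeps one source of truth. The generated page also reproduces the source's mistakes, which should be fixed in chaosreader.txt rather than here: `-M 1024k, --max 1k` shows two different values for the same option, "for 10 i" / "minutes" has a stray `i`, and "assembeled" and "varients" are misspelt. The SYNOPSIS block closes with `.fam T` / `.fi` twice after `[\fB-z\fP] [\fB-f\fP 'filter']`; groff tolerates it, but it is worth checking what in the source produces the duplicate.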
diff --git a/debian/man/chaosreader.txt b/debian/man/chaosreader.txt
new file mode 100644
index 0000000..b13874d
--- /dev/null
+++ b/debian/man/chaosreader.txt
@@ -0,0 +1,201 @@
+NAME
+ chaosreader - trace network sessions and export it to html format
+SYNOPSIS
+ chaosreader
+
+ chaosreader [-aehikqrvxAHIRTUXY] [-D dir]
+ [-b port[,...]] [-B port[,...]]
+ [-j IPaddr[,...]] [-J IPaddr[,...]]
+ [-l port[,...]] [-L port[,...]] [-m bytes[k]]
+ [-M bytes[k]] [-o "time"|"size"|"type"|"ip"]
+ [-p port[,...]] [-P port[,...]]
+ infile [infile2 ...]
+
+ chaosreader -s [mins] | -S [mins[,count]]
+ [-z] [-f 'filter']
+DESCRIPTION
+ Chaosreader traces TCP/UDP/others sessions and fetches application data from
+ snoop or tcpdump logs. This is a type of "any-snarf" program, as it will
+ fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG etc) and
+ SMTP emails from the captured data inside network traffic logs. A html index
+ file is created to that links to all the session details, including realtime
+ replay programs for telnet, rlogin, IRC, X11 and VNC sessions. Chaosreader
+ reports such as image reports and HTTP GET/POST content reports.
+
+ Chaosreader can also run in standalone mode, where it invokes tcpdump to
+ create the log files and then processes them.
+OPTIONS
+ -a, --application Create application session files (default)
+ -e, --everything Create HTML 2-way & hex files for everything
+ -h Print a brief help
+ --help Print verbose help (this) and version
+ --help2 Print massive help
+ -i, --info Create info file
+ -q, --quiet Quiet, no output to screen
+ -r, --raw Create raw files
+ -v, --verbose Verbose - Create ALL files .. (except -e)
+ -x, --index Create index files (default)
+ -A, --noapplication Exclude application session files
+ -H, --hex Include hex dumps (slow)
+ -I, --noinfo Exclude info files
+ -R, --noraw Exclude raw files
+ -T, --notcp Exclude TCP traffic
+ -U, --noudp Exclude UDP traffic
+ -Y, --noicmp Exclude ICMP traffic
+ -X, --noindex Exclude index files
+ -k, --keydata Create extra files for keystroke analysis
+ -D dir, --dir dir Output all files to this directory
+ -b 25,79, --playtcp 25,79 replay these TCP ports as well (playback)
+ -B 36,42, --playudp 36,42 replay these UDP ports as well (playback)
+ -l 7,79, --htmltcp 7,79 Create HTML for these TCP ports as well
+ -L 7,123, --htmludp 7,123 Create HTML for these UDP ports as well
+ -m 1k, --min 1k Min size of connection to save ("k" for Kb)
+ -M 1024k, --max 1k Max size of connection to save ("k" for Kb)
+ -o size, --sort size sort Order: time/size/type/ip (Default time)
+ -p 21,23, --port 21,23 Only examine these ports (TCP & UDP)
+ -P 80,81, --noport 80,81 Exclude these ports (TCP & UDP)
+ -s 5, --runonce 5 Standalone. Run tcpdump/snoop for 5 mins.
+ -S 5,10, --runmany 5,10 Standalone, many. 10 samples of 5 mins each.
+ -S 5, --runmany 5 Standalone, endless. 5 min samples forever.
+ -z, --runredo Standalone, redo. Rereads last run's logs.
+ -j 10.1.2.1, --ipaddr 10.1.2.1 Only examine these IPs
+ -J 10.1.2.1, --noipaddr 10.1.2.1 Exclude these IPs
+ -f 'port 7', --filter 'port 7' With standalone, use this dump filter.
+OUTPUT FILES
+ index.html Html index (full details)
+ index.text Text index
+ index.file File index for standalone redo mode
+ image.html HTML report of images
+ getpost.html HTML report of HTTP GET/POST requests
+ session_0001.info Info file describing TCP session #1
+ session_0001.telnet.html HTML coloured 2-way capture (time sorted)
+ session_0001.telnet.raw Raw data 2-way capture (time sorted)
+ session_0001.telnet.raw1 Raw 1-way capture (assembeled) server->client
+ session_0001.telnet.raw2 Raw 1-way capture (assembeled) client->server
+ session_0002.web.html HTML coloured 2-way
+ session_0002.part_01.html HTTP portion of the above, a HTML file
+ session_0003.web.html HTML coloured 2-way
+ session_0003.part_01.jpeg HTTP portion of the above, a JPEG file
+ session_0004.web.html HTML coloured 2-way
+ session_0004.part_01.gif HTTP portion of the above, a GIF file
+ session_0005.part_01.ftp-data.gz An FTP transfer, a gz file.
+CONVENTIONS
+ session_* TCP Sessions
+ stream_* UDP Streams
+ icmp_* ICMP packets
+ index.html HTML Index
+ index.text Text Index
+ index.file File Index for standalone redo mode only
+ image.html HTML report of images
+ getpost.html HTML report of HTTP GET/POST requests
+ *.info Info file describing the Session/Stream
+ *.raw Raw data 2-way capture (time sorted)
+ *.raw1 Raw 1-way capture (assembeled) server->client
+ *.raw2 Raw 1-way capture (assembeled) client->server
+ *.replay Session replay program (perl)
+ *.partial.* Partial capture (tcpdump/snoop were aware of drops)
+ *.hex.html 2-way Hex dump, rendered in coloured HTML
+ *.hex.text 2-way Hex dump in plain text
+ *.X11.replay X11 replay script (talks X11)
+ *.textX11.replay X11 communicated text replay script (text only)
+ *.textX11.html 2-way text report, rendered in red/blue HTML
+ *.keydata Keystroke delay data file. Used for SSH analysis.
+MODES
+ Normal eg "chaosreader infile", this is where a tcpdump/snoop file
+ was created previously and chaosreader reads and processes it.
+ Standalone once eg "chaosreader -s 10" this is where chaosreader
+ runs tcpdump/snoop and generates the log file, in this case for 10 i
+ minutes, and then processes the result. Some OS's may not have
+ tcpdump or snoop available so this will not work (instead you may be
+ able to get Ethereal, run it, save to a file, then use normal mode).
+ There is a master index.html and the report index.html in a sub dir,
+ which is of the format out_YYYYMMDD-hhmm, eg "out_20031003-2221".
+ Standalone, many eg "chaosreader -S 5,12", this is where chaosreader
+ runs tcpdump/snoop and generates many log files, in this case it
+ samples 12 times for 5 minutes each. While this is running, the master
+ index.html can be viewed to watch progress, which links to minor
+ index.html reports in each sub directory.
+ Standalone, redo eg "chaosreader -ve -z", (the -z), this is where
+ a standalone capture was previously performed - and now you would like
+ to reprocess the logs - perhaps with different options (in this case,
+ "-ve"). It reads index.file to determine which capture logs to read.
+ Standalone, endless eg "chaosreader -S 5", like standalone many -
+ but runs forever (if you ever had the need?). Watch your disk space!
+
+ Note: this is a work in progress, some of the code is a little unpolished.
+ADVICES
+ * Run chaosreader in an empty directory.
+ * Create small packet dumps. Chaosreader uses around 5x the dump size
+ in memory. A 100Mb file could need 500Mb of RAM to process.
+ * Your tcpdump may allow "-s0" (entire packet) instead of "-s9000".
+ * Beware of using too much disk space, especially standalone mode.
+ * If you capture too many small connections giving a huge index.html,
+ try using the -m option to ignore small connections. eg "-m 1k".
+ * snoop logs may actually work better. Snoop logs are based on RFC1761,
+ however there are many varients of tcpdump/libpcap and this program
+ cannot read them all. If you have Ethereal you can create snoop logs
+ during the "save as" option. On Solaris use "snoop -o logfile".
+ * tcpdump logs may not be portable between OSs that use different sized
+ timestamps or endian.
+ * Logs are best created in a memory filesystem for speed, usually /tmp.
+ * For X11 or VNC playbacks, first practise by replaying a recent captured
+ session of your own. The biggest problem is colour depth, your screen
+ must match the capture. For X11 check authentication (xhost +), for
+ VNC check the viewers options (-8bit, "Hextile", ...)
+ * SSH analysis can be performed with the "sshkeydata" program as
+ demonstrated on http://www.brendangregg.com/sshanalysis.html .
+ chaosreader provides the input files (*.keydata) that sshkeydata
+ analyses.
+BUGS
+ * The following assumptions may cause problems (check for new vers);
+ * A lower port number = the service type. Eg with ports 31247 and 23,
+ the actual type of session is telnet (23). This may not work for
+ some things (eg, VNC).
+ * Time based order is more important for 2-way sessions (eg telnet),
+ SEQ order is more import for 1-way transfers (eg ftp-data).
+ * One particular TCP session isn't active for long enough that the SEQ
+ number loops (or even wraps).
+EXAMPLES
+ * Example 1:
+
+ tcpdump \-s9000 \-w out1; chaosreader out1; netscape index.html
+
+ or,
+
+ snoop -o out1; chaosreader out1; netscape index.html
+
+ or,
+
+ ethereal (save as "out1"); chaosreader out1; netscape index.html
+
+ or,
+
+ chaosreader -s 5; netscape index.html
+
+ * Example 2:
+
+ tcpdump \-s9000 \-w output1 # create tcpdump capture file
+
+ chaosreader output1 # extract recognised sessions, or,
+
+ chaosreader \-ve output1 # gimme everything, or,
+
+ chaosreader \-p 20,21,23 output1 # only ftp and telnet...
+
+ * Example 3:
+
+ snoop \-o output1 # create snoop capture file instead
+
+ chaosreader output1 # extract recognised sessions...
+
+ * Example 4:
+
+ chaosreader \-S 2,5 # Standalone, sniff network 5 times for 2 mins
+ # each. View index.html for progress (or .text)
+SEE ALSO
+ tcpdump(8), chaosreader help page.
+AUTHORS
+ chaosreader was written by Brendan Gregg.
+
+ This manual page was written by Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>, using txt2man, for the Debian project (but may be used by others). The base of this text was caught off chaosreader source code.
+
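Review bot: the examples escape dashes inconsistently: `tcpdump \-s9000 \-w out1` and `chaosreader \-ve output1` carry a backslash while `snoop -o out1` and `chaosreader -s 5; netscape index.html` do not, and the generated page shows the effect (txt2man bolds the unescaped `-o` in the snoop line but leaves `\-s9000` plain); pick one form for all examples. Fix the wording here at the source: the stray `i` in "for 10 i" / "minutes", "assembeled", "varients", the `-M 1024k, --max 1k` example, "export it to html format" (the sessions are plural and HTML is an initialism), and the sentence "Chaosreader reports such as image reports and HTTP GET/POST content reports", which has no verb and should be checked against the upstream help text before rewriting. `ADVICES` is not an English heading; `NOTES` or `ADVICE` reads better. One caveat deserves a sentence in that section: the X11 tip "check authentication (xhost +)" disables X access control for every host that can reach the display, so the page should tell the reader to restore it with `xhost -` once the replay is done.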
diff --git a/debian/man/header.txt b/debian/man/header.txt
new file mode 100644
index 0000000..e4281b0
--- /dev/null
+++ b/debian/man/header.txt
@@ -0,0 +1 @@
+.TH CHAOSREADER "1" "Dec 2013" "CHAOSREADER 0.94" "trace network sessions and export it to html format"
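Review bot: `.TH` takes `title section date source manual`; the fifth field here is the one-line description ("trace network sessions and export it to html format"), which groff prints as the page's centred header, while that text belongs only in NAME. Use a manual name such as `User Commands` for the fifth field; the fourth (`CHAOSREADER 0.94`) is conventionally the project name and version as written by upstream, e.g. `chaosreader 0.94`.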
diff --git a/debian/manpages/chaosreader.1 b/debian/manpages/chaosreader.1
deleted file mode 100644
index 5a629b4..0000000
--- a/debian/manpages/chaosreader.1
+++ /dev/null
@@ -1,34 +0,0 @@
-.TH "CHAOSREADER" 1 "August 23, 2008" ""
-
-.SH NAME
-.P
-chaosreader \- trace network sessions and export it to html format
-
-.SH DESCRIPTION
-.P
-Chaosreader traces TCP/UDP/others sessions and fetches application data from
-snoop or tcpdump logs. This is a type of "any\-snarf" program, as it will
-fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG etc) and
-SMTP emails from the captured data inside network traffic logs. A html index
-file is created to that links to all the session details, including realtime
-replay programs for telnet, rlogin, IRC, X11 and VNC sessions. Chaosreader
-reports such as image reports and HTTP GET/POST content reports.
-
-.P
-Chaosreader can also run in standalone mode, where it invokes tcpdump to
-create the log files and then processes them.
-
-.SH SEE ALSO
-.P
-tcpdump(8), chaosreader help page.
-
-.SH AUTHORS
-.P
-\fBchaosreader\fR was written by Brendan Gregg.
-
-.P
-This manual page was written by Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>, using txt2tags (http://txt2tags.sourceforge.net), for the Debian project (but may be used by others).
-
-
-.\" man code generated by txt2tags 2.3 (http://txt2tags.sf.net)
-.\" cmdline: txt2tags -t man chaosreader.1.t2t
diff --git a/debian/rules b/debian/rules
index f71237e..f6f9086 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,9 +1,9 @@
#!/usr/bin/make -f
+#export DH_VERBOSE=1
%:
- dh ${@} --parallel
+ dh $@ --parallel
override_dh_auto_install:
install -D -m 0755 chaosreader0.94 debian/chaosreader/usr/bin/chaosreader
-
dh_installchangelogs debian/upstream.changelog
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 0000000..2bb4336
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1,2 @@
+# The upstream didn't provide a PGP/GPG signature.
+chaosreader source: debian-watch-may-check-gpg-signature
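Review bot: the comment records why the tag is overridden, which is good practice, but the override silences the warning without compensating for it: with no upstream signature, uscan cannot verify what it downloads, and the watch file fetches the script over plain `http://sf.net/chaosreader/...`, so neither a signature nor transport integrity protects the upstream source. Until upstream signs releases, point the watch file at an https URL where the host supports one, and note in README.source how the imported file was checked against the upstream download.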
diff --git a/debian/watch b/debian/watch
index cae27b3..15170bb 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,2 +1,2 @@
version=3
-http://sf.net/chaosreader/chaosreader(.*)
+http://sf.net/chaosreader/chaosreader(\d\S*)
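Review bot: `chaosreader(\d\S*)` is an improvement over `(.*)`, which also matched an empty string and any suffix, but `\S*` still captures everything non-blank after the first digit; since the upstream download is the bare script `chaosreader0.94` (see the `install ... chaosreader0.94` line in debian/rules), `chaosreader(\d[\d.]*)` captures exactly the version and will not swallow an extension if upstream ever publishes an archive instead.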
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/chaosreader.git