farsightsec / nmsg
network message encapsulation library
License: Apache License 2.0
Explicitly specify the protocol version?
GEN nmsg/nmsg.pb-c.c
[libprotobuf WARNING google/protobuf/compiler/parser.cc:547] No syntax
specified for the proto file: nmsg/nmsg.proto. Please use 'syntax =
"proto2";' or 'syntax = "proto3";' to specify a syntax version. (Defaulted
to proto2 syntax.)
...
GEN nmsg/base/dnstap.pb-c.c
[libprotobuf WARNING google/protobuf/compiler/parser.cc:547] No syntax
specified for the proto file: nmsg/base/dnstap.proto. Please use 'syntax =
"proto2";' or 'syntax = "proto3";' to specify a syntax version. (Defaulted
to proto2 syntax.)
nmsg_output_set_buffered() is ignorant of nmsg_output_type_json and therefore does not allow the option of unbuffering JSON output objects (ostensibly via nmsgtool's --unbuffered option).
It may be possible to optimize the BPF that we generate for IPv6 traffic so that it only matches port 53 traffic, similar to what we do for IPv4, given a new enough libpcap. (The BPF program must execute in the kernel, though.)
presentation default is default and no -V and -T are required.
-o option in manual says -V and -T are required, but -o works without them.
New SIE customers typically get a tutorial session on how to read NMSG data, and I typically start by using nmsgtool presentation output to demonstrate. When they are ready to do script or C programming, I refer to the examples that come with the source and compare it to nmsgtool functionality. I typically download the latest source file (nmsg-$version.tar.gz) and extract the examples/ subdirectory. During installation it may be a good idea to have the examples/ subdirectory copied to a system documentation area like /usr/local/share/doc/nmsg or /usr/share/doc/nmsg so that they're available to reference without extra work.
It's possible that we don't need to install the examples/ if we know that github or some other online place will be available (for example: https://github.com/farsightsec/nmsg/tree/master/examples). Thoughts?
The same request would apply to python-nmsg script examples and maybe Perl Net::Nmsg script examples, but I thought I'd try asking for nmsg first. If there's consensus that it's a good idea for nmsg, I'll reach out for the others.
Thanks,
Eric Ziegast
The flags for JSON operation appear in the command help, but are absent from the manpage.
This ticket is for adding some missing documentation to the nmsgtool manual:
-B --byterate
-X --readxchan
--readif (optional for -i)
-D --daemon
-P --pidfile
-U --username
-v --version
--unbuffered
Maybe while there alphabetize the options?
Also document the environment variables:
NMSG_BPF environment variable sets c->bpfstr (same as -b or --bpf)
NMSG_KICKER sets c->kicker (same as -k or --kicker)
These both override corresponding command line options.
NMSG_MSGMOD_DIR overrides the default directory for finding message modules. Later this could be in a nmsg.3 manual.
And either put into this manual the base environment variable settings. (I am fine with doing a new man page for this but since these are builtin, same manual is fine with me for now. Or it could be moved to a new nmsg.3 manual):
DNSQR_CAPTURE_QR
DNSQR_CAPTURE_RD
DNSQR_ZERO_RESOLVER_ADDRESS
DNSQR_STATE_TABLE_MAX
DNSQR_QUERY_TIMEOUT
DNSQR_AUTH_ADDRS
DNSQR_RES_ADDRS
DNSQR_FILTER_QNAMES_INCLUDE
DNSQR_FILTER_QNAMES_EXCLUDE
It looks like a change was made to the .so plugin install path between nmsg-msg9-module-base versions 0.14.0-1+fsi9 (/usr/lib/nmsg/) and 0.15.0-1+fsi9 (/usr/lib/x86_64-linux-gnu/nmsg/):
version 0.14.0-1+fsi9
# dpkg --list | grep nmsg-msg9-module-base
ii nmsg-msg9-module-base 0.14.0-1+fsi9 amd64 base message module plugin for libnmsg
# dpkg --listfiles nmsg-msg9-module-base
/.
/usr
/usr/lib
/usr/lib/nmsg
/usr/lib/nmsg/nmsg_msg9_base.so
/usr/share
/usr/share/doc
/usr/share/doc/nmsg-msg9-module-base
/usr/share/doc/nmsg-msg9-module-base/changelog.Debian.gz
/usr/share/doc/nmsg-msg9-module-base/changelog.gz
/usr/share/doc/nmsg-msg9-module-base/copyright
version 0.15.0-1+fsi9
# dpkg --list | grep nmsg-msg9-module-base
ii nmsg-msg9-module-base 0.15.0-1+fsi9 amd64 base message module plugin for libnmsg
# dpkg --listfiles nmsg-msg9-module-base
/.
/usr
/usr/lib
/usr/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu/nmsg
/usr/lib/x86_64-linux-gnu/nmsg/nmsg_msg9_base.so
/usr/share
/usr/share/doc
/usr/share/doc/nmsg-msg9-module-base
/usr/share/doc/nmsg-msg9-module-base/changelog.Debian.gz
/usr/share/doc/nmsg-msg9-module-base/changelog.gz
/usr/share/doc/nmsg-msg9-module-base/copyright
It appears to me that nmsgtool 0.15.0-1+fsi9 only loads plugins from /usr/lib/nmsg/, and is not finding the base module installed in /usr/lib/x86_64-linux-gnu/nmsg:
# dpkg --list | grep nmsgtool
ii nmsgtool 0.15.0-1+fsi9 amd64 network message encapsulation tool
# dpkg --search /usr/bin/nmsgtool
nmsgtool: /usr/bin/nmsgtool
# /usr/bin/nmsgtool --version
_nmsg_msgmodset_init: unable to opendir /usr/lib/nmsg: No such file or directory
nmsgtool: unable to initialize libnmsg
# ln -s /usr/lib/x86_64-linux-gnu/nmsg /usr/lib/nmsg
# /usr/bin/nmsgtool --version
nmsgtool: version 0.15.0
I find myself in a scenario where I'd like to capture 24 1-hour files for a DITL. The Kicker mode works fine if I'm willing to limit my file-size by (-c) number of records. How about allowing me to trigger kicking on (-t) the passage of time?
The JSON code appears to not properly handle the -t option.
If you try to compile nmsg against yajl 2.0.x (tested with 2.0.4) you will get a linking error with an undefined reference to yajl_gen_reset
The relevant configure.ac entry that needs to be updated is
AC_ARG_WITH([yajl], AS_HELP_STRING([--without-yajl], [Disable yajl support]))
if test "x$with_yajl" != "xno"; then
PKG_CHECK_MODULES([yajl], [yajl >= 2])
AC_DEFINE([HAVE_YAJL], [1], [Define to 1 if yajl support is enabled.])
use_yajl="true"
else
use_yajl="false"
fi
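The linking error above is a missing-symbol problem, so the most robust configure-time fix is to probe for the symbol itself rather than guess at a version floor. The fragment below is an added example (not the project's configure.ac) that keeps the existing PKG_CHECK_MODULES call and adds an AC_CHECK_LIB test for yajl_gen_reset(); the error message text is an assumption.

```m4
dnl Added example, not nmsg's own configure.ac: feature-test the symbol
dnl that fails to link instead of relying only on "yajl >= 2".
AC_ARG_WITH([yajl], AS_HELP_STRING([--without-yajl], [Disable yajl support]))
if test "x$with_yajl" != "xno"; then
    PKG_CHECK_MODULES([yajl], [yajl >= 2])
    dnl Link against the pkg-config-provided flags while probing.
    save_LIBS="$LIBS"
    LIBS="$yajl_LIBS $LIBS"
    AC_CHECK_LIB([yajl], [yajl_gen_reset], [:],
        [AC_MSG_ERROR([yajl_gen_reset() not found in libyajl: install a newer yajl or configure --without-yajl])])
    LIBS="$save_LIBS"
    AC_DEFINE([HAVE_YAJL], [1], [Define to 1 if yajl support is enabled.])
    use_yajl="true"
else
    use_yajl="false"
fi
```

The `[:]` action-if-found keeps AC_CHECK_LIB from prepending -lyajl to LIBS a second time; yajl_LIBS already carries it. If the release that introduced yajl_gen_reset() is known, raising the PKG_CHECK_MODULES floor to that version is the shorter fix, but the symbol check fails with an explicit message at configure time instead of at link time either way.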
Compiler warning:
nmsg/msgmod/transparent_json.c:171:19: warning: comparison of unsigned
expression < 0 is always false [-Wtautological-compare]
if (enum_value < 0 || enum_value >= enum_descr->...
Hi,
Building nmsg 0.11.1 from source on Mac El Capitan configured w/o yajl, I seem to be hitting a type conflict:
CC nmsg/input.lo
nmsg/input.c:168:1: error: conflicting types for 'nmsg_input_open_json'
nmsg_input_open_json(int fd, nmsg_msgmod_t msgmod) {
^
./nmsg/input.h:173:1: note: previous declaration is here
nmsg_input_open_json(int fd);
^
1 error generated.
make[1]: *** [nmsg/input.lo] Error 1
make: *** [all] Error 2
FYI.
Thanks and regards,
Joe
README.md says:
"Questions about libnmsg, nmsgtool, pynmsg, the development of libnmsg client programs or language bindings, or the NMSG binary protocol should be directed to the nmsg-dev mailing list: https://lists.farsightsecurity.com/mailman/listinfo/nmsg-dev"
but:
$ host !$
host lists.farsightsecurity.com
Host lists.farsightsecurity.com not found: 3(NXDOMAIN)
where did it go? (asking because I have a question about python nmsg and debian buster support of same)
the autoconf macro AX_CHECK_DOCBOOK_XSLT_MIN
checks that the non-namespaced version of the DocBook stylesheets can be used:
http://docbook.sourceforge.net/release/xsl/current/...
while the Makefile actually uses the namespaced version:
http://docbook.sourceforge.net/release/xsl-ns/current/...
on debian systems the non-namespaced stylesheets are in the docbook-xsl package while the namespaced stylesheets are in the separate docbook-xsl-ns package, so it is possible for the configure check to succeed while the actual xsltproc invocation to build the manpage fails. the autoconf check needs to be updated in order to check for the namespaced stylesheets.
We're well into the lifecycle of Debian Buster (10.6 even!) could the nmsg stack get debian packages built and published for buster please?
thanks!
Update the README
on how to build and install msgmod/fltmod plugins, etc., per Henry's comments on #41 here: #41 (comment).
Hi,
I have an nmsg file with vendor base and type dnsqr.
When I use 'pres' output (nmsgtool -r file.nmsg -o -) I have full output with all sections (ANSWER, AUTHORITY, etc).
But when I use 'json' output format (nmsgtool -r file.nmsg -J -) I didn't see any answer or authority section data.
Can I get the same data in 'json' output as in 'pres' somehow? It will be very convenient for later processing.
release tarballs currently do not install the nmsgtool(1) manpage if the docbook toolchain (and related dependencies) aren't installed, even though they ship with a compiled doc/docbook/nmsgtool.1 file.
possibly commit doc/docbook/nmsgtool.1 (even though it is a generated file) to the repository, so that dist_man_MANS = doc/docbook/nmsgtool.1 can be made into an unconditional rule (and not dependent on BUILD_MAN).
or possibly come up with a workaround in configure.ac / Makefile.am that installs the nmsgtool.1 file if it's present in the source tree.
there is no public interface exporting the results from seqsrc tracking. possibly we could have the nmsg_input implementation keep aggregate counters and export them via some new functions such as:
/**
* For UDP datagram socket nmsg_input_t objects, retrieve the total
* number of NMSG containers that have been received.
*
* \param[in] input UDP socket based NMSG input object.
* \param[out] count Total number of NMSG containers received by the
* nmsg_input_t object during its lifetime.
*
* \return #nmsg_res_success
* \return #nmsg_res_failure
*/
nmsg_res
nmsg_input_get_count_container_received(nmsg_input_t input,
uint64_t *count);
/**
* For UDP datagram socket nmsg_input_t objects, retrieve the total
* number of NMSG containers that have been dropped. Sequence number
* tracking must have been previously enabled by a call to
* #nmsg_input_set_verify_seqsrc().
*
* \param[in] input UDP socket based NMSG input object.
* \param[out] count Number of NMSG containers determined to have
* been dropped by the nmsg_input_t object since sequence number
* tracking was enabled.
*
* \return #nmsg_res_success
* \return #nmsg_res_failure
*/
nmsg_res
nmsg_input_get_count_container_dropped(nmsg_input_t input,
uint64_t *count);
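To make the proposed counters concrete, here is an added example of the bookkeeping that would sit behind them. It is not libnmsg's implementation: it assumes (hypothetically) that each UDP-delivered container carries a 64-bit sender id ("seqsrc") and a 32-bit sequence number that increments by one per container and wraps, counts a forward gap as that many lost containers, and treats a number at or behind the last one seen as a late or duplicate arrival rather than as loss. The accessor names and the trace data are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libnmsg code: per-seqsrc sequence tracking with
 * aggregate received/dropped counters. Assumptions are hypothetical. */

#define MAX_SEQSRC 64

struct seqsrc_state { uint64_t seqsrc; uint32_t last_seq; int seen; };

struct seq_tracker {
	struct seqsrc_state src[MAX_SEQSRC];
	size_t n_src;
	uint64_t received;  /* every container, gap or not */
	uint64_t dropped;   /* containers inferred lost from gaps */
	uint64_t late;      /* duplicates or containers behind last_seq */
};

static void seq_tracker_init(struct seq_tracker *t) { memset(t, 0, sizeof(*t)); }

static struct seqsrc_state *
seq_tracker_lookup(struct seq_tracker *t, uint64_t seqsrc)
{
	for (size_t i = 0; i < t->n_src; i++)
		if (t->src[i].seqsrc == seqsrc)
			return &t->src[i];
	if (t->n_src >= MAX_SEQSRC)
		return NULL;  /* table full: still counted, no longer tracked */
	struct seqsrc_state *s = &t->src[t->n_src++];
	s->seqsrc = seqsrc; s->last_seq = 0; s->seen = 0;
	return s;
}

/* Account for one container; returns the number newly inferred lost. */
static uint64_t
seq_tracker_observe(struct seq_tracker *t, uint64_t seqsrc, uint32_t seq)
{
	t->received++;
	struct seqsrc_state *s = seq_tracker_lookup(t, seqsrc);
	if (s == NULL)
		return 0;
	if (!s->seen) { s->seen = 1; s->last_seq = seq; return 0; }
	/* Unsigned subtraction is the forward distance modulo 2^32, so a
	 * wrap from 0xFFFFFFFF to 0x00000002 is a gap of 2, not a huge
	 * backwards jump. Anything more than half the space away is behind. */
	uint32_t delta = seq - s->last_seq;
	if (delta == 0 || delta > UINT32_MAX / 2) { t->late++; return 0; }
	s->last_seq = seq;
	uint64_t gap = delta - 1;
	t->dropped += gap;
	return gap;
}

/* Accessors shaped like the proposed nmsg_input_get_count_container_*()
 * calls: 0 on success, -1 on a NULL argument (hypothetical return codes). */
static int
seq_tracker_get_count_received(const struct seq_tracker *t, uint64_t *count)
{
	if (t == NULL || count == NULL) return -1;
	*count = t->received; return 0;
}

static int
seq_tracker_get_count_dropped(const struct seq_tracker *t, uint64_t *count)
{
	if (t == NULL || count == NULL) return -1;
	*count = t->dropped; return 0;
}

/* Constructed trace (not captured data): one gap of two, one clean
 * 32-bit wrap, and one container arriving after its successor. */
static void
run_constructed_trace(uint64_t *received, uint64_t *dropped, uint64_t *late)
{
	static const struct { uint64_t src; uint32_t seq; } trace[] = {
		{ 0x1111, 10 }, { 0x1111, 11 }, { 0x1111, 14 },      /* 12, 13 lost */
		{ 0x2222, 0xFFFFFFFEu }, { 0x2222, 0xFFFFFFFFu },
		{ 0x2222, 0 }, { 0x2222, 1 },                         /* wrap, no loss */
		{ 0x1111, 13 },                                       /* late, not loss */
	};
	struct seq_tracker t;
	seq_tracker_init(&t);
	for (size_t i = 0; i < sizeof(trace) / sizeof(trace[0]); i++)
		seq_tracker_observe(&t, trace[i].src, trace[i].seq);
	seq_tracker_get_count_received(&t, received);
	seq_tracker_get_count_dropped(&t, dropped);
	*late = t.late;
}

int
main(void)
{
	uint64_t r, d, l;
	run_constructed_trace(&r, &d, &l);
	printf("received=%llu dropped=%llu late=%llu\n",
	       (unsigned long long) r, (unsigned long long) d, (unsigned long long) l);
	return 0;
}
```

The one design point worth noting is the modular comparison: without it, a sender whose counter wraps would look like it lost four billion containers, and a reordered datagram would look like a loss that then gets "repaired" by the next in-order one. The late counter is kept separately so an operator can tell loss from reordering, which matters when the numbers feed an alert.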
README.md in nmsg points to http://www.crossroads.io/ which appears to be down. After a lot of searching and bad links, I found a libxs v1.2.0 source blob at
http://ftp.de.debian.org/debian/pool/main/libx/libxs/libxs_1.2.0.orig.tar.gz
Sha256 Checksum: 525dc999cc6524779bc4eef510e423077b7f7ea491cb3ad6d8056ecaf99ff515
Need to update README.md to use it.
Maybe also update README.md to explain why it might be ok to configure --without-ns
Internal jenkins' run with cppcheck reported:
State File Line Severity Type Inconclusive Message
unchanged nmsg/input_frag.c 226 error nullPointer false
Possible null pointer dereference: nmsg - otherwise it is redundant to
check if nmsg is null at line 227
unchanged nmsg/input_nmsg.c 62 error nullPointer false
Possible null pointer dereference: msg - otherwise it is redundant to
check if msg is null at line 63
As new channels have started appearing it's once again becoming obvious that the lack of nmsg documentation is slowing down adoption. While nmsgtool does produce a splash page of options, it lacks examples showing the correct combination of commands/syntax, the required support libraries, where to obtain those libraries and how to read the nmsg binary files with C and python.
I don't consider "source code" as documentation. :)
In summary, documentation regarding nmsg and nmsgtool would be greatly appreciated.
Andy
So it seems that crossroads.io and libxs are pretty much dead. http://www.crossroads.io/ is down again and it's been a year since code was pushed to https://github.com/crossroads-io/libxs. Perhaps we should switch to another, more active, library for the functionality that libxs provides.
The newest release of nmsg has two complaints when building on OS X.
In several places the following warning shows up:
...
In file included from ./nmsg/nmsg.h:93:
./nmsg/input.h:262:15: warning: declaration of 'struct timespec' will not be
visible outside of this function [-Wvisibility]
struct timespec *ts, nmsg_message_t **msg, size_t *n_msg);
^
1 warning generated.
...
This doesn't complain on Linux, just OS X:
...
nmsg/res.c:43:10: warning: comparison of constant 16 with expression of type
'enum nmsg_res' is always true
[-Wtautological-constant-out-of-range-compare]
val <= sizeof(res_strings) / sizeof(char *) &&
~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
...
Both fixes are pushed to my fork and a PR has been issued: mschiffm@8c51879
On NetBSD I saw:
fltmod/nmsg_flt_sample.c: In function 'sample_thread_init':
fltmod/nmsg_flt_sample.c:223:65: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
uint32_t seed = (unsigned) tv.tv_sec + (unsigned) tv.tv_usec + (unsigned) pthread_self();
I didn't see on Linux, both x86_64 architecture. Both with same sizes of pthread_t and unsigned and int and uintptr_t. (My NetBSD gcc is 5.5.0 and debian gcc is 6.3.0.)
My workaround is:
--- a/fltmod/nmsg_flt_sample.c
+++ b/fltmod/nmsg_flt_sample.c
@@ -220,7 +220,7 @@ sample_thread_init(void *mod_data, void **thr_data)
/* Initialize state->xsubi, seed for this thread's random generator. */
struct timeval tv = {0};
gettimeofday(&tv, NULL);
- uint32_t seed = (unsigned) tv.tv_sec + (unsigned) tv.tv_usec + (unsigned) pthread_self();
+ uint32_t seed = (unsigned) tv.tv_sec + (unsigned) tv.tv_usec + (uintptr_t) pthread_self();
memcpy(state->xsubi, &seed, sizeof(seed));
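Review bot: the (uintptr_t) cast on the pthread_self() term silences -Wpointer-to-int-cast, but it also promotes the whole sum to uintptr_t, which is then implicitly narrowed back to 32 bits when stored in `uint32_t seed`; write it as `(uint32_t) (uintptr_t) pthread_self()` so the truncation is explicit and survives -Wconversion. POSIX leaves pthread_t opaque (an integer on Linux, a pointer on NetBSD, which is what the warning shows), so the double cast is the portable way to fold it into an integer; the resulting seed is still time-plus-thread-handle, which is adequate for statistical sampling but not for any setting where an observer must not be able to predict which messages the filter keeps.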
src/process_args.c:45:10: warning: ignoring return value of ‘fchown’, declared with attribute warn_unused_result [-Wunused-result]
Something like: size_t nmsg_message_get_payload_size(nmsg_message_t msg)
This is the only current way to get all instances of a field:
for (val_idx = 0; ; ++val_idx) {
	res = nmsg_message_get_field_by_idx(...val_idx...)
	if (res != nmsg_res_success)
		break;
}
Robert said "There ought to be a better way (maybe some new function) ..."
I added "Another tolerable way might be a new error value for val_idx>max, but that would be less convenient and might be slower than a function that simply returns the maximum."
NMSG data with zero-length string fields presented the following issues on display:
Issues reproduced in nmsg 0.13.0