From: Igor K. <igo...@gm...> - 2015-08-17 15:25:26
Hi All,

My name is Igor. I just found OpenFPC and am evaluating it. It looks like a very good tool. I successfully installed it on Ubuntu 14.4 with Perl 5.18. I have installed OpenFPC-master, so it is the latest code.

Now I would like to find out if there is more documentation besides the files I could find under the docs directory. For example, INSTALL.md refers to the USAGE document, but I was not able to find it anywhere.

I am looking for usage beyond the basics, just to find out what my advanced options are. For example, the openfpc-dbmaint.sh script is also able to create the gui database; I wonder what it is for?

OpenFPC looks to be very powerful; I just would like to understand it as best I can. I would so much appreciate any replies.

Many thanks,
Igor.
From: Leon W. <le...@le...> - 2015-08-17 15:51:20
Hi,

Documentation is really one of the places that really needs some extra focus. The best docs I can point you to are in that folder, plus there is some out-of-date info on my blog http://www.leonward.com. I actually delivered a presentation at Defcon last weekend all about OpenFPC. I have forwarded the slides separately. Hopefully that will help as well.

As for your specific question about OpenFPC GUI: that's actually now been deprecated, as it's no longer relevant for how it functions in a distributed manner. The OpenFPC-Chrome Extension will be the next best thing for interacting with the QueueDaemon remotely in a GUI-like way.

Cheers,
-L

_______________________________________________
Openfpc-users mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openfpc-users
From: Igor K. <igo...@gm...> - 2015-08-18 17:21:22
Hi Leon, all,

I have one more question, please. Based on the documentation, the following line in the openfpc config file restricts the space usage of captured data to 50 percent:

    PCAP_SPACE=50

So, if the data size exceeds 50 percent, will old files be deleted automatically? Will openfpc also delete the old MySQL session tables?

Many thanks and all the best!
-Igor.
From: Leon W. <le...@le...> - 2015-08-18 17:29:17
Actually it won't. It will only remove the oldest PCAP file. It's best to keep those PCAP files on their own partition.

The old flow records in mysql actually get removed automatically based on the oldest packet in the store. So you won't have records that are older than the pcaps.

-L
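The retention behaviour described in this reply, modelled as an added example (not OpenFPC's own code): when the store exceeds PCAP_SPACE percent of its partition only the oldest PCAP files are evicted, and session records that start before the oldest packet still on disk are pruned. The partition size, file list and session records are constructed; the field names are assumptions.

```python
"""Model of PCAP_SPACE retention as described on the list: evict the
oldest PCAP files until usage is back under the percentage, never anything
else; then drop session records older than the oldest remaining packet.
Added illustration, not OpenFPC code.  All sample data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PcapFile:
    name: str
    size: int              # bytes on disk
    first_packet: datetime # timestamp of the first packet in the file


@dataclass(frozen=True)
class SessionRecord:
    session_id: int
    start: datetime


def plan_eviction(files, partition_bytes, pcap_space_pct):
    """Return (deleted, kept): kept files occupy at most pcap_space_pct
    percent of partition_bytes; victims are chosen oldest-first."""
    if not 0 < pcap_space_pct <= 100:
        raise ValueError("PCAP_SPACE must be a percentage in (0, 100]")
    limit = partition_bytes * pcap_space_pct // 100
    kept = sorted(files, key=lambda f: f.first_packet)
    used = sum(f.size for f in kept)
    deleted = []
    while used > limit and kept:
        victim = kept.pop(0)      # the oldest PCAP file goes first
        used -= victim.size
        deleted.append(victim)
    return deleted, kept


def prune_sessions(sessions, kept_files):
    """Drop session records that start before the oldest packet on disk,
    so no record outlives the packets that back it.  With no PCAP files
    left, no record is backed by packets and all are dropped."""
    if not kept_files:
        return []
    oldest_packet = min(f.first_packet for f in kept_files)
    return [s for s in sessions if s.start >= oldest_packet]


def usage_pct(files, partition_bytes):
    """Percentage of the partition occupied by the given files."""
    return 100 * sum(f.size for f in files) / partition_bytes


# Constructed store: a 1 GiB partition holding seven hourly 100 MiB captures
# (700 MiB, i.e. above PCAP_SPACE=50) and one session record every 30 minutes.
T0 = datetime(2015, 8, 18, 10, 0)
MIB = 1024 * 1024
PARTITION = 1024 * MIB
SAMPLE_FILES = [PcapFile(f"openfpc-{i}.pcap", 100 * MIB, T0 + timedelta(hours=i))
                for i in range(7)]
SAMPLE_SESSIONS = [SessionRecord(i, T0 + timedelta(minutes=30 * i))
                   for i in range(14)]

if __name__ == "__main__":
    deleted, kept = plan_eviction(SAMPLE_FILES, PARTITION, 50)
    print("evict:", [f.name for f in deleted])
    print("usage after eviction: %.1f%%" % usage_pct(kept, PARTITION))
    print("session records left:", len(prune_sessions(SAMPLE_SESSIONS, kept)))
```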
From: Igor K. <igo...@gm...> - 2015-08-20 21:16:08
Hi Leon,

I need your help once again, please. I got the following problem and spent several hours trying to solve it.

When making the API call to fetch the pcap data, I am getting the data in pcapng format. OpenFPC is using mergecap to merge pcap files, and by default mergecap creates the output in pcapng format instead of pcap.

I have changed the following line in the openfpc-default.conf file:

    MERGECAP=/usr/bin/mergecap -F pcap

This helped when I use the openfpc-client command to create pcap files; however, when I use curl to fetch the data I still receive the output in pcapng format.

    curl -k 192.168.145.20:4222/api/1/fetch?apikey=38A69684-41F6-11E5-B47F-C061B4CE8A48\&stime=20150818%2010:00\&etime=20150818%2010:30\&dpt=22 > list.pcap
    cat list.pcap|tshark -i-
    Capturing on 'Standard input'
    tshark: Unrecognized libpcap format

It looks like in the case of an API call the mergecap utility is not used at all, and I was not able to find in the code how merging is done in this case.

Could you please help me? Is it possible to make the fetch API call return the data in pcap format?

Thanks so much!
Igor
From: Leon W. <le...@le...> - 2015-08-20 22:23:33
What's your platform, version of mergecap etc.? Also, if you run '$ file list.pcap', what does it say?

-L
From: Igor K. <igo...@gm...> - 2015-08-21 00:01:25
Also sending my reply to the list; sorry, I forgot to include it.

From: Igor Kaplan [mailto:igo...@gm...]
Sent: Thursday, August 20, 2015 6:44 PM
To: 'Leon Ward'
Subject: RE: [Openfpc-users] Openfpc usage

Version of mergecap:

    Mergecap 1.10.6 (v1.10.6 from master-1.10)

Linux is Ubuntu 14.04.2 LTS.

    file list.pcap
    list.pcap: pcap-ng capture file - version 1.0

Thanks.
From: Igor K. <igo...@gm...> - 2015-08-21 00:18:09
Hi all,

Sorry for my last message. Everything is fine now. It was completely my fault: I was connecting to the wrong IP address! The -F switch for the mergecap utility fixed the problem.

Thanks.
From: Leon W. <le...@le...> - 2015-08-21 10:22:40
Hi,

I found this interesting, and I hadn't noticed that mergecap had moved to default to pcap-ng. It's clear that Snort and tcpdump both work with it fine (at least on the systems I use here). Tshark is able to read the pcapng file, just not from STDIN. I've never tried to pipe something to tshark like this before, so I don't know the limitations. pcapng is also the new standard format for all wireshark (as of 1.8, according to the Internets), including tshark. Is it tshark you're specifically trying to use, and is there a reason why you can't open the file via -r?

    lward@openfpc:~/openfpc$ tshark -h |grep stdin
      -r <infile>              set the filename to read from (no pipes or stdin!)

Glad that there is a simple fix for you, but I'm asking all of these questions to work out if I should make this change by default.
From: Igor K. <igo...@gm...> - 2015-08-21 13:05:39
|
Hi Leon,

Yes, I also noticed that tshark will accept the pcap_ng file with -r. However it is more convenient for me to pipe the output of curl to tshark directly, something like curl …|tshark -i-

I have tried it with tshark 1.10, the default one which is installed on Ubuntu 14.04. While being absolutely fine as tshark -r file_name, it did not want to process pcap_ng files from stdin.

I am glad that the simple config file change was able to fix it for me.

Many thanks once again.

-Igor

From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
Sent: Friday, August 21, 2015 6:23 AM
To: Igor Kaplan
Cc: ope...@li...
Subject: Re: [Openfpc-users] Openfpc usage

Hi,

I found this interesting and I hadn't noticed that mergecap had moved to default to pcap-ng. It's clear that Snort and tcpdump both work with it fine (at least on the systems I use here). Tshark is able to read the pcapng file, just not from STDIN. I've never tried to pipe something to tshark like this before so I don't know the limitations. pcapng is also the new standard format for all of Wireshark (as of 1.8, according to the Internets) including tshark.

Is it tshark you're specifically trying to use, and is there a reason why you can't open the file via -r?

lward@openfpc:~/openfpc$ tshark -h |grep stdin
  -r <infile>              set the filename to read from (no pipes or stdin!)

Glad that there is a simple fix for you, but I'm asking all of these questions to work out if I should make this change by default.

On Fri, Aug 21, 2015 at 1:17 AM, Igor Kaplan <igo...@gm...> wrote:
Hi all,

Sorry for my last message. Everything is fine now. It was completely my fault. Was connecting to the wrong ip address!

The -F switch for the mergecap utility fixed the problem.

Thanks.

From: Igor Kaplan [mailto:igo...@gm...]
Sent: Thursday, August 20, 2015 5:16 PM
To: 'Leon Ward'
Cc: ope...@li...
Subject: RE: [Openfpc-users] Openfpc usage

Hi Leon,

Need your help please once again.
Got the following problem and spent several hours trying to solve it.

When making the API call to fetch the pcap data I am getting the data in pcapng format. OpenFPC is using mergecap to merge pcap files, and by default mergecap creates the output in pcapng format instead of pcap.

I have changed the following line in the openfpc-default.conf file:
MERGECAP=/usr/bin/mergecap -F pcap

This helped when I use the openfpc-client command to create pcap files, however when I use curl to fetch the data I still receive the output in pcapng format.

curl -k 192.168.145.20:4222/api/1/fetch?apikey=38A69684-41F6-11E5-B47F-C061B4CE8A48\&stime=20150818%2010:00\&etime=20150818%2010:30\&dpt=22 > list.pcap
cat list.pcap|tshark -i-
Capturing on 'Standard input'
tshark: Unrecognized libpcap format

Looks like in the case of the API call the mergecap utility is not used at all. And I was not able to find in the code how merging is done in this case.

Could you please help me. Is it possible to make the fetch API call return the data in pcap format?

Thanks so much!

Igor

From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
Sent: Tuesday, August 18, 2015 1:29 PM
To: Igor Kaplan
Cc: ope...@li...
Subject: Re: [Openfpc-users] Openfpc usage

Actually it won't. It will only remove the oldest PCAP file. It's best to keep those PCAP files on their own partition.
The old flow records in mysql actually get removed automatically based on the oldest packet in the store. So you won't have records that are older than the pcaps.

-L

On Tue, Aug 18, 2015 at 6:21 PM, Igor Kaplan <igo...@gm...> wrote:
Hi Leon, all,

I have one more question please.

Based on the documentation the following line in the openfpc config file restricts the space usage of captured data to 50 percent:
PCAP_SPACE=50

So, if the data size exceeds 50 percent, will old files be deleted automatically?
Will openfpc also delete the old MySQL session tables?

Many thanks and all the best!

-Igor.

From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
Sent: Monday, August 17, 2015 11:51 AM
To: Igor Kaplan
Cc: ope...@li...
Subject: Re: [Openfpc-users] Openfpc usage

Hi,

Documentation is really one of the places that really needs some extra focus.

The best docs I can point you to are in that folder, plus there is some out-of-date info on my blog http://www.leonward.com.
I actually delivered a presentation at Defcon last weekend all about OpenFPC. I have forwarded the slides separately. Hopefully that will help as well.

As for your specific question about the OpenFPC GUI: that's actually now been deprecated as it's no longer relevant for how it functions in a distributed manner. The OpenFPC-Chrome Extension will be the next best thing for interacting with the QueueDaemon remotely in a GUI-like way.

Cheers,

-L

On Mon, Aug 17, 2015 at 4:25 PM, Igor Kaplan <igo...@gm...> wrote:
Hi All,

My name is Igor. I just found OpenFPC and am evaluating it. It looks like a very good tool.
I successfully installed it on Ubuntu 14.4 with Perl 5.18.
I have installed OpenFPC-master, so it is the latest code.

Now I would like to find out if there is more documentation besides the files which I could find under the docs directory.
For example the INSTALL.md refers to the USAGE document, however I was not able to find it anywhere.

I am looking for usage other than basic, just to find out what my advanced options are.

For example the openfpc-dbmaint.sh script is also able to create the gui database; I wonder what it is for?

OpenFPC looks to be very powerful, I just would like to understand it as best as I can.

Would so much appreciate any replies.

Many thanks.

Igor.

------------------------------------------------------------------------------
_______________________________________________
Openfpc-users mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openfpc-users
|
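The "Unrecognized libpcap format" error in this thread comes from piping a pcapng file into a tshark that only reads pcapng via -r. As an added example (not OpenFPC code and not from any of the posts), the script below classifies a fetched capture by its first four bytes so a wrapper can choose between `tshark -i -` and `tshark -r`, or a `mergecap -F pcap` conversion, before piping; it goes a little beyond the thread by also recognising the big-endian and nanosecond-timestamp pcap magics. The sample files are constructed headers, not real captures.

```shell
#!/bin/sh
# Added example, not OpenFPC code: classify a capture file by its magic bytes.
# Classic pcap magics as stored on disk:
#   d4c3b2a1 / a1b2c3d4   little/big endian, microsecond timestamps
#   4d3cb2a1 / a1b23c4d   little/big endian, nanosecond timestamps
# pcapng files start with a Section Header Block whose block type is 0a0d0d0a.
capture_format() {
    # od -N4 reads at most four bytes; a shorter or missing file yields fewer
    # hex pairs (or nothing) and falls through to "unknown".
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) echo pcap ;;
        0a0d0d0a) echo pcapng ;;
        *) echo unknown ;;
    esac
}

# Succeeds only for files that the thread's "cat file | tshark -i -" can read.
stdin_safe() {
    [ "$(capture_format "$1")" = pcap ]
}

# Constructed sample headers (not real captures): only the first four bytes
# matter for this check, the rest is ASCII filler.
tmpdir=$(mktemp -d)
printf '\324\303\262\241FILLER' > "$tmpdir/classic.pcap"   # d4c3b2a1
printf '\241\262\074\115FILLER' > "$tmpdir/nano_be.pcap"   # a1b23c4d
printf '\012\015\015\012FILLER' > "$tmpdir/fetched.pcapng" # 0a0d0d0a
printf 'GET' > "$tmpdir/short.bin"                          # too short

for f in classic.pcap nano_be.pcap fetched.pcapng short.bin; do
    printf '%s: %s\n' "$f" "$(capture_format "$tmpdir/$f")"
done
```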