[Forensics-changes] [chaosreader] 02/02: Imported Debian patch 0.96-1
Joao Eriberto Mota Filho
eriberto at moszumanska.debian.org
Tue Nov 22 23:34:24 UTC 2016
This is an automated email from the git hooks/post-receive script.
eriberto pushed a commit to branch debian
in repository chaosreader.
commit e66c237d2015d365bcb670382f55c914a0f5f14c
Merge: 3ddc530 9d181f3
Author: Joao Eriberto Mota Filho <eriberto at debian.org>
Date: Fri Nov 18 07:56:51 2016 -0200
Imported Debian patch 0.96-1
README.md | 22 +
chaosreader0.94 => chaosreader | 2121 +++++++++++++++++++++++-----------
debian/changelog | 20 +
debian/control | 10 +-
debian/copyright | 30 +-
debian/docs | 1 +
debian/install | 1 +
debian/manpage/chaosreader.1 | 63 +-
debian/manpage/chaosreader.txt | 52 +-
debian/manpage/create-man.sh | 4 +-
debian/patches/10_fix-division.patch | 14 -
debian/patches/20_fix-old-perl.patch | 15 -
debian/patches/series | 2 -
debian/rules | 4 -
debian/upstream.changelog | 78 ++
debian/watch | 3 +-
16 files changed, 1652 insertions(+), 788 deletions(-)
diff --cc debian/changelog
index 80a8bfa,0000000..9b0fa40
mode 100644,000000..100644
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,132 -1,0 +1,152 @@@
++chaosreader (0.96-1) unstable; urgency=medium
++
++ * New upstream release.
++ * New upstream homepage.
++ * debian/control: improved the long description.
++ * debian/copyright:
++ - New upstream licensing: GPL-3+.
++ - Updated several upstream copyright data.
++ - Updated the upstream email addresses.
++ * debian/docs: created to install the README.md file.
++ * debian/install: created to install the final executable.
++ * debian/man/: updated the manpage.
++ * debian/patches/*: removed. The upstream fixed the source code. Thanks!
++ * debian/rules: removed the override_dh_auto_install. Using d/install now.
++ * debian/upstream.changelog: updated.
++ * debian/watch: added a fake site to explain about the current status of
++ the original upstream homepage.
++
++ -- Joao Eriberto Mota Filho <eriberto at debian.org> Fri, 18 Nov 2016 07:56:51 -0200
++
+chaosreader (0.94-8) unstable; urgency=medium
+
+ * Bumped DH level to 10.
+ * debian/control:
+ - Bumped Standards-Version to 3.9.8.
+ - Improved the long description.
+ - Updated the Vcs-* fields to use https instead of http and git.
+ * debian/copyright:
+ - Updated the GPL-2+ text.
+ - Updated the packaging copyright data.
+ * debian/gbp.conf: no longer used by me... Removed.
+ * debian/man/:
+ - Renamed to debian/manpage/.
+ - Changed from genallman.sh to create-man.sh.
+ - Updated the manpage. (Closes: #824434)
+ * debian/patches/:
+ - 01-fix-division.patch:
+ ~ Renamed to 10_fix-division.patch.
+ ~ Added the Last-Update field.
+ - 02-fix-old-perl.patch:
+ ~ Renamed to 20_fix-old-perl.patch.
+ ~ Added the Last-Update field.
+ * debian/rules:
+ - Added the override_dh_installchangelogs target.
+ - Removed the --parallel option from dh.
+ * debian/watch: bumped to version 4.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Mon, 24 Oct 2016 21:22:07 -0200
+
+chaosreader (0.94-7) unstable; urgency=medium
+
+ * Bumped Standards-Version to 3.9.6.
+ * Renamed from debian/chaosreader.manpages to debian/manpages.
+ * debian/man/:
+ - Changed the generator script from genman.sh to genallman.sh.
+ - Renamed header.txt to chaosreader.header.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Sun, 26 Oct 2014 17:30:01 -0200
+
+chaosreader (0.94-6) unstable; urgency=medium
+
+ * New maintainer email address.
+ * debian/control: updated the Vcs-Browser field.
+ * debian/copyright: updated the packaging copyright years.
+ * debian/man/: added genman.sh to automate the manpage creation.
+ * debian/source/lintian-overrides: removed as requested by Paul Wise.
+ Thanks to Paul for explanations about the idea of the GPG sign check.
+ * debian/watch: improved.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Tue, 05 Aug 2014 11:17:26 -0300
+
+chaosreader (0.94-5) unstable; urgency=medium
+
+ * Bumped Standards-Version from 3.9.4 to 3.9.5.
+ * debian/source/: added an override to reply to check-gpg-signature.
+ * debian/copyright: updated the file format and the upstream
+ email address.
+ * debian/gbp.conf: added to allow git-buildpackage usage.
+ * debian/rules: little and insignificant adjustments.
+ * debian/watch: improved.
+ * manpage:
+ - Created the debian/man directory to gather the manpage
+ and the source. So, the debian/chaosreader.manpages was
+ adjusted to point to file at new place.
+ - Removed debian/{chaosreader.1.t2t,manpages}.
+ - The manpage was improved, using information from the
+ source code, and migrated from txt2tags to txt2man.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Fri, 27 Dec 2013 08:49:04 -0200
+
+chaosreader (0.94-4) unstable; urgency=low
+
+ * Bumped debhelper level from 7 to 9.
+ * debian/control:
+ - bumped Standards-Version from 3.8.4 to 3.9.4.
+ - changed from perl to ${perl:Depends} in Depends field
+ to avoid dh_gencontrol warning.
+ - moved tcpdump from Recommends to Suggests.
+ - removed quilt from Build-Depends.
+ - removed screenshot reference from long description.
+ * debian/copyright: updated packaging years.
+ * debian/README.source: removed because it is useless now.
+ * debian/rules:
+ - enabled parallel build.
+ - removed quilt from dh.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Mon, 20 May 2013 13:31:03 -0300
+
+chaosreader (0.94-3) unstable; urgency=low
+
+ * Added the debian/source/format file to show the "3.0 (quilt)" format
+ use in package.
+ * debian/control: updated quilt needed version in Build-Depends field.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Sun, 04 Apr 2010 09:10:11 -0300
+
+chaosreader (0.94-2) UNRELEASED; urgency=low
+
+ * Added the chaosreader.t2t. It is the manpage source.
+ * Added the debian/upstream.changelog file.
+ * Added the README.source file.
+ * Removed the source.lintian-overrides file. All problems are fixed.
+ * debian/control:
+ - Updated debhelper version in Build-Depends field.
+ - Updated Standards-Version from 3.8.2 to 3.8.4.
+ - Updated Vcs-Browser and Vcs-Git fields from debian.net to debian.org.
+ * debian/copyright: Updated the packaging copyright years.
+ * debian/watch: fixed the regular expression. The uscan works fine now.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Mon, 21 Mar 2010 01:40:40 -0300
+
+chaosreader (0.94-1) unstable; urgency=low
+
+ [ Joao Eriberto Mota Filho ]
+ * Initial release (Closes: #496228).
+
+ [ Daniel Baumann ]
+ * Prefixing debhelper files with package name.
+ * Using quilt rather than dpatch.
+ * Simply install target in rules file.
+ * Adding missing targets in rules file to make it policy conformant.
+ * Sorting package relations in control file.
+ * Adding manual depends on perl.
+ * Adding vcs fields in control file.
+ * Forgot to adjust series file.
+ * Adding lintian overrides.
+ * Using dedicated manpage debhelper file to install manpages.
+ * Rewriting copyright file in machine-interpretable format.
+ * Minimizing rules file.
+ * Simplify install target override.
+
+ -- Daniel Baumann <daniel at debian.org> Tue, 28 Jul 2009 14:23:07 +0200
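Review bot: in the 0.96-1 entry, "debian/man/: updated the manpage." points at a directory that no longer exists; the 0.94-8 entry below renamed it to debian/manpage/, and the diffstat at the top of this message lists debian/manpage/chaosreader.1 and debian/manpage/chaosreader.txt, so the line should read "debian/manpage/: updated the manpage." Two smaller wording points in the same entry: "Updated several upstream copyright data." reads better as "Updated the upstream copyright data.", and "added a fake site to explain about the current status of the original upstream homepage" would be clearer as "added a placeholder site with a comment explaining the status of the original upstream homepage", since a reader of the changelog cannot see the watch file (its hunk is not part of this combined diff, only the "debian/watch | 3 +-" line in the stat).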
diff --cc debian/control
index 26d579e,0000000..4326f42
mode 100644,000000..100644
--- a/debian/control
+++ b/debian/control
@@@ -1,29 -1,0 +1,33 @@@
+Source: chaosreader
+Section: net
+Priority: optional
+Maintainer: Debian Forensics <forensics-devel at lists.alioth.debian.org>
+Uploaders: Joao Eriberto Mota Filho <eriberto at debian.org>
+Build-Depends: debhelper (>= 10)
+Standards-Version: 3.9.8
- Homepage: http://chaosreader.sf.net
++Homepage: http://www.brendangregg.com/chaosreader.html
+Vcs-Browser: https://anonscm.debian.org/git/forensics/chaosreader.git
+Vcs-Git: https://anonscm.debian.org/git/forensics/chaosreader.git
+
+Package: chaosreader
+Architecture: all
+Depends: ${misc:Depends}, ${perl:Depends}
+Suggests: tcpdump, wireshark
+Description: trace network sessions and export it to html format
+ Chaosreader traces TCP/UDP/others sessions and fetches application data from
+ snoop or tcpdump logs. This is a type of "any-snarf" program, as it will
+ fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG etc) and
+ SMTP emails from the captured data inside network traffic logs. A html index
+ file is created to that links to all the session details, including realtime
+ replay programs for telnet, rlogin, IRC, X11 and VNC sessions. Chaosreader
+ reports such as image reports and HTTP GET/POST content reports.
+ .
- Chaosreader can also run in standalone mode, where it invokes tcpdump to
- create the log files and then processes them.
++ It also creates replay programs for telnet sessions, so that you can play
++ them back in realtime (or even different speeds).
++ .
++ Chaosreader can also run in standalone mode, where it invokes tcpdump or
++ snoop (a similar to tcpdump program for Solaris) to create the log files
++ and then processes them.
+ .
+ This package is useful for forensics investigations and for network traffic
+ analysis.
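Review bot: the new second paragraph, "It also creates replay programs for telnet sessions, so that you can play them back in realtime", repeats what the first paragraph already says ("including realtime replay programs for telnet, rlogin, IRC, X11 and VNC sessions"), and the first paragraph itself still carries two broken sentences from the old description that this rework is the right moment to fix: "A html index file is created to that links to all the session details" should be "An HTML index file is created that links to all the session details", and "Chaosreader reports such as image reports and HTTP GET/POST content reports." has no verb (suggest "Chaosreader also produces reports such as an image report and an HTTP GET/POST content report."). In the third paragraph, "snoop (a similar to tcpdump program for Solaris)" reads better as "snoop (the Solaris equivalent of tcpdump)". Also worth a second look: the same paragraph says standalone mode invokes tcpdump or snoop, yet tcpdump is only in Suggests; the 0.94-4 changelog entry moved it there deliberately, but Recommends would match the description better.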
diff --cc debian/copyright
index 1156cf8,0000000..e6a4459
mode 100644,000000..100644
--- a/debian/copyright
+++ b/debian/copyright
@@@ -1,29 -1,0 +1,53 @@@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: chaosreader
- Source: http://chaosreader.sf.net
++Upstream-Contact: Brendan Gregg <brendan.d.gregg at gmail.com, bgregg at netflix.com>
++Source: https://github.com/brendangregg/Chaosreader or
++ http://www.brendangregg.com/chaosreader.html
+
+Files: *
- Copyright: 2003-2004 Brendan Gregg <brendan at joyent.com>
- License: GPL-2+
++Copyright: 2003-2014 Brendan Gregg <brendan.d.gregg at gmail.com,
++ bgregg at netflix.com>
++ 2008 Indian Larry
++ 2011-2014 Jens Lechtenbörger
++ 2014 Pavel Hančar
++ 2014 Pex <pexnet0 at gmail.com>
++License: GPL-3+
+
+Files: debian/*
+Copyright: 2009 Daniel Baumann <daniel at debian.org>
+ 2009-2016 Joao Eriberto Mota Filho <eriberto at debian.org>
+License: GPL-2+
+
+License: GPL-2+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
++
++License: GPL-3+
++ This program is free software: you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation, either version 3 of the License, or
++ (at your option) any later version.
++ .
++ This package is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++ .
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <https://www.gnu.org/licenses/>.
++ .
++ On Debian systems, the complete text of the GNU General
++ Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".
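Review bot: the license for "Files: *" changes from GPL-2+ to GPL-3+, but the script itself (renamed "chaosreader0.94 => chaosreader" in the stat) is not shown in this combined diff, so the new stanza cannot be checked against the upstream header from this message alone; please confirm the header in the imported file says "either version 3 of the License, or (at your option) any later version" before upload. Two consistency nits in the stanzas: the GPL-2+ text ends "see <https://www.gnu.org/licenses/>" without the trailing period that the GPL-3+ text has, and the GPL-3+ stanza opens with "This program is free software" but continues with "This package is distributed"; pick one noun. In the header, "Upstream-Contact: Brendan Gregg <brendan.d.gregg at gmail.com, bgregg at netflix.com>" puts two addresses inside one angle-bracket pair; one "Name <address>" per line is the usual DEP-5 form and is what the Copyright field below already does.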
diff --cc debian/docs
index 0000000,0000000..b43bf86
new file mode 100644
--- /dev/null
+++ b/debian/docs
@@@ -1,0 -1,0 +1,1 @@@
++README.md
diff --cc debian/install
index 0000000,0000000..d49096e
new file mode 100644
--- /dev/null
+++ b/debian/install
@@@ -1,0 -1,0 +1,1 @@@
++chaosreader usr/bin
diff --cc debian/manpage/chaosreader.1
index c1da325,0000000..a2f66f6
mode 100644,000000..100644
--- a/debian/manpage/chaosreader.1
+++ b/debian/manpage/chaosreader.1
@@@ -1,484 -1,0 +1,475 @@@
+.\" Text automatically generated by txt2man
- .TH chaosreader 1 "27 Dec 2013" "chaosreader-0.94" "trace network sessions and export it to html format"
++.TH chaosreader 1 "18 Nov 2016" "chaosreader-0.96" "trace network sessions and export it to html format"
+.SH NAME
+\fBchaosreader \fP- trace network sessions and export it to html format
+\fB
+.SH SYNOPSIS
+.nf
+.fam C
+\fBchaosreader\fP
+
- \fBchaosreader\fP [\fB-aehikqrvxAHIRTUXY\fP] [\fB-D\fP \fIdir\fP]
++\fBchaosreader\fP [\fB-adehiknqrvxAHIRTUXY\fP] [\fB-D\fP \fIdir\fP]
+ [\fB-b\fP port[,\.\.\.]] [\fB-B\fP port[,\.\.\.]]
+ [\fB-j\fP IPaddr[,\.\.\.]] [\fB-J\fP IPaddr[,\.\.\.]]
+ [\fB-l\fP port[,\.\.\.]] [\fB-L\fP port[,\.\.\.]] [\fB-m\fP bytes[k]]
+ [\fB-M\fP bytes[k]] [\fB-o\fP "time"|"size"|"type"|"ip"]
+ [\fB-p\fP port[,\.\.\.]] [\fB-P\fP port[,\.\.\.]]
+ \fBinfile\fP [\fIinfile2\fP \.\.\.]
+
+\fBchaosreader\fP \fB-s\fP [\fImins\fP] | \fB-S\fP [\fImins\fP[,count]]
+ [\fB-z\fP] [\fB-f\fP 'filter']
+
+.fam T
+.fi
+.fam T
+.fi
+.SH DESCRIPTION
+Chaosreader traces TCP/UDP/others sessions and fetches application data from
+snoop or tcpdump logs. This is a type of "any-snarf" program, as it will
+fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG etc) and
+SMTP emails from the captured data inside network traffic logs. A html index
+file is created to that links to all the session details, including realtime
+replay programs for telnet, rlogin, IRC, X11 and VNC sessions. Chaosreader
+reports such as image reports and HTTP GET/POST content reports.
+.PP
- Chaosreader can also run in standalone mode, where it invokes tcpdump to
- create the log files and then processes them.
++It also creates replay programs for telnet sessions, so that you can play
++them back in realtime (or even different speeds).
++.PP
++Chaosreader can also run in standalone mode, where it invokes tcpdump or
++snoop (a similar to tcpdump program for Solaris) to create the log files
++and then processes them.
+.SH OPTIONS
+.TP
+.B
+\fB-a\fP, \fB--application\fP
+Create application session files (default).
+.TP
+.B
++\fB-d\fP, \fB--preferdns\fP
++Show DNS names instead of IP addresses.
++.TP
++.B
+\fB-e\fP, \fB--everything\fP
+Create HTML 2-way & hex files for everything.
+.TP
+.B
+\fB-h\fP
+Print a brief help.
+.TP
+.B
+\fB--help\fP
+Print verbose help (this) and version.
+.TP
+.B
+\fB--help2\fP
+Print massive help.
+.TP
+.B
+\fB-i\fP, \fB--info\fP
+Create info file.
+.TP
+.B
+\fB-q\fP, \fB--quiet\fP
+Quiet, no output to screen.
+.TP
+.B
+\fB-r\fP, \fB--raw\fP
+Create raw files.
+.TP
+.B
+\fB-v\fP, \fB--verbose\fP
+Verbose.
+.TP
+.B
+\fB-x\fP, \fB--index\fP
+Create index files (default).
+.TP
+.B
+\fB-A\fP, \fB--noapplication\fP
+Exclude application session files.
+.TP
+.B
+\fB-H\fP, \fB--hex\fP
+Include hex dumps (slow).
+.TP
+.B
+\fB-I\fP, \fB--noinfo\fP
+Exclude info files.
+.TP
+.B
+\fB-R\fP, \fB--noraw\fP
+Exclude raw files.
+.TP
+.B
+\fB-T\fP, \fB--notcp\fP
+Exclude TCP traffic.
+.TP
+.B
+\fB-U\fP, \fB--noudp\fP
+Exclude UDP traffic.
+.TP
+.B
+\fB-Y\fP, \fB--noicmp\fP
+Exclude ICMP traffic.
+.TP
+.B
+\fB-X\fP, \fB--noindex\fP
+Exclude index files.
+.TP
+.B
+\fB-k\fP, \fB--keydata\fP
+Create extra files for keystroke analysis.
+.TP
+.B
++\fB-n\fP, \fB--names\fP
++Include hostnames in hyperlinked HTTPlog (HTML)
++.TP
++.B
+\fB-D\fP \fIdir\fP, --\fIdir\fP \fIdir\fP
+Output all files to this directory.
+.TP
+.B
+\fB-b\fP 25,79, \fB--playtcp\fP 25,79
+Replay these TCP ports as well (playback).
+.TP
+.B
+\fB-B\fP 36,42, \fB--playudp\fP 36,42
+Replay these UDP ports as well (playback).
+.TP
+.B
+\fB-l\fP 7,79, \fB--htmltcp\fP 7,79
+Create HTML for these TCP ports as well.
+.TP
+.B
+\fB-L\fP 7,123, \fB--htmludp\fP 7,123
+Create HTML for these UDP ports as well.
+.TP
+.B
+\fB-m\fP 1k, \fB--min\fP 1k
+Min size of connection to save ("k" for Kb).
+.TP
+.B
+\fB-M\fP 1024k, \fB--max\fP 1k
+Max size of connection to save ("k" for Kb)
+.TP
+.B
+\fB-o\fP size, \fB--sort\fP size
+Sort Order: time/size/type/ip (Default time).
+.TP
+.B
+\fB-p\fP 21,23, \fB--port\fP 21,23
+Only examine these ports (TCP & UDP).
+.TP
+.B
+\fB-P\fP 80,81, \fB--noport\fP 80,81
+Exclude these ports (TCP & UDP).
+.TP
+.B
+\fB-s\fP 5, \fB--runonce\fP 5
+Standalone. Run tcpdump/snoop for 5 \fImins\fP.
+.TP
+.B
+\fB-S\fP 5,10, \fB--runmany\fP 5,10
+Standalone, many. 10 samples of 5 \fImins\fP each.
+.TP
+.B
+\fB-S\fP 5, \fB--runmany\fP 5
+Standalone, endless. 5 min samples forever.
+.TP
+.B
+\fB-z\fP, \fB--runredo\fP
+Standalone, redo. Rereads last run's logs.
+.TP
+.B
+\fB-j\fP 10.1.2.1, \fB--ipaddr\fP 10.1.2.1
+Only examine these IPs.
+.TP
+.B
+\fB-J\fP 10.1.2.1, \fB--noipaddr\fP 10.1.2.1
+Exclude these IPs.
+.TP
+.B
+\fB-f\fP 'port 7', \fB--filter\fP 'port 7'
+With standalone, use this dump filter.
+.SH OUTPUT FILES
++Many files will be created, run this in a clean directory. Short example:
+.TP
+.B
+index.html
+Html index (full details).
+.TP
+.B
+index.text
+Text index.
+.TP
+.B
+index.file
+File index for standalone redo mode.
+.TP
+.B
+image.html
+HTML report of images.
+.TP
+.B
+getpost.html
+HTML report of HTTP GET/POST requests.
+.TP
+.B
+session_0001.info
+Info file describing TCP session #1.
+.TP
+.B
+session_0001.telnet.html
+HTML colored 2-way capture (time sorted).
+.TP
+.B
+session_0001.telnet.raw
+Raw data 2-way capture (time sorted).
+.TP
+.B
+session_0001.telnet.raw1
+Raw 1-way capture (assembled) server->client.
+.TP
+.B
+session_0001.telnet.raw2
+Raw 1-way capture (assembled) client->server.
+.TP
+.B
+session_0002.web.html
+HTML colored 2-way.
+.TP
+.B
+session_0002.part_01.html
+HTTP portion of the above, a HTML file.
+.TP
+.B
+session_0003.web.html
+HTML colored 2-way.
+.TP
+.B
+session_0003.part_01.jpeg
+HTTP portion of the above, a JPEG file.
+.TP
+.B
+session_0004.web.html
+HTML colored 2-way.
+.TP
+.B
+session_0004.part_01.gif
+HTTP portion of the above, a GIF file.
+.TP
+.B
+session_0005.part_01.ftp-data.gz
+An FTP transfer, a gz file.
+.SH CONVENTIONS
+.TP
+.B
+session_*
+TCP Sessions.
+.TP
+.B
+stream_*
+UDP Streams.
+.TP
+.B
+icmp_*
+ICMP packets.
+.TP
+.B
+index.html
+HTML Index.
+.TP
+.B
+index.text
+Text Index.
+.TP
+.B
+index.file
+File Index for standalone redo mode only.
+.TP
+.B
+image.html
+HTML report of images.
+.TP
+.B
+getpost.html
+HTML report of HTTP GET/POST requests.
+.TP
+.B
+*.info
+Info file describing the Session/Stream.
+.TP
+.B
+*.raw
+Raw data 2-way capture (time sorted).
+.TP
+.B
+*.raw1
+Raw 1-way capture (assembled) server->client.
+.TP
+.B
+*.raw2
+Raw 1-way capture (assembled) client->server.
+.TP
+.B
+*.replay
+Session replay program (perl).
+.TP
+.B
+*.partial.*
+Partial capture (tcpdump/snoop were aware of drops).
+.TP
+.B
+*.hex.html
+2-way Hex dump, rendered in colored HTML.
+.TP
+.B
+*.hex.text
+2-way Hex dump in plain text.
+.TP
+.B
+*.X11.replay
+X11 replay script (talks X11).
+.TP
+.B
+*.textX11.replay
+X11 communicated text replay script (text only).
+.TP
+.B
+*.textX11.html
+2-way text report, rendered in red/blue HTML.
+.TP
+.B
+*.keydata
+Keystroke delay data file. Used for SSH analysis.
+.SH MODES
+.TP
+.B
+Normal
+eg "\fBchaosreader\fP \fBinfile\fP", this is where a tcpdump/snoop file
+was created previously and \fBchaosreader\fP reads and processes it.
+.TP
+.B
+Standalone once
+eg "\fBchaosreader\fP \fB-s\fP 10" this is where \fBchaosreader\fP
+runs tcpdump/snoop and generates the log file, in
+this case for 10 minutes, and then processes the result.
+Some OS's may not have tcpdump or snoop available so
+this will not work (instead you may be able to get
+Ethereal, run it, save to a file, then use normal mode).
+There is a master index.html and the report index.html
+in a sub \fIdir\fP, which is of the format out_YYYYMMDD-hhmm,
+eg "out_20031003-2221".
+.TP
+.B
+Standalone, many
+eg "\fBchaosreader\fP \fB-S\fP 5,12", this is where \fBchaosreader\fP
+runs tcpdump/snoop and generates many log files, in
+this case it samples 12 times for 5 minutes each.
+While this is running, the master index.html can be
+viewed to watch progress, which links to minor index.html
+reports in each sub directory.
+.TP
+.B
+Standalone, redo
+eg "\fBchaosreader\fP \fB-ve\fP \fB-z\fP", (the \fB-z\fP), this is where a
+standalone capture was previously performed - and now you
+would like to reprocess the logs - perhaps with different
+options (in this case, "\fB-ve\fP"). It reads index.file to
+determine which capture logs to read.
+.TP
+.B
+Standalone, endless
+eg "\fBchaosreader\fP \fB-S\fP 5", like standalone many - but runs
+forever (if you ever had the need?). Watch your disk
+space!
+.PP
+Note: this is a work in progress, some of the code is a little unpolished.
- .SH ADVICE
++.SH NOTES
+.IP \(bu 3
+Run \fBchaosreader\fP in an empty directory.
+.IP \(bu 3
+Create small packet dumps. Chaosreader uses around 5x the dump size
+in memory. A 100Mb file could need 500Mb of RAM to process.
+.IP \(bu 3
+Your tcpdump may allow "\fB-s0\fP" (entire packet) instead of "\fB-s9000\fP".
+.IP \(bu 3
+Beware of using too much disk space, especially standalone mode.
+.IP \(bu 3
+If you capture too many small connections giving a huge index.html,
+try using the \fB-m\fP option to ignore small connections. eg "\fB-m\fP 1k".
+.IP \(bu 3
+snoop logs may actually work better. Snoop logs are based on RFC1761,
+however there are many variants of tcpdump/libpcap and this program
+cannot read them all. If you have Ethereal you can create snoop logs
+during the "save as" option. On Solaris use "snoop \fB-o\fP logfile".
+.IP \(bu 3
+tcpdump logs may not be portable between OSs that use different sized
+timestamps or endian.
+.IP \(bu 3
+Logs are best created in a memory filesystem for speed, usually /tmp.
+.IP \(bu 3
+For X11 or VNC playbacks, first practise by replaying a recent captured
+session of your own. The biggest problem is color depth, your screen
+must match the capture. For X11 check authentication (xhost +), for
+VNC check the viewers options (\fB-8bit\fP, "Hextile", \.\.\.)
+.IP \(bu 3
+SSH analysis can be performed with the "sshkeydata" program as
+demonstrated on http://www.brendangregg.com/sshanalysis.html .
+\fBchaosreader\fP provides the input files (*.keydata) that sshkeydata
+analyses.
+.SH BUGS
- .IP \(bu 3
- The following assumptions may cause problems (check for new vers);
++The following assumptions may cause problems (check for new vers):
+.IP \(bu 3
+A lower port number = the service type. Eg with ports 31247 and 23,
+the actual type of session is telnet (23). This may not work for
+some things (eg, VNC).
+.IP \(bu 3
+Time based order is more important for 2-way sessions (eg telnet),
+SEQ order is more import for 1-way transfers (eg ftp-data).
+.IP \(bu 3
+One particular TCP session isn't active for long enough that the SEQ
+number loops (or even wraps).
+.SH EXAMPLES
+.IP \(bu 3
+Example 1:
+.PP
+.nf
+.fam C
- tcpdump \-s9000 \-w out1; chaosreader out1; netscape index.html
-
- or,
-
- snoop -o out1; chaosreader out1; netscape index.html
-
- or,
-
- ethereal (save as "out1"); chaosreader out1; netscape index.html
-
- or,
-
- chaosreader -s 5; netscape index.html
-
- .fam T
- .fi
- .IP \(bu 3
- Example 2:
- .PP
- .nf
- .fam C
- tcpdump \-s9000 \-w output1 # create tcpdump capture file
++ tcpdump -s9000 -w output1 # create tcpdump capture file
+
+ chaosreader output1 # extract recognised sessions, or,
+
- chaosreader \-ve output1 # gimme everything, or,
++ chaosreader -ve output1 # gimme everything, or,
+
- chaosreader \-p 20,21,23 output1 # only ftp and telnet\.\.\.
++ chaosreader -p 20,21,23 output1 # only ftp and telnet\.\.\.
+
+.fam T
+.fi
+.IP \(bu 3
- Example 3:
++Example 2:
+.PP
+.nf
+.fam C
- snoop \-o output1 # create snoop capture file instead
++ snoop -o output1 # create snoop capture file instead
+
+ chaosreader output1 # extract recognised sessions\.\.\.
+
+.fam T
+.fi
+.IP \(bu 3
- Example 4:
++Example 3:
+.PP
+.nf
+.fam C
- chaosreader \-S 2,5 # Standalone, sniff network 5 times for 2 mins
++ chaosreader -S 2,5 # Standalone, sniff network 5 times for 2 mins
+ each. View index.html for progress (or .text)
+
+.fam T
+.fi
+.SH SEE ALSO
- \fBtcpdump\fP(8), \fBchaosreader\fP help page.
++\fBtcpdump\fP(8), \fBsnoop\fP(1M), \fBchaosreader\fP help page.
+.SH AUTHORS
+\fBchaosreader\fP was written by Brendan Gregg.
+.PP
+This manual page was written by Joao Eriberto Mota Filho <eriberto at debian.org> for the Debian project (but may be used by others).
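Review bot: the NOTES item for X11 playbacks, "For X11 check authentication (xhost +)", tells the reader to disable X server access control for every host; since this section was just renamed and touched, it is a good place to narrow the advice to something like "xhost +localhost" (or an xauth cookie) and to say why the unrestricted form is a bad idea on a networked machine. In the same spirit, OUTPUT FILES shows that HTTP bodies are written out as session_*.part_*.html/.jpeg/.gif and CONVENTIONS lists *.replay as Perl programs; a one-line NOTES entry stating that all of these are reconstructed from captured traffic, so the HTML should be opened and the replay scripts run only in an isolated environment, would be worth adding. Smaller points in the generated output: the lone "\fB" line after the NAME entry looks like a txt2man artefact worth checking in the rendered page, and the new "-n, --names" entry ("Include hostnames in hyperlinked HTTPlog (HTML)") lacks the trailing period every other option has.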
diff --cc debian/manpage/chaosreader.txt
index 241d8d0,0000000..908c335
mode 100644,000000..100644
--- a/debian/manpage/chaosreader.txt
+++ b/debian/manpage/chaosreader.txt
@@@ -1,216 -1,0 +1,208 @@@
+NAME
+ chaosreader - trace network sessions and export it to html format
+
+SYNOPSIS
+ chaosreader
+
- chaosreader [-aehikqrvxAHIRTUXY] [-D dir]
++ chaosreader [-adehiknqrvxAHIRTUXY] [-D dir]
+ [-b port[,...]] [-B port[,...]]
+ [-j IPaddr[,...]] [-J IPaddr[,...]]
+ [-l port[,...]] [-L port[,...]] [-m bytes[k]]
+ [-M bytes[k]] [-o "time"|"size"|"type"|"ip"]
+ [-p port[,...]] [-P port[,...]]
+ infile [infile2 ...]
+
+ chaosreader -s [mins] | -S [mins[,count]]
+ [-z] [-f 'filter']
+
+DESCRIPTION
+ Chaosreader traces TCP/UDP/others sessions and fetches application data from
+ snoop or tcpdump logs. This is a type of "any-snarf" program, as it will
+ fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG etc) and
+ SMTP emails from the captured data inside network traffic logs. A html index
+ file is created to that links to all the session details, including realtime
+ replay programs for telnet, rlogin, IRC, X11 and VNC sessions. Chaosreader
+ reports such as image reports and HTTP GET/POST content reports.
+
- Chaosreader can also run in standalone mode, where it invokes tcpdump to
- create the log files and then processes them.
++ It also creates replay programs for telnet sessions, so that you can play
++ them back in realtime (or even different speeds).
++
++ Chaosreader can also run in standalone mode, where it invokes tcpdump or
++ snoop (a similar to tcpdump program for Solaris) to create the log files
++ and then processes them.
+
+OPTIONS
+ -a, --application Create application session files (default).
++ -d, --preferdns Show DNS names instead of IP addresses.
+ -e, --everything Create HTML 2-way & hex files for everything.
+ -h Print a brief help.
+ --help Print verbose help (this) and version.
+ --help2 Print massive help.
+ -i, --info Create info file.
+ -q, --quiet Quiet, no output to screen.
+ -r, --raw Create raw files.
+ -v, --verbose Verbose.
+ -x, --index Create index files (default).
+ -A, --noapplication Exclude application session files.
+ -H, --hex Include hex dumps (slow).
+ -I, --noinfo Exclude info files.
+ -R, --noraw Exclude raw files.
+ -T, --notcp Exclude TCP traffic.
+ -U, --noudp Exclude UDP traffic.
+ -Y, --noicmp Exclude ICMP traffic.
+ -X, --noindex Exclude index files.
+ -k, --keydata Create extra files for keystroke analysis.
++ -n, --names Include hostnames in hyperlinked HTTPlog (HTML)
+ -D dir, --dir dir Output all files to this directory.
+ -b 25,79, --playtcp 25,79 Replay these TCP ports as well (playback).
+ -B 36,42, --playudp 36,42 Replay these UDP ports as well (playback).
+ -l 7,79, --htmltcp 7,79 Create HTML for these TCP ports as well.
+ -L 7,123, --htmludp 7,123 Create HTML for these UDP ports as well.
+ -m 1k, --min 1k Min size of connection to save ("k" for Kb).
+ -M 1024k, --max 1k Max size of connection to save ("k" for Kb)
+ -o size, --sort size Sort Order: time/size/type/ip (Default time).
+ -p 21,23, --port 21,23 Only examine these ports (TCP & UDP).
+ -P 80,81, --noport 80,81 Exclude these ports (TCP & UDP).
+ -s 5, --runonce 5 Standalone. Run tcpdump/snoop for 5 mins.
+ -S 5,10, --runmany 5,10 Standalone, many. 10 samples of 5 mins each.
+ -S 5, --runmany 5 Standalone, endless. 5 min samples forever.
+ -z, --runredo Standalone, redo. Rereads last run's logs.
+ -j 10.1.2.1, --ipaddr 10.1.2.1 Only examine these IPs.
+ -J 10.1.2.1, --noipaddr 10.1.2.1 Exclude these IPs.
+ -f 'port 7', --filter 'port 7' With standalone, use this dump filter.
+
+OUTPUT FILES
++ Many files will be created, run this in a clean directory. Short example:
++
+ index.html Html index (full details).
+ index.text Text index.
+ index.file File index for standalone redo mode.
+ image.html HTML report of images.
+ getpost.html HTML report of HTTP GET/POST requests.
+ session_0001.info Info file describing TCP session #1.
+ session_0001.telnet.html HTML colored 2-way capture (time sorted).
+ session_0001.telnet.raw Raw data 2-way capture (time sorted).
+ session_0001.telnet.raw1 Raw 1-way capture (assembled) server->client.
+ session_0001.telnet.raw2 Raw 1-way capture (assembled) client->server.
+ session_0002.web.html HTML colored 2-way.
+ session_0002.part_01.html HTTP portion of the above, a HTML file.
+ session_0003.web.html HTML colored 2-way.
+ session_0003.part_01.jpeg HTTP portion of the above, a JPEG file.
+ session_0004.web.html HTML colored 2-way.
+ session_0004.part_01.gif HTTP portion of the above, a GIF file.
+ session_0005.part_01.ftp-data.gz An FTP transfer, a gz file.
+
+CONVENTIONS
+ session_* TCP Sessions.
+ stream_* UDP Streams.
+ icmp_* ICMP packets.
+ index.html HTML Index.
+ index.text Text Index.
+ index.file File Index for standalone redo mode only.
+ image.html HTML report of images.
+ getpost.html HTML report of HTTP GET/POST requests.
+ *.info Info file describing the Session/Stream.
+ *.raw Raw data 2-way capture (time sorted).
+ *.raw1 Raw 1-way capture (assembled) server->client.
+ *.raw2 Raw 1-way capture (assembled) client->server.
+ *.replay Session replay program (perl).
+ *.partial.* Partial capture (tcpdump/snoop were aware of drops).
+ *.hex.html 2-way Hex dump, rendered in colored HTML.
+ *.hex.text 2-way Hex dump in plain text.
+ *.X11.replay X11 replay script (talks X11).
+ *.textX11.replay X11 communicated text replay script (text only).
+ *.textX11.html 2-way text report, rendered in red/blue HTML.
+ *.keydata Keystroke delay data file. Used for SSH analysis.
+
+MODES
+ Normal eg "chaosreader infile", this is where a tcpdump/snoop file
+ was created previously and chaosreader reads and processes it.
+ Standalone once eg "chaosreader -s 10" this is where chaosreader
+ runs tcpdump/snoop and generates the log file, in
+ this case for 10 minutes, and then processes the result.
+ Some OS's may not have tcpdump or snoop available so
+ this will not work (instead you may be able to get
+ Ethereal, run it, save to a file, then use normal mode).
+ There is a master index.html and the report index.html
+ in a sub dir, which is of the format out_YYYYMMDD-hhmm,
+ eg "out_20031003-2221".
+ Standalone, many eg "chaosreader -S 5,12", this is where chaosreader
+ runs tcpdump/snoop and generates many log files, in
+ this case it samples 12 times for 5 minutes each.
+ While this is running, the master index.html can be
+ viewed to watch progress, which links to minor index.html
+ reports in each sub directory.
+ Standalone, redo eg "chaosreader -ve -z", (the -z), this is where a
+ standalone capture was previously performed - and now you
+ would like to reprocess the logs - perhaps with different
+ options (in this case, "-ve"). It reads index.file to
+ determine which capture logs to read.
+ Standalone, endless eg "chaosreader -S 5", like standalone many - but runs
+ forever (if you ever had the need?). Watch your disk
+ space!
+
+ Note: this is a work in progress, some of the code is a little unpolished.
+
- ADVICE
++NOTES
+ * Run chaosreader in an empty directory.
+ * Create small packet dumps. Chaosreader uses around 5x the dump size
+ in memory. A 100Mb file could need 500Mb of RAM to process.
+ * Your tcpdump may allow "-s0" (entire packet) instead of "-s9000".
+ * Beware of using too much disk space, especially standalone mode.
+ * If you capture too many small connections giving a huge index.html,
+ try using the -m option to ignore small connections. eg "-m 1k".
+ * snoop logs may actually work better. Snoop logs are based on RFC1761,
+ however there are many variants of tcpdump/libpcap and this program
+ cannot read them all. If you have Ethereal you can create snoop logs
+ during the "save as" option. On Solaris use "snoop -o logfile".
+ * tcpdump logs may not be portable between OSs that use different sized
+ timestamps or endian.
+ * Logs are best created in a memory filesystem for speed, usually /tmp.
+ * For X11 or VNC playbacks, first practise by replaying a recent captured
+ session of your own. The biggest problem is color depth, your screen
+ must match the capture. For X11 check authentication (xhost +), for
+ VNC check the viewers options (-8bit, "Hextile", ...)
+ * SSH analysis can be performed with the "sshkeydata" program as
+ demonstrated on http://www.brendangregg.com/sshanalysis.html .
+ chaosreader provides the input files (*.keydata) that sshkeydata
+ analyses.
+
+BUGS
- * The following assumptions may cause problems (check for new vers);
++ The following assumptions may cause problems (check for new vers):
+ * A lower port number = the service type. Eg with ports 31247 and 23,
+ the actual type of session is telnet (23). This may not work for
+ some things (eg, VNC).
- * Time based order is more important for 2-way sessions (eg telnet),
++ * Time based order is more important for 2-way sessions (eg telnet),
+ SEQ order is more import for 1-way transfers (eg ftp-data).
+ * One particular TCP session isn't active for long enough that the SEQ
+ number loops (or even wraps).
+
+EXAMPLES
+ * Example 1:
+
- tcpdump \-s9000 \-w out1; chaosreader out1; netscape index.html
-
- or,
-
- snoop -o out1; chaosreader out1; netscape index.html
-
- or,
-
- ethereal (save as "out1"); chaosreader out1; netscape index.html
-
- or,
-
- chaosreader -s 5; netscape index.html
-
- * Example 2:
-
- tcpdump \-s9000 \-w output1 # create tcpdump capture file
++ tcpdump -s9000 -w output1 # create tcpdump capture file
+
+ chaosreader output1 # extract recognised sessions, or,
+
- chaosreader \-ve output1 # gimme everything, or,
++ chaosreader -ve output1 # gimme everything, or,
+
- chaosreader \-p 20,21,23 output1 # only ftp and telnet...
++ chaosreader -p 20,21,23 output1 # only ftp and telnet...
+
- * Example 3:
++ * Example 2:
+
- snoop \-o output1 # create snoop capture file instead
++ snoop -o output1 # create snoop capture file instead
+
+ chaosreader output1 # extract recognised sessions...
+
- * Example 4:
++ * Example 3:
+
- chaosreader \-S 2,5 # Standalone, sniff network 5 times for 2 mins
++ chaosreader -S 2,5 # Standalone, sniff network 5 times for 2 mins
+ each. View index.html for progress (or .text)
+
+SEE ALSO
- tcpdump(8), chaosreader help page.
++ tcpdump(8), snoop(1M), chaosreader help page.
+
+AUTHORS
+ chaosreader was written by Brendan Gregg.
+
+ This manual page was written by Joao Eriberto Mota Filho <eriberto at debian.org> for the Debian project (but may be used by others).
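Review bot: the advice "For X11 check authentication (xhost +)" tells the reader to run `xhost +`, which disables X server access control for every host, not just the local replay script; suggest wording it as `xhost +local:` (or an xauth cookie) so the manpage does not leave users with an open X display while they replay captures. Two smaller points in the same hunk: "SEQ order is more import for 1-way transfers" should read "more important", and "A 100Mb file could need 500Mb of RAM" uses Mb (megabits) where MB is meant.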
diff --cc debian/manpage/create-man.sh
index a2d8c7e,0000000..9a1bfea
mode 100755,000000..100755
--- a/debian/manpage/create-man.sh
+++ b/debian/manpage/create-man.sh
@@@ -1,13 -1,0 +1,13 @@@
+#!/bin/bash
+
+# by Eriberto
+# Create the manpage using txt2man command.
+
- T2M_DATE="27 Dec 2013"
++T2M_DATE="18 Nov 2016"
+T2M_NAME=chaosreader
- T2M_VERSION=0.94
++T2M_VERSION=0.96
+T2M_LEVEL=1
+T2M_DESC="trace network sessions and export it to html format"
+
+# Don't change the following line
+txt2man -d "$T2M_DATE" -t $T2M_NAME -r $T2M_NAME-$T2M_VERSION -s $T2M_LEVEL -v "$T2M_DESC" $T2M_NAME.txt > $T2M_NAME.$T2M_LEVEL
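Review bot: `T2M_DATE="18 Nov 2016"` and `T2M_VERSION=0.96` are hardcoded and must be edited by hand on every upload, which is exactly how the previous values (27 Dec 2013, 0.94) went stale; consider deriving the version from the packaging, e.g. `T2M_VERSION=$(dpkg-parsechangelog -SVersion | sed 's/-.*//')`, so the manpage footer cannot disagree with debian/changelog. Also, the shell opens `> $T2M_NAME.$T2M_LEVEL` before txt2man runs, so a txt2man failure leaves an empty manpage behind; `set -e` plus writing to a temporary file and renaming on success would avoid shipping a truncated chaosreader.1. Minor: "export it to html format" should be "export them", since sessions is plural.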
diff --cc debian/rules
index ec7e2cb,0000000..dacda51
mode 100755,000000..100755
--- a/debian/rules
+++ b/debian/rules
@@@ -1,12 -1,0 +1,8 @@@
+#!/usr/bin/make -f
+#export DH_VERBOSE=1
+
+%:
+ dh $@
+
- override_dh_auto_install:
- dh_auto_install
- install -D -m 0755 chaosreader0.94 debian/chaosreader/usr/bin/chaosreader
-
+override_dh_installchangelogs:
+ dh_installchangelogs debian/upstream.changelog
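Review bot: removing override_dh_auto_install in favour of debian/install is correct now that the script is no longer named chaosreader0.94, but debian/install is not part of this hunk; confirm it contains `chaosreader usr/bin` so the executable is still placed where the removed `install -D -m 0755 chaosreader0.94 debian/chaosreader/usr/bin/chaosreader` line put it. The explicit `-m 0755` is not lost, because dh_fixperms marks everything under usr/bin executable.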
diff --cc debian/upstream.changelog
index 3c1c6c7,0000000..572b96c
mode 100644,000000..100644
--- a/debian/upstream.changelog
+++ b/debian/upstream.changelog
@@@ -1,13 -1,0 +1,91 @@@
+# Extracted from chaosreader source code
+# 28-Sep-2003 Brendan Gregg Began writing this.
+# 08-Oct-2003 " " Released version 0.7 beta
+# 09-Oct-2003 " " Added telnet replays
+# 12-Oct-2003 " " Added IRC ports and replays
+# 19-Oct-2003 " " Made code more robust on different OSs
+# 01-Nov-2003 " " Code cleanup, complex data types, IPv6, ICMP
+# 03-Nov-2003 " " Added Standalone mode, standalone redo, ...
+# 05-Nov-2003 " " Added Image indexes, GETPOST indexes
+# 15-Nov-2003 " " Added HTTP proxy style log, hex dumps
+# 27-Jan-2004 " " Released experimental X11 & VNC processing
+# 30-Mar-2004 " " 802.11b, sorts, less RAM used, tun packets.
+# 01-May-2004 " " CLI enhanced, faster, SSH analysis.
++# 11-Sep-2011 " " ver 0.95
++# 24-Sep 2011 " " ver 0.95b
++# 04-Jan 2012 " " ver 0.95c
++# 10-Jan 2012 " " ver 0.95d
++# 15-Mar 2013 " " ver 0.95e
++# 15-Apr 2013 " " ver 0.95f
++# 18-Apr 2013 " " ver 0.95g
++# 12-Apr 2014 " " ver 0.95h
++# 14-Apr 2014 " " ver 0.95i
++# 12-jun 2014 " " ver 0.95.10
++# 15-Jun-2014 " " ver 0.96
++
++
++11-Sep-2011, Jens Lechtenbörger:
++- Switch from GPLv2 to GPLv3
++- Integrate diff from
++ http://refrequelate.blogspot.com/2008/07/more-de-chunking-chaosreader-patch.html
++ to reassemble chunked HTTP transfers.
++- Parse linux cooked captures, which result from listening on "any"
++ interface. (Chaosreader0.94 does not produce any output for such
++ pcap files.)
++- Use HTTP content-type to identify file types such as HTML, XML,
++ Javascript, CSS; use those types for better file extensions than
++ "data".
++- Uncompress gzip'ed data.
++- Add new command line switch to show host names in HTTPlog and to
++ create href-links from HTTPlog rows to the corresponding rows in
++ the table on index.html.
++- Several minor improvements (see comments with "JL:").
++
++24-Sep-2011, Jens Lechtenbörger:
++- More systematic Content-Type handling based on MIME types.
++- More image types included in Image Report based on MIME types.
++
++4-Jan-2012, Jens Lechtenbörger:
++- Parsing of DNS replies to show names instead of IP addresses (new
++ command line switch -d) and to save DNS replies as text files.
++
++10-Feb-2012, Jens Lechtenbörger:
++- Use file magic (again) to detect MIME type if HTTP's Content-Type is
++ application/octet-stream. (Some Web servers report images incorrectly.)
++
++15-Mar-2013, Jens Lechtenbörger:
++- Create additional HTTP log file in text format. That file contains one
++ line per GET request, which shows the referrer (if present) and indicates
++ whether cookies have been sent in the request or received in the reply.
++
++15-Apr-2013, Jens Lechtenbörger:
++- Link additional HTTP log file from index.html.
++- Also look for images in plain/text Content-Types (seen in the wild).
++- Extend GET/POST report to include all GETs; not only those including a
++ question mark (with parameters).
++
++18-Apr-2013, Jens Lechtenbörger:
++- Build new "External Image Report" (linked from index.html), where images
++ are embedded from their origin servers.
++ In contrast, the "Image Report" points to images on the local hard disk.
++ The new report may be more suitable for publication on Web pages as it
++ does not require to publish (potentially copyright protected) images.
++- Parse CNAME DNS replies to show original host names (which are hopefully
++ more familiar than aliases).
++- Show also empty parts on index.html that result from cache hits.
++- Create directory passed after switch "-D".
++
++12-Apr-2014, Pavel Hančar:
++- Optimized hexadecimal dumps to use less memory.
++- Modified "IP Count" to "IP and MAC Count".
++- Fixed a few bugs concerning output.
++
++14-Apr-2014, Jens Lechtenbörger:
++- Also create HTML files for ports 8118 (polipo) and 9050 (Tor) and treat
++ both as HTTP traffic (quick hack, works for me).
++- Improved handling of TCP streams with same source and destination IP
++ address (e.g., from localhost to localhost).
++
++12 Jun 2014 Pex
++- support for deflate
++Jens frequently calls this program with options "-vden -D <somedir>".
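Review bot: the summary table and the detailed entries disagree on one date: the table lists `# 10-Jan 2012 " " ver 0.95d`, while the matching entry below is headed `10-Feb-2012, Jens Lechtenbörger:`; one of the two is wrong and should be checked against the upstream source before this is shipped as the upstream changelog. The table also mixes date formats (`11-Sep-2011`, `24-Sep 2011`, `12-jun 2014`), and the closing line about how Jens calls the program (`-vden -D <somedir>`) is usage advice rather than a change record; it belongs in README.md or the manpage NOTES, not in a changelog.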
diff --cc debian/watch
index 3e185bf,0000000..601c0af
mode 100644,000000..100644
--- a/debian/watch
+++ b/debian/watch
@@@ -1,2 -1,0 +1,3 @@@
+version=4
- http://sf.net/chaosreader/chaosreader(\d\S+)
++opts=dversionmangle=s/.*/0.No-Release/ \
++https://people.debian.org/~eriberto/ FakeWatchNoUpstreamReleaseForThisPackage-(\d\S+)\.gz
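Review bot: the fake-watch entry carries no in-file comment saying why it points at people.debian.org instead of an upstream download location, so the next maintainer touching this file will read it as a mistake and "fix" it; add a comment such as `# Upstream publishes no tarball releases; this fake entry keeps uscan quiet` above the `opts=` line. It is also worth stating that `dversionmangle=s/.*/0.No-Release/` rewrites the whole Debian version, so uscan will never flag a newer upstream even if a real release site appears later; that is the intent here, but it is not obvious from the two lines alone.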
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/chaosreader.git