SMB_TRAFFIC_ANALYZER - Online Linux Manual PageSection : 8
Updated : 04/11/2016
Source : Samba 3.6
Note : System Administration tools
NAMEvfs_smb_traffic_analyzer − log Samba VFS read and write operations through a socket to a helper application
SYNOPSISvfs objects = smb_traffic_analyzer
DESCRIPTIONThis VFS module is part of the samba(7) suite. The vfs_smb_traffic_analyzer VFS module logs client file operations on a Samba server and sends this data over a socket to a helper program (in the following the "Receiver"), which feeds a SQL database. More information on the helper programs can be obtained from the homepage of the project at: http://holger123.wordpress.com/smb−traffic−analyzer/ Since the VFS module depends on a receiver that is doing something with the data, it is evolving in it's development. Therefore, the module works with different protocol versions, and the receiver has to be able to decode the protocol that is used. The protocol version 1 was introduced to Samba at September 25, 2008. It was a very simple protocol, supporting only a small list of VFS operations, and had several drawbacks. The protocol version 2 is a try to solve the problems version 1 had while at the same time adding new features. With the release of Samba 3.6.0, the module will run protocol version 2 by default.
PROTOCOL VERSION 1 DOCUMENTATIONvfs_smb_traffic_analyzer protocol version 1 is aware of the following VFS operations: write pwrite read pread vfs_smb_traffic_analyzer sends the following data in a fixed format separated by a comma through either an internet or a unix domain socket: BYTES|USER|DOMAIN|READ/WRITE|SHARE|FILENAME|TIMESTAMP
Description of the records: • BYTES − the length in bytes of the VFS operation • USER − the user who initiated the operation • DOMAIN − the domain of the user • READ/WRITE − either "W" for a write operation or "R" for read • SHARE − the name of the share on which the VFS operation occurred • FILENAME − the name of the file that was used by the VFS operation • TIMESTAMP − a timestamp, formatted as "yyyy−mm−dd hh−mm−ss.ms" indicating when the VFS operation occurred • IP − The IP Address (v4 or v6) of the client machine that initiated the VFS operation. This module is stackable.
DRAWBACKS OF PROTOCOL VERSION 1Several drawbacks have been seen with protocol version 1 over time. • Problematic parsing − Protocol version 1 uses hyphen and comma to seperate blocks of data. Once there is a filename with a hyphen, you will run into problems because the receiver decodes the data in a wrong way. • Insecure network transfer − Protocol version 1 sends all it's data as plaintext over the network. • Limited set of supported VFS operations − Protocol version 1 supports only four VFS operations. • No subreleases of the protocol − Protocol version 1 is fixed on it's version, making it unable to introduce new features or bugfixes through compatible sub−releases.
VERSION 2 OF THE PROTOCOLProtocol version 2 is an approach to solve the problems introduced with protcol v1. From the users perspective, the following changes are most prominent among other enhancements: • The data from the module may be send encrypted, with a key stored in secrets.tdb. The Receiver then has to use the same key. The module does AES block encryption over the data to send. • The module now can identify itself against the receiver with a sub−release number, where the receiver may run with a different sub−release number than the module. However, as long as both run on the V2.x protocol, the receiver will not crash, even if the module uses features only implemented in the newer subrelease. If the module uses a new feature from a newer subrelease, and the receiver runs an older protocol, it is just ignoring the functionality. Of course it is best to have both the receiver and the module running the same subrelease of the protocol. • The parsing problems of protocol V1 can no longer happen, because V2 is marshalling the data packages in a proper way. • The module now potientially has the ability to create data on every VFS function. As of protocol V2.0, there is support for 8 VFS functions, namely write,read,pread,pwrite, rename,chdir,mkdir and rmdir. Supporting more VFS functions is one of the targets for the upcoming sub−releases. To enable protocol V2, the protocol_version vfs option has to be used (see OPTIONS).
OPTIONS WITH PROTOCOL V1 AND V2.Xsmb_traffic_analyzer:mode = STRING If STRING matches to "unix_domain_socket", the module will use a unix domain socket located at /var/tmp/stadsocket, if STRING contains an different string or is not defined, the module will use an internet domain socket for data transfer. smb_traffic_analyzer:host = STRING The module will send the data to the system named with the hostname STRING. smb_traffic_analyzer:port = STRING The module will send the data using the TCP port given in STRING. smb_traffic_analyzer:anonymize_prefix = STRING The module will replace the user names with a prefix given by STRING and a simple hash number. In version 2.x of the protocol, the users SID will also be anonymized. smb_traffic_analyzer:total_anonymization = STRING If STRING matches to 'yes', the module will replace any user name with the string given by the option smb_traffic_analyzer:anonymize_prefix, without generating an additional hash number. This means that any transfer data will be mapped to a single user, leading to a total anonymization of user related data. In version 2.x of the protocol, the users SID will also be anonymized. smb_traffic_analyzer:protocol_version = STRING If STRING matches to V1, the module will use version 1 of the protocol. If STRING is not given, the module will use version 2 of the protocol, which is the default.
EXAMPLESRunning protocol V2 on share "example_share", using an internet socket. [example_share]
path = /data/example
vfs_objects = smb_traffic_analyzer
smb_traffic_analyzer:host = examplehost
smb_traffic_analyzer:port = 3491
The module running on share "example_share", using a unix domain socket [example_share]
path = /data/example
vfs objects = smb_traffic_analyzer
smb_traffic_analyzer:mode = unix_domain_socket
The module running on share "example_share", using an internet socket, connecting to host "examplehost" on port 3491. [example_share]
path = /data/example
vfs objects = smb_traffic_analyzer
smb_traffic_analyzer:host = examplehost
smb_traffic_analyzer:port = 3491
The module running on share "example_share", using an internet socket, connecting to host "examplehost" on port 3491, anonymizing user names with the prefix "User". [example_share]
path = /data/example
vfs objects = smb_traffic_analyzer
smb_traffic_analyzer:host = examplehost
smb_traffic_analyzer:port = 3491
smb_traffic_analyzer:anonymize_prefix = User
VERSIONThis man page is correct for version 3.3 of the Samba suite.
AUTHORThe original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. The original version of the VFS module and the helper tools were created by Holger Hetterich. 0
Johanes Gumabo
Data Size : 26,322 byte
man-vfs_smb_traffic_analyzer.8Build : 2024-12-05, 20:55 :
Visitor Screen : x
Visitor Counter ( page / site ) : 4 / 170,324
Visitor ID : :
Visitor IP : 3.135.249.76 :
Visitor Provider : AMAZON-02 :
Provider Position ( lat x lon ) : 39.962500 x -83.006100 : x
Provider Accuracy Radius ( km ) : 1000 :
Provider City : Columbus :
Provider Province : Ohio , : ,
Provider Country : United States :
Provider Continent : North America :
Visitor Recorder : Version :
Visitor Recorder : Library :
Online Linux Manual Page : Version : Online Linux Manual Page - Fedora.40 - march=x86-64 - mtune=generic - 24.12.05
Online Linux Manual Page : Library : lib_c - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Online Linux Manual Page : Library : lib_m - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Data Base : Version : Online Linux Manual Page Database - 24.04.13 - march=x86-64 - mtune=generic - fedora-38
Data Base : Library : lib_c - 23.02.07 - march=x86-64 - mtune=generic - fedora.36
Very long time ago, I have the best tutor, Wenzel Svojanovsky . If someone knows the email address of Wenzel Svojanovsky , please send an email to johanes_gumabo@yahoo.co.id .
If error, please print screen and send to johanes_gumabo@yahoo.co.id
Under development. Support me via PayPal.