SMB_TRAFFIC_ANALYZER - Online Linux Manual Page
Section : 8
Updated : 04/11/2016
Source : Samba 3.6
Note : System Administration tools

NAME
    vfs_smb_traffic_analyzer - log Samba VFS read and write operations through a socket to a helper application

SYNOPSIS
    vfs objects = smb_traffic_analyzer

DESCRIPTION
    This VFS module is part of the samba(7) suite.

    The vfs_smb_traffic_analyzer VFS module logs client file operations on a Samba server and sends this data over a socket to a helper program (in the following the "Receiver"), which feeds a SQL database. More information on the helper programs can be obtained from the homepage of the project at: http://holger123.wordpress.com/smb-traffic-analyzer/

    Since the VFS module depends on a receiver that is doing something with the data, it is still evolving in its development. Therefore, the module works with different protocol versions, and the receiver has to be able to decode the protocol that is used. Protocol version 1 was introduced to Samba on September 25, 2008. It was a very simple protocol, supporting only a small list of VFS operations, and had several drawbacks. Protocol version 2 is an attempt to solve the problems version 1 had while at the same time adding new features. With the release of Samba 3.6.0, the module runs protocol version 2 by default.

PROTOCOL VERSION 1 DOCUMENTATION
    vfs_smb_traffic_analyzer protocol version 1 is aware of the following VFS operations:

        write
        pwrite
        read
        pread

    vfs_smb_traffic_analyzer sends the following data in a fixed format separated by a comma through either an internet or a unix domain socket:

        BYTES|USER|DOMAIN|READ/WRITE|SHARE|FILENAME|TIMESTAMP

    Description of the records:

    •  BYTES - the length in bytes of the VFS operation
    •  USER - the user who initiated the operation
    •  DOMAIN - the domain of the user
    •  READ/WRITE - either "W" for a write operation or "R" for read
    •  SHARE - the name of the share on which the VFS operation occurred
    •  FILENAME - the name of the file that was used by the VFS operation
    •  TIMESTAMP - a timestamp, formatted as "yyyy-mm-dd hh-mm-ss.ms", indicating when the VFS operation occurred
    •  IP - the IP address (v4 or v6) of the client machine that initiated the VFS operation

    This module is stackable.

DRAWBACKS OF PROTOCOL VERSION 1
    Several drawbacks have been seen with protocol version 1 over time.

    •  Problematic parsing - Protocol version 1 uses hyphen and comma to separate blocks of data. Once there is a filename containing a hyphen, you will run into problems because the receiver decodes the data in a wrong way.
    •  Insecure network transfer - Protocol version 1 sends all its data as plaintext over the network.
    •  Limited set of supported VFS operations - Protocol version 1 supports only four VFS operations.
    •  No subreleases of the protocol - Protocol version 1 is fixed on its version, making it unable to introduce new features or bugfixes through compatible sub-releases.
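The parsing drawback above is a receiver-side problem: a receiver that simply splits a V1 record on the separator mis-assigns every field after a filename that contains one. The following receiver-side parser is an added example, not code from Samba or from the project's own Receiver. It assumes one record per line, fields comma-separated in the order listed in the PROTOCOL VERSION 1 section (BYTES, USER, DOMAIN, READ/WRITE, SHARE, FILENAME, TIMESTAMP, IP), and that USER, DOMAIN and SHARE never contain a comma; the sample records, the socket path default and the acceptance of colons in the time part are constructed assumptions. It recovers the filename by anchoring on the fixed fields at both ends of the record instead of trusting a plain split.

```python
"""Receiver-side parser for vfs_smb_traffic_analyzer protocol V1 records.

Added example, not code from Samba or from the project's own Receiver.
Assumptions: one record per line, fields comma-separated in the order the
man page lists them (BYTES, USER, DOMAIN, READ/WRITE, SHARE, FILENAME,
TIMESTAMP, IP), and USER, DOMAIN and SHARE never contain a comma.
"""
import ipaddress
import os
import re
import socket
from dataclasses import dataclass
from typing import Iterator, List

# The man page documents "yyyy-mm-dd hh-mm-ss.ms"; colons in the time part
# are accepted too (assumption, to be lenient with what a module may emit).
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}[-:]\d{2}[-:]\d{2}\.\d+$")


@dataclass(frozen=True)
class V1Record:
    nbytes: int
    user: str
    domain: str
    op: str          # "R" or "W"
    share: str
    filename: str
    timestamp: str
    ip: str


def naive_split(line: str) -> List[str]:
    """What a receiver that only splits on commas sees: a filename containing
    a comma shifts every later field (the drawback described above)."""
    return line.rstrip("\r\n").split(",")


def parse_v1(line: str) -> V1Record:
    """Parse one V1 record by anchoring on the fields that cannot contain the
    separator: five fixed fields on the left, timestamp and IP on the right.
    Whatever remains in the middle is the filename, commas included."""
    body = line.rstrip("\r\n")
    head = body.split(",", 5)
    if len(head) != 6:
        raise ValueError(f"too few fields: {body!r}")
    nbytes, user, domain, op, share, rest = head
    tail = rest.rsplit(",", 2)
    if len(tail) != 3:
        raise ValueError(f"missing timestamp or ip: {body!r}")
    filename, timestamp, ip = tail
    if not nbytes.isdigit():
        raise ValueError(f"BYTES is not numeric: {nbytes!r}")
    if op not in ("R", "W"):
        raise ValueError(f"READ/WRITE must be R or W: {op!r}")
    if not TIMESTAMP_RE.match(timestamp):
        raise ValueError(f"bad timestamp: {timestamp!r}")
    ipaddress.ip_address(ip)   # raises ValueError unless it is a valid v4/v6 address
    return V1Record(int(nbytes), user, domain, op, share, filename, timestamp, ip)


def parse_stream(lines) -> List[V1Record]:
    """Parse an iterable of raw lines, skipping blank ones."""
    return [parse_v1(line) for line in lines if line.strip()]


def serve_unix(path: str = "/var/tmp/stadsocket") -> Iterator[V1Record]:
    """Listen on the path the module's unix_domain_socket mode connects to
    (default taken from the OPTIONS section) and yield parsed records,
    dropping malformed ones instead of letting them poison the database."""
    if os.path.exists(path):
        os.unlink(path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen()
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("r", encoding="utf-8", errors="replace") as f:
                for line in f:
                    try:
                        yield parse_v1(line)
                    except ValueError as exc:
                        print("dropped malformed record:", exc)


# Constructed sample records (not captured from a real server). The second
# filename contains a comma, which defeats a naive comma split.
SAMPLE_LINES = [
    "4096,alice,EXAMPLE,W,example_share,report.txt,2016-04-11 10-22-31.512,192.0.2.10",
    "512,bob,EXAMPLE,R,example_share,notes, draft.txt,2016-04-11 10-22-32.004,2001:db8::5",
]

if __name__ == "__main__":
    for rec in parse_stream(SAMPLE_LINES):
        print(rec)
```

The anchoring trick only works because BYTES, READ/WRITE, TIMESTAMP and IP have fixed, checkable shapes; a receiver that cannot validate those fields has no way to tell a separator inside a filename from a real one, which is exactly why protocol V2 marshals the fields instead.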

VERSION 2 OF THE PROTOCOL
    Protocol version 2 is an approach to solve the problems introduced with protocol v1. From the user's perspective, the following changes are most prominent among other enhancements:

    •  The data from the module may be sent encrypted, with a key stored in secrets.tdb. The Receiver then has to use the same key. The module does AES block encryption over the data to send.
    •  The module now can identify itself against the receiver with a sub-release number, where the receiver may run with a different sub-release number than the module. However, as long as both run on the V2.x protocol, the receiver will not crash, even if the module uses features only implemented in the newer subrelease. If the module uses a new feature from a newer subrelease, and the receiver runs an older protocol, it just ignores the functionality. Of course it is best to have both the receiver and the module running the same subrelease of the protocol.
    •  The parsing problems of protocol V1 can no longer happen, because V2 marshals the data packages in a proper way.
    •  The module now potentially has the ability to create data on every VFS function. As of protocol V2.0, there is support for 8 VFS functions, namely write, read, pread, pwrite, rename, chdir, mkdir and rmdir. Supporting more VFS functions is one of the targets for the upcoming sub-releases.

    To enable protocol V2, the protocol_version vfs option has to be used (see OPTIONS).

OPTIONS WITH PROTOCOL V1 AND V2.X
    smb_traffic_analyzer:mode = STRING
        If STRING matches "unix_domain_socket", the module will use a unix domain socket located at /var/tmp/stadsocket. If STRING contains a different string or is not defined, the module will use an internet domain socket for data transfer.

    smb_traffic_analyzer:host = STRING
        The module will send the data to the system named with the hostname STRING.

    smb_traffic_analyzer:port = STRING
        The module will send the data using the TCP port given in STRING.

    smb_traffic_analyzer:anonymize_prefix = STRING
        The module will replace the user names with a prefix given by STRING and a simple hash number. In version 2.x of the protocol, the user's SID will also be anonymized.

    smb_traffic_analyzer:total_anonymization = STRING
        If STRING matches 'yes', the module will replace any user name with the string given by the option smb_traffic_analyzer:anonymize_prefix, without generating an additional hash number. This means that all transfer data will be mapped to a single user, leading to a total anonymization of user-related data. In version 2.x of the protocol, the user's SID will also be anonymized.

    smb_traffic_analyzer:protocol_version = STRING
        If STRING matches V1, the module will use version 1 of the protocol. If STRING is not given, the module will use version 2 of the protocol, which is the default.

EXAMPLES
    Running protocol V2 on share "example_share", using an internet socket.

        [example_share]
        path = /data/example
        vfs objects = smb_traffic_analyzer
        smb_traffic_analyzer:host = examplehost
        smb_traffic_analyzer:port = 3491

    The module running on share "example_share", using a unix domain socket.

        [example_share]
        path = /data/example
        vfs objects = smb_traffic_analyzer
        smb_traffic_analyzer:mode = unix_domain_socket

    The module running on share "example_share", using an internet socket, connecting to host "examplehost" on port 3491.

        [example_share]
        path = /data/example
        vfs objects = smb_traffic_analyzer
        smb_traffic_analyzer:host = examplehost
        smb_traffic_analyzer:port = 3491

    The module running on share "example_share", using an internet socket, connecting to host "examplehost" on port 3491, anonymizing user names with the prefix "User".

        [example_share]
        path = /data/example
        vfs objects = smb_traffic_analyzer
        smb_traffic_analyzer:host = examplehost
        smb_traffic_analyzer:port = 3491
        smb_traffic_analyzer:anonymize_prefix = User
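The OPTIONS and EXAMPLES sections together determine whether audit records leave the host in plaintext and whether real user names reach the Receiver's database. The following lint script is an added example, not part of Samba or of the project's tools: it reads share sections from an smb.conf-style text and reports, for each share that loads the module, the combinations described above (protocol V1 over an internet socket, a unix domain socket with unused host/port settings, no anonymize_prefix). The finding codes, the sample configuration and the check that the module is listed under the documented "vfs objects" key rather than a differently spelled key are assumptions of this example.

```python
"""Lint smb.conf shares that load vfs_smb_traffic_analyzer.

Added example, not part of Samba. It reads only the options documented in
the OPTIONS section and reports settings that let audit data leave the host
unprotected or identify users when that is not wanted.
Assumption: the documented key is 'vfs objects'; a differently spelled key
(for example 'vfs_objects') is reported so the admin can verify the module
is really loaded rather than silently ignored.
"""
import configparser
from typing import Dict, List, Tuple

MODULE = "smb_traffic_analyzer"
Finding = Tuple[str, str]   # (code, human-readable message)


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf keys contain spaces and colons ("smb_traffic_analyzer:host"),
    so only '=' may act as a delimiter, and %-macros must not be interpolated."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, comment_prefixes=("#", ";"))
    cp.optionxform = str.lower   # Samba parameter names are case-insensitive
    cp.read_string(text)
    return cp


def lint_share(name: str, sec) -> List[Finding]:
    """Return findings for one share section (a configparser SectionProxy)."""
    out: List[Finding] = []

    def opt(key: str) -> str:
        return sec.get(f"{MODULE}:{key}", "").strip()

    if MODULE not in sec.get("vfs objects", "").split():
        for key, val in sec.items():
            if key.replace("_", " ") == "vfs objects" and MODULE in val:
                out.append(("UNRECOGNISED_KEY",
                            f"[{name}] {MODULE} is listed under '{key}', not the "
                            f"documented 'vfs objects'; verify the module is loaded"))
        return out

    unix_socket = opt("mode") == "unix_domain_socket"
    if opt("protocol_version").upper() == "V1" and not unix_socket:
        out.append(("V1_PLAINTEXT_NETWORK",
                    f"[{name}] protocol V1 over an internet socket sends user, "
                    f"file and client IP data in plaintext; use V2 (the default, "
                    f"which can encrypt with the secrets.tdb key) or a unix domain socket"))
    if not unix_socket and not opt("host"):
        out.append(("NO_HOST",
                    f"[{name}] internet socket mode selected but {MODULE}:host is not set"))
    if unix_socket and (opt("host") or opt("port")):
        out.append(("HOST_IGNORED",
                    f"[{name}] mode=unix_domain_socket uses /var/tmp/stadsocket; "
                    f"host/port settings have no effect"))
    prefix = opt("anonymize_prefix")
    if not prefix:
        out.append(("NO_ANONYMIZATION",
                    f"[{name}] real user names are sent to the Receiver; set "
                    f"{MODULE}:anonymize_prefix if the database must not hold them"))
    if opt("total_anonymization").lower() == "yes" and not prefix:
        out.append(("TOTAL_WITHOUT_PREFIX",
                    f"[{name}] total_anonymization=yes needs {MODULE}:anonymize_prefix"))
    return out


def lint_config(text: str) -> Dict[str, List[Finding]]:
    """Lint every section that mentions the module anywhere in its values."""
    cp = load_smb_conf(text)
    result: Dict[str, List[Finding]] = {}
    for name in cp.sections():
        sec = cp[name]
        if any(MODULE in v for v in sec.values()):
            result[name] = lint_share(name, sec)
    return result


# Constructed sample configuration (not from a real server). The first share
# mirrors the anonymizing example above; the others show the flagged cases.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE

[example_share]
    path = /data/example
    vfs objects = smb_traffic_analyzer
    smb_traffic_analyzer:host = examplehost
    smb_traffic_analyzer:port = 3491
    smb_traffic_analyzer:anonymize_prefix = User

[legacy_share]
    path = /data/legacy
    vfs objects = smb_traffic_analyzer
    smb_traffic_analyzer:protocol_version = V1
    smb_traffic_analyzer:host = examplehost
    smb_traffic_analyzer:port = 3491

[local_share]
    path = /data/local
    vfs objects = smb_traffic_analyzer
    smb_traffic_analyzer:mode = unix_domain_socket

[typo_share]
    path = /data/typo
    vfs_objects = smb_traffic_analyzer
"""

if __name__ == "__main__":
    for share, findings in lint_config(SAMPLE_SMB_CONF).items():
        for code, message in findings or [("OK", f"[{share}] no findings")]:
            print(code, message)
```

Run it against the real /etc/samba/smb.conf by passing the file's contents to lint_config; a share with no findings loads the module under the documented key, runs the default V2 protocol or a local socket, and anonymizes user names before they leave smbd.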

VERSION
    This man page is correct for version 3.3 of the Samba suite.

AUTHOR
    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The original version of the VFS module and the helper tools were created by Holger Hetterich.