Re: [RADIATOR] MessageLog Format text2pcap, missing tool in goodies

2017-08-29 Thread Heikki Vatiainen

On 10.8.2017 21.00, Karl Gaissmaier wrote:

1.) Please add a dot as delimiter between seconds and microseconds, then 
  text2pcap can parse the timestamp with the option flag '-t %s.'


This patch, with a fix to correct the order of source and destination address 
and ports, and correct padding for timestamps, is now in the 4.19 patches.


Thanks for helping with these,
Heikki

--
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.

___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
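
Added example (not part of the thread or of Radiator's goodies): the log format the thread settles on, parsed in Python and written straight to a pcap file instead of being passed to text2pcap. It assumes the directive lists source before destination, as text2pcap's -4 and -u options do, and handles IPv4/UDP only; the function names and the sample lines are constructed for illustration.

```python
import re
import socket
import struct

# Constructed sample (not from the thread): request with '##' prefix and padded
# microseconds, reply with '#' prefix and an unpadded fraction.
SAMPLE = """\
##TEXT2PCAP -i 17 -4 192.0.2.10,192.0.2.1 -u 50000,1812
1502376000.000123  01 2a 00 14 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
#TEXT2PCAP -i 17 -4 192.0.2.1,192.0.2.10 -u 1812,50000
1502376000.5  02 2a 00 14 ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00
"""

# One or more '#' before TEXT2PCAP; source before destination (assumed order).
DIRECTIVE = re.compile(r"^#+TEXT2PCAP\b.*?-4\s+([\d.]+),([\d.]+)\s+-u\s+(\d+),(\d+)")
RECORD = re.compile(r"^(\d+)\.(\d{1,6})\s+((?:[0-9a-fA-F]{2}\s*)+)$")

def ip_checksum(header):
    """RFC 1071 ones' complement sum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_msglog(text):
    """Yield (sec, usec, src, dst, sport, dport, payload) for each logged packet."""
    flow = None
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            flow = (m[1], m[2], int(m[3]), int(m[4]))
        elif flow and (m := RECORD.match(line)):
            # A fraction is read left to right: ".5" is 500000 us, not 5 us.
            usec = int(m[2].ljust(6, "0"))
            yield (int(m[1]), usec, *flow, bytes.fromhex(m[3]))
            flow = None  # each packet carries its own directive

def to_pcap(text):
    """Return pcap bytes (LINKTYPE_RAW, 101) with one IPv4/UDP packet per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for sec, usec, src, dst, sport, dport, data in parse_msglog(text):
        udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data  # checksum 0: unset
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
        out += struct.pack("<IIII", sec, usec, 20 + len(udp), 20 + len(udp)) + ip + udp
    return out
```

Writing `to_pcap(SAMPLE)` to a file gives a capture in which request and reply carry their own addresses and ports, so direction no longer has to be deduced from the message contents.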

Re: [RADIATOR] MessageLog Format text2pcap, missing tool in goodies

2017-08-14 Thread Heikki Vatiainen

On 14.8.2017 16.31, Karl Gaissmaier wrote:

ok, and my wrapper script already parses one or more # before TEXT2PCAP, 
but I will update the comments and add a shebang line.


What shebang do you prefer in the goodies?

#!/usr/bin/perl

or

#!/usr/bin/env perl


I'd say the latter with env would be desired by those who use, for 
example, perlbrew instead of system perl. But if the wrapper does not 
use, for example, Radiator modules, it likely does not matter that much.


Thanks,
Heikki

--
Heikki Vatiainen 



Re: [RADIATOR] MessageLog Format text2pcap, missing tool in goodies

2017-08-14 Thread Karl Gaissmaier

Hi Heikki,

On 14.08.2017 at 15:03, Heikki Vatiainen wrote:

On 10.8.2017 21.00, Karl Gaissmaier wrote:

1.) Please add a dot as delimiter between seconds and microseconds, 
then   text2pcap can parse the timestamp with the option flag '-t %s.'


Ok, the microseconds will be zero padded to keep all significant digits.

2.) and if we already patch and change the output format, we should 
also trim the directive line to meet promised text2pcap enhancements:

Reconsidering this, I think the current '##' prefix should stay since 
we don't know how text2pcap will handle '#TEXT2PCAP'. If the prefix is 
kept as is, the lines can still be processed to get the options but they 
should not clash with the possible text2pcap extensions.


ok, and my wrapper script already parses one or more # before TEXT2PCAP, 
but I will update the comments and add a shebang line.


What shebang do you prefer in the goodies?

#!/usr/bin/perl

or

#!/usr/bin/env perl


Thanks
   Charly

--
Karl Gaissmaier
Universität Ulm
kiz, Kommunikations und Informationszentrum
89069 Ulm
Tel.: 49(0)731/50-22499
Fax : 49(0)731/50-12-22499


Re: [RADIATOR] MessageLog Format text2pcap, missing tool in goodies

2017-08-14 Thread Heikki Vatiainen

On 10.8.2017 21.00, Karl Gaissmaier wrote:

1.) Please add a dot as delimiter between seconds and microseconds, then 
  text2pcap can parse the timestamp with the option flag '-t %s.'


Ok, the microseconds will be zero padded to keep all significant digits.

2.) and if we already patch and change the output format, we should also 
trim the directive line to meet promised text2pcap enhancements:

Reconsidering this, I think the current '##' prefix should stay since we 
don't know how text2pcap will handle '#TEXT2PCAP'. If the prefix is kept 
as is, the lines can still be processed to get the options but they should 
not clash with the possible text2pcap extensions.


Thanks,
Heikki

--
Heikki Vatiainen 



Re: [RADIATOR] MessageLog Format text2pcap, missing tool in goodies

2017-08-10 Thread Karl Gaissmaier

Hi Heikki,

On 10.08.2017 at 12:04, Heikki Vatiainen wrote:

On 9.8.2017 20.11, Karl Gaissmaier wrote:

is there already a wrapper in your toolbox to feed the msglog to 
text2pcap, using the proper directives per packet and collecting all 
packets in one pcap file?


No, there is not. If I remember correctly, the idea was to have the 
directives more or less ready for text2pcap so that it could do the 
processing when it creates the pcap file. As you probably noticed from 
the text2pcap documentation, a line starting with '#TEXT2PCAP' is a special 
directive but it looks like it does nothing yet (and currently Radiator 
adds ##TEXT2PCAP).


The only, slightly, related thing in goodies is hexdump2wireshark.pl 
which creates similar output from Trace 5 message dumps.


In case someone wants to try this now, running text2pcap against the 
file with one set of command line options does create a valid pcap file. 
However, the ports and IPs are all the same, so the direction needs to 
be deduced from the message contents.


Please let us know how it goes if you decide to do a script,


yes, I'll do, but before, please inspect the following patches:

1.) Please add a dot as delimiter between seconds and microseconds, then 
 text2pcap can parse the timestamp with the option flag '-t %s.'



diff --git a/Radius/MessageLogFILE.pm b/Radius/MessageLogFILE.pm
index f86362a..656377f 100644
--- a/Radius/MessageLogFILE.pm
+++ b/Radius/MessageLogFILE.pm
@@ -140,7 +140,7 @@ sub format_radius_text2pcap
 $from_ip = Radius::Util::inet_ntop($from_ip);
 $to_ip   = Radius::Util::inet_ntop($to_ip);
 my $t = "##TEXT2PCAP -i 17 -4 $to_ip,$from_ip -u $to_port,$from_port\n";
-$t .= $sec . $usec . "  ";
+$t .= "$sec.$usec" . "  ";
 $t .= join ' ', map {sprintf "%02x", $_} unpack('C*', $data);
 
 return "$t\n";
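
Review bot: "$sec.$usec" on the changed line interpolates the microseconds as-is, so unless $usec is already padded above this hunk, a packet logged 5 microseconds past the second is written as ".5" and text2pcap's '-t %s.' reads that as half a second. Format the fraction to a fixed six digits, for example sprintf("%d.%06d", $sec, $usec), and mention the '-t %s.' option in the comment or documentation for this log format so readers know how the line is meant to be parsed.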



2.) and if we already patch and change the output format, we should also 
trim the directive line to meet promised text2pcap enhancements:



diff --git a/Radius/MessageLogFILE.pm b/Radius/MessageLogFILE.pm
index 656377f..68619ff 100644
--- a/Radius/MessageLogFILE.pm
+++ b/Radius/MessageLogFILE.pm
@@ -139,7 +139,7 @@ sub format_radius_text2pcap
 
 $from_ip = Radius::Util::inet_ntop($from_ip);

 $to_ip   = Radius::Util::inet_ntop($to_ip);
-my $t = "##TEXT2PCAP -i 17 -4 $to_ip,$from_ip -u $to_port,$from_port\n";
+my $t = "#TEXT2PCAP -i 17 -4 $to_ip,$from_ip -u $to_port,$from_port\n";
 $t .= "$sec.$usec" . "  ";
 $t .= join ' ', map {sprintf "%02x", $_} unpack('C*', $data);
 
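
Review bot: the directive line changed here still emits $to_ip,$from_ip and $to_port,$from_port, while text2pcap's -4 and -u options take source before destination, so every directive describes its packet in the reverse direction; swap each pair in the same change. On the prefix itself, moving from '##' to '#' changes what existing consumers of the log match on and commits these lines to whatever text2pcap eventually does with '#TEXT2PCAP', so either keep '##' or document that parsers should accept one or more '#'.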


Regards
   Charly
--
Karl Gaissmaier
Universität Ulm
kiz, Kommunikations und Informationszentrum
89069 Ulm
Tel.: 49(0)731/50-22499
Fax : 49(0)731/50-12-22499

Re: [RADIATOR] MessageLog Format text2pcap, missing tool in goodies

2017-08-10 Thread Heikki Vatiainen

On 9.8.2017 20.11, Karl Gaissmaier wrote:

is there already a wrapper in your toolbox to feed the msglog to 
text2pcap, using the proper directives per packet and collecting all 
packets in one pcap file?


No, there is not. If I remember correctly, the idea was to have the 
directives more or less ready for text2pcap so that it could do the 
processing when it creates the pcap file. As you probably noticed from 
the text2pcap documentation, a line starting with '#TEXT2PCAP' is a special 
directive but it looks like it does nothing yet (and currently Radiator 
adds ##TEXT2PCAP).


The only, slightly, related thing in goodies is hexdump2wireshark.pl 
which creates similar output from Trace 5 message dumps.


In case someone wants to try this now, running text2pcap against the 
file with one set of command line options does create a valid pcap file. 
However, the ports and IPs are all the same, so the direction needs to 
be deduced from the message contents.


Please let us know how it goes if you decide to do a script,
Heikki

--
Heikki Vatiainen 
