Diffstat (limited to 'docs/htmldocs/manpages/vfs_smb_traffic_analyzer.8.html')
-rw-r--r-- | docs/htmldocs/manpages/vfs_smb_traffic_analyzer.8.html | 83 |
1 files changed, 72 insertions, 11 deletions
diff --git a/docs/htmldocs/manpages/vfs_smb_traffic_analyzer.8.html b/docs/htmldocs/manpages/vfs_smb_traffic_analyzer.8.html index b9969bb383..24c34a7ef6 100644 --- a/docs/htmldocs/manpages/vfs_smb_traffic_analyzer.8.html +++ b/docs/htmldocs/manpages/vfs_smb_traffic_analyzer.8.html 
@@ -1,34 +1,95 @@ <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smb_traffic_analyzer</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" title="smb_traffic_analyzer"><a name="vfs_smb_traffic_analyzer.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_smb_traffic_analyzer — log Samba VFS read and write operations through a socket - to a helper application</p></div><div class="refsynopsisdiv" title="Synopsis"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = smb_traffic_analyzer</code></p></div></div><div class="refsect1" title="DESCRIPTION"><a name="id266338"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the + to a helper application</p></div><div class="refsynopsisdiv" title="Synopsis"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = smb_traffic_analyzer</code></p></div></div><div class="refsect1" title="DESCRIPTION"><a name="id266337"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the <a class="citerefentry" href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">vfs_smb_traffic_analyzer</code> VFS module logs - client write and read operations on a Samba server and sends this data - over a socket to a helper program, which feeds a SQL database. More + client file operations on a Samba server and sends this data + over a socket to a helper program (in the following the "Receiver"), + which feeds a SQL database. 
More information on the helper programs can be obtained from the homepage of the project at: http://holger123.wordpress.com/smb-traffic-analyzer/ - </p><p><code class="literal">vfs_smb_traffic_analyzer</code> currently is aware - of the following VFS operations:</p><table border="0" summary="Simple list" class="simplelist"><tr><td>write</td></tr><tr><td>pwrite</td></tr><tr><td>read</td></tr><tr><td>pread</td></tr></table><p><code class="literal">vfs_smb_traffic_analyzer</code> sends the following data + Since the VFS module depends on a receiver that is doing something with + the data, it is evolving in it's development. Therefore, the module + works with different protocol versions, and the receiver has to be able + to decode the protocol that is used. The protocol version 1 was + introduced to Samba at September 25, 2008. It was a very simple + protocol, supporting only a small list of VFS operations, and had + several drawbacks. The protocol version 2 is a try to solve the + problems version 1 had while at the same time adding new features. + With the release of Samba 3.6.0, the module will run protocol version 2 + by default. 
+ </p></div><div class="refsect1" title="Protocol version 1 documentation"><a name="id266829"></a><h2>Protocol version 1 documentation</h2><p><code class="literal">vfs_smb_traffic_analyzer</code> protocol version 1 is aware + of the following VFS operations:</p><table border="0" summary="Simple list" class="simplelist"><tr><td>write</td></tr><tr><td>pwrite</td></tr><tr><td>read</td></tr><tr><td>pread</td></tr></table><p><code class="literal">vfs_smb_traffic_analyzer</code> sends the following data in a fixed format seperated by a comma through either an internet or a unix domain socket:</p><pre class="programlisting"> BYTES|USER|DOMAIN|READ/WRITE|SHARE|FILENAME|TIMESTAMP </pre><p>Description of the records: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><code class="literal">BYTES</code> - the length in bytes of the VFS operation</p></li><li class="listitem"><p><code class="literal">USER</code> - the user who initiated the operation</p></li><li class="listitem"><p><code class="literal">DOMAIN</code> - the domain of the user</p></li><li class="listitem"><p><code class="literal">READ/WRITE</code> - either "W" for a write operation or "R" for read</p></li><li class="listitem"><p><code class="literal">SHARE</code> - the name of the share on which the VFS operation occured</p></li><li class="listitem"><p><code class="literal">FILENAME</code> - the name of the file that was used by the VFS operation</p></li><li class="listitem"><p><code class="literal">TIMESTAMP</code> - a timestamp, formatted as "yyyy-mm-dd hh-mm-ss.ms" indicating when the VFS operation occured</p></li></ul></div><p> + </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><code class="literal">BYTES</code> - the length in bytes of the VFS operation</p></li><li class="listitem"><p><code class="literal">USER</code> - the user who initiated the operation</p></li><li class="listitem"><p><code class="literal">DOMAIN</code> - 
the domain of the user</p></li><li class="listitem"><p><code class="literal">READ/WRITE</code> - either "W" for a write operation or "R" for read</p></li><li class="listitem"><p><code class="literal">SHARE</code> - the name of the share on which the VFS operation occured</p></li><li class="listitem"><p><code class="literal">FILENAME</code> - the name of the file that was used by the VFS operation</p></li><li class="listitem"><p><code class="literal">TIMESTAMP</code> - a timestamp, formatted as "yyyy-mm-dd hh-mm-ss.ms" indicating when the VFS operation occured</p></li><li class="listitem"><p><code class="literal">IP</code> - The IP Address (v4 or v6) of the client machine that initiated the VFS operation.</p></li></ul></div><p> - </p><p>This module is stackable.</p></div><div class="refsect1" title="OPTIONS"><a name="id265740"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">smb_traffic_analyzer:mode = STRING</span></dt><dd><p>If STRING matches to "unix_domain_socket", the module will + </p><p>This module is stackable.</p></div><div class="refsect1" title="Drawbacks of protocol version 1"><a name="id265760"></a><h2>Drawbacks of protocol version 1</h2><p>Several drawbacks have been seen with protocol version 1 over time.</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> + <code class="literal">Problematic parsing - </code> + Protocol version 1 uses hyphen and comma to seperate blocks of data. Once there is a + filename with a hyphen, you will run into problems because the receiver decodes the + data in a wrong way. + </p></li><li class="listitem"><p> + <code class="literal">Insecure network transfer - </code> + Protocol version 1 sends all it's data as plaintext over the network. + </p></li><li class="listitem"><p> + <code class="literal">Limited set of supported VFS operations - </code> + Protocol version 1 supports only four VFS operations. 
+ </p></li><li class="listitem"><p> + <code class="literal">No subreleases of the protocol - </code> + Protocol version 1 is fixed on it's version, making it unable to introduce new + features or bugfixes through compatible sub-releases. + </p></li></ul></div></div><div class="refsect1" title="Version 2 of the protocol"><a name="id265826"></a><h2>Version 2 of the protocol</h2><p>Protocol version 2 is an approach to solve the problems introduced with protcol v1. + From the users perspective, the following changes are most prominent among other enhancements: + </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> + The data from the module may be send encrypted, with a key stored in secrets.tdb. The + Receiver then has to use the same key. The module does AES block encryption over the + data to send. + </p></li><li class="listitem"><p> + The module now can identify itself against the receiver with a sub-release number, where + the receiver may run with a different sub-release number than the module. However, as + long as both run on the V2.x protocol, the receiver will not crash, even if the module + uses features only implemented in the newer subrelease. If the module uses + a new feature from a newer subrelease, and the receiver runs an older protocol, it is just + ignoring the functionality. Of course it is best to have both the receiver and the module + running the same subrelease of the protocol. + </p></li><li class="listitem"><p> + The parsing problems of protocol V1 can no longer happen, because V2 is marshalling the + data packages in a proper way. + </p></li><li class="listitem"><p> + The module now potientially has the ability to create data on every VFS function. As of + protocol V2.0, there is support for 8 VFS functions, namely write,read,pread,pwrite, + rename,chdir,mkdir and rmdir. Supporting more VFS functions is one of the targets for the + upcoming sub-releases. 
+ </p></li></ul></div><p> + To enable protocol V2, the protocol_version vfs option has to be used (see OPTIONS). + </p></div><div class="refsect1" title="OPTIONS with protocol V1 and V2.x"><a name="id265881"></a><h2>OPTIONS with protocol V1 and V2.x</h2><div class="variablelist"><dl><dt><span class="term">smb_traffic_analyzer:mode = STRING</span></dt><dd><p>If STRING matches to "unix_domain_socket", the module will use a unix domain socket located at /var/tmp/stadsocket, if STRING contains an different string or is not defined, the module will use an internet domain socket for data transfer.</p></dd><dt><span class="term">smb_traffic_analyzer:host = STRING</span></dt><dd><p>The module will send the data to the system named with the hostname STRING.</p></dd><dt><span class="term">smb_traffic_analyzer:port = STRING</span></dt><dd><p>The module will send the data using the TCP port given in STRING. </p></dd><dt><span class="term">smb_traffic_analyzer:anonymize_prefix = STRING</span></dt><dd><p>The module will replace the user names with a prefix - given by STRING and a simple hash number. + given by STRING and a simple hash number. In version 2.x + of the protocol, the users SID will also be anonymized. </p></dd><dt><span class="term">smb_traffic_analyzer:total_anonymization = STRING</span></dt><dd><p>If STRING matches to 'yes', the module will replace any user name with the string given by the option smb_traffic_analyzer:anonymize_prefix, without generating an additional hash number. This means that any transfer data will be mapped to a single user, leading to a total - anonymization of user related data.</p></dd></dl></div></div><div class="refsect1" title="EXAMPLES"><a name="id265823"></a><h2>EXAMPLES</h2><p>The module running on share "example_share", using a unix domain socket</p><pre class="programlisting"> + anonymization of user related data. 
In version 2.x of the + protocol, the users SID will also be anonymized.</p></dd><dt><span class="term">smb_traffic_analyzer:protocol_version = STRING</span></dt><dd><p>If STRING matches to V1, the module will use version 1 of the + protocol. If STRING is not given, the module will use version 2 of the + protocol, which is the default. + </p></dd></dl></div></div><div class="refsect1" title="EXAMPLES"><a name="id265980"></a><h2>EXAMPLES</h2><p>Running protocol V2 on share "example_share", using an internet socket.</p><pre class="programlisting"> + <em class="parameter"><code>[example_share]</code></em> + <a class="link" href="smb.conf.5.html#PATH" target="_top">path = /data/example</a> + <a class="link" href="smb.conf.5.html#VFS_OBJECTS" target="_top">vfs_objects = smb_traffic_analyzer</a> + <a class="link" href="smb.conf.5.html#SMB_TRAFFIC_ANALYZER:HOST" target="_top">smb_traffic_analyzer:host = examplehost</a> + <a class="link" href="smb.conf.5.html#SMB_TRAFFIC_ANALYZER:PORT" target="_top">smb_traffic_analyzer:port = 3491</a> + </pre><p>The module running on share "example_share", using a unix domain socket</p><pre class="programlisting"> <em class="parameter"><code>[example_share]</code></em> <a class="link" href="smb.conf.5.html#PATH" target="_top">path = /data/example</a> <a class="link" href="smb.conf.5.html#VFSOBJECTS" target="_top">vfs objects = smb_traffic_analyzer</a> 
@@ -49,8 +110,8 @@ <a class="link" href="smb.conf.5.html#SMB_TRAFFIC_ANALYZER:HOST" target="_top">smb_traffic_analyzer:host = examplehost</a> <a class="link" href="smb.conf.5.html#SMB_TRAFFIC_ANALYZER:PORT" target="_top">smb_traffic_analyzer:port = 3491</a> <a class="link" href="smb.conf.5.html#SMB_TRAFFIC_ANALYZER:ANONYMIZE_PREFIX" target="_top">smb_traffic_analyzer:anonymize_prefix = User</a> - </pre></div><div class="refsect1" title="VERSION"><a name="id307130"></a><h2>VERSION</h2><p>This man page is correct for version 3.3 of the Samba suite. - </p></div><div class="refsect1" title="AUTHOR"><a name="id307139"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities + </pre></div><div class="refsect1" title="VERSION"><a name="id307321"></a><h2>VERSION</h2><p>This man page is correct for version 3.3 of the Samba suite. + </p></div><div class="refsect1" title="AUTHOR"><a name="id307331"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.</p><p>The original version of the VFS module and the |
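Review bot: In the first hunk (@@ -1,34 +1,95 @@), the added "Version 2 of the protocol" bullet says the data may be sent encrypted with a key stored in secrets.tdb, but none of the added OPTIONS entries turns encryption on or sets the key, and the new V2 example (host = examplehost, port = 3491) carries no encryption setting, so a reader cannot tell whether that configuration still sends plaintext over the network. Please document how encryption is enabled, how the key is provisioned on both the module and the Receiver, and which AES key length and mode are used. Smaller points in the same hunk: the new example writes `vfs_objects = smb_traffic_analyzer` (link #VFS_OBJECTS) while the synopsis and the existing example use `vfs objects` (#VFSOBJECTS); "To enable protocol V2, the protocol_version vfs option has to be used" contradicts the protocol_version entry, which makes V2 the default; the added IP item is not reflected in the `BYTES|USER|DOMAIN|READ/WRITE|SHARE|FILENAME|TIMESTAMP` listing; and the V1 separator is described as a comma in one place, as "hyphen and comma" in the drawbacks list, and shown as `|` in the listing.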
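Review bot: In the second hunk (@@ -49,8 +110,8 @@), the VERSION paragraph on the `+` side still reads "This man page is correct for version 3.3 of the Samba suite", while the text added earlier in this patch describes Samba 3.6.0 behaviour (protocol version 2 as the default). The only changes here are the regenerated anchor ids (id307130 to id307321, id307139 to id307331); the version statement should be updated in the same change so the page does not claim to describe 3.3.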