DragonFly On-Line Manual Pages
SMB_TRAFFIC_ANALYZER(8) System Administration tools SMB_TRAFFIC_ANALYZER(8)
NAME
vfs_smb_traffic_analyzer - log Samba VFS read and write operations
through a socket to a helper application
SYNOPSIS
vfs objects = smb_traffic_analyzer
DESCRIPTION
This VFS module is part of the samba(7) suite.
The vfs_smb_traffic_analyzer VFS module logs client file operations on
a Samba server and sends this data over a socket to a helper program
(called the "Receiver" below), which feeds a SQL database. More
information on the helper programs can be obtained from the homepage of
the project at: http://holger123.wordpress.com/smb-traffic-analyzer/
Since the VFS module depends on a receiver that does something with the
data, its development is still evolving. The module therefore works
with different protocol versions, and the receiver has to be able to
decode the protocol that is used. Protocol version 1 was introduced to
Samba on September 25, 2008. It was a very simple protocol, supporting
only a small list of VFS operations, and had several drawbacks.
Protocol version 2 is an attempt to solve the problems of version 1
while at the same time adding new features. Since the release of Samba
4.0.0, the module runs protocol version 2 by default.
PROTOCOL VERSION 1 DOCUMENTATION
vfs_smb_traffic_analyzer protocol version 1 is aware of the following
VFS operations:
write
pwrite
read
pread
vfs_smb_traffic_analyzer sends the following data in a fixed format
separated by a comma through either an internet or a unix domain
socket (the vertical bars below only separate the field names):
BYTES|USER|DOMAIN|READ/WRITE|SHARE|FILENAME|TIMESTAMP|IP
Description of the records:
o BYTES - the number of bytes transferred by the VFS operation
o USER - the user who initiated the operation
o DOMAIN - the domain of the user
o READ/WRITE - either "W" for a write operation or "R" for read
o SHARE - the name of the share on which the VFS operation occurred
o FILENAME - the name of the file that was used by the VFS operation
o TIMESTAMP - a timestamp, formatted as "yyyy-mm-dd hh-mm-ss.ms"
indicating when the VFS operation occurred
o IP - The IP Address (v4 or v6) of the client machine that initiated
the VFS operation.
This module is stackable.
DRAWBACKS OF PROTOCOL VERSION 1
Several drawbacks have been seen with protocol version 1 over time.
o Problematic parsing - Protocol version 1 uses hyphens and commas to
separate blocks of data. As soon as a filename contains a hyphen or a
comma, the receiver decodes the record incorrectly, because it cannot
tell a separator from data.
o Insecure network transfer - Protocol version 1 sends all its data as
plaintext over the network.
o Limited set of supported VFS operations - Protocol version 1
supports only four VFS operations.
o No subreleases of the protocol - Protocol version 1 is fixed on its
version, making it unable to introduce new features or bugfixes
through compatible sub-releases.
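The following Python program is an added example, not code from the
module or from the project's own receiver. It shows the record format
documented under PROTOCOL VERSION 1 DOCUMENTATION from the receiver's
side, together with the parsing drawback listed above: a minimal
receiver that listens on a unix domain socket, splits each record into
the documented fields, feeds the good ones into a SQL table and rejects
records it cannot parse unambiguously. The serialization it assumes
(one record per line, fields separated by a comma, the client IP as the
last field) follows the description on this page and is an assumption,
not a dump of the module's exact wire format; the sample records are
constructed.

```python
import os
import socket
import sqlite3
import tempfile
import threading
import time

# Field order of a protocol version 1 record, as documented above.  The
# serialization assumed here (one record per line, comma separated, IP as
# the last field) follows the page's description and is an assumption.
V1_FIELDS = ("bytes", "user", "domain", "rw", "share", "filename", "timestamp", "ip")

# Constructed sample records: a well-formed write, a read whose filename
# contains a comma, and a record whose BYTES field is not a number.
SAMPLE_LINES = [
    "4096,alice,EXAMPLE,W,example_share,report.docx,2015-12-10 09-15-02.113,192.0.2.10",
    "512,bob,EXAMPLE,R,example_share,budget,final.xlsx,2015-12-10 09-15-03.001,192.0.2.11",
    "lots,bob,EXAMPLE,R,example_share,notes.txt,2015-12-10 09-15-04.007,192.0.2.11",
]


def parse_v1_record(line):
    """Split one V1 record into a dict, or return None if it is ambiguous.
    V1 has no escaping, so a comma inside FILENAME shifts every later field;
    the receiver's only defence is to check the field count and the fixed
    format fields and reject what does not fit, rather than guess."""
    parts = line.rstrip("\r\n").split(",")
    if len(parts) != len(V1_FIELDS):
        return None
    rec = dict(zip(V1_FIELDS, parts))
    if not rec["bytes"].isdigit() or rec["rw"] not in ("R", "W"):
        return None
    rec["bytes"] = int(rec["bytes"])
    return rec


def open_db(path=":memory:"):
    """The SQL side of a receiver: one table holding the V1 fields."""
    conn = sqlite3.connect(path, check_same_thread=False)
    conn.execute("CREATE TABLE IF NOT EXISTS vfs_ops (nbytes INTEGER, username TEXT,"
                 " domain TEXT, rw TEXT, share TEXT, filename TEXT, ts TEXT, ip TEXT)")
    return conn


def ingest(lines, conn):
    """Parse each line and insert the good ones; return (accepted, rejected)."""
    accepted = rejected = 0
    for line in lines:
        rec = parse_v1_record(line)
        if rec is None:
            rejected += 1
            continue
        conn.execute("INSERT INTO vfs_ops VALUES (?,?,?,?,?,?,?,?)",
                     tuple(rec[f] for f in V1_FIELDS))
        accepted += 1
    conn.commit()
    return accepted, rejected


def receive_once(sock_path, conn, timeout=5.0):
    """Accept one connection on a unix domain socket (the module's default
    path is /var/tmp/stadsocket), read until the peer closes, then ingest."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.settimeout(timeout)
    srv.bind(sock_path)
    srv.listen(1)
    client, _ = srv.accept()
    client.settimeout(timeout)
    data = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        data += chunk
    client.close()
    srv.close()
    os.unlink(sock_path)
    return ingest(data.decode("utf-8", "replace").splitlines(), conn)


def demo_over_socket(lines=SAMPLE_LINES, sock_path=None):
    """Round-trip the sample records through a real unix domain socket: the
    receiver runs in a thread and this function plays the VFS module as the
    client.  Returns the receiver's (accepted, rejected) counts."""
    if sock_path is None:
        sock_path = os.path.join(tempfile.mkdtemp(), "stadsocket")
    conn = open_db()
    result = {}
    worker = threading.Thread(target=lambda: result.update(counts=receive_once(sock_path, conn)))
    worker.start()
    payload = "".join(line + "\n" for line in lines).encode("utf-8")
    for _ in range(200):  # the receiver may not have bound yet; retry briefly
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            cli.connect(sock_path)
            break
        except (FileNotFoundError, ConnectionRefusedError):
            cli.close()
            time.sleep(0.01)
    cli.sendall(payload)
    cli.close()
    worker.join()
    return result["counts"]
```

Of the three constructed records only the first is accepted; the record
whose filename contains a comma has nine fields instead of eight and is
rejected rather than silently stored with shifted columns. That rejection
is the best a V1 receiver can do, since nothing in the record tells it
which comma was part of the filename; this is the reason V2 marshals its
data instead.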
VERSION 2 OF THE PROTOCOL
Protocol version 2 is an approach to solving the problems introduced
with protocol v1. From the user's perspective, the following changes
are the most prominent among other enhancements:
o The data from the module may be sent encrypted, with a key stored
in secrets.tdb (or secrets.ntdb). The Receiver then has to use the
same key. The module applies AES block encryption to the data it
sends.
o The module can now identify itself to the receiver with a
sub-release number, and the receiver may run with a different
sub-release number than the module. As long as both run the V2.x
protocol, the receiver will not crash, even if the module uses
features only implemented in a newer sub-release: if the module uses
a new feature from a newer sub-release and the receiver runs an
older one, the receiver simply ignores that functionality. Of course
it is best to have both the receiver and the module running the same
sub-release of the protocol.
o The parsing problems of protocol V1 can no longer happen, because
V2 marshals the data packets in a proper way.
o The module now potentially has the ability to create data on every
VFS function. As of protocol V2.0, there is support for 8 VFS
functions, namely write, read, pread, pwrite, rename, chdir, mkdir
and rmdir. Supporting more VFS functions is one of the targets for
the upcoming sub-releases.
To enable protocol V2, the protocol_version vfs option has to be used
(see OPTIONS).
OPTIONS WITH PROTOCOL V1 AND V2.X
smb_traffic_analyzer:mode = STRING
If STRING matches "unix_domain_socket", the module will use a unix
domain socket located at /var/tmp/stadsocket. If STRING contains a
different string or is not defined, the module will use an internet
domain socket for data transfer. Because protocol version 1 sends its
records in plaintext, the unix domain socket is the safer choice when
the receiver runs on the same host.
smb_traffic_analyzer:host = STRING
The module will send the data to the system named with the hostname
STRING.
smb_traffic_analyzer:port = STRING
The module will send the data using the TCP port given in STRING.
smb_traffic_analyzer:anonymize_prefix = STRING
The module will replace the user names with a prefix given by
STRING and a simple hash number. In version 2.x of the protocol,
the user's SID will also be anonymized.
smb_traffic_analyzer:total_anonymization = STRING
If STRING matches 'yes', the module will replace any user name
with the string given by the option
smb_traffic_analyzer:anonymize_prefix, without generating an
additional hash number. This means that all transfer data will be
mapped to a single user, leading to a total anonymization of user
related data. In version 2.x of the protocol, the user's SID will
also be anonymized.
smb_traffic_analyzer:protocol_version = STRING
If STRING matches V1, the module will use version 1 of the protocol.
If STRING is not given, the module will use version 2 of the
protocol, which is the default.
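The following Python code is an added example, not code from the module
or the project, modelling the two anonymization modes described under
smb_traffic_analyzer:anonymize_prefix and
smb_traffic_analyzer:total_anonymization. The page does not define the
"simple hash number"; a truncated SHA-256 of the user name stands in
for it here, which is an assumption. The sample records are
constructed. The point the example makes is a property of any
prefix-plus-hash scheme, not of the particular hash: a pseudonym that
depends only on the user name can be reversed by anyone holding a
list of account names, and fields other than USER (share, filename,
timestamp, IP) are not anonymized in either mode.

```python
import hashlib


def anonymize(user, prefix, total_anonymization=False):
    """Model of the two modes: anonymize_prefix alone yields a per-user
    pseudonym; total_anonymization = yes collapses every user to PREFIX.
    Assumption: the module's real hash is not documented on the page, so a
    truncated SHA-256 of the user name stands in for the "simple hash"."""
    if total_anonymization:
        return prefix
    digest = hashlib.sha256(user.encode("utf-8")).hexdigest()
    return prefix + str(int(digest[:8], 16))


def anonymize_records(records, prefix, total_anonymization=False):
    """Rewrite only the USER field, as the option text describes; SHARE,
    FILENAME, TIMESTAMP and IP are passed through unchanged."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["user"] = anonymize(rec["user"], prefix, total_anonymization)
        out.append(rec)
    return out


def reidentify(pseudonym, prefix, candidate_users):
    """Reverse a prefix+hash pseudonym by brute force over a user list.  The
    pseudonym is a deterministic function of the user name alone, so anyone
    with a domain user list (rarely a secret) can rebuild the mapping."""
    return sorted(u for u in candidate_users if anonymize(u, prefix) == pseudonym)


def link_by_ip(records):
    """Group file names by client IP: what remains linkable to a workstation
    even under total anonymization, because the IP field is not anonymized."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["ip"], []).append(rec["filename"])
    return groups


# Constructed sample records (already parsed; only the fields used here).
SAMPLE_RECORDS = [
    {"user": "alice", "share": "example_share", "filename": "report.docx", "ip": "192.0.2.10"},
    {"user": "alice", "share": "example_share", "filename": "notes.txt", "ip": "192.0.2.10"},
    {"user": "bob", "share": "example_share", "filename": "budget.xlsx", "ip": "192.0.2.11"},
]
```

With anonymize_prefix alone, reidentify() recovers "alice" from her
pseudonym given nothing but a list of candidate user names, so the data
is pseudonymized rather than anonymous. With total_anonymization = yes
every record carries the same USER value and reidentify() finds nothing,
but link_by_ip() still groups the same files by the same client address.
An operator who needs the records to be unlinkable has to treat the IP
field (and telling file names) with the same care as the user name.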
EXAMPLES
Running protocol V2 on share "example_share", using an internet socket.
[example_share]
path = /data/example
vfs objects = smb_traffic_analyzer
smb_traffic_analyzer:host = examplehost
smb_traffic_analyzer:port = 3491
The module running on share "example_share", using a unix domain socket
[example_share]
path = /data/example
vfs objects = smb_traffic_analyzer
smb_traffic_analyzer:mode = unix_domain_socket
The module running on share "example_share", using an internet socket,
connecting to host "examplehost" on port 3491.
[example_share]
path = /data/example
vfs objects = smb_traffic_analyzer
smb_traffic_analyzer:host = examplehost
smb_traffic_analyzer:port = 3491
The module running on share "example_share", using an internet socket,
connecting to host "examplehost" on port 3491, anonymizing user names
with the prefix "User".
[example_share]
path = /data/example
vfs objects = smb_traffic_analyzer
smb_traffic_analyzer:host = examplehost
smb_traffic_analyzer:port = 3491
smb_traffic_analyzer:anonymize_prefix = User
VERSION
This man page is correct for version 3.3 of the Samba suite.
AUTHOR
The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.
The original version of the VFS module and the helper tools were
created by Holger Hetterich.
Samba 4.2 12/10/2015 SMB_TRAFFIC_ANALYZER(8)