| 1 | .\"     Title: log2pcap | 
|---|
| 2 | .\"    Author: [see the "AUTHOR" section] | 
|---|
| 3 | .\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/> | 
|---|
| 4 | .\"      Date: 02/22/2010 | 
|---|
| 5 | .\"    Manual: User Commands | 
|---|
| 6 | .\"    Source: Samba 3.3 | 
|---|
| 7 | .\"  Language: English | 
|---|
| 8 | .\" | 
|---|
| 9 | .TH "LOG2PCAP" "1" "02/22/2010" "Samba 3\&.3" "User Commands" | 
|---|
| 10 | .\" ----------------------------------------------------------------- | 
|---|
| 11 | .\" * (re)Define some macros | 
|---|
| 12 | .\" ----------------------------------------------------------------- | 
|---|
| 13 | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|---|
| 14 | .\" toupper - uppercase a string (locale-aware) | 
|---|
| 15 | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|---|
| 16 | .de toupper | 
|---|
| 17 | .tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | 
|---|
| 18 | \\$* | 
|---|
| 19 | .tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz | 
|---|
| 20 | .. | 
|---|
| 21 | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|---|
| 22 | .\" SH-xref - format a cross-reference to an SH section | 
|---|
| 23 | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|---|
| 24 | .de SH-xref | 
|---|
| 25 | .ie n \{\ | 
|---|
| 26 | .\} | 
|---|
| 27 | .toupper \\$* | 
|---|
| 28 | .el \{\ | 
|---|
| 29 | \\$* | 
|---|
| 30 | .\} | 
|---|
| 31 | .. | 
|---|
| 32 | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|---|
| 33 | .\" SH - level-one heading that works better for non-TTY output | 
|---|
| 34 | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|---|
| 35 | .de1 SH | 
|---|
| 36 | .\" put an extra blank line of space above the head in non-TTY output | 
|---|
| 37 | .if t \{\ | 
|---|
| 38 | .sp 1 | 
|---|
| 39 | .\} | 
|---|
| 40 | .sp \\n[PD]u | 
|---|
| 41 | .nr an-level 1 | 
|---|
| 42 | .set-an-margin | 
|---|
| 43 | .nr an-prevailing-indent \\n[IN] | 
|---|
| 44 | .fi | 
|---|
| 45 | .in \\n[an-margin]u | 
|---|
| 46 | .ti 0 | 
|---|
| 47 | .HTML-TAG ".NH \\n[an-level]" | 
|---|
| 48 | .it 1 an-trap | 
|---|
| 49 | .nr an-no-space-flag 1 | 
|---|
| 50 | .nr an-break-flag 1 | 
|---|
| 51 | .\" make the size of the head bigger | 
|---|
| 52 | .ps +3 | 
|---|
| 53 | .ft B | 
|---|
| 54 | .ne (2v + 1u) | 
|---|
| 55 | .ie n \{\ | 
|---|
| 56 | .\" if n (TTY output), use uppercase | 
|---|
| 57 | .toupper \\$* | 
|---|
| 58 | .\} | 
|---|
| 59 | .el \{\ | 
|---|
| 60 | .nr an-break-flag 0 | 
|---|
| 61 | .\" if not n (not TTY), use normal case (not uppercase) | 
|---|
| 62 | \\$1 | 
|---|
| 63 | .in \\n[an-margin]u | 
|---|
| 64 | .ti 0 | 
|---|
| 65 | .\" if not n (not TTY), put a border/line under subheading | 
|---|
| 66 | .sp -.6 | 
|---|
| 67 | \l'\n(.lu' | 
|---|
| 68 | .\} | 
|---|
| 69 | .. | 
|---|
| 70 | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|---|
| 71 | .\" SS - level-two heading that works better for non-TTY output | 
|---|
| 72 | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|---|
| 73 | .de1 SS | 
|---|
| 74 | .sp \\n[PD]u | 
|---|
| 75 | .nr an-level 1 | 
|---|
| 76 | .set-an-margin | 
|---|
| 77 | .nr an-prevailing-indent \\n[IN] | 
|---|
| 78 | .fi | 
|---|
| 79 | .in \\n[IN]u | 
|---|
| 80 | .ti \\n[SN]u | 
|---|
| 81 | .it 1 an-trap | 
|---|
| 82 | .nr an-no-space-flag 1 | 
|---|
| 83 | .nr an-break-flag 1 | 
|---|
| 84 | .ps \\n[PS-SS]u | 
|---|
| 85 | .\" make the size of the head bigger | 
|---|
| 86 | .ps +2 | 
|---|
| 87 | .ft B | 
|---|
| 88 | .ne (2v + 1u) | 
|---|
| 89 | .if \\n[.$] \&\\$* | 
|---|
| 90 | .. | 
|---|
| 91 | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|---|
| 92 | .\" BB/BE - put background/screen (filled box) around block of text | 
|---|
| 93 | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|---|
| 94 | .de BB | 
|---|
| 95 | .if t \{\ | 
|---|
| 96 | .sp -.5 | 
|---|
| 97 | .br | 
|---|
| 98 | .in +2n | 
|---|
| 99 | .ll -2n | 
|---|
| 100 | .gcolor red | 
|---|
| 101 | .di BX | 
|---|
| 102 | .\} | 
|---|
| 103 | .. | 
|---|
| 104 | .de EB | 
|---|
| 105 | .if t \{\ | 
|---|
| 106 | .if "\\$2"adjust-for-leading-newline" \{\ | 
|---|
| 107 | .sp -1 | 
|---|
| 108 | .\} | 
|---|
| 109 | .br | 
|---|
| 110 | .di | 
|---|
| 111 | .in | 
|---|
| 112 | .ll | 
|---|
| 113 | .gcolor | 
|---|
| 114 | .nr BW \\n(.lu-\\n(.i | 
|---|
| 115 | .nr BH \\n(dn+.5v | 
|---|
| 116 | .ne \\n(BHu+.5v | 
|---|
| 117 | .ie "\\$2"adjust-for-leading-newline" \{\ | 
|---|
| 118 | \M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] | 
|---|
| 119 | .\} | 
|---|
| 120 | .el \{\ | 
|---|
| 121 | \M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] | 
|---|
| 122 | .\} | 
|---|
| 123 | .in 0 | 
|---|
| 124 | .sp -.5v | 
|---|
| 125 | .nf | 
|---|
| 126 | .BX | 
|---|
| 127 | .in | 
|---|
| 128 | .sp .5v | 
|---|
| 129 | .fi | 
|---|
| 130 | .\} | 
|---|
| 131 | .. | 
|---|
| 132 | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|---|
| 133 | .\" BM/EM - put colored marker in margin next to block of text | 
|---|
| 134 | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|---|
| 135 | .de BM | 
|---|
| 136 | .if t \{\ | 
|---|
| 137 | .br | 
|---|
| 138 | .ll -2n | 
|---|
| 139 | .gcolor red | 
|---|
| 140 | .di BX | 
|---|
| 141 | .\} | 
|---|
| 142 | .. | 
|---|
| 143 | .de EM | 
|---|
| 144 | .if t \{\ | 
|---|
| 145 | .br | 
|---|
| 146 | .di | 
|---|
| 147 | .ll | 
|---|
| 148 | .gcolor | 
|---|
| 149 | .nr BH \\n(dn | 
|---|
| 150 | .ne \\n(BHu | 
|---|
| 151 | \M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] | 
|---|
| 152 | .in 0 | 
|---|
| 153 | .nf | 
|---|
| 154 | .BX | 
|---|
| 155 | .in | 
|---|
| 156 | .fi | 
|---|
| 157 | .\} | 
|---|
| 158 | .. | 
|---|
| 159 | .\" ----------------------------------------------------------------- | 
|---|
| 160 | .\" * set default formatting | 
|---|
| 161 | .\" ----------------------------------------------------------------- | 
|---|
| 162 | .\" disable hyphenation | 
|---|
| 163 | .nh | 
|---|
| 164 | .\" disable justification (adjust text to left margin only) | 
|---|
| 165 | .ad l | 
|---|
| 166 | .\" ----------------------------------------------------------------- | 
|---|
| 167 | .\" * MAIN CONTENT STARTS HERE * | 
|---|
| 168 | .\" ----------------------------------------------------------------- | 
|---|
| 169 | .SH "Name" | 
|---|
| 170 | log2pcap \- Extract network traces from Samba log files | 
|---|
| 171 | .SH "Synopsis" | 
|---|
| 172 | .fam C | 
|---|
| 173 | .HP \w'\ 'u | 
|---|
| 174 | \FClog2pcap\F[] [\-h] [\-q] [logfile] [pcap_file] | 
|---|
| 175 | .fam | 
|---|
| 176 | .SH "DESCRIPTION" | 
|---|
| 177 | .PP | 
|---|
| 178 | This tool is part of the | 
|---|
| 179 | \fBsamba\fR(7) | 
|---|
| 180 | suite\&. | 
|---|
| 181 | .PP | 
|---|
| 182 | \FClog2pcap\F[] | 
|---|
| 183 | reads a Samba log file and generates a pcap file (readable by most packet analyzers, such as Wireshark, formerly Ethereal, or tcpdump) from the packet dumps found in the log\&. The packets are reconstructed from the log text, not captured from the wire\&. | 
|---|
| 184 | .PP | 
|---|
| 185 | The log file must have a | 
|---|
| 186 | \fIlog level\fR | 
|---|
| 187 | of at least | 
|---|
| 188 | \fB5\fR | 
|---|
| 189 | to get the SMB header/parameters right, | 
|---|
| 190 | \fB10\fR | 
|---|
| 191 | to get the first 512 data bytes of the packet and | 
|---|
| 192 | \fB50\fR | 
|---|
| 193 | to get the whole packet\&. Note that at log level 10 and above the log file itself holds packet payloads, so it is as sensitive as an on\-the\-wire capture: restrict access to it and raise the log level only for as long as the diagnosis requires\&. | 
|---|
| 194 | .SH "OPTIONS" | 
|---|
| 195 | .PP | 
|---|
| 196 | \-h | 
|---|
| 197 | .RS 4 | 
|---|
| 198 | If this parameter is specified the output file will be a hex dump, in a format that is readable by the | 
|---|
| 199 | text2pcap | 
|---|
| 200 | utility\&. | 
|---|
| 201 | .RE | 
|---|
| 202 | .PP | 
|---|
| 203 | \-q | 
|---|
| 204 | .RS 4 | 
|---|
| 205 | Be quiet\&. No warning messages about missing or incomplete data will be given\&. Do not use this option when the resulting trace must be trusted (for example in an incident investigation), since the warnings are the only indication that parts of the log were unparsable and the trace is therefore incomplete\&. | 
|---|
| 206 | .RE | 
|---|
| 207 | .PP | 
|---|
| 208 | logfile | 
|---|
| 209 | .RS 4 | 
|---|
| 210 | Samba log file to read\&. If no log file is given, log2pcap reads the log from standard input\&. | 
|---|
| 211 | .RE | 
|---|
| 212 | .PP | 
|---|
| 213 | pcap_file | 
|---|
| 214 | .RS 4 | 
|---|
| 215 | Name of the output file to write the pcap (or hexdump) data to\&. If this argument is not specified, output data will be written to stdout\&. | 
|---|
| 216 | .RE | 
|---|
| 217 | .PP | 
|---|
| 218 | \-h|\-\-help | 
|---|
| 219 | .RS 4 | 
|---|
| 220 | Print a summary of command line options\&. Note that \-h is also listed above as the hex\-dump switch; the two entries conflict, so do not rely on \-h to print help \(em check the usage message of your installed version\&. | 
|---|
| 221 | .RE | 
|---|
| 222 | .SH "EXAMPLES" | 
|---|
| 223 | .PP | 
|---|
| 224 | Extract all network traffic from all samba log files: | 
|---|
| 225 | .PP | 
|---|
| 226 | .if n \{\ | 
|---|
| 227 | .RS 4 | 
|---|
| 228 | .\} | 
|---|
| 229 | .fam C | 
|---|
| 230 | .ps -1 | 
|---|
| 231 | .nf | 
|---|
| 232 | .if t \{\ | 
|---|
| 233 | .sp -1 | 
|---|
| 234 | .\} | 
|---|
| 235 | .BB lightgray adjust-for-leading-newline | 
|---|
| 236 | .sp -1 | 
|---|
| 237 |  | 
|---|
| 238 | \FC$\F[] cat /var/log/* | log2pcap > trace\&.pcap | 
|---|
| 239 |  | 
|---|
| 240 | .EB lightgray adjust-for-leading-newline | 
|---|
| 241 | .if t \{\ | 
|---|
| 242 | .sp 1 | 
|---|
| 243 | .\} | 
|---|
| 244 | .fi | 
|---|
| 245 | .fam | 
|---|
| 246 | .ps +1 | 
|---|
| 247 | .if n \{\ | 
|---|
| 248 | .RE | 
|---|
| 249 | .\} | 
|---|
| 250 | .PP | 
|---|
| 251 | Convert to pcap using text2pcap: | 
|---|
| 252 | .PP | 
|---|
| 253 | .if n \{\ | 
|---|
| 254 | .RS 4 | 
|---|
| 255 | .\} | 
|---|
| 256 | .fam C | 
|---|
| 257 | .ps -1 | 
|---|
| 258 | .nf | 
|---|
| 259 | .if t \{\ | 
|---|
| 260 | .sp -1 | 
|---|
| 261 | .\} | 
|---|
| 262 | .BB lightgray adjust-for-leading-newline | 
|---|
| 263 | .sp -1 | 
|---|
| 264 |  | 
|---|
| 265 | \FC$\F[] log2pcap \-h samba\&.log | text2pcap \-T 139,139 \- trace\&.pcap | 
|---|
| 266 |  | 
|---|
| 267 | .EB lightgray adjust-for-leading-newline | 
|---|
| 268 | .if t \{\ | 
|---|
| 269 | .sp 1 | 
|---|
| 270 | .\} | 
|---|
| 271 | .fi | 
|---|
| 272 | .fam | 
|---|
| 273 | .ps +1 | 
|---|
| 274 | .if n \{\ | 
|---|
| 275 | .RE | 
|---|
| 276 | .\} | 
|---|
| 277 | .SH "VERSION" | 
|---|
| 278 | .PP | 
|---|
| 279 | This man page is correct for version 3 of the Samba suite\&. | 
|---|
| 280 | .SH "BUGS" | 
|---|
| 281 | .PP | 
|---|
| 282 | Only SMB traffic is reconstructed from the Samba logs; LDAP, NetBIOS name lookups and other protocols are not extracted\&. | 
|---|
| 283 | .PP | 
|---|
| 284 | The generated TCP and IP headers do not contain a valid checksum\&. Analyzers that validate checksums will therefore flag every packet in the trace; disable checksum validation when opening it\&. | 
|---|
| 285 | .SH "SEE ALSO" | 
|---|
| 286 | .PP | 
|---|
| 287 | \fBtext2pcap\fR(1), | 
|---|
| 288 | \fBwireshark\fR(1) (formerly \fBethereal\fR(1)) | 
|---|
| 289 | .SH "AUTHOR" | 
|---|
| 290 | .PP | 
|---|
| 291 | The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&. | 
|---|
| 292 | .PP | 
|---|
| 293 | This manpage was written by Jelmer Vernooij\&. | 
|---|