==> debian/compat <==
9

==> debian/chaosreader.manpages <==
debian/man/chaosreader.1

==> debian/copyright <==
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: chaosreader
Source: http://chaosreader.sf.net

Files: *
Copyright: 2003-2004 Brendan Gregg
License: GPL-2+

Files: debian/*
Copyright: 2008-2013 Joao Eriberto Mota Filho
License: GPL-2+

License: GPL-2+
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
 .
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program; if not, write to the Free Software
 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 .
 On Debian systems, the complete text of the GNU General Public License
 can be found in /usr/share/common-licenses/GPL-2 file.

==> debian/upstream.changelog <==
# Extracted from chaosreader source code
#
# 28-Sep-2003   Brendan Gregg   Began writing this.
# 08-Oct-2003      "     "      Released version 0.7 beta
# 09-Oct-2003      "     "      Added telnet replays
# 12-Oct-2003      "     "      Added IRC ports and replays
# 19-Oct-2003      "     "      Made code more robust on different OSs
# 01-Nov-2003      "     "      Code cleanup, complex data types, IPv6, ICMP
# 03-Nov-2003      "     "      Added Standalone mode, standalone redo, ...
# 05-Nov-2003      "     "      Added Image indexes, GETPOST indexes
# 15-Nov-2003      "     "      Added HTTP proxy style log, hex dumps
# 27-Jan-2004      "     "      Released experimental X11 & VNC processing
# 30-Mar-2004      "     "      802.11b, sorts, less RAM used, tun packets.
# 01-May-2004      "     "      CLI enhanced, faster, SSH analysis.

==> debian/patches/01-fix-division.patch <==
Author: Joao Eriberto Mota Filho
Description: Avoid an error because a division by zero.
diff -Naurp chaosreader.orig/chaosreader0.94 chaosreader/chaosreader0.94
--- chaosreader.orig/chaosreader0.94	2009-07-09 12:15:01.000000000 +0000
+++ chaosreader/chaosreader0.94	2009-07-09 13:43:00.000000000 +0000
@@ -4028,6 +4028,7 @@ END
 		### This causes the replay program to pause
 		print REPLAY "ms($timediff1);\n";
 	}
+	$duration = 0.01 if $duration == 0; # avoid divide by 0,
 	$speed = sprintf("%.2f",$bytes / (1024 * $duration));
 	print REPLAY "print \"\n\n" .
 	 "Summary: $duration2 seconds, $bytes bytes, $speed Kb/sec\\n\";";

==> debian/patches/series <==
01-fix-division.patch
02-fix-old-perl.patch

==> debian/patches/02-fix-old-perl.patch <==
Author: Joao Eriberto Mota Filho
Description: Remove line used by old perl.
diff -Naurp chaosreader.orig/chaosreader0.94 chaosreader/chaosreader0.94
--- chaosreader.orig/chaosreader0.94	2009-07-09 12:15:01.000000000 +0000
+++ chaosreader/chaosreader0.94	2009-07-09 13:43:24.000000000 +0000
@@ -262,7 +262,7 @@ $| = 1;		# flush output
 # The following is needed for old perl5 multiline matching. New perl5 uses
 # a "/s" on the RE (which is used in this program as well).
 #
-$* = 1;		# old perl5
+#$* = 1;		# old perl5
 #
 # These ports have been selected to be saved as coloured 2-way HTML files

==> debian/man/header.txt <==
.TH CHAOSREADER "1" "Dec 2013" "CHAOSREADER 0.94" "trace network sessions and export them to HTML format"

==> debian/man/chaosreader.1 <==
.\"Text automatically generated by txt2man
.TH CHAOSREADER "1" "Dec 2013" "CHAOSREADER 0.94" "trace network sessions and export them to HTML format"
.SH NAME
\fBchaosreader \fP- trace network sessions and export them to HTML format
.SH SYNOPSIS
.nf
.fam C
\fBchaosreader\fP
\fBchaosreader\fP [\fB-aehikqrvxAHIRTUXY\fP] [\fB-D\fP \fIdir\fP]
    [\fB-b\fP port[,\.\.\.]] [\fB-B\fP port[,\.\.\.]]
    [\fB-j\fP IPaddr[,\.\.\.]] [\fB-J\fP IPaddr[,\.\.\.]]
    [\fB-l\fP port[,\.\.\.]] [\fB-L\fP port[,\.\.\.]]
    [\fB-m\fP bytes[k]] [\fB-M\fP bytes[k]]
    [\fB-o\fP "time"|"size"|"type"|"ip"]
    [\fB-p\fP port[,\.\.\.]] [\fB-P\fP port[,\.\.\.]]
    \fBinfile\fP [\fIinfile2\fP \.\.\.]
\fBchaosreader\fP \fB-s\fP [\fImins\fP] | \fB-S\fP [\fImins\fP[,count]] [\fB-z\fP] [\fB-f\fP 'filter']
.fam T
.fi
.SH DESCRIPTION
Chaosreader traces TCP/UDP/other sessions and fetches application data from
snoop or tcpdump logs. This is a type of "any-snarf" program: it will fetch
telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG etc.) and SMTP
emails from the captured data inside network traffic logs. An HTML index
file is created that links to all the session details, including realtime
replay programs for telnet, rlogin, IRC, X11 and VNC sessions. Chaosreader
also produces reports such as image reports and HTTP GET/POST content
reports.
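Review bot: in debian/patches/01-fix-division.patch, the guard `$duration = 0.01 if $duration == 0;` only catches an exact zero and then reports a made-up throughput: a session whose first and last packet share a timestamp is printed as `$bytes / 10.24` Kb/sec in the `Summary:` line, which is misleading in a forensic report. Consider testing `$duration <= 0` and emitting a sentinel instead of a number, e.g. `$speed = $duration > 0 ? sprintf("%.2f", $bytes / (1024 * $duration)) : "n/a";`, which keeps the displayed `$duration2` untouched while avoiding the division. Also drop the stray trailing comma in the added comment, and add a `Forwarded:` field to the DEP-3 header so it is clear whether upstream received the fix.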
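Review bot: in debian/patches/02-fix-old-perl.patch, commenting out `$* = 1;` leaves the preceding comment claiming the line is "needed for old perl5 multiline matching" and that `/s` replaces it, which is misleading: `$*` made `^` and `$` match at embedded newlines (what the `/m` modifier does), whereas `/s` only lets `.` match a newline. Update the comment to say that `$*` was removed in Perl 5.10 and is no longer supported, and check that the script's regexes that anchor with `^` or `$` inside multi-line buffers carry `/m`, otherwise their meaning changes silently once the assignment is gone. Deleting the dead line and its stale comment would be cleaner than leaving a commented-out assignment behind.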
.PP
Chaosreader can also run in standalone mode, where it invokes tcpdump to
create the log files and then processes them.
.SH OPTIONS
.TP
.B \fB-a\fP, \fB--application\fP
Create application session files (default)
.TP
.B \fB-e\fP, \fB--everything\fP
Create HTML 2-way & hex files for everything
.TP
.B \fB-h\fP
Print a brief help
.TP
.B \fB--help\fP
Print verbose help (this) and version
.TP
.B \fB--help2\fP
Print massive help
.TP
.B \fB-i\fP, \fB--info\fP
Create info file
.TP
.B \fB-q\fP, \fB--quiet\fP
Quiet, no output to screen
.TP
.B \fB-r\fP, \fB--raw\fP
Create raw files
.TP
.B \fB-v\fP, \fB--verbose\fP
Verbose - create ALL files (except \fB-e\fP)
.TP
.B \fB-x\fP, \fB--index\fP
Create index files (default)
.TP
.B \fB-A\fP, \fB--noapplication\fP
Exclude application session files
.TP
.B \fB-H\fP, \fB--hex\fP
Include hex dumps (slow)
.TP
.B \fB-I\fP, \fB--noinfo\fP
Exclude info files
.TP
.B \fB-R\fP, \fB--noraw\fP
Exclude raw files
.TP
.B \fB-T\fP, \fB--notcp\fP
Exclude TCP traffic
.TP
.B \fB-U\fP, \fB--noudp\fP
Exclude UDP traffic
.TP
.B \fB-Y\fP, \fB--noicmp\fP
Exclude ICMP traffic
.TP
.B \fB-X\fP, \fB--noindex\fP
Exclude index files
.TP
.B \fB-k\fP, \fB--keydata\fP
Create extra files for keystroke analysis
.TP
.B \fB-D\fP \fIdir\fP, \fB--dir\fP \fIdir\fP
Output all files to this directory
.TP
.B \fB-b\fP 25,79, \fB--playtcp\fP 25,79
Replay these TCP ports as well (playback)
.TP
.B \fB-B\fP 36,42, \fB--playudp\fP 36,42
Replay these UDP ports as well (playback)
.TP
.B \fB-l\fP 7,79, \fB--htmltcp\fP 7,79
Create HTML for these TCP ports as well
.TP
.B \fB-L\fP 7,123, \fB--htmludp\fP 7,123
Create HTML for these UDP ports as well
.TP
.B \fB-m\fP 1k, \fB--min\fP 1k
Min size of connection to save ("k" for KB)
.TP
.B \fB-M\fP 1024k, \fB--max\fP 1024k
Max size of connection to save ("k" for KB)
.TP
.B \fB-o\fP size, \fB--sort\fP size
Sort order: time/size/type/ip (default time)
.TP
.B \fB-p\fP 21,23, \fB--port\fP 21,23
Only examine these ports (TCP & UDP)
.TP
.B \fB-P\fP 80,81, \fB--noport\fP 80,81
Exclude these ports (TCP & UDP)
.TP
.B \fB-s\fP 5, \fB--runonce\fP 5
Standalone. Run tcpdump/snoop for 5 \fImins\fP.
.TP
.B \fB-S\fP 5,10, \fB--runmany\fP 5,10
Standalone, many. 10 samples of 5 \fImins\fP each.
.TP
.B \fB-S\fP 5, \fB--runmany\fP 5
Standalone, endless. 5 min samples forever.
.TP
.B \fB-z\fP, \fB--runredo\fP
Standalone, redo. Rereads last run's logs.
.TP
.B \fB-j\fP 10.1.2.1, \fB--ipaddr\fP 10.1.2.1
Only examine these IPs
.TP
.B \fB-J\fP 10.1.2.1, \fB--noipaddr\fP 10.1.2.1
Exclude these IPs
.TP
.B \fB-f\fP 'port 7', \fB--filter\fP 'port 7'
With standalone, use this dump filter.
.SH OUTPUT FILES
.TP
.B index.html
HTML index (full details)
.TP
.B index.text
Text index
.TP
.B index.file
File index for standalone redo mode
.TP
.B image.html
HTML report of images
.TP
.B getpost.html
HTML report of HTTP GET/POST requests
.TP
.B session_0001.info
Info file describing TCP session #1
.TP
.B session_0001.telnet.html
HTML coloured 2-way capture (time sorted)
.TP
.B session_0001.telnet.raw
Raw data 2-way capture (time sorted)
.TP
.B session_0001.telnet.raw1
Raw 1-way capture (assembled) server->client
.TP
.B session_0001.telnet.raw2
Raw 1-way capture (assembled) client->server
.TP
.B session_0002.web.html
HTML coloured 2-way
.TP
.B session_0002.part_01.html
HTTP portion of the above, an HTML file
.TP
.B session_0003.web.html
HTML coloured 2-way
.TP
.B session_0003.part_01.jpeg
HTTP portion of the above, a JPEG file
.TP
.B session_0004.web.html
HTML coloured 2-way
.TP
.B session_0004.part_01.gif
HTTP portion of the above, a GIF file
.TP
.B session_0005.part_01.ftp-data.gz
An FTP transfer, a gz file.
.SH CONVENTIONS
.TP
.B session_*
TCP sessions
.TP
.B stream_*
UDP streams
.TP
.B icmp_*
ICMP packets
.TP
.B index.html
HTML index
.TP
.B index.text
Text index
.TP
.B index.file
File index for standalone redo mode only
.TP
.B image.html
HTML report of images
.TP
.B getpost.html
HTML report of HTTP GET/POST requests
.TP
.B *.info
Info file describing the session/stream
.TP
.B *.raw
Raw data 2-way capture (time sorted)
.TP
.B *.raw1
Raw 1-way capture (assembled) server->client
.TP
.B *.raw2
Raw 1-way capture (assembled) client->server
.TP
.B *.replay
Session replay program (perl)
.TP
.B *.partial.*
Partial capture (tcpdump/snoop were aware of drops)
.TP
.B *.hex.html
2-way hex dump, rendered in coloured HTML
.TP
.B *.hex.text
2-way hex dump in plain text
.TP
.B *.X11.replay
X11 replay script (talks X11)
.TP
.B *.textX11.replay
X11 communicated text replay script (text only)
.TP
.B *.textX11.html
2-way text report, rendered in red/blue HTML
.TP
.B *.keydata
Keystroke delay data file. Used for SSH analysis.
.SH MODES
.TP
.B Normal
eg "\fBchaosreader\fP \fBinfile\fP": a tcpdump/snoop file was created
previously and \fBchaosreader\fP reads and processes it.
.TP
.B Standalone once
eg "\fBchaosreader\fP \fB-s\fP 10": \fBchaosreader\fP runs tcpdump/snoop and
generates the log file, in this case for 10 minutes, and then processes the
result. Some OSs may not have tcpdump or snoop available, so this will not
work (instead you may be able to get Ethereal, run it, save to a file, then
use normal mode). There is a master index.html and the report index.html in
a sub \fIdir\fP of the format out_YYYYMMDD-hhmm, eg "out_20031003-2221".
.TP
.B Standalone, many
eg "\fBchaosreader\fP \fB-S\fP 5,12": \fBchaosreader\fP runs tcpdump/snoop
and generates many log files, in this case sampling 12 times for 5 minutes
each. While this is running, the master index.html can be viewed to watch
progress; it links to minor index.html reports in each sub directory.
.TP
.B Standalone, redo
eg "\fBchaosreader\fP \fB-ve\fP \fB-z\fP" (the \fB-z\fP): a standalone
capture was previously performed and now you would like to reprocess the
logs, perhaps with different options (in this case "\fB-ve\fP"). It reads
index.file to determine which capture logs to read.
.TP
.B Standalone, endless
eg "\fBchaosreader\fP \fB-S\fP 5": like standalone many, but runs forever
(if you ever had the need?). Watch your disk space!
.PP
Note: this is a work in progress, some of the code is a little unpolished.
.SH ADVICE
.IP \(bu 3
Run \fBchaosreader\fP in an empty directory.
.IP \(bu 3
Create small packet dumps. Chaosreader uses around 5x the dump size in
memory: a 100 MB file could need 500 MB of RAM to process.
.IP \(bu 3
Your tcpdump may allow "\fB-s0\fP" (entire packet) instead of "\fB-s9000\fP".
.IP \(bu 3
Beware of using too much disk space, especially in standalone mode.
.IP \(bu 3
If you capture too many small connections, giving a huge index.html, try
using the \fB-m\fP option to ignore small connections, eg "\fB-m\fP 1k".
.IP \(bu 3
snoop logs may actually work better. Snoop logs are based on RFC 1761,
whereas there are many variants of tcpdump/libpcap and this program cannot
read them all. If you have Ethereal you can create snoop logs with the
"save as" option. On Solaris use "snoop \fB-o\fP logfile".
.IP \(bu 3
tcpdump logs may not be portable between OSs that use different sized
timestamps or a different byte order.
.IP \(bu 3
Logs are best created in a memory filesystem for speed, usually /tmp.
.IP \(bu 3
For X11 or VNC playbacks, first practise by replaying a recently captured
session of your own. The biggest problem is colour depth: your screen must
match the capture. For X11 check authentication (xhost +), for VNC check
the viewer's options (\fB-8bit\fP, "Hextile", \.\.\.)
.IP \(bu 3
SSH analysis can be performed with the "sshkeydata" program as demonstrated
on http://www.brendangregg.com/sshanalysis.html . \fBchaosreader\fP
provides the input files (*.keydata) that sshkeydata analyses.
.SH BUGS
The following assumptions may cause problems (check for newer versions):
.IP \(bu 3
A lower port number = the service type. Eg with ports 31247 and 23, the
actual type of session is telnet (23). This may not work for some things
(eg VNC).
.IP \(bu 3
Time based order is more important for 2-way sessions (eg telnet); SEQ
order is more important for 1-way transfers (eg ftp-data).
.IP \(bu 3
One particular TCP session isn't active for long enough that the SEQ number
loops (or even wraps).
.SH EXAMPLES
.IP \(bu 3
Example 1:
.PP
.nf
.fam C
tcpdump \-s9000 \-w out1; chaosreader out1; netscape index.html
or,
snoop \-o out1; chaosreader out1; netscape index.html
or,
ethereal (save as "out1"); chaosreader out1; netscape index.html
or,
chaosreader \-s 5; netscape index.html
.fam T
.fi
.IP \(bu 3
Example 2:
.PP
.nf
.fam C
tcpdump \-s9000 \-w output1      # create tcpdump capture file
chaosreader output1              # extract recognised sessions, or,
chaosreader \-ve output1         # gimme everything, or,
chaosreader \-p 20,21,23 output1 # only ftp and telnet\.\.\.
.fam T
.fi
.IP \(bu 3
Example 3:
.PP
.nf
.fam C
snoop \-o output1                # create snoop capture file instead
chaosreader output1              # extract recognised sessions\.\.\.
.fam T
.fi
.IP \(bu 3
Example 4:
.PP
.nf
.fam C
chaosreader \-S 2,5     # Standalone, sniff network 5 times for 2 mins
                        # each. View index.html for progress (or .text)
.fam T
.fi
.SH SEE ALSO
\fBtcpdump\fP(8), \fBchaosreader\fP help page.
.SH AUTHORS
\fBchaosreader\fP was written by Brendan Gregg.
.PP
This manual page was written by Joao Eriberto Mota Filho, using txt2man,
for the Debian project (but may be used by others).
The base of this text was taken from the \fBchaosreader\fP source code.

==> debian/man/chaosreader.txt <==
NAME
  chaosreader - trace network sessions and export them to HTML format

SYNOPSIS
  chaosreader
  chaosreader [-aehikqrvxAHIRTUXY] [-D dir] [-b port[,...]] [-B port[,...]]
              [-j IPaddr[,...]] [-J IPaddr[,...]] [-l port[,...]]
              [-L port[,...]] [-m bytes[k]] [-M bytes[k]]
              [-o "time"|"size"|"type"|"ip"] [-p port[,...]] [-P port[,...]]
              infile [infile2 ...]
  chaosreader -s [mins] | -S [mins[,count]] [-z] [-f 'filter']

DESCRIPTION
  Chaosreader traces TCP/UDP/other sessions and fetches application data
  from snoop or tcpdump logs. This is a type of "any-snarf" program: it
  will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG
  etc.) and SMTP emails from the captured data inside network traffic
  logs. An HTML index file is created that links to all the session
  details, including realtime replay programs for telnet, rlogin, IRC,
  X11 and VNC sessions. Chaosreader also produces reports such as image
  reports and HTTP GET/POST content reports.

  Chaosreader can also run in standalone mode, where it invokes tcpdump
  to create the log files and then processes them.

OPTIONS
  -a, --application     Create application session files (default)
  -e, --everything      Create HTML 2-way & hex files for everything
  -h                    Print a brief help
  --help                Print verbose help (this) and version
  --help2               Print massive help
  -i, --info            Create info file
  -q, --quiet           Quiet, no output to screen
  -r, --raw             Create raw files
  -v, --verbose         Verbose - create ALL files (except -e)
  -x, --index           Create index files (default)
  -A, --noapplication   Exclude application session files
  -H, --hex             Include hex dumps (slow)
  -I, --noinfo          Exclude info files
  -R, --noraw           Exclude raw files
  -T, --notcp           Exclude TCP traffic
  -U, --noudp           Exclude UDP traffic
  -Y, --noicmp          Exclude ICMP traffic
  -X, --noindex         Exclude index files
  -k, --keydata         Create extra files for keystroke analysis
  -D dir, --dir dir     Output all files to this directory
  -b 25,79, --playtcp 25,79
                        Replay these TCP ports as well (playback)
  -B 36,42, --playudp 36,42
                        Replay these UDP ports as well (playback)
  -l 7,79, --htmltcp 7,79
                        Create HTML for these TCP ports as well
  -L 7,123, --htmludp 7,123
                        Create HTML for these UDP ports as well
  -m 1k, --min 1k       Min size of connection to save ("k" for KB)
  -M 1024k, --max 1024k
                        Max size of connection to save ("k" for KB)
  -o size, --sort size  Sort order: time/size/type/ip (default time)
  -p 21,23, --port 21,23
                        Only examine these ports (TCP & UDP)
  -P 80,81, --noport 80,81
                        Exclude these ports (TCP & UDP)
  -s 5, --runonce 5     Standalone. Run tcpdump/snoop for 5 mins.
  -S 5,10, --runmany 5,10
                        Standalone, many. 10 samples of 5 mins each.
  -S 5, --runmany 5     Standalone, endless. 5 min samples forever.
  -z, --runredo         Standalone, redo. Rereads last run's logs.
  -j 10.1.2.1, --ipaddr 10.1.2.1
                        Only examine these IPs
  -J 10.1.2.1, --noipaddr 10.1.2.1
                        Exclude these IPs
  -f 'port 7', --filter 'port 7'
                        With standalone, use this dump filter.
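The following Python script is an added example, not chaosreader's own Perl code and not part of this package. It models how the -p/-P, -j/-J, -m/-M and -o options above narrow and order a list of sessions, and it implements the "lower port number = the service type" assumption listed under BUGS, including the VNC case where that assumption misfires because the client's ephemeral port is numerically below the server's. The service table, the precedence of include lists over exclude lists, the "k" suffix meaning x1024, and the session records are all assumptions made for this illustration; chaosreader may combine its filters differently.

```python
"""Model of session selection and service naming for a chaosreader-style
extractor. Added example, not chaosreader's own code; the service table,
filter precedence and sample sessions are assumptions for illustration."""
import re
from dataclasses import dataclass

# Assumed port-to-service table (chaosreader's real table is much larger).
SERVICES = {21: "ftp", 23: "telnet", 25: "smtp", 80: "web", 5900: "vnc"}


@dataclass(frozen=True)
class Session:
    start: float      # time of first packet (epoch seconds)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    size: int         # payload bytes in both directions


def parse_size(text):
    """-m/-M argument: a byte count, optionally with a 'k' suffix (x1024)."""
    m = re.fullmatch(r"\s*(\d+)(k?)\s*", text.lower())
    if not m:
        raise ValueError("bad size %r" % text)
    return int(m.group(1)) * (1024 if m.group(2) else 1)


def service_of(s):
    """The BUGS-section heuristic: the lower port number names the service.
    Works for 31247<->23 (telnet); misfires when the client's ephemeral port
    is numerically below the server's, as with VNC on 5900+."""
    port = min(s.src_port, s.dst_port)
    return SERVICES.get(port, "port%d" % port)


def select(sessions, ports=None, noports=None, ips=None, noips=None,
           minsize=0, maxsize=None, order="time"):
    """Apply -p/-P, -j/-J and -m/-M, then sort per -o. Include lists are
    checked before exclude lists, so -P carves exceptions out of -p (assumed)."""
    kept = []
    for s in sessions:
        sp = {s.src_port, s.dst_port}
        si = {s.src_ip, s.dst_ip}
        if ports and not sp & set(ports):
            continue
        if noports and sp & set(noports):
            continue
        if ips and not si & set(ips):
            continue
        if noips and si & set(noips):
            continue
        if s.size < minsize or (maxsize is not None and s.size > maxsize):
            continue
        kept.append(s)
    keys = {
        "time": lambda s: s.start,
        "size": lambda s: (-s.size, s.start),          # largest first
        "type": lambda s: (service_of(s), s.start),
        "ip":   lambda s: (s.src_ip, s.dst_ip, s.start),
    }
    return sorted(kept, key=keys[order])


# Constructed sessions, not taken from a real capture.
SAMPLE = [
    Session(100.0, "10.1.2.1", 31247, "10.1.2.2", 23, 4096),    # telnet
    Session(101.0, "10.1.2.3", 40001, "10.1.2.2", 80, 512),     # web
    Session(102.0, "10.1.2.4", 40002, "10.1.2.2", 21, 200),     # ftp control
    Session(103.0, "10.1.2.5", 1025, "10.1.2.9", 5900, 65536),  # VNC, low client port
]


def demo():
    """Service labels for SAMPLE, destination ports kept by '-p 21,23',
    and sizes kept by '-m 1k -o size'."""
    labels = [service_of(s) for s in SAMPLE]
    ftp_telnet = [s.dst_port for s in select(SAMPLE, ports=[21, 23])]
    big = [s.size for s in select(SAMPLE, minsize=parse_size("1k"), order="size")]
    return labels, ftp_telnet, big


if __name__ == "__main__":
    print(demo())
```

The last SAMPLE entry is the point of the exercise: the VNC session is labelled "port1025" rather than "vnc", so when triaging an index built on this heuristic, sessions whose type is an unnamed port deserve a second look with -l or -b rather than being skipped as noise.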
OUTPUT FILES
  index.html                        HTML index (full details)
  index.text                        Text index
  index.file                        File index for standalone redo mode
  image.html                        HTML report of images
  getpost.html                      HTML report of HTTP GET/POST requests
  session_0001.info                 Info file describing TCP session #1
  session_0001.telnet.html          HTML coloured 2-way capture (time sorted)
  session_0001.telnet.raw           Raw data 2-way capture (time sorted)
  session_0001.telnet.raw1          Raw 1-way capture (assembled) server->client
  session_0001.telnet.raw2          Raw 1-way capture (assembled) client->server
  session_0002.web.html             HTML coloured 2-way
  session_0002.part_01.html         HTTP portion of the above, an HTML file
  session_0003.web.html             HTML coloured 2-way
  session_0003.part_01.jpeg         HTTP portion of the above, a JPEG file
  session_0004.web.html             HTML coloured 2-way
  session_0004.part_01.gif          HTTP portion of the above, a GIF file
  session_0005.part_01.ftp-data.gz  An FTP transfer, a gz file.

CONVENTIONS
  session_*          TCP sessions
  stream_*           UDP streams
  icmp_*             ICMP packets
  index.html         HTML index
  index.text         Text index
  index.file         File index for standalone redo mode only
  image.html         HTML report of images
  getpost.html       HTML report of HTTP GET/POST requests
  *.info             Info file describing the session/stream
  *.raw              Raw data 2-way capture (time sorted)
  *.raw1             Raw 1-way capture (assembled) server->client
  *.raw2             Raw 1-way capture (assembled) client->server
  *.replay           Session replay program (perl)
  *.partial.*        Partial capture (tcpdump/snoop were aware of drops)
  *.hex.html         2-way hex dump, rendered in coloured HTML
  *.hex.text         2-way hex dump in plain text
  *.X11.replay       X11 replay script (talks X11)
  *.textX11.replay   X11 communicated text replay script (text only)
  *.textX11.html     2-way text report, rendered in red/blue HTML
  *.keydata          Keystroke delay data file. Used for SSH analysis.

MODES
  Normal
    eg "chaosreader infile": a tcpdump/snoop file was created previously
    and chaosreader reads and processes it.

  Standalone once
    eg "chaosreader -s 10": chaosreader runs tcpdump/snoop and generates
    the log file, in this case for 10 minutes, and then processes the
    result. Some OSs may not have tcpdump or snoop available, so this
    will not work (instead you may be able to get Ethereal, run it, save
    to a file, then use normal mode). There is a master index.html and
    the report index.html in a sub dir of the format out_YYYYMMDD-hhmm,
    eg "out_20031003-2221".

  Standalone, many
    eg "chaosreader -S 5,12": chaosreader runs tcpdump/snoop and
    generates many log files, in this case sampling 12 times for 5
    minutes each. While this is running, the master index.html can be
    viewed to watch progress; it links to minor index.html reports in
    each sub directory.

  Standalone, redo
    eg "chaosreader -ve -z" (the -z): a standalone capture was previously
    performed and now you would like to reprocess the logs, perhaps with
    different options (in this case "-ve"). It reads index.file to
    determine which capture logs to read.

  Standalone, endless
    eg "chaosreader -S 5": like standalone many, but runs forever (if you
    ever had the need?). Watch your disk space!

  Note: this is a work in progress, some of the code is a little
  unpolished.

ADVICE
  * Run chaosreader in an empty directory.
  * Create small packet dumps. Chaosreader uses around 5x the dump size
    in memory: a 100 MB file could need 500 MB of RAM to process.
  * Your tcpdump may allow "-s0" (entire packet) instead of "-s9000".
  * Beware of using too much disk space, especially in standalone mode.
  * If you capture too many small connections, giving a huge index.html,
    try using the -m option to ignore small connections, eg "-m 1k".
  * snoop logs may actually work better. Snoop logs are based on
    RFC 1761, whereas there are many variants of tcpdump/libpcap and this
    program cannot read them all. If you have Ethereal you can create
    snoop logs with the "save as" option. On Solaris use
    "snoop -o logfile".
  * tcpdump logs may not be portable between OSs that use different
    sized timestamps or a different byte order.
  * Logs are best created in a memory filesystem for speed, usually /tmp.
  * For X11 or VNC playbacks, first practise by replaying a recently
    captured session of your own. The biggest problem is colour depth:
    your screen must match the capture. For X11 check authentication
    (xhost +), for VNC check the viewer's options (-8bit, "Hextile", ...)
  * SSH analysis can be performed with the "sshkeydata" program as
    demonstrated on http://www.brendangregg.com/sshanalysis.html .
    chaosreader provides the input files (*.keydata) that sshkeydata
    analyses.

BUGS
  The following assumptions may cause problems (check for newer versions):
  * A lower port number = the service type. Eg with ports 31247 and 23,
    the actual type of session is telnet (23). This may not work for some
    things (eg VNC).
  * Time based order is more important for 2-way sessions (eg telnet);
    SEQ order is more important for 1-way transfers (eg ftp-data).
  * One particular TCP session isn't active for long enough that the SEQ
    number loops (or even wraps).

EXAMPLES
  * Example 1:

      tcpdump \-s9000 \-w out1; chaosreader out1; netscape index.html
    or,
      snoop -o out1; chaosreader out1; netscape index.html
    or,
      ethereal (save as "out1"); chaosreader out1; netscape index.html
    or,
      chaosreader -s 5; netscape index.html

  * Example 2:

      tcpdump \-s9000 \-w output1      # create tcpdump capture file
      chaosreader output1              # extract recognised sessions, or,
      chaosreader \-ve output1         # gimme everything, or,
      chaosreader \-p 20,21,23 output1 # only ftp and telnet...

  * Example 3:

      snoop \-o output1                # create snoop capture file instead
      chaosreader output1              # extract recognised sessions...

  * Example 4:

      chaosreader \-S 2,5   # Standalone, sniff network 5 times for 2 mins
                            # each. View index.html for progress (or .text)

SEE ALSO
  tcpdump(8), chaosreader help page.

AUTHORS
  chaosreader was written by Brendan Gregg.
  This manual page was written by Joao Eriberto Mota Filho, using
  txt2man, for the Debian project (but may be used by others). The base
  of this text was taken from the chaosreader source code.

==> debian/source/lintian-overrides <==
# The upstream didn't provide a PGP/GPG signature.
chaosreader source: debian-watch-may-check-gpg-signature

==> debian/source/format <==
3.0 (quilt)

==> debian/control <==
Source: chaosreader
Section: net
Priority: optional
Maintainer: Debian Forensics
Uploaders: Joao Eriberto Mota Filho
Build-Depends: debhelper (>= 9)
Standards-Version: 3.9.5
Homepage: http://chaosreader.sf.net
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=forensics/chaosreader.git
Vcs-Git: git://anonscm.debian.org/forensics/chaosreader.git

Package: chaosreader
Architecture: all
Depends: ${misc:Depends}, ${perl:Depends}
Suggests: tcpdump, wireshark
Description: trace network sessions and export them to HTML format
 Chaosreader traces TCP/UDP/other sessions and fetches application data from
 snoop or tcpdump logs. This is a type of "any-snarf" program: it will fetch
 telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG etc.) and SMTP
 emails from the captured data inside network traffic logs. An HTML index
 file is created that links to all the session details, including realtime
 replay programs for telnet, rlogin, IRC, X11 and VNC sessions. Chaosreader
 also produces reports such as image reports and HTTP GET/POST content
 reports.
 .
 Chaosreader can also run in standalone mode, where it invokes tcpdump to
 create the log files and then processes them.

==> debian/changelog <==
chaosreader (0.94-5) unstable; urgency=medium

  * Bumped Standards-Version from 3.9.4 to 3.9.5.
  * debian/source/: added an override to reply to check-gpg-signature.
  * debian/copyright: updated the file format and the upstream email address.
  * debian/gbp.conf: added to allow git-buildpackage usage.
  * debian/rules: little and insignificant adjustments.
  * debian/watch: improved.
  * manpage:
      - Created the debian/man directory to gather the manpage and the
        source. So, the debian/chaosreader.manpages was adjusted to point
        to the file at its new place.
      - Removed debian/{chaosreader.1.t2t,manpages}.
      - The manpage was improved, using information from the source code,
        and migrated from txt2tags to txt2man.

 -- Joao Eriberto Mota Filho  Fri, 27 Dec 2013 08:49:04 -0200

chaosreader (0.94-4) unstable; urgency=low

  * Bumped debhelper level from 7 to 9.
  * debian/control:
      - bumped Standards-Version from 3.8.4 to 3.9.4.
      - changed from perl to ${perl:Depends} in Depends field to avoid
        dh_gencontrol warning.
      - moved tcpdump from Recommends to Suggests.
      - removed quilt from Build-Depends.
      - removed screenshot reference from long description.
  * debian/copyright: updated packaging years.
  * debian/README.source: removed because it is useless now.
  * debian/rules:
      - enabled parallel build.
      - removed quilt from dh.

 -- Joao Eriberto Mota Filho  Mon, 20 May 2013 13:31:03 -0300

chaosreader (0.94-3) unstable; urgency=low

  * Added the debian/source/format file to show the "3.0 (quilt)" format
    use in package.
  * debian/control: updated quilt needed version in Build-Depends field.

 -- Joao Eriberto Mota Filho  Sun, 04 Apr 2010 09:10:11 -0300

chaosreader (0.94-2) UNRELEASED; urgency=low

  * Added the chaosreader.t2t. It is the manpage source.
  * Added the debian/upstream.changelog file.
  * Added the README.source file.
  * Removed the source.lintian-overrides file. All problems are fixed.
  * debian/control:
      - Updated debhelper version in Build-Depends field.
      - Updated Standards-Version from 3.8.2 to 3.8.4.
      - Updated Vcs-Browser and Vcs-Git fields from debian.net to debian.org.
  * debian/copyright: Updated the packaging copyright years.
  * debian/watch: fixed the regular expression. The uscan works fine now.

 -- Joao Eriberto Mota Filho  Mon, 21 Mar 2010 01:40:40 -0300

chaosreader (0.94-1) unstable; urgency=low

  [ Joao Eriberto Mota Filho ]
  * Initial release (Closes: #496228).

  [ Daniel Baumann ]
  * Prefixing debhelper files with package name.
  * Using quilt rather than dpatch.
  * Simplify install target in rules file.
  * Adding missing targets in rules file to make it policy conformant.
  * Sorting package relations in control file.
  * Adding manual depends on perl.
  * Adding vcs fields in control file.
  * Forgot to adjust series file.
  * Adding lintian overrides.
  * Using dedicated manpage debhelper file to install manpages.
  * Rewriting copyright file in machine-interpretable format.
  * Minimizing rules file.
  * Simplify install target override.

 -- Daniel Baumann  Tue, 28 Jul 2009 14:23:07 +0200

==> debian/watch <==
version=3
http://sf.net/chaosreader/chaosreader(\d\S*)

==> debian/rules <==
#!/usr/bin/make -f

#export DH_VERBOSE=1

%:
	dh $@ --parallel

override_dh_auto_install:
	install -D -m 0755 chaosreader0.94 debian/chaosreader/usr/bin/chaosreader

override_dh_installchangelogs:
	dh_installchangelogs debian/upstream.changelog

==> debian/gbp.conf <==
[DEFAULT]
debian-branch = debian
pristine-tar = True
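The ADVICE section of the manpage warns that tcpdump/libpcap logs exist in several variants (timestamp size, byte order) that chaosreader cannot all read, recommends RFC 1761 snoop logs as a more portable alternative, and suggests capturing with -s0 so application data is not cut off. The following Python script is an added example, not chaosreader's code and not part of this package: it reads the first bytes of a capture file, tells classic pcap (either byte order, microsecond or nanosecond magic), pcapng and snoop apart, and lists the things worth checking before handing the file to a session extractor. The sample headers are constructed inline; the 1500-byte snaplen threshold and the editcap conversion hint are assumptions made for this illustration.

```python
"""Identify a capture file's container before feeding it to a session
extractor such as chaosreader. Added example; not chaosreader's own code.
The sample headers at the bottom are constructed for this illustration."""
import struct
import sys

# libpcap global-header magics, as read in the file's own byte order.
PCAP_MAGICS = {
    0xA1B2C3D4: "microsecond",
    0xA1B23C4D: "nanosecond",
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"   # Section Header Block type, order independent
SNOOP_MAGIC = b"snoop\x00\x00\x00"   # RFC 1761 file header magic


def identify_capture(header):
    """Describe the capture format found in the first bytes of a file.

    Returns a dict with at least 'format' and 'byte_order'; raises
    ValueError for anything it does not recognise.
    """
    if header[:8] == SNOOP_MAGIC and len(header) >= 16:
        # RFC 1761: 8-byte magic, then version and datalink type, both
        # 32-bit big-endian regardless of the writing host.
        version, datalink = struct.unpack(">II", header[8:16])
        if version != 2:
            raise ValueError("unsupported snoop version %d" % version)
        return {"format": "snoop", "byte_order": "big", "version": version,
                "datalink": datalink, "timestamps": "second+microsecond"}
    if header[:4] == PCAPNG_MAGIC and len(header) >= 12:
        # pcapng: the byte order is given by the Byte-Order Magic at offset 8.
        bom = header[8:12]
        if bom == b"\x4d\x3c\x2b\x1a":
            order = "little"
        elif bom == b"\x1a\x2b\x3c\x4d":
            order = "big"
        else:
            raise ValueError("pcapng with unknown byte-order magic %s" % bom.hex())
        return {"format": "pcapng", "byte_order": order}
    if len(header) < 24:
        raise ValueError("need at least 24 bytes to identify a pcap header")
    for order, prefix in (("little", "<"), ("big", ">")):
        magic = struct.unpack(prefix + "I", header[:4])[0]
        if magic in PCAP_MAGICS:
            vmaj, vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack(
                prefix + "HHiIII", header[4:24])
            return {"format": "pcap", "byte_order": order,
                    "timestamps": PCAP_MAGICS[magic],
                    "version": "%d.%d" % (vmaj, vmin),
                    "snaplen": snaplen, "linktype": linktype}
    raise ValueError("unknown capture magic %s" % header[:4].hex())


def capture_notes(info, host_order=sys.byteorder, full_snaplen=1500):
    """Portability and completeness warnings for a result of identify_capture().
    full_snaplen is an assumed threshold: a snaplen below one Ethernet frame
    means application data was cut out of the packets at capture time."""
    notes = []
    if info["format"] == "pcap":
        if info["snaplen"] < full_snaplen:
            notes.append("snaplen %d truncates packets; recapture with tcpdump -s0"
                         % info["snaplen"])
        if info["byte_order"] != host_order:
            notes.append("file is %s-endian, host is %s-endian; the reader must swap header fields"
                         % (info["byte_order"], host_order))
        if info["timestamps"] == "nanosecond":
            notes.append("nanosecond magic; readers that only know 0xa1b2c3d4 will reject or misparse it")
    elif info["format"] == "pcapng":
        notes.append("pcapng container; convert with 'editcap -F pcap' for readers that only take libpcap or snoop logs")
    return notes


# Constructed sample headers (no real traffic behind them).
SAMPLE_PCAP_LE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAP_BE_NS = struct.pack(">IHHiIII", 0xA1B23C4D, 2, 4, 0, 0, 96, 1)
SAMPLE_SNOOP = SNOOP_MAGIC + struct.pack(">II", 2, 4)   # datalink 4 = Ethernet

if __name__ == "__main__":
    samples = {"pcap-le": SAMPLE_PCAP_LE, "pcap-be-ns": SAMPLE_PCAP_BE_NS,
               "snoop": SAMPLE_SNOOP}
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            samples = {sys.argv[1]: f.read(24)}
    for name, hdr in samples.items():
        info = identify_capture(hdr)
        print(name, info, capture_notes(info))
```

Run it with a capture path as the only argument to check a real file; with no argument it reports on the three constructed headers. The snaplen check is the one that most often matters in practice: a default-snaplen tcpdump log identifies cleanly but yields sessions with no usable payload.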