    Support for capturing the trace data that is stored in the pcap files · 4ce9c421
    Leigh B. Stoller authored
    into per-experiment databases on ops. Additional support for reconstituting
    those databases back into temporary databases on ops, for post processing.
    
    * This revision relies on the "snort" port (/usr/ports/security/snort)
      to read the pcap files and load them into a database. The schema is
      probably not ideal, but it's better than nothing. See the file
      ops:/usr/local/share/examples/snort/create_mysql for the schema.
    
    * For simplicity, I have hooked into loghole, which already had all
      the code for downloading the trace data. I added some new methods to
      the XMLRPC server for loghole to use, to get the user's DB password
      and the name of the per-experiment database. There is a new slot in
      the traces table that indicates that the trace should be snorted to
      its DB. In case you forgot, at the end of a run or when the instance
      is swapped out, loghole is run to download the trace data.
    
    * For reconstituting, there are lots of additions to opsdb_control and
      opsdb_control.proxy to create "temporary" databases and load them
      from a dump file that is stored in the archive. I've added a button
      to the Template Record page, inappropriately called "Analyze" since
      right now all it does is reconstitute the trace data into a DB on
      ops.
    
      Currently, the only indication of what has been done (the name of
      the DBs created on ops) is the log email that the user gets. A
      future project is to tell the user this info in the web interface.
    
    * To turn on database capturing of trace data, do this in your NS
      file:
    
    	set link0 ...
    	$link0 trace
    	$link0 trace_snaplen 128
    	$link0 trace_db 1
    
      The increase in snaplen is optional, but a good idea if you want
      snort to understand more than just IP headers.
    
    * Also some changes to the parser to allow plain experiments to take
      advantage of all this stuff. To simply get yourself a per-experiment
      DB, put this in your NS file:
    
    	tb-set-dpdb 1
    
      however, anytime you turn trace_db on for a link or lan, you
      automatically get a per-experiment DB.
    
    * To capture the trace data to the DB, you can run loghole by hand:
    
    	loghole sync -s
    
      the -s option turns on the "post-process" phase of loghole.