path: root/docs-xml/manpages-3/vfs_smb_traffic_analyzer.8.xml
blob: 882ee6af3f8d66f4381d0b985bf35f71aaa7a1fa (plain)
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="vfs_smb_traffic_analyzer.8">

<refmeta>
	<refentrytitle>smb_traffic_analyzer</refentrytitle>
	<manvolnum>8</manvolnum>
	<refmiscinfo class="source">Samba</refmiscinfo>
	<refmiscinfo class="manual">System Administration tools</refmiscinfo>
	<refmiscinfo class="version">3.6</refmiscinfo>
</refmeta>


<refnamediv>
	<refname>vfs_smb_traffic_analyzer</refname>
	<refpurpose>log Samba VFS read and write operations through a socket
	to a helper application</refpurpose>
</refnamediv>

<refsynopsisdiv>
	<cmdsynopsis>
		<command>vfs objects = smb_traffic_analyzer</command>
	</cmdsynopsis>
</refsynopsisdiv>

<refsect1>
	<title>DESCRIPTION</title>

	<para>This VFS module is part of the
	<citerefentry><refentrytitle>samba</refentrytitle>
	<manvolnum>7</manvolnum></citerefentry> suite.</para>

	<para>The <command>vfs_smb_traffic_analyzer</command> VFS module logs
	client file operations on a Samba server and sends this data
	over a socket to a helper program (referred to below as the "Receiver"),
	which feeds a SQL database. More
	information on the helper programs can be obtained from the
	homepage of the project at:
	http://holger123.wordpress.com/smb-traffic-analyzer/
	Since the VFS module depends on a receiver that does something with
	the data, its development is still evolving. Therefore, the module
	works with different protocol versions, and the receiver has to be able
	to decode the protocol that is used. Protocol version 1 was
	introduced to Samba on September 25, 2008. It was a very simple
	protocol, supporting only a small list of VFS operations, and had
	several drawbacks. Protocol version 2 is an attempt to solve the
	problems version 1 had while at the same time adding new features.
	</para>
</refsect1>

<refsect1>
	<title>Protocol version 1 documentation</title>
	<para><command>vfs_smb_traffic_analyzer</command> protocol version 1 is aware
		of the following VFS operations:</para>

	<simplelist>
	<member>write</member>
	<member>pwrite</member>
	<member>read</member>
	<member>pread</member>
	</simplelist>

	<para><command>vfs_smb_traffic_analyzer</command> sends the following data
	in a fixed format, separated by a comma, through either an internet or a
	unix domain socket:</para>
	<programlisting>
	BYTES|USER|DOMAIN|READ/WRITE|SHARE|FILENAME|TIMESTAMP
	</programlisting>

	<para>Description of the records:

	<itemizedlist>
	<listitem><para><command>BYTES</command> - the length in bytes of the VFS operation</para></listitem>
	<listitem><para><command>USER</command> - the user who initiated the operation</para></listitem>
	<listitem><para><command>DOMAIN</command> - the domain of the user</para></listitem>
	<listitem><para><command>READ/WRITE</command> - either "W" for a write operation or "R" for read</para></listitem>
	<listitem><para><command>SHARE</command> - the name of the share on which the VFS operation occurred</para></listitem>
	<listitem><para><command>FILENAME</command> - the name of the file that was used by the VFS operation</para></listitem>
	<listitem><para><command>TIMESTAMP</command> - a timestamp, formatted as "yyyy-mm-dd hh-mm-ss.ms", indicating when the VFS operation occurred</para></listitem>
	</itemizedlist>

	</para>

	<para>This module is stackable.</para>

</refsect1>

<refsect1>
	<title>Drawbacks of protocol version 1</title>
	<para>Several drawbacks have been seen with protocol version 1 over time.</para>
	<itemizedlist>
	<listitem>
		<para>
			<command>Problematic parsing - </command>
			Protocol version 1 uses hyphen and comma to separate blocks of data. As soon as a
			filename contains a hyphen, the receiver decodes the record incorrectly.
		</para>
	</listitem>
	<listitem>
		<para>
			<command>Insecure network transfer - </command>
			Protocol version 1 sends all its data as plaintext over the network.
		</para>
	</listitem>
	<listitem>
		<para>
			<command>Limited set of supported VFS operations - </command>
			Protocol version 1 supports only four VFS operations.
		</para>
	</listitem>
	<listitem>
		<para>
			<command>No subreleases of the protocol - </command>
			Protocol version 1 is fixed on its version, making it unable to introduce new
			features or bugfixes through compatible sub-releases.
		</para>
	</listitem>
	</itemizedlist>
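	<para>As an added example (not code from the Samba module or from the Receiver project), the following Python receiver-side decoder parses the V1 record layout given in the previous section and shows how a field-count check turns the separator problem described above into a rejected record instead of silently wrong data. It assumes the comma as the field separator, as the page states, and the sample records are constructed.</para>

```python
# Added example (not Samba's module or the Receiver project): a receiver-side
# decoder for the documented V1 layout, seven comma-separated fields in the
# order BYTES,USER,DOMAIN,READ/WRITE,SHARE,FILENAME,TIMESTAMP.
import re

FIELDS = ("bytes", "user", "domain", "op", "share", "filename", "timestamp")
# TIMESTAMP is "yyyy-mm-dd hh-mm-ss.ms", as the man page gives it.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}-\d{2}-\d{2}\.\d{1,3}$")

class RecordError(ValueError):
    """Raised when a record cannot be decoded unambiguously."""

def parse_v1(line):
    """Decode one V1 record or raise RecordError; a filename containing the
    separator shifts every later field, which the field-count check rejects."""
    fields = line.rstrip("\n").split(",")
    if len(fields) != len(FIELDS):
        raise RecordError("expected %d fields, got %d" % (len(FIELDS), len(fields)))
    rec = dict(zip(FIELDS, fields))
    if not rec["bytes"].isdigit():
        raise RecordError("BYTES is not a non-negative integer")
    rec["bytes"] = int(rec["bytes"])
    if rec["op"] not in ("R", "W"):
        raise RecordError("READ/WRITE must be R or W")
    if not TS_RE.match(rec["timestamp"]):
        raise RecordError("bad TIMESTAMP format")
    return rec

def bytes_per_user(lines):
    """Sum bytes per (domain, user, op) and count the records that were rejected."""
    totals, rejected = {}, 0
    for line in lines:
        try:
            rec = parse_v1(line)
        except RecordError:
            rejected += 1
            continue
        key = (rec["domain"], rec["user"], rec["op"])
        totals[key] = totals.get(key, 0) + rec["bytes"]
    return totals, rejected

# Constructed sample records (not captured from a real server).
SAMPLE = [
    "4096,alice,EXAMPLE,W,example_share,reports/q3.xlsx,2008-09-25 10-15-30.120",
    "512,alice,EXAMPLE,R,example_share,reports/q3.xlsx,2008-09-25 10-15-31.005",
    # A filename containing the separator decodes to eight fields: rejected.
    "1024,bob,EXAMPLE,R,example_share,notes,draft.txt,2008-09-25 10-16-02.300",
]
```

A receiver that counts rejected records this way can alert on a sudden rise in undecodable lines rather than inserting shifted fields into the database.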
</refsect1>
<refsect1>
	<title>Version 2 of the protocol</title>
	<para>Protocol version 2 is an approach to solve the problems introduced with protocol v1.
	From the user's perspective, the following changes are the most prominent among other enhancements:
	</para>
	<itemizedlist>
		<listitem>
		<para>
		The data from the module may be sent encrypted, with a key stored in secrets.tdb. The
		Receiver then has to use the same key. The module applies AES block encryption to the
		data to send.
		</para>
		</listitem>
		<listitem>
		<para>
		The module can now identify itself to the receiver with a sub-release number, where
		the receiver may run with a different sub-release number than the module. However, as
		long as both run on the V2.x protocol, the receiver will not crash, even if the module
		uses features only implemented in the newer sub-release. Ultimately, if the module uses
		a new feature from a newer sub-release and the receiver runs an older protocol, the
		receiver simply ignores that functionality. Of course it is best to have both the receiver
		and the module running the same sub-release of the protocol.
		</para>
		</listitem>
		<listitem>
		<para>
		The parsing problems of protocol V1 can no longer happen, because V2 marshals the
		data packets in a proper way.
		</para>
		</listitem>
		<listitem>
		<para>
		The module now potentially has the ability to create data on every VFS function. As of
		protocol V2.0, there is support for 8 VFS functions, namely write, read, pread, pwrite,
		rename, chdir, mkdir and rmdir. Supporting more VFS functions is one of the targets for the
		upcoming sub-releases.
		</para>
		</listitem>
	</itemizedlist>
	<para>
		To enable protocol V2, the protocol_version vfs option has to be used (see OPTIONS).
	</para>

</refsect1>

<refsect1>
	<title>OPTIONS with protocol V1 and V2.x</title>

	<variablelist>

		<varlistentry>
		<term>smb_traffic_analyzer:mode = STRING</term>
		<listitem>
		<para>If STRING matches "unix_domain_socket", the module will
		use a unix domain socket located at /var/tmp/stadsocket; if
		STRING contains a different string or is not defined, the module will
		use an internet domain socket for data transfer.</para>

		</listitem>
		</varlistentry>


		<varlistentry>
		<term>smb_traffic_analyzer:host = STRING</term>
		<listitem>
		<para>The module will send the data to the system named with
		the hostname STRING.</para>

		</listitem>
		</varlistentry>

		<varlistentry>
		<term>smb_traffic_analyzer:port = STRING</term>
		<listitem>
		<para>The module will send the data using the TCP port given
		in STRING.
		</para>
		</listitem>
		</varlistentry>
		<varlistentry>
		<term>smb_traffic_analyzer:anonymize_prefix = STRING</term>
		<listitem>
		<para>The module will replace the user names with a prefix
		given by STRING and a simple hash number. In version 2.x
		of the protocol, the user's SID will also be anonymized.
		</para>

		</listitem>
		</varlistentry>

		<varlistentry>
		<term>smb_traffic_analyzer:total_anonymization = STRING</term>
		<listitem>
		<para>If STRING matches "yes", the module will replace
		any user name with the string given by the option
		smb_traffic_analyzer:anonymize_prefix, without generating
		an additional hash number. This means that all transfer data
		will be mapped to a single user, leading to a total
		anonymization of user related data. In version 2.x of the
		protocol, the user's SID will also be anonymized.</para>
		</listitem>
		</varlistentry>

		<varlistentry>
		<term>smb_traffic_analyzer:protocol_version = STRING</term>
		<listitem>
		<para>If STRING matches "V1" or is not given at all, the module
		will use version 1 of the protocol. If STRING matches "V2",
		the module will use version 2 of the protocol.
		</para>
		</listitem>
		</varlistentry>

	</variablelist>
</refsect1>

<refsect1>
	<title>EXAMPLES</title>
	<para>Running protocol V2 on share "example_share", using an internet socket.</para>
	<programlisting>
	<smbconfsection name="[example_share]"/>
	<smbconfoption name="path">/data/example</smbconfoption>
	<smbconfoption name="vfs objects">smb_traffic_analyzer</smbconfoption>
	<smbconfoption name="smb_traffic_analyzer:protocol_version">V2</smbconfoption>
	<smbconfoption name="smb_traffic_analyzer:host">examplehost</smbconfoption>
	<smbconfoption name="smb_traffic_analyzer:port">3491</smbconfoption>
	</programlisting>

	<para>The module running on share "example_share", using a unix domain socket.</para>
	<programlisting>
	<smbconfsection name="[example_share]"/>
	<smbconfoption name="path">/data/example</smbconfoption>
	<smbconfoption name="vfs objects">smb_traffic_analyzer</smbconfoption>
	<smbconfoption name="smb_traffic_analyzer:mode">unix_domain_socket</smbconfoption>
	</programlisting>

	<para>The module running on share "example_share", using an internet socket,
	connecting to host "examplehost" on port 3491.</para>
	<programlisting>
	<smbconfsection name="[example_share]"/>
	<smbconfoption name="path">/data/example</smbconfoption>
	<smbconfoption name="vfs objects">smb_traffic_analyzer</smbconfoption>
	<smbconfoption name="smb_traffic_analyzer:host">examplehost</smbconfoption>
	<smbconfoption name="smb_traffic_analyzer:port">3491</smbconfoption>
	</programlisting>

	<para>The module running on share "example_share", using an internet socket,
	connecting to host "examplehost" on port 3491, anonymizing user names with
	the prefix "User".</para>
	<programlisting>
	<smbconfsection name="[example_share]"/>
	<smbconfoption name="path">/data/example</smbconfoption>
	<smbconfoption name="vfs objects">smb_traffic_analyzer</smbconfoption>
	<smbconfoption name="smb_traffic_analyzer:host">examplehost</smbconfoption>
	<smbconfoption name="smb_traffic_analyzer:port">3491</smbconfoption>
	<smbconfoption name="smb_traffic_analyzer:anonymize_prefix">User</smbconfoption>
	</programlisting>
</refsect1>

<refsect1>
	<title>VERSION</title>
	<para>This man page is correct for version 3.3 of the Samba suite.
	</para>
</refsect1>

<refsect1>
	<title>AUTHOR</title>

	<para>The original Samba software and related utilities
	were created by Andrew Tridgell. Samba is now developed
	by the Samba Team as an Open Source project similar
	to the way the Linux kernel is developed.</para>

	<para>The original version of the VFS module and the
	helper tools were created by Holger Hetterich.</para>
</refsect1>
</refentry>