diff --git a/src/iosource/af_packet/CMakeLists.txt b/src/iosource/af_packet/CMakeLists.txt index 48a3d24a7c..6a01b8d691 100644 --- a/src/iosource/af_packet/CMakeLists.txt +++ b/src/iosource/af_packet/CMakeLists.txt @@ -1,23 +1,31 @@ -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.0 FATAL_ERROR) -project(Plugin) +project(ZeekPluginAF_Packet) -include(BroPlugin) +include(ZeekPlugin) find_package(KernelHeaders) if ( KERNELHEADERS_FOUND ) #TODO: Make sure the specified kernel headers are used - bro_plugin_begin(Bro AF_Packet) - bro_plugin_cc(src/Plugin.cc) - bro_plugin_cc(src/AF_Packet.cc) - bro_plugin_cc(src/RX_Ring.cc) - bro_plugin_bif(src/af_packet.bif) - bro_plugin_dist_files(broctl/af_packet.py README COPYING VERSION) - bro_plugin_end() + zeek_plugin_begin(Zeek AF_Packet) + zeek_plugin_cc(src/Plugin.cc) + zeek_plugin_cc(src/AF_Packet.cc) + zeek_plugin_cc(src/RX_Ring.cc) + zeek_plugin_bif(src/af_packet.bif) + zeek_plugin_dist_files(zeekctl/af_packet.py README COPYING VERSION) + zeek_plugin_end() message(STATUS "Kernelheader prefix : ${KERNELHEADERS_ROOT_DIR}") else () message(FATAL_ERROR "Kernel headers not found.") +endif() + +file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1) + +if ("${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}") + # Allows building rpm/deb packages via "make package" in build dir. + include(ConfigurePackaging) + ConfigurePackaging(${VERSION}) endif () diff --git a/src/iosource/af_packet/README b/src/iosource/af_packet/README index 897e9e469d..f54830b11f 100644 --- a/src/iosource/af_packet/README +++ b/src/iosource/af_packet/README @@ -1,8 +1,8 @@ -Bro::AF_Packet +Zeek::AF_Packet ============== -This plugin provides native AF_Packet support for Bro/Zeek +This plugin provides native AF_Packet support for Zeek (http://man7.org/linux/man-pages/man7/packet.7.html). Installation 
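Review bot: In the src/iosource/af_packet/CMakeLists.txt hunk, `ConfigurePackaging(${VERSION})` passes the first line of the VERSION file unquoted and unchecked. An empty VERSION file therefore calls the macro with no argument, and a line containing spaces or semicolons is split into several arguments. Guard and quote it, for example `if (NOT VERSION)` / `message(FATAL_ERROR "VERSION file is empty")` / `endif ()` ahead of `ConfigurePackaging("${VERSION}")`. The `file(STRINGS ...)` read is only used by the standalone packaging branch, so it could move inside that `if`. Plugin.cc in this same commit still hard-codes `config.version.major = 1` and `config.version.minor = 4`, so the packaged version and the version the plugin reports may drift unless something outside this diff keeps them in step.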
@@ -13,15 +13,15 @@ your kernel supports PACKET_FANOUT [1]_ and TPACKET_V3. Package Manager ``````````````` -The plugin is available as package for the `Bro/Zeek Package Manager +The plugin is available as package for the `Zeek Package Manager `_ and can be installed using the following command:: - bro-pkg install bro-af_packet-plugin + zkg install zeek-af_packet-plugin Manual Install `````````````` -The following will compile and install the AF_Packet plugin alongside Bro/Zeek, +The following will compile and install the AF_Packet plugin alongside Zeek, assuming it can find the kernel headers in a standard location:: # ./configure && make && make install @@ -32,8 +32,8 @@ Furthermore, ``--with-latest-kernel`` will use the latest headers available instead of looking for the headers matching the running kernel's version. If everything built and installed correctly, you should see this:: - # bro -NN Bro::AF_Packet - Bro::AF_Packet - Packet acquisition via AF_Packet (dynamic, version 1.4) + # zeek -NN Zeek::AF_Packet + Zeek::AF_Packet - Packet acquisition via AF_Packet (dynamic, version 1.4) [Packet Source] AF_PacketReader (interface prefix "af_packet"; supports live input) [Type] AF_Packet::FanoutMode [Constant] AF_Packet::buffer_size 
@@ -54,13 +54,13 @@ Once installed, you can use AF_Packet interfaces/ports by prefixing them with ``af_packet::`` on the command line. For example, to use AF_Packet to monitor interface ``eth0``:: - # bro -i af_packet::eth0 + # zeek -i af_packet::eth0 -To use AF_Packet, running Bro/Zeek without root privileges, the Bro processes +To use AF_Packet, running Zeek without root privileges, the Zeek processes need the CAP_NET_RAW capability. You can set it with the following command (on -each sensor, after ``broctl install``):: +each sensor, after ``zeekctl install``):: - # setcap cap_net_raw+eip /bin/bro + # setcap cap_net_raw+eip /bin/zeek The AF_Packet plugin automatically enables promiscuous mode on the interfaces. As the plugin is using PACKET_ADD_MEMBERSHIP to enter the promiscuous mode @@ -68,12 +68,12 @@ without interfering others, the PROMISC flag is not touched. To verify that the interface entered promiscuous mode you can use ``dmesg``. To adapt the plugin to your needs, you can set a couple of parameters like -buffer size. See scripts/init.bro for the default values. +buffer size. See scripts/init.zeek for the default values. -Usage with ``broctl`` +Usage with ``zeekctl`` --------------------- -To use the AF_Packet plugin with ``broctl``, the ``custom`` load balance method +To use the AF_Packet plugin with ``zeekctl``, the ``custom`` load balance method can be utilized. The following shows an exemplary configuration:: [manager] @@ -98,7 +98,7 @@ can be utilized. The following shows an exemplary configuration:: If all interfaces using ``lb_method=custom`` should be configured for AF_Packet, the prefix can be globally definied by adding the following -line to ``broctl.conf``:: +line to ``zeekctl.conf``:: lb_custom.InterfacePrefix=af_packet:: @@ -107,4 +107,4 @@ Limitations * Even using AF_Packet's ``ETH_P_ALL``, the kernel removes VLAN tags. While the tags are provided spereately, there is no efficient way to - pass them to Bro/Zeek. + pass them to Zeek. 
diff --git a/src/iosource/af_packet/scripts/__load__.bro b/src/iosource/af_packet/scripts/__load__.bro deleted file mode 100644 index f77b383b48..0000000000 --- a/src/iosource/af_packet/scripts/__load__.bro +++ /dev/null @@ -1,5 +0,0 @@ -# -# This is loaded unconditionally at Bro startup. -# - -@load ./init.bro diff --git a/src/iosource/af_packet/scripts/__load__.zeek b/src/iosource/af_packet/scripts/__load__.zeek new file mode 100644 index 0000000000..588cabc7c4 --- /dev/null +++ b/src/iosource/af_packet/scripts/__load__.zeek @@ -0,0 +1,5 @@ +# +# This is loaded unconditionally at Zeek startup. +# + +@load ./init.zeek diff --git a/src/iosource/af_packet/scripts/init.bro b/src/iosource/af_packet/scripts/init.zeek similarity index 100% rename from src/iosource/af_packet/scripts/init.bro rename to src/iosource/af_packet/scripts/init.zeek diff --git a/src/iosource/af_packet/src/AF_Packet.cc b/src/iosource/af_packet/src/AF_Packet.cc index 14ae23a611..41884e6409 100644 --- a/src/iosource/af_packet/src/AF_Packet.cc +++ b/src/iosource/af_packet/src/AF_Packet.cc @@ -1,5 +1,5 @@ -#include "bro-config.h" +#include "zeek-config.h" #include "AF_Packet.h" #include "RX_Ring.h" @@ -287,4 +287,3 @@ iosource::PktSrc* AF_PacketSource::InstantiateAF_Packet(const std::string& path, { return new AF_PacketSource(path, is_live); } - diff --git a/src/iosource/af_packet/src/Plugin.cc b/src/iosource/af_packet/src/Plugin.cc index 02c7a67cf8..475340b2e2 100644 --- a/src/iosource/af_packet/src/Plugin.cc +++ b/src/iosource/af_packet/src/Plugin.cc 
@@ -2,16 +2,16 @@ #include "Plugin.h" #include "AF_Packet.h" -namespace plugin { namespace Bro_AF_Packet { Plugin plugin; } } +namespace plugin { namespace Zeek_AF_Packet { Plugin plugin; } } -using namespace plugin::Bro_AF_Packet; +using namespace plugin::Zeek_AF_Packet; plugin::Configuration Plugin::Configure() { AddComponent(new ::iosource::PktSrcComponent("AF_PacketReader", "af_packet", ::iosource::PktSrcComponent::LIVE, ::iosource::pktsrc::AF_PacketSource::InstantiateAF_Packet)); plugin::Configuration config; - config.name = "Bro::AF_Packet"; + config.name = "Zeek::AF_Packet"; config.description = "Packet acquisition via AF_Packet"; config.version.major = 1; config.version.minor = 4; diff --git a/src/iosource/af_packet/src/Plugin.h b/src/iosource/af_packet/src/Plugin.h index 0631053b59..32549e2abe 100644 --- a/src/iosource/af_packet/src/Plugin.h +++ b/src/iosource/af_packet/src/Plugin.h @@ -1,11 +1,11 @@ -#ifndef BRO_PLUGIN_BRO_AF_PACKET -#define BRO_PLUGIN_BRO_AF_PACKET +#ifndef ZEEK_PLUGIN_ZEEK_AF_PACKET +#define ZEEK_PLUGIN_ZEEK_AF_PACKET #include namespace plugin { -namespace Bro_AF_Packet { +namespace Zeek_AF_Packet { class Plugin : public ::plugin::Plugin {