1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="vfs_smb_traffic_analyzer.8">
6 <refentrytitle>smb_traffic_analyzer</refentrytitle>
7 <manvolnum>8</manvolnum>
8 <refmiscinfo class="source">Samba</refmiscinfo>
9 <refmiscinfo class="manual">System Administration tools</refmiscinfo>
10 <refmiscinfo class="version">3.6</refmiscinfo>
15 <refname>vfs_smb_traffic_analyzer</refname>
16 <refpurpose>log Samba VFS read and write operations through a socket
17 to a helper application</refpurpose>
22 <command>vfs objects = smb_traffic_analyzer</command>
27 <title>DESCRIPTION</title>
29 <para>This VFS module is part of the
30 <citerefentry><refentrytitle>samba</refentrytitle>
31 <manvolnum>7</manvolnum></citerefentry> suite.</para>
33 <para>The <command>vfs_smb_traffic_analyzer</command> VFS module logs
34 client file operations on a Samba server and sends this data
35 over a socket to a helper program (in the following the "Receiver"),
36 which feeds a SQL database. More
37 information on the helper programs can be obtained from the
38 homepage of the project at:
39 http://holger123.wordpress.com/smb-traffic-analyzer/
40 Since the VFS module depends on a receiver that is doing something with
41 the data, it is evolving in it's development. Therefore, the module
42 works with different protocol versions, and the receiver has to be able
43 to decode the protocol that is used. The protocol version 1 was
44 introduced to Samba at September 25, 2008. It was a very simple
45 protocol, supporting only a small list of VFS operations, and had
46 several drawbacks. The protocol version 2 is a try to solve the
47 problems version 1 had while at the same time adding new features.
48 With the release of Samba 3.6.0, the module will run protocol version 2
54 <title>Protocol version 1 documentation</title>
55 <para><command>vfs_smb_traffic_analyzer</command> protocol version 1 is aware
56 of the following VFS operations:</para>
59 <member>write</member>
60 <member>pwrite</member>
62 <member>pread</member>
65 <para><command>vfs_smb_traffic_analyzer</command> sends the following data
66 in a fixed format seperated by a comma through either an internet or a
67 unix domain socket:</para>
69 BYTES|USER|DOMAIN|READ/WRITE|SHARE|FILENAME|TIMESTAMP
72 <para>Description of the records:
75 <listitem><para><command>BYTES</command> - the length in bytes of the VFS operation</para></listitem>
76 <listitem><para><command>USER</command> - the user who initiated the operation</para></listitem>
77 <listitem><para><command>DOMAIN</command> - the domain of the user</para></listitem>
78 <listitem><para><command>READ/WRITE</command> - either "W" for a write operation or "R" for read</para></listitem>
79 <listitem><para><command>SHARE</command> - the name of the share on which the VFS operation occured</para></listitem>
80 <listitem><para><command>FILENAME</command> - the name of the file that was used by the VFS operation</para></listitem>
81 <listitem><para><command>TIMESTAMP</command> - a timestamp, formatted as "yyyy-mm-dd hh-mm-ss.ms" indicating when the VFS operation occured</para></listitem>
82 <listitem><para><command>IP</command> - The IP Address (v4 or v6) of the client machine that initiated the VFS operation.</para></listitem>
87 <para>This module is stackable.</para>
92 <title>Drawbacks of protocol version 1</title>
93 <para>Several drawbacks have been seen with protocol version 1 over time.</para>
97 <command>Problematic parsing - </command>
98 Protocol version 1 uses hyphen and comma to seperate blocks of data. Once there is a
99 filename with a hyphen, you will run into problems because the receiver decodes the
105 <command>Insecure network transfer - </command>
106 Protocol version 1 sends all it's data as plaintext over the network.
111 <command>Limited set of supported VFS operations - </command>
112 Protocol version 1 supports only four VFS operations.
117 <command>No subreleases of the protocol - </command>
118 Protocol version 1 is fixed on it's version, making it unable to introduce new
119 features or bugfixes through compatible sub-releases.
125 <title>Version 2 of the protocol</title>
126 <para>Protocol version 2 is an approach to solve the problems introduced with protcol v1.
127 From the users perspective, the following changes are most prominent among other enhancements:
132 The data from the module may be send encrypted, with a key stored in secrets.tdb. The
133 Receiver then has to use the same key. The module does AES block encryption over the
139 The module now can identify itself against the receiver with a sub-release number, where
140 the receiver may run with a different sub-release number than the module. However, as
141 long as both run on the V2.x protocol, the receiver will not crash, even if the module
142 uses features only implemented in the newer subrelease. Ultimatively, if the module uses
143 a new feature from a newer subrelease, and the receiver runs an older protocol, it is just
144 ignoring the functionality. Of course it is best to have both the receiver and the module
145 running the same subrelease of the protocol.
150 The parsing problems of protocol V1 can no longer happen, because V2 is marshalling the
151 data packages in a proper way.
156 The module now potentially has the ability to create data on every VFS function. As of
157 protocol V2.0, there is support for 8 VFS functions, namely write,read,pread,pwrite,
158 rename,chdir,mkdir and rmdir. Supporting more VFS functions is one of the targets for the
159 upcoming sub-releases.
164 To enable protocol V2, the protocol_version vfs option has to be used (see OPTIONS).
170 <title>OPTIONS with protocol V1 and V2.x</title>
175 <term>smb_traffic_analyzer:mode = STRING</term>
177 <para>If STRING matches to "unix_domain_socket", the module will
178 use a unix domain socket located at /var/tmp/stadsocket, if
179 STRING contains an different string or is not defined, the module will
180 use an internet domain socket for data transfer.</para>
187 <term>smb_traffic_analyzer:host = STRING</term>
189 <para>The module will send the data to the system named with
190 the hostname STRING.</para>
196 <term>smb_traffic_analyzer:port = STRING</term>
198 <para>The module will send the data using the TCP port given
204 <term>smb_traffic_analyzer:anonymize_prefix = STRING</term>
206 <para>The module will replace the user names with a prefix
207 given by STRING and a simple hash number. In version 2.x
208 of the protocol, the users SID will also be anonymized.
215 <term>smb_traffic_analyzer:total_anonymization = STRING</term>
217 <para>If STRING matches to 'yes', the module will replace
218 any user name with the string given by the option
219 smb_traffic_analyzer:anonymize_prefix, without generating
220 an additional hash number. This means that any transfer data
221 will be mapped to a single user, leading to a total
222 anonymization of user related data. In version 2.x of the
223 protocol, the users SID will also be anonymized.</para>
228 <term>smb_traffic_analyzer:protocol_version = STRING</term>
230 <para>If STRING matches to V1, the module will use version 1 of the
231 protocol. If STRING is not given, the module will use version 2 of the
232 protocol, which is the default.
241 <title>EXAMPLES</title>
242 <para>Running protocol V2 on share "example_share", using an internet socket.</para>
244 <smbconfsection name="[example_share]"/>
245 <smbconfoption name="path">/data/example</smbconfoption>
246 <smbconfoption name="vfs_objects">smb_traffic_analyzer</smbconfoption>
247 <smbconfoption name="smb_traffic_analyzer:host">examplehost</smbconfoption>
248 <smbconfoption name="smb_traffic_analyzer:port">3491</smbconfoption>
251 <para>The module running on share "example_share", using a unix domain socket</para>
253 <smbconfsection name="[example_share]"/>
254 <smbconfoption name="path">/data/example</smbconfoption>
255 <smbconfoption name="vfs objects">smb_traffic_analyzer</smbconfoption>
256 <smbconfoption name="smb_traffic_analyzer:mode">unix_domain_socket</smbconfoption>
259 <para>The module running on share "example_share", using an internet socket,
260 connecting to host "examplehost" on port 3491.</para>
262 <smbconfsection name="[example_share]"/>
263 <smbconfoption name="path">/data/example</smbconfoption>
264 <smbconfoption name="vfs objects">smb_traffic_analyzer</smbconfoption>
265 <smbconfoption name="smb_traffic_analyzer:host">examplehost</smbconfoption>
266 <smbconfoption name="smb_traffic_analyzer:port">3491</smbconfoption>
269 <para>The module running on share "example_share", using an internet socket,
270 connecting to host "examplehost" on port 3491, anonymizing user names with
271 the prefix "User".</para>
273 <smbconfsection name="[example_share]"/>
274 <smbconfoption name="path">/data/example</smbconfoption>
275 <smbconfoption name="vfs objects">smb_traffic_analyzer</smbconfoption>
276 <smbconfoption name="smb_traffic_analyzer:host">examplehost</smbconfoption>
277 <smbconfoption name="smb_traffic_analyzer:port">3491</smbconfoption>
278 <smbconfoption name="smb_traffic_analyzer:anonymize_prefix">User</smbconfoption>
283 <title>VERSION</title>
284 <para>This man page is correct for version 3.3 of the Samba suite.
289 <title>AUTHOR</title>
291 <para>The original Samba software and related utilities
292 were created by Andrew Tridgell. Samba is now developed
293 by the Samba Team as an Open Source project similar
294 to the way the Linux kernel is developed.</para>
296 <para>The original version of the VFS module and the
297 helper tools were created by Holger Hetterich.</para>
git.samba.org / kai / samba.git / blob