Write to pcap doesn't rotate and it was impossible to write into a pipe
michele-deluca opened this issue · 7 comments
Hi,
I am trying to write the output pcap into a named pipe:
$ ssldump -v
ssldump 1.4b
Maintained by a bunch of volunteers, see https://github.com/adulau/ssldump/blob/master/CREDITS
Copyright (C) 2015-2021 the aforementioned volunteers
Copyright (C) 1998-2001 RTFM, Inc.
All rights reserved.
Compiled with OpenSSL: decryption enabled
$ mkfifo pcap_test.pcap
$ ls -ltr pcap_test.pcap
prw-r--r-- 1 root root 0 Jun 17 14:13 pcap_test.pcap
$ ssldump -w pcap_test.pcap
Can not open/create out pcap pcap_test.pcap
Is it possible to write the output packets into a pipe?
Alternatively, is it possible to roll the pcap output file on size/time?
We would like to run a "continuous" packet capture/decode and read it only when we have some trouble.
thanks.
Hi,
Here is a quick fix that adds FIFO support for PCAP output:
wllm-rbnt@4a6fcb5
Can you give it a try?
Hi, I can't reproduce the error you reported.
Here is how I test my patch (on Debian Buster):
$ git clone -b dev https://github.com/wllm-rbnt/ssldump.git
$ cd ssldump
$ ./autogen.sh
$ ./configure
$ make
$ mkfifo test.pcap; sudo ./ssldump -n -i any -w test.pcap
In a second terminal, I run:
$ sudo tcpdump -n -r test.pcap
I have the session decoding on the first terminal, and the flow of packets on the second one.
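As an added example (not code from this issue or from ssldump itself), here is a consumer for the reader side of the FIFO recipe above: it takes the pcap stream that ssldump writes into the named pipe and rolls it into size-limited, standalone pcap files, which is the rotation the original question asked for. The file prefix, the size limit and the sample bytes are constructed assumptions; the pcap layout (24-byte global header, 16-byte record headers) is the standard libpcap format.

```python
import io, os, struct, tempfile

GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16  # pcap file header; per-record header
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # little-endian (usec / nsec)
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}  # big-endian

def iter_records(stream, order):
    # Yield each complete record (16-byte header + incl_len bytes of data) and stop at EOF
    # or at a truncated tail. stream must be a blocking buffered reader (open(path, "rb")),
    # whose read(n) only returns fewer than n bytes at EOF, even on a pipe.
    while True:
        hdr = stream.read(RECORD_HDR_LEN)
        if len(hdr) < RECORD_HDR_LEN:
            return
        incl_len = struct.unpack(order + "IIII", hdr)[2]
        data = stream.read(incl_len)
        if len(data) < incl_len:
            return
        yield hdr + data

def rotate(stream, prefix, max_bytes):
    # Copy the stream into <prefix>-NNNN.pcap files, each starting with the global header
    # so it is a standalone pcap. A new file begins when the next record would push the
    # current one past max_bytes; a lone oversized record is still written, not dropped.
    global_hdr = stream.read(GLOBAL_HDR_LEN)
    if global_hdr[:4] not in MAGICS:
        raise ValueError("not a pcap stream: %r" % global_hdr[:4])
    order, paths, out, size = MAGICS[global_hdr[:4]], [], None, 0
    for rec in iter_records(stream, order):
        if out is None or (size > GLOBAL_HDR_LEN and size + len(rec) > max_bytes):
            if out is not None:
                out.close()
            paths.append("%s-%04d.pcap" % (prefix, len(paths)))
            out, size = open(paths[-1], "wb"), GLOBAL_HDR_LEN
            out.write(global_hdr)
        out.write(rec)
        size += len(rec)
    if out is not None:
        out.close()
    return paths

# Constructed sample: little-endian header, linktype 1, then records of 10, 20, 30 bytes.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 1, 0, n, n) + b"\x00" * n for n in (10, 20, 30))

def demo(max_bytes=100, data=SAMPLE):
    # Split the sample into a temporary directory and return the size of each file written.
    prefix = os.path.join(tempfile.mkdtemp(), "split")
    return [os.path.getsize(p) for p in rotate(io.BytesIO(data), prefix, max_bytes)]
```

On the capture host this would replace the tcpdump -r reader as rotate(open("test.pcap", "rb"), "/var/tmp/capture", 100 * 1024 * 1024); opening the FIFO blocks until ssldump opens its write end, and rotate returns once ssldump closes it.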
Here is a recipe to build it on RHEL/CentOS 7.9. You will need a recent version of openssl.
I've never tested it (ssldump) on this version of the distro; you might encounter bugs at runtime.
$ sudo yum install git autoconf automake gcc make libpcap-devel libnet-devel json-c-devel tmux wget
$ wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
$ tar xvfz openssl-1.1.1k.tar.gz
$ cd openssl-1.1.1k
$ ./config
$ make
$ make install
$ cd ..
$ echo "/usr/local/lib64" | sudo tee /etc/ld.so.conf.d/openssl.conf
$ sudo ldconfig
$ git clone -b dev https://github.com/wllm-rbnt/ssldump.git
$ cd ssldump
$ ./autogen.sh
$ ./configure CPPFLAGS="-D_BSD_SOURCE=1"
$ make
$ sudo ./ssldump -n -i eth0
I compiled the latest ssldump from source on RHEL 7.
thanks.